On 4/20/13 9:16 AM, "Sam Hartman" <[log in to unmask]> wrote:

>>>>>> "Luke" == Luke Howard <[log in to unmask]> writes:
>
>    Luke> But cryptographically the trust flows through the AAA chain,
>    Luke> doesn't it? Or are people deploying Moonshot with explicitly
>    Luke> signed SAML assertions? Who verifies these?
>
> So, the first assertion--the one from the IDP--flows through the AAA
> chain.
> However, the second assertion--from the group IDP--is something we
> expect the RP to be configured to retrieve directly from the group IDP
> and to check the signature.

Typically not signed, it's normally just mutual TLS. Can be signed, but the evaluation against metadata is identical whether it's TLS or signatures.

-- Scott