Clarify that you need to have signed AuthnRequests when using skipentities

thijskh · thijskh · commit d904bf261f4d · 2022-12-13T16:26:05.000+01:00
diff --git a/docs/stepupsfo.md b/docs/stepupsfo.md
@@ -86,6 +86,10 @@ If you use the module to protect an IdP, you will want to exclude at least the
 token registration portal via the `skipentities` setting, if that portal uses
 said IdP for authentication.
 
+When using the skipentities setting on an IdP, you must ensure that AuthnRequests
+are signed so users cannot circumvent stepup by manipulating an unsigned
+AuthnRequest.
+
 After setting the configuration up, you supply the following to the persons
 running the SFO service:
 
