According to some SAML specifications (4.1.4.3 in SAMLProf and 6.4.2 in SAMLSec), the specs say that a Service Provider MUST check the Recipient attribute of the SAML response. However, there doesn't seem to be any logic for validation in this library.
IMO, Audience validation may suffice in the majority of cases, but I think it is desirable to validate Recipient because there is a clear difference in the specifications between them.
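As an added example, not code from the library this issue is about, here is a Python check that validates the Recipient attribute of the bearer SubjectConfirmationData (the element SAMLProf 4.1.4.3 refers to) against the SP's assertion consumer service URL, alongside the Audience check the issue says the library already performs. The hosts, IDs and the unsigned sample response are constructed for the demo.

```python
import xml.etree.ElementTree as ET  # stdlib for an offline demo; use defusedxml in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed, unsigned sample (hypothetical hosts); a real SP verifies the XML signature first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp-a.example.test/saml/acs"
            InResponseTo="_req1" NotOnOrAfter="2099-01-01T00:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp-a.example.test/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def validate_bearer_confirmation(response_xml, expected_acs_url, expected_audience):
    """Return a list of validation errors; an empty list means all checks passed."""
    errors = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    # Audience check (what the library already does): the assertion is intended for this SP.
    audiences = {(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        errors.append("audience mismatch: %s" % sorted(audiences))
    # Recipient check (SAMLProf 4.1.4.3): the bearer assertion must name this SP's own ACS URL.
    saw_bearer = False
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        saw_bearer = True
        data = sc.find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient") if data is not None else None
        if recipient is None:
            errors.append("bearer SubjectConfirmationData lacks Recipient")
        elif recipient != expected_acs_url:
            errors.append("recipient mismatch: %s" % recipient)
    if not saw_bearer:
        errors.append("no bearer SubjectConfirmation")
    return errors
```

The second case in the test shows why Audience alone is not enough: the audience matches, yet the assertion was issued for a different endpoint and is rejected on Recipient.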