Suggestion about adding a validation logic for Recipient of SAML Response #509

Open
akasakashota opened this issue Dec 7, 2020 · 1 comment


@akasakashota

According to some SAML specifications (4.1.4.3 in SAMLProf and 6.4.2 in SAMLSec), the specs say that a Service Provider MUST check the Recipient attribute of the SAML response. However, there doesn't seem to be any logic for validation in this library.

IMO, Audience validation may suffice in the majority of cases, but I think it is desirable to validate Recipient because there is a clear difference in the specifications between them.

@cjbarth
Collaborator

cjbarth commented Dec 14, 2020

@akasakashota, please provide a PR to accomplish this.
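
The check requested in this issue, as an added example (not code from this library or from either participant): it validates Audience and Recipient separately, so an assertion with the right Audience but a Recipient for a different endpoint is rejected. The function name, the input shape (values already extracted from a signature-verified assertion), and the sample URLs are assumptions.

```javascript
const BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

// Hypothetical helper (not a library API). `assertion` holds values already
// extracted from a signature-verified assertion; its shape is an assumption.
function checkAssertionTarget(assertion, sp, now) {
  const errors = [];

  // Audience identifies the SP as an entity (its entityID).
  if (!assertion.audiences.includes(sp.entityId)) {
    errors.push("audience does not include SP entityID");
  }

  // Recipient identifies the endpoint the response was delivered to (ACS URL).
  const bearer = assertion.subjectConfirmations.filter((c) => c.method === BEARER);
  const recipientOk = bearer.some((c) => {
    if (typeof c.recipient !== "string") return false; // attribute missing
    if (c.recipient !== sp.acsUrl) return false;        // exact match only
    return c.notOnOrAfter instanceof Date && now < c.notOnOrAfter;
  });
  if (!recipientOk) {
    errors.push("no unexpired bearer confirmation with Recipient equal to ACS URL");
  }
  return { valid: errors.length === 0, errors };
}

// Constructed sample values.
const SP = { entityId: "https://sp.example.com/metadata",
             acsUrl: "https://sp.example.com/saml/acs" };
const NOW = new Date("2020-12-07T12:00:00Z");
const EXPIRES = new Date("2020-12-07T12:05:00Z");

function sample(recipient) {
  return {
    audiences: [SP.entityId],
    subjectConfirmations: [{ method: BEARER, recipient, notOnOrAfter: EXPIRES }],
  };
}

const results = {
  good: checkAssertionTarget(sample(SP.acsUrl), SP, NOW),
  // Audience is correct, but the Recipient is a different endpoint.
  otherEndpoint: checkAssertionTarget(sample("https://sp.example.com/other/acs"), SP, NOW),
  missing: checkAssertionTarget(sample(undefined), SP, NOW),
};
console.log(results);
```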
