
Is the SAML support implemented properly? #241

Open
bkosborne opened this issue Sep 4, 2017 · 1 comment

Comments


bkosborne commented Sep 4, 2017

When parsing a response from a CAS server's /samlValidate endpoint, this library loads the response into a DOM object and does some basic validation on the data to ensure integrity. But given that SAML has an actual specification for what its request/responses should look like, shouldn't this library be more careful about verifying the response data structure?

I did some research on SOAP and SAML but it's a complicated subject area and I'm still not sure of the best approach to this. But I think the current implementation linked above could use some work.

For instance, apparently every SAML response should include an InResponseTo attribute which should match the RequestID attribute that was sent in the request. This library isn't performing that check.

Also, the RequestID and IssueInstant are both hardcoded to some sample values, which is surely incorrect.
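The two points raised above (a per-request RequestID/IssueInstant instead of fixed sample values, and checking that the response's InResponseTo matches that RequestID), as an added Python sketch that is not code from this library or from the issue author; element and attribute names follow the SAML 1.1 protocol schema used by the CAS /samlValidate SOAP binding, and the sample response is constructed rather than captured from a real CAS server.

```python
import secrets
import xml.etree.ElementTree as ET  # use defusedxml to parse XML from untrusted parties
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

def new_request_id():
    # A fresh, unpredictable RequestID for every request, not a hardcoded sample value.
    return "_" + secrets.token_hex(16)

def build_saml_validate_request(ticket, request_id, issue_instant=None):
    # SOAP body sent to /samlValidate: a SAML 1.1 samlp:Request carrying the service ticket.
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"><SOAP-ENV:Body>'
        f'<samlp:Request xmlns:samlp="{SAMLP}" MajorVersion="1" MinorVersion="1" '
        f'RequestID="{request_id}" IssueInstant="{issue_instant}">'
        f'<samlp:AssertionArtifact>{ticket}</samlp:AssertionArtifact>'
        '</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )

def check_saml_response(xml_text, expected_request_id):
    # Returns (ok, detail): the NameIdentifier on success, otherwise the reason for rejection.
    resp = ET.fromstring(xml_text).find(f".//{{{SAMLP}}}Response")
    if resp is None:
        return False, "no samlp:Response element"
    # The response must be bound to the request we actually sent.
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match our RequestID"
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        return False, "StatusCode is not Success"
    name = resp.find(f".//{{{SAML}}}NameIdentifier")
    if name is None or not (name.text or "").strip():
        return False, "no NameIdentifier in assertion"
    return True, name.text.strip()

def sample_response(in_response_to):
    # Constructed minimal SAML 1.1 success response; not captured from a real CAS server.
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP}"><SOAP-ENV:Body>'
        f'<samlp:Response xmlns:samlp="{SAMLP}" ResponseID="_r1" InResponseTo="{in_response_to}" '
        'MajorVersion="1" MinorVersion="1" IssueInstant="2017-09-04T12:00:00Z">'
        '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
        f'<saml:Assertion xmlns:saml="{SAML}" AssertionID="_a1"><saml:AuthenticationStatement>'
        '<saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>'
        '</saml:AuthenticationStatement></saml:Assertion></samlp:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )
```

The response's own IssueInstant is not checked here; comparing it against the time the request was issued, within a short window, would be the natural next check.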

@jfritschi (Contributor)

To my knowledge the full SAML parsing was skipped since this would have required third party libraries...

You are probably right, but at many points in the early development it was always preferred not to have too many dependencies. (This library was born when this was a real manual hassle.)

I'm happy to accept a patch :-)
