-
Notifications
You must be signed in to change notification settings - Fork 398
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the SAML support implemented properly? #241
Labels
Comments
To my knowledge the full SAML parsing was skipped since this would have required third party libraries... You are probably right but at many points in the early development it was always preferred not to have to many dependencies. (This library was born when this was a real manual hassle) I'm happy to accept a patch :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When parsing a response from a CAS server's /samlValidate endpoint, this library loads the response into a DOM object and does some basic validation on the data to ensure integrity. But given that SAML has an actual specification for what its request/responses should look like, shouldn't this library be more careful about verifying the response data structure?
I did some research on SOAP and SAML but it's a complication subject area and I'm still not sure on the best approach to this. But I think the current implementation linked above could use some work.
For instance, apparently every SAML response should include an
InResponseTo
attribute which should match theRequestID
attribute that was sent in the request. This library isn't performing that check.Also, the
RequestID
andIssueInstant
are both hardcoded to some sample values, which is surely incorrect.The text was updated successfully, but these errors were encountered: