Response Destination Validation - Query Strings #525
This is affecting us as well. The proper solution here would be to compare This would correctly implement Section "3.4.5.2, Security Considerations" of the SAML spec:
This is how SAML-toolkits/java-saml implements the check here. This can be done by adding a new param for the actual URL to |
We are porting an old SAML implementation from PHP over to Go, and so far this library has worked great. I have reused the middleware logic and mixed with our own to satisfy the multi-tenant setup we have.
The issue I'm running into now is our old setup used a few query strings in the ACS URL Location, and we need to maintain that for compatibility. With the library and Go, unfortunately, it organizes the query string in alphabetical order and looks for an exact match URL with query strings, and if not matching, it fails. So even if the URL is the same, but the query strings appear in a different order, the destination validation fails.
Would you be open to a PR that either:
saml/service_provider.go
Lines 869 to 873 in 34930b2
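An added illustration of the order-insensitive Destination comparison discussed in this issue; it is not code from crewjam/saml or from anyone in the thread. The helper names `parse` and `destinationMatches` and the `sp.example.com` URLs are assumptions made for the example, which uses only Go's standard `net/url` package.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// parse returns the parsed URL plus a canonical query string: keys sorted
// (by Encode) and the values of each repeated key sorted as well.
func parse(raw string) (*url.URL, string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, "", err
	}
	q, err := url.ParseQuery(u.RawQuery)
	for _, vals := range q {
		sort.Strings(vals)
	}
	return u, q.Encode(), err
}

// destinationMatches (hypothetical helper) reports whether a response's
// Destination names the configured ACS URL. Only the order of query
// parameters is relaxed; a malformed URL or query fails closed with an error.
func destinationMatches(received, configured string) (bool, error) {
	r, rq, err := parse(received)
	if err != nil {
		return false, err
	}
	c, cq, err := parse(configured)
	if err != nil {
		return false, err
	}
	// Scheme, userinfo, host, path and fragment must still match exactly.
	if r.Scheme != c.Scheme || r.User.String() != c.User.String() || r.Host != c.Host ||
		r.EscapedPath() != c.EscapedPath() || r.Fragment != c.Fragment {
		return false, nil
	}
	// Same keys and same values required: extra or changed parameters fail.
	return rq == cq, nil
}

func main() {
	acs := "https://sp.example.com/saml/acs?tenant=acme&mode=legacy" // constructed sample
	ok, err := destinationMatches("https://sp.example.com/saml/acs?mode=legacy&tenant=acme", acs)
	fmt.Println(ok, err)
}
```

The comparison stays strict about the parameter set itself, so a Destination with an added, missing or altered parameter is still rejected.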