Destination is checked only if this is a signed SAML request, as that… #113
Conversation
There was a problem hiding this comment.
So the service provider is hard coded to require a signed response. I assume, based on the test, that you are parsing non-signed responses from another source, is that correct?
If we are going to support unsigned responses, I think the first step is to add a mechanism to specify that in the ServiceProvider metadata, then use that mechanism to determine if signatures should be checked.
service_provider_test.go
Outdated
| @@ -17,6 +17,8 @@ import ( | |||
| "crypto/x509" | |||
|
|
|||
| . "gopkg.in/check.v1" | |||
| "strings" | |||
There was a problem hiding this comment.
nit: can you please fix up the import order here
| @@ -363,6 +363,39 @@ func (ivr *InvalidResponseError) Error() string { | |||
| return fmt.Sprintf("Authentication failed") | |||
| } | |||
|
|
|||
| func responseContainsSignature(response *etree.Document) (bool, error) { | |||
There was a problem hiding this comment.
This check doesn't work (I think) if the response is encrypted
|
Your diagnosis is correct - the IDP in question responds with an unsigned response, containing signed assertions. So let me see if I have this right - the steps to make this happen would be as follows:
|
… is the only case in which a Destination attribute is required.
|
This feature was added previously but I did cherry-pick the tests you added in [93d07ad] Thanks! |
… is the only case in which a Destination attribute is required.