Destination is checked only if this is a signed SAML request, as that… #113
Conversation
So the service provider is hard-coded to require a signed response. I assume, based on the test, that you are parsing non-signed responses from another source; is that correct?
If we are going to support unsigned responses, I think the first step is to add a mechanism to specify that in the ServiceProvider metadata, then use that mechanism to determine whether signatures should be checked.
service_provider_test.go
@@ -17,6 +17,8 @@ import ( | |||
"crypto/x509" | |||
|
|||
. "gopkg.in/check.v1" | |||
"strings" |
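Review bot: `"strings"` is a standard-library import but is appended after the third-party dot import `. "gopkg.in/check.v1"`, which breaks the usual grouping; move it into the standard-library group next to `"crypto/x509"` so goimports/gofmt ordering is preserved.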
nit: can you please fix up the import order here
@@ -363,6 +363,39 @@ func (ivr *InvalidResponseError) Error() string { | |||
return fmt.Sprintf("Authentication failed") | |||
} | |||
|
|||
func responseContainsSignature(response *etree.Document) (bool, error) { |
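Review bot: `responseContainsSignature` inspects the raw `*etree.Document`, so when the IdP returns an `EncryptedAssertion` any assertion-level `ds:Signature` sits inside the ciphertext and this check cannot see it. Either run the check after decryption, or have it distinguish a response-level signature from assertion-level signatures and report an encrypted assertion as "undecided until decrypted" rather than as unsigned; a short doc comment stating which of those the `bool` means would also help callers.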
This check doesn't work (I think) if the response is encrypted
Will fix.
Your diagnosis is correct - the IDP in question responds with an unsigned response, containing signed assertions. So let me see if I have this right - the steps to make this happen would be as follows:
… is the only case in which a Destination attribute is required.
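The thread above turns on two facts: the IdP sends an unsigned Response that carries signed Assertions, and a signature-presence check on the raw document cannot see inside an EncryptedAssertion. The following is an added example, not code from crewjam/saml or from the PR author, that shows how to report where signatures actually are before deciding whether to verify. It uses only the Go standard library (`encoding/xml` rather than the project's etree dependency); the names `InspectSignatures`, `SignatureReport`, `Undecidable` and the two sample documents are constructed for this example, and the signature bodies inside them are placeholders. It reports presence only; validating a signature is a separate step.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Namespaces used by SAML 2.0 responses and XML Digital Signature.
const (
	nsSAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
	nsSAML  = "urn:oasis:names:tc:SAML:2.0:assertion"
	nsDSig  = "http://www.w3.org/2000/09/xmldsig#"
)

// SignatureReport records where ds:Signature elements were found.
// It says nothing about validity; that is the verifier's job afterwards.
type SignatureReport struct {
	ResponseSigned      bool // a ds:Signature directly under samlp:Response
	Assertions          int  // plaintext saml:Assertion elements seen
	SignedAssertions    int  // of those, how many carry their own ds:Signature
	EncryptedAssertions int  // saml:EncryptedAssertion elements (not inspectable here)
}

// Undecidable is true when at least one assertion is encrypted: whether that
// assertion is signed cannot be known until after decryption.
func (r SignatureReport) Undecidable() bool { return r.EncryptedAssertions > 0 }

// InspectSignatures walks the token stream with a stack of open elements so
// that each ds:Signature can be attributed to its parent (Response or Assertion).
func InspectSignatures(doc string) (SignatureReport, error) {
	var rep SignatureReport
	dec := xml.NewDecoder(strings.NewReader(doc))
	var stack []xml.Name
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return rep, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			n := t.Name // Space holds the resolved namespace URI
			switch {
			case n.Space == nsSAML && n.Local == "Assertion":
				rep.Assertions++
			case n.Space == nsSAML && n.Local == "EncryptedAssertion":
				rep.EncryptedAssertions++
			case n.Space == nsDSig && n.Local == "Signature" && len(stack) > 0:
				parent := stack[len(stack)-1]
				if parent.Space == nsSAMLP && parent.Local == "Response" {
					rep.ResponseSigned = true
				} else if parent.Space == nsSAML && parent.Local == "Assertion" {
					rep.SignedAssertions++
				}
			}
			stack = append(stack, n)
		case xml.EndElement:
			stack = stack[:len(stack)-1]
		}
	}
	return rep, nil
}

// Constructed sample: unsigned Response whose single Assertion is signed,
// the shape the thread describes. Signature contents are placeholders.
const SampleUnsignedResponseSignedAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`

// Constructed sample: signed Response carrying an EncryptedAssertion, the case
// where a presence check on the raw document cannot see the inner signature.
const SampleSignedResponseEncryptedAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>`

func main() {
	for _, s := range []string{SampleUnsignedResponseSignedAssertion, SampleSignedResponseEncryptedAssertion} {
		rep, err := InspectSignatures(s)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%+v undecidable=%v\n", rep, rep.Undecidable())
	}
}
```

A service provider that wants to accept "unsigned response, signed assertions" would require `SignedAssertions == Assertions` when `ResponseSigned` is false, and when `Undecidable()` is true it would decrypt first and re-run the inspection on the decrypted assertion rather than treating the response as unsigned.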
This feature was added previously but I did cherry-pick the tests you added in [93d07ad]. Thanks!