
The Conditions element is required even though it's optional in the specification #322

Open
ThePetrov opened this issue Apr 2, 2021 · 1 comment

Comments

@ThePetrov (Contributor)

The SAML specification describes the Conditions element as optional (section 2.3.3). While that element is very useful and greatly enhances security, it's technically not required. As there may be IdPs which don't include this element, I think it's worthwhile to allow for that element to be absent from a valid SAML response.

ThePetrov added a commit to atlassian-forks/java-saml that referenced this issue Apr 2, 2021
- the conditions element is optional according to the spec
- require Conditions element to be present by default
- added new configuration option to allow lack of Conditions
@mauromol (Contributor)

mauromol commented Apr 2, 2021

Please see my comment on your PR: #323 (comment)

The fact that the <Conditions> element is optional in general doesn't mean that it's optional for the protocol and/or profile implemented by java-saml.
See, for instance, section 1.1 of the SAML 2.0 Profile specification:

> Another type of SAML profile defines a set of constraints on the use of a general SAML protocol or
> assertion capability for a particular environment or context of use. Profiles of this nature may constrain
> optionality, require the use of specific SAML functionality (for example, attributes, conditions, or bindings),
> and in other respects define the processing rules to be followed by profile actors.

Web SSO is IMHO one such profile, which adds further constraints on what the general schema says.

This of course does not prevent the implementation of an opt-in "less strict" behaviour, if the maintainers are willing.
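The two positions above (Conditions optional per the core schema, but required by the Web SSO profile and by java-saml's default) come down to one validation rule with a strict default and an explicit opt-in. The following is an added example, not java-saml's own code: a small Python validator for the SAML 2.0 Conditions element that rejects assertions with no Conditions unless `allow_missing_conditions` is set, and otherwise enforces NotBefore, NotOnOrAfter (with an optional clock-skew allowance) and AudienceRestriction. Element and attribute names come from the SAML 2.0 assertion schema; the sample assertions, the entity IDs and the `allow_missing_conditions` / `clock_skew_seconds` parameter names are constructed for this example.

```python
# Added example, not part of java-saml: strict-by-default handling of the
# SAML 2.0 <Conditions> element with an explicit opt-in for its absence.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
COND = f"{{{SAML_NS}}}Conditions"
AUD_RESTR = f"{{{SAML_NS}}}AudienceRestriction"
AUD = f"{{{SAML_NS}}}Audience"


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2021-04-02T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, expected_audience, now,
                        allow_missing_conditions=False, clock_skew_seconds=0):
    """Return (ok, reason) for the <Conditions> of a single <Assertion>.

    allow_missing_conditions=False is the strict default (an assertion with no
    <Conditions> is rejected); True is the opt-in "less strict" mode discussed
    in the issue. Conditions is looked up as a direct child of the Assertion
    so that nothing nested elsewhere in the document can stand in for it.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find(COND)
    if conditions is None:
        if allow_missing_conditions:
            return True, "no Conditions element (accepted by explicit opt-in)"
        return False, "Conditions element missing"

    skew = timedelta(seconds=clock_skew_seconds)
    not_before = conditions.get("NotBefore")
    if not_before is not None and now + skew < _parse_time(not_before):
        return False, "assertion not yet valid (NotBefore)"
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= _parse_time(not_on_or_after):
        return False, "assertion expired (NotOnOrAfter)"

    # Every AudienceRestriction must be satisfied; within one restriction any
    # listed Audience may match the SP's entityID.
    for restriction in conditions.findall(AUD_RESTR):
        audiences = [a.text.strip() for a in restriction.findall(AUD) if a.text]
        if expected_audience not in audiences:
            return False, "audience mismatch"
    return True, "conditions satisfied"


# Constructed sample assertions (not real IdP output; signatures omitted).
ASSERTION_WITH_CONDITIONS = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0" IssueInstant="2021-04-02T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2021-04-02T10:00:00Z" NotOnOrAfter="2021-04-02T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

ASSERTION_WITHOUT_CONDITIONS = f"""
<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example2" Version="2.0" IssueInstant="2021-04-02T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
</saml:Assertion>
"""

SP_ENTITY_ID = "https://sp.example.test/metadata"


def demo():
    # Evaluate the sample assertions at a fixed "now" inside the validity window.
    now = datetime(2021, 4, 2, 10, 2, 0, tzinfo=timezone.utc)
    return {
        "strict_with_conditions": validate_conditions(ASSERTION_WITH_CONDITIONS, SP_ENTITY_ID, now)[0],
        "strict_without_conditions": validate_conditions(ASSERTION_WITHOUT_CONDITIONS, SP_ENTITY_ID, now)[0],
        "relaxed_without_conditions": validate_conditions(
            ASSERTION_WITHOUT_CONDITIONS, SP_ENTITY_ID, now, allow_missing_conditions=True)[0],
        "expired": validate_conditions(ASSERTION_WITH_CONDITIONS, SP_ENTITY_ID, now + timedelta(minutes=10))[0],
        "wrong_audience": validate_conditions(ASSERTION_WITH_CONDITIONS, "https://other.example.test", now)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The design choice worth noting is that relaxing the rule is a deliberate, per-deployment flag rather than a change to the default: an SP that accepts assertions with no validity window or audience restriction is accepting tokens that are replayable indefinitely and usable at any SP the IdP serves, so the strict behaviour stays the default and the opt-in should only be enabled for a specific IdP that is known not to emit Conditions.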

ThePetrov added a commit to atlassian-forks/java-saml that referenced this issue Apr 23, 2021
- the conditions element is optional according to the spec
- require Conditions element to be present by default
- added new configuration option to allow lack of Conditions