Conditions and AudienceRestriction validation #335
We could agree on making the `AudienceRestriction` element required, but that is going to be a behavior change, so maybe we need to control it with a security setting. `checkOneCondition` is covered by the schema validator, but I don't see such an extra check as something bad.
@mauromol Do you have a PR for this one?
No, because I still have some doubts. First of all, is a dedicated security setting for this really worth it? Considering that:
So, I would be inclined to implement this without any further "flag" to enable it. Or, on the contrary, to add a flag to disable it, to explicitly preserve backward compatibility (or to go even further, as requested in #322: what do you think about it?); however, I was wondering whether it's worth the effort. With regards to
@pitbulk what do you then think about this? I can add the additional check to
An in-depth discussion is at #323.
This is somewhat related to #322, but it's more targeted at SAML specification compliancy.
The SAML 2.0 specification says:
So, since the `<AudienceRestriction>` element appears within `<Conditions>`, although the `<Conditions>` element is optional in the schema, it should be present BECAUSE it should contain AT LEAST one `AudienceRestriction` matching the SP entity id.

What java-saml is doing right now is:

- `com.onelogin.saml2.authn.SamlResponse.checkOneCondition()`: it checks that there is exactly one `<Conditions>` element; the javadoc says "checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique", but the latter part is useless because the schema already enforces that at most one such element is present; so, since that check is made after performing schema validation (at least if schema validation is enabled...), the check is partially useless
- `com.onelogin.saml2.authn.SamlResponse.validateAudiences()`: checks that, if any `<AudienceRestriction>` element exists, at least one of them is equal to the SP entity id

This said, considering what the specification requires, I think that the above two methods could be changed like this:

- `com.onelogin.saml2.authn.SamlResponse.validateAudiences()`: make validation fail if `validAudiences` is empty
- `com.onelogin.saml2.authn.SamlResponse.checkOneCondition()`, because it becomes redundant by the above check, especially if it's moved at the same position of the `checkOneCondition()` call in `com.onelogin.saml2.authn.SamlResponse.isValid(String)`

What do you think?
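As an added example (not java-saml code, and not part of the post above), here is the distinction the thread draws, written in Python over constructed sample responses: the permissive audience check, which skips validation when no `<AudienceRestriction>` is present, beside the strict variant proposed above, which rejects an assertion without one (and therefore also an assertion without `<Conditions>`, which is why a separate `checkOneCondition()` becomes redundant). The strict variant additionally evaluates each `<AudienceRestriction>` on its own, as SAML 2.0 Core section 2.5.1.4 requires; that last point goes beyond the thread. The entity ids, the response skeleton, the sample names and the function names are assumptions made for the example.

```python
"""Audience validation for a SAML 2.0 Response, as discussed in the thread.

Added example (not java-saml code): a permissive check of the kind the
thread describes as current, next to the strict check proposed above,
run over constructed sample responses.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

SP_ENTITY_ID = "https://sp.example.com/metadata"  # assumed SP entity id


def _response(conditions_xml: str) -> str:
    """Wrap a <Conditions> fragment in a minimal Response skeleton.
    Constructed sample: the signature, Subject and AuthnStatement are omitted
    because only the Conditions/AudienceRestriction check is demonstrated."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    {conditions_xml}
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples covering the cases the thread distinguishes.
SAMPLE_OK = _response(
    "<saml:Conditions><saml:AudienceRestriction>"
    f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>")
SAMPLE_WRONG_AUDIENCE = _response(
    "<saml:Conditions><saml:AudienceRestriction>"
    "<saml:Audience>https://other-sp.example.net/metadata</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>")
SAMPLE_NO_RESTRICTION = _response("<saml:Conditions/>")
SAMPLE_NO_CONDITIONS = _response("")
# Two independent restrictions; only the second one names this SP.
SAMPLE_MIXED_RESTRICTIONS = _response(
    "<saml:Conditions>"
    "<saml:AudienceRestriction>"
    "<saml:Audience>https://other-sp.example.net/metadata</saml:Audience>"
    "</saml:AudienceRestriction>"
    "<saml:AudienceRestriction>"
    f"<saml:Audience>{SP_ENTITY_ID}</saml:Audience>"
    "</saml:AudienceRestriction>"
    "</saml:Conditions>")


def _audience_sets(response_xml: str) -> List[Set[str]]:
    """Return one set of Audience URIs per <AudienceRestriction> element.
    ET.fromstring does not fetch external entities or DTDs, so this stays
    offline; a real SP would schema-validate and verify the signature first."""
    root = ET.fromstring(response_xml)
    restrictions = root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction", NS)
    return [
        {a.text.strip() for a in r.findall("saml:Audience", NS) if a.text}
        for r in restrictions
    ]


def validate_audiences_permissive(response_xml: str, sp_entity_id: str) -> Optional[str]:
    """Behaviour the thread describes as current: if no AudienceRestriction is
    present the check is skipped; otherwise any matching Audience suffices.
    Returns None when accepted, else a reason string."""
    sets = _audience_sets(response_xml)
    if not sets:
        return None  # nothing to check, so the response is accepted
    if any(sp_entity_id in s for s in sets):
        return None
    return "audience mismatch"


def validate_audiences_strict(response_xml: str, sp_entity_id: str) -> Optional[str]:
    """Check proposed in the thread: an assertion with no AudienceRestriction is
    rejected, which also rejects a missing <Conditions> and so makes a separate
    checkOneCondition() redundant. Each AudienceRestriction is then evaluated
    independently (SAML 2.0 Core 2.5.1.4); that part goes beyond the thread."""
    sets = _audience_sets(response_xml)
    if not sets:
        return "no AudienceRestriction in Conditions"
    failing = [s for s in sets if sp_entity_id not in s]
    if failing:
        return f"{len(failing)} AudienceRestriction(s) do not name {sp_entity_id}"
    return None


if __name__ == "__main__":
    for name, xml in [("ok", SAMPLE_OK), ("wrong", SAMPLE_WRONG_AUDIENCE),
                      ("no-restriction", SAMPLE_NO_RESTRICTION),
                      ("no-conditions", SAMPLE_NO_CONDITIONS),
                      ("mixed", SAMPLE_MIXED_RESTRICTIONS)]:
        print(f"{name:15} permissive={validate_audiences_permissive(xml, SP_ENTITY_ID)!r:22} "
              f"strict={validate_audiences_strict(xml, SP_ENTITY_ID)!r}")
```

The two samples without an audience show the gap the issue is about: the permissive check accepts an assertion that never names this SP, so an assertion issued for any other SP (or for none) is usable here unless the IdP happens to emit an `<AudienceRestriction>`; the strict check rejects both. The mixed sample shows why "at least one of them" is not the same as the specification's per-element evaluation.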