[keycloak-dev] Keycloak SAML response 'Destination' Element is always validated.

Arulkumar Ponnusamy parul.com at gmail.com
Thu Jan 28 10:21:43 EST 2016


Yep.. We are trying to integrate with Ping Federate IDP and it causing the
authentication failure. But, Ping federate does not give Destination
element  for signed xml too which we need to follow up with Ping federate.
On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke at redhat.com> wrote:

> Yes, we validate it.  Is this a problem with some third party saml
> integration?
>
> On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
>
> As per OASIS/SAML spec recommendation, If the message is signed, the
> Destination XML attribute in the root SAML element of the protocol message
> MUST contain the URL to which the sender has instructed the user agent to
> deliver the message. The recipient MUST then verify that the value matches
> the location at which the message has been received.
>
> However, in keycloak, always validate the 'Destination'  on saml response.
> irrespective of response is signed or not.
>
> is not a defect?
>
> Thanks,
> Arul kumar P.
>
>
> _______________________________________________
> keycloak-dev mailing listkeycloak-dev at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> --
> Bill Burke
> JBoss, a division of Red Hathttp://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160128/dd3a2fb9/attachment.html 


More information about the keycloak-dev mailing list