<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, we validate it. Is this a problem with some third-party SAML
integration?<br>
<br>
<div class="moz-cite-prefix">On 1/28/2016 5:31 AM, Arulkumar
Ponnusamy wrote:<br>
</div>
<blockquote
cite="mid:CAFj68vV0w88S7Z1HZyry3nUxvqdkr7DAfVALOKuOkce4LFOBmQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><span dir="ltr" class="" lang="">As per OASIS/SAML
spec recommendation, if the message is signed, the
Destination XML attribute in the root SAML element of
the protocol message MUST contain the URL to which the
sender has instructed the user agent to deliver the
message. The recipient MUST then verify that the value
matches the location at which the message has been
received.<br>
<br>
</span></div>
<span dir="ltr" class="" lang="">However, Keycloak always
validates the 'Destination' on the SAML response,
irrespective of whether the response is signed or not. <br>
<br>
</span></div>
<span dir="ltr" class="" lang="">Is this not a defect?<br>
<br>
</span></div>
<span dir="ltr" class="" lang="">Thanks,<br>
</span></div>
<span dir="ltr" class="" lang="">Arul kumar P.<br>
</span></div>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
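<br>
The Destination rule discussed in this thread, as an added example that is not part of either message and is not Keycloak's code: it compares a "signed_only" policy (the quoted spec rule) with an "always" policy, and shows that the two differ only for unsigned responses. The function names, policy names, endpoint URL and sample messages are constructed for illustration, and rejecting a missing Destination under "always" is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
ACS_URL = "https://sp.example.test/saml/acs"  # constructed endpoint, not from the thread


def check_destination(xml_text, received_at, policy="always"):
    """Return (accepted, reason). Signature verification itself is out of scope.

    policy="signed_only": enforce Destination only on signed messages.
    policy="always": enforce on every message (missing Destination is
    rejected here, which is an assumption of this example).
    """
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    if not root.tag.startswith(SAMLP):
        return False, "root is not a SAML protocol element"
    # A message-level enveloped signature is a direct child of the root element.
    signed = root.find(DSIG + "Signature") is not None
    destination = root.get("Destination")
    if not signed and policy == "signed_only":
        return True, "unsigned: Destination not enforced"
    if destination is None:
        return False, "Destination missing"
    if destination != received_at:  # exact string match, no URL normalisation
        return False, "Destination mismatch"
    return True, "Destination matches"


def make_response(destination=None, signed=False):
    """Build a constructed, minimal Response; the signature is a placeholder."""
    attr = ' Destination="%s"' % destination if destination else ""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' ID="_constructed1" Version="2.0"%s>%s</samlp:Response>' % (attr, sig))


if __name__ == "__main__":
    other = "https://other.example.test/saml/acs"  # constructed mismatching URL
    for dest, signed in [(ACS_URL, True), (other, True), (None, True),
                         (other, False), (None, False)]:
        msg = make_response(dest, signed)
        for policy in ("signed_only", "always"):
            print(signed, dest, policy, check_destination(msg, ACS_URL, policy))
```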
</body>
</html>