<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
IMO, they should provide it regardless.<br>
<br>
<div class="moz-cite-prefix">On 1/28/2016 10:21 AM, Arulkumar
Ponnusamy wrote:<br>
</div>
<blockquote
cite="mid:CAFj68vXjKjoYH_2WHFcD0zjXE_4nLyURYFDSOOebchoNFYjJig@mail.gmail.com"
type="cite">
<div dir="ltr">
<p dir="ltr">Yep. We are trying to integrate with the Ping Federate
IDP and it is causing the authentication failure. But Ping
Federate does not give the Destination element for signed XML either,
which we need to follow up on with Ping Federate. <br>
</p>
<div class="gmail_quote">On 28-Jan-2016 8:03 PM, "Bill Burke"
&lt;<a moz-do-not-send="true" href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>&gt; wrote:<br
type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Yes, we validate it.
Is this a problem with some third-party SAML integration?<br>
<br>
<div>On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><span dir="ltr" lang="">As per the OASIS/SAML
spec recommendation, if the message is
signed, the Destination XML attribute in the
root SAML element of the protocol message
MUST contain the URL to which the sender has
instructed the user agent to deliver the
message. The recipient MUST then verify that
the value matches the location at which the
message has been received.<br>
<br>
</span></div>
<span dir="ltr" lang="">However, Keycloak
always validates the 'Destination' on the SAML
response, irrespective of whether the response is signed
or not. <br>
<br>
</span></div>
<span dir="ltr" lang="">Is this not a defect?<br>
<br>
</span></div>
<span dir="ltr" lang="">Thanks,<br>
</span></div>
<span dir="ltr" lang="">Arul kumar P.<br>
</span></div>
<br>
<br>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</div>
<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
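<p>The Destination check discussed in this thread, as an added example that is not Keycloak's code and not part of the original messages: it contrasts always requiring Destination with requiring it only on signed messages. The function names, the <code>always_require</code> flag, the endpoint URL and the sample messages are assumptions constructed for illustration.</p>
<pre>
```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ACS_URL = "https://sp.example.org/saml/acs"  # constructed receiving endpoint


def is_message_signed(root):
    # Presence of a ds:Signature child on the protocol message root only.
    # Verifying that signature is a separate step and is not shown here.
    return root.find("{%s}Signature" % DSIG) is not None


def check_destination(root, received_at, always_require=True):
    """Return (accepted, reason) for the root element of a SAML protocol message.

    always_require=True  : reject any message lacking Destination (the
                           behaviour the thread describes).
    always_require=False : require Destination only on signed messages (the
                           spec wording quoted in the thread).
    A Destination that is present is compared in both modes (exact string match).
    """
    destination = root.get("Destination")
    if destination is None:
        if is_message_signed(root):
            return False, "signed message without Destination"
        if always_require:
            return False, "Destination missing"
        return True, "unsigned message, Destination not required"
    if destination != received_at:
        return False, "Destination does not match receiving endpoint"
    return True, "Destination matches"


def build_response(destination=None, signed=False):
    # Constructed sample message: a bare samlp:Response root, with an empty
    # ds:Signature placeholder when signed=True.
    root = ET.Element("{%s}Response" % SAMLP, {"ID": "_constructed1", "Version": "2.0"})
    if destination is not None:
        root.set("Destination", destination)
    if signed:
        ET.SubElement(root, "{%s}Signature" % DSIG)
    return root


if __name__ == "__main__":
    for dest, signed in [(ACS_URL, True), (None, True), (None, False)]:
        msg = build_response(dest, signed)
        for strict in (True, False):
            print(dest, signed, strict, check_destination(msg, ACS_URL, strict))
```
</pre>
<p>A signed message without Destination is rejected in both modes, so relaxing the check for unsigned messages would not by itself accept the signed case described in the thread.</p>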
</body>
</html>