<div dir="ltr"><p dir="ltr">Yep. We are trying to integrate with the Ping Federate IDP and it is causing the authentication failure. But Ping Federate does not give the Destination element for signed XML either, which we need to follow up on with Ping Federate.<br></p>
<div class="gmail_quote">On 28-Jan-2016 8:03 PM, &quot;Bill Burke&quot; &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Yes, we validate it.  Is this a problem with some third-party SAML
    integration?<br>
    <br>
    <div>On 1/28/2016 5:31 AM, Arulkumar
      Ponnusamy wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div><span dir="ltr" lang="">As per the OASIS/SAML
                  spec recommendation, if the message is signed, the
                  Destination XML attribute in the root SAML element of
                  the protocol message MUST contain the URL to which the
                  sender has instructed the user agent to deliver the
                  message. The recipient MUST then verify that the value
                  matches the location at which the message has been
                  received.<br>
                  <br>
                </span></div>
              <span dir="ltr" lang="">However, Keycloak
                always validates the &#39;Destination&#39; on the SAML response,
                irrespective of whether the response is signed or not. <br>
                <br>
              </span></div>
            <span dir="ltr" lang="">Is this not a defect?<br>
              <br>
            </span></div>
          <span dir="ltr" lang="">Thanks,<br>
          </span></div>
        <span dir="ltr" lang="">Arul kumar P.<br>
        </span></div>
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
    </blockquote>
    <br>
    <pre cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
  </div>

</blockquote></div>
</div>
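<p>The two Destination policies discussed in this thread, as an added Python example that is not from the thread or from Keycloak's code: <code>spec</code> requires Destination only on signed messages, <code>always</code> requires it on every response. All names, the sample messages and the URL are constructed; the presence of a ds:Signature child stands in for real signature verification, and rejecting a missing Destination under <code>always</code> is an assumption.</p>

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ACS_URL = "https://sp.example.test/saml/acs"  # constructed receiving endpoint


def make_response(destination=None, signed=False):
    """Build a constructed, minimal samlp:Response for the demonstration."""
    dest = f' Destination="{destination}"' if destination else ""
    sig = f'<ds:Signature xmlns:ds="{DSIG}"/>' if signed else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"'
            f'{dest}>{sig}</samlp:Response>')


def check_destination(xml_text, received_at, policy="spec"):
    """Return (accepted, reason) for the Destination attribute of a Response.

    policy="spec":   Destination is mandatory only when the message is signed.
    policy="always": Destination is mandatory on every response (assumed to
                     model the behaviour the thread attributes to Keycloak).
    A Destination that is present is compared with received_at in both modes.
    Signature validity itself is NOT checked here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    signed = root.find(f"{{{DSIG}}}Signature") is not None
    dest = root.get("Destination")
    if dest is None:
        if signed:
            return False, "signed message lacks Destination"
        if policy == "always":
            return False, "Destination required by policy"
        return True, "unsigned message, Destination not required"
    if dest != received_at:
        return False, "Destination does not match receiving URL"
    return True, "Destination matches"


if __name__ == "__main__":
    cases = {
        "unsigned, no Destination": make_response(),
        "signed, no Destination": make_response(signed=True),
        "signed, matching": make_response(ACS_URL, signed=True),
        "signed, other URL": make_response("https://other.example.test/acs", True),
    }
    for name, xml_text in cases.items():
        for policy in ("spec", "always"):
            print(f"{name:26} {policy:7}", check_destination(xml_text, ACS_URL, policy))
```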