<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I would say that I'd be reluctant to turn it off. I think this
could be used with the classic case of:<br>
<br>
1. Attacker authenticates with his account at the SAML IDP<br>
2. Attacker saves the response from the IDP<br>
3. Attacker tricks the user into visiting their rogue website, then tricks
the browser into reposting the SAML response<br>
4. The user now thinks they are logged in, but they are logged in as the
attacker.<br>
<br>
<div class="moz-cite-prefix">On 1/31/2016 11:11 PM, Arulkumar
Ponnusamy wrote:<br>
</div>
<blockquote
cite="mid:CAFj68vUtyBqyDYf5ot1ncZqiASy9RcY39U+Z-xVk=4_zYsKToA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hi Bill,<br>
</div>
As per the SAML spec, this Destination element is optional. Doesn't
that make this validation optional? <br>
<br>
</div>
SAML Spec says, <br>
<div>
<div>
<div>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:10pt;font-family:CourierNewPSMT">Destination
</span><span style="font-size:10pt;font-family:ArialMT">[Optional]</span></p>
<p class="MsoNormal"><span
style="font-size:10pt;font-family:ArialMT">A URI
reference indicating the address to which this
request has been sent. This is useful to prevent
malicious forwarding of requests to unintended recipients,
a protection that is required by some
protocol bindings. If it is present, the actual recipient
MUST check that the URI reference identifies the
location at which the message was received. If it does
not, the request MUST be discarded. Some
protocol bindings may require the use of this attribute (see
[SAMLBind]).</span></p>
<br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Jan 28, 2016 at 9:08 PM, Bill
Burke <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> IMO, they should
provide it regardless.
<div>
<div class="h5"><br>
<br>
<div>On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<p dir="ltr">Yep. We are trying to integrate with
the Ping Federate IDP and it is causing the
authentication failure. But Ping Federate does
not give the Destination element for signed XML
either, which we need to follow up on with Ping Federate. <br>
</p>
<div class="gmail_quote">On 28-Jan-2016 8:03 PM,
"Bill Burke" <<a moz-do-not-send="true"
href="mailto:bburke@redhat.com"
target="_blank">bburke@redhat.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Yes, we
validate it. Is this a problem with some
third party saml integration?<br>
<br>
<div>On 1/28/2016 5:31 AM, Arulkumar
Ponnusamy wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div><span dir="ltr" lang="">As
per the OASIS/SAML spec
recommendation, if the message
is signed, the Destination XML
attribute in the root SAML
element of the protocol
message MUST contain the URL
to which the sender has
instructed the user agent to
deliver the message. The
recipient MUST then verify
that the value matches the
location at which the message
has been received.<br>
<br>
</span></div>
<span dir="ltr" lang="">However,
Keycloak always validates the
'Destination' on the SAML response,
irrespective of whether the response is
signed or not. <br>
<br>
</span></div>
<span dir="ltr" lang="">Is this not a
defect?<br>
<br>
</span></div>
<span dir="ltr" lang="">Thanks,<br>
</span></div>
<span dir="ltr" lang="">Arul kumar P.<br>
</span></div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
<pre cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a moz-do-not-send="true" href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
</div>
<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
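<p>Added example, not Keycloak's code and not posted by anyone in this thread: a stand-alone Python check of the Destination rule quoted above. It validates a Response's <code>Destination</code> against the ACS URL the message actually arrived at, requires the attribute on signed messages as the spec mandates, and has an <code>always_require</code> switch for the stricter policy the thread describes for Keycloak (require and validate it whether or not the message is signed). The ACS URLs, the sample Response and its placeholder <code>ds:Signature</code> element are constructed for the demonstration; XML-DSig verification is a separate step and is not performed here. Note that this check catches a message forwarded to an unintended recipient; a message replayed to the recipient it was originally addressed to needs InResponseTo and assertion-ID replay tracking on top of it.</p>

```python
"""Destination attribute validation for an inbound SAML 2.0 protocol message.

Added example: not Keycloak code. Sample URLs and messages are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed ACS locations for the demonstration (not real endpoints).
ACS = "https://sp.example.test/saml/acs"
OTHER_ACS = "https://other-sp.example.test/saml/acs"


class DestinationError(ValueError):
    """Raised when the message MUST be discarded under the Destination rules."""


def canonical_location(url: str) -> str:
    """Normalize scheme/host case and default ports so trivial spelling
    differences do not cause a false mismatch; path and query are kept
    verbatim, since the URI must identify *the* location we received at."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{parts.path}{query}"


def check_destination(saml_xml: bytes, received_at: str,
                      always_require: bool) -> Optional[str]:
    """Return the accepted Destination (None when it is legitimately absent)
    or raise DestinationError when the message must be discarded.

    always_require=False: only what the spec mandates (required when signed,
    validated whenever present).  always_require=True: the stricter policy
    the thread attributes to Keycloak.
    """
    # ElementTree does not fetch external entities, but for untrusted SAML in
    # production parse with defusedxml or another XXE-hardened parser.
    root = ET.fromstring(saml_xml)
    if not root.tag.startswith(f"{{{SAMLP}}}"):
        raise DestinationError(f"not a SAML protocol message: {root.tag}")
    signed = root.find(f"{{{DSIG}}}Signature") is not None
    destination = root.get("Destination")
    if destination is None:
        if signed:
            raise DestinationError("Destination missing on a signed message")
        if always_require:
            raise DestinationError("Destination missing (policy requires it)")
        return None
    if canonical_location(destination) != canonical_location(received_at):
        raise DestinationError(
            f"Destination {destination!r} does not identify the location "
            f"{received_at!r} at which the message was received")
    return destination


def build_response(destination: Optional[str], signed: bool) -> bytes:
    """Constructed sample Response (not captured from any IdP).  The Signature
    element is a structural placeholder only, with no real signature value."""
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    sig = (f'<ds:Signature xmlns:ds="{DSIG}"><ds:SignatureValue>'
           "cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>") if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_c0ffee" Version="2.0" '
        f'IssueInstant="2016-01-28T10:21:00Z"{dest_attr}>{sig}'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    ).encode()


if __name__ == "__main__":
    # Legitimate: Destination names our ACS (case/default-port differences tolerated).
    ok = build_response("HTTPS://SP.example.test:443/saml/acs", signed=True)
    print("accepted:", check_destination(ok, ACS, always_require=True))
    cases = [
        ("forwarded to the wrong SP", build_response(OTHER_ACS, True), False),
        ("signed but no Destination", build_response(None, True), False),
        ("unsigned, strict policy", build_response(None, False), True),
    ]
    for label, xml, policy in cases:
        try:
            check_destination(xml, ACS, always_require=policy)
        except DestinationError as exc:
            print(f"rejected ({label}):", exc)
```

Run it as a script to see one accepted message and three rejections; the unsigned, Destination-less message is accepted only with <code>always_require=False</code>, which is exactly the behaviour difference the thread is arguing about.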
</body>
</html>