<div dir="ltr"><div><div>Hi Bill,<br></div>As per the SAML spec, this Destination element is optional. Does this not make this validation optional? <br><br></div>The SAML spec says: <br><div><div><div>

<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10pt;font-family:CourierNewPSMT">Destination </span><span style="font-size:10pt;font-family:ArialMT">[Optional]</span></p>

<p class="MsoNormal" style="text-autospace:none"><span style="font-size:10pt;font-family:ArialMT">A URI reference indicating the address to which this request has been sent. This is useful to prevent malicious forwarding of requests to unintended recipients, a protection that is required by some protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the location at which the message was received. If it does not, the request MUST be discarded. Some protocol bindings may require the use of this attribute (see [SAMLBind]).</span></p>

<br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 28, 2016 at 9:08 PM, Bill Burke <span dir="ltr">&lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    IMO, they should provide it regardless.<div><div class="h5"><br>
    <br>
    <div>On 1/28/2016 10:21 AM, Arulkumar
      Ponnusamy wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <p dir="ltr">Yep. We are trying to integrate with the Ping Federate
          IdP and it is causing the authentication failure. But Ping
          Federate does not give the Destination element for signed XML either,
          which we need to follow up on with Ping Federate. <br>
        </p>
        <div class="gmail_quote">On 28-Jan-2016 8:03 PM, &quot;Bill Burke&quot;
          &lt;<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt; wrote:<br type="attribution">
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Yes, we validate it.
              Is this a problem with some third-party SAML integration?<br>
              <br>
              <div>On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:<br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">
                  <div>
                    <div>
                      <div>
                        <div><span dir="ltr" lang="">As per the OASIS SAML
                            spec recommendation, if the message is
                            signed, the Destination XML attribute in the
                            root SAML element of the protocol message
                            MUST contain the URL to which the sender has
                            instructed the user agent to deliver the
                            message. The recipient MUST then verify that
                            the value matches the location at which the
                            message has been received.<br>
                            <br>
                          </span></div>
                        <span dir="ltr" lang="">However, Keycloak
                          always validates the &#39;Destination&#39; on the SAML
                          response, irrespective of whether the response is signed
                          or not. <br>
                          <br>
                        </span></div>
                      <span dir="ltr" lang="">Is this not a defect?<br>
                        <br>
                      </span></div>
                    <span dir="ltr" lang="">Thanks,<br>
                    </span></div>
                  <span dir="ltr" lang="">Arul kumar P.<br>
                  </span></div>
                <br>
                <fieldset></fieldset>
                <br>
                <pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
              </blockquote>
              <br>
              <pre cols="72">-- 
Bill Burke
JBoss, a division of Red Hat
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a></pre>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
  </div></div></div>

</blockquote></div><br></div>
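<p>The two rules the thread turns on, as an added Python example that is not Keycloak code and was not written by anyone in this thread: the spec text quoted above ("if present, it MUST identify the location at which the message was received, otherwise discard") and the binding rule quoted earlier in the thread ("if the message is signed, Destination MUST be present and match"). The example assumes the service provider knows the URL at which it received the message, treats a <code>ds:Signature</code> that is a direct child of the root element as "the message is signed" (signature verification itself is a separate step and is not performed here), and uses constructed sample messages rather than real IdP output.</p>

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def normalize_location(url: str) -> str:
    """Canonical form of an endpoint URL for comparison: lower-case scheme and
    host, default ports dropped, path kept as-is. Query and fragment are
    ignored (assumption: the endpoint identity is scheme + host + port + path)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        port_part = ""
    else:
        port_part = f":{port}"
    return f"{scheme}://{host}{port_part}{parts.path or '/'}"


def check_destination(message_xml: str, received_at: str) -> tuple[bool, str]:
    """Apply the Destination rule to the root element of a SAML 2.0 protocol
    message. Returns (accept, reason).

    - Destination absent, message unsigned: the rule does not apply.
    - Destination absent, message signed: the binding requires it, so discard.
    - Destination present: it MUST identify the receiving location, else discard.

    "Signed" here means a ds:Signature is a direct child of the root element;
    the signature is not verified by this function."""
    root = ET.fromstring(message_xml)
    if not root.tag.startswith("{" + SAMLP_NS + "}"):
        return False, "root element is not a SAML 2.0 protocol message"
    destination = root.get("Destination")
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    if destination is None:
        if signed:
            return False, "signed message carries no Destination: discard"
        return True, "Destination absent on unsigned message: rule not applicable"
    if normalize_location(destination) != normalize_location(received_at):
        return False, (f"Destination {destination!r} is not where the message "
                       f"was received ({received_at!r}): discard")
    return True, "Destination identifies the receiving location"


# Constructed sample messages (not real IdP output); signature contents omitted.
ACS_URL = "https://sp.example.test/saml/acs"

RESPONSE_OK = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    f'IssueInstant="2016-01-28T00:00:00Z" Destination="{ACS_URL}"/>'
)
RESPONSE_WRONG_DEST = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0" '
    f'IssueInstant="2016-01-28T00:00:00Z" '
    f'Destination="https://other-sp.example.test/saml/acs"/>'
)
RESPONSE_SIGNED_NO_DEST = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r3" Version="2.0" '
    f'IssueInstant="2016-01-28T00:00:00Z">'
    f'<ds:Signature xmlns:ds="{DSIG_NS}"/></samlp:Response>'
)
RESPONSE_UNSIGNED_NO_DEST = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r4" Version="2.0" '
    f'IssueInstant="2016-01-28T00:00:00Z"/>'
)

if __name__ == "__main__":
    samples = [
        ("matching Destination", RESPONSE_OK),
        ("wrong Destination", RESPONSE_WRONG_DEST),
        ("signed, no Destination", RESPONSE_SIGNED_NO_DEST),
        ("unsigned, no Destination", RESPONSE_UNSIGNED_NO_DEST),
    ]
    for name, msg in samples:
        accept, reason = check_destination(msg, ACS_URL)
        print(f"{name:26s} accept={accept} ({reason})")
```

<p>The comparison is done on a normalized form so that a Destination of <code>https://sp.example.test/saml/acs</code> still matches a message received at <code>https://SP.example.test:443/saml/acs</code>; anything beyond case and default-port normalization (for example, treating two different paths as the same endpoint) would weaken the protection the spec text describes.</p>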