Yes, we validate it. Is this a problem with some third party saml
On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
As per OASIS/SAML spec recommendation, If the message is signed, the
Destination XML attribute in the root SAML element of the protocol
message MUST contain the URL to which the sender has instructed the
user agent to deliver the message. The recipient MUST then verify that
the value matches the location at which the message has been received.
However, in keycloak, always validate the 'Destination' on saml
response. irrespective of response is signed or not.
is not a defect?
Arul kumar P.
keycloak-dev mailing list
JBoss, a division of Red Hat