Yes, we validate it. Is this a problem with some third party saml
On 1/28/2016 5:31 AM, Arulkumar
Arul kumar P.
is not a defect?
As per OASIS/SAML
spec recommendation, If the message is signed, the
Destination XML attribute in the root SAML element of
the protocol message MUST contain the URL to which the
sender has instructed the user agent to deliver the
message. The recipient MUST then verify that the value
matches the location at which the message has been
However, in keycloak,
always validate the 'Destination' on saml response.
irrespective of response is signed or not.
keycloak-dev mailing list
JBoss, a division of Red Hat