I would say that I'd be reluctant to turn it off.  I think this could be used with the classic case of:

1. Attacker authenticates with his account at SAML IDP
2. Attacker saves the response from the IDP
3. Attack tricks user to visit their rogue website, then tricks browser to repost the SAML response
4. user now thinks they are logged in, but they are logged in as the attacker.

On 1/31/2016 11:11 PM, Arulkumar Ponnusamy wrote:
Hi Bill,
As per SAML spec, this Destination element is optional. does not this validation is optional.

SAML Spec says,

Destination [Optional]

A URI reference indicating the address to which this request has been sent. This is useful to prevent

malicious forwarding of requests to unintended recipients, a protection that is required by some

protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the

location at which the message was received. If it does not, the request MUST be discarded. Some

protocol bindings may require the use of this attribute (see [SAMLBind]).



On Thu, Jan 28, 2016 at 9:08 PM, Bill Burke <bburke@redhat.com> wrote:
IMO, they should provide it irregardless.


On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:

Yep.. We are trying to integrate with Ping Federate IDP and it causing the authentication failure. But, Ping federate does not give Destination element  for signed xml too which we need to follow up with Ping federate.

On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke@redhat.com> wrote:
Yes, we validate it.  Is this a problem with some third party saml integration?

On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
As per OASIS/SAML spec recommendation, If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.

However, in keycloak, always validate the 'Destination'  on saml response. irrespective of response is signed or not.

is not a defect?

Thanks,
Arul kumar P.


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com