Re: [keycloak-dev] Keycloak SAML response 'Destination' Element is always validated.
Yep.. We are trying to integrate with Ping Federate IDP and it causing the
authentication failure. But, Ping federate does not give Destination
element for signed xml too which we need to follow up with Ping federate.
On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke(a)redhat.com> wrote:
Yes, we validate it. Is this a problem with some third party saml
integration?
On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
As per OASIS/SAML spec recommendation, If the message is signed, the
Destination XML attribute in the root SAML element of the protocol message
MUST contain the URL to which the sender has instructed the user agent to
deliver the message. The recipient MUST then verify that the value matches
the location at which the message has been received.
However, in keycloak, always validate the 'Destination' on saml response.
irrespective of response is signed or not.
is not a defect?
Thanks,
Arul kumar P.
_______________________________________________
keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hathttp://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
Attachments:
- attachment.html (text/html — 2.8 KB)