Destination [Optional]
A URI reference indicating the address to which this request has been sent. This is useful to prevent
malicious forwarding of requests to unintended recipients, a protection that is required by some
protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the
location at which the message was received. If it does not, the request MUST be discarded. Some
protocol bindings may require the use of this attribute (see [SAMLBind]).
IMO, they should provide it irregardless.
On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:
Yep.. We are trying to integrate with Ping Federate IDP and it causing the authentication failure. But, Ping federate does not give Destination element for signed xml too which we need to follow up with Ping federate.
On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke@redhat.com> wrote:
Yes, we validate it. Is this a problem with some third party saml integration?
On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
Arul kumar P.Thanks,is not a defect?As per OASIS/SAML spec recommendation, If the message is signed, the Destination XML attribute in the root SAML element of the protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the message has been received.However, in keycloak, always validate the 'Destination' on saml response. irrespective of response is signed or not.
_______________________________________________ keycloak-dev mailing list keycloak-dev@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
-- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com