I would say that I'd be reluctant to turn it off. I think this could be
used with the classic case of:
1. Attacker authenticates with his account at SAML IDP
2. Attacker saves the response from the IDP
3. Attack tricks user to visit their rogue website, then tricks browser
to repost the SAML response
4. user now thinks they are logged in, but they are logged in as the
On 1/31/2016 11:11 PM, Arulkumar Ponnusamy wrote:
As per SAML spec, this Destination element is optional. does not this
validation is optional.
SAML Spec says,
A URI reference indicating the address to which this request has been
sent. This is useful to prevent
malicious forwarding of requests to unintended recipients, a
protection that is required by some
protocol bindings. If it is present, the actual recipient MUST check
that the URI reference identifies the
location at which the message was received. If it does not, the
request MUST be discarded. Some
protocol bindings may require the use of this attribute (see [SAMLBind]).
On Thu, Jan 28, 2016 at 9:08 PM, Bill Burke <bburke(a)redhat.com
IMO, they should provide it irregardless.
On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:
> Yep.. We are trying to integrate with Ping Federate IDP and it
> causing the authentication failure. But, Ping federate does not
> give Destination element for signed xml too which we need to
> follow up with Ping federate.
> On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke(a)redhat.com
> <mailto:email@example.com>> wrote:
> Yes, we validate it. Is this a problem with some third party
> saml integration?
> On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
>> As per OASIS/SAML spec recommendation, If the message is
>> signed, the Destination XML attribute in the root SAML
>> element of the protocol message MUST contain the URL to
>> which the sender has instructed the user agent to deliver
>> the message. The recipient MUST then verify that the value
>> matches the location at which the message has been received.
>> However, in keycloak, always validate the 'Destination' on
>> saml response. irrespective of response is signed or not.
>> is not a defect?
>> Arul kumar P.
>> keycloak-dev mailing list
> Bill Burke
> JBoss, a division of Red Hat
> keycloak-dev mailing list
JBoss, a division of Red Hat