[keycloak-dev] Keycloak SAML response 'Destination' Element is always validated.
Bill Burke
bburke at redhat.com
Thu Jan 28 10:38:55 EST 2016
IMO, they should provide it regardless.
On 1/28/2016 10:21 AM, Arulkumar Ponnusamy wrote:
>
> Yep. We are trying to integrate with the Ping Federate IDP and it is
> causing the authentication failure. But Ping Federate does not give
> the Destination element for signed XML either, which we need to
> follow up with Ping Federate.
>
> On 28-Jan-2016 8:03 PM, "Bill Burke" <bburke at redhat.com> wrote:
>
> Yes, we validate it. Is this a problem with some third-party SAML
> integration?
>
> On 1/28/2016 5:31 AM, Arulkumar Ponnusamy wrote:
>> As per the OASIS/SAML spec recommendation, if the message is signed,
>> the Destination XML attribute in the root SAML element of the
>> protocol message MUST contain the URL to which the sender has
>> instructed the user agent to deliver the message. The recipient
>> MUST then verify that the value matches the location at which the
>> message has been received.
>>
>> However, Keycloak always validates the 'Destination' on the SAML
>> response, irrespective of whether the response is signed or not.
>>
>> Is this not a defect?
>>
>> Thanks,
>> Arul kumar P.
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
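
The two policies discussed in this thread, side by side, as an added example that is not part of the original messages and is not Keycloak's code. The function name, the endpoint URL and the sample responses are constructed for illustration, and the exact string comparison is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ACS_URL = "https://sp.example.test/saml/acs"  # constructed endpoint


def check_destination(response_xml, received_at, require_always=True):
    """Return (accepted, reason) for the Destination check only.

    require_always=True  -> the behaviour described in the thread (always validate).
    require_always=False -> the rule quoted in the thread (mandatory only when signed).
    Signature verification is out of scope here; a real SP must also verify it.
    """
    root = ET.fromstring(response_xml)
    destination = root.get("Destination")
    # A ds:Signature directly under the root marks a message-level signature.
    signed = root.find("ds:Signature", NS) is not None

    if destination is None:
        if require_always:
            return False, "Destination missing (always-validate policy)"
        if signed:
            return False, "Destination missing on a signed message"
        return True, "unsigned message without Destination"
    # Assumption of this example: exact string comparison, applied whenever present.
    if destination != received_at:
        return False, "Destination does not match receiving endpoint"
    return True, "Destination matches"


def sample_response(destination=None, signed=False):
    """Build a constructed, minimal Response; the signature is an empty placeholder."""
    dest = f' Destination="{destination}"' if destination else ""
    sig = "<ds:Signature/>" if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:ds="{NS["ds"]}" '
        f'ID="_constructed" Version="2.0"{dest}>{sig}</samlp:Response>'
    )


if __name__ == "__main__":
    for signed in (False, True):
        for strict in (True, False):
            xml = sample_response(signed=signed)
            print(signed, strict, check_destination(xml, ACS_URL, strict))
```

The two policies differ only for an unsigned response without a Destination; a signed response without one is rejected under both.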