Hello! Thanks for the library!
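In my testing, it appears that this library accepts a SAML Response as long as either the Response or its Assertion is signed; it does not require both to be signed. In the code below, a missing Response signature (`dsig.ErrMissingSignature`) is tolerated, and a missing Assertion signature is rejected only when the Response signature was not validated either.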
Lines 272 to 304 in 8690358
| var responseSignatureValidated bool | |
| if !sp.SkipSignatureValidation { | |
| el, err = sp.validateElementSignature(el) | |
| if err == dsig.ErrMissingSignature { | |
| // Unfortunately we just blew away our Response | |
| el = doc.Root() | |
| } else if err != nil { | |
| return nil, err | |
| } else if el == nil { | |
| return nil, fmt.Errorf("missing transformed response") | |
| } else { | |
| responseSignatureValidated = true | |
| } | |
| } | |
| err = sp.decryptAssertions(el) | |
| if err != nil { | |
| return nil, err | |
| } | |
| var assertionSignaturesValidated bool | |
| if !sp.SkipSignatureValidation { | |
| err = sp.validateAssertionSignatures(el) | |
| if err == dsig.ErrMissingSignature { | |
| if !responseSignatureValidated { | |
| return nil, fmt.Errorf("response and/or assertions must be signed") | |
| } | |
| } else if err != nil { | |
| return nil, err | |
| } else { | |
| assertionSignaturesValidated = true | |
| } | |
| } |
Would you accept a PR that makes it possible to require both the Response and the Assertion to be signed? Thanks