
Add additional CSRF protection when FusionAuth is functioning as a SAML IdP #2611

Closed
andrewpai opened this issue Jan 12, 2024 · 3 comments
Labels: enhancement (New feature or request), security
Milestone: 1.49.0

Comments


andrewpai commented Jan 12, 2024

Description

If a SAML state contains an unregistered redirect URI in its acs value, override it with the first registered URI.

Release Notes

Add additional protection against cross-site attacks when FusionAuth is acting as a SAML IdP.
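As an added illustration of the check the description asks for (example code, not FusionAuth's own; this issue does not show how FusionAuth compares ACS values), the resolver below honours the acs value carried in SAML state only when it exactly matches a registered URL, after normalising nothing but scheme/host case and an explicit default port, and otherwise falls back to the first registered URL. The registered list and the requested values are constructed sample data.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: the SP's registered ACS URLs, in the order
# they are configured (the first one is the fallback).
REGISTERED_ACS = [
    "https://sp.example.com/saml/acs",
    "https://sp-backup.example.com/saml/acs",
]

_DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical(url: str) -> str:
    """Normalise only what cannot change the destination: scheme/host case
    and an explicit default port. Path and query are compared as-is, so a
    different path (including '..' segments) never matches a registered URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # any userinfo is discarded here
    port = parts.port  # raises ValueError for a non-numeric port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def resolve_acs(requested_acs, registered_acs=REGISTERED_ACS) -> str:
    """Return the registered ACS URL the response should be sent to.

    The acs value in SAML state is caller-influenced, so it is used only
    when it matches a registered URL; a missing, malformed or unknown value
    is replaced by the first registered URL, as the issue describes.
    """
    if not registered_acs:
        raise ValueError("service provider has no registered ACS URL")
    if requested_acs:
        try:
            wanted = canonical(requested_acs)
        except ValueError:
            wanted = None  # unparsable input is treated as unknown
        for acs in registered_acs:
            if wanted is not None and canonical(acs) == wanted:
                return acs  # hand back the registered string, not the input
    return registered_acs[0]
```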

@andrewpai andrewpai added this to the 1.49.0 milestone Jan 12, 2024
robotdan (Member) commented

@andrewpai is this a bug, or an enhancement request?

@andrewpai andrewpai added the enhancement New feature or request label Jan 24, 2024
@andrewpai andrewpai changed the title from "Override unknown ACS values in SAML state with registered URI" to "Add additional CSRF protection when FusionAuth is functioning as a SAML IdP" Jan 24, 2024
@andrewpai andrewpai self-assigned this Jan 24, 2024

andrewpai (Author) commented Jan 24, 2024

@andrewpai is this a bug, or an enhancement request?

Updated as an enhancement, as the implementation adds additional cross-site protection.

@robotdan robotdan added this to Code complete in FusionAuth Issues Jan 24, 2024
@andrewpai andrewpai moved this from Code complete to Delivered in FusionAuth Issues Feb 28, 2024