Version checking on SAML response processing #334
Comments
I don't think a SAMLResponse Version 2.0 is going to have an Assertion 1.0 or 1.1... but if that is the case the XSD validation will raise an error, so I believe we can omit it.
I don't know what 1.0 or 1.1 assertions look like and I don't know whether some of them may be forward compatible with 2.0 assertions. What is sure is that the SAML 2.0 schema for assertions does not mandate that the
I'm ok if we verify the assertion version as well. I don't think an attack could be executed exploiting the version attribute, to be honest.
It must be 2.0, just like the Response version. Closes SAML-Toolkits#334.
When validating the SAML response, java-saml now checks that the `Version` attribute of `Response` is 2.0. However it does not check the `Version` attribute of the `Assertion`. Shouldn't it be checked as well?
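The check discussed in this thread, as an added example that is not java-saml's own code: a stand-alone version check over a parsed `samlp:Response` that requires `Version="2.0"` on the `Response` and on every unencrypted `saml:Assertion` child, and treats a missing attribute as a failure rather than a pass. The SAML 2.0 assertion schema types `Version` as a plain string, so schema validation alone does not pin the value, which is why an explicit comparison is needed. Function and class names (`check_saml_versions`, `version_problem`, `SamlVersionError`, `build_response`) are this example's own, the sample messages are constructed and carry no signature, and an `EncryptedAssertion` is assumed to have been decrypted before this check runs.

```python
"""Standalone SAML 2.0 Version attribute check (example code, not java-saml's)."""
from typing import List, Optional
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class SamlVersionError(ValueError):
    """Raised when a Response or Assertion is missing Version or is not 2.0."""


def _require_version(element: ET.Element, name: str, checked: List[str]) -> None:
    # Absent attribute is a failure: never let "no version" pass as "compatible".
    version = element.get("Version")
    if version is None:
        raise SamlVersionError(f"{name} has no Version attribute")
    if version != "2.0":
        raise SamlVersionError(f"{name} Version is {version!r}, expected '2.0'")
    checked.append(name)


def check_saml_versions(xml_text: str) -> List[str]:
    """Return the names of the elements whose Version was verified as 2.0.

    Checks the root samlp:Response and each direct saml:Assertion child.
    Assumption (example-specific): encrypted assertions were decrypted and
    replaced by plain saml:Assertion elements before this function is called.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise SamlVersionError(f"root element is {root.tag}, expected samlp:Response")

    checked: List[str] = []
    _require_version(root, "Response", checked)

    assertions = root.findall(f"{{{SAML_NS}}}Assertion")
    if not assertions:
        if root.findall(f"{{{SAML_NS}}}EncryptedAssertion"):
            raise SamlVersionError("Response holds only EncryptedAssertion; decrypt before checking")
        raise SamlVersionError("Response carries no saml:Assertion")
    for assertion in assertions:
        _require_version(assertion, "Assertion", checked)
    return checked


def version_problem(xml_text: str) -> Optional[str]:
    """Convenience wrapper: the error message on failure, None when the check passes."""
    try:
        check_saml_versions(xml_text)
    except SamlVersionError as exc:
        return str(exc)
    return None


def build_response(response_version: Optional[str], assertion_version: Optional[str]) -> str:
    """Constructed minimal sample (not a real IdP message): no Signature, Subject or Conditions.

    Pass None to omit the Version attribute from that element.
    """
    rv = f' Version="{response_version}"' if response_version is not None else ""
    av = f' Version="{assertion_version}"' if assertion_version is not None else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_r1" IssueInstant="2024-01-01T00:00:00Z"{rv}>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" IssueInstant="2024-01-01T00:00:00Z"{av}>'
        '<saml:Issuer>https://idp.example</saml:Issuer>'
        '</saml:Assertion>'
        '</samlp:Response>'
    )


if __name__ == "__main__":
    for rv, av in (("2.0", "2.0"), ("2.0", "1.1"), ("2.0", None), ("1.1", "2.0")):
        problem = version_problem(build_response(rv, av))
        print(f"Response={rv!r} Assertion={av!r}: {problem or 'ok'}")
```

The point of the `("2.0", "1.1")` and `("2.0", None)` cases is the one raised in the issue: a Response whose own `Version` is correct still fails if its Assertion's `Version` is wrong or absent. A production validator would run this after signature verification and schema validation, not instead of them.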