Version checking on SAML response processing

[mauromol]

When validating the SAML response, java-saml now checks that the Version attribute of Response is 2.0.
However it does not check the Version attribute of the Assertion.

Shouldn't it be checked as well?

[pitbulk]

I don't think a SAMLResponse Version 2.0 gonna have an Assertion 1.0 or 1.1 ... but if that the case the xsd validation will raise an error, so I believe we can omit it.

[mauromol]

I don't know how 1.0 or 1.1 assertions look like and I don't know whether some of them may be forward compatible with 2.0 assertions. What is sure is that the SAML 2.0 schema for assertions does not mandate that the Version attribute of AssertionType must be equal to 2.0, so, for instance, if a (malicious/erroneous?) response is received with a Version="3.0" on the assertion, the schema validation performed by java-saml won't fail: should it instead? I think that it should as much as a Response with Version="3.0" causes it to fail ;-)

[pitbulk]

Im ok if we verify the assertion version as well.
The check on the response was important to detect valid saml 1.1 responses to be identified and rejected.

I dont think an attack could be executed exploting the version attribute, to be honest.