From b92d951c058dcb753d370bed2e22ff85f918edf1 Mon Sep 17 00:00:00 2001
From: Anders Abel <anders@abel.nu>
Date: Mon, 11 Sep 2023 12:10:26 +0200
Subject: [PATCH] Validate response and assertion issuers are same

---
 Sustainsys.Saml2/SAML2P/Saml2Response.cs      |  2 ++
 .../Tests.Shared/Saml2P/Saml2ResponseTests.cs | 31 +++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/Sustainsys.Saml2/SAML2P/Saml2Response.cs b/Sustainsys.Saml2/SAML2P/Saml2Response.cs
index 2a3598a10..1d3fd1c9e 100644
--- a/Sustainsys.Saml2/SAML2P/Saml2Response.cs
+++ b/Sustainsys.Saml2/SAML2P/Saml2Response.cs
@@ -605,6 +605,8 @@ private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options, IdentityProvi
             validationParameters.ValidAudience = options.SPOptions.EntityId.Id;
             validationParameters.TokenReplayCache = options.SPOptions.TokenReplayCache;
             validationParameters.ValidateTokenReplay = true;
+            validationParameters.ValidIssuer = idp.EntityId.Id;
+            validationParameters.ValidateIssuer = true;
 
             options.Notifications.Unsafe.TokenValidationParametersCreated(validationParameters, idp, XmlElement);
 
diff --git a/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs b/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs
index 0b389c7a9..3d30ff120 100644
--- a/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs
+++ b/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs
@@ -24,6 +24,7 @@
 using X509SecurityKey = Microsoft.IdentityModel.Tokens.X509SecurityKey;
 using System.Collections.Generic;
 using Microsoft.IdentityModel.Logging;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Sustainsys.Saml2.Tests.Saml2P
 {
@@ -2506,5 +2507,35 @@ public void Saml2Response_SessionNotOnOrAfter_ThrowsIfCalledBeforeGetClaims()
                 .Should().Throw<InvalidOperationException>()
                 .WithMessage("*GetClaims*");
         }
+
+        [TestMethod]
+        public void Saml2Response_GetClaims_DifferentIssuers()
+        {
+            var response =
+            @"<?xml version=""1.0"" encoding=""UTF-8""?>
+            <saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
+            xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
+            ID = """ + MethodBase.GetCurrentMethod().Name + @""" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
+                <saml2:Issuer>https://idp.example.com</saml2:Issuer>
+                <saml2p:Status>
+                    <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
+                </saml2p:Status>
+                <saml2:Assertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
+                Version=""2.0"" ID=""" + MethodBase.GetCurrentMethod().Name + @"_Assertion1""
+                IssueInstant=""2013-09-25T00:00:00Z"">
+                    <saml2:Issuer>https://other.example.com</saml2:Issuer>
+                    <saml2:Subject>
+                        <saml2:NameID>SomeUser</saml2:NameID>
+                        <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
+                    </saml2:Subject>
+                    <saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
+                </saml2:Assertion>
+            </saml2p:Response>";
+
+            var signedResponse = SignedXmlHelper.SignXml(response);
+
+            Saml2Response.Read(signedResponse).Invoking(r => r.GetClaims(Options.FromConfiguration))
+                .Should().Throw<SecurityTokenInvalidIssuerException>();
+        }
     }
 }