Skip to content

Issuer Validation #712

Closed
Closed
@AndersAbel

Description

@AndersAbel

The issuer in the saml response is used to retreive signin keys and it is thus properly validated that the issuer of the response has access to the signing keys. The issuer in the assertion should also be validated, otherwise a malicious idp could craft a response where the assertion issuer identifies another Idp. It is the assertion issuer that is used to create the issuer property of the issued claims.
The issuer should also be validated against the issuer identified in the stored request state to prevent substition of encrypted request state.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions