Closed
Description
The issuer in the saml response is used to retreive signin keys and it is thus properly validated that the issuer of the response has access to the signing keys. The issuer in the assertion should also be validated, otherwise a malicious idp could craft a response where the assertion issuer identifies another Idp. It is the assertion issuer that is used to create the issuer property of the issued claims.
The issuer should also be validated against the issuer identified in the stored request state to prevent substition of encrypted request state.