Decode and track RequestIds #28

Open · wants to merge 1 commit into base: develop

Conversation

kmacgugan

  • When generating an authn request, generate unique ID and store it for
    a certain time (5 minutes).
  • When validating an assertion response, verify that the ID in
    InResponseTo (if present) matches one we know; then forget that one.

Note that both #esaml_response{} and #esaml_assertion{} get an
in_response_to field: the ID is present in both subtrees of the XML
document; but for validating an assertion response, only esaml_assertion
is used.

We chose not to add an ets table in esaml_utils and instead track the ID within our application; however, this could be an option here.

* Add ets table for tracking request IDs.
* When generating an authn request, generate unique ID and store it for
  a certain time (5 minutes).
* When validating an assertion response, verify that the ID in
  `InResponseTo` (if present) matches one we know; then forget that one.

Note that both #esaml_response{} and #esaml_assertion{} get an
`in_response_to` field: the ID is present in _both_ subtrees of the XML
document; but for validating an assertion response, only esaml_assertion
is used.
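The generate, store, verify and forget cycle described in this PR, written out as an Erlang module backed by an ets table. This is an added example and is not esaml's code or the code from this PR; the module name `saml_request_ids`, its function names and the `{Id, Expiry}` row layout are hypothetical, while the 5-minute lifetime is the one the description gives. The point of forgetting an ID once it has been matched is that a captured response replayed with the same `InResponseTo` is rejected the second time, and the expiry bounds how long a captured AuthnRequest ID stays usable.

```erlang
%% Added example (not esaml's own code): request-ID store with a 5-minute TTL
%% and single-use consumption, as described in the PR. Module and function
%% names are hypothetical.
-module(saml_request_ids).
-export([init/0, new_request_id/0, consume/1, purge_expired/0, demo/0]).

-define(TABLE, ?MODULE).
-define(TTL_SECONDS, 300).   % 5 minutes, the lifetime given in the PR text

%% Create the store. The calling process owns the table, so in a real
%% application this belongs in a long-lived process such as a gen_server.
init() ->
    ?TABLE = ets:new(?TABLE, [named_table, public, set]),
    ok.

%% Generate an unguessable ID, remember it with its expiry time and return it
%% for use as the AuthnRequest ID attribute. An XML xs:ID may not start with a
%% digit, hence the leading underscore.
new_request_id() ->
    Hex = [io_lib:format("~2.16.0b", [B]) || <<B>> <= crypto:strong_rand_bytes(16)],
    Id = lists:flatten(["_" | Hex]),
    Expiry = erlang:monotonic_time(second) + ?TTL_SECONDS,
    true = ets:insert(?TABLE, {Id, Expiry}),
    Id.

%% Check an InResponseTo value against the store and forget it on success, so
%% a replayed response carrying the same ID is rejected the second time.
%% Expired and unknown IDs are reported separately to aid debugging.
consume(Id) when is_list(Id) ->
    Now = erlang:monotonic_time(second),
    case ets:lookup(?TABLE, Id) of
        [{Id, Expiry}] when Expiry > Now ->
            true = ets:delete(?TABLE, Id),
            ok;
        [{Id, _Expired}] ->
            true = ets:delete(?TABLE, Id),
            {error, expired_request_id};
        [] ->
            {error, unknown_request_id}
    end;
consume(Id) when is_binary(Id) ->
    consume(binary_to_list(Id)).

%% Drop entries past their expiry. Call this periodically so IDs of requests
%% that never received a response do not accumulate in the table.
%% Returns the number of rows deleted.
purge_expired() ->
    Now = erlang:monotonic_time(second),
    ets:select_delete(?TABLE, [{{'_', '$1'}, [{'=<', '$1', Now}], [true]}]).

%% Walk-through: a fresh ID is accepted exactly once; a second presentation
%% of the same ID, or an ID we never issued, is rejected.
demo() ->
    ok = init(),
    Id = new_request_id(),
    ok = consume(Id),
    {error, unknown_request_id} = consume(Id),
    {error, unknown_request_id} = consume("_not-one-of-ours"),
    0 = purge_expired(),
    ok.
```

Run `saml_request_ids:demo().` from a shell with `crypto` available. The check belongs at the point where the assertion response has already been signature-verified and `InResponseTo` has been extracted; the consume-on-success ordering matters, since deleting the ID before the rest of validation completes would let an attacker burn a victim's pending ID with a forged response.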