SAML ACS Endpoint should ignore any unknown parameters #58850
Labels:
- enhancement (New value added to drive a business result)
- Feature:Security/Authentication (Platform Security - Authentication)
- Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)
Currently our SAML ACS Endpoint expects only `SAMLResponse` and `RelayState` parameters and rejects requests that provide anything else that we don't expect. This may become a problem for IdPs that used to send some additional parameters for whatever reason. It shouldn't harm if we stop rejecting such requests and just ignore unknown parameters.

We could potentially use `allowUnknown` of the `schema.object` validation scheme we use for the request body, but I don't like that after validation we'll still have these unknown properties in the object that someone can potentially enumerate through. After a conversation with @restrry we think that there is a chance we may add an additional `schema.object` mode that may allow unknown properties, but would strip them out.
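To make the three behaviours concrete, here is an added TypeScript example (mine, not Kibana's `@kbn/config-schema` and not the real `schema.object` API): a minimal validator whose `forbid`, `allow` and `strip` modes stand in for the current rejection, `allowUnknown`, and the proposed strip-unknowns mode. The sample request body and the mode names are constructed for illustration.

```typescript
// Added example: a stand-in for how an object validator can treat unknown keys.
type UnknownsMode = 'forbid' | 'allow' | 'strip';

// The two parameters the ACS endpoint expects; everything else is "unknown".
const ACS_KEYS = ['SAMLResponse', 'RelayState'] as const;

interface ValidationResult {
  ok: boolean;
  value?: Record<string, string>;
  error?: string;
}

// Validate an ACS request body against the known keys under the given mode.
function validateAcsBody(
  body: Record<string, string>,
  mode: UnknownsMode,
): ValidationResult {
  if (typeof body.SAMLResponse !== 'string' || body.SAMLResponse.length === 0) {
    return { ok: false, error: 'SAMLResponse is required' };
  }
  const known = new Set<string>(ACS_KEYS);
  const unknown = Object.keys(body).filter((k) => !known.has(k));

  if (mode === 'forbid' && unknown.length > 0) {
    // Current behaviour: the whole request is rejected.
    return { ok: false, error: `unexpected parameter(s): ${unknown.join(', ')}` };
  }
  if (mode === 'allow') {
    // allowUnknown-style: accepted, but the extra keys survive validation.
    return { ok: true, value: { ...body } };
  }
  // 'strip' (and 'forbid' with nothing unknown): only known keys are kept.
  const value: Record<string, string> = {};
  for (const k of ACS_KEYS) {
    if (typeof body[k] === 'string') value[k] = body[k];
  }
  return { ok: true, value };
}

// Constructed sample: an IdP that appends an extra parameter to its POST.
const sampleBody: Record<string, string> = {
  SAMLResponse: 'PHNhbWxwOlJlc3BvbnNlIC4uLiAvPg==', // constructed placeholder, not a real assertion
  RelayState: '/app/dashboards',
  idpExtra: 'vendor-specific',
};

// Which keys a downstream consumer could enumerate after validation.
function visibleKeys(mode: UnknownsMode): string[] {
  const r = validateAcsBody(sampleBody, mode);
  return r.ok && r.value ? Object.keys(r.value).sort() : [];
}
```

Only the `strip` mode both accepts the request and leaves nothing extra for later code to enumerate.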