We're using node-saml as a "plugin" for SAML authentication at our company.
We've recently had an issue with one of our clients who is sending multiple Audiences in one AudienceRestriction:
At first, we thought that such input is invalid, but having googled for it, it looks like it is valid according to the SAML specification:
https://stackoverflow.com/questions/43082519/does-ping-support-multiple-audience-restriction-values-in-saml
Furthermore, after looking at node-saml source code, we can see how it simply discards any "audience"s except the first one:
node-saml/src/saml.ts, lines 1229 to 1237 in e691ccf
It's not clear why it was written the way it is, but we think that the code above should be corrected:
We've submitted the code patch above in the form of a pull request.
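An added sketch of the check this issue is about, placed after the post; it is not node-saml's code and not the submitted patch. The function names, the xml2js-style parsed shape (`Audience` as an array of strings or `{ _: text }` objects) and the sample URLs are assumptions. It follows SAML Core section 2.5.1.4: Audiences within one AudienceRestriction are alternatives, while separate AudienceRestriction elements must each be satisfied.

```javascript
// Text of one parsed <Audience> node, or null when empty.
// Assumed shapes: a bare string, or an object holding the text under "_".
function audienceText(node) {
  const text = typeof node === "string" ? node : node && node._;
  return typeof text === "string" && text !== "" ? text : null;
}

// All non-empty Audience values of one parsed <AudienceRestriction>.
function audiencesOf(restriction) {
  const nodes = restriction && Array.isArray(restriction.Audience) ? restriction.Audience : [];
  return nodes.map(audienceText).filter((a) => a !== null);
}

// SAML Core 2.5.1.4: Audiences inside one AudienceRestriction are alternatives (OR),
// while separate AudienceRestriction elements must each be satisfied (AND).
function checkAudience(expected, restrictions) {
  if (!Array.isArray(restrictions) || restrictions.length === 0) {
    return new Error("SAML assertion has no AudienceRestriction");
  }
  for (const restriction of restrictions) {
    const audiences = audiencesOf(restriction);
    if (audiences.length === 0) {
      return new Error("AudienceRestriction has no Audience value");
    }
    if (!audiences.includes(expected)) {
      return new Error("SAML assertion audience mismatch");
    }
  }
  return null; // every restriction names the expected audience
}

// First-only comparison, the behaviour the issue reports, kept for contrast.
function checkFirstAudienceOnly(expected, restrictions) {
  const first = audiencesOf(restrictions[0])[0];
  return first === expected ? null : new Error("SAML assertion audience mismatch");
}

// Constructed sample input (not from the issue): two Audiences in one restriction.
const SP = "https://sp.example.com/metadata";
const MULTI = [{ Audience: [{ _: "https://partner.example.org/sp" }, { _: SP }] }];
// A second restriction that does not name the SP must still fail the assertion.
const TWO_RESTRICTIONS = [...MULTI, { Audience: ["https://unrelated.example.net"] }];

const show = (err) => (err ? err.message : "ok");
console.log("first-only, multi-audience:", show(checkFirstAudienceOnly(SP, MULTI)));
console.log("any-match, multi-audience: ", show(checkAudience(SP, MULTI)));
console.log("any-match, two restrictions:", show(checkAudience(SP, TWO_RESTRICTIONS)));
```

Matching is exact string equality on purpose: loosening it to prefix or case-insensitive comparison would widen which assertions the service provider accepts.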