Currently, if the validation of the top-level signature fails, we continue after setting a variable. We should have an option, or perhaps just fail, if we find a top-level signature that isn't valid. Right now, node-saml will allow an invalid top-level signature. This allowance allows for a whole class of crafty attacks that cause a top-level signature to be invalid, but which preserve the signature of an assertion. See node-saml/passport-saml#671 for a more thorough discussion of this matter.
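A toy model of the behaviour this issue describes, added here as an illustration; it is not node-saml's code and not part of the original post. Ed25519 signatures over JSON stand in for XML-DSig, and every name in it (`validateLenient`, `validateStrict`, the sample response and its fields) is an assumption made for the example.

```javascript
// Added illustration: toy model only, not node-saml code and not real XML-DSig.
const crypto = require("node:crypto");

// Constructed IdP key pair; a real SP would hold only the IdP's public certificate.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (obj) => crypto.sign(null, bytes(obj), privateKey).toString("base64");
const verify = (obj, sig) =>
  crypto.verify(null, bytes(obj), publicKey, Buffer.from(sig, "base64"));

// Constructed sample: a signed assertion wrapped in a signed response.
function buildResponse() {
  const assertion = { subject: "alice@example.test", audience: "sp.example.test" };
  const body = {
    destination: "https://sp.example.test/acs",
    assertion,
    assertionSignature: sign(assertion),
  };
  return { body, signature: sign(body) };
}

// "valid", "invalid" or "absent" for the top-level (response) signature.
function topLevelStatus(response) {
  if (response.signature === undefined) return "absent";
  return verify(response.body, response.signature) ? "valid" : "invalid";
}

function assertionSignatureValid(response) {
  const { assertion, assertionSignature } = response.body;
  return assertionSignature !== undefined && verify(assertion, assertionSignature);
}

// Lenient: a failed top-level check only sets a variable, then the
// assertion signature alone decides (the behaviour the issue reports).
function validateLenient(response) {
  const topLevelValid = topLevelStatus(response) === "valid";
  if (topLevelValid) return true;
  return assertionSignatureValid(response);
}

// Strict: a top-level signature that is present but invalid rejects the
// response; the assertion signature is consulted only when none is present.
function validateStrict(response) {
  const status = topLevelStatus(response);
  if (status === "invalid") return false;
  return status === "valid" || assertionSignatureValid(response);
}
```

A response whose wrapper no longer matches its top-level signature, but whose assertion is untouched, passes `validateLenient` and fails `validateStrict`.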