Validate issuer on logout requests/responses if configured #314
Conversation
|
@markstos can you take a look? |
README.md
Outdated
| @@ -125,6 +125,8 @@ type Profile = { | |||
| * `validateInResponseTo`: if truthy, then InResponseTo will be validated from incoming SAML responses | |||
| * `requestIdExpirationPeriodMs`: Defines the expiration time when a Request ID generated for a SAML request will not be valid if seen in a SAML response in the `InResponseTo` field. Default is 8 hours. | |||
| * `cacheProvider`: Defines the implementation for a cache provider used to store request Ids generated in SAML requests as part of `InResponseTo` validation. Default is a built-in in-memory cache provider. For details see the 'Cache Provider' section. | |||
| * **Issuer Validation** | |||
| * `samlIssuer`: if provided, then the IdP issuer will be validated for incoming Logout Requests/Responses | |||
There was a problem hiding this comment.
I think it could be helpful to add an example at the end of this line that shows an example expected value for samlIssuer. The name here is also confusing, since we have both issuer and samlIssuer.
As I understand issuer is our name-- the name of the Service Provider, while samlssuer is the expected name of the IdP that we validate against. Is that correct? Perhaps 'responseIssuer` would be clearer?
Including as "saml" as a prefix does not help much at all, because the entire module has to do with SAML.
There was a problem hiding this comment.
I see, that's a valid point, but responseIssuer isn't really better, since this is validated in requests as well.
What do you think for idpIssuer?
stavros-wb
force-pushed
the
validate_issuer_on_logout
branch
from
b682e8f
to
b161068
Compare
I've added documentation on
samlIssuerand also made its validation optional (just asInResponseTo). This should actually be a part of #277