Validate acs url #102
@ikkisoft @itstehkman does this make sense? I have to update docs before merging, but basically this would make it so ACS URLs are whitelisted based on the Host of the metadata URL or the list from
My understanding of the Destination (saml 2 core lines 1477-1482) vs AssertionConsumerServiceURL (saml 2 core lines 1483-1488) is that they're the same value, but just used for different purposes:
So, I think you can simply use the value you already have in the config for the service_provider and not the metadata URL.
some-issuer-url.com/saml --> some-issuer-url.com
If you allow override via config file (as implemented), I think it is safe enough to enforce it since people can change the config after the new deployment. Especially if it's clear in the README.
Btw, reading the standard (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf line 2063) they are actually saying that the IDP is required to perform validation on the AssertionConsumerServiceURL field:
ruby-saml (https://github.com/onelogin/ruby-saml) seems to have three separate fields for those items:
So, this is probably the safest / most flexible option.
I agree with @ikkisoft. I think this PR is mostly good. The only issue I see is if you've configured the IdP with N acceptable_response_hosts, where one of these could maliciously accept a response meant for another host:
acceptable_response_hosts = [A, B]
I make a SAMLRequest for host A, and it gets maliciously modified such that its Destination / ACS URL is sent to B instead. In the unlikely case that B would accept the assertion, this is an issue.
I think it is simpler and more accurate to just have this on a per-service-provider configuration level without checking a set of acceptable hosts.
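The two validation strategies discussed in this thread side by side, as an added example that is not code from the PR or the project. The registry shape (`SERVICE_PROVIDERS`, keyed by issuer with a registered `acs_url`), the `ACCEPTABLE_RESPONSE_HOSTS` list and the SP hostnames are constructed for illustration. It reproduces the scenario above: a request for SP A whose ACS URL has been rewritten to point at SP B passes the host-list check but fails the per-service-provider check.

```ruby
require "uri"

# Constructed per-service-provider registry (hypothetical shape): each SP is
# keyed by its issuer / entity ID and carries the exact ACS URL it registered.
SERVICE_PROVIDERS = {
  "https://sp-a.example.com/saml/metadata" => { acs_url: "https://sp-a.example.com/saml/consume" },
  "https://sp-b.example.com/saml/metadata" => { acs_url: "https://sp-b.example.com/saml/consume" },
}.freeze

# Host-list approach under discussion: any ACS URL whose host is listed passes,
# regardless of which SP the request actually came from.
ACCEPTABLE_RESPONSE_HOSTS = %w[sp-a.example.com sp-b.example.com].freeze

def acs_url_host_allowed?(acs_url, hosts = ACCEPTABLE_RESPONSE_HOSTS)
  uri = URI.parse(acs_url)
  return false if uri.host.nil?
  hosts.include?(uri.host.downcase)
rescue URI::InvalidURIError
  false
end

# Per-SP approach: the ACS URL carried in the AuthnRequest must match the URL
# registered for the issuer that sent it (scheme, host, port and path).
def acs_url_matches_sp?(issuer, acs_url, registry = SERVICE_PROVIDERS)
  sp = registry[issuer]
  return false unless sp
  requested = URI.parse(acs_url)
  expected  = URI.parse(sp[:acs_url])
  return false if requested.host.nil? || expected.host.nil?
  requested.scheme == expected.scheme &&
    requested.host.downcase == expected.host.downcase &&
    requested.port == expected.port &&            # Ruby's URI fills in default ports
    requested.path == expected.path
rescue URI::InvalidURIError
  false
end

# The scenario from the thread: the request is from SP A, but its ACS URL has
# been rewritten to SP B's consumer endpoint. Returns [host_list_result, per_sp_result].
def tampered_request_outcome
  issuer   = "https://sp-a.example.com/saml/metadata"
  tampered = "https://sp-b.example.com/saml/consume"
  [acs_url_host_allowed?(tampered), acs_url_matches_sp?(issuer, tampered)]
end

if __FILE__ == $PROGRAM_NAME
  by_host, by_sp = tampered_request_outcome
  puts "host list accepts tampered ACS URL: #{by_host}"   # true
  puts "per-SP check accepts tampered ACS URL: #{by_sp}"  # false
end
```

The per-SP check ties the ACS URL to the issuer of the request rather than to a shared host list, which is exactly why the cross-host case cannot slip through it. Comparing the full URL (not just the host) also rejects look-alike hosts such as `sp-a.example.com.evil.test` and unexpected paths on a legitimate host.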