Skip to content

SAML 2 Assertion - Always require signature validation #7490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fhanik opened this issue Sep 28, 2019 · 0 comments · Fixed by #7491
Closed

SAML 2 Assertion - Always require signature validation #7490

fhanik opened this issue Sep 28, 2019 · 0 comments · Fixed by #7491
Assignees
@fhanik
Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Milestone
5.2.0

Comments

@fhanik
Copy link
Contributor

fhanik commented Sep 28, 2019

In some use cases, privately exchanged credentials can justify a use case where encryption is validation of the assertion content.

The default behavior should be that signature is always required, as that is the most secure behavior.
@fhanik fhanik added the type: enhancement A general enhancement label Sep 28, 2019
@fhanik fhanik added this to the 5.2.0 milestone Sep 28, 2019
@fhanik fhanik self-assigned this Sep 28, 2019
fhanik added a commit to fhanik/spring-security that referenced this issue Sep 28, 2019
@fhanik
Always require signature on either response or assertion
b2ccbc1 
Fixes spring-projectsgh-7490
spring-projects#7490
@fhanik fhanik mentioned this issue Sep 28, 2019
Merged
@jzheaux jzheaux added the in: saml2 An issue in SAML2 modules label Sep 30, 2019
fhanik added a commit that referenced this issue Sep 30, 2019
@fhanik
Always require signature on either response or assertion
7adb4da 
Fixes gh-7490
#7490
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fhanik fhanik

Labels
in: saml2 An issue in SAML2 modules type: enhancement A general enhancement
Projects
None yet
Milestone
5.2.0
Development

Successfully merging a pull request may close this issue.

Always validate saml2 signatures fhanik/spring-security
2 participants
@fhanik @jzheaux