Don't use the raw xml authn request for cross check response validation #12961

Closed
1livv opened this issue Apr 3, 2023 · 0 comments · Fixed by #12962
Labels: in: saml2 (An issue in SAML2 modules), type: enhancement (A general enhancement)
1livv commented Apr 3, 2023

Current Behavior

Right now the only cross check validation between the returning SAML response and the outgoing SAML request is that InResponseTo and authnRequest id need to match. The authentication request id is retrieved by parsing the raw xml request.
See OpenSaml4AuthenticationProvider#validateInResponseTo and OpenSaml4AuthenticationProvider#getAuthnRequestId

Expected Behavior

The id of the request is readily available in the AbstractSaml2AuthenticationRequest.
This would improve performance, allow for better abstraction and allow for repository implementations which do not store the whole xml request since it might be too big.
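
The cross check the issue describes, as an added illustration that is not Spring Security code: the `InResponseTo` attribute of the incoming `samlp:Response` is compared against the stored request ID, and the two ways of obtaining that ID (re-parsing the raw `AuthnRequest` XML versus reading a stored field, as `AbstractSaml2AuthenticationRequest` exposes) are shown side by side. Class and function names and the sample XML are constructed for the example; the handling of a missing `InResponseTo` follows the usual SAML rule that an unsolicited response is accepted only when no request was stored.

```python
# Added illustration of the InResponseTo cross-check, not Spring Security code.
# Names and sample XML below are constructed for the example.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

@dataclass
class StoredAuthnRequest:
    # Stands in for AbstractSaml2AuthenticationRequest: the ID is a plain field,
    # so a repository need not keep (or re-parse) the raw AuthnRequest XML.
    id: str
    relay_state: Optional[str] = None

def authn_request_id_from_raw_xml(raw_xml: str) -> str:
    # The approach the issue objects to: parse the whole stored request for its ID.
    root = ET.fromstring(raw_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("stored document is not a samlp:AuthnRequest")
    return root.attrib["ID"]

def validate_in_response_to(response_xml: str, stored: Optional[StoredAuthnRequest]) -> str:
    # Cross-check using the stored ID directly. Returns the matched ID, or "" for an
    # accepted unsolicited Response; raises ValueError when the check fails.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("document is not a samlp:Response")
    in_response_to = root.attrib.get("InResponseTo", "")
    if stored is None:
        if in_response_to:
            raise ValueError("InResponseTo present but no AuthnRequest was stored")
        return ""  # IdP-initiated (unsolicited) response, nothing to cross-check
    if not in_response_to:
        raise ValueError("an AuthnRequest was stored but the Response has no InResponseTo")
    if in_response_to != stored.id:
        raise ValueError(f"InResponseTo {in_response_to!r} does not match {stored.id!r}")
    return in_response_to

def sample_authn_request(request_id: str) -> str:
    # Constructed, minimal AuthnRequest: only the parts this check touches.
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" Version="2.0" '
            f'IssueInstant="2023-04-03T00:00:00Z"/>')

def sample_response(in_response_to: Optional[str]) -> str:
    # Constructed, minimal Response; None omits the InResponseTo attribute entirely.
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp-1" Version="2.0" '
            f'IssueInstant="2023-04-03T00:00:05Z"{attr}/>')
```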

@1livv 1livv added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 3, 2023
1livv added a commit to 1livv/spring-security that referenced this issue Apr 3, 2023
@jzheaux jzheaux self-assigned this May 12, 2023
@jzheaux jzheaux added in: saml2 An issue in SAML2 modules and removed status: waiting-for-triage An issue we've not yet triaged labels May 12, 2023
@jzheaux jzheaux added this to the 6.1.0-RC1 milestone May 12, 2023