cxf-issues mailing list archives

From "Jan Bernhardt (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FEDIZ-157) SAMLResponse Handler uses URL instead of Realm name for issuer validation
Date Wed, 09 Mar 2016 09:13:41 GMT

    [ https://issues.apache.org/jira/browse/FEDIZ-157?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15186807#comment-15186807 ]

Jan Bernhardt commented on FEDIZ-157:
-------------------------------------

A new property is now available for a trusted IDP configuration: {{issuer}}. If set, this property
will be used for issuer name validation. If it is not set, the {{url}} parameter will be used
as before to ensure backward compatibility.

> SAMLResponse Handler uses URL instead of Realm name for issuer validation
> -------------------------------------------------------------------------
>
>                 Key: FEDIZ-157
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-157
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: IDP
>    Affects Versions: 1.2.2
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>             Fix For: 1.3.0
>
>
> The {{TrustedIdpSAMLProtocolHandler}} uses the {{SAMLSSOResponseValidator}} to validate the issuer name within the {{SAMLResponse}}.
> For this validation the configured 3rd party URL is used. This is an error, because the redirect URL for the {{SAMLRequest}} does not need to be equal or even similar to the issuer name within the {{SAMLResponse}}.
> The 3rd party realm name should be applicable instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
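
The issuer check with the `issuer`/`url` fallback described in the comment above, as an added sketch that is not Fediz code and not part of the original message. `TrustedIdp`, the helper functions, the endpoint URL and the entity IDs are hypothetical, and the SAML response is constructed sample input; signature validation is outside what this shows.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass
class TrustedIdp:
    """Hypothetical stand-in for a trusted IDP configuration entry."""
    url: str                       # endpoint the SAMLRequest is redirected to
    issuer: Optional[str] = None   # expected Issuer value, when configured

    def expected_issuer(self) -> str:
        # Use issuer when it is set (non-empty); otherwise fall back to url.
        return self.issuer if self.issuer else self.url

def sample_response(issuer: str) -> str:
    """Build a constructed, unsigned SAMLResponse carrying the given Issuer."""
    return (f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" '
            f'xmlns:saml2="{NS["saml2"]}" ID="_constructed1" Version="2.0">'
            f'<saml2:Issuer>{issuer}</saml2:Issuer></saml2p:Response>')

def response_issuer(xml_text: str) -> Optional[str]:
    """Return the top-level Issuer of a SAML Response, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return None
    node = root.find("saml2:Issuer", NS)  # direct child only
    return node.text.strip() if node is not None and node.text else None

def issuer_is_trusted(idp: TrustedIdp, xml_text: str) -> bool:
    """Exact string match between the response Issuer and the expected value."""
    found = response_issuer(xml_text)
    return found is not None and found == idp.expected_issuer()

# Hypothetical IdP whose SSO endpoint differs from its issuer name.
SSO_URL = "https://idp.example.org/saml/sso"
REALM = "urn:example:idp:realm-b"
LEGACY = TrustedIdp(url=SSO_URL)               # only url configured
FIXED = TrustedIdp(url=SSO_URL, issuer=REALM)  # issuer configured

if __name__ == "__main__":
    resp = sample_response(REALM)
    print("url only:  ", issuer_is_trusted(LEGACY, resp))
    print("issuer set:", issuer_is_trusted(FIXED, resp))
```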
