
Need to verify certificate when response is returned using httpredirect #910

Closed
himalpatel81 opened this issue Feb 13, 2018 · 3 comments

@himalpatel81

I'm receiving a signout response using Http-Redirect and my SAML application is failing with the exception:

Sustainsys.Saml2.Exceptions.UnsuccessfulSamlOperationException: 'Received a LogoutResponse from https://app.onelogin.com/saml/metadata/xxx that cannot be processed because it is not signed

Seems like it is expecting Http-Post. So, what modification do I need to make in my code to validate the signature in this case?

Thanks,

@AndersAbel
Member

LogoutResponses must be signed according to the SAML2 spec. Is the response you receive really signed? The library does validate and handle signatures on incoming logout responses over http redirect.

@himalpatel81
Author

Yes, you are right. LogoutResponse isn't signed. I checked with OneLogin and they don't have any option for a signed LogoutResponse. So my app keeps failing as it cannot validate the signature.

@AndersAbel
Member

I see. There's an old request #446 to add a compatibility flag to handle that. If you need it you can either implement it and submit a PR or mail me at [email protected] to discuss sponsoring so that I make the implementation.
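
As an added example, not code from Sustainsys.Saml2 or from anyone in this thread: a Go implementation of the HTTP-Redirect binding signature check that the maintainer says the library performs on an incoming LogoutResponse. Per the SAML 2.0 Bindings specification (section 3.4.4.1), the message is DEFLATE-compressed and base64-encoded, and the signature covers the URL-encoded SAMLResponse, RelayState and SigAlg query parameters in that order, in their encoded form, with the signature itself sent as a separate Signature parameter. Both the IdP-side builder and the SP-side verifier are shown; the unsigned variant (no Signature parameter at all) reproduces the failure reported in this issue, and a tampered RelayState shows why the check matters. The sample LogoutResponse XML, its IDs, the RelayState value, the function names, the error values and the freshly generated RSA key are all my own assumptions, not anything from the library or from OneLogin.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256 as it is carried (URL-encoded) in the query string.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// ErrUnsigned is the failure mode from the issue: a redirect-bound response with no Signature parameter.
var ErrUnsigned = errors.New("LogoutResponse over HTTP-Redirect is not signed (no Signature parameter)")

// Constructed sample message (IDs and timestamps are made up); the issuer is the IdP named in the issue.
const sampleLogoutResponse = `<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2018-02-13T00:00:00Z" InResponseTo="_req1"><saml:Issuer>https://app.onelogin.com/saml/metadata/xxx</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>`

// deflateB64 applies the redirect-binding encoding: raw DEFLATE, then base64.
func deflateB64(msg []byte) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(msg); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateB64 reverses deflateB64.
func inflateB64(s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
}

// signedPart returns the exact octets that are signed: the URL-encoded values in fixed order,
// with RelayState omitted when it is absent.
func signedPart(encResp, encRelay, encSigAlg string) string {
	s := "SAMLResponse=" + encResp
	if encRelay != "" {
		s += "&RelayState=" + encRelay
	}
	return s + "&SigAlg=" + encSigAlg
}

// BuildRedirectQuery is the IdP side. With priv == nil it emits the unsigned form that OneLogin
// was reported to send; otherwise it signs with RSA-SHA256 (PKCS#1 v1.5).
func BuildRedirectQuery(msg []byte, relayState string, priv *rsa.PrivateKey) (string, error) {
	enc, err := deflateB64(msg)
	if err != nil {
		return "", err
	}
	if priv == nil {
		q := "SAMLResponse=" + url.QueryEscape(enc)
		if relayState != "" {
			q += "&RelayState=" + url.QueryEscape(relayState)
		}
		return q, nil
	}
	part := signedPart(url.QueryEscape(enc), url.QueryEscape(relayState), url.QueryEscape(rsaSHA256))
	digest := sha256.Sum256([]byte(part))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return part + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams splits the query string without decoding values, because the signature is over the encoded form.
func rawParams(query string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(query, "&") {
		k, v, _ := strings.Cut(kv, "=")
		out[k] = v
	}
	return out
}

// VerifyRedirectQuery is the SP side: it rejects unsigned responses, checks the algorithm,
// rebuilds the signed octets in canonical order, verifies, and only then decodes the XML.
func VerifyRedirectQuery(query string, pub *rsa.PublicKey) ([]byte, error) {
	p := rawParams(query)
	encResp, ok := p["SAMLResponse"]
	if !ok {
		return nil, errors.New("no SAMLResponse parameter")
	}
	encSig, ok := p["Signature"]
	if !ok {
		return nil, ErrUnsigned
	}
	sigAlg, err := url.QueryUnescape(p["SigAlg"])
	if err != nil || sigAlg != rsaSHA256 {
		return nil, fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	sigB64, err := url.QueryUnescape(encSig)
	if err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(signedPart(encResp, p["RelayState"], p["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	resp, err := url.QueryUnescape(encResp)
	if err != nil {
		return nil, err
	}
	return inflateB64(resp)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	signed, _ := BuildRedirectQuery([]byte(sampleLogoutResponse), "state123", priv)
	xml, err := VerifyRedirectQuery(signed, &priv.PublicKey)
	fmt.Println("signed:", len(xml), "bytes of XML, err =", err)
	unsigned, _ := BuildRedirectQuery([]byte(sampleLogoutResponse), "state123", nil)
	_, err = VerifyRedirectQuery(unsigned, &priv.PublicKey)
	fmt.Println("unsigned:", err)
	tampered := strings.Replace(signed, "RelayState=state123", "RelayState=evil", 1)
	_, err = VerifyRedirectQuery(tampered, &priv.PublicKey)
	fmt.Println("tampered:", err)
}
```

The verifier deliberately reconstructs the signed string from the raw, still-encoded query values rather than from decoded ones: re-encoding a decoded value can differ byte-for-byte from what the sender signed, and any such mismatch is a spurious failure. A compatibility flag of the kind discussed in the thread would amount to returning the inflated XML instead of ErrUnsigned, which means accepting a logout response whose origin has not been established at all.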
