feat: Add optional compatibility option to support non-complaint IDPs that do not sign their LogOut responses. #1178
Conversation
… that do not sign their LogOut responses.
|
I'm a bit confused about what the scope is of this PR. The title mentions "Logout Responses". The code excludes both logout responses and incoming logout requests from the signature check. The test case is for a logout request. Do you want this to apply only to logout responses? Or only to requests? Or both? From a security perspective I can't think of why a missing signature on a logout response is a problem. A missing signature/sender validation for an incoming logout request however might be part of an attack vector. If we compare to OpenID Connect they authenticate incoming logout requests (by including the id_token) but not the redirect back. |
|
My apologies for the late reply, been putting out various brush fires and then easter holiday hit us. Being unfamilar with the Saml2 protocol and the codebase, so the overly aggressive patch is my fault. For our use case, until the IDP becomes spec complient, we only need to support unsigned logout RESPONSES. I can supply you with an example HAR archive of the traffic, if needed. |
|
@henrikottesorensen Thank you for your response. I will go ahead and merge this with a modification to only allow unsigned logout responses. |
We got hit by issue #446, after our IDP began to returning unsigned LogOut responses. I have added a compatibility switch to support this specification violating behaviour, while we work with the IDP provider to get them in compliance with the spec.