wornet-mwo commented on issue #4519: URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-2260154287
As the documentation does not state the exact verification of signatures: the linked and integrated PR expects the whole SAMLResponse to be signed, not only the assertion. As far as I can see in the source code, the assertion signature is not validated. That's a problem with Authentik, as it only signs the assertions (which itself would also be valid, [link to authentik issue](https://github.com/goauthentik/authentik/issues/7909)). E.g. Nextcloud offers more fine-grained control over the validation. Hope this helps someone save time debugging SAML in that case. A workaround is to disable signature validation here for now.
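To see the mismatch the comment describes, here is an added diagnostic (not CloudStack's or Authentik's code) that reports where a SAML Response carries signatures and compares a Response-only verifier with one that also accepts per-assertion signatures. The sample message is constructed to mimic an assertion-only-signed Response; it only inspects signature placement and Reference URIs, it does no cryptographic verification.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 / XML-DSig namespaces (not specific to any product).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: only the Assertion is signed, the Response is not.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assert1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def _signature_info(element):
    """(present, reference_ok) for a ds:Signature that is a direct child of
    `element`. An enveloped signature must reference the enclosing element's ID."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False, False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    return True, uri == "#" + element.get("ID", "")

def signature_layout(xml_text):
    """Report whether the Response and each Assertion carry their own signature."""
    root = ET.fromstring(xml_text)
    resp_signed, resp_ref_ok = _signature_info(root)
    assertions = []
    for a in root.findall("saml:Assertion", NS):
        signed, ref_ok = _signature_info(a)
        assertions.append({"id": a.get("ID"), "signed": signed, "reference_ok": ref_ok})
    return {"response_signed": resp_signed and resp_ref_ok, "assertions": assertions}

def verifier_accepts(xml_text, accept_signed_assertions):
    """accept_signed_assertions=False models an SP that only checks the Response
    signature (the behaviour described above); True models an SP that also
    accepts a message in which every Assertion is individually signed."""
    layout = signature_layout(xml_text)
    if layout["response_signed"]:
        return True
    return accept_signed_assertions and bool(layout["assertions"]) and all(
        a["signed"] and a["reference_ok"] for a in layout["assertions"])
```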
