ngrosc commented on issue #4519: URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-750322450
Hi guys,

Meanwhile we were able to secure the connection between our IDP and CloudStack and are now encrypting the assertions. But the initial issue still exists. When someone removes the signature, CloudStack accepts this. Of course, if someone is able to intercept, decrypt, edit and re-encrypt the assertion, we have some other major problems. But from my point of view, it should be possible to enforce signature checking. As far as I understood, the underlying Java component has a flag for this, but it's not used by CloudStack. Even if it is almost impossible to manipulate such a request, pentesters will classify this as a "critical design flaw".
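
A fail-closed gate for the behaviour described in the comment above, as an added example (not CloudStack's code and not written by the commenter): it rejects a SAML response unless the Response or its single Assertion carries a signature that references that element. The function names and the sample XML are constructed for illustration. The check covers presence only: it has to run after any assertion decryption, and cryptographic validation against the IdP certificate must still follow.

```python
import xml.etree.ElementTree as ET  # production code should use a hardened XML parser

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

class UnsignedSamlError(Exception):
    """Raised when no signature covers the Response or its Assertion."""

def _covers(elem):
    """True if elem has a direct-child ds:Signature whose Reference points at elem's own ID."""
    sig = elem.find("ds:Signature", NS)  # direct child only, not any descendant
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    elem_id = elem.get("ID")
    return bool(ref is not None and elem_id and ref.get("URI") == "#" + elem_id)

def require_signature(xml_text):
    """Return 'response' or 'assertion' (the signed element) or raise UnsignedSamlError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise UnsignedSamlError("not a SAML Response")
    if _covers(root):
        return "response"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) == 1 and _covers(assertions[0]):
        return "assertion"
    # Fail closed: a missing or misdirected signature is an error, not a skipped check.
    raise UnsignedSamlError("no signature covering the Response or Assertion")

def sample(sig_ref=None):
    """Constructed sample Response; sig_ref is the Reference URI, or None for no signature."""
    sig = ""
    if sig_ref is not None:
        sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
               '</ds:SignedInfo></ds:Signature>' % (NS["ds"], sig_ref))
    return ('<samlp:Response xmlns:samlp="%s" ID="r1"><saml:Assertion xmlns:saml="%s" ID="a1">'
            '%s<saml:Subject/></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig))
```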
