dxbjavid opened a new pull request, #3281:
URL: https://github.com/apache/cxf/pull/3281

   validateIssuer in the SAML 2.0 SSO response validator checks the received 
issuer against the configured issuer IDP with 
issuerIDP.startsWith(issuer.getValue()), so any value that is only a prefix of 
the expected issuer satisfies the enforceKnownIssuer check, right down to a 
single character. That means the known-issuer control does not really pin the 
issuer, and where a service provider trusts more than one identity provider it 
weakens the binding between an assertion and the IdP it is meant to have come 
from. Compare the issuer to the configured value exactly instead, which is how 
SAML entityIDs are meant to be matched.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

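To make the prefix problem described in the pull request concrete, here is an added example that is not Apache CXF code and does not use its API. It puts the `startsWith` shape of the check beside an exact `equals` comparison and runs both over a few constructed issuer values, including a bare prefix, a single character and an empty string. The class name `IssuerCheck`, the method names and the sample entityIDs are hypothetical.

```java
import java.util.List;

// Added example, not Apache CXF code. IssuerCheck, its methods and the
// sample entityIDs below are hypothetical / constructed for illustration.
public class IssuerCheck {

    // Same shape as the check the PR describes: the configured issuer is
    // tested with startsWith() against the received value, so any prefix of
    // the configured entityID is accepted (and "" is a prefix of everything).
    static boolean prefixMatch(String configuredIssuerIDP, String receivedIssuer) {
        return configuredIssuerIDP.startsWith(receivedIssuer);
    }

    // Exact comparison: SAML entityIDs are opaque strings and must match
    // character for character, with no trimming, case folding or prefixing.
    // Null-safe so a missing Issuer value is rejected instead of throwing.
    static boolean exactMatch(String configuredIssuerIDP, String receivedIssuer) {
        return receivedIssuer != null && configuredIssuerIDP.equals(receivedIssuer);
    }

    // Multi-IdP case: the assertion must name exactly one configured entityID.
    static boolean knownIssuer(List<String> configuredIssuers, String receivedIssuer) {
        return configuredIssuers.stream().anyMatch(c -> exactMatch(c, receivedIssuer));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        String configured = "https://idp.example.com/saml/metadata";
        String[] received = {
            "https://idp.example.com/saml/metadata",  // the real IdP
            "https://idp.example.com",                // prefix only
            "h",                                      // single character
            "",                                       // empty <saml:Issuer>
            "https://idp.example.com/saml/metadata2"  // longer than configured
        };

        for (String r : received) {
            System.out.printf("%-42s prefix=%-5s exact=%s%n",
                    "\"" + r + "\"",
                    prefixMatch(configured, r),
                    exactMatch(configured, r));
        }

        List<String> trusted = List.of(
                "https://idp-a.example.com/saml/metadata",
                "https://idp-b.example.com/saml/metadata");
        System.out.println("known issuer (exact, multi-IdP): "
                + knownIssuer(trusted, "https://idp-b.example.com/saml/metadata"));
        System.out.println("known issuer (exact, prefix only): "
                + knownIssuer(trusted, "https://idp-b.example.com"));
    }
}
```

Running `main` shows every received value except the longer one passing `prefixMatch`, while only the full entityID passes `exactMatch`. The `knownIssuer` helper is the form a service provider trusting several IdPs wants: a list of configured entityIDs, each compared exactly, so an assertion cannot satisfy the check by naming a shared prefix of two of them.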