Originally we identified the tenant domain only after user authentication.
Only then could tenant-specific SP configs be retrieved. That's why
validation was done only after authentication.

On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <[email protected]>
wrote:

> Hi Farasath,
>
> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]>
> wrote:
>
>> Hi,
>>
>> Noticed $subject happening when we configure SAML SSO with SAML Request
>> Validation enabled.
>>
>> This means that even for an invalid SAML Request (with an invalid
>> signature) the user will go through the authentication steps configured for
>> that Service Provider (identified by the issuer value in the request) and
>> the SAML Request validation only happens after we get the response from the
>> authentication framework.
>>
>> Is this the expected behaviour?
>>
>> Yes.
>
> We only validate the issuer name of the SAML service provider in the
> authentication request before the authentication.
>
> Since we store SAML related configurations in the registry, we have
> implemented it in this way to improve performance for the valid
> authentication requests.
>
> But ideally, we should validate authentication request before moving to
> authentication.
>
>
>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>>
> Thanks,
> Thanuja
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>



-- 
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
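The two orderings discussed in this thread, as an added illustration that is not WSO2 code and not part of the original mail: the "validate after authentication" flow (issuer lookup, then the SP's authentication steps, then request validation) beside the "validate before authentication" flow. Signature checking is stood in for by an HMAC over the request body, the in-memory `SP_REGISTRY` dict is a constructed stand-in for the registry-backed SP configuration store, and `Trace` only records which authentication steps were executed so the difference between the orderings can be observed. All names and values here are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for per-service-provider configuration. A real
# deployment would resolve this from the tenant's configuration store
# (the registry mentioned in the thread); here it is an in-memory dict.
SP_REGISTRY = {
    "https://sp.example.test/saml": {
        "signing_key": b"constructed-sp-signing-key",  # assumption: HMAC key stands in for the SP certificate
        "auth_steps": ["basic", "totp"],
    },
}


@dataclass
class AuthnRequest:
    issuer: str      # Issuer element: the only thing checked before auth in the "after" flow
    payload: bytes   # stand-in for the serialised request content that is signed
    signature: bytes


@dataclass
class Trace:
    auth_steps_run: list = field(default_factory=list)
    outcome: str = ""


def sign_request(payload: bytes, key: bytes) -> bytes:
    """Produce the stand-in signature (HMAC-SHA256) an SP would attach."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def request_is_valid(req: AuthnRequest, sp_config: dict) -> bool:
    """Full request validation: verify the signature against the SP's key."""
    expected = sign_request(req.payload, sp_config["signing_key"])
    return hmac.compare_digest(expected, req.signature)


def run_authentication(sp_config: dict, trace: Trace) -> None:
    """Stand-in for the authentication framework: record each configured step."""
    for step in sp_config["auth_steps"]:
        trace.auth_steps_run.append(step)


def sso_validate_after_auth(req: AuthnRequest) -> Trace:
    """Ordering described in the thread: issuer check, authenticate, then validate."""
    trace = Trace()
    sp = SP_REGISTRY.get(req.issuer)
    if sp is None:
        trace.outcome = "rejected: unknown issuer"
        return trace
    run_authentication(sp, trace)          # user is challenged before the request is known to be valid
    if not request_is_valid(req, sp):
        trace.outcome = "rejected: invalid signature"
        return trace
    trace.outcome = "accepted"
    return trace


def sso_validate_before_auth(req: AuthnRequest) -> Trace:
    """Ordering the thread says is ideal: validate the request, only then authenticate."""
    trace = Trace()
    sp = SP_REGISTRY.get(req.issuer)
    if sp is None:
        trace.outcome = "rejected: unknown issuer"
        return trace
    if not request_is_valid(req, sp):      # invalid requests never reach the authentication framework
        trace.outcome = "rejected: invalid signature"
        return trace
    run_authentication(sp, trace)
    trace.outcome = "accepted"
    return trace


def demo() -> dict:
    """Run both flows on a correctly signed and a badly signed request (constructed inputs)."""
    issuer = "https://sp.example.test/saml"
    payload = b"<AuthnRequest ID='_constructed-1' Destination='https://idp.example.test/sso'/>"
    good = AuthnRequest(issuer, payload, sign_request(payload, SP_REGISTRY[issuer]["signing_key"]))
    bad = AuthnRequest(issuer, payload, b"\x00" * 32)  # wrong signature
    return {
        "after_good": sso_validate_after_auth(good),
        "after_bad": sso_validate_after_auth(bad),
        "before_good": sso_validate_before_auth(good),
        "before_bad": sso_validate_before_auth(bad),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(f"{name}: steps={trace.auth_steps_run} outcome={trace.outcome}")
```

Running `demo()` shows the point of the thread: with validation after authentication, the badly signed request still drives the user through both configured steps before being rejected; with validation first, the same request is rejected with no authentication step executed, while the correctly signed request is accepted in both orderings.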