This is how the new SAML2 inbound authenticator is written.

On Tue, Feb 28, 2017 at 4:19 AM, Thanuja Jayasinghe <[email protected]> wrote:

> Hi Farasath,
>
> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]> wrote:
>
>> Hi,
>>
>> Noticed $subject happening when we configure SAML SSO with SAML Request
>> Validation enabled.
>>
>> This means that even for an invalid SAML Request (with an invalid
>> signature) the user will go through the authentication steps configured for
>> that Service Provider (identified by the issuer value in the request) and
>> the SAML Request validation only happens after we get the response from the
>> authentication framework.
>>
>> Is this the expected behaviour?
>>
> Yes.
>
> We only validate the issuer name of the SAML service provider in the
> authentication request before the authentication.
>
> Since we store SAML related configurations in the registry, we have
> implemented it in this way to improve performance for the valid
> authentication requests.
>
> But ideally, we should validate the authentication request before moving to
> authentication.
>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>

--
Thanks & Regards,
*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware
Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
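The ordering Thanuja describes (issuer lookup before authentication, request signature checked only after the authentication framework returns) next to the ordering Farasath expected, as an added example that is not code from this thread or from WSO2 Identity Server. It is a Go sketch of a SAML 2.0 HTTP-Redirect binding receiver using only the standard library. The `Registry` map standing in for the SP configuration store, the `AuthSteps` field, the `handleDeferred`/`handleStrict` names and the `https://sp.example.com` issuer are assumptions made for the example; the signed request is constructed inline by `buildRequest`. Run with a request signed by a key the SP does not own, the deferred handler reports that the SP's configured steps ran before the signature failure was noticed, while the strict handler stops before any step.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
)

const sigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// AuthnRequest carries only the fields this example needs from <samlp:AuthnRequest>.
type AuthnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID      string   `xml:"ID,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// ServiceProvider is a hypothetical stand-in for the per-issuer SP configuration
// (the registry entry in the thread); AuthSteps is an assumed name for its steps.
type ServiceProvider struct {
	SigningKey *rsa.PublicKey
	AuthSteps  []string
}

// Registry maps issuer -> SP configuration (assumed shape, keyed like the thread describes).
type Registry map[string]*ServiceProvider

// decodeRequest inflates a Redirect-binding SAMLRequest value (base64 of raw DEFLATE).
func decodeRequest(b64 string) (*AuthnRequest, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	x, err := io.ReadAll(io.LimitReader(r, 1<<20)) // cap inflated size
	if err != nil {
		return nil, err
	}
	var req AuthnRequest
	if err := xml.Unmarshal(x, &req); err != nil {
		return nil, err
	}
	return &req, nil
}

// signedInput is the octet string the Redirect binding signs:
// SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>, with RelayState omitted when absent.
// Signer and verifier both use url.QueryEscape here; a real receiver must use the
// parameter values exactly as encoded in the query string it received.
func signedInput(q url.Values) []byte {
	s := "SAMLRequest=" + url.QueryEscape(q.Get("SAMLRequest"))
	if rs := q.Get("RelayState"); rs != "" {
		s += "&RelayState=" + url.QueryEscape(rs)
	}
	return []byte(s + "&SigAlg=" + url.QueryEscape(q.Get("SigAlg")))
}

// verifySignature checks the detached Signature parameter against the SP's registered key.
func verifySignature(q url.Values, pub *rsa.PublicKey) error {
	if q.Get("SigAlg") != sigAlgRSASHA256 {
		return errors.New("unsupported SigAlg")
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil {
		return err
	}
	d := sha256.Sum256(signedInput(q))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// resolve decodes the request and looks the SP up by issuer: the only check the
// thread says happens before the user is sent into authentication.
func resolve(reg Registry, q url.Values) (*ServiceProvider, error) {
	req, err := decodeRequest(q.Get("SAMLRequest"))
	if err != nil {
		return nil, err
	}
	sp, ok := reg[req.Issuer]
	if !ok {
		return nil, errors.New("unknown issuer")
	}
	return sp, nil
}

// handleDeferred mirrors the current ordering: steps run first, signature checked after.
// It returns the steps the user went through together with any validation error.
func handleDeferred(reg Registry, q url.Values) ([]string, error) {
	sp, err := resolve(reg, q)
	if err != nil {
		return nil, err
	}
	ran := append([]string(nil), sp.AuthSteps...) // user authenticates before validation
	if err := verifySignature(q, sp.SigningKey); err != nil {
		return ran, fmt.Errorf("invalid request signature (found after auth): %w", err)
	}
	return ran, nil
}

// handleStrict validates the signature first; an invalid request never reaches a step.
func handleStrict(reg Registry, q url.Values) ([]string, error) {
	sp, err := resolve(reg, q)
	if err != nil {
		return nil, err
	}
	if err := verifySignature(q, sp.SigningKey); err != nil {
		return nil, fmt.Errorf("invalid request signature: %w", err)
	}
	return append([]string(nil), sp.AuthSteps...), nil
}

// buildRequest constructs a signed Redirect-binding query for the example (test input).
func buildRequest(issuer string, key *rsa.PrivateKey) url.Values {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	fmt.Fprintf(w, `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" `+
		`xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>`, issuer)
	w.Close()
	q := url.Values{"SAMLRequest": {base64.StdEncoding.EncodeToString(buf.Bytes())}, "SigAlg": {sigAlgRSASHA256}}
	d := sha256.Sum256(signedInput(q))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	q.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return q
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // not registered for the SP
	reg := Registry{"https://sp.example.com": {SigningKey: &spKey.PublicKey, AuthSteps: []string{"basic", "totp"}}}
	for _, k := range []*rsa.PrivateKey{spKey, otherKey} {
		q := buildRequest("https://sp.example.com", k)
		ran, err := handleDeferred(reg, q)
		fmt.Printf("deferred: steps ran=%v err=%v\n", ran, err)
		ran, err = handleStrict(reg, q)
		fmt.Printf("strict:   steps ran=%v err=%v\n", ran, err)
	}
}
```

The issuer lookup is still the first thing both handlers do, since the key to verify against is only known once the SP is identified; the difference is only whether the cached SP configuration is consulted for the signing key before or after the user is pushed into the SP's login steps. Two things a real receiver needs beyond this sketch: the signed string must be rebuilt from the query parameters as they arrived on the wire (different URL-encoders emit different octets for the same value, and the signature covers the octets), and the SAML Request validation the thread refers to covers more than the signature (the same ordering argument applies to every check that can reject the request).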
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
