On Tue, Feb 28, 2017 at 2:52 PM, Dulanja Liyanage <[email protected]> wrote:
> Originally we identified the tenant domain only after user authentication.
> Then only tenant specific SP configs could be retrieved. That's why
> validation was done only after authentication.
>
> Aren't we getting the SP tenant domain with the issuer (appended after an "@"
> sign)? Or at least as a query parameter? Do we do any request validation
> based on the authenticated user's tenant domain?
>
> On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <[email protected]>
> wrote:
>
>> Hi Farasath,
>>
>> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Noticed $subject happening when we configure SAML SSO with SAML Request
>>> Validation enabled.
>>>
>>> This means that even for an invalid SAML Request (with an invalid
>>> signature) the user will go through the authentication steps configured for
>>> that Service Provider (identified by the issuer value in the request) and
>>> the SAML Request validation only happens after we get the response from the
>>> authentication framework.
>>>
>>> Is this the expected behaviour?
>>>
>>> Yes.
>>
>> We only validate the issuer name of the SAML service provider in the
>> authentication request before the authentication.
>>
>> Since we store SAML related configurations in the registry, we have
>> implemented it in this way to improve performance for the valid
>> authentication requests.
>>
>> But ideally, we should validate the authentication request before moving to
>> authentication.
>>
>>> Thanks,
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>> <http://wso2.com/signature>
>>>
>> Thanks,
>> Thanuja
>> --
>> *Thanuja Lakmal*
>> Senior Software Engineer
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891 +94758009992
>
> --
> Thanks & Regards,
> Dulanja Liyanage
> Lead, Platform Security Team
> WSO2 Inc.

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
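The ordering debated above, as an added illustration that is not WSO2 Identity Server code: the tenant domain is taken from the issuer's "@" suffix, the SP configuration is looked up per tenant, and the request signature is verified before the authentication framework is invoked, so a tampered request never triggers the SP's login steps. The registry contents, the HMAC stand-in for XML signature verification and the `AuthnFramework` stub are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the per-tenant SP registry. "key" plays the role of
# the SP certificate used for XML signature verification (HMAC here for brevity).
SP_REGISTRY = {
    "carbon.super": {"travelocity.com": {"key": b"super-secret-1", "auth_steps": ["basic"]}},
    "abc.com": {"travelocity.com": {"key": b"abc-secret-2", "auth_steps": ["basic", "totp"]}},
}


@dataclass
class SamlAuthnRequest:
    issuer: str       # e.g. "travelocity.com@abc.com"
    payload: bytes    # the request bytes the signature covers
    signature: bytes  # signature value supplied with the request


def split_issuer(issuer: str) -> tuple:
    """Return (sp_issuer, tenant_domain); no '@' suffix means the super tenant."""
    if "@" in issuer:
        sp, _, tenant = issuer.rpartition("@")
        return sp, tenant
    return issuer, "carbon.super"


def verify_signature(key: bytes, req: SamlAuthnRequest) -> bool:
    expected = hmac.new(key, req.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, req.signature)


def make_request(issuer: str, key: bytes, payload: bytes) -> SamlAuthnRequest:
    """Constructed signed request, as an SP holding the matching key would send."""
    return SamlAuthnRequest(issuer, payload, hmac.new(key, payload, hashlib.sha256).digest())


class AuthnFramework:
    """Stub for the authentication framework; counts how often login steps run."""
    def __init__(self):
        self.invocations = 0

    def authenticate(self, steps):
        self.invocations += 1
        return "[email protected]"  # constructed authenticated subject


def process_request(req, framework, validate_first=True):
    sp, tenant = split_issuer(req.issuer)
    cfg = SP_REGISTRY.get(tenant, {}).get(sp)
    if cfg is None:
        return "rejected: unknown issuer"
    if validate_first and not verify_signature(cfg["key"], req):
        return "rejected: invalid signature"          # no login steps were run
    user = framework.authenticate(cfg["auth_steps"])  # the expensive part
    if not validate_first and not verify_signature(cfg["key"], req):
        return "rejected: invalid signature (after authentication)"
    return f"response issued to {sp} for {user}"
```

Running `process_request` with `validate_first=False` reproduces the behaviour reported in the thread: the framework is invoked once before the bad signature is noticed.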
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
