On Tue, Feb 28, 2017 at 2:57 PM, Hasintha Indrajee <[email protected]> wrote:
>
> On Tue, Feb 28, 2017 at 2:52 PM, Dulanja Liyanage <[email protected]> wrote:
>
>> Originally we identified the tenant domain only after user authentication. Then only tenant specific SP configs could be retrieved. That's why validation was done only after authentication.
>>
>
> Aren't we getting SP tenant domain with the issuer (appended after an "@" sign)? or at least as a query parameter? Do we do any request validation based on authenticated user's tenant domain?
>

Yes, we get the tenant domain of SP in the request. Therefore we can validate authentication request before the authentication. But considering the performance we have implemented it this way.

>
>> On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <[email protected]> wrote:
>>
>>> Hi Farasath,
>>>
>>> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Noticed $subject happening when we configure SAML SSO with SAML Request Validation enabled.
>>>>
>>>> This means that even for an invalid SAML Request (with an invalid signature) the user will go through the authentication steps configured for that Service Provider (identified by the issuer value in the request) and the SAML Request validation only happens after we get the response from the authentication framework.
>>>>
>>>> Is this the expected behaviour?
>>>>
>>>> Yes.
>>>
>>> We only validate issuer name of the SAML service provider in the authentication request before the authentication.
>>>
>>> Since we store SAML related configurations in the registry, we have implemented it in this way to improve performance for the valid authentication requests.
>>>
>>> But ideally, we should validate authentication request before moving to authentication.
>>>
>>>> Thanks,
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>
>>> Thanks,
>>> Thanuja
>>> --
>>> *Thanuja Lakmal*
>>> Senior Software Engineer
>>> WSO2 Inc. http://wso2.com/
>>> *lean.enterprise.middleware*
>>> Mobile: +94715979891 +94758009992
>>>
>>
>> --
>> Thanks & Regards,
>> Dulanja Liyanage
>> Lead, Platform Security Team
>> WSO2 Inc.
>>
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile: +94 771892453
>

--
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
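As an added illustration of the ordering discussed in this thread (example code written here, not WSO2 Identity Server code): a request handler that resolves the SP tenant from the issuer, loads the SP configuration and checks the request signature before handing off to the authentication framework, with the SP configuration cached so the registry lookup that motivated validate-after-authentication is paid once per SP rather than once per request. The registry contents, SP names, keys and the HMAC stand-in for XML signature verification are all constructed assumptions.

```python
# Added example, not WSO2 code: validate the SAML AuthnRequest fully
# BEFORE invoking the authentication framework, caching SP config to
# keep the per-request cost low.
import hmac
import hashlib
from functools import lru_cache

# Constructed stand-in for the SP configuration registry: tenant -> issuer -> config.
REGISTRY = {
    "carbon.super": {"travelocity.com": {"key": b"sp-secret-1", "auth_steps": ["basic"]}},
    "wso2.com": {"sales-app": {"key": b"sp-secret-2", "auth_steps": ["basic", "totp"]}},
}
registry_reads = []        # one entry per real registry hit (cache misses only)
auth_framework_calls = []  # which (tenant, sp) pairs actually reached the auth framework

def split_issuer(issuer):
    """The issuer may carry the SP tenant domain after an '@' (e.g. 'sales-app@wso2.com');
    without a suffix the super tenant is assumed."""
    sp, _, tenant = issuer.partition("@")
    return sp, tenant or "carbon.super"

@lru_cache(maxsize=256)
def sp_config(tenant, sp):
    """Registry lookup; lru_cache means the (tenant, sp) pair is fetched once."""
    registry_reads.append((tenant, sp))
    return REGISTRY.get(tenant, {}).get(sp)

def signature_valid(request, key):
    # Placeholder for XML-DSig verification against the SP's registered certificate:
    # an HMAC-SHA256 over the request body stands in for RSA-SHA256 here.
    expected = hmac.new(key, request["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, request["signature"])

def authentication_framework(tenant, sp, steps):
    """Stand-in for the authentication framework; records that it was invoked."""
    auth_framework_calls.append((tenant, sp))
    return {"authenticated": True, "steps": steps}

def handle_authn_request(request):
    sp, tenant = split_issuer(request["issuer"])
    cfg = sp_config(tenant, sp)
    if cfg is None:
        return {"error": "unknown issuer"}
    if not signature_valid(request, cfg["key"]):
        return {"error": "invalid signature"}  # rejected before any login step is shown
    return authentication_framework(tenant, sp, cfg["auth_steps"])

def sign(issuer, body, key):
    """Constructed helper that builds a signed request for the demo."""
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "signature": sig}
```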
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
