On Tue, Feb 28, 2017 at 2:49 PM, Thanuja Jayasinghe <[email protected]> wrote:
> Hi Farasath,
>
> On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <[email protected]>
> wrote:
>
>> Hi,
>>
>> Noticed $subject happening when we configure SAML SSO with SAML Request
>> Validation enabled.
>>
>> This means that even for an invalid SAML Request (with an invalid
>> signature) the user will go through the authentication steps configured for
>> that Service Provider (identified by the issuer value in the request) and
>> the SAML Request validation only happens after we get the response from the
>> authentication framework.
>>
>> Is this the expected behaviour?
>>
>> Yes.
>
> We only validate the issuer name of the SAML service provider in the
> authentication request before the authentication.
>
> Since we store SAML related configurations in the registry, we have
> implemented it in this way to improve performance for the valid
> authentication requests.
>
> But ideally, we should validate the authentication request before moving to
> authentication.
>

Yes, this happens correctly in IS 6.0.0, where the validation is done before everything else.

>>
>> Thanks,
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>> <http://wso2.com/signature>
>>
>
> Thanks,
> Thanuja
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
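
An added example, not WSO2 Identity Server code and not from this thread, of the ordering discussed above: the request signature is verified before any authentication step starts, and the service provider's key comes from an in-memory cache so the check does not need a registry read per request. It assumes the HTTP-Redirect binding with rsa-sha256; the class, method, cache and issuer names are hypothetical, and the key pair and request values are constructed for the demo.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class ValidateBeforeAuth {
    static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    // Hypothetical cache of SP verification keys, keyed by issuer, filled when
    // the SP configuration is loaded so validation avoids a per-request lookup.
    static final Map<String, PublicKey> SP_KEYS = new ConcurrentHashMap<>();

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Sender side only: builds the octets the redirect binding signs.
    static String signedPart(String samlRequest, String relayState) {
        return "SAMLRequest=" + enc(samlRequest) + "&RelayState=" + enc(relayState)
                + "&SigAlg=" + enc(SIG_ALG);
    }

    // Gate called before the authentication framework: true only when the issuer
    // is known AND the signature over the query string as received verifies.
    static boolean mayStartAuthentication(String issuer, String receivedPart, String sigB64) {
        PublicKey key = SP_KEYS.get(issuer);
        if (key == null) return false;               // unknown issuer
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(key);
            v.update(receivedPart.getBytes(StandardCharsets.UTF_8));
            return v.verify(Base64.getDecoder().decode(sigB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;                            // malformed input: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair sp = g.generateKeyPair();            // constructed demo key pair
        SP_KEYS.put("sp.example.test", sp.getPublic());
        String part = signedPart("Y29uc3RydWN0ZWQ=", "state-1"); // constructed values
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(sp.getPrivate());
        s.update(part.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getEncoder().encodeToString(s.sign());
        System.out.println("valid request:    " + mayStartAuthentication("sp.example.test", part, sig));
        System.out.println("tampered request: " + mayStartAuthentication("sp.example.test", part.replace("state-1", "state-2"), sig));
        System.out.println("unknown issuer:   " + mayStartAuthentication("unknown-sp", part, sig));
    }
}
```

The gate verifies the query-string bytes exactly as they arrived rather than re-encoding parsed parameters, since re-encoding can change the signed octets.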
