Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issuer confusion in Saml2Response #865

Closed
marshal-nash opened this issue Dec 6, 2017 · 1 comment
Closed

Issuer confusion in Saml2Response #865

marshal-nash opened this issue Dec 6, 2017 · 1 comment

Comments

@marshal-nash
Copy link

Hello,

I just found that in Saml2Response, the issuer is extracted from the Issuer xml element child of Response:
Issuer = new EntityId(xmlElement["Issuer", Saml2Namespaces.Saml2Name].GetTrimmedTextIfNotNull());

Looking at the specification (saml-core-2.0-os) from oasis, it appears that this element is optional (page 38, line 1566). On the other hand, the element Assertion has a required child Issuer (page 16, line 558).

The Response > Issuer element contains information about who generated the response message, while the Response > Assertion > Issuer contains information about who made the claims.

Usually, the two issuers contains the same information, but I have a case where the provider doesn't populate the response issuer in the Saml2Response.

Would it be possible to use the assertion issuer in the Saml2Response class ?

@explunit
Copy link
Contributor

explunit commented Dec 6, 2017

You are correct, and this is a known issue (#477). I'll close this one so we keep discussion in one place. Linked in #477 is a PR that attempted to fix this, but wasn't quite ready for production use. If you have a better approach please submit a PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants