Hi Farasath,

On Tue, Feb 28, 2017 at 2:39 PM, Farasath Ahamed <farasa...@wso2.com> wrote:

> Hi,
>
> Noticed $subject happening when we configure SAML SSO with SAML Request
> Validation enabled.
>
> This means that even for an invalid SAML Request (with an invalid
> signature) the user will go through the authentication steps configured for
> that Service Provider(identified by the issuer value in the request) and
> the SAML Request validation only happens after we get the response from the
> authentication framework.
>
> Is this the expected behaviour?
>

Yes.

We only validate the issuer name of the SAML service provider in the
authentication request before the authentication.

Since we store SAML-related configurations in the registry, we have
implemented it in this way to improve performance for valid
authentication requests.

But ideally, we should validate authentication request before moving to
authentication.


>
> Thanks,
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> <http://wso2.com/signature>
>
>
Thanks,
Thanuja
-- 
*Thanuja Lakmal*
Senior Software Engineer
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891 +94758009992
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
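The ordering discussed above, as an added example that is not part of the thread and not WSO2 Identity Server code. It takes a SAML 2.0 AuthnRequest on the HTTP-Redirect binding (DEFLATE + base64, signature over the raw `SAMLRequest=...&RelayState=...&SigAlg=...` query string as the Bindings spec lays it out) and contrasts the deferred handler (issuer lookup, then authentication, then request validation) with a strict handler that rejects a badly signed request before the user is ever sent through the authentication steps. The SP registry, issuer values, key and the HMAC-SHA256 stand-in for the RSA/ECDSA signature used in practice are all assumptions made for the example:

```python
"""Order of checks for a SAML 2.0 AuthnRequest on the HTTP-Redirect binding.

Added example, not WSO2 code. HMAC-SHA256 stands in for the asymmetric
signature a real SP would use; everything else about the signed query
string follows the SAML 2.0 Bindings spec (section 3.4.4.1).
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import quote, unquote, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed SigAlg URI for the stand-in HMAC; a real deployment would see rsa-sha256 here.
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"

# Constructed SP registry (issuer -> verification key, request-signature validation flag).
SP_REGISTRY = {
    "https://sp.example.com/saml": {"key": b"sp-example-verification-key",
                                    "validate_signature": True},
}


def build_authn_request(issuer: str) -> str:
    """Minimal constructed AuthnRequest; only the Issuer matters for this example."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            'ID="_abc123" Version="2.0" IssueInstant="2017-02-28T09:09:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def encode_redirect(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_redirect(saml_request: str) -> str:
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def sign_redirect_query(saml_request: str, relay_state, key: bytes) -> str:
    """Build the signed query string: SAMLRequest[&RelayState]&SigAlg, then Signature."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", SIG_ALG))
    to_sign = urlencode(parts, quote_via=quote).encode()
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    parts.append(("Signature", base64.b64encode(sig).decode()))
    return urlencode(parts, quote_via=quote)


def _raw_params(query: str) -> dict:
    # Keep the URL-encoded values exactly as received: that is what was signed.
    return dict(seg.split("=", 1) for seg in query.split("&") if "=" in seg)


def verify_redirect_query(query: str, key: bytes) -> bool:
    raw = _raw_params(query)
    if "SAMLRequest" not in raw or "Signature" not in raw:
        return False
    if unquote(raw.get("SigAlg", "")) != SIG_ALG:   # refuse algorithm substitution
        return False
    to_sign = "SAMLRequest=" + raw["SAMLRequest"]
    if "RelayState" in raw:
        to_sign += "&RelayState=" + raw["RelayState"]
    to_sign += "&SigAlg=" + raw["SigAlg"]
    expected = hmac.new(key, to_sign.encode(), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(unquote(raw["Signature"]), validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, presented)


def issuer_of(saml_request: str):
    root = ET.fromstring(decode_redirect(saml_request))
    el = root.find(f"{{{SAML}}}Issuer")
    return el.text.strip() if el is not None and el.text else None


def handle_deferred(query: str, authenticate) -> str:
    """The ordering described in the thread: issuer check, authenticate, then validate."""
    sp = SP_REGISTRY.get(issuer_of(unquote(_raw_params(query)["SAMLRequest"])))
    if sp is None:
        return "rejected: unknown issuer"
    user = authenticate()  # user is prompted even if the request turns out to be forged
    if sp["validate_signature"] and not verify_redirect_query(query, sp["key"]):
        return "rejected: invalid signature"
    return f"authenticated {user}"


def handle_strict(query: str, authenticate) -> str:
    """Validate issuer AND signature before any authentication step is run."""
    sp = SP_REGISTRY.get(issuer_of(unquote(_raw_params(query)["SAMLRequest"])))
    if sp is None:
        return "rejected: unknown issuer"
    if sp["validate_signature"] and not verify_redirect_query(query, sp["key"]):
        return "rejected: invalid signature"
    return f"authenticated {authenticate()}"


if __name__ == "__main__":
    good = sign_redirect_query(encode_redirect(build_authn_request(
        "https://sp.example.com/saml")), "state1", b"sp-example-verification-key")
    forged = good.replace("RelayState=state1", "RelayState=evil")
    for name, handler in (("deferred", handle_deferred), ("strict", handle_strict)):
        print(name, handler(forged, lambda: "alice"))
```

Feed both handlers the same tampered query and count how often the authenticate callback fires: the deferred handler still rejects the request in the end, but only after the user has been walked through the SP's authentication steps; the strict handler never calls it. The cost the thread mentions (a registry lookup per request) is paid in both orderings, since the issuer lookup already happens up front; only the signature check itself moves earlier.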