OpenConext / OpenConext-engineblock

OpenConext SAML 2.0 IdP/SP Gateway

HTTP-Redirect signatures are ignored unless 'redirect.sign' is set #247

Open relaxnow opened 8 years ago

relaxnow commented 8 years ago

At the very least this should trigger a log warning.

thijskh commented 8 years ago

Should it? If we don't require a signature, but someone sends a message with one, why is it a problem to just continue and act as if there was none?

relaxnow commented 8 years ago

This issue was created in response to an issue where an SP was misconfigured but we didn't notice until we connected the SP to a different IdP but were puzzling over why suddenly the signature was broken.

I agree that OpenConext is not required to validate the signature (changed this to enhancement). However, if an SP sends a signature anyway, this could be indicative of a misconfigured SP or, worse, an SP that expects request verification because it wants us to redirect to a different ACS or it wants to be used as an SP proxy (like Stepup Gateway), but we simply ignore it.

Somewhere there is a difference between what we expect the SP to send and what it actually sends. While I agree that we shouldn't break on it, ideally you'd inform the SP so it doesn't expect us to do something we don't.
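
The mismatch discussed in this thread, as an added example that is not part of the issue or EngineBlock's own code: a Python sketch that compares the `Signature`/`SigAlg` query parameters of an HTTP-Redirect request with what the SP's configuration expects, and logs a warning when they disagree instead of failing. The function name, the `require_signed` flag (a hypothetical stand-in for the `redirect.sign` setting) and the sample query strings are assumptions.

```python
import logging
from enum import Enum
from urllib.parse import parse_qs

log = logging.getLogger("saml.redirect")


class SigState(Enum):
    UNSIGNED_OK = "unsigned, none expected"
    VERIFY = "signed and expected: caller must verify"
    UNEXPECTED_SIGNATURE = "signed, but verification is off for this SP"
    MISSING_SIGNATURE = "signature expected, but absent or incomplete"


def classify_redirect_signature(raw_query, sp_entity_id, require_signed):
    """Compare what an SP sent on HTTP-Redirect with what its config expects.

    require_signed is a hypothetical stand-in for the per-SP 'redirect.sign'
    setting. This function only classifies; it does not verify anything.
    """
    params = parse_qs(raw_query, keep_blank_values=True)
    sig = params.get("Signature", [])
    alg = params.get("SigAlg", [])
    # A usable signature is exactly one non-empty Signature plus one SigAlg.
    complete = len(sig) == 1 and len(alg) == 1 and sig[0] != "" and alg[0] != ""

    if require_signed:
        if complete:
            return SigState.VERIFY
        log.warning("SP %r: signed HTTP-Redirect request expected, but "
                    "Signature/SigAlg absent or incomplete", sp_entity_id)
        return SigState.MISSING_SIGNATURE

    if sig or alg:
        # The case from this issue: the SP signs, we are not configured to
        # check. Do not break on it, but leave a trace for the operator.
        log.warning("SP %r sent Signature/SigAlg (SigAlg=%r) on HTTP-Redirect, "
                    "but verification is not enabled for it; signature was "
                    "NOT checked", sp_entity_id, alg[:1])
        return SigState.UNEXPECTED_SIGNATURE
    return SigState.UNSIGNED_OK


# Constructed sample query strings (not real SAML messages).
SIGNED = ("SAMLRequest=Y29uc3RydWN0ZWQ%3D&RelayState=s1&SigAlg=http%3A%2F%2Fwww.w3.org"
          "%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=c2lnbmF0dXJl")
UNSIGNED = "SAMLRequest=Y29uc3RydWN0ZWQ%3D&RelayState=s1"
```
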