bjorns / mock-idp

A minimal identity provider for testing auth integrations
MIT License

Fix `Conditions` element position, and response enhancements #9

Closed mroach closed 1 year ago

mroach commented 2 years ago

Hello! First off, thanks for creating this app. I'm just getting my feet wet with SAML integration in a Ruby app and this is a handy tool.

I encountered a couple issues along the way and want to share my fixes. If they should be broken up into separate PRs, let me know.

Conditions position

The SP library I'm using validates SAML responses with this XSD: https://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. As far as I can tell, this XSD is the standard.

TIL that validating XML with XSD is sensitive to the order of elements in the document.

I ran into a validation error since Conditions was appearing after the AudienceRestriction, but according to the XSD, it should be before it.

https://www.samltool.com/validate_xml.php

SPNameQualifier

The SP library I'm using by default wants the SPNameQualifier to match our ID. Otherwise it thinks the response is invalid.

According to the SAML specification, the field is:

Further qualifies a name with the name of a service provider or affiliation of providers. This attribute provides an additional means to federate names on the basis of the relying party or parties

So I think it makes sense that it match the service provider ID rather than be hardcoded.

Issuer

This one didn't specifically cause me a problem, but I was confused to see in the response that Issuer was not correct for how I was running the IDP. I'm running via Docker with a different port.
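An added example, not code from mock-idp or from this PR: a stdlib-only Python pre-flight check that walks a SAML Response and reports the three things raised above. It flags Assertion children that are out of the `xs:sequence` order the assertion XSD declares (Issuer, Signature, Subject, Conditions, Advice, then the statements), a NameID whose SPNameQualifier differs from the SP entityID, and an Issuer that differs from the URL the IdP is actually served on. The SP entityID, the localhost URLs and the sample Response are all constructed for the example.

```python
"""Pre-flight checks for a SAML 2.0 Response from a test IdP (added example).

Uses only the standard library so it runs offline. It does not replace the
SP's own XSD validation or signature checks; it just catches the ordering
and identifier mismatches discussed in the PR before the SP does.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"

SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # assumed SP entityID
IDP_ISSUER = "http://localhost:4000"                     # assumed IdP base URL


def _q(ns, local):
    return "{%s}%s" % (ns, local)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


# Child order of <saml:Assertion> as declared by the <xs:sequence> in
# saml-schema-assertion-2.0.xsd. The statements are a repeatable choice at
# the end of the sequence, so they all share one rank.
ASSERTION_ORDER = {
    _q(SAML, "Issuer"): 0,
    _q(DS, "Signature"): 1,
    _q(SAML, "Subject"): 2,
    _q(SAML, "Conditions"): 3,
    _q(SAML, "Advice"): 4,
    _q(SAML, "Statement"): 5,
    _q(SAML, "AuthnStatement"): 5,
    _q(SAML, "AuthzDecisionStatement"): 5,
    _q(SAML, "AttributeStatement"): 5,
}


def check_response(response_xml, sp_entity_id, expected_issuer):
    """Return a list of findings; an empty list means all three checks passed."""
    root = ET.fromstring(response_xml)
    findings = []
    # 1. XSD sequence order: each child must rank >= every child before it.
    for assertion in root.iter(_q(SAML, "Assertion")):
        highest = -1
        for child in assertion:
            rank = ASSERTION_ORDER.get(child.tag)
            if rank is None:
                findings.append("unexpected Assertion child: %s" % _local(child.tag))
                continue
            if rank < highest:
                findings.append("%s is out of sequence order" % _local(child.tag))
            highest = max(highest, rank)
    # 2. SPNameQualifier, when present, should name the relying party.
    for name_id in root.iter(_q(SAML, "NameID")):
        spnq = name_id.get("SPNameQualifier")
        if spnq is not None and spnq != sp_entity_id:
            findings.append("SPNameQualifier %r != SP entityID %r" % (spnq, sp_entity_id))
    # 3. Issuer (Response-level and Assertion-level) should match the IdP URL.
    for issuer in root.iter(_q(SAML, "Issuer")):
        value = (issuer.text or "").strip()
        if value != expected_issuer:
            findings.append("Issuer %r != expected %r" % (value, expected_issuer))
    return findings


def build_response(conditions_before_statements, sp_name_qualifier, issuer):
    """Constructed sample Response (no signature); not output captured from mock-idp."""
    conditions = (
        '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" '
        'NotOnOrAfter="2024-01-01T00:05:00Z"><saml:AudienceRestriction>'
        "<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions>"
    ) % SP_ENTITY_ID
    statement = (
        '<saml:AttributeStatement><saml:Attribute Name="email">'
        "<saml:AttributeValue>alice@example.test</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement>"
    )
    body = conditions + statement if conditions_before_statements else statement + conditions
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>%s</saml:Issuer>"
        '<saml:Subject><saml:NameID SPNameQualifier="%s">alice@example.test</saml:NameID>'
        "</saml:Subject>%s</saml:Assertion></samlp:Response>"
    ) % (SAMLP, SAML, issuer, issuer, sp_name_qualifier, body)


if __name__ == "__main__":
    good = build_response(True, SP_ENTITY_ID, IDP_ISSUER)
    # Conditions after the statement, hardcoded qualifier, and the Issuer
    # reporting a different port than the one the IdP is reached on.
    bad = build_response(False, "http://localhost:8000", "http://localhost:8000")
    for label, xml in (("good", good), ("bad", bad)):
        print(label, check_response(xml, SP_ENTITY_ID, IDP_ISSUER) or "OK")
```

Run it against the XML a test IdP actually emits (paste it in place of `build_response`) before handing the response to an SP; for the full schema check, still validate against the OASIS XSD with a schema-aware tool such as the samltool page linked above or `xmllint --schema`.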

bjorns commented 1 year ago

thanks!