italia / spid-sp-shibboleth

SPID middleware based on Shibboleth
Creative Commons Zero v1.0 Universal

InResponseTo validation #11

Closed peppelinux closed 3 years ago

peppelinux commented 3 years ago

The following AgID tests will fail, without any remediation possible, with a standard Shibboleth SP distribution:

ERROR:spid_sp_test:Test [16] Attributo InResponseTo non specificato. Risultato atteso: KO: : [http status_code: 404] : FAILED
ERROR:spid_sp_test:Test [17] Attributo InResponseTo mancante. Risultato atteso: KO: : [http status_code: 404] : FAILED
ERROR:spid_sp_test:Test [18] Attributo InResponseTo diverso da ID request. Risultato atteso: KO: : [http status_code: 404] : FAILED

Here is a relevant thread: https://shibboleth.1660669.n2.nabble.com/Validate-InResponseTo-attribute-td7641623.html
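The three failing tests in the comment above all exercise one service-provider check: a SAML Response must carry an `InResponseTo` that matches the ID of an AuthnRequest the SP actually issued. The sketch below is an added example, not code from spid-sp-shibboleth or Shibboleth; the function names, the pending-ID set and the sample XML are constructed for illustration, and reading "non specificato" as an empty attribute value is an assumption.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def check_in_response_to(response_xml, pending_ids):
    """Return (ok, reason). pending_ids is the set of AuthnRequest IDs this SP
    issued and has not consumed yet (hypothetical per-session store).
    Signature validation is out of scope here and must happen first; a real
    deployment would also use a hardened XML parser."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    irt = root.get("InResponseTo")
    if irt is None:                      # attribute absent (test 17)
        return False, "InResponseTo missing"
    if irt.strip() == "":                # attribute present but empty (test 16, assumed)
        return False, "InResponseTo unspecified"
    if irt not in pending_ids:           # differs from the request ID (test 18)
        return False, "InResponseTo does not match a pending request ID"
    # The bearer SubjectConfirmationData must echo the same request ID.
    for scd in root.iter(f"{{{SAML}}}SubjectConfirmationData"):
        if scd.get("InResponseTo") != irt:
            return False, "SubjectConfirmationData InResponseTo mismatch"
    pending_ids.discard(irt)             # one-time use: a replayed response fails
    return True, "ok"

def sample_response(in_response_to):
    """Build a constructed, unsigned Response; None omits the attribute."""
    attr = "" if in_response_to is None else f' InResponseTo="{in_response_to}"'
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_r1" Version="2.0"{attr}><saml:Assertion ID="_a1" Version="2.0">'
        f'<saml:Subject><saml:SubjectConfirmation '
        f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData{attr}/></saml:SubjectConfirmation>'
        f'</saml:Subject></saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    pending = {"_req1"}                  # constructed request ID
    for value in ("", None, "_other", "_req1", "_req1"):
        print(repr(value), check_in_response_to(sample_response(value), pending))
```

The last two iterations show the same valid response accepted once and then rejected, because its request ID has already been consumed.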

peppelinux commented 3 years ago

Consider https://wiki.shibboleth.net/confluence/display/SP3/CSRF

robertogallea commented 3 years ago

Perhaps this can be closed

peppelinux commented 3 years ago

Fixed by https://github.com/italia/spid-sp-shibboleth/commit/79d163e39c6f89ca9ab1ee4c42a32c9f4ff6d453