Open Tazoeur opened 5 years ago
Hi
I think the response created in Http/Traits/SamlAuth.php:138 should also contain a "set in response to":

```php
// Generate the response object
$response = new \LightSaml\Model\Protocol\Response();
$response
    ->addAssertion($assertion = new \LightSaml\Model\Assertion\Assertion())
    ->setID(\LightSaml\Helper::generateID())
    ->setIssueInstant(new \DateTime())
    // Proposed addition: bind this Response to the SP's AuthnRequest
    ->setInResponseTo($authnRequest->getId())
    ->setDestination($destination)
    ->setIssuer(new \LightSaml\Model\Assertion\Issuer($issuer))
    ->setStatus(new \LightSaml\Model\Protocol\Status(new \LightSaml\Model\Protocol\StatusCode(\LightSaml\SamlConstants::STATUS_SUCCESS)))
    ->setSignature(new \LightSaml\Model\XmlDSig\SignatureWriter($certificate, $privateKey))
;
```

so that the SP that checks where the response comes from does not assume that the request is unsolicited.
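To show what the SP gains from that `InResponseTo` attribute, here is an added example (written in Python, not code from this PHP project) of the SP side of the exchange: the SP records the ID of each AuthnRequest it issues, the IdP builds a Response that either does or does not carry `InResponseTo`, and the SP accepts a response without it only when its policy allows IdP-initiated logins. The Response is constructed inline and unsigned; the URLs, the `ServiceProvider` class and the `allow_unsolicited` policy flag are assumptions for the example, and a real SP must also verify the signature, Issuer, Conditions and Audience.

```python
"""SP-side handling of the SAML 2.0 InResponseTo attribute.

Added example, not code from the project this issue is filed against. The
Response built here is constructed and unsigned, purely to show how an SP
tells a solicited response apart from an unsolicited (IdP-initiated) one.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

ET.register_namespace("samlp", NS_PROTOCOL)
ET.register_namespace("saml", NS_ASSERTION)


def generate_id() -> str:
    """SAML message IDs are xs:ID values, so they must not start with a digit."""
    return "_" + secrets.token_hex(16)


def build_response(in_response_to: Optional[str], destination: str, issuer: str) -> str:
    """IdP side: build a minimal Response, setting InResponseTo only when given.

    This is the point of the issue: a Response issued for an AuthnRequest
    should carry that request's ID. Assertion and Signature are omitted here.
    """
    attrs = {"ID": generate_id(), "Version": "2.0", "Destination": destination}
    if in_response_to is not None:
        attrs["InResponseTo"] = in_response_to
    root = ET.Element(f"{{{NS_PROTOCOL}}}Response", attrs)
    ET.SubElement(root, f"{{{NS_ASSERTION}}}Issuer").text = issuer
    status = ET.SubElement(root, f"{{{NS_PROTOCOL}}}Status")
    ET.SubElement(status, f"{{{NS_PROTOCOL}}}StatusCode", {"Value": STATUS_SUCCESS})
    return ET.tostring(root, encoding="unicode")


class ServiceProvider:
    """Minimal SP (hypothetical) that tracks the AuthnRequest IDs it has issued."""

    def __init__(self, acs_url: str, allow_unsolicited: bool = False) -> None:
        self.acs_url = acs_url
        self.allow_unsolicited = allow_unsolicited
        # Outstanding request IDs; a real SP keeps these in the session or a store.
        self._outstanding: Dict[str, bool] = {}

    def start_login(self) -> str:
        """SP-initiated flow: remember the AuthnRequest ID we are about to send."""
        request_id = generate_id()
        self._outstanding[request_id] = True
        return request_id

    def consume(self, xml_text: str) -> str:
        """Validate a Response; return 'solicited' or 'unsolicited', raise on reject.

        Only the Destination / Status / InResponseTo checks are shown; a real
        SP must also verify the signature, Issuer, Conditions and Audience.
        """
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{NS_PROTOCOL}}}Response":
            raise ValueError("not a samlp:Response")
        if root.get("Destination") != self.acs_url:
            raise ValueError("Destination does not match this SP's ACS URL")
        code = root.find(f"{{{NS_PROTOCOL}}}Status/{{{NS_PROTOCOL}}}StatusCode")
        if code is None or code.get("Value") != STATUS_SUCCESS:
            raise ValueError("non-success status")

        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            # No InResponseTo: the SP cannot tie this Response to anything it
            # asked for, so it can only be treated as IdP-initiated and is
            # accepted solely if policy allows unsolicited logins.
            if not self.allow_unsolicited:
                raise ValueError("unsolicited response rejected by policy")
            return "unsolicited"
        if in_response_to not in self._outstanding:
            raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
        # Consume the ID so the same Response cannot be replayed.
        del self._outstanding[in_response_to]
        return "solicited"


if __name__ == "__main__":
    sp = ServiceProvider("https://sp.example.org/acs")
    request_id = sp.start_login()
    print(sp.consume(build_response(request_id, sp.acs_url, "https://idp.example.org")))
```

With `allow_unsolicited=False` (the safer default), a Response that omits `InResponseTo` is rejected outright, and a Response whose `InResponseTo` is not one of the SP's outstanding request IDs is rejected as well; consuming the ID on success also blocks a replay of the same Response.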