Closed Philonous closed 1 year ago
ProxyRestriction is relevant for wai-saml2 because we are not issuing our own assertions. It might be potentially useful for a user of the library, but I don't plan on implementing it, since I won't be needing it.

OneTimeUse. wai-saml2 doesn't cache assertions, so I don't think we need to validate this condition. I won't implement this for now either
To check the validity of an Assertion, we should also check AudienceRestrictions. (This doesn't seem to happen at the moment)

To quote [1] (lines 922 - 925)

As I understand it, this means:

- <AudienceRestriction> elements
- AudienceRestriction can include multiple (one or more) Audience elements
- AudienceRestriction, we have to accept one of the Audiences in it (OR), but all of the AudienceRestrictions have to be validated (AND)

I'll work on a PR
References:
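
The AND-across-restrictions, OR-within-a-restriction rule described in the issue above, as an added Python illustration; it is not wai-saml2's Haskell code and not part of the original issue. The entity IDs, the function names and the optional `require_restriction` policy are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
SP_ENTITY_ID = "https://sp.example.org/metadata"  # constructed value


def audience_restrictions(assertion_xml):
    """Return one list of Audience values per <AudienceRestriction>."""
    # Sample input only: a real SP runs this on the already
    # signature-verified assertion, parsed with a hardened XML parser.
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return []
    return [
        [(a.text or "").strip() for a in r.findall("saml:Audience", NS)]
        for r in conditions.findall("saml:AudienceRestriction", NS)
    ]


def audiences_valid(restrictions, own_entity_id, require_restriction=False):
    """AND across restrictions, OR across the audiences inside each one."""
    if require_restriction and not restrictions:
        return False  # optional stricter policy (assumption, not from the issue)
    # Exact string comparison; a restriction with no matching Audience
    # (or no Audience at all) fails the whole assertion.
    return all(own_entity_id in audiences for audiences in restrictions)


def sample_assertion(*restrictions):
    """Build a constructed, unsigned assertion for the demonstration."""
    body = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in group)
        + "</saml:AudienceRestriction>"
        for group in restrictions
    )
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f"<saml:Conditions>{body}</saml:Conditions></saml:Assertion>")


def check(assertion_xml, **policy):
    return audiences_valid(audience_restrictions(assertion_xml), SP_ENTITY_ID, **policy)


if __name__ == "__main__":
    other = "https://other.example.org/metadata"
    print(check(sample_assertion([SP_ENTITY_ID, other], [SP_ENTITY_ID])))  # both match
    print(check(sample_assertion([SP_ENTITY_ID, other], [other])))  # second fails
```

An assertion with no AudienceRestriction at all passes the plain rule vacuously, which is why the sketch offers a stricter opt-in policy.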