mbg / wai-saml2

WAI middleware implementing SAML2
MIT License

Support signed assertions #45

Open fumieval opened 1 year ago

fumieval commented 1 year ago

Summary

At the moment, wai-saml2 validates signed responses, but not signed assertions. This might cause an error when the identity provider signs assertions only (by default AzureAD does not sign responses). This change adds support for signed assertions; when a signature for the response is present, it validates the response. If this is missing, it validates the signature for the assertion instead.

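The validation order described in the summary (validate the response signature when it is present, otherwise fall back to the assertion's signature, and reject the message when neither is signed), as an added illustration in Python rather than the Haskell of wai-saml2. This is not the project's code: it only locates the signature element that must be verified and leaves the cryptographic XML-DSIG check to whatever library does that. The SAML response documents are constructed inline, and the check that a signature's `ds:Reference` URI names the enclosing element's own `ID` is an extra sanity check added here, not something the pull request describes.

```python
# Added example (not wai-saml2's own code): decide which XML signature a
# SAML2 <samlp:Response> must carry, in the order described in the PR summary.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _own_signature(elem):
    """Return the ds:Signature that is a direct child of elem, or None.

    Looking only at direct children avoids picking up a signature that
    belongs to some other element nested deeper in the document.
    """
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    # Added sanity check (assumption, not from the PR): the signature's
    # Reference must point at this element's own ID; otherwise the signature
    # covers something else and must not be taken as signing this element.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (elem.get("ID") or ""):
        raise ValueError("signature does not reference the enclosing element")
    return sig


def signature_target(response_xml: str) -> str:
    """Return "response" or "assertion" to say which signature to verify.

    Raises ValueError when the document is not a samlp:Response, when it does
    not carry exactly one assertion, or when neither element is signed.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    # A signed response covers the assertion it encloses, so it takes priority.
    if _own_signature(root) is not None:
        return "response"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one saml:Assertion")
    if _own_signature(assertions[0]) is not None:
        return "assertion"
    raise ValueError("neither the response nor the assertion is signed")


def accepts(response_xml: str) -> bool:
    """True when the document carries a signature that can be verified."""
    try:
        signature_target(response_xml)
        return True
    except ValueError:
        return False


# Constructed sample documents; the SignatureValue is a placeholder, since
# only the placement of the signature matters for this example.
_SIG = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#{id}"/></ds:SignedInfo>'
    "<ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>"
)


def _response(sign_response: bool, sign_assertion: bool) -> str:
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
        + (_SIG.format(id="_r1") if sign_response else "")
        + '<saml:Assertion ID="_a1">'
        + (_SIG.format(id="_a1") if sign_assertion else "")
        + "<saml:Subject/></saml:Assertion></samlp:Response>"
    )


RESPONSE_SIGNED = _response(True, False)   # typical when the IdP signs responses
ASSERTION_SIGNED = _response(False, True)  # the AzureAD default described in the PR
UNSIGNED = _response(False, False)         # must be rejected

if __name__ == "__main__":
    for name, doc in [("response-signed", RESPONSE_SIGNED),
                      ("assertion-signed", ASSERTION_SIGNED),
                      ("unsigned", UNSIGNED)]:
        print(name, "->", signature_target(doc) if accepts(doc) else "rejected")
```

Whichever element `signature_target` names is the one whose XML-DSIG signature has to be verified against the identity provider's certificate before any attribute of the assertion is trusted; a document where neither element is signed never reaches that step.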

mbg commented 1 year ago

I haven't had the time to review this yet, but I hope to be able to do so by the end of the coming weekend at the latest. Thank you as always for your contributions and patience! 🙇🏽

fumieval commented 1 year ago

@mbg I split the tests out into #52; I hope this makes reviewing a bit easier.

mbg commented 2 months ago

@fumieval Do you want to update this now that #52 is merged?

fumieval commented 2 months ago

@mbg Sure. I refactored the implementation for more clarity.