Open fumieval opened 1 year ago
I haven't had the time to review this yet, but I hope to be able to do so by the end of the coming weekend at the latest. Thank you as always for your contributions and patience! 🙇🏽
@mbg I split the tests to #52; I hope this makes reviewing a bit easier.
@fumieval Do you want to update this now that #52 is merged?
@mbg Sure. I refactored the implementation for more clarity.
Summary
At the moment, wai-saml2 validates signed responses, but not signed assertions. This might cause an error when the identity provider signs assertions only (by default AzureAD does not sign responses). This change adds support for signed assertions; when a signature for the response is present, it validates the response. If this is missing, it validates the signature for the assertion instead.
Checklist
@since annotations.
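The selection order described in the summary, sketched as an added Python example (not wai-saml2's Haskell code and not part of this pull request): it decides which element's signature has to be verified and rejects a response where neither is signed. The check that a signature's `Reference` points at its own parent element, the function names and the sample documents are assumptions of this example; cryptographic verification is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

class SignatureSelectionError(Exception):
    """No acceptable signature was found on the response or the assertion."""

def own_signature(element):
    """Return the ds:Signature that is a direct child of `element`, or None.
    Its ds:Reference must point back at the element's own ID."""
    sig = element.find("ds:Signature", NS)  # direct children only, no descent
    if sig is None:
        return None
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    eid = element.get("ID")
    if ref is None or not eid or ref.get("URI") != "#" + eid:
        raise SignatureSelectionError("signature does not cover its parent")
    return sig

def select_signed_element(xml_text):
    """Response signature if present, otherwise the assertion's.
    Returns (kind, ID) of the element whose signature must be verified."""
    # Constructed samples only; parse untrusted XML with a hardened parser.
    response = ET.fromstring(xml_text)
    if response.tag != "{%s}Response" % NS["samlp"]:
        raise SignatureSelectionError("not a SAML response")
    if own_signature(response) is not None:
        return ("response", response.get("ID"))
    assertion = response.find("saml:Assertion", NS)
    if assertion is not None and own_signature(assertion) is not None:
        return ("assertion", assertion.get("ID"))
    raise SignatureSelectionError("neither response nor assertion is signed")

def sample(response_ref=None, assertion_ref=None):
    """Constructed test input: a skeletal response with optional signatures."""
    def sig(ref):
        if ref is None:
            return ""
        return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/>'
                '</ds:SignedInfo></ds:Signature>' % ref)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
            'ID="_r1">%s<saml:Assertion ID="_a1">%s</saml:Assertion>'
            '</samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"],
               sig(response_ref), sig(assertion_ref)))
```

Whatever element is selected is the only one whose contents should be trusted after its signature verifies; data outside it stays unauthenticated.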