Closed cody2094 closed 3 years ago
Validation of the metadata signature is optional. Recently, most web services require that you download the SP metadata (when people trust that SP service) and upload it manually to the IdP. Also, in most scenarios the metadata doesn't contain any certificate; in that case, if we checked it by default, it would break those IdP applications.
About your scenario, it might be good if you generate a fingerprint of the public key with the following function; then you don't need to change it manually.
This function might help you: lib/saml_idp/fingerprint.rb
@cody2094 we haven't heard anything from you. If you have more questions, please feel free to open this issue.
It seems to me as though the SP's fingerprint is not validated by default, although the documentation implies that the fingerprint configuration should be required. I discovered this only because I realized I had forgotten to change the fingerprint for one of my use cases, yet the connection still worked.
Based on the following line of code, it seems as though the fingerprint won't be checked against the SP unless the SP is configured with an attribute of validate_signature that is set to something truthy. Am I right here, or am I missing something? Line of code in question: https://github.com/saml-idp/saml_idp/blob/b34adcb4edbc25eecdf4cffe71fb6b852889824f/lib/saml_idp/service_provider.rb#L25
Is this an intended design or something that was missed?