I'm currently in the undertaking to integrate an SP with SamlIdp into our web platform. All works great but for some reason :) (still trying to figure out why) the SP will sign the SLO request but does not include a certificate element.
Due to: https://github.com/saml-idp/saml_idp/blob/master/lib/saml_idp/xml_security.rb#L49 the request is not validated. My question now is: Does it make sense to expand the validation code to also take a certificate as argument and use this to validate the signature? I just wanted to check how the feeling about this is, as I'm not a SAML expert.
Happy to hear your thoughts before I start wrapping up a PR for this.
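The certificate-resolution path the question proposes, as an added Ruby example that is not saml_idp's own code: the function names, the SHA-256 fingerprint pinning and the fixture are my assumptions, and the signature check is simplified to the raw SignedInfo bytes rather than full XML-DSig canonicalisation.

```ruby
# Added example, not saml_idp's code: pick the certificate that verifies an
# SP-signed SAML message and pin it to the SP's registered fingerprint.
require 'openssl'
DS = 'http://www.w3.org/2000/09/xmldsig#'
# Brevity: ds: elements are found by regex; production code parses and canonicalises the XML.
def ds_text(xml, name)
  xml[%r{<ds:#{name}>(.*?)</ds:#{name}>}m, 1]
end
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Prefer the embedded <ds:X509Certificate>, else the certificate registered for the SP;
# either one must match the registered fingerprint before it is trusted.
def resolve_signing_cert(xml, expected_fp:, registered_cert: nil)
  embedded = ds_text(xml, 'X509Certificate')
  cert = embedded ? OpenSSL::X509::Certificate.new(embedded.unpack1('m')) : registered_cert
  raise 'no certificate embedded and none registered for this SP' unless cert
  raise 'certificate does not match the registered SP fingerprint' unless fingerprint(cert) == expected_fp
  cert
end

# Simplified check: RSA-SHA256 over the raw <ds:SignedInfo> bytes. Real XML-DSig
# canonicalises SignedInfo and checks the Reference digests first; omitted here.
def signature_valid?(xml, expected_fp:, registered_cert: nil)
  cert = resolve_signing_cert(xml, expected_fp: expected_fp, registered_cert: registered_cert)
  signed_info = xml[%r{<ds:SignedInfo>.*?</ds:SignedInfo>}m]
  sig = ds_text(xml, 'SignatureValue')
  return false unless signed_info && sig
  cert.public_key.verify(OpenSSL::Digest::SHA256.new, sig.unpack1('m'), signed_info)
rescue RuntimeError
  false
end

# Constructed fixture: self-signed SP certificate and a signed LogoutRequest that
# can omit the X509Certificate element (the situation in this issue).
def make_sp_cert(key)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial = 2, 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse('/CN=sp.example.test')
  c.public_key, c.not_before, c.not_after = key.public_key, Time.now, Time.now + 3600
  c.sign(key, OpenSSL::Digest::SHA256.new)
end

def build_logout_request(key, cert, embed_cert: true)
  signed_info = '<ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>'
  sig = [key.sign(OpenSSL::Digest::SHA256.new, signed_info)].pack('m0')
  key_info = embed_cert ? "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{[cert.to_der].pack('m0')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>" : ''
  "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_req1\"><ds:Signature xmlns:ds=\"#{DS}\">#{signed_info}<ds:SignatureValue>#{sig}</ds:SignatureValue>#{key_info}</ds:Signature></samlp:LogoutRequest>"
end
```

Pinning matters in both branches: a certificate the SP embeds only proves the signer holds that key, not that it is the registered SP, so the fingerprint check is what ties the signature to the configured partner.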