No IdP signing certificate validation #322

Open
zedosoad1995 opened this issue Jan 29, 2025 · 0 comments
When calling the method process_response from python-saml/src/onelogin/saml2/auth.py, I've noticed that the IdP signing certificate is not validated.

process_response calls is_valid, which calls validate_sign. However, the method validate_sign is invoked with the flag validatecert=False. This means that expired or tampered certificates won't be flagged as invalid.

It would be beneficial to introduce a configuration parameter that allows enforcing certificate validation for the IdP signing certificate. This would help users avoid mistakenly assuming that process_response performs certificate validation.
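The following is an added example, not part of this issue and not python-saml's own code. It is a standalone pre-check, written against the Python standard library only, that covers the two things the report says process_response does not do: it checks the validity window of the configured IdP signing certificate, and it checks that the certificate embedded in the response's ds:Signature is the configured one (by SHA-256 fingerprint, compared in constant time). It assumes the configured certificate is held as base64 DER, as the settings' idp.x509cert value normally is (an assumption here), and it uses a constructed minimal DER certificate and a constructed response as sample input, since no real certificate is on the page. The DER walker reads only the tbsCertificate validity field and does not verify the signature; the check is meant to run alongside auth.process_response(), not in place of it.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional, Tuple

DS_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, raw: bytes) -> datetime:
    """Decode a Validity Time: 0x17 UTCTime (YYMMDDHHMMSSZ) or 0x18 GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der: bytes) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) of a DER X.509 certificate by walking tbsCertificate."""
    _, cert_body, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)       # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)           # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)       # serialNumber
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)      # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_idp_cert(configured_cert_b64: str, response_xml: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found (empty list means OK) for the configured IdP cert against one response."""
    now = now or datetime.now(timezone.utc)
    configured_der = base64.b64decode("".join(configured_cert_b64.split()))
    problems: List[str] = []

    not_before, not_after = cert_validity(configured_der)
    if now < not_before:
        problems.append("configured IdP certificate not yet valid")
    if now > not_after:
        problems.append("configured IdP certificate expired")

    node = ET.fromstring(response_xml).find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", DS_NS)
    if node is None or not node.text:
        problems.append("response Signature carries no X509Certificate")
    else:
        embedded_der = base64.b64decode("".join(node.text.split()))
        # Constant-time fingerprint comparison: a swapped or altered certificate will not match.
        if not hmac.compare_digest(hashlib.sha256(embedded_der).digest(), hashlib.sha256(configured_der).digest()):
            problems.append("embedded certificate fingerprint does not match configured IdP certificate")
    return problems


# ---- constructed sample input: a toy DER certificate (unsigned, empty names) and a toy response ----
def _tlv(tag: int, body: bytes) -> bytes:
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body


def _toy_cert(not_before: str, not_after: str) -> bytes:
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
        + _tlv(0x02, b"\x01")                                             # serialNumber
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
        + _tlv(0x30, b"")                                                 # issuer (empty Name)
        + _tlv(0x30, _tlv(0x17, not_before.encode()) + _tlv(0x17, not_after.encode()))  # validity
        + _tlv(0x30, b"")                                                 # subject
        + _tlv(0x30, b"")                                                 # subjectPublicKeyInfo placeholder
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _response_with(cert_b64: str) -> str:
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0">'
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


CONFIGURED_CERT_DER = _toy_cert("240101000000Z", "250101000000Z")   # valid through 2024
CONFIGURED_CERT_B64 = base64.b64encode(CONFIGURED_CERT_DER).decode()
TAMPERED_CERT_B64 = base64.b64encode(CONFIGURED_CERT_DER[:-1] + bytes([CONFIGURED_CERT_DER[-1] ^ 0x01])).decode()
SAMPLE_RESPONSE = _response_with(CONFIGURED_CERT_B64)
TAMPERED_RESPONSE = _response_with(TAMPERED_CERT_B64)
VALID_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

Usage: call check_idp_cert(settings["idp"]["x509cert"], raw_response_xml) and refuse the login if the list is non-empty, then let auth.process_response() do the signature check as before. With the constructed input, SAMPLE_RESPONSE at VALID_NOW yields no problems, the same response at EXPIRED_NOW reports the expired certificate, and TAMPERED_RESPONSE (one bit flipped in the embedded certificate) reports the fingerprint mismatch.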
