FuPingFranco opened this issue on Oct 11, 2024 · 2 comments
Labels: Internal (Indicates issue was opened by the IdentityModel team), P3 (If we have time in the milestone or it just is easy when addressing a more important issue)
During the work to migrate Saml2SecurityTokenHandler to our new validation model I'd like to clarify a couple of scenarios that are possible to break on the snippet of code below:

```csharp
var foundAudienceRestriction = false;
foreach (var audienceRestriction in samlToken.Assertion.Conditions.AudienceRestrictions)
{
    if (!foundAudienceRestriction)
        foundAudienceRestriction = true;

    ValidateAudience(audienceRestriction.Audiences, samlToken, validationParameters); // This will only run once regardless of a successful validation or not.
}
```

Points to clarify:

- Do we need the loop at all?
- If we keep the loop, should we return as soon as we find a valid audience?
- Is there a scenario where the valid audience is on the second audience restriction obj?
- It is unclear from the SAML 2 spec; what is our current guideline for this case?
This is also handled differently in SamlSecurityTokenHandler:

```csharp
var foundAudienceRestriction = false;
foreach (var condition in securityToken.Assertion.Conditions.Conditions)
{
    // SAML 1.1 keeps audience restrictions in the general Conditions list, so filter by type.
    if (condition is SamlAudienceRestrictionCondition audienceRestriction)
    {
        if (!foundAudienceRestriction)
            foundAudienceRestriction = true;

        ValidateAudience(audienceRestriction.Audiences.ToDictionary(x => x.OriginalString).Keys, securityToken, validationParameters);
    }
}
```

It might be worthwhile to have them follow the same logic, but there is a caveat where samlCondition.audiences returns different values. One returns an ICollection<Uri> and the other ICollection<String>.
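As an added illustration (not code from the issue or from the IdentityModel project), the check below applies the rule SAML 2.0 Core section 2.5.1.4 gives for the two questions above: each AudienceRestriction element is evaluated independently, so the Audience values inside one element are an OR and multiple elements are an AND. That is why returning as soon as one restriction matches would accept assertions the issuer meant to reject, and why the valid audience can legitimately sit in the second restriction only if the first one also matches. The assertion XML, the relying-party audience set and the `require_audience` flag are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the issue): two AudienceRestriction
# elements, so the "evaluate each independently" rule actually matters.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/app-a</saml:Audience>
      <saml:Audience>https://sp.example/app-b</saml:Audience>
    </saml:AudienceRestriction>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/app-c</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class InvalidAudienceError(Exception):
    pass


def audience_restrictions(assertion_xml):
    """Return one list of Audience strings per AudienceRestriction element."""
    root = ET.fromstring(assertion_xml)
    result = []
    for restriction in root.findall("saml:Conditions/saml:AudienceRestriction", NS):
        result.append([(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)])
    return result


def validate_audiences(restrictions, valid_audiences, require_audience=True):
    """OR within a restriction, AND across restrictions; returns the matched audiences.

    Raises InvalidAudienceError when any restriction contains no accepted audience,
    or when audiences are required and the assertion carries no restriction at all.
    Exact string comparison mirrors the ICollection<string> case from the issue; a
    Uri-typed collection would need normalising to strings first (assumption).
    """
    if not restrictions:
        if require_audience:
            raise InvalidAudienceError("assertion has no AudienceRestriction")
        return set()
    accepted = set(valid_audiences)
    matched = set()
    for index, audiences in enumerate(restrictions):
        hits = accepted.intersection(audiences)  # disjunction inside one element
        if not hits:  # conjunction across elements: never return early on a hit
            raise InvalidAudienceError(f"AudienceRestriction #{index} matched none of {sorted(accepted)}")
        matched |= hits
    return matched
```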
brentschmaltz added the P3 (If we have time in the milestone or it just is easy when addressing a more important issue) label on Oct 21, 2024