Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/03/06 10:45:42 UTC

[GitHub] [cloudstack] ngrosc commented on issue #4519: SAML signature is optional

ngrosc commented on issue #4519:
URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-791910614


   Hi Rohit
   
   I completely agree with you. Whether the assertion is encrypted or not is
   an IDP "issue".
   
   But whether a signature is present or not has to be enforced on the client
   side (CloudStack), because even when the IDP adds a signature, a man in the
   middle can remove it and fake data.
   Of course, in the case of encrypted assertions, only if he has the private
   key of the IDP, and then you definitely have other issues.
   Nevertheless, it should be possible to enforce the check of the signature.
   Then CloudStack can ensure that the data is valid.
   
   
   
   
   On Sat, 6 March 2021 at 11:13, Rohit Yadav <notifications@github.com>
   wrote:
   
   > Needs investigation, I don't remember if it does or does not. However, if
   > the assertions are not encrypted - I suppose that's an issue of the
   > overall IDP setup.
   


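The service-provider-side enforcement discussed in this thread, as an added example that is not CloudStack's code and not part of the original message: a fail-closed gate that rejects a SAML Response unless the Response itself, or every assertion in it, carries an enveloped signature referencing its own ID. The function names and the sample document are assumptions made for illustration; the gate assumes assertions are already decrypted and only checks presence and placement, so cryptographic verification against the IdP key still has to follow.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

class UnsignedSamlError(Exception):
    """Raised when the required signature is missing or covers another element."""

def is_signed(element):
    # Only a direct-child (enveloped) ds:Signature counts, and its Reference
    # must point at this element's own ID, not at some other node.
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return False
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    own_id = element.get("ID")
    return bool(own_id) and ref is not None and ref.get("URI") == "#" + own_id

def require_signature(response_xml):
    """Fail closed: return the parsed Response only if it, or every assertion, is signed."""
    # Production code should use a hardened XML parser (no DTDs or entities).
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise UnsignedSamlError("not a SAML Response")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        raise UnsignedSamlError("no plaintext assertion to check")
    if is_signed(root) or all(is_signed(a) for a in assertions):
        return root  # next step (not shown): verify the signature against the IdP key
    raise UnsignedSamlError("signature stripped or absent; rejecting response")

def sample_response(signed, ref="#a1"):
    # Constructed sample input; the signature element is structural only.
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="%s"/>'
           '</ds:SignedInfo></ds:Signature>' % (NS["ds"], ref)) if signed else ""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="r1">'
            '<saml:Assertion ID="a1">%s<saml:Subject><saml:NameID>alice@example.org'
            '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig))

def accepted(response_xml):
    try:
        require_signature(response_xml)
        return True
    except UnsignedSamlError:
        return False

if __name__ == "__main__":
    print(accepted(sample_response(True)), accepted(sample_response(False)))
```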