When parsing a response from a CAS server's /samlValidate endpoint, this library loads the response into a DOM object and does some basic validation on the data to ensure integrity. But given that SAML has an actual specification for what its request/responses should look like, shouldn't this library be more careful about verifying the response data structure?
I did some research on SOAP and SAML but it's a complicated subject area and I'm still not sure on the best approach to this. But I think the current implementation linked above could use some work.
For instance, apparently every SAML response should include an InResponseTo attribute which should match the RequestID attribute that was sent in the request. This library isn't performing that check.
Also, the RequestID and IssueInstant are both hardcoded to some sample values, which is surely incorrect.