PicketLink / PLINK-619

Wildfly SP allows access after bad IDP signature


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Critical
    • Affects Version/s: PLINK_2.7.0.Final, PLINK_2.7.0.CR1
    • Component/s: SAML
    • None

      Wildfly SAML2 SP will allow a constrained HTTP request into the servlet even if the IDP's signature is invalid. Principal will be null, though.

      https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlSignedPostBindingTest.java

      See method: testBadRealmSignature()

      Let me know if you can't get to this. I'll look into it when I finish keycloak saml work.
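The failure mode reported above is a filter that records the verification result but does not short-circuit the request, so the protected servlet still runs with a null principal. The following is an added example (not PicketLink or Keycloak code) that contrasts that permissive behaviour with a fail-closed check. It assumes a hypothetical `subject=<name>` assertion format and uses an HMAC as a constructed stand-in for the IDP's XML-DSig signature so that it runs offline; `IDP_KEY`, `WRONG_KEY`, `permissive_filter` and `fail_closed_filter` are all illustrative names.

```python
import hmac
import hashlib
from typing import Optional, Tuple

# Constructed, hypothetical stand-in for the IDP's signing key. A real SAML SP
# verifies an XML-DSig signature against the IDP certificate; an HMAC keeps
# this example self-contained.
IDP_KEY = b"idp-signing-key-example"
WRONG_KEY = b"some-other-realm-key"   # key of a different realm / rogue signer


def sign_assertion(assertion: str, key: bytes = IDP_KEY) -> str:
    """Stand-in for the IDP signing its assertion (HMAC instead of XML-DSig)."""
    return hmac.new(key, assertion.encode(), hashlib.sha256).hexdigest()


def verify_assertion(assertion: str, signature: str) -> Optional[str]:
    """Return the asserted principal if the signature verifies, else None."""
    expected = sign_assertion(assertion)
    if not hmac.compare_digest(expected, signature):
        return None
    # Constructed assertion format: the body is just "subject=<name>".
    return assertion.split("subject=", 1)[1]


def permissive_filter(assertion: str, signature: str) -> Tuple[int, Optional[str]]:
    """Reproduces the reported behaviour: a failed verification only leaves the
    principal as None, while the constrained request is still let through."""
    principal = verify_assertion(assertion, signature)
    return 200, principal   # the protected servlet runs regardless


def fail_closed_filter(assertion: str, signature: str) -> Tuple[int, Optional[str]]:
    """Fail closed: an invalid IDP signature ends the request before the
    servlet is reached, so no null-principal request can get through."""
    principal = verify_assertion(assertion, signature)
    if principal is None:
        return 403, None
    return 200, principal


if __name__ == "__main__":
    body = "subject=alice"
    good = sign_assertion(body)
    bad = sign_assertion(body, WRONG_KEY)   # signed with the wrong realm key
    print(permissive_filter(body, bad))     # (200, None): the reported bug
    print(fail_closed_filter(body, bad))    # (403, None): request rejected
    print(fail_closed_filter(body, good))   # (200, 'alice'): valid login
```

The check to apply when auditing an SP filter is the one in `fail_closed_filter`: every path where the signature or the resulting principal is missing must return before the chain continues, and a test like the referenced `testBadRealmSignature()` should assert on the HTTP status, not only on the absence of a principal.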

              Pedro Igor Craveiro (psilva@redhat.com)
              Bill Burke (Inactive) (patriot1burke@gmail.com)