Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to ignore the received public encryption certificate #147

Open
landron opened this issue Oct 20, 2023 · 0 comments
Open

How to ignore the received public encryption certificate #147

landron opened this issue Oct 20, 2023 · 0 comments

Comments

@landron
Copy link

landron commented Oct 20, 2023

Hello,

We have a compatibility problem when switching to gosaml2 (from pysaml2) because we don't keep the public encryption certificate. But gosaml2 will fail when decrypting an EncryptedAssertion that contains this certificate as it tries to validate it against the client provided one (which we don't keep): "The EncryptedKey may or may not include X509Data (certificate)", current line

gosaml2/types/encrypted_key.go

Line 109 in 9517aa5

// The EncryptedKey may or may not include X509Data (certificate).
. It fails even if this certificate isn't used afterwards. Can this validation be ignored in certain cases? Like using ValidateEncryptionCert also in this case maybe ?
The second question is security ... Would ignoring this certificate be a security problem ? The only justification I was able to find for this certificate inclusion is "The reason a public key is specified in the SAML response is because the metadata for an identity provider can specify multiple public keys."

Thank you,
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@landron