Sheila Allen

Results 10 comments of Sheila Allen

Couldn't this also happen in an IdP-initiated scenario where the SAML response "Destination=" value does not match the ACS URL? (versus having an incorrect ACS endpoint configuration)

Also what exception should be raised when response.destination is not in self.return_addrs? I would like to better understand the reason for this check.

It looks like the issue may have been introduced in [this commit](https://github.com/IdentityPython/pysaml2/commit/d21ac9a70bce0535a2f3cc3a621452ad9d0681d6) (between v2.1 and 2.3), where AuthnResponse.verify would now be able to return None when it was expected to return...

I learned a little more about this and it looks like this functionality could be called signed destination validation. The security issue is summarized in this [StackOverflow article](https://stackoverflow.com/questions/38778187/destination-and-relaystate-difference-in-saml-2-0), which explained...

More notes about this: I was able to reproduce this issue by setting the Destination attribute of a signed SAML response to not match the ACS URL. This [StackOverflow article...

> @sheilatron , I have already checked all my metadata files (from SP and the IDP), the SP configuration and the request redirect log / the IDP logs; but I...

That could be a lot of effort, and might also be missing functionality such as XML Schema validation. What about a documentation solution, to make sure that users have clear...

Maybe the work on this should wait for the 3.0 release, in the interests of getting 2.0 completed soon.

In addition to YAML, it might be interesting to see support for HJSON or HOCON. Here's an interesting commentary comparing these formats. http://blog.ometer.com/2015/09/07/json-like-config-a-spectrum-of-underoverengineering/