
Incorrect HTTP Redirect binding signature

Open · Prusias opened this issue 2 years ago · 1 comment

The signature of the HTTP Redirect binding appears to be incorrect since this commit: https://github.com/simplesamlphp/saml2/commit/7b785a83a552e225c34adc84040a9268bbc3d4dd#diff-6a2c4640d940f28e0b49947ffbafd6d2726f92c9fba5fdad8202234083daff57

The signature is now set to the value of the signature in the AuthnRequest, but (please correct me if I'm wrong) the signature should be based on the combined query parameters (as it was before the above commit).

Prusias, Aug 14 '23 13:08

You are absolutely right that the signature should be calculated over the message + some (not all) parameters. There is also more wrong about this code, because we're actually not signing anything.

tvdijen, Aug 14 '23 14:08
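To make concrete what both posts above are describing, here is an added, stand-alone example (not code from the saml2 library or from either commenter) of how the HTTP-Redirect binding signature is supposed to be constructed and verified. It builds the signed string the way the SAML 2.0 Bindings specification defines it, in the fixed order `SAMLRequest`/`SAMLResponse`, then `RelayState` (only if present), then `SigAlg`, each value URL-encoded, and appends the base64 signature as the `Signature` parameter. It also reproduces the mistake the issue reports, filling `Signature` with the `SignatureValue` embedded in the XML, and shows that a correct verifier rejects it. The sample AuthnRequest, the `urn:example:hmac-sha256` SigAlg URI and the shared key are constructed for this example; a real deployment signs with the asymmetric key and algorithm named by `SigAlg` (for example RSA-SHA256), which is swapped here for an HMAC stand-in so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import re
import zlib
from urllib.parse import quote, unquote

# Constructed values for this example only. A real SigAlg is an XML-DSig
# algorithm URI (e.g. rsa-sha256) and the signer holds an asymmetric key;
# HMAC is used here as a stand-in so the example needs no third-party library.
SIG_ALG = "urn:example:hmac-sha256"
SHARED_KEY = b"demo-key-not-for-production"

# Constructed AuthnRequest. It carries an embedded ds:Signature so the faulty
# behaviour from the issue (copying SignatureValue into the query) can be shown.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2023-08-14T13:08:00Z">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>embedded-signature-value</ds:SignatureValue>'
    '</ds:Signature></samlp:AuthnRequest>'
)


def encode_message(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_message(encoded: str) -> str:
    """Inverse of encode_message: base64-decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def signed_input(param_name: str, encoded_message: str, relay_state, sig_alg: str) -> str:
    """The exact string that gets signed: URL-encoded values, fixed parameter order,
    RelayState only when present. The Signature parameter itself is never included."""
    parts = [f"{param_name}={quote(encoded_message, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)


def sign(data: str) -> str:
    """Stand-in signer (HMAC-SHA256, base64). Replace with the key/algorithm named by SigAlg."""
    mac = hmac.new(SHARED_KEY, data.encode("ascii"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_redirect_query(xml: str, relay_state=None, param_name: str = "SAMLRequest") -> str:
    """Correct construction: sign over the encoded query parameters, append Signature."""
    to_sign = signed_input(param_name, encode_message(xml), relay_state, SIG_ALG)
    return to_sign + "&Signature=" + quote(sign(to_sign), safe="")


def build_redirect_query_buggy(xml: str, relay_state=None) -> str:
    """Reproduces the defect described in the issue: the Signature query parameter is
    filled with the SignatureValue embedded in the XML, so nothing covers the query."""
    match = re.search(r"<ds:SignatureValue>([^<]*)</ds:SignatureValue>", xml)
    embedded = match.group(1) if match else ""
    query = signed_input("SAMLRequest", encode_message(xml), relay_state, SIG_ALG)
    return query + "&Signature=" + quote(embedded, safe="")


def verify_redirect_query(query: str) -> bool:
    """Verify from the raw query string. The verifier must reuse the encoded values exactly
    as received and rebuild the canonical order itself; re-encoding or trusting the
    sender's parameter order would break verification or allow substitution."""
    raw = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value  # keep percent-encoded form untouched
    param_name = "SAMLRequest" if "SAMLRequest" in raw else "SAMLResponse"
    if param_name not in raw or "SigAlg" not in raw or "Signature" not in raw:
        return False
    if unquote(raw["SigAlg"]) != SIG_ALG:  # only accept the algorithm we expect
        return False
    parts = [f"{param_name}={raw[param_name]}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    expected = sign("&".join(parts))
    return hmac.compare_digest(expected, unquote(raw["Signature"]))


if __name__ == "__main__":
    good = build_redirect_query(SAMPLE_AUTHN_REQUEST, "https://sp.example/return")
    print("correct query verifies:", verify_redirect_query(good))
    bad = build_redirect_query_buggy(SAMPLE_AUTHN_REQUEST, "https://sp.example/return")
    print("embedded-signature query verifies:", verify_redirect_query(bad))
```

The verifier side is the part worth keeping in mind when reviewing a fix: it never parses and re-serializes the parameters, because percent-encoding is not canonical and a signer may have encoded differently; it recomputes the signed string from the bytes it received, in the order the specification fixes, and it pins the accepted `SigAlg` rather than trusting whatever the request names.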