validate_document_with_cert uses local cert when no cert in response #400
Conversation
|
@Adam21e you can generate self-signed cert for the SP with that tool: If there is no x509Cert in the SAMLResponse, then you are not able to verify the signature if your SP settings only contains the fingerprint of the IdP Public cert (since you need the cert to execute the signature validation). |
|
Thanks, I had a lot more time today so poked around a bit more and found a similar test already and added a new test based on this. response_test has a "return true when no X509Certificate and the cert provided at settings matches" which is the situation that I have. The difference for me is that I am using idp_cert_multi and not idp_cert. Using idp_cert_multi triggers validate_document_with_cert which is where the issue for me was. |
I hit an issue when you have 2 certs signing and encryption and the cert is not included in the response.
After tracing it down, it appears that the validate_document_with_cert behaves differently to the validate_document method in that it won't fall back to the supplied cert when there was no cert included in the response.
I tried to write tests, but wasn't sure how to generate an signing/encryption pair of certs and wasn't sure I was allowed to use what my SP was using.