By jwoodie - 3/15/2016
I'm new to ComponentSpace and, mostly, to SAML. I've been evaluating the component for use in supporting a client who has very specific security requirements. They want us to certify that our SSO solution for them conforms to these standards:
We "process" the following attributes of the SAML assertion:
InResponseTo (to ensure the Response was intended for them and is still fresh)
Destination (to ensure the Response was intended for them)
SubjectConfirmationData (to ensure the Assertion was intended for them)
NotOnOrAfter (to ensure the Assertion is still fresh)
AudienceRestrictions (to ensure the assertion was intended for them)
AuthnContext (to ensure class of Authentication)
In practical terms, I'm not sure what some of these would mean. I think (but can't really find documentation for it) that ReceiveSSO in the high-level API likely does all or most of this automatically. There is also this SAMLValidator class in the component which seems like it might have facilities for some of these as well, but again, no documentation that I've been able to find. If I need to do any manual "processing" of these tags, I'm not sure how to get access to the internals of the SAML assertion at the time of the ReceiveSSO call, and I'm wondering if that means I need to switch to the low-level API instead.
Any help or guidance would be much appreciated.
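As an added example (not ComponentSpace's code and not the poster's), the six checks listed above written out over a parsed SAML Response, with a constructed sample Response; it assumes the SP knows its own ACS URL and entity ID and the IDs and send times of the AuthnRequests it issued, and that the signature has already been verified before these checks run.

```python
# Added example (not ComponentSpace code): the six checks the post lists; signature already verified.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(v):  # SAML xsd:dateTime in UTC ("...Z"); None/empty stays None
    return None if not v else datetime.fromisoformat(v.replace("Z", "+00:00"))
def _within(elem, now):  # True if elem exists and its NotBefore/NotOnOrAfter window contains now
    if elem is None:
        return False
    start, end = _ts(elem.get("NotBefore")), _ts(elem.get("NotOnOrAfter"))
    return end is not None and now < end and (start is None or start <= now)

def validate_response(xml_text, acs_url, entity_id, pending, allowed_ctx, now,
                      max_age=timedelta(minutes=5)):  # [] = passed; pending: AuthnRequest ID -> time sent
    fails, resp = [], ET.fromstring(xml_text)
    req_id, a = resp.get("InResponseTo"), resp.find("a:Assertion", NS)
    sent = pending.get(req_id)
    if sent is None or now - sent > max_age:           # unsolicited or stale
        fails.append("InResponseTo")
    if resp.get("Destination") != acs_url:             # not addressed to our ACS
        fails.append("Destination")
    if a is None:
        return fails + ["Assertion"]
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != req_id or not _within(scd, now)):
        fails.append("SubjectConfirmationData")
    if not _within(a.find("a:Conditions", NS), now):   # assertion validity window
        fails.append("NotOnOrAfter")
    if entity_id not in [e.text for e in a.findall("a:Conditions/a:AudienceRestriction/a:Audience", NS)]:
        fails.append("AudienceRestriction")            # meant for a different SP
    ctx = a.find("a:AuthnStatement/a:AuthnContext/a:AuthnContextClassRef", NS)
    if ctx is None or (ctx.text or "").strip() not in allowed_ctx:
        fails.append("AuthnContext")                   # not an accepted authentication class
    return fails

# Constructed sample Response (not from a real IdP; signature omitted for brevity)
SAMPLE = """<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"
 InResponseTo="_req1" Destination="https://sp.example.com/acs"><Assertion ID="_a1" Version="2.0"
 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Subject><NameID>alice</NameID><SubjectConfirmation
 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_req1"
 Recipient="https://sp.example.com/acs" NotOnOrAfter="2016-03-15T10:05:00Z"/></SubjectConfirmation>
 </Subject><Conditions NotBefore="2016-03-15T09:59:00Z" NotOnOrAfter="2016-03-15T10:05:00Z">
 <AudienceRestriction><Audience>https://sp.example.com</Audience></AudienceRestriction></Conditions>
 <AuthnStatement><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></Response>"""

def demo(now="2016-03-15T10:00:00Z"):  # SP sp.example.com; request _req1 went out at 09:59
    return validate_response(SAMPLE, "https://sp.example.com/acs", "https://sp.example.com",
                             {"_req1": _ts("2016-03-15T09:59:00Z")},
                             {"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}, _ts(now))
```

Calling demo() with a later clock shows the freshness checks (InResponseTo, SubjectConfirmationData, NotOnOrAfter) failing together once the assertion's window has passed.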
By ComponentSpace - 7/26/2021
The ReceiveSSO method is part of the SAML high-level API which was introduced in v2.5.0.
There have been various updates where we've tightened up some of the checks we make. However, the checks you're referring to are included in the product version you have.
Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.
Also include your saml.config with any passwords removed.