- 
                Notifications
    You must be signed in to change notification settings 
- Fork 472
idp: Allow intermediates to be encoded in signature #127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
          
     Merged
      
        
      
    Conversation
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
    | LGTM in theory. Does this need to wait for russellhaering/goxmldsig#33, which I see hasn't been merged yet, or is it safe to merge now? | 
| No need to wait, without that change intermediates will just be ignored. | 
    
  mattcobb 
      added a commit
        to lightstep/saml
      that referenced
      this pull request
    
      Nov 30, 2021 
    
    
      
  
    
      
    
  
* bugfix: New sometimes selected the wrong EntityDescriptor when parsing a metadata file with multiple EntityDescriptor's underneath a EntitiesDescriptor tag * Add syntax highlight * expose CookieMaxAge in samlsp Options * Enable persistent name id format (crewjam#107) * Enable persistent name id format * add ability to set the domain for the cookies (crewjam#95) * Fixed script hash to remove JS console errors when redirecting (crewjam#117) @RichardKnop PR#94 * saml{sp,idp}: add httpOnly and secure flag (conditionally) to cookies (crewjam#116) * Use dep package manager (crewjam#114) * use dep package manager * updated travis * Fix example code so that it compiles (crewjam#118) * expose ForceAuthn (crewjam#119) * fix validUntil in SPSSODescriptor fixes crewjam#123 * samlsp.Middleware.SecureCookie option (crewjam#128) * remove cruft * update README * fix some minor lint / style errors * samlsp: use current time for the JWT rather than the IssueInstant from the assertion (crewjam#130) fixes crewjam#122 jwt-go not support leeway parameter * travis cleanup: remove older go versions (crewjam#132) * samlsp: remove X-Saml headers in favor of attaching Claims to request context (crewjam#131) * samlsp: move the setting and reading of cookies into an interface (crewjam#133) We’ve had a bunch of changes requesting the ability to customize how cookies are set and it is getting a little messy. This change moves the code to setting and reading cookies into two interfaces which you can extend/customize. * add field to IdpAuthnRequest so you can externally control the “current” time (crewjam#136) The default is obviously the current time, but for various reasons you may wish to evaluate the response at a different reference time, for example processing a response that has been deferred. We can’t use the global TimeNow() thunk, which is designed for testing, because it isn’t safe to modify concurrently. * idp: handle assertions where no ACS url is specified (crewjam#139) * add test cases for SAML comment injection (crewjam#140) ref: CVE-2017-11427 ref: CVE-2017-11428 ref: CVE-2017-11429 ref: CVE-2017-11430 ref: CVE-2018-0489 ref: CVE-2018-7340 ref: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations * Update PGP key in README.md * make MaxIssueDelay configurable at runtime (mini-hack) * Remove the default xmlns from the expected output because the encoder does not reset the default. Should resolve the test for issue 152. (crewjam#158) * Added Travis badge (crewjam#159) * Fixed some typos in the README.md file. (crewjam#160) * dep ensure [ch16254] (crewjam#156) * add the ability to use custom cookie names and domain * fix missing time on IDP-initiated IdpAuthnRequest (crewjam#147) * added godoc badge to README.md (crewjam#143) * made selected binding configureable (crewjam#144) * Fix AES decryption (crewjam#142) Fix AES decryption by decrypting the EncryptedKey from the response, and passing the decrypted key to the data encryption. * idp: Allow intermediates to be encoded in signature (crewjam#127) * idp: Make signature method configurable (crewjam#126) * Removed %s format for claims audience not matching Provider EntityID for crewjam#154 (crewjam#161) * add support for a logout URL binding * add stale integration ref: https://probot.github.io/apps/stale/ * add support for other external middleware (crewjam#184) Changed samlsp/middleware.go to move the request handling part of the RequireAccount method out into a separate public method attached to the middleware type which can be used as a stand alone HTTP RequestHandler. That way the Handler can be used with other middleware chains which provide their own http.Handler wrapper methods. * crewjam#192: Support multiple IdP signing certificates * crewjam#192: Account for Go/check changes. * Handle root URL's with trailing slash * crewjam#194: Properly default EncryptionMethod/DigestMethod when not present. * Allow AudienceRestriction to be missing re crewjam#198 * Don't include the port with the domain when setting the cookie (crewjam#202) * update value of UnspecifiedNameIDFormat and EmailAddressNameIDFormat (crewjam#217) * Don't require Destination attribute in response when response is not signed (crewjam#213) * Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * Check Destination when present, even if response unsigned * Replaces testshib.org with samltest.id in the README (crewjam#211) Fixes crewjam#201 * Set the default domain for cookies properly (crewjam#187) Fixes crewjam#186. * Separate response validation from the Middleware so that ServiceProvider can be used standalone to validate requests. Also fix IDPInitiated requestids bug since Standalone validation may not have possibleRequestIds. * Adding support for eduPersonScopedAffiliation * Add in actual attribute evaluation for eduPersonScopedAffiliation. * Fix typo for idp example path in readme (crewjam#170) * omit validUntil if empty (crewjam#190) * Prevent panic caused by IDP-initiated login (crewjam#183) * - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link. - Guard against an IDP-initiated request that may not have the request ID in the claims. - Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed. * Only address the panic in IDP-initiated login (#1) This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins. I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP. * SP: Add capability to provide intermediate certs (crewjam#178) * remove bad import * remove log junk * fix compile error * Gopkg -> go.mod * tests: convert from go-check to testify * lint with golangci-lint * lint with golangci-lint * fix go.mod * fix travis configuration * fix travis configuration * Use RS256 rather than HS256 Using HS256 with the RSA private key (serialised as ASN.1 according to PKCS1) as the secret is unconventional and perhaps dangerous. The string of bytes isn't entirely random given that it starts with the version number. The encoded RSA key will be larger than the block size of the underlying hash and so to create a secret, the RSA key will be hashed. A more important problem is that we should be able to validate a jwt issued by the middleware with just the RSA public key. By moving to RS256, we can validate jwts without sharing the private key. Fix randomBytes: should ensure that the entire buffer is full. * Add Single Logout data structure * Set session NameID based on email * update test expectations * removed mandatory check for validating embedded certificate for rsa * Rename validateRSAKey to validateRSAKeyIfPresent Now that the validation is optional, the previous name did not accurately reflected the intention. * Removes unused dependencies Ran go mod tidy to remove golangci-lint as that isn't actally needed for this project. Its inclusion result in a huge number of dependencies to be imported. * travis: pin golangci-lint version * Bump github.com/beevik/etree from 1.0.1 to 1.1.0 Bumps [github.com/beevik/etree](https://github.com/beevik/etree) from 1.0.1 to 1.1.0. - [Release notes](https://github.com/beevik/etree/releases) - [Changelog](https://github.com/beevik/etree/blob/master/RELEASE_NOTES.md) - [Commits](beevik/etree@v1.0.1...v1.1.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * update test expectations * Return status code if not success * Make cert optional for ServiceProvider.Metadata() * Add test case from OneLogin This adds a test case provided by @fredipevcin in [https://github.com/crewjam/saml/pull/25](PR25) that makes sure we can parse cases where the assertion is signed rather than the whole message. This has been supported for a while, but it is nice to ensure that the compatibility at issue continues to work. * Remove 'Failing' from certificate missing check * (Add tests for) Destination is checked only if this is a signed SAML request, as that is the only case in which a Destination attribute is required. * update readme to reflect our inability to produce encrypted assertions re crewjam#179 * fix bad merge * golangci: require comments, add a few missing ones * golangci: require comments, add a few missing ones * update test expectations * schema: don't include empty Format attributes in samlp:NameIDPolicyElement fixes crewjam#177 * make ValidDuration configurable for IDP. (crewjam#235) * refactor samlsp package to be more modular (crewjam#230) This change splits the Middleware component into three interfaces (in addition to the saml.ServiceProvider): * RequestTracker which handles tracking pending authn requests. * Session which handles issuing session cookies. * OnError which handles reporting errors to both the user and any logging. The default implementations of RequestTracker and Session use http cookie to encode JWTs, but further delegate the encoding/verification of the JWTs to codec interfaces which allow further customization, again with default implementations. This should make the *samlsp* package easier to extend to fit more use cases. Fixes crewjam#231 * Add optional callback for signature verification (crewjam#237) Fixes crewjam#234 * AllowIDPInitiated=true allows both IDP-initiated and normal (crewjam#240) * Bump github.com/kr/pretty from 0.1.0 to 0.2.0 (crewjam#243) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.1.0 to 0.2.0. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.1.0...v0.2.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * add HTTPOnly bool to CookieSessionProvider (crewjam#248) * feat(slo): add logout response request validation (crewjam#247) * fix(slo): fix SessionIndex attribute in LogoutRequest (crewjam#245) * clean up README about breaking changes * feat(slo): add Bytes() and Deflate() functions for LogoutRequest (crewjam#251) Bytes() is needed in for returning a byte array for POST Binding. Deflate() is needed for compressing using gzip algorithm a LogoutRequest byte array. * fix(sp): no check for InResponseTo for if IDPInitiated is true (crewjam#259) * Add EntityID (crewjam#258) * feat: add Post / Redirect methods for LogoutRequest (crewjam#260) * Update README.md (crewjam#261) * Bump github.com/stretchr/testify from 1.4.0 to 1.5.0 (crewjam#263) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.4.0...v1.5.0) Signed-off-by: dependabot-preview[bot] <[email protected]> * Bump github.com/stretchr/testify from 1.5.0 to 1.5.1 (crewjam#264) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.0 to 1.5.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.0...v1.5.1) Signed-off-by: dependabot-preview[bot] <[email protected]> * Include a path when clearing the cookie (crewjam#278) Some browsers will refuse to remove a cookie that doesn't include the path * SessionNotOnOrAfter is serialized to XML if set (crewjam#292) It is currently possible to set SessionNotOnOrAfter directly on the Go structure, but it is not serialized to or deserialized from XML. * Fixes handling signed response with encrypted assertions (crewjam#273) When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Bump github.com/kr/pretty from 0.2.0 to 0.2.1 (crewjam#294) Bumps [github.com/kr/pretty](https://github.com/kr/pretty) from 0.2.0 to 0.2.1. - [Release notes](https://github.com/kr/pretty/releases) - [Commits](kr/pretty@v0.2.0...v0.2.1) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Bump github.com/stretchr/testify from 1.5.1 to 1.6.1 (crewjam#288) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.5.1 to 1.6.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.5.1...v1.6.1) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Add support for signed authnRequest (crewjam#296) * Fixes handling signed response with encrypted assertions When the response is signed, the verification must happen before the assertion is decrypted since the encrypted XML is used in the signature digest. The response signature is sufficient unless the assertion is also signed in which case both must be valid. * Add support for signed authnRequests * Update metadata.go (crewjam#297) Renamed LocalizedName & LocalizedURI Lang attributes -> `xml:"http://www.w3.org/XML/1998/namespace lang,attr"` fixes crewjam#295 * Allows configuring SameSite for session cookie (crewjam#276) Fixes crewjam#275 * fix lint errors & update test expectations * update README re: security issues * fix test expectation for go 1.15 * remove output cruft from xmlenc test * [SECURITY] bump version of goxmldsig [CVE-2020-15216] There was a signature validation bypass in goxmldsig, which saml uses to authenticate assertions. This change increments the dependent version of goxmldsig to a version that is no longer affected. For more information: GHSA-q547-gmf8-8jr7 * Merge pull request from GHSA-4hq8-gmxx-h6w9 This change validates that the XML input we receive is safe to parse before passing it to the standard library's XML parsing functions or the etree DOM parsing functions. This validation mitigates critical vulnerabilities in `encoding/xml` - CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511. TODO: is there going to be a go.mod version assigned to this on release? * fix version of xml-roundtrip-validator in go.mod * add SignLogoutResponse SignLogoutRequest MakeLogoutResponse * add SessionIndex to claims Attributes * Include a domain when clearing the cookie * identity_provider: extend session with CustomAttributes (crewjam#310) * add xUserId and xAccountId for session * add CustomAttributes for idp session content * fix: logout response element Response -> LogoutResponse (crewjam#305) * Spread the use of option SameSite to tracking cookies (crewjam#302) * fix formatting * travis -> github actions * fix typo in README * update test expectations * Stop validating InResponseTo when AllowIDPInitiated is set With this change we no longer validate InResponseTo when AllowIDPInitiated is set. Here's why: The SAML specification does not provide clear guidance for handling InResponseTo for IDP-initiated requests where there is no request to be in response to. The specification says: InResponseTo [Optional] The ID of a SAML protocol message in response to which an attesting entity can present the assertion. For example, this attribute might be used to correlate the assertion to a SAML request that resulted in its presentation. The initial thought was that we should specify a single empty string in possibleRequestIDs for IDP-initiated requests so that we would ensure that an InResponseTo was *not* provided in those cases where it wasn't expected. Even that turns out to be frustrating for users. And in practice some IDPs (e.g. Rippling) set a specific non-empty value for InResponseTo in IDP-initiated requests. Finally, it is unclear that there is significant security value in checking InResponseTo when we allow IDP initiated assertions. This issue has been reported quite a few times, including: Fixes crewjam#291 crewjam#286 crewjam#300 crewjam#301 crewjam#286 * set cookie domain when clearing request tracker cookie (crewjam#321) * samlsp: make middleware endpoints public (crewjam#323) * samlsp: remove deprecated fields (crewjam#324) * remove deprecated fields * update readme * add test that we can marshal an AuthnStatement without SessionNotOnOrAfter being set re crewjam#312 * samlsp: fix validating response with no issuer element (crewjam#328) * in tests, replace long strings with files we read from testdata/ * replace testify (which is more or less unmaintained) with gotest.tools * remove redundant []byte conversions * explicitly copy loop iterator variables This silences a warning from golangci-lint * fix spelling of test data file * add maintainer action to update dependencies * adjust maintainer action to update dependencies * Update go.mod * upgrade github.com/crewjam/httperr from v0.0.0-20190612203328-a946449404da to v0.2.0 * upgrade github.com/dchest/uniuri from v0.0.0-20160212164326-8902c56451e9 to v0.0.0-20200228104902-7aecb25e1fe5 * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201213122252-bcd7e1b9601e to v0.0.0-20201219040909-8fd2afad43d1 * upgrade github.com/zenazn/goji from v0.9.1-0.20160507202103-64eb34159fe5 to v1.0.1 * upgrade golang.org/x/crypto from v0.0.0-20200622213623-75b288015ac9 to v0.0.0-20201221181555-eec23a3978ad * Fix AuthN Request signing for HTTP-Redirect binding (crewjam#339) * Fix signing for HTTP-Redirect binding The currently implemented behavior for signing AuthN Requests where an enveloped signature is added in the XML Document, is appropriate only when the HTTP-POST binding is used. Signing for authentication requests when the HTTP-Redirect binding is in use, is described in http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf section 3.4.4.1 and involves generating a signature of the deflated form of the AuthN request along with some other URL parameters, mainly because of URL length considerations. This commit implements proper AuthNRequest signing support according to the specification. * Add comment for function * linter is picky :) * SplitHostPort on DeleteSession (crewjam#335) * Add explicit tests for XSW (crewjam#338) XML Signature Wrapping attacks are unfortunately still very common in SAML implementations. crewjam/saml is not vulnerable to any XSW attacks as goxmldsig and this library's use of goxmldsig are safe. This commit adds a number of tests against common XSW attacks, so that these can serve as verification of the current safe state, prevent future regressions in crewjam/saml and detect possible future regressions in goxmldsig The numbering of the permutations of the XSW attack follows that of https://github.com/CompassSecurity/SAMLRaider and a visual depiction is available in https://github.com/CompassSecurity/SAMLRaider/blob/5b9eace70e88d0af17b86c26c2cad1178b08c7d0/src/main/resources/xswlist.png * Custom relayState generator (crewjam#337) * Update go.mod (crewjam#331) * upgrade github.com/mattermost/xml-roundtrip-validator from v0.0.0-20201219040909-8fd2afad43d1 to v0.1.0 * upgrade golang.org/x/crypto from v0.0.0-20201221181555-eec23a3978ad to v0.0.0-20210317152858-513c2a44f670 Co-authored-by: Github Actions <[email protected]> * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 (crewjam#336) * Bump github.com/google/go-cmp from 0.5.4 to 0.5.5 Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.4 to 0.5.5. - [Release notes](https://github.com/google/go-cmp/releases) - [Commits](google/go-cmp@v0.5.4...v0.5.5) Signed-off-by: dependabot-preview[bot] <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Ross Kinder <[email protected]> * update README (crewjam#340) fixes crewjam#333 * Update go.mod (crewjam#342) * upgrade golang.org/x/crypto from v0.0.0-20210317152858-513c2a44f670 to v0.0.0-20210322153248-0c34fe9e7dc2 Co-authored-by: Github Actions <[email protected]> * Update go.mod (crewjam#343) Co-authored-by: crewjam <[email protected]> * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. (crewjam#344) * Change dgrijalva/jwt-go imported module to form3tech-oss/jwt-go. dgrijalva/jwt-go is abandoned (dgrijalva/jwt-go#457) with an outstanding security vulnerability (dgrijalva/jwt-go#422). form3tech-oss/jwt-go is a fork that has fixed the vulnerability. * Upgrade to GitHub-native Dependabot (crewjam#346) Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> * Make SP check more certs in IDP metadata (crewjam#353) From https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf ``` [E62]A use value of "signing" means that the contained key information is applicable to both signing and TLS/SSL operations performed by the entity when acting in the enclosing role. A use value of "encryption" means that the contained key information is suitable for use in wrapping encryption keys for use by the entity when acting in the enclosing role. If the use attribute is omitted, then the contained key information is applicable to both of the above uses. ``` We need to include certificates both when they have a "use" attribute of "signing" as well as when the "use" attribute is missing. Fixes crewjam#352 SAML input from @simmel. * bring monorepo lightstep/saml changes into lightstep forked saml repo #LS-26157 * Fix merge problems * Fix valid until tests * req.now may not be initialized in MakeResponse() so use Now() * use TimeNow() * req.now not guaranteed to be defined. Use TimeNow() in IdpAuthnRequest() and MakeAssertion() * Remove old code from comments, remove commented out Skip(broken) * use upstream's new validateDestination, but modify it to use urlsMatchModuloPortNumbers(). Add clock kew to notOnOrAfter Co-authored-by: Donald Hoelle <[email protected]> Co-authored-by: Umayr Shahid <[email protected]> Co-authored-by: Dustin Decker <[email protected]> Co-authored-by: Ross Kinder <[email protected]> Co-authored-by: Bryce Fisher <[email protected]> Co-authored-by: Sevki <[email protected]> Co-authored-by: Paul Tötterman <[email protected]> Co-authored-by: Lucas <[email protected]> Co-authored-by: Beyang Liu <[email protected]> Co-authored-by: Nao YONASHIRO <[email protected]> Co-authored-by: Darrel Herbst <[email protected]> Co-authored-by: Neha Malviya <[email protected]> Co-authored-by: Josh Silvas <[email protected]> Co-authored-by: ☃ Elliot Shepherd <[email protected]> Co-authored-by: Christoph Hack <[email protected]> Co-authored-by: Volkan Gürel <[email protected]> Co-authored-by: Andrew Pilloud <[email protected]> Co-authored-by: jb <[email protected]> Co-authored-by: Stephen Kress <[email protected]> Co-authored-by: Geoff Bourne <[email protected]> Co-authored-by: Robin Wood <[email protected]> Co-authored-by: Noval Agung Prayogo <[email protected]> Co-authored-by: Chris Vermilion <[email protected]> Co-authored-by: Joe Siltberg <[email protected]> Co-authored-by: Daniel Cormier <[email protected]> Co-authored-by: Tom Bruno <[email protected]> Co-authored-by: Shane Jeffery <[email protected]> Co-authored-by: ferhat elmas <[email protected]> Co-authored-by: Christopher Goulet <[email protected]> Co-authored-by: Praneet Loke <[email protected]> Co-authored-by: Benjamin Schubert <[email protected]> Co-authored-by: Stevie Johnstone <[email protected]> Co-authored-by: Ryan Zhang <[email protected]> Co-authored-by: Grace Noah <[email protected]> Co-authored-by: Jon Gyllensward <[email protected]> Co-authored-by: gotjosh <[email protected]> Co-authored-by: Leonard Gram <[email protected]> Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> Co-authored-by: Michael Rauh <[email protected]> Co-authored-by: Matthew Steffen <[email protected]> Co-authored-by: Bryce Fisher <[email protected]> Co-authored-by: Jan Szumiec <[email protected]> Co-authored-by: aspeteRakete <[email protected]> Co-authored-by: Joe Siltberg <[email protected]> Co-authored-by: David Goeke <[email protected]> Co-authored-by: Daniel Hochman <[email protected]> Co-authored-by: Mathieu Mailhos <[email protected]> Co-authored-by: miketonks <[email protected]> Co-authored-by: (0x794E6).toString(36) <[email protected]> Co-authored-by: Andreas Fritzler <[email protected]> Co-authored-by: Ron Kuris <[email protected]> Co-authored-by: Andy Lindeman <[email protected]> Co-authored-by: Ricardo Andrade <[email protected]> Co-authored-by: bstrueb <[email protected]> Co-authored-by: Ross Kinder <[email protected]> Co-authored-by: neilli-sable <[email protected]> Co-authored-by: Alex Yan <[email protected]> Co-authored-by: Alan Shreve <[email protected]> Co-authored-by: AlekseyZolotuhin <[email protected]> Co-authored-by: Alexander Zobnin <[email protected]> Co-authored-by: Github Actions <[email protected]> Co-authored-by: Ioannis Kakavas <[email protected]> Co-authored-by: yuki2006 <[email protected]> Co-authored-by: Harold Alcala <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: crewjam <[email protected]> Co-authored-by: Bay Grabowski <[email protected]> Co-authored-by: Patrik Lundin <[email protected]>
    
  atezet 
      pushed a commit
        to atezet/saml
      that referenced
      this pull request
    
      Jul 9, 2022 
    
    
  
  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment
  
      
  Add this suggestion to a batch that can be applied as a single commit.
  This suggestion is invalid because no changes were made to the code.
  Suggestions cannot be applied while the pull request is closed.
  Suggestions cannot be applied while viewing a subset of changes.
  Only one suggestion per line can be applied in a batch.
  Add this suggestion to a batch that can be applied as a single commit.
  Applying suggestions on deleted lines is not supported.
  You must change the existing code in this line in order to create a valid suggestion.
  Outdated suggestions cannot be applied.
  This suggestion has been applied or marked resolved.
  Suggestions cannot be applied from pending reviews.
  Suggestions cannot be applied on multi-line comments.
  Suggestions cannot be applied while the pull request is queued to merge.
  Suggestion cannot be applied right now. Please check back later.
  
    
  
    
Some service providers validate the signing cert using a x509 chain. This may require an intermediate certificate to be passed. This is a nonfunctional change until paired with russellhaering/goxmldsig#33.