Validate response and assertion issuers are same

Sustainsys · Sep 18, 2023 · b92d951 · b92d951
1 parent af646c1
commit b92d951
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/Sustainsys.Saml2/SAML2P/Saml2Response.cs b/Sustainsys.Saml2/SAML2P/Saml2Response.cs
@@ -605,6 +605,8 @@ private IEnumerable<ClaimsIdentity> CreateClaims(IOptions options, IdentityProvi
  validationParameters.ValidAudience = options.SPOptions.EntityId.Id;
  validationParameters.TokenReplayCache = options.SPOptions.TokenReplayCache;
  validationParameters.ValidateTokenReplay = true;
+ validationParameters.ValidIssuer = idp.EntityId.Id;
+ validationParameters.ValidateIssuer = true;
 
  options.Notifications.Unsafe.TokenValidationParametersCreated(validationParameters, idp, XmlElement);
 

diff --git a/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs b/Tests/Tests.Shared/Saml2P/Saml2ResponseTests.cs
@@ -24,6 +24,7 @@
 using X509SecurityKey = Microsoft.IdentityModel.Tokens.X509SecurityKey;
 using System.Collections.Generic;
 using Microsoft.IdentityModel.Logging;
+using Microsoft.IdentityModel.Tokens;
 
 namespace Sustainsys.Saml2.Tests.Saml2P
 {
@@ -2506,5 +2507,35 @@ public void Saml2Response_SessionNotOnOrAfter_ThrowsIfCalledBeforeGetClaims()
  .Should().Throw<InvalidOperationException>()
  .WithMessage("*GetClaims*");
  }
+
+ [TestMethod]
+ public void Saml2Response_GetClaims_DifferentIssuers()
+ {
+ var response =
+ @"<?xml version=""1.0"" encoding=""UTF-8""?>
+ <saml2p:Response xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
+ xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
+ ID = """ + MethodBase.GetCurrentMethod().Name + @""" Version=""2.0"" IssueInstant=""2013-01-01T00:00:00Z"">
+ <saml2:Issuer>https://idp.example.com</saml2:Issuer>
+ <saml2p:Status>
+ <saml2p:StatusCode Value=""urn:oasis:names:tc:SAML:2.0:status:Success"" />
+ </saml2p:Status>
+ <saml2:Assertion xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion""
+ Version=""2.0"" ID=""" + MethodBase.GetCurrentMethod().Name + @"_Assertion1""
+ IssueInstant=""2013-09-25T00:00:00Z"">
+ <saml2:Issuer>https://other.example.com</saml2:Issuer>
+ <saml2:Subject>
+ <saml2:NameID>SomeUser</saml2:NameID>
+ <saml2:SubjectConfirmation Method=""urn:oasis:names:tc:SAML:2.0:cm:bearer"" />
+ </saml2:Subject>
+ <saml2:Conditions NotOnOrAfter=""2100-01-01T00:00:00Z"" />
+ </saml2:Assertion>
+ </saml2p:Response>";
+
+ var signedResponse = SignedXmlHelper.SignXml(response);
+
+ Saml2Response.Read(signedResponse).Invoking(r => r.GetClaims(Options.FromConfiguration))
+ .Should().Throw<SecurityTokenInvalidIssuerException>();
+ }
  }
 }