Summary
The current implementation of the Metadata() function sets the SPSSODescriptor.WantAssertionsSigned attribute to true by default.
It should be false by default?
Reference: saml/service_provider.go, line 188 at commit 3465403:

    wantAssertionsSigned := true
Problem
The SAML V2.0 Metadata Specification explicitly states that the default value for WantAssertionsSigned is false if the attribute is omitted.
Reference: SAML V2.0 Metadata Specification, Section 2.4.4 (for SPSSODescriptor):
WantAssertionsSigned [Optional]
Optional attribute that indicates a requirement for the <saml:Assertion> elements received by
this service provider to be signed. If omitted, the value is assumed to be false. This requirement
is in addition to any requirement for signing derived from the use of a particular profile/binding
combination.
https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf 2.4.4
Issue
By setting the default value to true explicitly in the library, crewjam/saml deviates from the strict interpretation of the SAML Metadata specification's default requirement.
While setting it to true promotes a strong security posture (which is generally good practice), it overrides the specification's defined default of false. This can lead to interoperability issues or unexpected behavior when dealing with IdPs that strictly adhere to the specification's defaults, especially if they rely on the absence of the attribute to imply false.
Suggestion
To strictly comply with the SAML specification, I suggest one of the following approaches:
Option A (Strict Compliance): Change the internal default in Metadata() to false.
Option B (Explicit Configuration): Provide an explicit configuration option (e.g., in saml.Options for NewServiceProvider) that allows users to override this value easily, while setting the library's internal default to false (or omitting the attribute) for strict compliance.
How do the maintainers view this deviation from the specification's defined default?
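To make the interoperability point concrete, here is an added example (not code from crewjam/saml, and not the library's types) that models the three states an SP can put into its metadata: attribute omitted, explicitly false, and explicitly true. A minimal stand-in struct uses a *bool so that "omitted" and "false" stay distinguishable, and the parsing side resolves an absent attribute to false exactly as Section 2.4.4 prescribes. The struct, the function names and the sample metadata string are all assumptions made for this illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// SPSSODescriptor is a constructed stand-in for the metadata element
// (NOT crewjam/saml's own type). The *bool lets the marshaller omit the
// attribute when nil, which is the state the spec assigns the default to.
type SPSSODescriptor struct {
	XMLName                    xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata SPSSODescriptor"`
	ProtocolSupportEnumeration string   `xml:"protocolSupportEnumeration,attr"`
	WantAssertionsSigned       *bool    `xml:"WantAssertionsSigned,attr,omitempty"`
}

// EffectiveWantAssertionsSigned applies the SAML V2.0 Metadata rule from
// Section 2.4.4: if the attribute is omitted, the value is assumed false.
func EffectiveWantAssertionsSigned(d SPSSODescriptor) bool {
	if d.WantAssertionsSigned == nil {
		return false
	}
	return *d.WantAssertionsSigned
}

// BuildSPSSODescriptor emits SP metadata. A nil setting leaves the attribute
// out (Option A / "omit for strict compliance"); a non-nil one writes it
// explicitly (the library's current behaviour, or Option B's override).
func BuildSPSSODescriptor(want *bool) ([]byte, error) {
	d := SPSSODescriptor{
		ProtocolSupportEnumeration: "urn:oasis:names:tc:SAML:2.0:protocol",
		WantAssertionsSigned:       want,
	}
	return xml.Marshal(d)
}

// ParseSPSSODescriptor reads SP metadata the way a spec-following IdP would:
// it reports whether the attribute was present and what value applies.
func ParseSPSSODescriptor(data []byte) (explicit bool, effective bool, err error) {
	var d SPSSODescriptor
	if err := xml.Unmarshal(data, &d); err != nil {
		return false, false, err
	}
	return d.WantAssertionsSigned != nil, EffectiveWantAssertionsSigned(d), nil
}

func boolPtr(b bool) *bool { return &b }

// Constructed sample of metadata from an SP that relies on the spec default.
const omittedSample = `<SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>`

func main() {
	cases := []struct {
		name string
		want *bool
	}{
		{"omitted (spec default)", nil},
		{"explicit false", boolPtr(false)},
		{"explicit true (current library default)", boolPtr(true)},
	}
	for _, c := range cases {
		data, err := BuildSPSSODescriptor(c.want)
		if err != nil {
			panic(err)
		}
		explicit, effective, err := ParseSPSSODescriptor(data)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  %s\n  attribute present=%v effective=%v\n", c.name, data, explicit, effective)
	}
	_, effective, err := ParseSPSSODescriptor([]byte(omittedSample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("IdP reading metadata without the attribute resolves it to %v\n", effective)
}
```

The consumer side is the part worth keeping in mind: an IdP that strictly follows the spec resolves a missing attribute to false, so an SP that silently writes true is asserting a stronger requirement than a reader would infer from an omitted attribute, which is exactly the mismatch the issue describes.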