Guanxi IdP 2.2.6
Tue, Feb 5, 2013
I’ve made a SAML2-related release of the IdP to address a vulnerability discovered by Andreas Mayer (Adolf Würth GmbH & Co. KG), Vladislav Mladenov, Marcus Niemietz, and Joerg Schwenk from the Horst Görtz Institute for IT Security (Ruhr-University Bochum). The release addresses the case where the Attribute Consumer Service URL and Binding are specified in the Request but are not checked against metadata. I’ve changed this so that WebBrowserSSOAuthHandler validates the requested ACS URL and Binding against the Service Provider’s metadata. Many thanks to Andreas and colleagues for the information.
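As an added illustration (not Guanxi's own code), this is the shape of the check the fix describes: the ACS URL and Binding an AuthnRequest asks for are looked up in the Service Provider's metadata, and a Response is only ever sent to an endpoint registered there. The SP metadata, the `resolve_acs` helper and the endpoint URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample SP metadata for the example (not a real deployment).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def acs_endpoints(metadata_xml):
    """Parse the AssertionConsumerService endpoints the SP registered in its metadata."""
    root = ET.fromstring(metadata_xml)
    return [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "default": e.get("isDefault") == "true"}
        for e in root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    ]


def resolve_acs(metadata_xml, requested_url=None, requested_binding=None):
    """Return the (Binding, Location) the Response may go to, or None to refuse.

    A requested URL is honoured only if exactly that Location (and, when given,
    exactly that Binding) is registered in metadata. Comparison is plain string
    equality with no host or path normalisation. A request that names no ACS URL
    falls back to the SP's default endpoint.
    """
    endpoints = acs_endpoints(metadata_xml)
    if requested_url is None:
        defaults = [e for e in endpoints if e["default"]] or endpoints[:1]
        return (defaults[0]["binding"], defaults[0]["location"]) if defaults else None
    for e in endpoints:
        if e["location"] == requested_url and requested_binding in (None, e["binding"]):
            return e["binding"], e["location"]
    return None  # unregistered URL/Binding: refuse rather than send the assertion there
```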
The Guanxi IdP 2.2.6 release is available from GitHub.