Hi Duane,
On 5 Dec 2017, at 15:40 PM, Duane Gran <duane...@gmail.com> wrote:
> Does your application allow automatic downloading of third party schemas?
No.
> Is the SAML engine configured to always use local, trusted copies of the schema for validation?
Well, if you cannot download schemas… :-)
SSP doesn’t do schema validation as a general rule. Schema validation is computationally expensive and offers very little back. You can manually enable validation of SAML 1.1 messages or metadata, though.
> Are schema inspections, validations and hardening of the SAML Token (XML document) regularly conducted to disable possible wildcard-type or relaxed processing statements?
As far as we know, there are no relaxed processing issues in SimpleSAMLphp. If there are, those should be regarded as a vulnerability and fixed.
> Does your application consider any keys that are embedded in the SAML Token to be untrusted?
That’s not how trust works in SAML. Embedded keys are checked against the list of keys configured offline for a given entity. If the key is not in that list, then it’s not trusted. Trust does not depend on whether or not the key is embedded in the SAML message.
> Does your application perform key validation on the x.509 key before the document validation process occurs?
No.
> When selecting elements from the SAML Token, is XPATH being used (even on validated schema documents)?
It is used in some places, yes.
—
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
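An added illustration (not SimpleSAMLphp code, and not part of the original thread) of the trust model Jaime describes above: the certificate embedded in the message is accepted only if its fingerprint matches a key configured offline for that entity, so an attacker-supplied certificate in KeyInfo buys nothing. The entity ID, certificate bytes and SAML Response are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Note: xml.etree is used here for brevity; on untrusted SAML input a
# hardened parser (e.g. defusedxml) should front the XML handling.
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample bytes standing in for DER-encoded certificates, as they
# would appear base64-encoded inside <ds:X509Certificate>.
CONFIGURED_CERT_DER = b"constructed-idp-certificate-bytes"
ROGUE_CERT_DER = b"constructed-attacker-certificate-bytes"

# Hypothetical entity ID used as the lookup key into the offline configuration.
IDP_ENTITY_ID = "https://idp.example.org/saml2/idp/metadata.php"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Trust anchors configured offline per entity (the role SSP's metadata plays),
# stored as fingerprints of the certificates the operator chose to trust.
TRUSTED = {IDP_ENTITY_ID: {fingerprint(CONFIGURED_CERT_DER)}}


def saml_response_with_cert(der: bytes) -> str:
    """Build a minimal constructed SAML Response carrying an embedded certificate."""
    b64 = base64.b64encode(der).decode()
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
    )


def embedded_cert_is_trusted(xml_text: str, entity_id: str) -> bool:
    """True only if the embedded certificate matches a key configured for entity_id."""
    root = ET.fromstring(xml_text)
    node = root.find(".//ds:X509Certificate", NS)
    if node is None or not node.text:
        return False  # no embedded key: nothing to match against the allowlist
    der = base64.b64decode("".join(node.text.split()))
    # The embedded key is never trusted on its own; only a match with the
    # offline-configured set makes it usable for signature verification.
    return fingerprint(der) in TRUSTED.get(entity_id, set())
```

Signature verification itself is a separate step that would then run only with the matched, configured key.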