No IdP signing certificate validation

When calling the method `process_response` from [`python-saml/src/onelogin/saml2/auth.py`](https://github.com/SAML-Toolkits/python-saml/blob/857139539f8e72f8c8c597eb5d3619bfcca51eca/src/onelogin/saml2/auth.py#L89C1-L90C1), I've noticed that the IdP signing certificate is not validated.

`process_response` calls `is_valid`, which calls [`validate_sign`](https://github.com/SAML-Toolkits/python-saml/blob/857139539f8e72f8c8c597eb5d3619bfcca51eca/src/onelogin/saml2/utils.py#L965). However the method `validate_sign` is invoked with the flag `validatecert=False`. This means that expired or tampered certificates won't be flagged as invalid.

It would be beneficial to introduce a configuration parameter that allows enforcing certificate validation for the IdP signing certificate. This would help users avoid mistakenly assuming that `process_response` performs certificate validation.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

No IdP signing certificate validation #322

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

No IdP signing certificate validation #322

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions