tptacek a day ago

These kinds of issues (parser differentials in particular) are why you shouldn't trust Go SAML implementations that use `encoding/xml`, which was never designed for that application to begin with; I just wrote my own for my SAML. (I mean, don't use SAML to begin with, but.)

securesaml a day ago

The issue is not with Go's parser, but instead with the processing layer using different input than the verifying layer [1].

We patched gosaml2 (and other Go SAML libraries) by ensuring only the authenticated bytes are processed (not the original XML document). You can see the patches here:

https://github.com/russellhaering/goxmldsig/commit/e1c8a5b89...

https://github.com/russellhaering/gosaml2/commit/99574489327...

> I just wrote my own for my SAML.

Curious to see your implementation for SAML and XML Signatures.

[1]: https://bsky.app/profile/filippo.abyssdomain.expert/post/3le...
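
Added example, not part of the thread and not code from the gosaml2 or goxmldsig patches: a minimal Go sketch of the "process only the authenticated bytes" pattern described in the comment above. It assumes a constructed `Envelope` type with an HMAC-SHA256 tag standing in for XML-DSig; all type and function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// Envelope is a constructed stand-in for a signed SAML response: Tag is an
// HMAC-SHA256 over Payload, standing in for XML-DSig (an assumption).
type Envelope struct{ Payload, Tag []byte }

// Authenticated carries the bytes Verify checked; its field is unexported so
// code outside this package cannot fill it with the original document.
type Authenticated struct{ b []byte }

type Assertion struct{ Subject string `xml:"Subject"` }

func mac(p, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(p)
	return m.Sum(nil)
}

// Sign builds a sample envelope (hypothetical helper for the demo).
func Sign(p, key []byte) Envelope { return Envelope{Payload: p, Tag: mac(p, key)} }

// Verify returns a private copy of exactly the bytes the tag covered.
func Verify(e Envelope, key []byte) (Authenticated, error) {
	if !hmac.Equal(mac(e.Payload, key), e.Tag) {
		return Authenticated{}, errors.New("signature mismatch")
	}
	return Authenticated{b: append([]byte(nil), e.Payload...)}, nil
}

// ParseAssertion accepts only Authenticated, never the raw input document.
func ParseAssertion(a Authenticated) (Assertion, error) {
	var out Assertion
	err := xml.Unmarshal(a.b, &out)
	return out, err
}

func main() {
	key := []byte("constructed-demo-key")
	a, err := Verify(Sign([]byte("<Assertion><Subject>alice@example.com</Subject></Assertion>"), key), key)
	as, perr := ParseAssertion(a)
	fmt.Println(as.Subject, err, perr)
}
```

Because `ParseAssertion` takes `Authenticated` rather than `[]byte`, the verifying and processing layers cannot drift onto different inputs without a compile-time type change.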