Warn about the Recipient validation.

marciopocebon · May 25, 2017 · 6c61d23 · 6c61d23
1 parent 6788e86
commit 6c61d23
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,5 +1,13 @@
 # Ruby SAML [![Build Status](https://secure.travis-ci.org/onelogin/ruby-saml.svg)](http://travis-ci.org/onelogin/ruby-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/ruby-saml/badge.svg?branch=master%0A)](https://coveralls.io/r/onelogin/ruby-saml?branch=master%0A) [![Gem Version](https://badge.fury.io/rb/ruby-saml.svg)](http://badge.fury.io/rb/ruby-saml)
 
+## Updating from 1.4.2 to 1.4.3
+
+Version `1.4.3` introduces Recipient validation of SubjectConfirmation elements.
+The 'Recipient' value is compared with the settings.assertion_consumer_service_url
+value.
+If you want to skip that validation, add the :skip_recipient_check option to the
+initialize method of the Response object.
+
 ## Updating from 1.3.x to 1.4.X
 
 Version `1.4.0` is a recommended update for all Ruby SAML users as it includes security improvements.

diff --git a/changelog.md b/changelog.md
@@ -6,7 +6,6 @@
 * Improve binding detection on idp metadata parser
 * [#373](https://github.com/onelogin/ruby-saml/pull/373) Allow metadata to be retrieved from source containing data for multiple entities
 * Be able to register future SP x509cert on the settings and publish it on SP metadata
-* Be able to register future SP x509cert on the settings and publish it on SP metadata.
 * Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption.
 * Improve regex to detect base64 encoded messages
 * Fix binding configuration example in README.md

diff --git a/lib/onelogin/ruby-saml/response.rb b/lib/onelogin/ruby-saml/response.rb
@@ -37,6 +37,7 @@ class Response < SamlMessage
       #                          with the :skip_conditions, or allow a clock_drift when checking dates with :allowed_clock_drift
       #                          or :matches_request_id that will validate that the response matches the ID of the request,
       #                          or skip the subject confirmation validation with the :skip_subject_confirmation option
+      #                          or skip the recipient validation of the subject confirmation element with :skip_recipient_check option 
       def initialize(response, options = {})
         raise ArgumentError.new("Response cannot be nil") if response.nil?