Add 'destinationStrictlyMatches' option

README.md

@@ -509,6 +509,12 @@ $advancedSettings = array (
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, Destination URL should strictly match to the address to
+        // which the response has been sent.
+        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // will be accepted.
+        'destinationStrictlyMatches' => false,
+
         // Algorithm that the toolkit will use on signing process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
         //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'

advanced_settings_example.php

@@ -85,6 +85,12 @@
         // attribute will not be rejected for this fact.
         'relaxDestinationValidation' => false,
 
+        // If true, Destination URL should strictly match to the address to
+        // which the response has been sent.
+        // Notice that if 'relaxDestinationValidation' is true an empty Destintation
+        // will be accepted.
+        'destinationStrictlyMatches' => false,
+
         // Algorithm that the toolkit will use on signing process. Options:
         //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
         //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'

lib/Saml2/Settings.php

@@ -385,6 +385,11 @@ private function _addDefaultValues()
             $this->_security['relaxDestinationValidation'] = false;
         }
 
+        // Strict Destination match validation
+        if (!isset($this->_security['destinationStrictlyMatches'])) {
+            $this->_security['destinationStrictlyMatches'] = false;
+        }
+
         // encrypt expected
         if (!isset($this->_security['wantAssertionsEncrypted'])) {
             $this->_security['wantAssertionsEncrypted'] = false;