Hi guys,

Thank you for your work. Does it make sense to make validateName() configurable to use equalsIgnoreCase() instead of equals()?

Comment From: jzheaux

The SAML spec (line 1299) says:

The principal MUST be identified in the request using an identifier that strongly matches the identifier in the authentication assertion the requester issued or received regarding the session being terminated, per the matching rules defined in Section 3.3.4 of [SAMLCore].

And Section 3.3.4 of SAMLCore (line 1949) defines "strongly matches" in part as follows:

If S2 includes an identifier element (, , or ), then S1 MUST include an identical identifier element...

Given that, I don't think we want to encourage customization of OpenSamlLogoutRequestValidator along those lines.

That said, you can switch out the validator for one of your own. If you want to reuse the existing validator, your custom validator can call it and then remove the unwanted error message.
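
One way to do what the comment above describes, as an added example that is not from Spring Security or from the commenter: a wrapper that delegates to the existing validator and drops only the name-mismatch error, and only when its own case-insensitive comparison of the plaintext NameID succeeds. The class name and the matched error-description prefix are assumptions; check the prefix against the Spring Security version in use.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.zip.Inflater;
import java.util.zip.InflaterOutputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.provider.service.authentication.logout.*;
import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding;
import org.w3c.dom.NodeList;

public final class LenientNameLogoutRequestValidator implements Saml2LogoutRequestValidator {
    // Assumption: prefix of the delegate's name-mismatch description; confirm it for your version.
    private static final String MISMATCH = "Failed to match subject in LogoutRequest";
    private final Saml2LogoutRequestValidator delegate; // e.g. new OpenSamlLogoutRequestValidator()
    public LenientNameLogoutRequestValidator(Saml2LogoutRequestValidator delegate) { this.delegate = delegate; }

    @Override
    public Saml2LogoutValidatorResult validate(Saml2LogoutRequestValidatorParameters params) {
        // Signature, issuer and destination checks still run in the delegate.
        Saml2LogoutValidatorResult result = this.delegate.validate(params);
        String user = params.getAuthentication() != null ? params.getAuthentication().getName() : null;
        String nameId = plainNameId(params.getLogoutRequest());
        // Fail closed: the mismatch error is dropped only if our own comparison passes.
        if (user == null || nameId == null || !nameId.equalsIgnoreCase(user)) return result;
        List<Saml2Error> kept = new ArrayList<>(result.getErrors());
        kept.removeIf(e -> e.getDescription() != null && e.getDescription().startsWith(MISMATCH));
        return Saml2LogoutValidatorResult.withErrors(kept.toArray(new Saml2Error[0])).build();
    }

    // Text of the single plaintext NameID, or null (EncryptedID, parse failure, more than one NameID).
    private static String plainNameId(Saml2LogoutRequest request) {
        try {
            byte[] xml = Base64.getMimeDecoder().decode(request.getSamlRequest());
            if (request.getBinding() == Saml2MessageBinding.REDIRECT) { // redirect binding is raw DEFLATE
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                try (InflaterOutputStream ios = new InflaterOutputStream(out, new Inflater(true))) { ios.write(xml); }
                xml = out.toByteArray();
            }
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
            NodeList ids = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml))
                    .getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "NameID");
            return ids.getLength() == 1 ? ids.item(0).getTextContent() : null;
        } catch (Exception ex) { return null; }
    }
}
```

This relaxes the "identical identifier" rule quoted above, so it fits only where the identity provider guarantees that identifiers differing only by case denote the same principal.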