When calling the method process_response from python-saml/src/onelogin/saml2/auth.py, I've noticed that the IdP signing certificate is not validated.
process_response calls is_valid, which calls validate_sign. However the method validate_sign is invoked with the flag validatecert=False. This means that expired or tampered certificates won't be flagged as invalid.
It would be beneficial to introduce a configuration parameter that allows enforcing certificate validation for the IdP signing certificate. This would help users avoid mistakenly assuming that process_response performs certificate validation.
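Until such a parameter exists, one way to cover the "tampered certificate" half of the report is to pin the IdP certificate configured in settings and refuse to call process_response when it does not match. The code below is an added example, not python-saml's own code: cert_to_der, idp_cert_fingerprint, verify_pinned_idp_cert and process_response_with_pin_check are hypothetical names; the only library calls assumed are OneLogin_Saml2_Auth.get_settings().get_idp_cert(), process_response(request_id=...) and get_errors(). The certificate text is a constructed stand-in, not a real certificate. The expiry check the report also asks for is not shown here, since it needs an X.509 parser (for example the cryptography package) rather than the standard library alone.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: NOT a real certificate, just base64 text standing in for
# the idp "x509cert" value a python-saml settings.json would carry.
CONSTRUCTED_IDP_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(
        b"constructed stand-in for a DER-encoded IdP signing certificate"
    ).decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_MARKERS = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def cert_to_der(x509cert: str) -> bytes:
    """Normalise a certificate in either form python-saml accepts (full PEM, or the
    bare base64 body used in settings.json, with or without line breaks) to DER
    bytes, so the fingerprint does not depend on how the value was formatted."""
    body = _PEM_MARKERS.sub("", x509cert)
    body = re.sub(r"\s+", "", body)
    return base64.b64decode(body, validate=True)


def idp_cert_fingerprint(x509cert: str, alg: str = "sha256") -> str:
    """Lower-case hex fingerprint of the DER certificate. sha256 is the default
    here; do not pin on sha1 for new deployments."""
    return hashlib.new(alg, cert_to_der(x509cert)).hexdigest()


def verify_pinned_idp_cert(x509cert: str, pinned_fingerprint: str,
                           alg: str = "sha256") -> bool:
    """True only if the configured IdP cert matches the operator-supplied pin.
    Colons and case in the pin are ignored; the comparison is constant-time."""
    expected = pinned_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(idp_cert_fingerprint(x509cert, alg), expected)


def process_response_with_pin_check(auth, pinned_fingerprint, request_id=None):
    """Hypothetical wrapper (not part of python-saml): refuse to hand the response
    to process_response() unless the IdP certificate held in the auth object's
    settings matches the pin. `auth` is assumed to be an OneLogin_Saml2_Auth.
    Note this pins the configured certificate; it does not check its expiry."""
    idp_cert = auth.get_settings().get_idp_cert()
    if not verify_pinned_idp_cert(idp_cert, pinned_fingerprint):
        raise ValueError("IdP signing certificate does not match the pinned fingerprint")
    auth.process_response(request_id=request_id)
    return auth.get_errors()


if __name__ == "__main__":
    pin = idp_cert_fingerprint(CONSTRUCTED_IDP_CERT)
    print("pinned:", pin)
    print("matches own pin:", verify_pinned_idp_cert(CONSTRUCTED_IDP_CERT, pin))
    print("matches wrong pin:", verify_pinned_idp_cert(CONSTRUCTED_IDP_CERT, "00" * 32))
```

The pin itself should come from the IdP out of band (its metadata fetched over a trusted channel, or the fingerprint published by the IdP operator), not from the same settings file the certificate lives in, otherwise an attacker who can swap the certificate can swap the pin too.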