I'm new to ComponentSpace and the mostly to Saml. I've evaluating the component for use to support a client who has very specific security requirements. They want us to certify that our SSO solution for them conforms to these standards:
We "process" the following attributes of the Saml assertion:
InResponseTo (to ensure the Response was intended for them and is still fresh)
Destination (to ensure the Response was intended for them)
SubjectConfirmationData (to ensure the Assertions was intended for them)
NotOnOrAfter (to ensure the Assertion is still fresh)
AudienceRestrictions (to ensure the assertion was intended for them)
AuthnContext (to ensure class of Authentication)
In practical terms, I'm not sure what some of these would mean. I think (but can't really find documentation for) that the ReceiveSSO in the high-level API likely does all or most of this automatically. There is also this SAMLValidator class in the component which seems like it might have facilities for some of these as well, but again, no documentation that I've been able to find. If I need to do any manual "processing" of these tags, I'm not sure how to get access to internals of the Saml assertion at the time of the ReceiveSSO call, and I'm wondering if that means I need to switch to the low-level API instead.
Any help or guidance would be much appreciated.