diff --git a/saml/response.go b/saml/response.go index b2208ec..ceca34b 100644 --- a/saml/response.go +++ b/saml/response.go @@ -133,6 +133,8 @@ func (sp *ServiceProvider) ParseResponse( return nil, fmt.Errorf("%s: missing request ID: %w", op, ErrInvalidParameter) case opts.skipSignatureValidation && callValidateSignature: return nil, fmt.Errorf("%s: option `skip signature validation` cannot be true with any validate signature option : %w", op, ErrInvalidParameter) + case multipleSignatureOptionEnabled(opts.validateResponseAndAssertionSignatures, opts.validateResponseSignature, opts.validateAssertionSignature): + return nil, fmt.Errorf("%s: only one validate signature option can be set: %w", op, ErrInvalidParameter) } // We use github.com/russellhaering/gosaml2 for SAMLResponse signature and condition validation. @@ -316,3 +318,10 @@ func validateSignature(response *core.Response, op string, opts parseResponseOpt return nil } + +func multipleSignatureOptionEnabled(a bool, b bool, c bool) bool { + if (a && b) || (b && c) || (a && c) { + return true + } + return false +} diff --git a/saml/response_test.go b/saml/response_test.go index 1d09a3d..8158b61 100644 --- a/saml/response_test.go +++ b/saml/response_test.go @@ -108,6 +108,14 @@ func TestServiceProvider_ParseResponse(t *testing.T) { requestID: testRequestId, wantErrContains: "response and/or assertions must be signed", }, + { + name: "err-multiple-validate-signature-options", + sp: testSp, + samlResp: base64.StdEncoding.EncodeToString([]byte(tp.SamlResponse(t))), + opts: []saml.Option{saml.ValidateResponseAndAssertionSignatures(), saml.ValidateResponseSignature()}, + requestID: testRequestId, + wantErrContains: "only one validate signature option can be set", + }, { name: "error-invalid-signature - with option of validate both signatures & with only response signed", sp: testSp,