set strict mode
Closed this issue · 2 comments
simevo commented
from the onelogin/php-saml documentation:
In production, the strict parameter MUST be set as "true"
and:
If 'strict' is True, then the PHP Toolkit will reject unsigned or unencrypted messages if it expects them to be signed or encrypted. Also it will reject the messages if the SAML standard is not strictly followed: Destination, NameId, Conditions ... are validated too.
simevo commented
should be fixed by d00cbc5#diff-6d10993b10a46b9c0bdf023f421e6d1aR35
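A fail-closed guard for the `strict` setting quoted above, as an added example that is not code from this issue, its fix commit, or onelogin/php-saml. The function names, the `production` environment label and the sample inputs are assumptions of this sketch; only the `strict` settings key comes from the quoted documentation.

```php
<?php
declare(strict_types=1);

/** Parse a config/env-style value into a real boolean; unparseable input becomes null. */
function parseStrictFlag(mixed $raw): ?bool
{
    if (is_bool($raw)) {
        return $raw;
    }
    if (!is_string($raw)) {
        return null;
    }
    // "true"/"1"/"on"/"yes" => true; "false"/"0"/"off"/"no"/"" => false; anything else => null
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

/** Return the settings with 'strict' as a real boolean, or refuse to continue in production. */
function hardenSamlSettings(array $settings, string $env): array
{
    $strict = parseStrictFlag($settings['strict'] ?? null);
    if ($env === 'production' && $strict !== true) {
        throw new RuntimeException("SAML 'strict' must be boolean true in production");
    }
    // Outside production, a missing or unparseable value still defaults to strict.
    $settings['strict'] = $strict ?? true;
    return $settings;
}

// Constructed sample input. The string "false" is truthy in PHP, so a loose
// `if ($settings['strict'])` check would wrongly treat it as enabled.
$samples = [
    ['env' => 'production',  'strict' => true],
    ['env' => 'production',  'strict' => 'false'],
    ['env' => 'production'],                      // key missing
    ['env' => 'development', 'strict' => 'off'],
];
foreach ($samples as $sample) {
    $env = $sample['env'];
    unset($sample['env']);
    try {
        $out = hardenSamlSettings($sample, $env);
        echo $env, ': strict=', var_export($out['strict'], true), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $env, ': refused (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run the guard on the settings array before it is handed to the toolkit, so a deployment with a missing or mistyped `strict` value stops at startup instead of accepting unsigned messages.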