Isn't it necessary to check the destination XML attribute of the root SAML element of the protocol?

[dogharrycatpotter]

The following is an excerpt from 3.5.5.2 Security Considerations on the site.

https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf

If the message is signed, the Destination XML attribute in the root SAML element of the protocol
message MUST contain the URL to which the sender has instructed the user agent to deliver the
message. The recipient MUST then verify that the value matches the location at which the message has
been received.

This check is a MUST according to the Oasis text.
However, there currently appears to be no implementation of this check.

Are there any plans to add this check?

Also, if there are no plans to add it, why is it not implemented even though it is a MUST?

[cjbarth]

It isn't implemented because no one has done it yet. There is no development team to implement feature requests. If you'd like to see this, please submit a PR referencing this Discussion and I'll do my best to help it get landed.

[srd90]

@dogharrycatpotter instead of referencing (just) this discussion consider referencing also node-saml/passport-saml#509

Reason why ticket is at passport-saml repo is that ticket was created before core node-saml was splitted from passport specific code.

[dogharrycatpotter]

thank you. Consider making a pull request.

[cjbarth]

@dogharrycatpotter , as a heads up, while @srd90 is an absolutely amazing resource, he hasn't historically created any PRs, though he has provided lots of sample code. So, just to set expectations, I wouldn't look to @srd90 to make a PR (though there is a first for everything :) )