@eslevy17 answer for how
Tools like SAML Raider show how to use multiple assertions, including embedded assertions, that allow users to log in as the wrong person.
The "multiple" assertions can be related to a timing issue, which may be solved by the NotBefore and NotOnOrAfter.
However, the "embedded" assertions seem to be unrelated. Recommendations are to block embedded assertions from being allowed at all. Is this a setting in passport-saml? The alternative is to parse the assertions (which can be nested in many ways) and block each of those variations, which seems quite high-maintenance.
This seems to be a well-known attack vector to exploit a vulnerability in SAML, which leads me to believe there might just be a setting somewhere in passport-saml to fix it. Is that the case? I'm not finding any settings regarding this issue.
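An added example, not code from passport-saml or from anyone in this thread: a structural pre-check in Python that rejects a Response carrying more than one Assertion, or a single Assertion that is not a direct child of the Response (the "embedded" case), and then checks NotBefore/NotOnOrAfter with a clock-skew allowance. It assumes the application can inspect the raw Response before handing it to its SAML library; the sample documents are constructed, and signature verification is still the library's job.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERTION, CONDITIONS = f"{{{SAML}}}Assertion", f"{{{SAML}}}Conditions"

def _ts(value):
    # SAML timestamps are UTC ISO 8601; map the trailing "Z" for older Python versions
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_bytes, now, skew=timedelta(seconds=60)):
    """Return "ok" or a rejection reason. This is a structural pre-check only:
    the SAML library must still verify the signature and the rest of the profile."""
    # NOTE: parse untrusted XML with defusedxml in production, not the stdlib parser
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        return "root element is not a samlp:Response"
    assertions = list(root.iter(ASSERTION))  # every Assertion at any depth
    if len(assertions) != 1:
        return f"expected exactly one Assertion, found {len(assertions)}"
    if not any(child is assertions[0] for child in root):
        return "Assertion is embedded below another element, not a child of Response"
    cond = assertions[0].find(CONDITIONS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None:
        return "Conditions with NotBefore and NotOnOrAfter are required"
    if now < _ts(nb) - skew:
        return "assertion not yet valid"
    if now >= _ts(noa) + skew:
        return "assertion expired"
    return "ok"

def _response(body):
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1">'
            f"{body}</samlp:Response>").encode()

# Constructed samples (not captured traffic): Conditions are 12:00 to 12:05 UTC.
_A = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
      '<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>'
      '</saml:Assertion>')
GOOD = _response(_A)                                                   # one assertion, direct child
EXTRA = _response(f"<samlp:Extensions>{_A.replace('alice', 'bob')}</samlp:Extensions>{_A}")  # a second copy
EMBEDDED = _response(f"<samlp:Extensions>{_A}</samlp:Extensions>")     # only copy is not a child
NOW = datetime(2024, 5, 1, 12, 2, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=10)
EARLIER = NOW - timedelta(minutes=10)
```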