From 2c3c426c7f431fe0f31cc2f67145acec31348530 Mon Sep 17 00:00:00 2001
From: Ivan Kanakarakis
Date: Sat, 24 Aug 2019 19:53:29 +0300
Subject: Validate the audience of assertions regardless of a response being unsolicited

Fixes #609

Signed-off-by: Ivan Kanakarakis
---
 src/saml2/response.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'src/saml2/response.py')

diff --git a/src/saml2/response.py b/src/saml2/response.py
index 4c884c30..f61a376f 100644
--- a/src/saml2/response.py
+++ b/src/saml2/response.py
@@ -611,10 +611,9 @@ class AuthnResponse(StatusResponse):
 else:
 self.not_on_or_after = 0
- if not self.allow_unsolicited:
- if not for_me(conditions, self.entity_id):
- if not lax:
- raise Exception("Not for me!!!")
+ if not for_me(conditions, self.entity_id):
+ if not lax:
+ raise Exception("Not for me!!!")
 if conditions.condition: # extra conditions
 for cond in conditions.condition:
-- cgit v1.2.1
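Review bot: With `lax` set, the new `if not lax:` branch silently accepts an assertion whose audience restriction does not name this SP — nothing is recorded, so an operator investigating a mis-addressed assertion has no trace of it. I would log the mismatch before the check falls through, e.g. `logger.warning("audience restriction does not name %s", self.entity_id)`, assuming this module has a module-level logger (not visible in this hunk). The bare `raise Exception("Not for me!!!")` also gives callers nothing to catch specifically; a dedicated exception subclass would let an audience failure be distinguished from other validation errors. The enclosing method starts and ends outside the hunk.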