Code Version
7.2.1
Expected Behavior
In the following situation:
If I receive a SAML Response with an InResponseTo field, I'd expect the outstanding request checking to fail with an error (because the InResponseTo field doesn't match any outstanding queries) rather than succeeding and treating the response as an unsolicited one.
Current Behavior
The SAML Response handling succeeds and doesn't fail with an error. See https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533
Note: My understanding of SAML isn't particularly deep, so I'm happy to be corrected on this if this is the expected behaviour.
Possible Solution
If I receive a SAML Response with an InResponseTo field which doesn't match an outstanding query (when allow_unsolicited is on), maybe I should get an error of some kind.
Looking at https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533, the easiest thing to do would be to return an UnsolicitedResponse error, but I'm not sure if that would be an appropriate error. According to the 4.1.5 Unsolicited Responses section (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), it says:
"An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one."
As for a name, perhaps something like RequestIdMismatch?
Steps to Reproduce
1. Create a Saml2Client(config) with a config with the service SP's allow_unsolicited set to true.
2. Call saml_client.parse_authn_request_response() with an SP-initiated SAML response (with InResponseTo set), but pass an empty dict for the outstanding parameter.
3. Assuming the SAML response is well-formed, this request should pass instead of throwing an error.
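The check the report asks for, as an added example that is not pysaml2's own code: a Response whose InResponseTo (on the Response or on a bearer SubjectConfirmationData) names no outstanding request is rejected rather than downgraded to "unsolicited", and only a Response with no InResponseTo at all qualifies as unsolicited. The RequestIdMismatch and UnsolicitedResponse classes, the function names and the minimal unsigned sample Response are assumptions made for this illustration.

```python
# Added illustration, not pysaml2 code: classify a Response by its InResponseTo values.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

class RequestIdMismatch(Exception):
    """Hypothetical error (name proposed in the issue): InResponseTo matches no outstanding request."""

class UnsolicitedResponse(Exception):
    """Unsolicited response received while allow_unsolicited is off."""

def in_response_to_values(response_xml):
    """Collect InResponseTo from <Response> and from bearer <SubjectConfirmationData>."""
    root = ET.fromstring(response_xml)
    values = {root.get("InResponseTo")}
    for sc in root.iter(f"{{{SAML}}}SubjectConfirmation"):
        if sc.get("Method") == BEARER:
            for scd in sc.findall(f"{{{SAML}}}SubjectConfirmationData"):
                values.add(scd.get("InResponseTo"))
    values.discard(None)  # attributes that were absent
    return values

def check_in_response_to(response_xml, outstanding, allow_unsolicited):
    """Return 'solicited' or 'unsolicited'; a mismatch is an error, not a downgrade."""
    ids = in_response_to_values(response_xml)
    if not ids:  # profiles 4.1.5: an unsolicited Response carries no InResponseTo
        if not allow_unsolicited:
            raise UnsolicitedResponse("InResponseTo missing and allow_unsolicited is off")
        return "unsolicited"
    if len(ids) != 1 or next(iter(ids)) not in outstanding:
        raise RequestIdMismatch(f"no outstanding request for InResponseTo {sorted(ids)}")
    return "solicited"

def verdict(response_xml, outstanding, allow_unsolicited):
    """Outcome as a string (result or exception class name), handy for logs and tests."""
    try:
        return check_in_response_to(response_xml, outstanding, allow_unsolicited)
    except (RequestIdMismatch, UnsolicitedResponse) as exc:
        return type(exc).__name__

def sample_response(in_response_to=None):
    """Constructed, unsigned, minimal Response for this demonstration only."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"{attr}>'
            f'<saml:Assertion ID="_a1"><saml:Subject><saml:SubjectConfirmation Method="{BEARER}">'
            f'<saml:SubjectConfirmationData{attr}/></saml:SubjectConfirmation></saml:Subject>'
            f'</saml:Assertion></samlp:Response>')
```

With `allow_unsolicited` on, the second and third cases below are the ones the issue contrasts: no InResponseTo is accepted as unsolicited, an unknown InResponseTo is refused.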