
shibboleth-dev - RE: [Shib-Dev] Writing an IDP extension

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] Writing an IDP extension
  • Date: Mon, 13 Oct 2008 16:35:42 -0700
  • Accept-language: en-US
  • Acceptlanguage: en-US

In fact, the SP ignores the InResponseTo value in the SSO message in all cases. OpenSAML doesn't, but the SP has no Request ID to give to OpenSAML when it processes the incoming message. It treats all responses as essentially unsolicited, oddly enough.

-- Scott

What do you know! Just found a vulnerability in the “NAR toolkit” – that is based on opensaml2. It too accepts an unsolicited response “returned” in response to an authentication request [indication].

This issue is now bugging me. Makes me feel like SP metadata ought to be explicit about whether or not an SP is configured/authorized to process unsolicited responses.

It’s clear from SAML errata and the text on how to populate InResponseTo fields that an IDP is absolutely conforming when sending out unsolicited responses. Whether an SP is authorized to process such a “response” is an entirely different question.

From the SP side, it is becoming a case of: When is a response not a response? When it’s an unsolicited response.

That English is tantamount to nonsense of course, even if formally it’s all OK in a formal model.
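The SP-side check this thread circles around, as an added example that is not part of the original message or of the Shibboleth SP or OpenSAML code: validate samlp:Response@InResponseTo (and the bearer SubjectConfirmationData copy of it) against the SP's own outstanding AuthnRequest IDs, and make acceptance of unsolicited Responses an explicit policy flag rather than the default. The namespaces are the standard SAML 2.0 ones; the two messages are constructed, unsigned samples, and signature verification is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class ResponseRejected(Exception):
    """Raised when SP policy refuses to process the Response."""


def check_in_response_to(response_xml, outstanding_ids, allow_unsolicited=False):
    """Validate samlp:Response@InResponseTo against the SP's outstanding
    AuthnRequest IDs (a set, consumed on success). Returns the matched request
    ID, or None when an unsolicited Response is accepted under explicit policy."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ResponseRejected("not a samlp:Response")
    irt = root.get("InResponseTo")
    # Bearer SubjectConfirmationData must carry the same InResponseTo as the Response.
    scd_irts = {e.get("InResponseTo")
                for e in root.iter(f"{{{SAML}}}SubjectConfirmationData")}
    if irt is None:
        if not allow_unsolicited:
            raise ResponseRejected("unsolicited Response refused by SP policy")
        if scd_irts - {None}:
            raise ResponseRejected("unsolicited Response names a request it did not answer")
        return None
    if irt not in outstanding_ids:
        raise ResponseRejected("InResponseTo does not match an outstanding AuthnRequest")
    if scd_irts and scd_irts != {irt}:
        raise ResponseRejected("SubjectConfirmationData/@InResponseTo mismatch")
    outstanding_ids.discard(irt)  # each request ID may be answered only once
    return irt


# Constructed sample messages (not real IdP output; signatures omitted).
SOLICITED = f'''<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" InResponseTo="_req42" Version="2.0" IssueInstant="2008-10-13T23:35:42Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-10-13T23:35:42Z">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"/>
    </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>'''
UNSOLICITED = SOLICITED.replace(' InResponseTo="_req42"', '')

if __name__ == "__main__":
    print(check_in_response_to(SOLICITED, {"_req42"}))                        # _req42
    print(check_in_response_to(UNSOLICITED, set(), allow_unsolicited=True))   # None
```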



