
shibboleth-dev - RE: [Shib-Dev] Writing an IDP extension

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Writing an IDP extension
  • Date: Tue, 14 Oct 2008 10:11:33 -0400
  • Organization: The Ohio State University

> What do you know! Just found a vulnerability in the "NAR toolkit" - that is
> based on opensaml2. It too accepts an unsolicited response "returned" in
> response to an authentication request [indication].

That isn't a vulnerability, unless you're maintaining state associated with
the Request ID that you then "assume" to be in effect when processing the
response. The SP for example doesn't do that.

> This issue is now bugging me. Makes me feel like SP metadata ought to be
> explicit whether or not an SP is configured/authorized to process
> unsolicited requests.

The profile more or less demands that you do so.

> It's clear from SAML errata and text on how to populate InResponseTo fields
> that an IDP is absolutely conforming if sending out unsolicited responses.

Absolutely.

> Whether an SP is authorized to process such a "response" is an entirely
> different question.

No, it's required to if it supports the profile.

-- Scott
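The distinction Scott draws above, as an added example that is not part of this thread and not code from Shibboleth or OpenSAML: an SP-side correlation step that binds a samlp:Response to the SP's own AuthnRequest state only through InResponseTo, treats a Response with no InResponseTo as unsolicited (which SAML 2.0 Core permits the IdP to send), and never lets an unsolicited Response inherit state stored for a pending request. Next to it is the pattern that does turn unsolicited responses into a problem, where the SP assumes "the request I last sent" is the one being answered. The sample Response is constructed inline; signature, Destination, Conditions and assertion checks are assumed to happen elsewhere and are not shown, and the class and function names are this example's own.

```python
"""Added example (not from the thread, Shibboleth or OpenSAML): correlating a
SAML 2.0 Response with SP request state via InResponseTo.

Assumptions: signature validation, Destination/Audience/Conditions and the
assertion itself are checked elsewhere; only the InResponseTo / request-state
correlation is shown. Names here are illustrative, not a real SP's API."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class ResponseRejected(Exception):
    """Raised when the SP must not process the Response."""


class RequestStore:
    """Outstanding AuthnRequest IDs and the SP-side state attached to each."""

    def __init__(self):
        self._pending = {}

    def issue(self, request_id, state):
        self._pending[request_id] = state

    def consume(self, request_id):
        # One-shot: a Response may satisfy a given request only once.
        return self._pending.pop(request_id, None)

    def pending(self):
        return dict(self._pending)


def build_response(issuer, in_response_to=None):
    """Constructed sample samlp:Response (unsigned, illustration only).
    Per SAML 2.0 Core the IdP omits InResponseTo on an unsolicited response."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_resp", "Version": "2.0"})
    if in_response_to is not None:
        resp.set("InResponseTo", in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(resp)


def correlate(response_xml, store, allow_unsolicited):
    """Bind a Response to SP request state through InResponseTo only.

    Returns ("solicited", state) when InResponseTo names an outstanding
    request, ("unsolicited", None) when InResponseTo is absent and the SP
    accepts IdP-initiated SSO; raises ResponseRejected otherwise."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ResponseRejected("not a samlp:Response")
    irt = root.get("InResponseTo")
    if irt is None:
        if not allow_unsolicited:
            raise ResponseRejected(
                "unsolicited Response, but IdP-initiated SSO is not "
                "enabled for this SP")
        # Unsolicited: nothing the SP stored for any pending request applies.
        # Whatever the SP needs (e.g. a target URL) must come from RelayState
        # and be validated on its own, not taken from a pending request.
        return ("unsolicited", None)
    state = store.consume(irt)
    if state is None:
        raise ResponseRejected(
            f"InResponseTo {irt!r} matches no outstanding request")
    return ("solicited", state)


def correlate_assuming_pending(response_xml, store):
    """The pattern the reply warns about: the SP remembers the request it
    last sent and applies that state to whatever Response arrives next,
    without checking InResponseTo. An unsolicited Response then inherits
    state (return target, ForceAuthn expectation, ...) it never earned."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ResponseRejected("not a samlp:Response")
    pending = store.pending()
    assumed_id = next(iter(pending), None)  # "the" request, no correlation
    return ("assumed", pending.get(assumed_id))


if __name__ == "__main__":
    idp = "https://idp.example.org"
    store = RequestStore()
    store.issue("_req1", {"return_to": "/private/report"})
    print(correlate(build_response(idp, "_req1"), store, True))
    print(correlate(build_response(idp), store, True))
    store.issue("_req2", {"return_to": "/admin"})
    print(correlate_assuming_pending(build_response(idp), store))
```

The one-shot `consume` also closes the replay case: a second Response carrying the same InResponseTo finds no outstanding request and is rejected, which is the behaviour a stateful SP wants regardless of whether it accepts unsolicited responses.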




