datacarl

Reputation: 2781

Where is `InResponseTo` required in the SAMLResponse in an SP-initiated SAML flow?

Reading the SAML core documentation I can't figure out where InResponseTo is required (if anywhere) in an SP-initiated SAML2.0 Post Redirect flow.

The docs stipulate that InResponseTo is optional in the SubjectConfirmationData. The documentation is quiet on whether or not InResponseTo should be part of the Response tag, although my experience is that in practice it's almost always present (I suspect the InResponseTo's existence in the Response is covered by other SAML documentation that I haven't been able to find). Can the IdP decide freely if the InResponseTo value goes in the Response tag or in the SubjectConfirmationData (or even somewhere else)?

(For the avoidance of doubt, I understand InResponseTo is not part of the SAMLResponse in an IdP-initiated response.)

Upvotes: 2

Views: 9036

Answers (2)

Akshay G

Reputation: 2280

There is clear documentation available for InResponseTo in the SAML core documentation under Section 3.2.2 Complex Type StatusResponseType.

The <Response> message element has the complex type ResponseType, which extends StatusResponseType. Check Section 3.3.3

InResponseTo [Optional] A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present. Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute.


Upvotes: 4

Stefan Rasmusson

Reputation: 5595

It is optional in the Response message because SAML allows the IdP to send an unsolicited response to the SP without the SP requesting it. Under 3.2.1 for the AuthnRequest it states that InResponseTo must match the ID in the AuthnRequest.

More importantly, when you use requests and responses for Web Browser SSO, you are using the Web Browser SSO Profile in the SAML Profiles spec.

The profile adds extra requirements on how the requests and responses are used.

4.1.4.2 <Response> Usage states

If the containing message is in response to an `<AuthnRequest>`, then the InResponseTo attribute MUST match the request's ID.

4.1.4.3 <Response> Message Processing Rules states

Verify that the InResponseTo attribute in the bearer `<SubjectConfirmationData>` equals the ID of its original `<AuthnRequest>` message, unless the response is unsolicited (see Section 4.1.5), in which case the attribute MUST NOT be present.

The SAML Profiles spec adds a lot of important requirements for the context in which the protocol messages of the core spec are used, and it is very important for interoperability and security.

Upvotes: 2
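The two answers above together give the SP-side rule: when a Response answers an AuthnRequest, `InResponseTo` on the `<Response>` (core 3.2.2) and on the bearer `<SubjectConfirmationData>` (profiles 4.1.4.3) must both equal the ID of an AuthnRequest this SP actually issued; when the response is unsolicited, the attribute must be absent in both places. The following is an added example of that check, not code from either answer or from any SAML library. The function names, the `outstanding_request_ids` set (the SP's store of AuthnRequest IDs it has issued and not yet consumed) and the constructed, unsigned sample Response are all assumptions for illustration; a real SP validates the XML signature before any of this.

```python
"""SP-side InResponseTo validation for a SAML 2.0 Web Browser SSO <Response>.

Added illustration, not taken from the answers above. The sample XML is
constructed; signature, Issuer, Recipient, Audience, Conditions and
NotOnOrAfter checks are deliberately out of scope here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_in_response_to(response_xml: str, outstanding_request_ids: set,
                         allow_unsolicited: bool = False) -> str:
    """Return the matched AuthnRequest ID, or "" for an accepted unsolicited
    response. Raise ValueError on any violation of the rules quoted above.

    `outstanding_request_ids` is the SP's own store of issued-but-unconsumed
    AuthnRequest IDs (an assumed data structure); a matched ID is removed so the
    same response cannot be accepted twice.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    resp_irt = root.get("InResponseTo")

    # Collect InResponseTo from every bearer SubjectConfirmationData (4.1.4.3).
    bearer_irts = []
    for sc in root.iterfind(".//saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        bearer_irts.append(scd.get("InResponseTo") if scd is not None else None)
    if not bearer_irts:
        raise ValueError("no bearer SubjectConfirmation in response")

    if resp_irt is None:
        # Unsolicited (IdP-initiated) response: 4.1.4.3 says InResponseTo MUST NOT be present.
        if not allow_unsolicited:
            raise ValueError("unsolicited response, but this SP does not accept IdP-initiated SSO")
        if any(irt is not None for irt in bearer_irts):
            raise ValueError("unsolicited response carries InResponseTo in SubjectConfirmationData")
        return ""

    # Solicited response: core 3.2.2 / profiles 4.1.4.2 require a match with our request ID.
    if resp_irt not in outstanding_request_ids:
        raise ValueError(f"InResponseTo {resp_irt!r} matches no outstanding AuthnRequest")
    for irt in bearer_irts:
        if irt != resp_irt:
            raise ValueError("bearer SubjectConfirmationData InResponseTo does not equal the AuthnRequest ID")
    outstanding_request_ids.discard(resp_irt)  # one-shot: a replayed response is rejected
    return resp_irt


def rejects(response_xml: str, outstanding_request_ids: set,
            allow_unsolicited: bool = False) -> bool:
    """True if the response fails validation (convenience wrapper for the demo)."""
    try:
        check_in_response_to(response_xml, outstanding_request_ids, allow_unsolicited)
    except ValueError:
        return True
    return False


def make_response(response_irt=None, scd_irt=None) -> str:
    """Build a minimal constructed (unsigned) samlp:Response for the demo."""
    def attr(value):
        return f' InResponseTo="{value}"' if value is not None else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr(response_irt)}>'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Issuer>https://idp.example.org</saml:Issuer>'
        '<saml:Subject><saml:NameID>alice</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"{attr(scd_irt)}/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    pending = {"_req42"}                      # AuthnRequest ID this SP issued earlier
    print(check_in_response_to(make_response("_req42", "_req42"), pending))
    print(rejects(make_response("_req42", "_req42"), pending))   # replay: ID already consumed
    print(rejects(make_response("_req42", "_req99"), {"_req42"}))  # assertion bound to another request
```

Keeping the request-ID store one-shot is what turns the spec's "MUST match" into a replay defence: once a response has consumed its AuthnRequest ID, presenting the same response again fails the same check as a forged one.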
