Open m-novikov opened 2 years ago
If you provide a request_id in order to validate the InResponseTo, but there is no InResponseTo, that means that meanwhile you generated the request, an IdP-initiated flow happened, that SAMLResponse is legit and it should not be invalidated by the request_id match, in my opinion.
It seems highly unlikely that this kind of concurrency happens in a user browser, and even if it is ,developer still has an option to distinguish between IdP and Sp initiated flows based on RelayState and adjust validation
Also for some applications IdP initiated flow is optional.
In my opinion it would be nicer for library to provide stricter validation that can be bypassed by developer in their app.
I agree with Maksim here. It would be nice to be strict by default.
Ditto.
With the current logic, rejecting IdP-initiated SSO requires more work than it should.
If
request_id
is given andInResponseTo
doesn't match error is raised But ifrequest_id
is given andInResponseTo
is missing from the assertion body, then there is no reason. Excepted to have an error in second case also Kind of related to my previous issue #263