omniauth / omniauth-saml

A generic SAML strategy for OmniAuth
https://github.com/omniauth/omniauth-saml
331 stars 205 forks

Ability to store `authn_request.uuid` for InResponseTo comparison #172

Open Jamedjo opened 5 years ago

Jamedjo commented 5 years ago

I'd like to verify that certain requests were initiated from the service provider, rather than being unsolicited ones from the IdP. I'd like to do this by storing `authn_request.uuid` from `#request_phase` and then later comparing this to `InResponseTo`. This might involve `matches_request_id`, or might bypass that to sometimes allow unsolicited IdP-initiated requests.

The SAML protocols spec, section 4.1.4 (Use of Authentication Request Protocol), includes the following:

> 4.1.4.3 Message Processing Rules
>
> Regardless of the SAML binding used, the service provider MUST do the following:
>
> - ...
> - Verify that the InResponseTo attribute in the bearer `<SubjectConfirmationData>` equals the ID of its original `<AuthnRequest>` message, unless the response is unsolicited (see Section 4.1.5), in which case the attribute MUST NOT be present

Unfortunately I don't have any way to access `authn_request.uuid` during the request phase to make this work.
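The check the issue describes, as an added stand-alone example that is not omniauth-saml or ruby-saml code and does not use the gem's `matches_request_id` hook: the SP remembers the AuthnRequest ID it generated in the request phase, consumes it in the callback phase, and applies the quoted 4.1.4.3 rule to the bearer `<SubjectConfirmationData>`, including the two edge cases the rule implies (a solicited response with a missing or different ID, and an unsolicited response that nevertheless carries an InResponseTo). The function names, the `saml_request_id` session key, the callback URL and the constructed, unsigned sample response are all assumptions made for the example.

```ruby
# Added example (not omniauth-saml or ruby-saml code): SAML Core 4.1.4.3
# InResponseTo handling as a stand-alone check. Names are assumptions.
require 'rexml/document'

SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion'
BEARER   = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'
CALLBACK = 'https://sp.example.com/auth/saml/callback' # assumed SP ACS URL

# Constructed, unsigned SAML Response with only the elements this check
# reads. A real SP must verify the signature, Recipient, NotOnOrAfter and
# Audience before trusting anything in it; that is out of scope here.
def sample_response(in_response_to: nil)
  irt = in_response_to ? %( InResponseTo="#{in_response_to}") : ''
  <<~XML
    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="#{SAML_NS}" ID="_resp1" Version="2.0"#{irt}>
      <saml:Assertion ID="_a1" Version="2.0">
        <saml:Subject>
          <saml:NameID>alice@example.com</saml:NameID>
          <saml:SubjectConfirmation Method="#{BEARER}">
            <saml:SubjectConfirmationData Recipient="#{CALLBACK}"#{irt}/>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:Assertion>
    </samlp:Response>
  XML
end

# InResponseTo of every bearer <SubjectConfirmationData> (nil where the
# attribute is absent). Raises when there is no bearer confirmation at all,
# since the 4.1.4.3 rule is stated for bearer assertions.
def bearer_in_response_to(xml)
  doc = REXML::Document.new(xml)
  path = "//saml:SubjectConfirmation[@Method='#{BEARER}']/saml:SubjectConfirmationData"
  nodes = REXML::XPath.match(doc, path, { 'saml' => SAML_NS })
  raise ArgumentError, 'no bearer SubjectConfirmationData' if nodes.empty?
  nodes.map { |n| n.attributes['InResponseTo'] }
end

# Apply the 4.1.4.3 rule and return a symbol describing the outcome.
#   expected_id:       AuthnRequest ID stored during the request phase, or
#                      nil when this session never sent an AuthnRequest
#   allow_unsolicited: whether IdP-initiated responses are acceptable at all
def check_in_response_to(xml, expected_id:, allow_unsolicited: false)
  values = bearer_in_response_to(xml)
  if expected_id
    # Solicited: every bearer confirmation must name exactly the stored ID.
    # A missing attribute counts as a mismatch. The ID is not a secret (it
    # was sent to the IdP in the clear), so plain equality is adequate.
    values.all? { |v| v == expected_id } ? :ok : :mismatch
  elsif !allow_unsolicited
    :unsolicited_disabled
  elsif values.all?(&:nil?)
    # Unsolicited: the attribute MUST NOT be present.
    :ok
  else
    # Claims to answer a request this session never sent.
    :unexpected_in_response_to
  end
end

# Request-phase side of what the issue asks for: remember the generated ID.
def remember_request_id(session, request_id)
  session['saml_request_id'] = request_id
end

# Callback-phase glue: consume the stored ID so a given response can only
# ever be matched once, then apply the rule.
def callback_check(session, xml, allow_unsolicited: false)
  expected = session.delete('saml_request_id')
  check_in_response_to(xml, expected_id: expected, allow_unsolicited: allow_unsolicited)
end

if $PROGRAM_NAME == __FILE__
  session = {}
  remember_request_id(session, '_req1')
  puts callback_check(session, sample_response(in_response_to: '_req1')) # ok
  # Replaying the same response finds no stored ID and is rejected.
  puts callback_check(session, sample_response(in_response_to: '_req1')) # unsolicited_disabled
end
```

Deleting the stored ID in `callback_check` rather than merely reading it is what makes the check single-use; without that, a captured response stays valid for as long as the session lives. Whether to set `allow_unsolicited` is a deployment decision; the rule only requires that an unsolicited response not carry an InResponseTo.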