InResponseTo being added to <saml2p:Response ...> on IdP-initiated SSOs


Matthew Gordon

Sep 8, 2023, 2:08:17 PM
to CAS Community
Hello,

When using the built-in IdP functionality as of CAS 6.6.11 with an IdP-initiated (a.k.a. unsolicited) SSO, the SAML response now includes an "InResponseTo" attribute within the "saml2p:Response" tag. There is no option to disable it here, only within the subject. We have a vendor that does not handle this possibility, and it makes it appear as if it's an SP-initiated SSO rather than an IdP-initiated one to their SP.


6.6.11:
<saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
                 ID="_2025749187894792192"
                 InResponseTo="_2327057598197701632"
                 IssueInstant="2023-09-07T11:49:38.388Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >https://idp/cas/idp</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_2025749187894792192">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>lbux+715IPQofujJcxFrugbIJCGSu71RzspyDtqWrUY=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[removed]</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[removed]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="_2922271030423692288"
                     IssueInstant="2023-09-07T11:49:38.341Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     >
        <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                          NameQualifier="https://idp/cas/idp"
                          SPNameQualifier="https://sp"
                          >[removed]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="sp"
                                               InResponseTo="_2327057598197701632"
                                               NotOnOrAfter="2023-09-07T11:50:08.341Z"
                                               Recipient="https://sp/saml/assertionconsumerservice"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-09-07T11:49:08.388Z"
                          NotOnOrAfter="2023-09-07T11:50:08.388Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://sp</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-09-07T11:37:25.550Z"
                              SessionIndex="_7306874654027032576"
                              SessionNotOnOrAfter="2023-09-08T11:50:08.332Z"
                              >
            <saml2:SubjectLocality Address="[removed]" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="Email"
                             Name="Email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="LastName"
                             Name="LastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="FirstName"
                             Name="FirstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>
 
6.6.10:
<saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
                 ID="_8596234070664411136"
                 IssueInstant="2023-09-07T11:54:55.123Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >https://idp/cas/idp</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_8596234070664411136">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>[removed]</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[removed]</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[removed]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="_125767328824104960"
                     IssueInstant="2023-09-07T11:54:54.953Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     >
        <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                          NameQualifier="https://idp/cas/idp"
                          SPNameQualifier="https://sp"
                          >[removed]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData Address="sp"
                                               NotOnOrAfter="2023-09-07T11:55:24.955Z"
                                               Recipient="https://sp/saml/assertionconsumerservice"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-09-07T11:54:25.118Z"
                          NotOnOrAfter="2023-09-07T11:55:25.118Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://sp</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2023-09-07T11:54:25.261Z"
                              SessionIndex="_6374997026704939008"
                              SessionNotOnOrAfter="2023-09-08T11:55:24.867Z"
                              >
            <saml2:SubjectLocality Address="[removed]" />
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute FriendlyName="Email"
                             Name="Email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="LastName"
                             Name="LastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute FriendlyName="FirstName"
                             Name="FirstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                             >
                <saml2:AttributeValue>[removed]</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>


Any ideas how I can get it to stop sending the InResponseTo in the Response?

Thank you,
Matt

Matthew Gordon

Sep 8, 2023, 3:32:11 PM
to CAS Community, Matthew Gordon
Actually, according to the SAML 2 specification it should not be returning the InResponseTo for any unsolicited / IdP-initiated SSOs: https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

4.1.5 Unsolicited Responses
An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a
service provider.
An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer
<SubjectConfirmationData> elements contain one. If metadata as specified in [SAMLMeta] is used,
the <Response> or artifact SHOULD be delivered to the <md:AssertionConsumerService> endpoint
of the service provider designated as the default.
Of special mention is that the identity provider MAY include a binding-specific "RelayState" parameter that
indicates, based on mutual agreement with the service provider, how to handle subsequent interactions
with the user agent. This MAY be the URL of a resource at the service provider. The service provider
SHOULD be prepared to handle unsolicited responses by designating a default location to send the user
agent subsequent to processing a response successfully.

Thank you,
Matt
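The two posts above describe the same rule from two sides: a CAS 6.6.11 IdP-initiated response carrying InResponseTo on both saml2p:Response and the bearer SubjectConfirmationData, and section 4.1.5 of the profiles spec saying an unsolicited Response MUST NOT carry it. The following is an added example written for this thread; it is not CAS code and not the vendor's SP code. It shows the check a service provider would run on the receiving side: when the SP has no outstanding AuthnRequest, any InResponseTo is a profile violation; when it does, InResponseTo must echo one of its own request IDs. The two XML inputs are constructed, stripped-down stand-ins for the 6.6.11 and 6.6.10 shapes shown earlier (no signature, constructed IDs), and the function name check_in_response_to is an assumption of this example.

```python
"""
Added example (not from the thread or from CAS): service-provider-side validation
of the InResponseTo rule from SAML 2.0 Profiles, section 4.1.5.

- Unsolicited (IdP-initiated) Response: InResponseTo MUST NOT appear on the
  Response nor on any bearer SubjectConfirmationData.
- Solicited (SP-initiated) Response: InResponseTo MUST match the ID of an
  AuthnRequest this SP actually sent and has not yet consumed.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_in_response_to(response_xml: str, outstanding_request_ids: set) -> list:
    """Return a list of problems; an empty list means InResponseTo handling is consistent.

    outstanding_request_ids: IDs of AuthnRequests this SP has issued and not yet
    consumed. An empty set means the SP is expecting an unsolicited response.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["root element is not saml2p:Response"]

    problems = []
    resp_irt = root.get("InResponseTo")

    # Collect InResponseTo from every bearer SubjectConfirmationData in every assertion.
    bearer_irts = []
    for sc in root.iterfind(".//saml2:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        for scd in sc.iterfind("saml2:SubjectConfirmationData", NS):
            bearer_irts.append(scd.get("InResponseTo"))

    if not outstanding_request_ids:
        # Unsolicited path (profiles spec 4.1.5): the attribute must be absent everywhere.
        if resp_irt is not None:
            problems.append("unsolicited Response carries InResponseTo=%r" % resp_irt)
        for v in bearer_irts:
            if v is not None:
                problems.append(
                    "unsolicited bearer SubjectConfirmationData carries InResponseTo=%r" % v)
    else:
        # Solicited path: the attribute must be present and must echo one of our request IDs.
        if resp_irt is None:
            problems.append("solicited Response lacks InResponseTo")
        elif resp_irt not in outstanding_request_ids:
            problems.append(
                "Response InResponseTo=%r does not match any outstanding request" % resp_irt)
        for v in bearer_irts:
            if v is not None and v != resp_irt:
                problems.append(
                    "bearer SubjectConfirmationData InResponseTo=%r differs from Response" % v)
    return problems


# Constructed inputs (minimal, unsigned; IDs are placeholders, not values from the thread).
# Shape of the 6.6.11 output: InResponseTo present on Response and on the bearer data.
RESPONSE_WITH_IRT = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp-constructed-1" InResponseTo="_req-constructed-1" Version="2.0"
    IssueInstant="2023-09-07T11:49:38.388Z" Destination="https://sp/saml/assertionconsumerservice">
  <saml2:Assertion ID="_assn-constructed-1" Version="2.0" IssueInstant="2023-09-07T11:49:38.341Z">
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="_req-constructed-1"
            Recipient="https://sp/saml/assertionconsumerservice"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# Shape of the 6.6.10 output: no InResponseTo anywhere.
RESPONSE_CLEAN = RESPONSE_WITH_IRT.replace(' InResponseTo="_req-constructed-1"', "")


if __name__ == "__main__":
    print("IdP-initiated, 6.6.11 shape:", check_in_response_to(RESPONSE_WITH_IRT, set()))
    print("IdP-initiated, 6.6.10 shape:", check_in_response_to(RESPONSE_CLEAN, set()))
    print("SP-initiated, matching ID:  ", check_in_response_to(RESPONSE_WITH_IRT, {"_req-constructed-1"}))
```

Run as written, the first call reports two violations (Response and bearer SubjectConfirmationData), the second reports none, and the third reports none because the same 6.6.11-shaped message is perfectly valid as an SP-initiated response. That last case is exactly the vendor's complaint: an SP that keeps state for outstanding requests cannot tell an IdP-initiated login from a reply to a request it never sent, so the only safe outcome on its side is rejection.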

Matthew Gordon

Sep 19, 2023, 9:14:23 AM
to CAS Community, Matthew Gordon

Matthew Gordon

Oct 16, 2023, 11:31:31 AM
to CAS Community, Matthew Gordon
@mmoayyed

Thank you for fixing this https://github.com/apereo/cas/commit/b0e9a98f5003e477a6816fd57b3474aea4513f12

Thank you,
Matt