IdentityPython/pysaml2

Outstanding query checking not working when allow_unsolicited is on

mcho421 opened this issue · 0 comments

Code Version

7.2.1

Expected Behavior

In the following situation:

  • allow_unsolicited is True
  • there are no outstanding_queries

If I receive a SAML Response with an InResponseTo field, I'd expect the outstanding request checking to fail with an error (because the InResponseTo field doesn't match any outstanding queries) rather than succeeding and treating the response as an unsolicited one.

Current Behavior

The SAML Response handling succeeds and doesn't fail with an error. See https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533

Note: My understanding of SAML isn't particularly deep so happy to be corrected on this if this is the expected behaviour.

Possible Solution

If I receive a SAML Response with an InResponseTo field which doesn't match an outstanding query (when allow_unsolicited is on), maybe I should get an error of some kind.

Looking at https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533 the easiest thing to do would be to return an UnsolicitedResponse error, but I'm not sure if that would be an appropriate error - according to the 4.1.5 Unsolicited Responses section (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), it says:

An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one

As for a name, perhaps something like RequestIdMismatch?

Steps to Reproduce

  1. Create a Saml2Client(config) with a config with the service SP's allow_unsolicited set to true
  2. Call saml_client.parse_authn_request_response() with an SP-initiated SAML response (with InResponseTo set) but pass an empty dict for the outstanding parameter
  3. Assuming the SAML response is well-formed, this request should pass instead of throwing an error
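The decision the issue asks for, written out as a standalone Python example. This is an added illustration, not code from the pysaml2 repository or from the issue author: it parses a constructed, unsigned samlp:Response with the standard library and applies the rule from profiles section 4.1.5 (InResponseTo present: it must match an outstanding request, whatever allow_unsolicited says; InResponseTo absent: accept only when allow_unsolicited is on). The exception names RequestIdMismatch (the issue's proposal) and Unsolicited are assumptions, as is the "outstanding" dict shape (request ID to return URL), which follows what Saml2Client.parse_authn_request_response() takes as its outstanding parameter. It also checks the bearer SubjectConfirmationData InResponseTo, which the issue quotes but does not discuss further.

```python
"""Added example (not pysaml2 code): InResponseTo vs. outstanding-query check."""
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class Unsolicited(Exception):
    """Hypothetical: response has no InResponseTo and unsolicited responses are off."""


class RequestIdMismatch(Exception):
    """Hypothetical (the issue's proposed name): InResponseTo matches no outstanding request."""


def in_response_to_attrs(xmlstr):
    """Return (Response-level InResponseTo, [InResponseTo of each bearer SubjectConfirmationData])."""
    root = ET.fromstring(xmlstr)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    bearer_irts = []
    for sc in root.iter(f"{{{SAML_NS}}}SubjectConfirmation"):
        if sc.get("Method") != BEARER:
            continue
        for scd in sc.findall(f"{{{SAML_NS}}}SubjectConfirmationData"):
            bearer_irts.append(scd.get("InResponseTo"))
    return root.get("InResponseTo"), bearer_irts


def check_outstanding(xmlstr, outstanding, allow_unsolicited=False):
    """Classify a response against the SP's outstanding requests.

    outstanding: dict {request ID: return URL}, mutated on a match so the
    same request ID cannot be consumed twice.
    Returns ("solicited", return_url) or ("unsolicited", None); raises otherwise.
    """
    resp_irt, bearer_irts = in_response_to_attrs(xmlstr)

    if resp_irt is None:
        # Profiles 4.1.5: an unsolicited <Response> carries no InResponseTo,
        # and neither should its bearer <SubjectConfirmationData> elements.
        if any(irt is not None for irt in bearer_irts):
            raise RequestIdMismatch("bearer SubjectConfirmationData has InResponseTo, Response does not")
        if not allow_unsolicited:
            raise Unsolicited("unsolicited response rejected: allow_unsolicited is off")
        return "unsolicited", None

    # InResponseTo is present, so this is a reply to a request we must know about.
    # allow_unsolicited does not come into it: the issue's case lands here.
    if resp_irt not in outstanding:
        raise RequestIdMismatch(f"InResponseTo {resp_irt!r} matches no outstanding request")
    for irt in bearer_irts:
        if irt is not None and irt != resp_irt:
            raise RequestIdMismatch(f"bearer InResponseTo {irt!r} != Response InResponseTo {resp_irt!r}")
    return "solicited", outstanding.pop(resp_irt)


def outcome(xmlstr, outstanding, allow_unsolicited):
    """Convenience wrapper: the classification or the exception class name."""
    try:
        return check_outstanding(xmlstr, outstanding, allow_unsolicited)[0]
    except (Unsolicited, RequestIdMismatch) as exc:
        return type(exc).__name__


def make_response(in_response_to=None, bearer_in_response_to=None):
    """Constructed, unsigned samlp:Response for the demo (not a real IdP message)."""
    resp_attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    scd_attr = f' InResponseTo="{bearer_in_response_to}"' if bearer_in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"'
        f' ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{resp_attr}>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        '<saml:Subject><saml:NameID>alice</saml:NameID>'
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="https://sp.example.org/acs"{scd_attr}/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    solicited = make_response("id-123", "id-123")
    unsolicited = make_response()
    # The issue's scenario: allow_unsolicited on, empty outstanding, InResponseTo set.
    print("issue scenario:", outcome(solicited, {}, True))                                   # RequestIdMismatch
    print("known request:", outcome(solicited, {"id-123": "https://sp.example.org/app"}, True))  # solicited
    print("idp-initiated, allowed:", outcome(unsolicited, {}, True))                          # unsolicited
    print("idp-initiated, not allowed:", outcome(unsolicited, {}, False))                     # Unsolicited
```

The point of the split is that allow_unsolicited only widens what is accepted when InResponseTo is absent; it never excuses an InResponseTo that the SP did not issue. Consuming the matched entry with pop() also means a second response replaying the same request ID fails the same check.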