auth0/node-samlp

SAML Request ID is not used in AuthnResponse

yesvivek opened this issue · 9 comments

When sending SAML request to node-samlp IdP, for the first time, ID in the request is properly used in InResponseTo attribute of Response. But for the subsequent requests, this InResponseTo attribute is not taken from the respective requests, instead, the same ID from the first request is sent as InResponseTo for all requests. I could see this issue always.

Hello @yesvivek

I was reviewing the implementation of the auth function, and the ID used as InResponseTo in the SAMLResponse is taken from the SAMLRequest unless you explicitly set it as an option.

https://github.com/auth0/node-samlp/blob/master/lib/samlp.js#L174-L175

Can you check the following:

  • You are not explicitly setting the InResponseTo when calling samlp.auth(options)
  • Your SAMLRequest has different IDs

@mcastany, my SAMLRequest has different IDs for each request. I am setting destination and all REQUIRED options when calling samlp.auth.

https://github.com/auth0/node-samlp/blob/master/lib/samlp.js#L175
This seems to be causing this issue for me. Changing it to if (id) opts.inResponseTo = id; works for me.
What do you suggest?

Could you please check the value of opts.inResponseTo before line 175? https://github.com/auth0/node-samlp/blob/master/lib/samlp.js#L175

I have added the line below, as recommended in the comment above.
console.log( "Dom ID: " + id + " VS opts.inResponseTo: " + opts.inResponseTo);

Results after multiple SAMLRequests:

1. Dom ID: id175479885406247111143820862 VS opts.inResponseTo: undefined
2. Dom ID: id13229522944305032913039188 VS opts.inResponseTo: id175479885406247111143820862
3. Dom ID: id175429005758588441628725185 VS opts.inResponseTo: id175479885406247111143820862
4. Dom ID: id175496083313503221789498695 VS opts.inResponseTo: id175479885406247111143820862

I can reproduce the issue, we'll work on it. In the meantime, you can apply your workaround (if (id) opts.inResponseTo = id;)

try with samlp@2.1.2

thanks for reporting!

Thanks for the quick patch! It works awesome now.

But this is incompatible with my Service Provider

do you know why? InResponseTo contains the ID of the initial SAMLRequest.

Don't know. But I'm closing the issue since I saw what creates this id. Thanks.