Actually, according to the SAML2 specification, it should not be returning 
the InResponseTo for any unsolicited / IdP-initiated 
SSOs: https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

4.1.5 Unsolicited Responses

An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a service provider.

An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one. If metadata as specified in [SAMLMeta] is used, the <Response> or artifact SHOULD be delivered to the <md:AssertionConsumerService> endpoint of the service provider designated as the default.

Of special mention is that the identity provider MAY include a binding-specific "RelayState" parameter that indicates, based on mutual agreement with the service provider, how to handle subsequent interactions with the user agent. This MAY be the URL of a resource at the service provider. The service provider SHOULD be prepared to handle unsolicited responses by designating a default location to send the user agent subsequent to processing a response successfully.

Thank you,
Matt

On Friday, September 8, 2023 at 2:08:17 PM UTC-4 Matthew Gordon wrote:

> Hello,
>
> When using the built-in IdP functionality as of CAS 6.6.11 with an IdP-
> initiated (a.k.a. unsolicited) SSO, the SAML response now includes an 
> "InResponseTo" attribute within the "saml2p:Response" tag. There is no 
> option to disable it here, only within the subject. We have a vendor that 
> does not handle this possibility, and it makes it appear as if it's an SP-
> initiated SSO rather than an IdP-initiated one to their SP.
>
> e.g. you go to:  
> https://idp/cas/idp/profile/SAML2/Unsolicited/SSO?providerId=https://sp
>
> *6.6.11:*
> <saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
>                  ID="_2025749187894792192"
>                  InResponseTo="_2327057598197701632"
>                  IssueInstant="2023-09-07T11:49:38.388Z"
>                  Version="2.0"
>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>                  >
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                   >https://idp/cas/idp</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>             <ds:Reference URI="#_2025749187894792192">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
>                 <ds:DigestValue>lbux+715IPQofujJcxFrugbIJCGSu71RzspyDtqWrUY=</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>[removed]</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 <ds:X509Certificate>[removed]</ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
>     <saml2p:Status>
>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>     </saml2p:Status>
>     <saml2:Assertion ID="_2922271030423692288"
>                      IssueInstant="2023-09-07T11:49:38.341Z"
>                      Version="2.0"
>                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                      >
>         <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
>         <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>                           NameQualifier="https://idp/cas/idp"
>                           SPNameQualifier="https://sp"
>                           >[removed]</saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml2:SubjectConfirmationData Address="sp"
>                                                InResponseTo="_2327057598197701632"
>                                                NotOnOrAfter="2023-09-07T11:50:08.341Z"
>                                                Recipient="https://sp/saml/assertionconsumerservice"
>                                                />
>             </saml2:SubjectConfirmation>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2023-09-07T11:49:08.388Z"
>                           NotOnOrAfter="2023-09-07T11:50:08.388Z"
>                           >
>             <saml2:AudienceRestriction>
>                 <saml2:Audience>https://sp</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>         <saml2:AuthnStatement AuthnInstant="2023-09-07T11:37:25.550Z"
>                               SessionIndex="_7306874654027032576"
>                               SessionNotOnOrAfter="2023-09-08T11:50:08.332Z"
>                               >
>             <saml2:SubjectLocality Address="[removed]" />
>             <saml2:AuthnContext>
>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>         </saml2:AuthnStatement>
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="Email"
>                              Name="Email"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="LastName"
>                              Name="LastName"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="FirstName"
>                              Name="FirstName"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>         </saml2:AttributeStatement>
>     </saml2:Assertion>
> </saml2p:Response>
>  
> *6.6.10:*
> <saml2p:Response Destination="https://sp/saml/assertionconsumerservice"
>                  ID="_8596234070664411136"
>                  IssueInstant="2023-09-07T11:54:55.123Z"
>                  Version="2.0"
>                  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>                  >
>     <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
>                   xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                   >https://idp/cas/idp</saml2:Issuer>
>     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
>             <ds:Reference URI="#_8596234070664411136">
>                 <ds:Transforms>
>                     <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>                     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
>                 <ds:DigestValue>[removed]</ds:DigestValue>
>             </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>[removed]</ds:SignatureValue>
>         <ds:KeyInfo>
>             <ds:X509Data>
>                 <ds:X509Certificate>[removed]</ds:X509Certificate>
>             </ds:X509Data>
>         </ds:KeyInfo>
>     </ds:Signature>
>     <saml2p:Status>
>         <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>     </saml2p:Status>
>     <saml2:Assertion ID="_125767328824104960"
>                      IssueInstant="2023-09-07T11:54:54.953Z"
>                      Version="2.0"
>                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>                      >
>         <saml2:Issuer>https://idp/cas/idp</saml2:Issuer>
>         <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
>                           NameQualifier="https://idp/cas/idp"
>                           SPNameQualifier="https://sp"
>                           >[removed]</saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>                 <saml2:SubjectConfirmationData Address="sp"
>                                                NotOnOrAfter="2023-09-07T11:55:24.955Z"
>                                                Recipient="https://sp/saml/assertionconsumerservice"
>                                                />
>             </saml2:SubjectConfirmation>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2023-09-07T11:54:25.118Z"
>                           NotOnOrAfter="2023-09-07T11:55:25.118Z"
>                           >
>             <saml2:AudienceRestriction>
>                 <saml2:Audience>https://sp</saml2:Audience>
>             </saml2:AudienceRestriction>
>         </saml2:Conditions>
>         <saml2:AuthnStatement AuthnInstant="2023-09-07T11:54:25.261Z"
>                               SessionIndex="_6374997026704939008"
>                               SessionNotOnOrAfter="2023-09-08T11:55:24.867Z"
>                               >
>             <saml2:SubjectLocality Address="[removed]" />
>             <saml2:AuthnContext>
>                 <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>         </saml2:AuthnStatement>
>         <saml2:AttributeStatement>
>             <saml2:Attribute FriendlyName="Email"
>                              Name="Email"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="LastName"
>                              Name="LastName"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>             <saml2:Attribute FriendlyName="FirstName"
>                              Name="FirstName"
>                              NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
>                              >
>                 <saml2:AttributeValue>[removed]</saml2:AttributeValue>
>             </saml2:Attribute>
>         </saml2:AttributeStatement>
>     </saml2:Assertion>
> </saml2p:Response>
>
>
> Any ideas how I can get it to stop sending the InResponseTo in the 
> Response?
>
> Thank you,
> Matt
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f3c16863-7df9-4123-b693-176e5d3a5bfan%40apereo.org.
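The service-provider-side check that the quoted spec passage (profiles 4.1.5) implies, as an added example that is neither CAS code nor the vendor's: it classifies a Response as unsolicited or SP-initiated and rejects the 6.6.11 shape from the thread, where InResponseTo names a request the SP never issued. `make_response` builds a constructed, unsigned skeleton of the two Response shapes above, and `outstanding_request_ids` is a stand-in for whatever store the SP keeps of AuthnRequest IDs it has sent; signature, audience and time-window checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def classify_response(xml_text, outstanding_request_ids):
    """Return ("unsolicited", None) or ("sp-initiated", request_id).
    SP-side rule from SAML profiles 4.1.5: an unsolicited Response carries
    no InResponseTo on the Response or on any bearer SubjectConfirmationData;
    a solicited one must reference a request this SP actually sent.
    Raises ValueError on any violation (signature/audience checks not shown).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    resp_irt = root.get("InResponseTo")
    bearer_irts = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is not None and scd.get("InResponseTo"):
            bearer_irts.append(scd.get("InResponseTo"))
    if resp_irt is None and not bearer_irts:
        return ("unsolicited", None)  # IdP-initiated flow, per 4.1.5
    if resp_irt is None or any(b != resp_irt for b in bearer_irts):
        raise ValueError("InResponseTo mismatch between Response and bearer data")
    if resp_irt not in outstanding_request_ids:
        # The 6.6.11 case from the thread: the value names no request this SP
        # issued, so a spec-following SP cannot accept the Response as solicited.
        raise ValueError("InResponseTo %r matches no outstanding request" % resp_irt)
    return ("sp-initiated", resp_irt)


def make_response(in_response_to=None):
    """Constructed, unsigned skeleton mirroring the thread's two Response shapes."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return (
        '<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" ID="_resp1"%s'
        ' IssueInstant="2023-09-07T11:49:38.388Z" Version="2.0">'
        '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2023-09-07T11:49:38.341Z">'
        '<saml2:Subject><saml2:SubjectConfirmation Method="%s">'
        '<saml2:SubjectConfirmationData%s Recipient="https://sp/saml/acs"/>'
        "</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion></saml2p:Response>"
        % (NS["samlp"], NS["saml"], irt, BEARER, irt)
    )
```

A vendor SP that treats any InResponseTo as proof of an SP-initiated flow hits the last `raise` on the 6.6.11 output; the 6.6.10 output takes the `unsolicited` branch.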