InResponseTo validation fails for response type LogoutResponse

[stevenmasci]

When performing a logout action the logout consumer callback receives a LogoutResponse from the IDP.
If validateInResponseTo is enabled then an error will be thrown:

Error: InResponseTo is missing from response

It appears the reason for this is within the SAML.prototype.validatePostResponse function, specifically when extracting the InResponseTo value from the response xml.

inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");

Since it is a logout response the xml object name is LogoutResponse not Response, therefore it fails to extract the InResponseTo value as Response does not exist.

Is there a reason for this design or is it a bug?

[Quutti]

We have also this issue, any comments?

[cjbarth]

It could be a bug. I haven't noticed it being a problem in my use, but that may just be that my situation has never exercised this code. This seems like an easy fix, but we'd like to see a reference to the SAML spec that says how this should be and then a simple test to make sure we never regress this.

[colmaengus]

I'm also seeing this problem using Keycloak. I'm not a SAML expert from looking around it seems that its correct behaviour to return a LogoutResponse. For example if you search for LogoutResponse in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

[colmaengus]

Changing to the following xpath supports both Response and LogoutResponse
const inResponseToNodes = xml_1.xpath.selectAttributes(doc, "/*[local-name()='Response' or local-name()='LogoutResponse']/@InResponseTo");

[cjbarth]

@colmaengus Thank you for this find. Would you be wiling to create a PR to address this? I'd be happy to review it. Please make sure your PR includes a test that fails when your fix isn't applied, but passes when it is (TDD). We don't want to regress on this later on.

[zgurea1]

Hi guys, do you figured how to add the InResponseTo attribute to saml response?