
InResponseTo validation fails for response type LogoutResponse #438

Open
stevenmasci opened this issue Jun 2, 2020 · 6 comments

Comments

@stevenmasci

When performing a logout action the logout consumer callback receives a LogoutResponse from the IDP.
If validateInResponseTo is enabled then an error will be thrown:

Error: InResponseTo is missing from response

It appears the reason for this is within the SAML.prototype.validatePostResponse function, specifically when extracting the InResponseTo value from the response xml.

inResponseTo = xpath(doc, "/*[local-name()='Response']/@InResponseTo");

Since it is a logout response the xml object name is LogoutResponse not Response, therefore it fails to extract the InResponseTo value as Response does not exist.

Is there a reason for this design or is it a bug?

@Quutti

Quutti commented Oct 21, 2020

We also have this issue, any comments?

@cjbarth
Collaborator

cjbarth commented Oct 22, 2020

It could be a bug. I haven't noticed it being a problem in my use, but that may just be that my situation has never exercised this code. This seems like an easy fix, but we'd like to see a reference to the SAML spec that says how this should be and then a simple test to make sure we never regress this.

@colmaengus

I'm also seeing this problem using Keycloak. I'm not a SAML expert, but from looking around it seems that it's correct behaviour to return a LogoutResponse. For example, search for LogoutResponse in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

@colmaengus

Changing to the following xpath supports both Response and LogoutResponse:
const inResponseToNodes = xml_1.xpath.selectAttributes(doc, "/*[local-name()='Response' or local-name()='LogoutResponse']/@InResponseTo");
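The following is an added example, not code from passport-saml or from anyone in this thread. It reproduces the behaviour described above: the original predicate `local-name()='Response'` yields nothing for a `LogoutResponse`, so an enabled InResponseTo check fails with "InResponseTo is missing from response", while the widened predicate from the previous comment finds the attribute on both message types. It then shows the check the option is meant to enforce, matching InResponseTo against the IDs of requests this SP actually sent and consuming each ID once so a replayed response is rejected. To run offline without dependencies, a small root-element scanner (`rootElement`) stands in for the xmldom + xpath lookup; the function names, the `issuedRequests` map and the two SAML messages are constructed for this example and are hypothetical. In real code keep the proper XML parser and XPath.

```javascript
// Added example (not passport-saml's code). A minimal root-element scanner
// replaces @xmldom/xmldom + xpath so the script runs offline.

function rootElement(xml) {
  // Skip the XML declaration, comments and other non-element markup, then
  // read the first start tag (the root element) and its attributes.
  let i = 0;
  for (;;) {
    i = xml.indexOf('<', i);
    if (i === -1) throw new Error('no root element found');
    const skip = xml.startsWith('<!--', i) ? '-->'
               : xml.startsWith('<?', i)   ? '?>'
               : xml.startsWith('<!', i)   ? '>' : null;
    if (skip === null) break;
    const j = xml.indexOf(skip, i);
    if (j === -1) throw new Error('unterminated markup before root element');
    i = j + skip.length;
  }
  const end = xml.indexOf('>', i);
  const tag = xml.slice(i + 1, end).replace(/\/$/, '');
  const qname = /^([\w.\-:]+)/.exec(tag)[1];        // e.g. samlp:LogoutResponse
  const attrs = {};
  const attrRe = /([\w.\-:]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let a;
  while ((a = attrRe.exec(tag.slice(qname.length))) !== null) {
    attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
  }
  return { localName: qname.split(':').pop(), attrs };
}

// Emulates "/*[local-name()='A' or local-name()='B']/@InResponseTo": the
// attribute is only read when the root element's local name is in rootNames.
function inResponseToOf(xml, rootNames) {
  const root = rootElement(xml);
  if (!rootNames.includes(root.localName)) return undefined;
  return root.attrs.InResponseTo;
}

const ORIGINAL_ROOTS = ['Response'];                  // predicate quoted in the issue
const FIXED_ROOTS = ['Response', 'LogoutResponse'];   // predicate proposed above

// issuedRequests: Map of request ID -> issue time for requests this SP sent
// (hypothetical stand-in for the library's request cache). An ID is deleted
// on first use so a second copy of the same response is rejected.
function validateInResponseTo(xml, issuedRequests, rootNames = FIXED_ROOTS) {
  const inResponseTo = inResponseToOf(xml, rootNames);
  if (inResponseTo === undefined) {
    throw new Error('InResponseTo is missing from response');
  }
  if (!issuedRequests.has(inResponseTo)) {
    throw new Error(`InResponseTo ${inResponseTo} does not match any sent request`);
  }
  issuedRequests.delete(inResponseTo);
  return inResponseTo;
}

// Constructed sample messages (not captured from a real IdP).
const SAML_RESPONSE = `<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" Version="2.0" IssueInstant="2020-06-02T10:00:00Z"
    InResponseTo="_authn_req_1" Destination="https://sp.example/login/callback">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>`;

const LOGOUT_RESPONSE = `<?xml version="1.0"?>
<!-- returned by the IdP after an SP-initiated LogoutRequest -->
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_lresp1" Version="2.0" IssueInstant="2020-06-02T10:05:00Z"
    InResponseTo="_logout_req_1" Destination="https://sp.example/logout/callback">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:LogoutResponse>`;

function demo() {
  const r = {};
  r.originalOnResponse = inResponseToOf(SAML_RESPONSE, ORIGINAL_ROOTS);   // found
  r.originalOnLogout = inResponseToOf(LOGOUT_RESPONSE, ORIGINAL_ROOTS);   // undefined
  r.fixedOnLogout = inResponseToOf(LOGOUT_RESPONSE, FIXED_ROOTS);         // found

  const issued = new Map([['_authn_req_1', Date.now()], ['_logout_req_1', Date.now()]]);
  r.loginOk = validateInResponseTo(SAML_RESPONSE, issued);
  r.logoutOk = validateInResponseTo(LOGOUT_RESPONSE, issued);
  try { validateInResponseTo(LOGOUT_RESPONSE, issued); r.replay = 'accepted'; }
  catch (e) { r.replay = e.message; }                                     // rejected
  return r;
}

console.log(demo());
```

Two points worth keeping in mind when applying the widened predicate in a real service provider: the request ID stored for a LogoutRequest must be put into the same cache the check reads from, otherwise the LogoutResponse will now be found but rejected as unmatched; and an IdP-initiated LogoutRequest arriving at the same callback carries no InResponseTo at all, so the check should only be applied to responses, not to incoming requests.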

@cjbarth
Collaborator

cjbarth commented Oct 4, 2021

@colmaengus Thank you for this find. Would you be willing to create a PR to address this? I'd be happy to review it. Please make sure your PR includes a test that fails when your fix isn't applied, but passes when it is (TDD). We don't want to regress on this later on.

@zgurea1

zgurea1 commented Feb 23, 2024

Hi guys, did you figure out how to add the InResponseTo attribute to the SAML response?
