InResponseTo validation fails for response type LogoutResponse #438
Comments
We also have this issue, any comments?
It could be a bug. I haven't noticed it being a problem in my use, but that may just be that my situation has never exercised this code. This seems like an easy fix, but we'd like to see a reference to the SAML spec that says how this should be and then a simple test to make sure we never regress this.
I'm also seeing this problem using Keycloak. I'm not a SAML expert, but from looking around it seems that it's correct behaviour to return a LogoutResponse. For example, search for LogoutResponse in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
Changing to the following xpath supports both Response and LogoutResponse
@colmaengus Thank you for this find. Would you be willing to create a PR to address this? I'd be happy to review it. Please make sure your PR includes a test that fails when your fix isn't applied, but passes when it is (TDD). We don't want to regress on this later on.
Hi guys, did you figure out how to add the InResponseTo attribute to the SAML response?
When performing a logout action the logout consumer callback receives a LogoutResponse from the IDP. If validateInResponseTo is enabled then an error will be thrown:

It appears the reason for this is within the SAML.prototype.validatePostResponse function, specifically when extracting the InResponseTo value from the response xml. Since it is a logout response the xml object name is LogoutResponse, not Response, therefore it fails to extract the InResponseTo value as Response does not exist.

Is there a reason for this design or is it a bug?
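The failure described in this issue comes down to which root element the InResponseTo extraction accepts. The following is an added illustration, not passport-saml's own code: it reproduces the reported behaviour (an extractor that only recognises a Response root returns nothing for a LogoutResponse) next to a version that accepts both root elements, and then runs the InResponseTo check against a store of outstanding request IDs, which is what the validateInResponseTo option exists for: rejecting unsolicited or replayed responses. The function names, the sample messages and the request IDs are constructed for this example; the project itself does the extraction with an xpath query over a DOM, which this Python version mirrors with the standard ElementTree parser.

```python
# Added illustration of the InResponseTo check discussed in the issue.
# Not passport-saml code: extract_in_response_to, validate_in_response_to,
# the sample messages and the request IDs below are all made up here.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample messages. A real SP receives these base64-encoded in the
# SAMLResponse POST parameter and verifies the signature before this step.
AUTHN_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0"
    IssueInstant="2016-01-01T00:00:00Z" InResponseTo="_req-authn-1"
    Destination="https://sp.example.com/acs">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>""".encode()

LOGOUT_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutResponse xmlns:samlp="{SAMLP_NS}" ID="_r2" Version="2.0"
    IssueInstant="2016-01-01T00:00:00Z" InResponseTo="_req-logout-1"
    Destination="https://sp.example.com/logout/callback">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:LogoutResponse>""".encode()


def _root(xml_bytes):
    """Parse and return the root element together with its local name.

    ElementTree reports tags as '{namespace}LocalName', so the split mirrors
    an xpath local-name() test. On untrusted input prefer defusedxml's
    fromstring, which refuses entity expansion; the stdlib parser does not.
    """
    root = ET.fromstring(xml_bytes)
    return root, root.tag.split("}", 1)[-1]


def extract_in_response_to_response_only(xml_bytes):
    """The behaviour the issue reports: only a Response root is recognised,
    so a LogoutResponse yields None and the validation step then fails."""
    root, name = _root(xml_bytes)
    if name != "Response":
        return None
    return root.get("InResponseTo")


def extract_in_response_to(xml_bytes):
    """Accept either root element, matching the xpath change proposed in
    the thread (local-name() is Response or LogoutResponse)."""
    root, name = _root(xml_bytes)
    if name not in ("Response", "LogoutResponse"):
        return None
    return root.get("InResponseTo")


def validate_in_response_to(xml_bytes, pending_requests,
                            extractor=extract_in_response_to):
    """Check the response answers a request this SP actually issued.

    pending_requests is a set of request IDs handed out by the SP and not yet
    answered. A matching ID is consumed so the same response cannot be
    presented twice. Raises ValueError on any mismatch; returns True otherwise.
    """
    value = extractor(xml_bytes)
    if value is None:
        raise ValueError("InResponseTo attribute could not be extracted")
    if value not in pending_requests:
        raise ValueError("InResponseTo does not match an outstanding request")
    pending_requests.discard(value)  # one-time use
    return True


if __name__ == "__main__":
    pending = {"_req-authn-1", "_req-logout-1"}
    print(validate_in_response_to(AUTHN_RESPONSE, pending))    # True
    print(validate_in_response_to(LOGOUT_RESPONSE, pending))   # True
    try:
        validate_in_response_to(LOGOUT_RESPONSE, pending)      # already consumed
    except ValueError as exc:
        print("rejected:", exc)
```

Running validate_in_response_to with extractor=extract_in_response_to_response_only on LOGOUT_RESPONSE raises the "could not be extracted" error, which is the situation the issue describes; with the default extractor the same message validates, and presenting it a second time is rejected because the request ID has been consumed.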