saml
GetTrackedRequests returns empty slice, carrying potential errors to many functions
I could not figure out why, but GetTrackedRequests is returning an empty slice when called inside serveACS() (on line 82, to be exact).
This is carried onto the possibleRequestIDs variable, heading into ParseResponse(), then ParseXMLResponse() and finally being checked against the resp.InResponseTo from the XML response. Since possibleRequestIDs is empty, requestIDvalid is set as false, triggering an error InResponseTo does not match any of the possible request IDs (expected []) and a 403 Forbidden when serving ACS.
I am not making IDP Initiated requests, so I figure the solution provided in #322 is not really ideal.
I actually tried setting AllowIDPInitiated to true, but then I started getting an "http: named cookie not present" error, mentioned in #300. I tried changing the code to get the redirectURI from the RelayState, but that just returned a 404 for me (as I commented in #300).
I am using the trivial example and samltest.id, if that makes any difference. Hope you could shed some light for me on this...
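To make the failure path above concrete, here is an added example (not crewjam/saml's own code) of the SP-side InResponseTo check: a cookie-backed tracker hands the ACS handler the request IDs it is still waiting on, and a response whose InResponseTo is not among them is rejected. The tracker, cookie prefix and request ID are constructed for the example; when the IdP's POST reaches /saml/acs without the tracking cookie, the tracker returns an empty slice and the check fails with exactly the "expected []" message.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// CookieRequestTracker is a hypothetical tracker: one cookie per outstanding
// AuthnRequest, named NamePrefix+index and holding the request ID. The ACS
// handler only sees these IDs if the browser sends the cookies with the IdP's POST.
type CookieRequestTracker struct{ NamePrefix string }

// GetTrackedRequestIDs returns the request IDs this SP is still waiting on.
func (t CookieRequestTracker) GetTrackedRequestIDs(r *http.Request) []string {
	var ids []string
	for _, c := range r.Cookies() {
		if strings.HasPrefix(c.Name, t.NamePrefix) {
			ids = append(ids, c.Value)
		}
	}
	return ids // nil (empty) when no tracking cookie arrived with the request
}

// ValidateInResponseTo is the SP-side check: a response must answer one of
// the requests this SP issued. A blank InResponseTo is an unsolicited
// (IdP-initiated) response and is accepted only when explicitly allowed.
func ValidateInResponseTo(inResponseTo string, possible []string, allowIDPInitiated bool) error {
	if inResponseTo == "" {
		if allowIDPInitiated {
			return nil
		}
		return errors.New("unsolicited response rejected: IdP-initiated flows are disabled")
	}
	for _, id := range possible {
		if id == inResponseTo {
			return nil
		}
	}
	return fmt.Errorf("InResponseTo does not match any of the possible request IDs (expected %v)", possible)
}

func main() {
	tracker := CookieRequestTracker{NamePrefix: "saml_"}
	r, _ := http.NewRequest("POST", "/saml/acs", nil) // constructed IdP POST, no tracking cookie
	fmt.Println(ValidateInResponseTo("id-abc", tracker.GetTrackedRequestIDs(r), false))
	r.AddCookie(&http.Cookie{Name: "saml_1", Value: "id-abc"}) // cookie set when the flow started
	fmt.Println(ValidateInResponseTo("id-abc", tracker.GetTrackedRequestIDs(r), false))
}
```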
@samuelvenzi same issue on my side, cannot make the IDP initiated request working.
@samuelvenzi I was able to make it work, I forked the repo and changed the middleware method CreateSessionFromAssertion in #300.
After redirecting with a POST to saml/acs, it does a GET to saml/RelayState; you need to handle the same logic that you are currently doing with HandleStartAuthFlow.
Any chance for a PR?