pysaml2 icon indicating copy to clipboard operation
pysaml2 copied to clipboard
verified publisher icon IdentityPython

Outstanding query checking not working when allow_unsolicited is on

Open mcho421 opened this issue 1 year ago • 1 comments

Code Version

7.2.1

Expected Behavior

In the following situation:

  • allow_unsolicited is True
  • there are no outstanding_queries

If I receive a SAML Response with an InResponseTo field, I'd expect the outstanding request checking to fail with an error (because the InResponseTo field doesn't match any outstanding queries) rather than succeeding and treating the response as an unsolicited one.

Current Behavior

The SAML Response handling succeeds and doesn't fail with an error. See https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533

Note: My understanding of SAML isn't particularly deep so happy to be corrected on this if this is the expected behaviour.

Possible Solution

If I receive a SAML Response with an InResponseTo field which doesn't match an outstanding query (when allow_unsolicited is on), maybe I should get an error of some kind.

Looking at https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533 the easiest thing to do would be to return an UnsolicitedResponse error, but I'm not sure if that would be an appropriate error - according to the 4.1.5 Unsolicited Responses section (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf), it says:

An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one

As for a name, perhaps something like RequestIdMismatch?

Steps to Reproduce

  1. Create a Saml2Client(config) with a config with the service SP's allow_unsolicited set to true
  2. Call saml_client.parse_authn_request_response() with an SP-initiated SAML response (which InResponseTo set) but pass an empty dict for the outstanding parameter
  3. Assuming the SAML response is well-formed, this request should pass instead of throwing an error

mcho421 avatar Mar 05 '24 00:03 mcho421

Atm, pysaml2 considers any response without a corresponding request as "unsolicited". It does not care if the response have an InResponseTo field.

We can make this check stricter and follow the spec to consider any response without a corresponding request and without an InResponseTo field as unsolicited. That would make responses without a corresponding request but with an InResponseTo field invalid.

I think this is easy to do by adding a check for the InResponseTo field at https://github.com/IdentityPython/pysaml2/blob/dff1d5b57e4244cffbd54b043e823a3278adf48c/src/saml2/response.py#L541

c00kiemon5ter avatar Oct 05 '25 08:10 c00kiemon5ter