Bug 1342685

Summary: [GSS] (6.4.z) IDP initiated (unsolicited) responses should not contain InResponseTo attributes
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: PicketLink
Assignee: Miroslav Sochurek <msochure>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4.7
CC: anmiller, bbaranow, bdawidow, bmaxwell, ihradek, jtruhlar, msochure, psilva, pskopek
Target Milestone: CR1
Flags: vpakan: needinfo+
Target Release: EAP 6.4.10
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1342686
Environment:
Last Closed: 2017-01-17 12:55:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1339868, 1342686, 1353339

Description dhorton 2016-06-03 21:56:55 UTC
Description of problem:

IDP initiated (unsolicited) responses should not contain InResponseTo attributes

From saml-profiles-2.0-os.pdf:
4.1.5 Unsolicited Responses
An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a
service provider.
An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer
<SubjectConfirmationData> elements contain one. If metadata as specified in [SAMLMeta] is used,
the <Response> or artifact SHOULD be delivered to the <md:AssertionConsumerService> endpoint
of the service provider designated as the default.
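
A service-provider-side check of the section 4.1.5 rule quoted above, added here as an example (it is not PicketLink's code and not part of this bug): it classifies a received <Response> as unsolicited, solicited, or to be rejected, based on the InResponseTo attributes on the Response and on its bearer <SubjectConfirmationData> elements. Function names and the sample messages are constructed for illustration.

```python
# Added example, not PicketLink's code: a service-provider-side check of the
# SAML 2.0 Profiles rule (section 4.1.5) quoted in this bug.  Function names and
# the sample messages are constructed for illustration.
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def in_response_to_values(response_xml: str) -> Tuple[Optional[str], List[str]]:
    """Return Response@InResponseTo and the InResponseTo of every bearer
    <SubjectConfirmationData>; both are what 4.1.5 forbids in unsolicited messages."""
    root = ET.fromstring(response_xml)
    bearer_irt = []
    for sc in root.iterfind(".//saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations are covered by the rule
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is not None and data.get("InResponseTo") is not None:
            bearer_irt.append(data.get("InResponseTo"))
    return root.get("InResponseTo"), bearer_irt


def classify_response(response_xml: str, pending_request_ids: Set[str]) -> str:
    """'unsolicited': IdP-initiated and free of InResponseTo, as 4.1.5 requires.
    'solicited':   answers an AuthnRequest this SP issued and still has pending.
    'reject':      InResponseTo present but unknown to this SP, or inconsistent
                   between the Response and its bearer confirmations."""
    top, bearer_irt = in_response_to_values(response_xml)
    if top is None and not bearer_irt:
        return "unsolicited"
    if top in pending_request_ids and all(v == top for v in bearer_irt):
        return "solicited"
    return "reject"


def sample_response(top_irt: Optional[str], bearer_irt: Optional[str]) -> str:
    """Constructed, unsigned minimal <Response> used only to exercise the check."""
    top = f' InResponseTo="{top_irt}"' if top_irt else ""
    data = f' InResponseTo="{bearer_irt}"' if bearer_irt else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"{top}>'
            '<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData{data}/>'
            '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>')
```

An IdP that stamps a stale InResponseTo on an unsolicited message, which is the behaviour this bug reports, lands in the "reject" branch of a strict SP; signature and audience checks are deliberately out of scope here.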

Comment 2 dhorton 2016-07-07 21:03:37 UTC
To reproduce:

- deploy idp.war and employee.war
- login to the IDP: http://localhost:8080/idp/
- trigger the SAMLv2 unsolicited response by going to http://localhost:8080/idp/index.html?TARGET=http://localhost:8080/employee/&SAML_VERSION=2.0
- view the SAML request that gets sent to the employee application
  - there should not be an InResponseTo attribute


Required security-domain configuration:

<security-domain name="idp" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="sp" cache-type="default">
    <authentication>
        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>
    </authentication>
</security-domain>

Comment 15 Ivo Hradek 2016-08-23 08:24:21 UTC
Verified with EAP 6.4.10.CP.CR2

Comment 18 Petr Penicka 2017-01-17 12:55:38 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.