Bug 1342685 - [GSS] (6.4.z) IDP initiated (unsolicited) responses should not contain InResponseTo attributes
Summary: [GSS] (6.4.z) IDP initiated (unsolicited) responses should not contain InResp...
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.10
Assignee: Miroslav Sochurek
QA Contact: Josef Cacek
Depends On:
Blocks: eap6410-payload 1342686 1353339
TreeView+ depends on / blocked
Reported: 2016-06-03 21:56 UTC by dhorton
Modified: 2019-11-14 08:16 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1342686 (view as bug list)
Last Closed: 2017-01-17 12:55:38 UTC
Type: Bug
vpakan: needinfo+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-5273 0 Major Verified [GSS](7.0.z) PLINK-700 - SAML 2.0 Unsolicited Response MUST NOT contain an InResponseTo attribute 2017-03-23 09:21:15 UTC
Red Hat Issue Tracker PLINK-700 0 Major Resolved SAML 2.0 Unsollicited Response MUST NOT contain an InResponseTo attribute, 2017-03-23 09:21:14 UTC
Red Hat Knowledge Base (Solution) 2325481 0 None None None 2016-07-07 21:07:20 UTC

Description dhorton 2016-06-03 21:56:55 UTC
Description of problem:

IDP initiated (unsolicited) responses should not contain InResponseTo attributes

From saml-profiles-2.0-os.pdf:

4.1.5 Unsolicited Responses
An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a
service provider.
An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer
<SubjectConfirmationData> elements contain one. If metadata as specified in [SAMLMeta] is used,
the <Response> or artifact SHOULD be delivered to the <md:AssertionConsumerService> endpoint
of the service provider designated as the default.

Comment 2 dhorton 2016-07-07 21:03:37 UTC
To reproduce:

- deploy idp.war and employee.war
- login to IDP  -  http://localhost:8080/idp/
- trigger the SAMLv2 unsolicited response by going to http://localhost:8080/idp/index.html?TARGET=http://localhost:8080/employee/&SAML_VERSION=2.0
- view the SAML request that gets sent to the employee application
  - there should not be an InResponseTo attribute

Required security-domain configuration:

                <security-domain name="idp" cache-type="default">
                        <login-module code="UsersRoles" flag="required">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                <security-domain name="sp" cache-type="default">
                        <login-module code="org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule" flag="required"/>

Comment 15 Ivo Hradek 2016-08-23 08:24:21 UTC
Verified with EAP 6.4.10.CP.CR2

Comment 18 Petr Penicka 2017-01-17 12:55:38 UTC
Retroactively bulk-closing issues from released EAP 6.4 cummulative patches.

Note You need to log in before you can comment on or make changes to this bug.