Attached InResponseTo attribute into the IDP Response


Arooran
Hi Team,

We are using IDP-initiated SSO. Our service provider informed us that the InResponseTo attribute is not populated in the IDP response. We created a new samlObserver class by deriving from AbstractSAMLObserver and overriding OnSAMLResponseCreated to attach the InResponseTo attribute.


public override SAMLResponse OnSAMLResponseCreated(string partnerName, SAMLResponse samlResponse)
{
    // Placeholder: have to extract the ID from the AuthnRequest.
    string authnRequestId = null;
    samlResponse.InResponseTo = authnRequestId;
    return samlResponse;
}


 
But the service provider asked us to pass the authentication request ID as the InResponseTo attribute. Please see the authentication request.

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://testurl.com"
    Destination="http://loct.test/samlsso"
    ID="_cdba5eed-768d-4045-bb44-7a35a557ac91"
    IssueInstant="2023-07-31T09:28:36.125Z"
    Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxxxxxxxxxx</saml2:Issuer>
</saml2p:AuthnRequest>

How do we access the ID from the AuthnRequest? 

Thank you


ComponentSpace
As per the SAML specification, the InResponseTo field is only present for SP-initiated SSO. We automatically include it with the value set to the ID of the previously received SAML authn request.

This field should not be present for IdP-initiated SSO as there's no previously received authn request.

If the service provider is expecting an InResponseTo for IdP-initiated SSO, they're misunderstanding the SAML specification.

If this is SP-initiated SSO, we include the InResponseTo field automatically. You don't need to do this in OnSAMLResponseCreated.




Regards
ComponentSpace Development
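
The rule in the reply above, seen from the service provider's side, as an added example that is not part of the original thread or of ComponentSpace's code: an SP that tracks the IDs of the authn requests it sent can tell a solicited response from an unsolicited (IdP-initiated) one by InResponseTo alone. The function names, the `allow_unsolicited` policy flag and the constructed Response are assumptions; signature and assertion validation are out of scope here.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# AuthnRequest from the first post, trimmed to the attributes used here.
AUTHN_REQUEST = (
    f'<saml2p:AuthnRequest xmlns:saml2p="{SAMLP}" '
    'ID="_cdba5eed-768d-4045-bb44-7a35a557ac91" Version="2.0" '
    'IssueInstant="2023-07-31T09:28:36.125Z"/>'
)


def make_response(in_response_to=None):
    """Constructed sample Response; a real one also carries a signed assertion."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<saml2p:Response xmlns:saml2p="{SAMLP}" '
            f'ID="_constructed-response" Version="2.0"{attr}/>')


def request_id(authn_request_xml):
    """Return the ID attribute of an AuthnRequest (what the SP must remember)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return root.attrib["ID"]


def check_in_response_to(response_xml, pending_ids, allow_unsolicited=False):
    """Classify a Response as 'solicited', 'unsolicited' or 'rejected'.

    pending_ids: set of AuthnRequest IDs this SP sent and has not seen answered.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return "rejected"
    irt = root.attrib.get("InResponseTo")
    if irt is None:
        # IdP-initiated SSO: there was no request, so the attribute is absent.
        return "unsolicited" if allow_unsolicited else "rejected"
    if irt not in pending_ids:
        return "rejected"       # unknown or already-answered request ID
    pending_ids.discard(irt)    # accept one response per request
    return "solicited"
```

An SP configured without `allow_unsolicited` rejects every response that lacks InResponseTo, which is the symptom an SP reports when the IdP answers its authn request through the IdP-initiated code path.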
Arooran

Thanks for your prompt reply. Sorry for the misunderstanding; we are using SP-initiated SSO. As we are the IDP, in the IDP SAMLResponse object InResponseID comes as null. Please see the following image.




SSO Controller


[HttpGet]
public ActionResult InitiateSingleSignOn()
{
    // Placeholder: retrieve the user name from the request context.
    var userName = GetUserNameFromRequestContext(); // hypothetical helper
    var account = _accountService.GetMyAccountDetails(userName);
    var attributes = new Dictionary<string, string>
    {
        ["email"] = account.Email,
        ["given_name"] = account.Forename,
        ["family_name"] = account.Surname
    };
    var partnerName = _settings.SsoPartnerName;
    var relayState = Request.QueryString["RelayState"];

    try
    {
        SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, relayState, partnerName);
    }
    catch (Exception ex)
    {
        Logger.LogError(string.Format("Error occurred during InitiateSSO for '{0}'", userName), ex);
        throw;
    }

    return new EmptyResult();
}



As per your previous post, in SP-initiated SSO the InResponseTo attribute is automatically included, with the value set to the ID of the previously received SAML authentication request.
Are we doing anything wrong here? 

Thanks.



ComponentSpace
SAMLIdentityProvider.InitiateSSO is for IdP-initiated SSO only. You should be calling SAMLIdentityProvider.SendSSO instead for SP-initiated SSO.

SAMLIdentityProvider.ReceiveSSO receives and processes the SAML authn request from the SP.

SAMLIdentityProvider.SendSSO creates and sends a SAML response with the InResponseTo field set to the authn request's ID.

Regards
ComponentSpace Development
Arooran
ComponentSpace - 8/4/2023
SAMLIdentityProvider.InitiateSSO is for IdP-initiated SSO only. You should be calling SAMLIdentityProvider.SendSSO instead for SP-initiated SSO.

SAMLIdentityProvider.ReceiveSSO receives and processes the SAML authn request from the SP.

SAMLIdentityProvider.SendSSO creates and sends a SAML response with the InResponseTo field set to the authn request's ID.

Many thanks for your response. After following your steps, I can now see that InResponseTo is auto-populated in the response.
ComponentSpace
You're welcome. Thanks for the update.

Regards
ComponentSpace Development