Make IdP omit inResponseTo

Tue Jan 24 19:34:23 GMT 2012

SIDP-461 states 

"Finally, the whole point of this exercise is to signal that the IdP should omit InResponseTo. We can't do this by the absence of a messageID, because the replay support we added to 2.2.1 mocks up a messageID for legacy protocol requests. Chad suggested using a profile handler option, but I would rather that deployers didn't have to turn this off for all responses from the profile handler, mainly because the SP at some point might start enforcing the InResponseTo check."

The intention of this fix as I understand is to selectively send inResponseTo.  How can the Idp be made to omit InResponseTo?


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Chad La Joie
Sent: Tuesday, January 24, 2012 2:25 PM
To: Shib Users
Subject: Re: Make IdP omit inResponseTo

If the incoming request contains a request ID the IdP is required to send it back.  There is no way to disable that.

On Tue, Jan 24, 2012 at 14:17, Nanda Kumar <NKK at> wrote:
> Hello,
>     In an Idp Initiated sso scenario, how can I make the IdP to omit 
> inResponseTo?
> I have seen SIDP-461,  but couldn't figure out how to make the IdP set 
> the unsolicited flag.
> Is that controlled by setting an attribute to the samlp:AuthnRequest  
> xml element?
> Thanks
> Nanda
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at

Chad La Joie
trusted identities, delivered
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list