IDP response message type on SP missing in metadata

Cantor, Scott cantor.2 at osu.edu
Mon May 16 14:42:06 EDT 2016


On 5/16/16, 1:28 PM, "users on behalf of Rainer Hoerbe" <users-bounces at shibboleth.net on behalf of rainer at hoerbe.at> wrote:



>When an SP is sending an AuthnRequest to a Shib IDP, and the IDP cannot locate the SP’s entityID in its metadata, it will return an HTTP 400 with "The application you have accessed is not registered for use with this service" in the body. I wonder if this is spec-compliant, because SAML core 3.4.1.4 is saying:
>"The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message containing one or more assertions that meet the specifications defined by the request, or with a <Response> message containing a <Status> describing the error that occurred."
>
>Wouldn’t an XML <Response> be the correct answer?

The IdP doesn't respond to untrusted endpoints. The logic that would establish the endpoint hasn't run yet, so it couldn't respond even if it were told to (and of course it couldn't do so anyway unless the request contains the endpoint, which admittedly is the normal case).

Also, you're reading core, which is speaking generically. The profile text was modified in E85 to speak to this question and it's worded fairly precisely to allow for this.

-- Scott

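The trust check described in the reply, as an added Python example that is not Shibboleth code: the IdP looks up the request's Issuer in its metadata and only builds a SAML error <Response> (with a <Status>) when a registered AssertionConsumerServiceURL exists for that SP; otherwise there is no endpoint it can trust, so it answers the browser directly with HTTP 400. The entityIDs, URLs and the metadata dictionary are constructed for the example.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)

# Constructed stand-in for the IdP's metadata: entityID -> registered ACS URLs.
METADATA = {"https://sp.example.org/shibboleth": {"https://sp.example.org/Shibboleth.sso/SAML2/POST"}}

def resolve_trusted_endpoint(authn_request_xml, metadata=METADATA):
    """Return the ACS URL a <Response> may be delivered to, or None when the
    Issuer is not in metadata or asks for an endpoint metadata does not list."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    endpoints = metadata.get(issuer)
    if not endpoints:
        return None                      # unknown SP: no endpoint can be trusted
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return sorted(endpoints)[0]      # request names no ACS: use the registered one
    return requested if requested in endpoints else None

def answer_authn_request(authn_request_xml, metadata=METADATA):
    """Return ("saml-response", xml) when an error <Response> with a <Status>
    can be sent to a trusted endpoint, else ("http-400", None) for the browser."""
    acs = resolve_trusted_endpoint(authn_request_xml, metadata)
    if acs is None:
        return ("http-400", None)
    request_id = ET.fromstring(authn_request_xml).get("ID", "")
    resp = ET.Element(f"{{{SAMLP}}}Response",
                      {"Version": "2.0", "InResponseTo": request_id, "Destination": acs})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Responder"})
    return ("saml-response", ET.tostring(resp, encoding="unicode"))

# Constructed AuthnRequests: one from the registered SP, one from an unknown SP.
def make_authn_request(issuer, acs, req_id="_req1"):
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="{req_id}" Version="2.0" AssertionConsumerServiceURL="{acs}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

KNOWN_REQUEST = make_authn_request("https://sp.example.org/shibboleth",
                                   "https://sp.example.org/Shibboleth.sso/SAML2/POST")
UNKNOWN_REQUEST = make_authn_request("https://unknown.example.net/sp",
                                     "https://unknown.example.net/acs")
```

A request from a registered SP that names an ACS URL absent from its metadata is treated the same way as an unknown SP, since the IdP has no basis to trust that endpoint either.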

