
OpenSaml4AuthenticationProvider should include secondary statusCode messages on error #11725

Closed
@kha1989led

Description


Expected Behavior

Two cases:

  1. When the isPassive flag is set to true and the request is sent to an IdP that doesn't support passive mode, the expected statusCode is urn:oasis:names:tc:SAML:2.0:status:NoPassive.

  2. Similarly, with the isPassive flag set to true and the request sent to an IdP that supports passive mode but where the user doesn't have a session yet with the IdP, the expected statusCode is urn:oasis:names:tc:SAML:2.0:status:NoPassive.

Current Behavior

In the createDefaultResponseValidator method, when the request goes through case 1, the samlResponse looks like this:
[Screenshot (2022-08-18): samlResponse for case 1]

However, the createDefaultResponseValidator uses the outer statusCode urn:oasis:names:tc:SAML:2.0:status:Responder:
[Screenshot (2022-08-18): createDefaultResponseValidator output for case 1]

Similarly, in case 2, the samlResponse looks like this:
[Screenshot (2022-08-18): samlResponse for case 2]

and output from createDefaultResponseValidator is urn:oasis:names:tc:SAML:2.0:status:Requester:
[Screenshot (2022-08-18): createDefaultResponseValidator output for case 2]

Context

How has this issue affected you?

I can't tell if the source of the error is NoPassive or something else to decide how to proceed with the sign-in flow.

What are you trying to accomplish?

I'm implementing a dynamic passive value for multi-tenants, and when the IdP doesn't support passive, or there's no session at the IdP, I'm detecting the error and using the redirectStrategy to send the user back to the main page. It's a public page that tries to passively log the user in if there's a session with the IdP.

What other alternatives have you considered?

None.

Are you aware of any workarounds?

No.
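A custom response validator that exposes the whole nested StatusCode chain instead of only the outer code, added here as an example; it is not code from the issue or from Spring Security, and it assumes the Spring Security 5.7-era API (OpenSaml4AuthenticationProvider.createDefaultResponseValidator, setResponseValidator, Saml2ResponseValidatorResult) and OpenSAML 4's Response/StatusCode types. The class name NestedStatusResponseValidator is hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.saml2.core.Saml2Error;
import org.springframework.security.saml2.core.Saml2ErrorCodes;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider;
import org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.ResponseToken;
import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseValidatorResult;

public final class NestedStatusResponseValidator {

    /** Walks Status/StatusCode/StatusCode/... and returns every value, outermost first. */
    static List<String> statusCodeChain(Response response) {
        List<String> chain = new ArrayList<>();
        if (response.getStatus() == null) { return chain; }
        for (StatusCode code = response.getStatus().getStatusCode(); code != null; code = code.getStatusCode()) {
            if (code.getValue() != null) {
                chain.add(code.getValue());
            }
        }
        return chain;
    }

    /** True for both cases in the issue: Responder > NoPassive and Requester > NoPassive. */
    static boolean isNoPassive(Response response) {
        return statusCodeChain(response).contains(StatusCode.NO_PASSIVE);
    }

    /** Default validator, plus an error naming every nested code when the outer code is not Success. */
    static Converter<ResponseToken, Saml2ResponseValidatorResult> responseValidator() {
        Converter<ResponseToken, Saml2ResponseValidatorResult> delegate =
                OpenSaml4AuthenticationProvider.createDefaultResponseValidator();
        return token -> {
            Saml2ResponseValidatorResult defaults = delegate.convert(token);
            List<String> chain = statusCodeChain(token.getResponse());
            if (chain.isEmpty() || StatusCode.SUCCESS.equals(chain.get(0))) {
                return defaults;
            }
            // Placed first because (assumption) the provider builds its Saml2AuthenticationException
            // from the first error, so its description reads e.g. "...:Requester > ...:NoPassive".
            Saml2Error chainError = new Saml2Error(Saml2ErrorCodes.INVALID_RESPONSE,
                    "Unsuccessful status chain: " + String.join(" > ", chain));
            return Saml2ResponseValidatorResult.failure(chainError).concat(defaults);
        };
    }
}
```

Register it with provider.setResponseValidator(NestedStatusResponseValidator.responseValidator()); a failure handler can then inspect Saml2AuthenticationException.getSaml2Error().getDescription() to tell NoPassive from other Responder/Requester failures before deciding where to redirect.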
