Tim Bosserman
03/15/2019, 7:42 PM
zwass
03/15/2019, 7:43 PM
Tim Bosserman
03/15/2019, 7:43 PM
zwass
03/15/2019, 7:43 PM
Tim Bosserman
03/15/2019, 7:43 PM
zwass
03/15/2019, 7:44 PM
Tim Bosserman
03/15/2019, 7:44 PM
zwass
03/15/2019, 7:44 PM
Tim Bosserman
03/15/2019, 7:44 PM
zwass
03/15/2019, 7:45 PM
Tim Bosserman
03/15/2019, 7:45 PM
zwass
03/15/2019, 7:47 PM
Tim Bosserman
03/15/2019, 7:47 PM
zwass
03/15/2019, 7:47 PM
InResponseTo element, which is required by the SAML spec and likely what is generating the "session missing" errors.
Tim Bosserman
03/15/2019, 8:04 PM
zwass
03/15/2019, 8:05 PM
Tim Bosserman
03/15/2019, 8:05 PM
zwass
03/15/2019, 8:12 PM
InResponseTo in Fleet's SSO login (in a custom build of Fleet).
Tim Bosserman
03/15/2019, 8:13 PM
zwass
03/15/2019, 8:16 PM
Tim Bosserman
03/15/2019, 8:18 PM
{
"component": "service",
"err": "validation failed: session missing for request",
"method": "CallbackSSO",
"took": "585.133µs",
"ts": "2019-03-15T20:17:46.258744406Z"
}
zwass
03/15/2019, 8:19 PM
Tim Bosserman
03/15/2019, 8:20 PM
zwass
03/15/2019, 8:23 PM
Tim Bosserman
03/15/2019, 8:25 PM
zwass
03/15/2019, 8:26 PM
Tim Bosserman
03/15/2019, 8:26 PM
zwass
03/15/2019, 8:51 PM
Tim Bosserman
03/15/2019, 8:51 PM
zwass
03/15/2019, 8:52 PM
Tim Bosserman
03/15/2019, 8:52 PM
zwass
03/15/2019, 8:54 PM
InResponseTo. There's some discussion about this here: https://security.stackexchange.com/questions/42354/do-i-have-to-validate-saml2-inresponseto
InResponseTo would be considered legitimate, while existing requests would be validated as they are.
I would really like to get some validation from someone else that this seems to be a correct interpretation of how IdP-initiated login needs to be handled from the SP perspective.
Tim Bosserman
03/15/2019, 9:15 PM
zwass
03/15/2019, 9:15 PM
Tim Bosserman
03/15/2019, 9:15 PM
zwass
03/15/2019, 9:15 PM
Tim Bosserman
03/15/2019, 9:15 PM
zwass
03/15/2019, 9:16 PM
Tim Bosserman
03/15/2019, 9:16 PM
zwass
03/15/2019, 9:17 PM
Tim Bosserman
03/15/2019, 9:18 PM