Tim Bosserman
03/15/2019, 7:42 PM

zwass

Tim Bosserman
03/15/2019, 7:43 PM

zwass

Tim Bosserman
03/15/2019, 7:43 PM

zwass

Tim Bosserman
03/15/2019, 7:44 PM

zwass

Tim Bosserman
03/15/2019, 7:44 PM

zwass

Tim Bosserman
03/15/2019, 7:45 PM

zwass

Tim Bosserman
03/15/2019, 7:47 PM

zwass
InResponseTo element, which is required by the SAML spec and likely what is generating the "session missing" errors.

Tim Bosserman
03/15/2019, 8:04 PM

zwass

Tim Bosserman
03/15/2019, 8:05 PM

zwass
InResponseTo in Fleet's SSO login (in a custom build of Fleet).

Tim Bosserman
03/15/2019, 8:13 PM

zwass

Tim Bosserman
03/15/2019, 8:18 PM
{
  "component": "service",
  "err": "validation failed: session missing for request",
  "method": "CallbackSSO",
  "took": "585.133µs",
  "ts": "2019-03-15T20:17:46.258744406Z"
}

zwass

Tim Bosserman
03/15/2019, 8:20 PM

zwass

Tim Bosserman
03/15/2019, 8:25 PM

zwass

Tim Bosserman
03/15/2019, 8:26 PM

zwass

Tim Bosserman
03/15/2019, 8:51 PM

zwass

Tim Bosserman
03/15/2019, 8:52 PM

zwass
InResponseTo. There's some discussion about this here: https://security.stackexchange.com/questions/42354/do-i-have-to-validate-saml2-inresponseto
InResponseTo would be considered legitimate, while existing requests would be validated as they are.
I would really like to get some validation from someone else that this seems to be a correct interpretation of how IdP-initiated login needs to be handled from the SP perspective.

Tim Bosserman
03/15/2019, 9:15 PM

zwass

Tim Bosserman
03/15/2019, 9:15 PM

zwass

Tim Bosserman
03/15/2019, 9:15 PM

zwass

Tim Bosserman
03/15/2019, 9:16 PM

zwass

Tim Bosserman
03/15/2019, 9:18 PM