Description
I could be wrong, so forgive me eventually!
Using Saml2Saml I found that SATOSA does not check the consistency between in_response_to and the identifier of the original Authn Request. Specifically, in satosa.frontends.saml2.SAMLFrontend._handle_authn_request, here:
SATOSA/src/satosa/frontends/saml2.py, line 207 in 473bf95
we do not carry with us any attributes related to the authentication request, which instead could be useful in the authn_response method, within which we could carry out various consistency checks.
I give an example. If, after
SATOSA/src/satosa/frontends/saml2.py, line 207 in 473bf95
we add
context.state['req_args'] = {'id': authn_req.id}
this would allow us to check the in_response_to value in the authn_response method.
I implemented this approach here:
italia/iam-proxy-italia@e72ad20#diff-003c65e5c4d89f24821f8a6a35d9b75ce5ea60424cd58cff14cebb58ee783327R319
where I needed to check the "in_response_to" returned by the-evil-idp against the id of the originating authentication request, here:
https://github.com/peppelinux/Satosa-Saml2Spid/blob/e72ad2086027d718ee5724fe74079ad13fd0eae3/example/backends/spidsaml2_validator.py#L38
Overall, with this approach, I manage to get this useful exception:
  File "./backends/spidsaml2_validator.py", line 42, in validate_in_response_to
    raise Exception(f'In response To not valid: {self.in_response_to} != {self.response.in_response_to}')
Exception: In response To not valid: id-BeQddIJ1oYwE4VvMI != Inresponsetodiversodaidrequest
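The check the issue proposes, as an added stand-alone illustration that is not SATOSA's or the linked project's code: the request id is stored in per-flow state when the AuthnRequest is handled, and the Response's InResponseTo attribute is later compared against it. The state dict, the sample Response messages and the helper names are constructed for this example; real deployments would read the same attribute from the pysaml2 response object instead of raw XML.

```python
# Hypothetical illustration of the InResponseTo check proposed in the issue:
# keep the AuthnRequest id in the flow state, then compare it with the
# InResponseTo attribute of the SAML Response. Constructed example; it does
# not use SATOSA or pysaml2 and is not the project's code.
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class InResponseToError(Exception):
    """Response does not answer the AuthnRequest this flow issued."""


def handle_authn_request(state, authn_req_id):
    """Frontend side: stash the request id in per-flow state, mirroring the
    proposed context.state['req_args'] = {'id': authn_req.id}."""
    state["req_args"] = {"id": authn_req_id}
    return state


def extract_in_response_to(response_xml):
    """Backend side: read InResponseTo from the <samlp:Response> root.
    Returns None when the attribute is absent (unsolicited response)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"not a samlp:Response root: {root.tag}")
    return root.get("InResponseTo")


def validate_in_response_to(state, response_xml):
    """Reject a Response whose InResponseTo differs from the stored id.
    A missing InResponseTo is rejected too: in a proxy flow every response
    answers a request the proxy itself sent."""
    expected = state.get("req_args", {}).get("id")
    actual = extract_in_response_to(response_xml)
    if expected is None or actual != expected:
        raise InResponseToError(f"In response To not valid: {expected} != {actual}")
    return actual


# Constructed sample messages (not captured from a real IdP).
GOOD_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_r1" Version="2.0" '
    'IssueInstant="2020-01-01T00:00:00Z" InResponseTo="id-BeQddIJ1oYwE4VvMI"/>'
)
BAD_RESPONSE = GOOD_RESPONSE.replace("id-BeQddIJ1oYwE4VvMI", "id-fromAnotherRequest")
UNSOLICITED_RESPONSE = GOOD_RESPONSE.replace(' InResponseTo="id-BeQddIJ1oYwE4VvMI"', "")
```

Running the checks in order (store the id, validate GOOD_RESPONSE, then BAD_RESPONSE and UNSOLICITED_RESPONSE) shows the first passing and the other two raising InResponseToError with the mismatching ids in the message.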