Attached InResponseTo attribute into the IDP Response

Hi Team,

We are using IDP-initiated SSO. Our service provider informed us that in the IDP response the InResponseTo attribute is not populated. We created a new samlObserver class by deriving from AbstractSAMLObserver and overriding OnSAMLResponseCreated to attach the InResponseTo attribute.
    public override SAMLResponse OnSAMLResponseCreated(string partnerName, SAMLResponse samlResponse)
    {
        // Placeholder from the original post: the ID of the received AuthnRequest
        // has to be obtained here and assigned to InResponseTo.
        samlResponse.InResponseTo = authnRequestId; // authnRequestId: the AuthnRequest ID (hypothetical; how to get it is the question)
        return samlResponse;
    }


But the service provider asked us to pass the authentication request ID as the InResponseTo attribute. Please see the authentication request.

<saml2p:AuthnRequest AssertionConsumerServiceURL="https://testurl.com"
                     Destination="http://loct.test/samlsso"
                     ID="_cdba5eed-768d-4045-bb44-7a35a557ac91"
                     IssueInstant="2023-07-31T09:28:36.125Z"
                     Version="2.0"
                     xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxxxxxxxxxx</saml2:Issuer>
</saml2p:AuthnRequest>

How do we access the ID from the AuthnRequest?

Thank you

As per the SAML specification, the InResponseTo field is only present for SP-initiated SSO. We automatically include it with the value set to the ID of the previously received SAML authn request.

This field should not be present for IdP-initiated SSO as there’s no previously received authn request.

If the service provider is expecting an InResponseTo for IdP-initiated SSO, they’re misunderstanding the SAML specification.

If this is SP-initiated SSO, we include the InResponseTo field automatically. You don’t need to do this in OnSAMLResponseCreated.



Thanks for your prompt reply. Sorry for the misunderstanding; we are using SP-initiated SSO. As we are the IDP, in the IDP SAMLResponse object InResponseTo comes as null. Please see the following image.

SSO Controller

    [HttpGet]
    public ActionResult InitiateSingleSignOn()
    {
        // Assumption: the user name is taken from the request context (authenticated principal)
        var userName = User.Identity.Name;
        var account = _accountService.GetMyAccountDetails(userName);

        // SAML attributes to include in the assertion
        var attributes = new Dictionary<string, string>
        {
            ["email"] = account.Email,
            ["given_name"] = account.Forename,
            ["family_name"] = account.Surname
        };
        var partnerName = _settings.SsoPartnerName;
        var relayState = Request.QueryString["RelayState"];

        try
        {
            // Note: this is the call the thread is about; see the reply below
            SAMLIdentityProvider.InitiateSSO(Response, userName, attributes, relayState, partnerName);
        }
        catch (Exception ex)
        {
            Logger.LogError(string.Format("Error occurred during InitiateSSO for '{0}'", userName), ex);
            throw;
        }

        return new EmptyResult();
    }

As per your previous post, in SP-initiated SSO the InResponseTo attribute is automatically included with its value set to the ID of the previously received SAML authentication request.
Are we doing anything wrong here?

Thanks.


SAMLIdentityProvider.InitiateSSO is for IdP-initiated SSO only. You should be calling SAMLIdentityProvider.SendSSO instead for SP-initiated SSO.

SAMLIdentityProvider.ReceiveSSO receives and processes the SAML authn request from the SP.

SAMLIdentityProvider.SendSSO creates and sends a SAML response with the InResponseTo field set to the authn request’s ID.
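The two rules stated in this thread (InResponseTo is derived from the received AuthnRequest's ID and is present only for SP-initiated SSO) are shown below in an added, stand-alone Python example. It is not ComponentSpace code and does not model the SAMLIdentityProvider API; it only uses the standard library and the AuthnRequest quoted earlier in the thread. It also goes one step beyond the thread by showing the SP-side check that makes InResponseTo worth having: a response is accepted only if it names an AuthnRequest the SP actually issued, each ID is consumed once, and an unsolicited response (no InResponseTo) is accepted only when IdP-initiated SSO is explicitly allowed. The function names and the minimal Response element are this example's own constructions.

```python
"""Added example (not ComponentSpace code): how InResponseTo is derived on
the IdP side from a received AuthnRequest and checked on the SP side."""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The AuthnRequest quoted in the thread, with attribute quotes normalised so it parses.
AUTHN_REQUEST_XML = (
    '<saml2p:AuthnRequest AssertionConsumerServiceURL="https://testurl.com" '
    'Destination="http://loct.test/samlsso" '
    'ID="_cdba5eed-768d-4045-bb44-7a35a557ac91" '
    'IssueInstant="2023-07-31T09:28:36.125Z" Version="2.0" '
    'xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:xxxxxxxxxxx</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)


def authn_request_id(xml_text):
    """IdP side: extract the ID of a received AuthnRequest. This is the value
    the IdP must remember so the later Response can carry it as InResponseTo."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest: %s" % root.tag)
    request_id = root.get("ID")
    if not request_id:
        raise ValueError("AuthnRequest has no ID attribute")
    return request_id


def build_response(in_response_to=None):
    """IdP side: build a minimal (unsigned, constructed) Response element.
    InResponseTo is emitted only for SP-initiated SSO, i.e. when a request ID
    is given; an IdP-initiated Response omits the attribute entirely."""
    ET.register_namespace("saml2p", NS["samlp"])
    resp = ET.Element("{%s}Response" % NS["samlp"], {
        "ID": "_" + str(uuid.uuid4()),
        "Version": "2.0",
    })
    if in_response_to is not None:
        resp.set("InResponseTo", in_response_to)
    return ET.tostring(resp, encoding="unicode")


def check_in_response_to(response_xml, outstanding, allow_idp_initiated=False):
    """SP side: accept a Response only if InResponseTo names an AuthnRequest this
    SP issued and has not yet consumed (the set 'outstanding' is the SP's store
    of pending request IDs). Returns the matched request ID, or None for an
    accepted unsolicited (IdP-initiated) Response."""
    resp = ET.fromstring(response_xml)
    in_response_to = resp.get("InResponseTo")
    if in_response_to is None:
        if allow_idp_initiated:
            return None
        raise ValueError("unsolicited Response rejected: no InResponseTo")
    if in_response_to not in outstanding:
        raise ValueError("InResponseTo %r matches no outstanding AuthnRequest" % in_response_to)
    # One-time use: the same Response presented again will now be rejected.
    outstanding.discard(in_response_to)
    return in_response_to


if __name__ == "__main__":
    rid = authn_request_id(AUTHN_REQUEST_XML)
    pending = {rid}                       # SP remembered the ID when it sent the request
    print(build_response(rid))            # SP-initiated: carries InResponseTo
    print(check_in_response_to(build_response(rid), pending))
    print(build_response())               # IdP-initiated: no InResponseTo
```

On the IdP side this is the bookkeeping that ReceiveSSO and SendSSO do for you; the example exists to make visible what that bookkeeping is and why the SP cares about it.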

[quote]
ComponentSpace - 8/4/2023
SAMLIdentityProvider.InitiateSSO is for IdP-initiated SSO only. You should be calling SAMLIdentityProvider.SendSSO instead for SP-initiated SSO.

SAMLIdentityProvider.ReceiveSSO receives and processes the SAML authn request from the SP.

SAMLIdentityProvider.SendSSO creates and sends a SAML response with the InResponseTo field set to the authn request's ID.
[/quote]

Many thanks for your response. After following your steps, I can now see that the InResponseTo is auto-populated in the response.

You’re welcome. Thanks for the update.