1

Closed

Option to allow Unsolicited SSO aka IdP-Initiated

description

Section 4.1.5 of the spec says:
An identity provider MAY initiate this profile by delivering an unsolicited <Response> message to a service provider. An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one.
I would like an option to enable Unsolicited SSO. At least one code change would be to make CheckReplayAttack() allow a missing InResponseTo attribute through.

I wonder if it would be best here:
<serviceProvider id="..." server="..." allowUnsolicitedSSO="True">
Closed Aug 16, 2014 at 4:39 PM by i8beef

comments

i8beef wrote Aug 16, 2014 at 4:17 PM

Fixed in changeset ee1bfbaadbd9

i8beef wrote Aug 16, 2014 at 4:39 PM

Added in 2.4.5, see IDP allowUnsolicitedResponses setting.