Solicited and unsolicited responses in SAML

Overview

Intro

Solicited and unsolicited responses

So what is a solicited or unsolicited response? Simply put, a solicited response is a response you asked for, as opposed to an unsolicited response that arrives without you asking for it.

In the context of SAML, an unsolicited response is a SAML authentication response received from the IdP without the SP first having sent an authentication request.

This is allowed in SAML and is also known as IdP-initiated authentication, as opposed to SP-initiated authentication, where the SP initiates authentication by sending the authentication request.

To keep track of this in SAML, when the SP sends a request to the IdP, the SP saves the ID of the request. When the IdP sends the authentication response back, it includes the ID of the request it is responding to in an attribute, InResponseTo:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="de8b79c37092487aa7f9c5cb6c5a542a"
    InResponseTo="id-5PGmWNaR9dLIoTGOf"
    Version="2.0"
    IssueInstant="2023-12-02T13:17:14.765Z"
    Destination="http://localhost:5000/acs">
...
</samlp:Response>

When the SP receives the response, it verifies that the InResponseTo ID in the response is the same as the ID of the request it sent, ensuring that the response is actually a response to that request.
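The SP-side check described above, as an added example that is not code from the original post: the SP keeps the IDs of the requests it has issued, accepts a response only if its InResponseTo matches one of them (consuming the ID so it cannot be accepted twice), and treats a response with no InResponseTo as unsolicited, which is accepted only when the SP is explicitly configured to allow IdP-initiated authentication. The in-memory set of outstanding request IDs and the allow_unsolicited switch are assumptions; the sample responses are constructed from the Response shown above.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the Response shown above, reduced to its root element.
SOLICITED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="de8b79c37092487aa7f9c5cb6c5a542a"
    InResponseTo="id-5PGmWNaR9dLIoTGOf"
    Version="2.0"
    IssueInstant="2023-12-02T13:17:14.765Z"
    Destination="http://localhost:5000/acs">
</samlp:Response>"""

# Constructed sample: an IdP-initiated response carries no InResponseTo at all.
UNSOLICITED_RESPONSE = SOLICITED_RESPONSE.replace(
    '    InResponseTo="id-5PGmWNaR9dLIoTGOf"\n', "")


def check_in_response_to(response_xml, outstanding_request_ids, allow_unsolicited=False):
    """Return 'solicited' or 'unsolicited' if the response is acceptable, else raise.

    outstanding_request_ids: hypothetical SP-side state, a set of AuthnRequest IDs
    this SP issued and has not yet seen a response for. A matching ID is consumed
    so the same response cannot be accepted a second time.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # Unsolicited (IdP-initiated): acceptable only if the SP is configured for it.
        if not allow_unsolicited:
            raise ValueError("unsolicited response rejected")
        return "unsolicited"
    if in_response_to not in outstanding_request_ids:
        # Replayed, or a response to a request this SP never sent.
        raise ValueError(
            f"InResponseTo {in_response_to!r} does not match any outstanding request")
    outstanding_request_ids.discard(in_response_to)
    return "solicited"
```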


This is a topic I dive deep into in my book on SAML.

Valid reason to allow unsolicited responses

Verifying responses