Outstanding query checking not working when allow_unsolicited is on #953

mcho421 opened this issue Mar 5, 2024 · 0 comments
mcho421 commented Mar 5, 2024

Code Version

7.2.1

Expected Behavior

In the following situation:

  • allow_unsolicited is True
  • there are no outstanding_queries

If I receive a SAML Response with an InResponseTo field, I'd expect the outstanding request checking to fail with an error (because the InResponseTo field doesn't match any outstanding queries) rather than succeeding and treating the response as an unsolicited one.

Current Behavior

The SAML Response handling succeeds and doesn't fail with an error. See https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533

Note: My understanding of SAML isn't particularly deep so happy to be corrected on this if this is the expected behaviour.

Possible Solution

If I receive a SAML Response with an InResponseTo field which doesn't match an outstanding query (when allow_unsolicited is on), maybe I should get an error of some kind.

Looking at https://github.com/IdentityPython/pysaml2/blob/master/src/saml2/response.py#L533 the easiest thing to do would be to return an UnsolicitedResponse error, but I'm not sure if that would be an appropriate error. Section 4.1.5 Unsolicited Responses of the SAML profiles spec (https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) says:

An unsolicited <Response> MUST NOT contain an InResponseTo attribute, nor should any bearer <SubjectConfirmationData> elements contain one

As for a name, perhaps something like RequestIdMismatch?

Steps to Reproduce

  1. Create a Saml2Client(config) with a config with the service SP's allow_unsolicited set to true
  2. Call saml_client.parse_authn_request_response() with an SP-initiated SAML response (with InResponseTo set) but pass an empty dict for the outstanding parameter
  3. Assuming the SAML response is well-formed, this request should pass instead of throwing an error
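As an added illustration of the check the issue proposes (example code, not pysaml2's own): the InResponseTo values are collected from the Response element and from every bearer SubjectConfirmationData, and a present-but-unknown id is rejected even when allow_unsolicited is on. RequestIdMismatch is the hypothetical name floated above, and the SAML Response below is constructed for the example.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

class UnsolicitedResponse(Exception):
    """No InResponseTo anywhere, but unsolicited responses are not allowed."""

class RequestIdMismatch(Exception):
    """Hypothetical error (name suggested in the issue): InResponseTo matches no request."""

# Constructed sample: an SP-initiated style response answering request id-constructed-123.
RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-03-05T00:00:00Z" InResponseTo="id-constructed-123">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-05T00:00:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="id-constructed-123"/>
      </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def in_response_to_ids(xml_text):
    """Every InResponseTo on the Response and on bearer SubjectConfirmationData elements."""
    root = ET.fromstring(xml_text)
    ids = {root.get("InResponseTo")} if root.get("InResponseTo") else set()
    path = f".//saml:SubjectConfirmation[@Method='{BEARER}']/saml:SubjectConfirmationData"
    for scd in root.iterfind(path, NS):
        if scd.get("InResponseTo"):
            ids.add(scd.get("InResponseTo"))
    return ids

def check_in_response_to(ids, outstanding, allow_unsolicited):
    """Return the value stored for the matched request id, or None for a genuine
    unsolicited response. `outstanding` maps request id -> came_from, as in pysaml2."""
    if not ids:
        # No InResponseTo at all: IdP-initiated, acceptable only when configured.
        if not allow_unsolicited:
            raise UnsolicitedResponse("no InResponseTo and allow_unsolicited is off")
        return None
    # An InResponseTo is present, so per profiles 4.1.5 this is NOT an unsolicited
    # response; allow_unsolicited must not rescue an id we never issued.
    if len(ids) != 1:
        raise RequestIdMismatch(f"conflicting InResponseTo values: {sorted(ids)}")
    (req_id,) = ids
    if req_id not in outstanding:
        raise RequestIdMismatch(f"InResponseTo {req_id!r} matches no outstanding request")
    return outstanding.pop(req_id)  # consume the id so the same response cannot be replayed
```

The third branch is exactly the case in step 2: `outstanding` is empty, the response carries InResponseTo, and the check raises instead of accepting the message as unsolicited.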