Expected Behavior
Two cases:
1. When the isPassive flag is set to true, and the request is sent to an IdP that doesn't support passive mode, the expected statusCode is urn:oasis:names:tc:SAML:2.0:status:NoPassive
2. Similarly, when the isPassive flag is set to true, and the request is sent to an IdP that supports passive mode, but the user doesn't have a session yet with the IdP, the expected statusCode is urn:oasis:names:tc:SAML:2.0:status:NoPassive
Current Behavior
In the createDefaultResponseValidator method, when the request goes through case 1, the samlResponse looks like this:
However, the createDefaultResponseValidator uses the outer statusCode urn:oasis:names:tc:SAML:2.0:status:Responder:
Similarly, in case 2, the samlResponse looks like this:
and output from createDefaultResponseValidator is urn:oasis:names:tc:SAML:2.0:status:Requester:
Context
How has this issue affected you?
I can't tell if the source of the error is NoPassive or something else to decide how to proceed with the sign-in flow.
What are you trying to accomplish?
I'm implementing a dynamic passive value for multi-tenants, and when the IdP doesn't support passive, or there's no session at the IdP, I'm detecting the error and using the redirectStrategy to send the user back to the main page. It's a public page that tries to passively log the user in if there's a session with the IdP.
What other alternatives have you considered?
None.
Are you aware of any workarounds?
No.
Comment From: jzheaux
Thanks, @kha1989led, I think it makes sense to add this extra detail.
Given that a top-level status code may have many secondary status codes, I think we should make sure to include each as an individual error message.
Are you able to provide a PR to add this behavior?
Comment From: kha1989led
@jzheaux I can take a stab at it. Is there a deadline for when I should provide the PR?
Comment From: jzheaux
Hi, @kha1989led, if you are still available, a PR would be most appreciated!
Comment From: Anubhav-2000
Hi, can I try to resolve this?
Comment From: Anubhav-2000
@jzheaux I have made a PR, can you check and merge please?