Saml2 response not conforming to the spec

Hi there folks,

With Auth0 acting as a SAML IdP, when the SAML response indicates a failure, the XML that Auth0 produces is not valid. For instance, consider the following message:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                ID="_anid"
                InResponseTo="_authnreq_id"
                Version="2.0"
                IssueInstant="2021-01-04T09:21:52.037Z"
                Destination="https://the.sp.acs.here">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:tenant.auth0.com</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage Value="user is blocked"/>
  </samlp:Status>
</samlp:Response>

The problem is that StatusMessage is not allowed to have any attributes, as it is supposed to be a simple type. For reference, the XSD is available here

<samlp:StatusMessage Value="user is blocked"/>

should be

<samlp:StatusMessage>user is blocked</samlp:StatusMessage>

When an SP that does schema validation attempts to parse this message, it will fail. For instance, in Java, SAXParser throws

SAXParseException[cvc-type.3.1.1: Element 'samlp:StatusMessage' is a simple type, so it cannot have attributes, excepting those whose namespace name is identical to 'http://www.w3.org/2001/XMLSchema-instance' and whose [local name] is one of 'type', 'nil', 'schemaLocation' or 'noNamespaceSchemaLocation'. However, the attribute, 'Value' was found.];)

Thanks,
Ioannis

1 Like
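To make the mismatch concrete from the SP side, here is an added Python example (not code from the original post, from Auth0, or from any SAML library) that checks a Response for exactly the deviation described above, rewrites the non-conforming StatusMessage into the schema-conforming text-content form, and extracts the status either way. The sample Response is constructed for the example, modeled on the one quoted in the post; the IDs, issuer and ACS URL in it are placeholders.

```python
"""Detect and normalize a samlp:StatusMessage that carries its text in a
Value attribute instead of as element content (the shape reported above).

Uses only the standard library; no XSD validation is performed here, the
checks are targeted at the rule the cvc-type.3.1.1 error in the post enforces.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}

# Keep the conventional prefixes on re-serialization instead of ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample modeled on the response quoted in the post. The ID,
# InResponseTo, issuer and Destination values are placeholders, not a capture.
NONCONFORMING_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_anid" InResponseTo="_authnreq_id" Version="2.0" '
    'IssueInstant="2021-01-04T09:21:52.037Z" Destination="https://the.sp.acs.here">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'urn:tenant.auth0.com</saml:Issuer>'
    '<samlp:Status>'
    '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>'
    '<samlp:StatusMessage Value="user is blocked"/>'
    '</samlp:Status></samlp:Response>'
)


def status_message_defects(xml_text):
    """Return a list describing how each samlp:StatusMessage violates the schema.

    StatusMessage is declared as xs:string in the SAML 2.0 protocol schema:
    the message is its text content, it may not have child elements, and the
    only attributes a simple-type element may carry are the xsi:* ones.
    """
    root = ET.fromstring(xml_text)
    defects = []
    for elem in root.iter(f"{{{SAMLP}}}StatusMessage"):
        for name in elem.attrib:
            if not name.startswith(f"{{{XSI}}}"):
                defects.append(f"StatusMessage has attribute {name!r}")
        if len(elem):
            defects.append("StatusMessage has child elements")
    return defects


def normalize_status_message(xml_text):
    """Rewrite <StatusMessage Value="m"/> to <StatusMessage>m</StatusMessage>.

    Only the Value attribute on an otherwise empty StatusMessage is moved; any
    other schema violation is left untouched so a real XSD validation run
    afterwards still rejects it. Returns (xml, number_of_elements_rewritten).
    """
    root = ET.fromstring(xml_text)
    rewritten = 0
    for elem in root.iter(f"{{{SAMLP}}}StatusMessage"):
        value = elem.get("Value")
        if value is not None and not (elem.text or "").strip():
            del elem.attrib["Value"]
            elem.text = value
            rewritten += 1
    return ET.tostring(root, encoding="unicode"), rewritten


def parse_status(xml_text):
    """Extract the top-level StatusCode and StatusMessage from a Response.

    Reads the message from text content (the spec form) and falls back to the
    Value attribute (the form reported in the post), so either input works.
    """
    root = ET.fromstring(xml_text)
    code_elem = root.find("samlp:Status/samlp:StatusCode", NS)
    msg_elem = root.find("samlp:Status/samlp:StatusMessage", NS)
    code = code_elem.get("Value") if code_elem is not None else None
    message = None
    if msg_elem is not None:
        message = (msg_elem.text or "").strip() or msg_elem.get("Value")
    return {"code": code, "message": message, "success": code == STATUS_SUCCESS}


if __name__ == "__main__":
    print("defects:", status_message_defects(NONCONFORMING_RESPONSE))
    fixed, count = normalize_status_message(NONCONFORMING_RESPONSE)
    print(f"rewrote {count} element(s):\n{fixed}")
    print("status:", parse_status(fixed))
```

Two cautions on using this in an SP. First, normalize only this one element and then run the full XSD validation as before; loosening or skipping schema validation of the whole Response to tolerate the message is not a fix, since strict schema validation is one of the checks that make XML signature wrapping harder. Second, the failure Response in the post carries no Signature, but if a Response is signed, verify the signature over the bytes as received and only then rewrite the element, since any change to the signed content before verification would invalidate it.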

Thanks for the feedback. I created a ticket for our engineering team to review. I’ll update here with my findings.

1 Like

Thanks for the swift reply here Dan. Cheers

1 Like