Not receiving InResponseTo from Okta SAML server

I am sending an HttpPost Saml request to my Okta development account server using the ComponentPro Saml library’s AuthnRequest object. I call its SendHttpPost method to make the request. The XML of my AuthnRequest is as follows (with identifying info replaced):

<samlp:AuthnRequest ID="_6C5CE371A3F28127DEBBF158F2ABDB08" Version="2.0" IssueInstant="2021-10-01T20:31:38.437Z" Destination="https://dev-myOktaDevAcctId.okta.com/home/myDevAcctmyOktaDevAcctId_myest_1/MyLongDirectoryID1/MyLongDirectoryID2" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://mySPServiceUrl" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://MySPServer</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" /></samlp:AuthnRequest>

I am expecting to see AuthnID returned in an InResponseTo attribute of the SAML Assertion, in at least one of the Subject → SubjectConfirmations elements’ SubjectConfirmationData child, but it isn’t present, nor is my AuthnID contained anywhere else in the SAML Assertion Okta sends me.

This is the Assertion I’m receiving back (again with identifying info removed):
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">myUsername@myCompanyDomain.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2021-10-01T20:43:12.793Z" Recipient="mySPServiceURL" /></saml:SubjectConfirmation></saml:Subject>

I expect to receive my AuthnID back in an InResponseTo element per lines 625-626 of the SAML Spec here: https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profiles-errata-2.0-wd-07.pdf#page=19

Am I somehow misunderstanding the SAML spec? Is there something wrong with my request, or some specific configuration needed on my SAML server to achieve compliance with this specification?
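The service-provider side of the check the question is about, as an added example that is not part of the original post, of Okta, or of the ComponentPro library: it takes the Subject quoted above and verifies that its bearer SubjectConfirmationData carries an InResponseTo equal to the ID of the AuthnRequest the SP still has outstanding, plus the Recipient and NotOnOrAfter conditions. It uses only the Python standard library; the request ID and URLs are the ones from the post, with the Recipient normalised to the ACS URL and the timestamps constructed for the test.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Added example, not from the post or the ComponentPro library: an SP-side check
# that a bearer SubjectConfirmationData answers the AuthnRequest this SP sent.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
def check_bearer_confirmation(subject_xml, request_id, acs_url, now):
    """Return (accepted, reason) for the given outstanding request_id and ACS URL."""
    root = ET.fromstring(subject_xml)
    subject = root if root.tag == f"{{{NS['saml']}}}Subject" else root.find(".//saml:Subject", NS)
    if subject is None:
        return False, "no Subject element"
    for sc in subject.findall("saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer SubjectConfirmation without SubjectConfirmationData"
        in_response_to = data.get("InResponseTo")
        if in_response_to is None:
            # Nothing ties this response to a request the SP issued, so it cannot
            # be accepted as the answer to request_id.
            return False, "InResponseTo missing; response not tied to our request"
        if in_response_to != request_id:
            return False, "InResponseTo does not match an outstanding request ID"
        if data.get("Recipient") != acs_url:
            return False, "Recipient is not this SP's ACS URL"
        expiry = data.get("NotOnOrAfter")
        if expiry is None:
            return False, "NotOnOrAfter missing"
        if now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
            return False, "SubjectConfirmationData has expired"
        return True, "ok"
    return False, "no bearer SubjectConfirmation"
# Sample input constructed from the Subject quoted in the post (no InResponseTo).
RECEIVED = (
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'myUsername@myCompanyDomain.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData NotOnOrAfter="2021-10-01T20:43:12.793Z" '
    'Recipient="https://mySPServiceUrl" /></saml:SubjectConfirmation></saml:Subject>'
)
REQUEST_ID = "_6C5CE371A3F28127DEBBF158F2ABDB08"
ACS = "https://mySPServiceUrl"
# Constructed variant carrying the InResponseTo attribute the SP expects to see.
EXPECTED = RECEIVED.replace("NotOnOrAfter=", f'InResponseTo="{REQUEST_ID}" NotOnOrAfter=')
NOW = datetime(2021, 10, 1, 20, 35, tzinfo=timezone.utc)  # inside validity window
LATER = datetime(2021, 10, 2, tzinfo=timezone.utc)  # past NotOnOrAfter
```

Run against RECEIVED the check rejects the response because no InResponseTo is present; against EXPECTED it accepts, and rejects again for a wrong request ID or once NotOnOrAfter has passed.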
