From da60688ce53f8a7af85cf4b752793c4f01191c5b Mon Sep 17 00:00:00 2001
From: i321718
Date: Fri, 10 Jul 2020 15:41:28 +0530
Subject: [PATCH] Handling an error bug during SAML Assertion in case it is an IDP Initiated Flow by removing the inResponseTo check in SubjectConfirmationData

---
 service_provider.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/service_provider.go b/service_provider.go
index ae01e233..69239649 100644
--- a/service_provider.go
+++ b/service_provider.go
@@ -635,10 +635,17 @@ func (sp *ServiceProvider) validateAssertion(assertion *Assertion, possibleReque
 }
 for _, subjectConfirmation := range assertion.Subject.SubjectConfirmations {
 requestIDvalid := false
- for _, possibleRequestID := range possibleRequestIDs {
- if subjectConfirmation.SubjectConfirmationData.InResponseTo == possibleRequestID {
- requestIDvalid = true
- break
+ // If it is an IDP Initiated Flow,
+ // then inResponseTo will not exist in the SubjectConfirmationData. And hence,
+ // in this case we are marking requestIDvalid as true by default.
+ if sp.AllowIDPInitiated {
+ requestIDvalid = true
+ } else {
+ for _, possibleRequestID := range possibleRequestIDs {
+ if subjectConfirmation.SubjectConfirmationData.InResponseTo == possibleRequestID {
+ requestIDvalid = true
+ break
+ }
 }
 }
 if !requestIDvalid {
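Review bot: The new `if sp.AllowIDPInitiated` branch marks requestIDvalid true without looking at the assertion at all, so once the flag is set an SP-initiated assertion whose InResponseTo does not match any pending request ID (stale, replayed, or issued for a different request) is accepted too; the commit message describes the IdP-initiated case, where InResponseTo is absent, but the code disables the check for every assertion. The skip should be limited to assertions that actually lack the attribute: `inResponseTo := subjectConfirmation.SubjectConfirmationData.InResponseTo` followed by `if sp.AllowIDPInitiated && inResponseTo == "" {`, with the existing loop over possibleRequestIDs kept in the else branch and comparing against inResponseTo. The comment above the branch should then say that an assertion carrying an InResponseTo is still matched against the known request IDs even when IdP-initiated flows are allowed. If the caller already appends an empty request ID to possibleRequestIDs for this flow, that is not visible in the hunk and the narrower check would still accept it. validateAssertion begins and ends outside this hunk, so I cannot see whether SubjectConfirmationData can be nil here.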