bug: Missing AuthnStatement node in SAML Response #7012

Open
2 of 4 tasks
Oniokey opened this issue Feb 8, 2025 · 0 comments
Labels
bug Something isn't working

Comments


Oniokey commented Feb 8, 2025

Describe the bug

For a SAML Response, AuthnStatement is a required node, but this node is missing in the process of Alibaba Cloud interaction, resulting in verification failure.

And here is the full SAML Response which I got. (Some sensitive information is hidden with {HIDE}.)

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_sb6mdg5sv5rogt0k3wo0k" Version="2.0" IssueInstant="2025-02-07T10:24:00.993Z" Destination="{HIDE}" InResponseTo="a1c0d771283h7fjcigb9bf741e145g">
    <saml:Issuer>{HIDE}</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="#ID_sb6mdg5sv5rogt0k3wo0k">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue>{HIDE}</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>{HIDE}</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>{HIDE}</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <saml:Assertion ID="ID_jvoaopo0nt6p2dar08zck" Version="2.0" IssueInstant="2025-02-07T10:24:00.993Z"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>{HIDE}</saml:Issuer>
        <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{HIDE}</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2025-02-07T10:34:00.993Z" Recipient="{HIDE}" InResponseTo="a1c0d771283h7fjcigb9bf741e145g"/>
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2025-02-07T10:24:00.993Z" NotOnOrAfter="2025-02-07T10:34:00.993Z">
            <saml:AudienceRestriction>
                <saml:Audience>{HIDE}</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AttributeStatement/>
    </saml:Assertion>
</samlp:Response>

Expected behavior

Here is an example (5.1.2 SP-Initiated SSO: Redirect/POST Bindings) from oasis-open (AuthnStatement section):

<saml:AuthnStatement AuthnInstant="2004-12-05T09:22:00Z" SessionIndex="identifier_3">
    <saml:AuthnContext>
        <saml:AuthnContextClassRef>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
    </saml:AuthnContext>
</saml:AuthnStatement>

And the AuthnStatement node should be inside the Assertion node.

How to reproduce?

Just configure SAML according to the guidance of Alibaba Cloud and Logto.

Context

  • Logto Cloud
  • Self-hosted, Logto version = 1.24.0
    • Container (Docker image)
    • Raw Node.js
Oniokey added the "bug" label on Feb 8, 2025
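The check below is an added example written for this page; it is not Logto's or Alibaba Cloud's code. It shows, from the service-provider side, how to verify that a SAML 2.0 Response carries the Assertion elements the Web Browser SSO profile requires, including at least one AuthnStatement, and how an assertion of the expected shape (the AuthnStatement form quoted above) passes the same check. The sample Response is constructed from the structure posted in the issue with the signature omitted and {HIDE} placeholders kept; the function names, the `ID_resp`/`ID_assert`/`ID_session` identifiers and the timestamps are assumptions of this example. Only structure is checked here; signature, time window and audience values are separate checks an SP must also perform.

```python
"""Structural check of a SAML 2.0 Response for the Web Browser SSO profile.

Added example (not Logto's or Alibaba Cloud's code). Uses only the standard
library so it runs offline on the constructed sample below.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

# Keep the saml/samlp prefixes when serializing instead of ET's default ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample: the shape of the Response from the issue, signature
# removed, no AuthnStatement inside the Assertion. IDs are made up.
RESPONSE_WITHOUT_AUTHN = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_resp" Version="2.0"
    IssueInstant="2025-02-07T10:24:00.993Z" Destination="{HIDE}" InResponseTo="ID_req">
  <saml:Issuer>{HIDE}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="ID_assert" Version="2.0" IssueInstant="2025-02-07T10:24:00.993Z">
    <saml:Issuer>{HIDE}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{HIDE}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2025-02-07T10:34:00.993Z" Recipient="{HIDE}" InResponseTo="ID_req"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-02-07T10:24:00.993Z" NotOnOrAfter="2025-02-07T10:34:00.993Z">
      <saml:AudienceRestriction>
        <saml:Audience>{HIDE}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement/>
  </saml:Assertion>
</samlp:Response>"""


def missing_sso_elements(response_xml: str) -> list[str]:
    """Return the paths of required elements that the Response lacks.

    An empty list means the Assertion has the structure the SSO profile
    requires: a bearer SubjectConfirmation, an AudienceRestriction and an
    AuthnStatement whose AuthnContext carries an AuthnContextClassRef.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["samlp:Response"]
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["saml:Assertion"]

    missing: list[str] = []
    if assertion.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']", NS) is None:
        missing.append("saml:Subject/saml:SubjectConfirmation[Method=bearer]")
    if assertion.find("saml:Conditions/saml:AudienceRestriction", NS) is None:
        missing.append("saml:Conditions/saml:AudienceRestriction")
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None:
        missing.append("saml:AuthnStatement")
    elif authn.find("saml:AuthnContext/saml:AuthnContextClassRef", NS) is None:
        missing.append("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef")
    return missing


def add_authn_statement(response_xml: str, class_ref: str,
                        authn_instant: str, session_index: str) -> str:
    """Append an AuthnStatement of the shape quoted in the issue to the Assertion.

    This models what the IdP has to emit before it signs the assertion. An SP
    must never patch a received assertion: any change breaks the signature.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response has no saml:Assertion")
    # Statements may follow Subject/Conditions in any order, so appending is valid.
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AuthnStatement",
                         {"AuthnInstant": authn_instant, "SessionIndex": session_index})
    ctx = ET.SubElement(stmt, f"{{{SAML}}}AuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = class_ref
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as posted:", missing_sso_elements(RESPONSE_WITHOUT_AUTHN))
    fixed = add_authn_statement(RESPONSE_WITHOUT_AUTHN, PASSWORD_PROTECTED_TRANSPORT,
                                "2025-02-07T10:24:00Z", "ID_session")
    print("with AuthnStatement:", missing_sso_elements(fixed))
```

Run as a script, the first line reports `['saml:AuthnStatement']` for the posted shape and the second reports `[]` once the statement is present. The IdP-side fix has to happen before signing, which is why `add_authn_statement` is shown on an unsigned sample rather than on the signed Response from the issue.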