The SubjectConfirmationData element should contain the attribute InResponseTo when the response is for an AuthnStatement.
The SAML Core document states that the attribute is optional, but SAML Profiles states the following. IMO this makes the attribute mandatory when the response is for an AuthnRequest.
From SAML Profiles:
---------------------------------------------------------------------------------------------------------------------------------------------------
• The set of one or more assertions MUST contain at least one <AuthnStatement> that reflects the authentication of the principal to the identity provider.
• At least one assertion containing an <AuthnStatement> MUST contain a <Subject> element with at least one <SubjectConfirmation> element containing a Method of urn:oasis:names:tc:SAML:2.0:cm:bearer. If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider.
• The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
---------------------------------------------------------------------------------------------------------------------------------------------------
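As an added example (not part of this issue or of any SAML library), here is a service-provider-side check that enforces the quoted bearer SubjectConfirmationData rules, including the point raised above: when the response answers an AuthnRequest, InResponseTo must equal that request's ID. The assertion XML, ACS URL, request ID and timestamps are constructed sample values.

```python
"""Check a bearer <SubjectConfirmationData> against the SAML Profiles rules quoted above."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion (hypothetical SP at sp.example, request ID _req1).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example/acs"
        NotOnOrAfter="2024-01-01T00:05:00Z" InResponseTo="_req1"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""
NOW_OK = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)    # inside the window
NOW_LATE = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)  # after NotOnOrAfter

def check_bearer_confirmation(assertion_xml, acs_url, request_id=None, now=None):
    """Return a list of rule violations; an empty list means all checks passed.
    request_id is the ID of the <AuthnRequest> this response answers, or None
    for an unsolicited (IdP-initiated) response."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    bearer = [sc for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if sc.get("Method") == BEARER]
    if not bearer:
        return ["no bearer SubjectConfirmation"]
    scd = bearer[0].find("saml:SubjectConfirmationData", NS)
    if scd is None:
        return ["bearer SubjectConfirmation lacks SubjectConfirmationData"]
    problems = []
    # Recipient MUST be present and MUST be this SP's assertion consumer service URL.
    if scd.get("Recipient") != acs_url:
        problems.append("Recipient missing or not the SP's ACS URL")
    # NotOnOrAfter MUST be present and the delivery window must still be open.
    noa = scd.get("NotOnOrAfter")
    if noa is None:
        problems.append("NotOnOrAfter missing")
    elif now >= datetime.fromisoformat(noa.replace("Z", "+00:00")):
        problems.append("assertion expired (NotOnOrAfter in the past)")
    # NotBefore MUST NOT appear on bearer SubjectConfirmationData.
    if scd.get("NotBefore") is not None:
        problems.append("NotBefore present on bearer SubjectConfirmationData")
    # InResponseTo MUST match the AuthnRequest ID when answering one; an
    # unsolicited response must not claim to answer a request the SP never sent.
    irt = scd.get("InResponseTo")
    if request_id is not None and irt != request_id:
        problems.append("InResponseTo missing or does not match the AuthnRequest ID")
    if request_id is None and irt is not None:
        problems.append("InResponseTo present on unsolicited response")
    return problems
```

The Address attribute is optional per the quoted text, so the check above does not require it; an SP that wants to enforce it would compare it against the client's observed address.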