Check on missing Assertion element in Response

[haunted2]

Hello.
According to the SPID Quality Assessment Document ( https://www.spid.gov.it/assets/download/SPID_QAD.pdf ), test 3.32,
if the Assertion element is missing, the Service Provider should give an error message.

This lib, perform tests on the assertion:

spid-php-lib/src/Spid/Saml/In/Response.php

Line 66 in 29888e0

if ($hasAssertion) {

but it doesn't throw an exception if the element is not present in the response.
In fact, when performing tests with the spid-testenv2 ( https://github.com/italia/spid-testenv2 ), if i check the "Assertion assente" option. i can't login but i don't get any error message.

Looking at the spid-php-lib code, it seems to be legitimate to have no Assertion, so i don't really know which way to go, whether to add the exception or leave the code as it is.
Could you give me some suggestions? Thank you.

[lorenzocattaneo]

Hi,

there is indeed a bug, and an exception should be thrown. I've checked the technical documentation and the relevant point is:

Deve essere presente un elemento <Assertion> ad attestare l’avvenuta autenticazione, contenente almeno un elemento <AuthnStatement>; nel caso l’Identity Provider abbia riscontrato un errore nella gestione della richiesta di autenticazione l’elemento <Assertion> non deve essere presente.

So we should expect to have an Assertion when the StatusCode is Success and throw an exception if missing, but expect no Assertion if login failed.