Missing saml:AuthnStatement from Response should raise error

[peppelinux]

A normal SAML2 Response would have a clear AuthnStatement like the following example

        <saml:AuthnStatement AuthnInstant="2021-01-24T13:41:04Z" SessionIndex="_dc2ad814-cb14-40d3-8e7f-d823193fd6a2">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>
                    urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                </saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>

a pySAML2 SP with a Responses with unvalued AuthStatement:

        <saml:AuthnStatement AuthnInstant="2021-01-24T13:43:22Z" SessionIndex="_af1a9ca2-8279-4c6b-8442-1bd6dfd66617">
        </saml:AuthnStatement>

Make the Authentication flow work SP side, this would be prevented.

With this, otherwise, we have an exception (quite good)

       <!-- no AuthnStamentent at all ! -->

exception

ValueError: Invalid number of AuthnStatement found in Response: 0

[c00kiemon5ter]

Let's differentiate between things; we have (at least) the following:

• the SAML2 core specification
• the SAML2 SSO profile specification
• the saml2int specification

---

• Per the core specification (line 628):

2.3.3 Element <Assertion>

...
Zero or more of the following statement elements:
...

<AuthnStatement>

An authentication statement.
...

and the related .xsd (line 669):

<element name="Assertion" type="saml:AssertionType"/>
<complexType name="AssertionType">
  <sequence>
    <element ref="saml:Issuer"/>
    <element ref="ds:Signature" minOccurs="0"/>
    <element ref="saml:Subject" minOccurs="0"/>
    <element ref="saml:Conditions" minOccurs="0"/>
    <element ref="saml:Advice" minOccurs="0"/>
    <choice minOccurs="0" maxOccurs="unbounded">          *** zero or more
      <element ref="saml:Statement"/>
      <element ref="saml:AuthnStatement"/>                *** of type saml:AuthnStatement
      <element ref="saml:AuthzDecisionStatement"/>
      <element ref="saml:AttributeStatement"/>
    </choice>
  </sequence>
  <attribute name="Version" type="string" use="required"/>
  <attribute name="ID" type="ID" use="required"/>
  <attribute name="IssueInstant" type="dateTime" use="required"/>
</complexType>

• Per the SSO specification (line 627):

4.1.4.2 <Response> Usage

...
The set of one or more bearer assertions MUST contain at least one <AuthnStatement> that
reflects the authentication of the principal to the identity provider. Multiple <AuthnStatement>
elements MAY be included, but the semantics of multiple statements is not defined by this profile.

• Per saml2int:

Response Content

[SDP-IDP10]
Successful responses MUST contain exactly one SAML assertion. The assertion MUST contain exactly one <saml:AuthnStatement> element and MUST contain zero or one <saml:AttributeStatement> elements. The assertion within the response MAY be directly signed.

---

Even though the core spec is loose and allows the AuthnStatement to be missing, I think in practice it should always be there. So, this should be fixed.