I'm facing really weird behavior inside a specific Shibboleth security policy: the Bearer policy control.
According to the documentation, it is supposed to perform 4 different checks during the validation of a SAML Response. Among those, the one that is the subject of this issue is the checkCorrelation control.
It doesn't work. It is supposed to work by default and is enabled by default, but I can't make it work.
It basically compares the SAML Response attribute InResponseTo, inside the <samlp:Response> tag, with the parameter of the same name contained inside the <saml:SubjectConfirmationData> element.
If I put a fake value in the InResponseTo attribute of the <saml:SubjectConfirmationData> tag, the checkCorrelation is always true and the SAML Response is not rejected as expected.
Could you please help me?
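
The comparison described in the post, written as a stand-alone check that can be run against a test message to confirm the two InResponseTo values really differ. This is an added example, not Shibboleth's code and not part of the original post; the function names, the template and the sample IDs are constructed, and the message is unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed, unsigned test message; all IDs are made up for this example.
TEMPLATE = """<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}"
    ID="_resp1" Version="2.0" InResponseTo="{resp_irt}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:SubjectConfirmation Method="{method}">
        <saml:SubjectConfirmationData InResponseTo="{conf_irt}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def build_response(resp_irt, conf_irt):
    """Build a sample Response with the two InResponseTo values given."""
    return TEMPLATE.format(method=BEARER, resp_irt=resp_irt,
                           conf_irt=conf_irt, **NS)


def correlation_mismatches(response_xml):
    """Return (Response InResponseTo, [bearer confirmation values that differ])."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    response_irt = root.get("InResponseTo")
    mismatches = []
    path = "saml:Assertion/saml:Subject/saml:SubjectConfirmation"
    for conf in root.findall(path, NS):
        if conf.get("Method") != BEARER:
            continue  # only bearer confirmations are relevant here
        data = conf.find("saml:SubjectConfirmationData", NS)
        conf_irt = data.get("InResponseTo") if data is not None else None
        if conf_irt != response_irt:
            mismatches.append(conf_irt)
    return response_irt, mismatches


if __name__ == "__main__":
    print(correlation_mismatches(build_response("_req1", "_req1")))
    print(correlation_mismatches(build_response("_req1", "_fake")))
```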