response_id is not validated if assertion doesn't have InResponseTo

[m-novikov]

If request_id is given and InResponseTo doesn't match error is raised
But if request_id is given and InResponseTo is missing from the assertion body, then there is no reason.
Excepted to have an error in second case also
Kind of related to my previous issue #263

[pitbulk]

If you provide a request_id in order to validate the InResponseTo, but there is no InResponseTo, that means that meanwhile you generated the request, an IdP-initiated flow happened, that SAMLResponse is legit and it should not be invalidated by the request_id match, in my opinion.

[m-novikov]

It seems highly unlikely that this kind of concurrency happens in a user browser, and even if it is ,developer still has an option to distinguish between IdP and Sp initiated flows based on RelayState and adjust validation

Also for some applications IdP initiated flow is optional.

In my opinion it would be nicer for library to provide stricter validation that can be bypassed by developer in their app.

[paulwouters]

I agree with Maksim here. It would be nice to be strict by default.

[neuroid]

Ditto.

With the current logic, rejecting IdP-initiated SSO requires more work than it should.