test: add Behat coverage for unsolicited SAML response (IdP-initiated SSO)

- Add omitInResponseTo flag to MockIdentityProvider (serialized in __sleep)
- ResponseFactory: skip InResponseTo when flag set, explicitly null the template placeholder
- MockIdpContext: new step 'the IdP omits InResponseTo from its response'
- Bindings.feature: scenario asserting redirect to unsolicited-response error page

Author: kayjoosten

library/EngineBlock/Corto/Module/Bindings/UnsolicitedAssertionException.php

@@ -1,7 +1,7 @@
 <?php
 
 /**
- * Copyright 2010 SURFnet B.V.
+ * Copyright 2026 SURFnet B.V.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Bindings.feature

@@ -110,3 +110,11 @@ Feature:
      Then no RelayState should be present
       And I pass through EngineBlock
      Then the url should match "functional-testing/Dummy%20SP/acs"
+
+  Scenario: EngineBlock rejects a SAMLResponse without InResponseTo (IdP-initiated SSO)
+    Given the IdP omits InResponseTo from its response
+     When I log in at "Dummy SP"
+      And I pass through EngineBlock
+      And I pass through the IdP
+     Then the url should match "authentication/feedback/unsolicited-response"
+      And I should see "Error - Sign-in could not be completed"

src/OpenConext/EngineBlockFunctionalTestingBundle/Features/Context/MockIdpContext.php

@@ -301,6 +301,18 @@ public function theIdPIsConfiguredToNotSendAnAssertion()
         $this->mockIdpRegistry->save();
     }
 
+    /**
+     * @Given /^the IdP omits InResponseTo from its response$/
+     */
+    public function theIdpOmitsInResponseToFromItsResponse(): void
+    {
+        $idp = $this->mockIdpRegistry->getOnly();
+
+        $idp->omitInResponseTo();
+
+        $this->mockIdpRegistry->save();
+    }
+
     /**
      * @Given /^the IdP "([^"]*)" sends attribute "([^"]*)" with value "([^"]*)"$/
      * @param string $idpName

src/OpenConext/EngineBlockFunctionalTestingBundle/Mock/MockIdentityProvider.php

@@ -39,6 +39,8 @@ class MockIdentityProvider extends AbstractMockEntityRole
 
     private $fromTheFuture = false;
 
+    private $omitInResponseTo = false;
+
     public function singleSignOnLocation()
     {
         return $this->getSsoRole()->getSingleSignOnService()[0]->getLocation();
@@ -341,6 +343,18 @@ public function fromTheFuture()
         return $this;
     }
 
+    public function omitInResponseTo(): self
+    {
+        $this->omitInResponseTo = true;
+
+        return $this;
+    }
+
+    public function shouldOmitInResponseTo(): bool
+    {
+        return $this->omitInResponseTo;
+    }
+
     public function shouldNotSendAssertions()
     {
         return $this->sendAssertions === false;
@@ -374,7 +388,7 @@ public function __sleep()
             $role->setExtensions($extensions);
         }
 
-        return ['name', 'descriptor', 'sendAssertions', 'turnBackTime', 'fromTheFuture'];
+        return ['name', 'descriptor', 'sendAssertions', 'turnBackTime', 'fromTheFuture', 'omitInResponseTo'];
     }
 
     /**

src/OpenConext/EngineBlockFunctionalTestingBundle/Saml2/ResponseFactory.php

@@ -34,7 +34,11 @@ public function createForEntityWithRequest(
         // Note that we expect the Mock IdP to always have a 'template' Response.
         $response = $mockIdp->getResponse();
 
-        $this->setResponseReferencesToRequest($request, $response);
+        if ($mockIdp->shouldOmitInResponseTo()) {
+            $response->setInResponseTo(null);
+        } else {
+            $this->setResponseReferencesToRequest($request, $response);
+        }
 
         $this->setResponseStatus($mockIdp, $response);