We're having an issue with using Shibboleth as our IDP.    Salesforce is rejectig the Shibboleth SAML assertion because of the presence of the inResponseTo attribute.   Our ITS group won't modify Shibboleth to not send the attribute because that will break other implmentations.  Any Shibboleth users out there with some insight?

Issue: Salesforce rejects the SAML assertion from Shibboleth because of the presence of an attribute called InResponseTo

Taken from Shibboleth users forum http://shibboleth.1660669.n2.nabble.com/IdP-Initiated-SSO-td5741045.html, posting by Brent Putman on 01/25/2011

Many people, including our school, have gotten the Shib IdP to work via
SAML 2 with salesforce.com.  The only real substantive issue is that the
issued Response and Assertion must have the InResponseTo attribute
removed, else they are rejected by Salesforce.  That requires some mods
to the IdP, either code changes or additions.  See the list archive for
some solutions people have come up with.

Taken from Shibboleth users forum http://shibboleth.1660669.n2.nabble.com/IdP-Initiated-SSO-td5741045.html, posting by Scott Cantor on 01/26/2011

That [commenting out the code in  the IdP that sends out a inResponseTo attribute in the SAML response] will simply break other SPs ... that enforce the check. In other words, this is a bad idea.

Previous Salesforce response to Salesforce not sending out the inResponseTo, taken from Developer Force forum postings at http://boards.developerforce.com/t5/Security/Salesforce-com-SAML-IdP-Problem/td-p/218531, posting from Chuck Mortimore at 11/23/2010

 That being said there seem to be enough implementations that favor duplication of the inResponseTo that we need to fix it.   Code wins as they say.

Is it possible for Salesforce to look at adding the inResponseTo attribute?