From 0bc8647754cb56d07f770ce6bf1e7aa110eb43fe Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Sun, 20 Feb 2022 21:48:53 +0100
Subject: [PATCH] Address comments

---
 docs/simplesamlphp-changelog.md     | 2 +-
 modules/saml/docs/sp.md             | 4 ++--
 modules/saml/lib/Auth/Source/SP.php | 4 ----
 modules/saml/www/sp/saml2-acs.php   | 6 +++---
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index 5c1c8d00e..c33e3ad15 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -16,7 +16,7 @@ See the upgrade notes for specific information about upgrading.
     to comply with SAML2INT
   * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
     Use 'scopeAttribute' instead to identify the attribute holding the scope.
-  * Unsolicited responses can denied by disabling it by setting `disable_unsolicited` to `true` in the SP authsource.
+  * Unsolicited responses can denied by disabling it by setting `enable_unsolicited` to `true` in the SP authsource.
 
 ## Version 1.19.1
 
diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md
index 1e3c864ff..8d21c409f 100644
--- a/modules/saml/docs/sp.md
+++ b/modules/saml/docs/sp.md
@@ -219,8 +219,8 @@ Options
     in the IdP-remote metadata overrides this the option in the SP
     configuration.
 
-`disable_unsolicited`
-:    Whether this SP will refuse to process unsolicited responses. The default value is `false`.
+`enable_unsolicited`
+:    Whether this SP is willing to process unsolicited responses. The default value is `true`.
 
 `discoURL`
 :   Set which IdP discovery service this SP should use.
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index a0b3829ae..263c4bd3b 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -1139,10 +1139,6 @@ class SP extends \SimpleSAML\Auth\Source
 
         if (isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited']) {
             $spMetadata = $source->getMetadata();
-            $disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false);
-            if ($disableUnsolicited === true) {
-                throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
-            }
 
             if (!empty($state['saml:sp:RelayState'])) {
                 $redirectTo = $state['saml:sp:RelayState'];
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 7b943c988..3da83aa49 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -101,8 +101,8 @@ if (!empty($stateId)) {
     }
 }
 
-$disableUnsolicited = $spMetadata->getBoolean('disable_unsolicited', false);
-if ($state === null && $disableUnsolicited === true) {
+$enableUnsolicited = $spMetadata->getBoolean('enable_unsolicited', true);
+if ($state === null && $enableUnsolicited === false) {
     throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
 }
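Review bot: The condition `if ($state === null && $enableUnsolicited === false)` is the point where an unsolicited response is rejected, but the hunk never says that `$state === null` is what makes a response unsolicited, and the parallel check in SP.php is deleted by this same patch, so as far as the diff shows this line is now the only place `enable_unsolicited` is enforced. A comment above the assignment would make that explicit: `// $state === null: no outstanding AuthnRequest matched, so this response is unsolicited; enable_unsolicited is enforced here (the duplicate check in SP.php was removed)`. Separately, the changelog hunk in this patch still tells operators to set `enable_unsolicited` to `true` to deny unsolicited responses, which is the opposite of what this condition does; that line should say `false` so the documented default and the code agree. The surrounding script continues outside the hunk.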
 
@@ -158,13 +158,13 @@ $expire = null;
 $attributes = [];
 $foundAuthnStatement = false;
 
-// check for duplicate assertion (replay attack)
 $config = Configuration::getInstance();
 $storeType = $config->getString('store.type', 'phpsession');
 
 $store = StoreFactory::getInstance($storeType);
 
 foreach ($assertions as $assertion) {
+    // check for duplicate assertion (replay attack)
     if ($store !== false) {
         $aID = $assertion->getId();
         if ($store->get('saml.AssertionReceived', $aID) !== null) {
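Review bot: The relocated comment `// check for duplicate assertion (replay attack)` now sits directly above `if ($store !== false)`, but it still does not tell the reader that when `StoreFactory::getInstance()` yields `false` the replay check is skipped for every assertion, and no else branch is visible in the hunk to suggest otherwise. Since the check is the defence against replayed assertions, the comment should state the bypass: `// check for duplicate assertion (replay attack); skipped entirely when no store is available, so store.type must be set for replay protection`. The foreach body continues outside the hunk, so whether anything else handles the no-store case cannot be confirmed from here.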
-- 
GitLab