From 0eea5c8bd647a85b9be567bf1e2311498fff5655 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Fri, 30 Jun 2017 11:13:48 +0200
Subject: [PATCH] Fix a bug in the assertion consumer service.

If we get a response with an InResponseTo attribute that doesn't match a valid state array, and the response is not a duplicate, we should continue with the response as an unsolicited one.
---
 modules/saml/www/sp/saml2-acs.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index e98f60b42..194e00954 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -72,11 +72,20 @@ if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['i
 
 $idpMetadata = array();
 
+$state = null;
 $stateId = $response->getInResponseTo();
 if (!empty($stateId)) {
-    // this is a response to a request we sent earlier
-    $state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
+    // this should be a response to a request we sent earlier
+    try {
+        $state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
+    } catch (Exception $e) {
+        // something went wrong,
+        SimpleSAML_Logger::warning('Could not load state specified by InResponseTo: '.$e->getMessage().
+            ' Processing response as unsolicited.');
+    }
+}
 
+if ($state) {
     // check that the authentication source is correct
     assert('array_key_exists("saml:sp:AuthId", $state)');
     if ($state['saml:sp:AuthId'] !== $sourceId) {
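Review bot: The new `catch (Exception $e)` is broader than the failure it means to tolerate — `loadState()` also throws when the state exists but was saved for a different stage, or when the id is malformed, and every one of those is now silently downgraded to unsolicited processing instead of failing closed. Narrow it to the not-found case, which in this codebase should be `} catch (SimpleSAML_Error_NoState $e) {` (confirm against `loadState()`), and let anything else propagate, so a response whose InResponseTo the SP never issued is only accepted via the same path and checks as a genuine unsolicited response. The SAML 2.0 Web SSO profile requires InResponseTo to match a request the SP actually sent, so treating a non-matching value as unsolicited is a deliberate relaxation and deserves saying so in the new comment, e.g. `// NOTE: an InResponseTo we cannot resolve is deliberately treated as unsolicited; replay is covered by the duplicate check above`. Whether the rest of this script gates unsolicited responses (e.g. by an SP option) is outside the hunk, and the script body continues past it.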
-- 
GitLab