Unverified commit 0eea5c8b authored by Jaime Pérez Crespo

Fix a bug in the assertion consumer service.

If we get a response with an InResponseTo attribute that doesn't match a valid state array, and the response is not a duplicate, we should continue with the response as an unsolicited one.
parent 84560d76
...@@ -72,11 +72,20 @@ if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['i ...@@ -72,11 +72,20 @@ if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['i
$idpMetadata = array(); $idpMetadata = array();
$state = null;
$stateId = $response->getInResponseTo(); $stateId = $response->getInResponseTo();
if (!empty($stateId)) { if (!empty($stateId)) {
// this is a response to a request we sent earlier // this should be a response to a request we sent earlier
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso'); try {
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
} catch (Exception $e) {
// something went wrong,
SimpleSAML_Logger::warning('Could not load state specified by InResponseTo: '.$e->getMessage().
' Processing response as unsolicited.');
}
}
if ($state) {
// check that the authentication source is correct // check that the authentication source is correct
assert('array_key_exists("saml:sp:AuthId", $state)'); assert('array_key_exists("saml:sp:AuthId", $state)');
if ($state['saml:sp:AuthId'] !== $sourceId) { if ($state['saml:sp:AuthId'] !== $sourceId) {
......
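Review bot: the `catch (Exception $e)` around `SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso')` is broader than the case the commit message describes. Any failure while loading the state, not only an InResponseTo that matches no stored state array, now sends the response down the unsolicited path and skips the `saml:sp:AuthId` comparison guarded by `if ($state)`. Consider catching only the exception that loadState raises for a missing state and letting other errors propagate. Because a non-empty InResponseTo no longer has to match a request this SP issued, it is also worth documenting that fallback next to the code, completing the unfinished comment `// something went wrong,`, and including `$stateId` in the warning so the event can be correlated in logs.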