From 0f7e548623fe4956eeedc742b2a97fad184a8d15 Mon Sep 17 00:00:00 2001
From: Mads Freek Petersen <freek@wayf.dk>
Date: Sat, 6 Sep 2008 15:59:51 +0000
Subject: [PATCH] Send non Success StatusCode as per the spec ie. as a
 two-level StatusCode element.

Currently the only non-Success status code we use is NoPassive.

HTTPPost required a follow-up fix that prevents a runtime error
which occurs if we try to encrypt an assertion that is missing from
unsuccessful responses.


git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@858 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/Bindings/SAML20/HTTPPost.php |  3 ++-
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 10 ++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php b/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
index 71ceba798..6b1b22b62 100644
--- a/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
+++ b/lib/SimpleSAML/Bindings/SAML20/HTTPPost.php
@@ -127,7 +127,8 @@ class SimpleSAML_Bindings_SAML20_HTTPPost {
 			$signer->sign($firstassertionroot, $firstassertionroot, $subjectElements[0]);
 		}
 
-		if (isset($spmd['assertion.encryption']) && $spmd['assertion.encryption']) {
+		/* if the response status is not Success (eg. NoPassive) there is no assertions (firstassertionroot == null) to encrypt */
+		if (isset($spmd['assertion.encryption']) && $spmd['assertion.encryption'] && $firstassertionroot != null) {
 			$encryptedassertion = $responsedom->createElement("saml:EncryptedAssertion");
 			$encryptedassertion->setAttribute("xmlns:saml", "urn:oasis:names:tc:SAML:2.0:assertion");
 		
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 32ebfb432..080d5ea3d 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -734,6 +734,11 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
         </saml:AuthnStatement>
         ' . $attributestatement. '
     </saml:Assertion>';
+			$statusCode = '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>';
+		} else {
+			$statusCode = '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
+				<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:' . $status . '"/>;
+				</samlp:statusCode>';
 		}
 		
 		
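Review bot: The non-Success branch emits XML that is not well-formed: the closing tag on the last added line is `</samlp:statusCode>` (lower-case s) while the opening element is `samlp:StatusCode`, and XML element names are case-sensitive, so any SP will reject the NoPassive response with a parse error. The preceding line also has a stray `;` inside the string literal (`'"/>;`), which ends up as text content between the inner StatusCode and the closing tag. Change the two lines to `<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:' . htmlspecialchars($status) . '"/>` and `</samlp:StatusCode>';`; the `htmlspecialchars` matches how `$issuer` and `$destination` are escaped further down, since where `$status` originates is not visible in this hunk. The `if`/`else` this branch belongs to opens before the hunk.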
@@ -750,10 +755,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 			IssueInstant="' . $issueInstant . '"
 			Destination="' . htmlspecialchars($destination) . '">
 			<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' . htmlspecialchars($issuer) . '</saml:Issuer>
-			<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
-				<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
-				Value="urn:oasis:names:tc:SAML:2.0:status:' . $status . '" />
-			</samlp:Status>'
+			<samlp:Status>' . $statusCode .	'</samlp:Status>'
 			. $assertion . 
 			'</samlp:Response>';
 
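Review bot: The rewritten `<samlp:Status>` element no longer carries an `xmlns:samlp` declaration, so the `samlp:` prefix on Status and the nested StatusCode elements now depends on that prefix being declared on the `samlp:Response` opening tag, which sits above the hunk and is not visible here; if it is not declared there, the whole response becomes namespace-ill-formed. Please confirm the Response element declares `xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`, or restore the declaration with `<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">' . $statusCode . '</samlp:Status>'`. The enclosing method starts before and ends after this hunk.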
-- 
GitLab