diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index f39c2c0478aa20531702b53795bc3293d855b317..6e712ea3a3491a332dec2538b5c84a0f88218ab1 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -2,6 +2,7 @@
 namespace SimpleSAML\Metadata;
+use SAML2\XML\saml\Issuer;
 use SimpleSAML\Utils\ClearableState;
 /**
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index c400c881e851658b2d7def6358e7ae601c3169a2..bce1bf077dbb38802f86e6cd13bea26e087b54c0 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -342,11 +342,15 @@ class SAML2
 );
 }
- $spEntityId = $request->getIssuer();
- if ($spEntityId === null) {
+ $issuer = $request->getIssuer();
+ if ($issuer === null) {
 throw new \SimpleSAML\Error\BadRequest(
 'Received message on authentication request endpoint without issuer.'
 );
+ } elseif ($issuer instanceof Issuer) {
+ $spEntityId = $issuer->getValue();
+ } else { // we got a string, old case
+ $spEntityId = $issuer;
 }
 $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
@@ -565,10 +569,14 @@ class SAML2
 $binding = \SAML2\Binding::getCurrentBinding();
 $message = $binding->receive();
- $spEntityId = $message->getIssuer();
- if ($spEntityId === null) {
+ $issuer = $message->getIssuer();
+ if ($issuer === null) {
 /* Without an issuer we have no way to respond to the message. */
 throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+ } elseif ($issuer instanceof Issuer) {
+ $spEntityId = $issuer->getValue();
+ } else {
+ $spEntityId = $issuer;
 }
 $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index d95c5c76f533dfbd622ad86ea7ad909d481ed148..34c80bc766a0c4c9f6f19a183548d732269ae669 100644
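Review bot: The new `elseif ($issuer instanceof Issuer)` branch in the first SAML2.php hunk unwraps the element's text value but never looks at its Format attribute, and that value is then used directly as the lookup key in `getMetaDataConfig($spEntityId, 'saml20-sp-remote')`; the SAML 2.0 Web Browser SSO profile requires an AuthnRequest `<saml:Issuer>` to omit Format or carry the entity format, so an Issuer with any other Format should be rejected with the same `BadRequest` rather than treated as an SP entity ID. The Issuer object is presumably a NameID-type element that exposes the attribute — confirm against the library before adding the check. The same null/instanceof/else ladder is repeated in the logout hunk of this file and in the saml2-acs.php and saml2-logout.php hunks; a small shared helper along the lines of `private static function issuerToEntityId($issuer): string` taking the `Issuer|string` value would remove the four copies and give one place for the Format check. The enclosing method starts and ends outside the hunk.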
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -35,22 +35,27 @@ if (!($response instanceof \SAML2\Response)) {
 throw new \SimpleSAML\Error\BadRequest('Invalid message received to AssertionConsumerService endpoint.');
 }
-$idp = $response->getIssuer();
-if ($idp === null) {
+$issuer = $response->getIssuer();
+if ($issuer === null) {
 // no Issuer in the response. Look for an unencrypted assertion with an issuer
 foreach ($response->getAssertions() as $a) {
 if ($a instanceof \SAML2\Assertion) {
 // we found an unencrypted assertion, there should be an issuer here
- $idp = $a->getIssuer();
+ $issuer = $a->getIssuer();
 break;
 }
 }
- if ($idp === null) {
+ if ($issuer === null) {
 // no issuer found in the assertions
 throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
 }
 }
+$idp = $issuer;
+if ($issuer instanceof \SAML2\XML\saml\Issuer) {
+ $idp = $idp->getValue();
+}
+
 $session = \SimpleSAML\Session::getSessionFromRequest();
 $prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
 if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index e67431f83ac204193fb2c4d69800c9f57f96dc41..d6d17835549f9ff11606160009c1f48dd6d51c33 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -34,10 +34,14 @@ try {
 }
 $message = $binding->receive();
-$idpEntityId = $message->getIssuer();
-if ($idpEntityId === null) {
+$issuer = $message->getIssuer();
+if ($issuer === null) {
 // Without an issuer we have no way to respond to the message.
 throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+} elseif ($issuer instanceof \SAML2\XML\saml\Issuer) {
+ $idpEntityId = $issuer->getValue();
+} else {
+ $idpEntityId = $issuer;
 }
 $spEntityId = $source->getEntityId();
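Review bot: The added unwrapping in saml2-acs.php, `$idp = $issuer; if ($issuer instanceof \SAML2\XML\saml\Issuer) { $idp = $idp->getValue(); }`, is written differently from the `elseif` ladder the other three hunks of this commit use and reads the value through the alias rather than the variable it just tested; `$idp = $issuer instanceof \SAML2\XML\saml\Issuer ? $issuer->getValue() : $issuer;` says the same in one line and keeps the form consistent. When the Response carries no Issuer the value now comes from the first unencrypted assertion, and nothing in the hunk shows the response having been validated yet, so `$idp` here is presumably still an unverified claim from the message as received; a comment such as `// taken from the message as received; only trusted once the response is validated against this IdP's metadata` above the `$prevAuth['issuer'] === $idp` comparison would make that explicit. The surrounding script continues outside the hunk.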