From 1de2e1d39350bd3e80b5923f4006c52622efaf74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Fri, 18 Jan 2019 14:55:30 +0100
Subject: [PATCH] Allow us to be prepared for Issuer objects being returned
 instead of strings.

---
 .../Metadata/MetaDataStorageHandler.php          |  1 +
 modules/saml/lib/IdP/SAML2.php                   | 16 ++++++++++++----
 modules/saml/www/sp/saml2-acs.php                | 13 +++++++++----
 modules/saml/www/sp/saml2-logout.php             |  8 ++++++--
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index f39c2c047..6e712ea3a 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Metadata;
 
+use SAML2\XML\saml\Issuer;
 use SimpleSAML\Utils\ClearableState;
 
 /**
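Review bot: The added `use SAML2\XML\saml\Issuer;` is not referenced by anything else in this file's diff, so as far as the patch shows it is an unused import that PHPStan/PHPCS will flag; unless a usage exists elsewhere in MetaDataStorageHandler.php outside the hunk, it looks misplaced. The file that references `Issuer` unqualified in this commit is modules/saml/lib/IdP/SAML2.php, which receives no such import; moving the `use` line there (or dropping it here) would make the intent match the code.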
diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index c400c881e..bce1bf077 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -342,11 +342,15 @@ class SAML2
                 );
             }
 
-            $spEntityId = $request->getIssuer();
-            if ($spEntityId === null) {
+            $issuer = $request->getIssuer();
+            if ($issuer === null) {
                 throw new \SimpleSAML\Error\BadRequest(
                     'Received message on authentication request endpoint without issuer.'
                 );
+            } elseif ($issuer instanceof Issuer) {
+                $spEntityId = $issuer->getValue();
+            } else { // we got a string, old case
+                $spEntityId = $issuer;
             }
             $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
 
@@ -565,10 +569,14 @@ class SAML2
         $binding = \SAML2\Binding::getCurrentBinding();
         $message = $binding->receive();
 
-        $spEntityId = $message->getIssuer();
-        if ($spEntityId === null) {
+        $issuer = $message->getIssuer();
+        if ($issuer === null) {
             /* Without an issuer we have no way to respond to the message. */
             throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+        } elseif ($issuer instanceof Issuer) {
+            $spEntityId = $issuer->getValue();
+        } else {
+            $spEntityId = $issuer;
         }
 
         $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index d95c5c76f..34c80bc76 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -35,22 +35,27 @@ if (!($response instanceof \SAML2\Response)) {
     throw new \SimpleSAML\Error\BadRequest('Invalid message received to AssertionConsumerService endpoint.');
 }
 
-$idp = $response->getIssuer();
-if ($idp === null) {
+$issuer = $response->getIssuer();
+if ($issuer === null) {
     // no Issuer in the response. Look for an unencrypted assertion with an issuer
     foreach ($response->getAssertions() as $a) {
         if ($a instanceof \SAML2\Assertion) {
             // we found an unencrypted assertion, there should be an issuer here
-            $idp = $a->getIssuer();
+            $issuer = $a->getIssuer();
             break;
         }
     }
-    if ($idp === null) {
+    if ($issuer === null) {
         // no issuer found in the assertions
         throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
     }
 }
 
+$idp = $issuer;
+if ($issuer instanceof \SAML2\XML\saml\Issuer) {
+    $idp = $idp->getValue();
+}
+
 $session = \SimpleSAML\Session::getSessionFromRequest();
 $prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
 if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
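Review bot: The conversion `$idp = $issuer; if ($issuer instanceof ...) { $idp = $idp->getValue(); }` reads `$issuer` and `$idp` for the same value across two statements; a single expression is clearer and matches the branch shape used at the other three sites in this commit: `$idp = $issuer instanceof \SAML2\XML\saml\Issuer ? $issuer->getValue() : $issuer;`. This issuer-to-string step is now duplicated in four places; a small shared helper would keep the later `$prevAuth['issuer'] === $idp` replay comparison and the metadata lookups from drifting apart as the library's return type changes. The comparison on the last context line depends on `$idp` being a string, which this hunk only guarantees when the object case is actually matched.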
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index e67431f83..d6d178355 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -34,10 +34,14 @@ try {
 }
 $message = $binding->receive();
 
-$idpEntityId = $message->getIssuer();
-if ($idpEntityId === null) {
+$issuer = $message->getIssuer();
+if ($issuer === null) {
     // Without an issuer we have no way to respond to the message.
     throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+} elseif ($issuer instanceof \SAML2\XML\saml\Issuer) {
+    $idpEntityId = $issuer->getValue();
+} else {
+    $idpEntityId = $issuer;
 }
 
 $spEntityId = $source->getEntityId();
-- 
GitLab