Allow us to be prepared for Issuer objects being returned instead of strings.

1de2e1d3 · Jaime Pérez Crespo · dc6b10f8 · 1de2e1d3 · 1de2e1d3 · 1de2e1d3
Unverified Commit 1de2e1d3 authored 6 years ago by Jaime Pérez Crespo
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -2,6 +2,7 @@
 namespace SimpleSAML\Metadata;
+use SAML2\XML\saml\Issuer;
 use SimpleSAML\Utils\ClearableState;
 /**

--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -342,11 +342,15 @@ class SAML2
                );
            }
-            $spEntityId = $request->getIssuer();
+            $issuer = $request->getIssuer();
-            if ($spEntityId === null) {
+            if ($issuer === null) {
                throw new \SimpleSAML\Error\BadRequest(
                    'Received message on authentication request endpoint without issuer.'
                );
+            } elseif ($issuer instanceof Issuer) {
+                $spEntityId = $issuer->getValue();
+            } else { // we got a string, old case
+                $spEntityId = $issuer;
            }
            $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
@@ -565,10 +569,14 @@ class SAML2
        $binding = \SAML2\Binding::getCurrentBinding();
        $message = $binding->receive();
-        $spEntityId = $message->getIssuer();
+        $issuer = $message->getIssuer();
-        if ($spEntityId === null) {
+        if ($issuer === null) {
            /* Without an issuer we have no way to respond to the message. */
            throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+        } elseif ($issuer instanceof Issuer) {
+            $spEntityId = $issuer->getValue();
+        } else {
+            $spEntityId = $issuer;
        }
        $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();

--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -35,22 +35,27 @@ if (!($response instanceof \SAML2\Response)) {
    throw new \SimpleSAML\Error\BadRequest('Invalid message received to AssertionConsumerService endpoint.');
 }
-$idp = $response->getIssuer();
+$issuer = $response->getIssuer();
-if ($idp === null) {
+if ($issuer === null) {
    // no Issuer in the response. Look for an unencrypted assertion with an issuer
    foreach ($response->getAssertions() as $a) {
        if ($a instanceof \SAML2\Assertion) {
            // we found an unencrypted assertion, there should be an issuer here
-            $idp = $a->getIssuer();
+            $issuer = $a->getIssuer();
            break;
        }
    }
-    if ($idp === null) {
+    if ($issuer === null) {
        // no issuer found in the assertions
        throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
    }
 }
+$idp = $issuer;
+if ($issuer instanceof \SAML2\XML\saml\Issuer) {
+    $idp = $idp->getValue();
+}
 $session = \SimpleSAML\Session::getSessionFromRequest();
 $prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
 if ($prevAuth !== null && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {

--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -34,10 +34,14 @@ try {
 }
 $message = $binding->receive();
-$idpEntityId = $message->getIssuer();
+$issuer = $message->getIssuer();
-if ($idpEntityId === null) {
+if ($issuer === null) {
    // Without an issuer we have no way to respond to the message.
    throw new \SimpleSAML\Error\BadRequest('Received message on logout endpoint without issuer.');
+} elseif ($issuer instanceof \SAML2\XML\saml\Issuer) {
+    $idpEntityId = $issuer->getValue();
+} else {
+    $idpEntityId = $issuer;
 }
 $spEntityId = $source->getEntityId();