Merge pull request #1581 from simplesamlphp/unsolicited

Allow to refuse unsolicited responses

docs/simplesamlphp-changelog.md

@@ -16,6 +16,7 @@ See the upgrade notes for specific information about upgrading.
     to comply with SAML2INT
   * core:PairwiseID and core:SubjectID authprocs no longer support the 'scope' config-setting.
     Use 'scopeAttribute' instead to identify the attribute holding the scope.
+  * Accepting unsolicited responses can be disabled by setting `enable_unsolicited` to `false` in the SP authsource.
 
 ## Version 1.19.1
 

docs/simplesamlphp-upgrade-notes-2.0.md

@@ -27,7 +27,8 @@ Functional changes
   validated if present and requests not passing validation will be refused.
 - In the  core:TargetedID authproc-filter, the `attributename` setting has been renamed to `identifyingAttribute`.
 - The default encryption algorithm is set from `AES128_CBC` to `AES128_GCM`.
-  It is possible to switch back via the `sharedkey_algorithm`. Note however that CBC is vulnerable to the Padding oracle attack.
+  It is possible to switch back via the `sharedkey_algorithm`.
+  Note however that CBC is vulnerable to the Padding oracle attack.
 - All support for the Shibboleth 1.3 / SAML 1.1 protocol has been removed.
 
 Configuration changes

modules/saml/docs/sp.md

@@ -219,6 +219,9 @@ Options
     in the IdP-remote metadata overrides this the option in the SP
     configuration.
 
+`enable_unsolicited`
+:    Whether this SP is willing to process unsolicited responses. The default value is `true`.
+
 `discoURL`
 :   Set which IdP discovery service this SP should use.
     If this is unset, the IdP discovery service specified in the global option `idpdisco.url.saml20` in `config/config.php` will be used.

modules/saml/lib/Auth/Source/SP.php

@@ -1143,6 +1143,7 @@ class SP extends \SimpleSAML\Auth\Source
             } else {
                 $redirectTo = $source->getMetadata()->getString('RelayState', '/');
             }
+
             self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
         }
 

modules/saml/www/sp/saml2-acs.php

@@ -94,11 +94,18 @@ if (!empty($stateId)) {
         $state = Auth\State::loadState($stateId, 'saml:sp:sso');
     } catch (Exception $e) {
         // something went wrong,
-        Logger::warning('Could not load state specified by InResponseTo: ' . $e->getMessage() .
-            ' Processing response as unsolicited.');
+        Logger::warning(sprintf(
+            'Could not load state specified by InResponseTo: %s Processing response as unsolicited.',
+            $e->getMessage(),
+        ));
     }
 }
 
+$enableUnsolicited = $spMetadata->getBoolean('enable_unsolicited', true);
+if ($state === null && $enableUnsolicited === false) {
+    throw new Error\BadRequest('Unsolicited responses are denied by configuration.');
+}
+
 if ($state) {
     // check that the authentication source is correct
     Assert::keyExists($state, 'saml:sp:AuthId');
@@ -151,12 +158,13 @@ $expire = null;
 $attributes = [];
 $foundAuthnStatement = false;
 
+$config = Configuration::getInstance();
+$storeType = $config->getString('store.type', 'phpsession');
+
+$store = StoreFactory::getInstance($storeType);
+
 foreach ($assertions as $assertion) {
     // check for duplicate assertion (replay attack)
-    $config = Configuration::getInstance();
-    $storeType = $config->getString('store.type', 'phpsession');
-
-    $store = StoreFactory::getInstance($storeType);
     if ($store !== false) {
         $aID = $assertion->getId();
         if ($store->get('saml.AssertionReceived', $aID) !== null) {