Fix to make issuer entity ID validation work when the remote IdP is a proxy...

Fix to make issuer entity ID validation work when the remote IdP is a proxy and we are using IDPList option.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3264 44740490-163a-0410-bde0-09ae8108e29a

modules/saml/www/sp/saml2-acs.php

@@ -48,6 +48,8 @@ if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['i
 	SimpleSAML_Utilities::redirect($prevAuth['redirect']);
 }
 
+$idpMetadata = array();
+
 $stateId = $response->getInResponseTo();
 if (!empty($stateId)) {
 	/* This is a response to a request we sent earlier. */
@@ -62,7 +64,11 @@ if (!empty($stateId)) {
 	/* Check that the issuer is the one we are expecting. */
 	assert('array_key_exists("ExpectedIssuer", $state)');
 	if ($state['ExpectedIssuer'] !== $idp) {
-		throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+		$idpMetadata = $source->getIdPMetadata($idp);
+		$idplist = $idpMetadata->getArrayize('IDPList', array());
+		if (!in_array($state['ExpectedIssuer'], $idplist)) {
+			throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+		}
 	}
 } else {
 	/* This is an unsolicited response. */
@@ -75,7 +81,9 @@ if (!empty($stateId)) {
 
 SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.');
 
-$idpMetadata = $source->getIdPmetadata($idp);
+if (empty($idpMetadata)) {
+	$idpMetadata = $source->getIdPmetadata($idp);
+}
 
 try {
 	$assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);