From 27b6b15d6d633d8627696c0532b4eac71f94c611 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20P=C3=A9rez=20Crespo?= <jaime.perez@uninett.no>
Date: Thu, 22 Aug 2013 10:09:27 +0000
Subject: [PATCH] Fix to make issuer entity ID validation work when the remote IdP is a proxy and we are using IDPList option.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3264 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/www/sp/saml2-acs.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index d9dfee9e7..4c4b6db29 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -48,6 +48,8 @@ if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['i
 	SimpleSAML_Utilities::redirect($prevAuth['redirect']);
 }
 
+$idpMetadata = array();
+
 $stateId = $response->getInResponseTo();
 if (!empty($stateId)) {
 	/* This is a response to a request we sent earlier. */
@@ -62,7 +64,11 @@ if (!empty($stateId)) {
 	/* Check that the issuer is the one we are expecting. */
 	assert('array_key_exists("ExpectedIssuer", $state)');
 	if ($state['ExpectedIssuer'] !== $idp) {
-		throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+		$idpMetadata = $source->getIdPMetadata($idp);
+		$idplist = $idpMetadata->getArrayize('IDPList', array());
+		if (!in_array($state['ExpectedIssuer'], $idplist)) {
+			throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+		}
 	}
 } else {
 	/* This is an unsolicited response. */
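Review bot: The fallback membership test `in_array($state['ExpectedIssuer'], $idplist)` in the second hunk uses loose comparison, so an entity ID that is merely loosely equal to a configured one (numeric-looking strings compare as numbers in PHP) would pass; since both sides are string entity IDs, pass the strict flag: `if (!in_array($state['ExpectedIssuer'], $idplist, true)) {`. The new path also makes the accept decision depend on metadata looked up by the Issuer named in the response, which at this point is untrusted input, so the check is only fail-closed if `$source->getIdPMetadata($idp)` throws for entity IDs that are not configured rather than returning an empty configuration; that behaviour is not visible in this diff and should be confirmed. The exception message is now inaccurate for the proxy case, since it is raised when the responder is neither the requested IdP nor a configured proxy for it. A short comment above the lookup would make the intent clear to the next reader, e.g. `/* Proxying IdP: accept the response only if the IdP we asked for is in the responder's configured IDPList. */`. The enclosing `if (!empty($stateId))` block starts before this hunk.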
@@ -75,7 +81,9 @@ if (!empty($stateId)) {
 
 SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.');
 
-$idpMetadata = $source->getIdPmetadata($idp);
+if (empty($idpMetadata)) {
+	$idpMetadata = $source->getIdPmetadata($idp);
+}
 
 try {
 	$assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
-- 
GitLab
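Review bot: The call is spelled `getIdPmetadata` on the added line here but `getIdPMetadata` in the hunk above; PHP resolves method names case-insensitively so both work, but two spellings of the same call in one file read as two different methods, and the new line should pick one, `$idpMetadata = $source->getIdPMetadata($idp);`. The `empty($idpMetadata)` guard is correct only because the earlier initialiser is an empty array while the proxy path stores a configuration object, so what is really being tested is "was it already set"; initialising with `$idpMetadata = null;` and testing `if ($idpMetadata === null) {` states that intent directly and does not depend on `empty()`'s treatment of objects. Both points are style; behaviour is unchanged either way.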