From 305f5b6904ee435b76411b79cda9a2a3f23eaa97 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Fri, 28 Jan 2011 15:13:53 +0000
Subject: [PATCH] saml: Verify that we have at least one AuthnStatement in the
 response.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2728 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/www/sp/saml2-acs.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 19c1ed59c..a1746967e 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -60,6 +60,7 @@ $nameId = NULL;
 $sessionIndex = NULL;
 $expire = NULL;
 $attributes = array();
+$foundAuthnStatement = FALSE;
 foreach ($assertions as $assertion) {
 
 	/* Check for duplicate assertion (replay attack). */
@@ -96,6 +97,16 @@ foreach ($assertions as $assertion) {
 	}
 
 	$attributes = array_merge($attributes, $assertion->getAttributes());
+
+	if ($assertion->getAuthnInstant() !== NULL) {
+		/* Assertion contains AuthnStatement, since AuthnInstant is a required attribute. */
+		$foundAuthnStatement = TRUE;
+	}
+}
+
+if (!$foundAuthnStatement) {
+	$e = new SimpleSAML_Error_Exception('No AuthnStatement found in assertion(s).');
+	SimpleSAML_Auth_State::throwException($state, $e);
 }
 
 if ($expire === NULL) {
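Review bot: The new `if (!$foundAuthnStatement)` check passes as soon as any one assertion in the response carries an AuthnInstant, while the `array_merge` just above the flag keeps collecting attributes from every assertion, including those that have no AuthnStatement. That is sound only if each assertion is validated on its own (signature, issuer, subject) in the part of the loop body that lies outside this hunk, so I would record the assumption next to the flag: `/* Presence check only: one AuthnStatement anywhere in the response is sufficient, and the AuthnInstant value itself is not evaluated here. */`. The code after the check also appears to depend on `SimpleSAML_Auth_State::throwException()` never returning, since nothing else stops execution from reaching the `$expire` handling. A one-line comment such as `/* throwException() does not return. */` would make that explicit.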
-- 
GitLab