From 3ebb3931c8c16c38d095a949b33809b453a5aa15 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 15 Mar 2012 13:31:50 +0000
Subject: [PATCH] saml:SP: Fix handling of samlp:Response without saml:Issuer.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3048 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/www/sp/saml2-acs.php | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index e6fc47a54..222c3e3a8 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -18,9 +18,25 @@ if (!($response instanceof SAML2_Response)) {
 	throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
 }
 
+$idp = $response->getIssuer();
+if ($idp === NULL) {
+	/* No Issuer in the response. Look for an unencrypted assertion with an issuer. */
+	foreach ($response->getAssertions() as $a) {
+		if ($a instanceof SAML2_Assertion) {
+			/* We found an unencrypted assertion - there should be an issuer here. */
+			$idp = $a->getIssuer();
+			break;
+		}
+	}
+	if ($idp === NULL) {
+		/* No issuer found in the assertions. */
+		throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
+	}
+}
+
 $session = SimpleSAML_Session::getInstance();
 $prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
-if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $response->getIssuer()) {
+if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
 	/* OK, it looks like this message has the same issuer
 	 * and ID as the SP session we already have active. We
 	 * therefore assume that the user has somehow triggered
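Review bot: The fallback loop over `$response->getAssertions()` reads the issuer from the first unencrypted assertion before any signature has been verified, so at this point `$idp` is a value supplied by whoever posted the response and must only serve as a lookup key for IdP metadata; the trust decision still has to come from validating the response and assertion signatures against that IdP's keys, which happens past the end of this hunk and cannot be confirmed from here. That expectation is worth recording in the comment inside the `if ($a instanceof SAML2_Assertion)` branch, e.g. `/* Issuer taken from a not-yet-verified assertion: used only to select IdP metadata; signature validation further down must still succeed against that IdP. */`. The missing-issuer case is raised as a plain `Exception`, while the malformed-message case at the top of the hunk uses `SimpleSAML_Error_BadRequest`; `throw new SimpleSAML_Error_BadRequest('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');` would keep the endpoint's error handling consistent for both malformed inputs. The enclosing script continues outside the hunk.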
@@ -51,11 +67,6 @@ if (!empty($stateId)) {
 	);
 }
 
-$idp = $response->getIssuer();
-if ($idp === NULL) {
-	throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
-}
-
 SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.');
 
 $idpMetadata = $source->getIdPmetadata($idp);
-- 
GitLab