Change shib13 & saml2 SSOService to use a generated request id instead of the...

Change shib13 & saml2 SSOService to use a generated request id instead of the one received from the AuthnRequest. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@545 44740490-163a-0410-bde0-09ae8108e29a

Change shib13 & saml2 SSOService to use a generated request id instead of the...
54550be4 · Olav Morken · 66aaf4f0 · 54550be4 · 54550be4
Commit 54550be4 authored 17 years ago by Olav Morken
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -41,8 +41,6 @@ try {
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
 }

-$requestid = null;
-
 SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');

 if (!$config->getValue('enable.saml20-idp', false))
@@ -70,11 +68,11 @@ if (isset($_GET['SAMLRequest'])) {
 		 * Create an assoc array of the request to store in the session cache.
 		 */
 		$requestcache = array(
-			'Issuer'    => $issuer,
+			'RequestID' => $requestid,
+			'Issuer' => $issuer,
 			'ConsentCookie' => SimpleSAML_Utilities::generateID(),
+			'RelayState' => $authnrequest->getRelayState()
 		);
-		if ($relaystate = $authnrequest->getRelayState() )
-			$requestcache['RelayState'] = $relaystate;
 			

 		/*
@@ -119,9 +117,6 @@ if (isset($_GET['SAMLRequest'])) {
 			$requestcache['NeedAuthentication'] = TRUE;
 		}

-		$session->setAuthnRequest('saml2', $requestid, $requestcache);
-		
-		
 		if ($binding->validateQuery($issuer, 'IdP')) {
 			SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Valid signature found for ' . $requestid);
 		}
@@ -145,11 +140,13 @@ if (isset($_GET['SAMLRequest'])) {

 	try {
 	
-		SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Got incomming RequestID');
+		SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Got incomming authentication ID');
 		
-		$requestid = $_GET['RequestID'];
-		$requestcache = $session->getAuthnRequest('saml2', $requestid);
-		if (!$requestcache) throw new Exception('Could not retrieve cached RequestID = ' . $requestid);
+		$authId = $_GET['RequestID'];
+		$requestcache = $session->getAuthnRequest('saml2', $authId);
+		if (!$requestcache) {
+			throw new Exception('Could not retrieve cached RequestID = ' . $authId);
+		}
 		
 	} catch(Exception $exception) {
 		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CACHEAUTHNREQUEST', $exception);
@@ -187,11 +184,14 @@ if($needAuth && !$isPassive) {

 	SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Will go to authentication module ' . $idpmetadata['auth']);

-	$relaystate = SimpleSAML_Utilities::selfURLNoQuery() .
-		'?RequestID=' . urlencode($requestid);
+	$authId = SimpleSAML_Utilities::generateID();
+	$session->setAuthnRequest('saml2', $authId, $requestcache);
+
+	$redirectTo = SimpleSAML_Utilities::selfURLNoQuery() .
+		'?RequestID=' . urlencode($authId);
 	$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];

-	SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $relaystate));
+	SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $redirectTo));
 		
 /**
 * We got an request, and we have a valid session. Then we send an AuthnResponse back to the
@@ -217,13 +217,11 @@ if($needAuth && !$isPassive) {
 			   With statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
 			*/
 			$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
-			$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, array(), 'NoPassive');
+			$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestcache['RequestID'], null, array(), 'NoPassive');
 		
 			// Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
 			$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
-			$httppost->sendResponse($authnResponseXML, $idpentityid, $spentityid, 
-				isset($requestcache['RelayState']) ? $requestcache['RelayState'] : null
-			);
+			$httppost->sendResponse($authnResponseXML, $idpentityid, $spentityid, $requestcache['RelayState']);
 			exit;
 		}
 		
@@ -273,13 +271,16 @@ if($needAuth && !$isPassive) {
 			$consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $requestcache['ConsentCookie']);
 			
 			if (!$consent->consent()) {
+				/* Save the request information. */
+				$authId = SimpleSAML_Utilities::generateID();
+				$session->setAuthnRequest('saml2', $authId, $requestcache);
 				
 				$t = new SimpleSAML_XHTML_Template($config, 'consent.php', 'attributes.php');
 				$t->data['header'] = 'Consent';
 				$t->data['sp_name'] = $sp_name;
 				$t->data['attributes'] = $filteredattributes;
 				$t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery();
-				$t->data['requestid'] = $requestid;
+				$t->data['requestid'] = $authId;
 				$t->data['consent_cookie'] = $requestcache['ConsentCookie'];
 				$t->data['usestorage'] = $consent->useStorage();
 				$t->data['noconsent'] = '/' . $config->getBaseURL() . 'noconsent.php';
@@ -294,13 +295,11 @@ if($needAuth && !$isPassive) {
 		
 		// Generate an SAML 2.0 AuthNResponse message
 		$ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
-		$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes);
+		$authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestcache['RequestID'], null, $filteredattributes);
 	
 		// Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
 		$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
-		$httppost->sendResponse($authnResponseXML, $idmetaindex, $spentityid, 
-			isset($requestcache['RelayState']) ? $requestcache['RelayState'] : null
-		);
+		$httppost->sendResponse($authnResponseXML, $idmetaindex, $spentityid, $requestcache['RelayState']);
 		
 	} catch(Exception $exception) {
 		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception);

--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -28,8 +28,6 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 $session = SimpleSAML_Session::getInstance(true);


-$requestid = null;
-
 SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService');

 if (!$config->getValue('enable.shib13-idp', false))
@@ -64,14 +62,12 @@ if (isset($_GET['shire'])) {
 		 * Create an assoc array of the request to store in the session cache.
 		 */
 		$requestcache = array(
+			'RequestID' => $requestid,
 			'Issuer'    => $authnrequest->getIssuer(),
 			'shire'		=> $authnrequest->getShire(),
+			'RelayState' => $authnrequest->getRelayState(),
 		);
-		if ($relaystate = $authnrequest->getRelayState() )
-			$requestcache['RelayState'] = $relaystate;
 			
-		$session->setAuthnRequest('shib13', $requestid, $requestcache);
-		
 		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming Shib authnRequest requestid: '.$requestid);
 	
 	} catch(Exception $exception) {
@@ -92,13 +88,15 @@ if (isset($_GET['shire'])) {
 	
 	try {

-		$requestid = $_GET['RequestID'];
+		$authId = $_GET['RequestID'];

-		$requestcache = $session->getAuthnRequest('shib13', $requestid);
+		$requestcache = $session->getAuthnRequest('shib13', $authId);
 		
-		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming RequestID: '.$requestid);
+		SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming RequestID: '. $authId);
 		
-		if (!$requestcache) throw new Exception('Could not retrieve cached RequestID = ' . $requestid);
+		if (!$requestcache) {
+			throw new Exception('Could not retrieve cached RequestID = ' . $authId);
+		}

 	} catch(Exception $exception) {
 		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CACHEAUTHNREQUEST', $exception);
@@ -122,7 +120,11 @@ $authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : null
 */
 if (!$session->isAuthenticated($authority) ) {

-	$relaystate = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($requestid);
+	$authId = SimpleSAML_Utilities::generateID();
+	$session->setAuthnRequest('shib13', $authId, $requestcache);
+
+
+	$relaystate = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
 	$authurl = SimpleSAML_Utilities::addURLparameter('/' . $config->getBaseURL() . $idpmetadata['auth'], 
 		'RelayState=' . urlencode($relaystate));
 	SimpleSAML_Utilities::redirect($authurl);
@@ -171,8 +173,8 @@ if (!$session->isAuthenticated($authority) ) {

 		// Generating a Shibboleth 1.3 Response.
 		$ar = new SimpleSAML_XML_Shib13_AuthnResponse($config, $metadata);
-		$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'], 
-			$requestid, null, $filteredattributes);
+		$authnResponseXML = $ar->generate($idpentityid, $requestcache['Issuer'],
+			$requestcache['RequestID'], null, $filteredattributes);
 		
 		
 		#echo $authnResponseXML;
@@ -188,8 +190,7 @@ if (!$session->isAuthenticated($authority) ) {
 		if ($issuer == null || $issuer == '')
 			throw new Exception('Could not retrieve issuer of the AuthNRequest (ProviderID)');
 		
-		$httppost->sendResponse($authnResponseXML, 
-			$idpmetaindex, $issuer, isset($requestcache['RelayState']) ? $requestcache['RelayState'] : null, $shire);
+		$httppost->sendResponse($authnResponseXML, $idpmetaindex, $issuer, $requestcache['RelayState'], $shire);
 			
 	} catch(Exception $exception) {
 		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception);