From 57e2220a95c818dd350c23b974a38d78fdcebe68 Mon Sep 17 00:00:00 2001 From: Thijs Kinkhorst <thijs@kinkhorst.com> Date: Thu, 5 Mar 2020 19:18:57 +0000 Subject: [PATCH] Make note of Shib 1.3 / SAML 1 deprecation. closes: #1267 --- config-templates/config.php | 2 ++ docs/simplesamlphp-changelog.md | 1 + docs/simplesamlphp-reference-idp-hosted.md | 2 ++ docs/simplesamlphp-reference-idp-remote.md | 2 ++ docs/simplesamlphp-reference-sp-remote.md | 2 ++ docs/simplesamlphp-upgrade-notes-1.19.md | 3 +++ metadata-templates/shib13-idp-hosted.php | 2 ++ metadata-templates/shib13-idp-remote.php | 2 ++ metadata-templates/shib13-sp-hosted.php | 2 ++ metadata-templates/shib13-sp-remote.php | 2 ++ modules/saml/www/sp/saml1-acs.php | 1 + www/shib13/idp/SSOService.php | 1 + 12 files changed, 22 insertions(+) diff --git a/config-templates/config.php b/config-templates/config.php index dc4280072..bc7fc589f 100644 --- a/config-templates/config.php +++ b/config-templates/config.php @@ -460,6 +460,8 @@ $config = [ * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only * one of the functionalities below, but in some cases you could run multiple functionalities. * In example when you are setting up a federation bridge. + * + * Note that shib13-idp has been deprecated and will be removed in SimpleSAMLphp 2.0. */ 'enable.saml20-idp' => false, 'enable.shib13-idp' => false, diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md index a8cd1396c..1d59a9788 100644 --- a/docs/simplesamlphp-changelog.md +++ b/docs/simplesamlphp-changelog.md @@ -12,6 +12,7 @@ Released TBD * This version will be the last of the 1.x branch and will provide a migration path to our new templating system, routing system, translation system and hooks. + * SAML 1 / Shib 1.3 support is now marked deprecated and will be removed in SimpleSAMLphp 2.0. ## Version 1.18.4 
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md index 3a6b47934..03acd590f 100644 --- a/docs/simplesamlphp-reference-idp-hosted.md +++ b/docs/simplesamlphp-reference-idp-hosted.md @@ -399,6 +399,8 @@ messages from that SP. Shibboleth 1.3 options ---------------------- +Note that Shibboleth 1.3 support is deprecated and will be removed in the next major release of SimpleSAMLphp. + The following options for Shibboleth 1.3 IdP's are avaiblable: `scopedattributes` diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md index 95b4eda3e..db15941e9 100644 --- a/docs/simplesamlphp-reference-idp-remote.md +++ b/docs/simplesamlphp-reference-idp-remote.md @@ -248,6 +248,8 @@ SimpleSAMLphp only signs authentication responses by default. Signing of authent Shibboleth 1.3 options ---------------------- +Note that Shibboleth 1.3 support is deprecated and will be removed in the next major release of SimpleSAMLphp. + `caFile` : Alternative to specifying a certificate. Allows you to specify a file with root certificates, and responses from the service be validated against these certificates. Note that SimpleSAMLphp doesn't support chains with any itermediate certificates between the root and the certificate used to sign the response. Support for PKIX in SimpleSAMLphp is experimental, and we encourage users to not rely on PKIX for validation of signatures; for background information review [the SAML 2.0 Metadata Interoperability Profile](http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cd-01.pdf). diff --git a/docs/simplesamlphp-reference-sp-remote.md b/docs/simplesamlphp-reference-sp-remote.md index 423df7b37..485d996bf 100644 --- a/docs/simplesamlphp-reference-sp-remote.md +++ b/docs/simplesamlphp-reference-sp-remote.md 
@@ -383,6 +383,8 @@ idp is in the intersection the discoveryservice will go directly to the idp. Shibboleth 1.3 options ---------------------- +Note that Shibboleth 1.3 support is deprecated and will be removed in the next major release of SimpleSAMLphp. + The following options for Shibboleth 1.3 SP's are avaiblable: `audience` diff --git a/docs/simplesamlphp-upgrade-notes-1.19.md b/docs/simplesamlphp-upgrade-notes-1.19.md index 5e039e974..8978f30e9 100644 --- a/docs/simplesamlphp-upgrade-notes-1.19.md +++ b/docs/simplesamlphp-upgrade-notes-1.19.md @@ -2,3 +2,6 @@ Upgrade notes for SimpleSAMLphp 1.19 ==================================== The minimum PHP version required is now PHP 7.0. + +SAML 1 / Shib 1.3 support is now deprecated and will start logging notices +when used. It will be removed in SimpleSAMLphp 2.0. diff --git a/metadata-templates/shib13-idp-hosted.php b/metadata-templates/shib13-idp-hosted.php index dc6c9e0a9..3af97d688 100644 --- a/metadata-templates/shib13-idp-hosted.php +++ b/metadata-templates/shib13-idp-hosted.php @@ -3,6 +3,8 @@ /** * SAML 1.1 IdP configuration for SimpleSAMLphp. * + * Note that SAML 1.1 support has been deprecated and will be removed in SimpleSAMLphp 2.0. + * * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted */ diff --git a/metadata-templates/shib13-idp-remote.php b/metadata-templates/shib13-idp-remote.php index 9aa6f0e64..d2eed7ab7 100644 --- a/metadata-templates/shib13-idp-remote.php +++ b/metadata-templates/shib13-idp-remote.php @@ -3,6 +3,8 @@ /** * SAML 1.1 remote IdP metadata for SimpleSAMLphp. * + * Note that SAML 1.1 support has been deprecated and will be removed in SimpleSAMLphp 2.0. + * * Remember to remove the IdPs you don't use from this file. * * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote diff --git a/metadata-templates/shib13-sp-hosted.php b/metadata-templates/shib13-sp-hosted.php index 15a275a38..5cb8dc2de 100644 
--- a/metadata-templates/shib13-sp-hosted.php +++ b/metadata-templates/shib13-sp-hosted.php @@ -3,6 +3,8 @@ /** * SAML 1.1 SP configuration for SimpleSAMLphp. * + * Note that SAML 1.1 support has been deprecated and will be removed in SimpleSAMLphp 2.0. + * * See: https://simplesamlphp.org/docs/stable/saml:sp */ diff --git a/metadata-templates/shib13-sp-remote.php b/metadata-templates/shib13-sp-remote.php index b2fb1d8e0..f686733c4 100644 --- a/metadata-templates/shib13-sp-remote.php +++ b/metadata-templates/shib13-sp-remote.php @@ -3,6 +3,8 @@ /** * SAML 1.1 remote SP metadata for SimpleSAMLphp. * + * Note that SAML 1.1 support has been deprecated and will be removed in SimpleSAMLphp 2.0. + * * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote */ diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php index 6b981774c..cd1147093 100644 --- a/modules/saml/www/sp/saml1-acs.php +++ b/modules/saml/www/sp/saml1-acs.php @@ -25,6 +25,7 @@ $sourceId = substr($sourceId, 1, $end - 1); $source = \SimpleSAML\Auth\Source::getById($sourceId, '\SimpleSAML\Module\saml\Auth\Source\SP'); SimpleSAML\Logger::debug('Received SAML1 response'); +SimpleSAML\Logger::notice('SAML1 support is deprecated and will be removed in SimpleSAMLphp 2.0'); $target = (string) $_REQUEST['TARGET']; diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php index 14a014fcd..1bc2ff7ca 100644 --- a/www/shib13/idp/SSOService.php +++ b/www/shib13/idp/SSOService.php @@ -12,6 +12,7 @@ require_once '../../_include.php'; \SimpleSAML\Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService'); +\SimpleSAML\Logger::notice('SAML1 support is deprecated and will be removed in SimpleSAMLphp 2.0'); $metadata = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted'); -- GitLab
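Review bot: The deprecation notice added in modules/saml/www/sp/saml1-acs.php is a fixed string, so an operator reading the log cannot tell which authentication source still receives SAML 1 responses and needs migrating; the same holds for the notice added in www/shib13/idp/SSOService.php, which is logged before `$idpEntityId` is resolved. As far as the hunks show, both calls sit at the top of request-reachable endpoints, ahead of any handling of the message, so every request to these URLs, valid or not, writes a notice-level entry; that matters for log volume and for any alerting keyed on the notice level. Consider logging once the source lookup is known to have succeeded and naming the source, e.g. `SimpleSAML\Logger::notice('SAML1 support is deprecated and will be removed in SimpleSAMLphp 2.0 (auth source: ' . $sourceId . ')');`. `$sourceId` looks like it is parsed from the request, and the code that rejects a failed `getById()` lookup is outside the hunk, so confirm that check runs before the value is interpolated into a log line.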