From 6d7221a631ad1de5ed4d07d7501302e0fe73f422 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 18 Mar 2009 07:44:06 +0000
Subject: [PATCH] SAML2:SSOService: Keep track of whether the user authenticates to the same SP multiple times in a session.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1419 44740490-163a-0410-bde0-09ae8108e29a
---
 www/saml2/idp/SSOService.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 14100ef32..ada15ff81 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -293,6 +293,16 @@ if($needAuth && !$isPassive) {
 		'isPassive' => $isPassive,
 		);
 
+	/*
+	 * Check whether the user has been authenticated to this SP previously
+	 * during this session. If the SP is authenticated earlier, we include
+	 * the timestamp to the authentication processing filters.
+	 */
+	$previousSSOTime = $session->getData('saml2-idp-ssotime', $spentityid);
+	if ($previousSSOTime !== NULL) {
+		$authProcState['PreviousSSOTimestamp'] = $previousSSOTime;
+	}
+
 	try {
 		$pc->processState($authProcState);
 	} catch (SimpleSAML_Error_NoPassive $e) {
@@ -324,6 +334,14 @@ if($needAuth && !$isPassive) {
 
 
 
+
+	/*
+	 * Save the time we authenticated to this SP. This can be used later to detect an
+	 * SP which reauthenticates a user very often.
+	 */
+	$session->setData('saml2-idp-ssotime', $spentityid, time(),
+		SimpleSAML_Session::DATA_TIMEOUT_LOGOUT);
+
 	// Adding this service provider to the list of sessions.
 	// Right now the list is used for SAML 2.0 only.
 	$session->add_sp_session($spentityid);
-- 
GitLab
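Review bot: `PreviousSSOTimestamp` is only copied into `$authProcState` here; nothing in this hunk compares it with the current time or acts on it, so the frequent-reauthentication detection the commit message describes only happens if an authentication processing filter is configured to read that key, and the added comment should make that explicit. I would reword it to `If the user has already authenticated to this SP during this session, pass the timestamp of that SSO to the authentication processing filters as 'PreviousSSOTimestamp'; no check is performed here.` The value is read from the IdP's own session store keyed by `$spentityid`, so it is only as trustworthy as that SP identifier, which I assume has been validated against SP metadata before this point (outside the hunk). Minor style: `NULL` should be lowercase `null`. The enclosing `if($needAuth && !$isPassive)` block begins and ends outside this hunk.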
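Review bot: The timestamp is recorded with `time()` only when execution reaches this line, which comes after the `$pc->processState($authProcState)` call of the earlier hunk; if a processing filter can redirect the user and later resume at a different entry point, the SSO that triggered the redirect may never be recorded, so confirm that the resume path also reaches this `setData` call (the enclosing block starts and ends outside the hunk). Each call overwrites the previous value, so a filter reading `PreviousSSOTimestamp` sees only the most recent SSO time for that SP, not a count or history, which is sufficient for a rate check but not for anything stateful; I would add `Overwrites the previous value: only the most recent SSO time per SP is kept, scoped to the session (DATA_TIMEOUT_LOGOUT).` to the comment. The comment says "the time we authenticated to this SP", but what is stored is the time this SSO response was produced, which is not a fresh user authentication if this line is also reached when an existing IdP session is reused, so the wording should say "SSO" rather than "authenticated".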