From 6d7221a631ad1de5ed4d07d7501302e0fe73f422 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 18 Mar 2009 07:44:06 +0000
Subject: [PATCH] SAML2:SSOService: Keep track of whether the user
 authenticates to the same SP multiple times in a session.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1419 44740490-163a-0410-bde0-09ae8108e29a
---
 www/saml2/idp/SSOService.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 14100ef32..ada15ff81 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -293,6 +293,16 @@ if($needAuth && !$isPassive) {
 				'isPassive' => $isPassive,
 			);
 
+			/*
+			 * Check whether the user has been authenticated to this SP previously
+			 * during this session. If the SP is authenticated earlier, we include
+			 * the timestamp to the authentication processing filters.
+			 */
+			$previousSSOTime = $session->getData('saml2-idp-ssotime', $spentityid);
+			if ($previousSSOTime !== NULL) {
+				$authProcState['PreviousSSOTimestamp'] = $previousSSOTime;
+			}
+
 			try {
 				$pc->processState($authProcState);
 			} catch (SimpleSAML_Error_NoPassive $e) {
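Review bot: The comment above the `getData()` call says "If the SP is authenticated earlier", but what is looked up is the user's earlier SSO to this SP. It also does not tell filter authors what `PreviousSSOTimestamp` contains. Judging by the `setData(..., time(), ...)` call in the second hunk, the value is a Unix timestamp, and the key is left out of `$authProcState` when there was no earlier SSO, so filters have to test for it with `isset()`. I would reword the comment to something like `/* If the user has already been sent to this SP during this session, pass the time of that SSO (Unix timestamp) to the processing filters as 'PreviousSSOTimestamp'; the key is absent on the first SSO. */`. The `try` block and the code that builds `$authProcState` continue outside this hunk.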
@@ -324,6 +334,14 @@ if($needAuth && !$isPassive) {
 
 		
 		
+
+		/*
+		 * Save the time we authenticated to this SP. This can be used later to detect an
+		 * SP which reauthenticates a user very often.
+		 */
+		$session->setData('saml2-idp-ssotime', $spentityid, time(),
+			SimpleSAML_Session::DATA_TIMEOUT_LOGOUT);
+
 		// Adding this service provider to the list of sessions.
 		// Right now the list is used for SAML 2.0 only.
 		$session->add_sp_session($spentityid);
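Review bot: The timestamp is stored with `SimpleSAML_Session::DATA_TIMEOUT_LOGOUT`, which by its name is presumably discarded when the user logs out, and the comment above `setData()` does not mention that limit. A filter that relies on `PreviousSSOTimestamp` to flag an SP that reauthenticates very often would then only see repeats within one login session and would miss an SP that cycles the user through logout and login. Each call also overwrites the previous value, so only the most recent SSO time is available. I would document both limits in the comment, for example `Only the latest SSO time is kept, and it is dropped at logout (DATA_TIMEOUT_LOGOUT).` The enclosing block starts outside this hunk, so whether this line runs on every response path cannot be confirmed from here.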
-- 
GitLab