From 73a95cf4d2256ab637e1214ab1799370f3adcdbf Mon Sep 17 00:00:00 2001
From: Remko Nolten <remko@paragin.nl>
Date: Fri, 10 Jun 2022 09:29:06 +0200
Subject: [PATCH] Refactor scoping code in the SP class

Make sure the `saml:IDPList` and `IDPList` parameters are not overloaded. From now on, `saml:IDPList` is used when SSP acts as a proxy, while the `IDPList` parameter is used when SSP runs in SP mode and you want to apply scoping to your AuthnRequest.

See https://github.com/simplesamlphp/simplesamlphp/pull/1563 for the full explanation of the changes.
---
 modules/saml/src/Auth/Source/SP.php | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/modules/saml/src/Auth/Source/SP.php b/modules/saml/src/Auth/Source/SP.php
index c7b5a0d12..3eef0d97e 100644
--- a/modules/saml/src/Auth/Source/SP.php
+++ b/modules/saml/src/Auth/Source/SP.php
@@ -531,13 +531,16 @@ class SP extends \SimpleSAML\Auth\Source
             }
         }
 
-        $IDPList = [];
         $requesterID = [];
 
         /* Only check for real info for Scoping element if we are going to send Scoping element */
         if ($this->disable_scoping !== true && $idpMetadata->getOptionalBoolean('disable_scoping', false) !== true) {
-            if (isset($state['saml:IDPList'])) {
-                $IDPList = $state['saml:IDPList'];
+            if (isset($state['IDPList'])) {
+                $ar->setIDPList($state['IDPList']);
+            } elseif (!empty($this->metadata->getOptionalArray('IDPList', []))) {
+                $ar->setIDPList($this->metadata->getArray('IDPList'));
+            } elseif (!empty($idpMetadata->getOptionalArray('IDPList', []))) {
+                $ar->setIDPList($idpMetadata->getArray('IDPList'));
             }
 
             if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
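Review bot: The `$state['IDPList']` branch hands the caller-supplied value straight to `$ar->setIDPList()`, whereas the removed code normalised it with `(array)` and `array_unique()`; a scalar or duplicated entry in `$state` now reaches the AuthnRequest unchanged, so unless `setIDPList()` is declared to take `array` (not visible here) a malformed state value will no longer fail loudly. Restoring the cast, `$ar->setIDPList((array) $state['IDPList']);`, keeps the old tolerance without reintroducing the merge. The precedence is also implicit: state wins, then the SP's own metadata, then the IdP's, and the lists are no longer combined, which differs from the previous behaviour and deserves a comment above the `if`, e.g. `// First non-empty source wins (state, SP metadata, IdP metadata); lists are not merged.`. The two `elseif` arms look up `IDPList` twice (`getOptionalArray` in the condition, `getArray` in the body); binding the result once to a local would avoid the second lookup and the different error path of `getArray`. The enclosing method begins and ends outside this hunk.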
@@ -560,16 +563,6 @@ class SP extends \SimpleSAML\Auth\Source
             Logger::debug('Disabling samlp:Scoping for ' . var_export($idpMetadata->getString('entityid'), true));
         }
 
-        $ar->setIDPList(
-            array_unique(
-                array_merge(
-                    $this->metadata->getOptionalArray('IDPList', []),
-                    $idpMetadata->getOptionalArray('IDPList', []),
-                    (array) $IDPList
-                )
-            )
-        );
-
         $ar->setRequesterID($requesterID);
 
         // If the downstream SP has set extensions then use them.
-- 
GitLab