From 74d4029d16261a94919035d268a360acb7a6f0ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20P=C3=A9rez=20Crespo?= <jaime.perez@uninett.no>
Date: Mon, 15 Oct 2012 10:36:12 +0000
Subject: [PATCH] The issuer of an AuthnResponse is now validated to check if
 we get the response from the same entity ID we sent the request to.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3189 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/lib/Auth/Source/SP.php | 3 +++
 modules/saml/www/sp/saml2-acs.php   | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 20b8e486c..ebeea693d 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -252,6 +252,9 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setExtensions($state['saml:Extensions']);
 		}
 
+		// save IdP entity ID as part of the state
+		$state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);
 
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index b3e73cf5c..4dccbf489 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -58,6 +58,12 @@ if (!empty($stateId)) {
 	if ($state['saml:sp:AuthId'] !== $sourceId) {
 		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 	}
+
+	/* Check that the issuer is the one we are expecting. */
+	assert('array_key_exists("ExpectedIssuer", $state)');
+	if ($state['ExpectedIssuer'] !== $idp) {
+		throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+	}
 } else {
 	/* This is an unsolicited response. */
 	$state = array(
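Review bot: The new issuer check relies on `assert()` to guarantee that `ExpectedIssuer` is present in `$state`, but assertions are routinely disabled outside development; with them off, a state saved before this change was deployed yields `null` for the key, and the comparison then rejects the response only because `$idp` happens to be non-null. If `$idp` is taken from the Response's Issuer and can itself be `null` when that element is absent (not visible in this hunk), a missing key and a missing issuer compare as equal and the guard is bypassed. Make the presence check part of the runtime condition rather than an assertion: `if (!isset($state['ExpectedIssuer']) || $state['ExpectedIssuer'] !== $idp) {`. The exception message on the next line also reads better as `'The issuer of the response does not match the identity provider we sent the request to.'`. The `if (!empty($stateId))` block this sits in opens before the hunk.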
-- 
GitLab