The issuer of an AuthnResponse is now validated to check if we get the...

The issuer of an AuthnResponse is now validated to check if we get the response from the same entity ID we sent the request to. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3189 44740490-163a-0410-bde0-09ae8108e29a

The issuer of an AuthnResponse is now validated to check if we get the...
The issuer of an AuthnResponse is now validated to check if we get the response from the same entity ID we sent the request to. git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3189 44740490-163a-0410-bde0-09ae8108e29a
74d4029d · Jaime Pérez Crespo · 6b1fa288 · 74d4029d · 74d4029d
Commit 74d4029d authored 12 years ago by Jaime Pérez Crespo
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -252,6 +252,9 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setExtensions($state['saml:Extensions']);
 		}

+		// save IdP entity ID as part of the state
+		$state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);


--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -58,6 +58,12 @@ if (!empty($stateId)) {
 	if ($state['saml:sp:AuthId'] !== $sourceId) {
 		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 	}
+
+	/* Check that the issuer is the one we are expecting. */
+	assert('array_key_exists("ExpectedIssuer", $state)');
+	if ($state['ExpectedIssuer'] !== $idp) {
+		throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
+	}
 } else {
 	/* This is an unsolicited response. */
 	$state = array(