Merge branch 'ghalse-enhancement/disable_scoping'

docs/simplesamlphp-changelog.md

@@ -316,6 +316,9 @@ Released 2017-11-20
     refuse to parse an assertion with an eduPersonTargetedID in 'string' format.
   * Receiving an eduPersonTargetedID in string form will no longer break
     parsing of the assertion.
+  * Can disable the Scoping element in SP and remote IdP configuration with the
+    `disable_scoping` option, for compatibility with ADFS which does not accept
+    the element.
 
 ### `smartattributes`
   * Fix SmartName authproc that failed to load.

docs/simplesamlphp-reference-idp-remote.md

@@ -104,6 +104,15 @@ SAML 2.0 options
 
 The following SAML 2.0 options are available:
 
+`disable_scoping`
+:    Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
+     When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows 
+     interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
+
+:   Note that this option also exists in the SP configuration. This
+    entry in the IdP-remote metadata overrides the option in the
+    [SP configuration](./saml:sp).
+
 `encryption.blacklisted-algorithms`
 :   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
 

modules/saml/docs/sp.md

@@ -196,6 +196,15 @@ Options
 
 :   *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options.
 
+`disable_scoping`
+:    Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
+     When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows
+     interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
+
+:   Note that this option also exists in the IdP remote configuration. An
+    entry in the the IdP-remote metadata overrides this the option in the
+    SP configuration.
+
 `discoURL`
 :   Set which IdP discovery service this SP should use.
     If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.

modules/saml/lib/Auth/Source/SP.php

@@ -35,6 +35,13 @@ class SP extends Source
      */
     private $discoURL;
 
+    /**
+     * Flag to indicate whether to disable sending the Scoping element.
+     *
+     * @var boolean|FALSE
+     */
+    private $disable_scoping;
+
     /**
      * Constructor for SAML SP authentication source.
      *
@@ -64,6 +71,7 @@ class SP extends Source
         $this->entityId = $this->metadata->getString('entityID');
         $this->idp = $this->metadata->getString('idp', null);
         $this->discoURL = $this->metadata->getString('discoURL', null);
+        $this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
 
         if (empty($this->discoURL) && \SimpleSAML\Module::isModuleEnabled('discojuice')) {
             $this->discoURL = \SimpleSAML\Module::getModuleURL('discojuice/central.php');
@@ -241,10 +249,33 @@ class SP extends Source
             $ar->setNameIdPolicy($policy);
         }
 
-        if (isset($state['saml:IDPList'])) {
-            $IDPList = $state['saml:IDPList'];
+        $IDPList = [];
+        $requesterID = [];
+
+        /* Only check for real info for Scoping element if we are going to send Scoping element */
+        if ($this->disable_scoping != true && $idpMetadata->getBoolean('disable_scoping', false) != true) {
+            if (isset($state['saml:IDPList'])) {
+                $IDPList = $state['saml:IDPList'];
+            }
+
+            if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
+                $ar->setProxyCount($state['saml:ProxyCount']);
+            } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
+                $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
+            } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
+                $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
+            }
+
+            $requesterID = [];
+            if (isset($state['saml:RequesterID'])) {
+                $requesterID = $state['saml:RequesterID'];
+            }
+
+            if (isset($state['core:SP'])) {
+                $requesterID[] = $state['core:SP'];
+            }
         } else {
-            $IDPList = [];
+            \SimpleSAML\Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
         }
 
         $ar->setIDPList(
@@ -257,23 +288,6 @@ class SP extends Source
             )
         );
 
-        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
-            $ar->setProxyCount($state['saml:ProxyCount']);
-        } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
-        } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
-        }
-
-        $requesterID = [];
-        if (isset($state['saml:RequesterID'])) {
-            $requesterID = $state['saml:RequesterID'];
-        }
-
-        if (isset($state['core:SP'])) {
-            $requesterID[] = $state['core:SP'];
-        }
-
         $ar->setRequesterID($requesterID);
 
         if (isset($state['saml:Extensions'])) {