Commit 77fb6bc3 authored by Thijs Kinkhorst's avatar Thijs Kinkhorst

Merge branch 'ghalse-enhancement/disable_scoping'

parents 88f59e06 dab61cc8
......@@ -316,6 +316,9 @@ Released 2017-11-20
refuse to parse an assertion with an eduPersonTargetedID in 'string' format.
* Receiving an eduPersonTargetedID in string form will no longer break
parsing of the assertion.
* Can disable the Scoping element in SP and remote IdP configuration with the
`disable_scoping` option, for compatibility with ADFS which does not accept
the element.
### `smartattributes`
* Fix SmartName authproc that failed to load.
......
......@@ -104,6 +104,15 @@ SAML 2.0 options
The following SAML 2.0 options are available:
`disable_scoping`
: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows
interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
: Note that this option also exists in the SP configuration. This
entry in the IdP-remote metadata overrides the option in the
[SP configuration](./saml:sp).
`encryption.blacklisted-algorithms`
: Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.
......
......@@ -196,6 +196,15 @@ Options
: *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options.
`disable_scoping`
: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows
interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
: Note that this option also exists in the IdP remote configuration. An
entry in the the IdP-remote metadata overrides this the option in the
SP configuration.
`discoURL`
: Set which IdP discovery service this SP should use.
If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.
......
......@@ -35,6 +35,13 @@ class SP extends Source
*/
private $discoURL;
/**
* Flag to indicate whether to disable sending the Scoping element.
*
* @var boolean|FALSE
*/
private $disable_scoping;
/**
* Constructor for SAML SP authentication source.
*
......@@ -64,6 +71,7 @@ class SP extends Source
$this->entityId = $this->metadata->getString('entityID');
$this->idp = $this->metadata->getString('idp', null);
$this->discoURL = $this->metadata->getString('discoURL', null);
$this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
if (empty($this->discoURL) && \SimpleSAML\Module::isModuleEnabled('discojuice')) {
$this->discoURL = \SimpleSAML\Module::getModuleURL('discojuice/central.php');
......@@ -241,10 +249,33 @@ class SP extends Source
$ar->setNameIdPolicy($policy);
}
if (isset($state['saml:IDPList'])) {
$IDPList = $state['saml:IDPList'];
$IDPList = [];
$requesterID = [];
/* Only check for real info for Scoping element if we are going to send Scoping element */
if ($this->disable_scoping != true && $idpMetadata->getBoolean('disable_scoping', false) != true) {
if (isset($state['saml:IDPList'])) {
$IDPList = $state['saml:IDPList'];
}
if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
$ar->setProxyCount($state['saml:ProxyCount']);
} elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
$ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
} elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
$ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
}
$requesterID = [];
if (isset($state['saml:RequesterID'])) {
$requesterID = $state['saml:RequesterID'];
}
if (isset($state['core:SP'])) {
$requesterID[] = $state['core:SP'];
}
} else {
$IDPList = [];
\SimpleSAML\Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
}
$ar->setIDPList(
......@@ -257,23 +288,6 @@ class SP extends Source
)
);
if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
$ar->setProxyCount($state['saml:ProxyCount']);
} elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
$ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
} elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
$ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
}
$requesterID = [];
if (isset($state['saml:RequesterID'])) {
$requesterID = $state['saml:RequesterID'];
}
if (isset($state['core:SP'])) {
$requesterID[] = $state['core:SP'];
}
$ar->setRequesterID($requesterID);
if (isset($state['saml:Extensions'])) {
......
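Review bot: `$ar->setIDPList(` at the end of the @@ -241 hunk still runs when the new condition disables scoping, with only the `$IDPList` taken from `$state` cleared; its arguments lie outside the hunk, but if they also merge `IDPList` entries from the SP or IdP-remote metadata (as the parallel `ProxyCount` lookups suggest), a samlp:Scoping element may still be emitted for a peer that was explicitly configured to receive none. Moving the `setIDPList(...)` and `setRequesterID($requesterID)` calls inside the enabled branch, so that the disabled branch only logs, would make the option's effect unconditional, and the `$IDPList = []` and `$requesterID = []` reassignments inside both branches would then be redundant with the initialisations above the `if`. The loose `!= true` comparisons test values that `getBoolean()` already returns as bool; `if (!$this->disable_scoping && !$idpMetadata->getBoolean('disable_scoping', false)) {` is equivalent and avoids type juggling. In the @@ -35 hunk the new property's docblock `@var boolean|FALSE` should read `@var bool`, since `getBoolean('disable_scoping', false)` assigns a plain boolean. The enclosing method starts and ends outside these hunks.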