Merge branch 'ghalse-enhancement/disable_scoping'

77fb6bc3 · Thijs Kinkhorst · 88f59e06 · dab61cc8 · 77fb6bc3 · 77fb6bc3
Commit 77fb6bc3 authored 6 years ago by Thijs Kinkhorst
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -316,6 +316,9 @@ Released 2017-11-20
    refuse to parse an assertion with an eduPersonTargetedID in 'string' format.
  * Receiving an eduPersonTargetedID in string form will no longer break
    parsing of the assertion.
+  * Can disable the Scoping element in SP and remote IdP configuration with the
+    `disable_scoping` option, for compatibility with ADFS which does not accept
+    the element.
 ### `smartattributes`
  * Fix SmartName authproc that failed to load.

--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -104,6 +104,15 @@ SAML 2.0 options
 The following SAML 2.0 options are available:
+`disable_scoping`
+:    Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
+     When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows 
+     interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
+:   Note that this option also exists in the SP configuration. This
+    entry in the IdP-remote metadata overrides the option in the
+    [SP configuration](./saml:sp).
 `encryption.blacklisted-algorithms`
 :   Blacklisted encryption algorithms. This is an array containing the algorithm identifiers.

--- a/modules/saml/docs/sp.md
+++ b/modules/saml/docs/sp.md
@@ -196,6 +196,15 @@ Options
 :   *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options.
+`disable_scoping`
+:    Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
+     When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows
+     interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping).
+:   Note that this option also exists in the IdP remote configuration. An
+    entry in the the IdP-remote metadata overrides this the option in the
+    SP configuration.
 `discoURL`
 :   Set which IdP discovery service this SP should use.
    If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used.

--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -35,6 +35,13 @@ class SP extends Source
     */
    private $discoURL;
+    /**
+     * Flag to indicate whether to disable sending the Scoping element.
+     *
+     * @var boolean|FALSE
+     */
+    private $disable_scoping;
    /**
     * Constructor for SAML SP authentication source.
     *
@@ -64,6 +71,7 @@ class SP extends Source
        $this->entityId = $this->metadata->getString('entityID');
        $this->idp = $this->metadata->getString('idp', null);
        $this->discoURL = $this->metadata->getString('discoURL', null);
+        $this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
        if (empty($this->discoURL) && \SimpleSAML\Module::isModuleEnabled('discojuice')) {
            $this->discoURL = \SimpleSAML\Module::getModuleURL('discojuice/central.php');
@@ -241,10 +249,33 @@ class SP extends Source
            $ar->setNameIdPolicy($policy);
        }
-        if (isset($state['saml:IDPList'])) {
+        $IDPList = [];
-            $IDPList = $state['saml:IDPList'];
+        $requesterID = [];
+        /* Only check for real info for Scoping element if we are going to send Scoping element */
+        if ($this->disable_scoping != true && $idpMetadata->getBoolean('disable_scoping', false) != true) {
+            if (isset($state['saml:IDPList'])) {
+                $IDPList = $state['saml:IDPList'];
+            }
+            if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
+                $ar->setProxyCount($state['saml:ProxyCount']);
+            } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
+                $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
+            } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
+                $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
+            }
+            $requesterID = [];
+            if (isset($state['saml:RequesterID'])) {
+                $requesterID = $state['saml:RequesterID'];
+            }
+            if (isset($state['core:SP'])) {
+                $requesterID[] = $state['core:SP'];
+            }
        } else {
-            $IDPList = [];
+            \SimpleSAML\Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
        }
        $ar->setIDPList(
@@ -257,23 +288,6 @@ class SP extends Source
            )
        );
-        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
-            $ar->setProxyCount($state['saml:ProxyCount']);
-        } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
-        } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
-        }
-        $requesterID = [];
-        if (isset($state['saml:RequesterID'])) {
-            $requesterID = $state['saml:RequesterID'];
-        }
-        if (isset($state['core:SP'])) {
-            $requesterID[] = $state['core:SP'];
-        }
        $ar->setRequesterID($requesterID);
        if (isset($state['saml:Extensions'])) {