diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md index de68e28078909049770e37cdea40f44a17252869..c29ee86400a604f3cbbba3812f64e9fe41dc99a7 100644 --- a/docs/simplesamlphp-changelog.md +++ b/docs/simplesamlphp-changelog.md @@ -316,6 +316,9 @@ Released 2017-11-20 refuse to parse an assertion with an eduPersonTargetedID in 'string' format. * Receiving an eduPersonTargetedID in string form will no longer break parsing of the assertion. + * Can disable the Scoping element in SP and remote IdP configuration with the + `disable_scoping` option, for compatibility with ADFS which does not accept + the element. ### `smartattributes` * Fix SmartName authproc that failed to load. diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md index af324ef4d681f19973c632ac442dc3f02ae956b4..9d46826b0303e86e0198907e9497b98705b3edc4 100644 --- a/docs/simplesamlphp-reference-idp-remote.md +++ b/docs/simplesamlphp-reference-idp-remote.md @@ -104,6 +104,15 @@ SAML 2.0 options The following SAML 2.0 options are available: +`disable_scoping` +: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`. + When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows + interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). + +: Note that this option also exists in the SP configuration. This + entry in the IdP-remote metadata overrides the option in the + [SP configuration](./saml:sp). + `encryption.blacklisted-algorithms` : Blacklisted encryption algorithms. This is an array containing the algorithm identifiers. diff --git a/modules/saml/docs/sp.md b/modules/saml/docs/sp.md index 9ee03c584d827514ec4b4c0014a8ba8c0b9bf5f9..96f8fd510a4506773ab78184f1e19d443c33227c 100644 
--- a/modules/saml/docs/sp.md +++ b/modules/saml/docs/sp.md @@ -196,6 +196,15 @@ Options : *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options. +`disable_scoping` +: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`. + When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows + interoperability with ADFS which [does not support Scoping elements](https://docs.microsoft.com/en-za/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference#scoping). + +: Note that this option also exists in the IdP remote configuration. An + entry in the the IdP-remote metadata overrides this the option in the + SP configuration. + `discoURL` : Set which IdP discovery service this SP should use. If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used. diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php index ecd1e852c6a92e251b804c360b0e2bce51851df5..bba48eee7affbca44488514db1dad9f7a4ab69dd 100644 --- a/modules/saml/lib/Auth/Source/SP.php +++ b/modules/saml/lib/Auth/Source/SP.php @@ -35,6 +35,13 @@ class SP extends Source */ private $discoURL; + /** + * Flag to indicate whether to disable sending the Scoping element. + * + * @var boolean|FALSE + */ + private $disable_scoping; + /** * Constructor for SAML SP authentication source. * 
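Review bot: `@var boolean|FALSE` on the new `$disable_scoping` docblock is not a type — `FALSE` is a value, and the short form is `bool`; since the constructor only ever assigns it the result of `getBoolean('disable_scoping', false)`, `@var bool` states the contract exactly and keeps static analysis happy. The property name also departs from the camelCase used by its neighbours (`$discoURL`, `$entityId`); `private $disableScoping;` would be consistent while the metadata key `disable_scoping` stays unchanged. The property belongs to class `SP`, whose definition begins before this hunk.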
@@ -64,6 +71,7 @@ class SP extends Source
 $this->entityId = $this->metadata->getString('entityID');
 $this->idp = $this->metadata->getString('idp', null);
 $this->discoURL = $this->metadata->getString('discoURL', null);
+ $this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
 
 if (empty($this->discoURL) && \SimpleSAML\Module::isModuleEnabled('discojuice')) {
 $this->discoURL = \SimpleSAML\Module::getModuleURL('discojuice/central.php');
@@ -241,10 +249,33 @@ class SP extends Source
 $ar->setNameIdPolicy($policy);
 }
 
- if (isset($state['saml:IDPList'])) {
- $IDPList = $state['saml:IDPList'];
+ $IDPList = [];
+ $requesterID = [];
+
+ /* Only check for real info for Scoping element if we are going to send Scoping element */
+ if ($this->disable_scoping != true && $idpMetadata->getBoolean('disable_scoping', false) != true) {
+ if (isset($state['saml:IDPList'])) {
+ $IDPList = $state['saml:IDPList'];
+ }
+
+ if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
+ $ar->setProxyCount($state['saml:ProxyCount']);
+ } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
+ $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
+ } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
+ $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
+ }
+
+ $requesterID = [];
+ if (isset($state['saml:RequesterID'])) {
+ $requesterID = $state['saml:RequesterID'];
+ }
+
+ if (isset($state['core:SP'])) {
+ $requesterID[] = $state['core:SP'];
+ }
 } else {
- $IDPList = [];
+ \SimpleSAML\Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
 }
 
 $ar->setIDPList(
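Review bot: The new guard `if ($this->disable_scoping != true && $idpMetadata->getBoolean('disable_scoping', false) != true)` disables Scoping when either source says so, so an IdP-remote entry of `'disable_scoping' => false` cannot re-enable it once the SP config sets it to true — which contradicts the documentation added in this same commit, stating that the IdP-remote entry overrides the SP option. Reading the remote value with the SP value as its default gives the documented precedence and drops the loose comparisons: `if (!$idpMetadata->getBoolean('disable_scoping', $this->disable_scoping)) {`. When Scoping is suppressed, a caller-supplied `saml:IDPList`, `saml:ProxyCount` and `saml:RequesterID` in `$state` are silently discarded even though proxies rely on them to tell the IdP which SP the request truly originates from; logging that at warning level, naming the dropped keys, would make the loss visible rather than hiding it in a debug line. The `$requesterID = [];` inside the branch is redundant since it is already initialised just above the guard. The enclosing method starts before the first hunk and continues past the last one.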
@@ -257,23 +288,6 @@ class SP extends Source
 )
 );
 
- if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
- $ar->setProxyCount($state['saml:ProxyCount']);
- } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
- $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
- } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
- $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
- }
-
- $requesterID = [];
- if (isset($state['saml:RequesterID'])) {
- $requesterID = $state['saml:RequesterID'];
- }
-
- if (isset($state['core:SP'])) {
- $requesterID[] = $state['core:SP'];
- }
-
 $ar->setRequesterID($requesterID);
 
 if (isset($state['saml:Extensions'])) {