From 7b18c4cec8ece4d9a3d21a060fdb2710fd895d8a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 28 Apr 2010 08:16:14 +0000
Subject: [PATCH] IdP: Proper support for ForceAuthn with old login handlers.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2274 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/IdP.php | 3 ++-
 modules/core/www/idp/resumeauth.php | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index 2beffb6d4..e324e09af 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -329,6 +329,7 @@ class SimpleSAML_IdP {
 $auth = $this->config->getString('auth');
 $authSource = SimpleSAML_Auth_Source::getById($auth);
 if ($authSource === NULL) {
+ $session = SimpleSAML_Session::getInstance();
 $config = SimpleSAML_Configuration::getInstance();
 $authurl = '/' . $config->getBaseURL() . $auth;
@@ -336,6 +337,7 @@ class SimpleSAML_IdP {
 'IsPassive' => isset($state['isPassive']) ? $state['isPassive'] : FALSE,
 'ForceAuthn' => isset($state['ForceAuthn']) ? $state['ForceAuthn'] : FALSE,
 'State' => $state,
+ 'core:prevSession' => $session->getAuthnInstant(),
 );
 if (isset($state['saml:RequestId'])) {
@@ -352,7 +354,6 @@ class SimpleSAML_IdP {
 }
 $authId = SimpleSAML_Utilities::generateID();
- $session = SimpleSAML_Session::getInstance();
 $session->setAuthnRequest('saml2', $authId, $authnRequest);
 $relayState = SimpleSAML_Module::getModuleURL('core/idp/resumeauth.php', array('RequestID' => $authId));
diff --git a/modules/core/www/idp/resumeauth.php b/modules/core/www/idp/resumeauth.php
index ba2803e4e..e33bb99ac 100644
--- a/modules/core/www/idp/resumeauth.php
+++ b/modules/core/www/idp/resumeauth.php
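Review bot: The new `'core:prevSession' => $session->getAuthnInstant()` entry in the second hunk is the value that the ForceAuthn check in resumeauth.php later compares against, and nothing in the array says so; a comment would save the next reader a cross-file search: `// AuthnInstant before the login handler ran; resumeauth.php rejects the request if ForceAuthn is set and this value has not changed.` The first and third hunks only move `$session = SimpleSAML_Session::getInstance();` up so the session is available when the cached request is built. Whether getAuthnInstant() returns NULL for a session that is not yet authenticated is not visible here; if it does, a stored NULL still compares equal to a NULL after resume, so the later check holds either way, but confirm against the Session class. The enclosing method starts and ends outside the hunks.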
@@ -10,5 +10,10 @@ $requestcache = $session->getAuthnRequest('saml2', (string)$_REQUEST['RequestID'
 if (!$requestcache) {
 throw new Exception('Could not retrieve cached RequestID = ' . $authId);
 }
+
+if ($requestcache['ForceAuthn'] && $requestcache['core:prevSession'] === $session->getAuthnInstant()) {
+ throw new Exception('ForceAuthn set, but timestamp not updated.');
+}
+
 $state = $requestcache['State'];
 SimpleSAML_IdP::postAuth($state);
-- 
GitLab
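Review bot: The new check fails closed when a legacy login handler ignored ForceAuthn, which is the right default, but it keys on strict equality of two AuthnInstant values whose resolution is not visible here; if the instant is a whole-second timestamp, a genuine re-authentication that completed within the same second as the original one is rejected as well, and a value that somehow went backwards is accepted. If the instant is numeric, `if ($requestcache['ForceAuthn'] && $session->getAuthnInstant() <= $requestcache['core:prevSession'])` expresses the intent directly (re-authentication must be strictly newer) — verify the return type against SimpleSAML_Session first. `$requestcache['core:prevSession']` is also read without `isset()`, so a request cached by the previous code and resumed after this change raises a notice and compares as NULL; guarding with `isset($requestcache['core:prevSession'])` avoids that. The context line above still builds its message from `$authId`, which this file does not appear to define, but that predates the commit.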