From 7bca4e6ed008ce62c402431181cec8d16e0d9fd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Thu, 6 Mar 2008 15:10:42 +0000
Subject: [PATCH] Removed some unneccesary code, and improved handling of
 relaystate.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@367 44740490-163a-0410-bde0-09ae8108e29a
---
 www/saml2/sp/initSSO.php | 90 +++++++++++++++++-----------------------
 1 file changed, 38 insertions(+), 52 deletions(-)

diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index d2e454922..e4756b421 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -12,23 +12,25 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
 
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-$session = SimpleSAML_Session::getInstance(true);
+$session = SimpleSAML_Session::getInstance(TRUE);
 
 
+SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script');
+
+if (!$config->getValue('enable.saml20-sp', false))
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
 
-/**
+/*
  * Incomming URL parameters
  *
  * idpentityid 	optional	The entityid of the wanted IdP to authenticate with. If not provided will use default.
  * spentityid	optional	The entityid of the SP config to use. If not provided will use default to host.
  * RelayState	required	Where to send the user back to after authentication.
- * 
  */		
 
-SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script');
-
-if (!$config->getValue('enable.saml20-sp', false))
-	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
+if (empty($_GET['RelayState'])) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
+}
 
 try {
 
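Review bot: The new `if (empty($_GET['RelayState']))` check only confirms that a RelayState was supplied, not that it is a location this SP should ever send a browser back to; the same value is later handed verbatim to `sendMessage()` in the second hunk and is presumably the post-authentication redirect target, so an attacker-crafted link could turn the SP into an open redirector. A defender-side fix is to validate it at this point, for example by requiring it to begin with the SP's own base URL from `$config->getBaseURL()` (or an allow-list of return URLs) before continuing, and to log and `fatalError` otherwise. Note also that `empty()` treats the string `'0'` as missing; `!isset($_GET['RelayState']) || $_GET['RelayState'] === ''` is the precise test. Minor style: the `enable.saml20-sp` guard above is a brace-less single-statement `if` while the RelayState guard uses braces — pick one form for both.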
@@ -39,56 +41,40 @@ try {
 	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
 }
 
-if (!isset($session) || !$session->isValid('saml2') ) {
-	
-	
-	if ($idpentityid == null) {
-	
-		SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: No chosen or default IdP, go to SAML2disco');
-		
-		$returnURL = urlencode(SimpleSAML_Utilities::selfURL());
-		$discservice = '/' . $config->getBaseURL() . 'saml2/sp/idpdisco.php?entityID=' . $spentityid . 
-			'&return=' . $returnURL . '&returnIDParam=idpentityid';
-		SimpleSAML_Utilities::redirect($discservice);
-	}
-	
-	
-	try {
-		$sr = new SimpleSAML_XML_SAML20_AuthnRequest($config, $metadata);
-	
-		$md = $metadata->getMetaData($idpentityid, 'saml20-idp-remote');
-		$req = $sr->generate($spentityid, $md['SingleSignOnService']);
-
-		
-		$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
-		
-		$relayState = SimpleSAML_Utilities::selfURL();
-		if (isset($_GET['RelayState'])) {
-			$relayState = $_GET['RelayState'];
-		}
-		
-		SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
-		
-		$httpredirect->sendMessage($req, $spentityid, $idpentityid, $relayState);
 
-	
-	} catch(Exception $exception) {		
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception);
-	}
+/*
+ * If no IdP can be resolved, send the user to the SAML 2.0 Discovery Service
+ */
+if ($idpentityid == null) {
+
+	SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: No chosen or default IdP, go to SAML2disco');
+
+	SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/idpdisco.php', array(
+		'entityID' => $spentityid,
+		'return' => SimpleSAML_Utilities::selfURL(),
+		'returnIDParam' => 'idpentityid')
+	);
+}
 
-} else {
+
+/*
+ * Create and send authentication request to the IdP.
+ */
+try {
+
+	$sr = new SimpleSAML_XML_SAML20_AuthnRequest($config, $metadata);
+
+	$md = $metadata->getMetaData($idpentityid, 'saml20-idp-remote');
+	$req = $sr->generate($spentityid, $md['SingleSignOnService']);
+
+	$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
 	
+	SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
 	
-	$relaystate = $_GET['RelayState'];
-		
-	if (isset($relaystate) && !empty($relaystate)) {
-		SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: Already Authenticated, Go back to RelayState');
-		SimpleSAML_Utilities::redirect($relaystate);
-	} else {
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
-	}
+	$httpredirect->sendMessage($req, $spentityid, $idpentityid, $_GET['RelayState']);
 
+} catch(Exception $exception) {		
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception);
 }
 
-
 ?>
\ No newline at end of file
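Review bot: `if ($idpentityid == null)` relies on a loose comparison, so an empty string or `0` coming from the resolver above (outside this hunk) also takes the discovery branch; if that is intended, `if (empty($idpentityid))` states it explicitly, otherwise `=== null` is the precise test. The fall-through from the discovery block into the AuthnRequest `try` is only safe if `SimpleSAML_Utilities::redirect()` terminates the script, which cannot be confirmed from this hunk — an explicit `exit;` after the redirect call would remove that dependency on the helper. `$md['SingleSignOnService']` is read without checking the key exists; a missing endpoint in the IdP metadata produces a notice and a null endpoint rather than an exception, so the `CREATEREQUEST` catch would not fire — add `if (!isset($md['SingleSignOnService'])) throw new Exception('No SingleSignOnService endpoint in metadata for IdP ' . $idpentityid);` before `$sr->generate(...)`. Lastly, the closing `?>` with no trailing newline should simply be dropped from this PHP-only file to avoid stray output.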
-- 
GitLab