From 90e5a8e2ade9b54b18fcd6b653e009f6b5ff17c9 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 4 Oct 2010 13:36:53 +0000
Subject: [PATCH] saml: SAML 1.1: Prepare for IdP initiated authentication.

With IdP initiated authentication, we will not have the IdP entityID
available when receiving the response. This patch prepares the code for
that.

Unfortunately, the IdP entityID is required for the Artifact receiver,
so give an error when receiving an unsolicited response there.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2567 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/www/sp/saml1-acs.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index 80505483d..b30128a6f 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -28,18 +28,18 @@ if ($state['saml:sp:AuthId'] !== $sourceId) {
 	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 }
 
-if (!isset($state['saml:idp'])) {
-	/* We seem to have received a response without sending a request. */
-	throw new SimpleSAML_Error_Exception('SAML 1 response received before SAML 1 request.');
-}
+assert('isset($state["saml:idp"])');
 
 
 $spMetadata = $source->getMetadata();
 
-$idpEntityId = $state['saml:idp'];
-$idpMetadata = $source->getIdPMetadata($idpEntityId);
-
 if (array_key_exists('SAMLart', $_REQUEST)) {
+	if (!isset($state['saml:idp'])) {
+		/* Unsolicited response. */
+		throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
+	}
+	$idpMetadata = $source->getIdPMetadata($state['saml:idp']);
+
 	$responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
 	$isValidated = TRUE; /* Artifact binding validated with ssl certificate. */
 } elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
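Review bot: The new `assert('isset($state["saml:idp"])');` contradicts both the commit message and the `!isset($state['saml:idp'])` check added a few lines lower in the same hunk: with assertions active it aborts exactly the IdP-initiated flow this patch prepares for, and with them disabled it documents an invariant the code no longer holds. Drop the line, or if it is meant as a temporary marker until the rest of the flow lands, replace it with a comment such as `/* $state['saml:idp'] is absent for unsolicited (IdP initiated) responses. */`. Note also that `$idpMetadata` was previously assigned for both branches (removed line `$idpMetadata = $source->getIdPMetadata($idpEntityId);`) and is now only assigned inside the SAMLart branch; if the `elseif` SAMLResponse branch, which continues past the end of this hunk, still references `$idpMetadata`, it is now an undefined variable there.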
@@ -59,7 +59,7 @@ $response->validate();
 $responseIssuer = $response->getIssuer();
 $attributes = $response->getAttributes();
 
-if ($responseIssuer !== $idpEntityId) {
+if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
 	throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
 }
 
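Review bot: Making the issuer comparison conditional on `isset($state['saml:idp'])` means an unsolicited response reaches the rest of the script with `$responseIssuer` taken straight from the message and, as far as this hunk shows, never checked against the SP's configured IdPs; the third hunk then passes that same value to `$source->handleResponse()`. Unless `$response->validate()` (called just above this hunk, outside the shown lines) already resolves the issuer against metadata, add an explicit trust check right after `$responseIssuer = $response->getIssuer();`, e.g. `$idpMetadata = $source->getIdPMetadata($responseIssuer);`, which presumably throws for an entity ID that is not in the SP's IdP list, so that an unsolicited response from an unknown issuer is rejected rather than handed to handleResponse. It is also worth confirming that `getIssuer()` cannot return null for an IdP-initiated response, since `handleResponse()` would then receive no IdP identifier at all.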
@@ -68,7 +68,7 @@ $logoutState = array(
 	);
 $state['LogoutState'] = $logoutState;
 
-$source->handleResponse($state, $idpEntityId, $attributes);
+$source->handleResponse($state, $responseIssuer, $attributes);
 assert('FALSE');
 
 ?>
\ No newline at end of file
-- 
GitLab