Commit 90e5a8e2 authored by Olav Morken's avatar Olav Morken

saml: SAML 1.1: Prepare for IdP initiated authentication.

With IdP initiated authentication, we will not have the IdP entityID
available when receiving the response. This patch prepares the code for
that.

Unfortunately, the IdP entityID is required for the Artifact receiver,
so give an error when receiving an unsolicited response there.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2567 44740490-163a-0410-bde0-09ae8108e29a
parent c52c82de
...@@ -28,18 +28,18 @@ if ($state['saml:sp:AuthId'] !== $sourceId) { ...@@ -28,18 +28,18 @@ if ($state['saml:sp:AuthId'] !== $sourceId) {
throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.'); throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
} }
if (!isset($state['saml:idp'])) { assert('isset($state["saml:idp"])');
/* We seem to have received a response without sending a request. */
throw new SimpleSAML_Error_Exception('SAML 1 response received before SAML 1 request.');
}
$spMetadata = $source->getMetadata(); $spMetadata = $source->getMetadata();
$idpEntityId = $state['saml:idp'];
$idpMetadata = $source->getIdPMetadata($idpEntityId);
if (array_key_exists('SAMLart', $_REQUEST)) { if (array_key_exists('SAMLart', $_REQUEST)) {
if (!isset($state['saml:idp'])) {
/* Unsolicited response. */
throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
}
$idpMetadata = $source->getIdPMetadata($state['saml:idp']);
$responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata); $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
$isValidated = TRUE; /* Artifact binding validated with ssl certificate. */ $isValidated = TRUE; /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) { } elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
...@@ -59,7 +59,7 @@ $response->validate(); ...@@ -59,7 +59,7 @@ $response->validate();
$responseIssuer = $response->getIssuer(); $responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes(); $attributes = $response->getAttributes();
if ($responseIssuer !== $idpEntityId) { if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.'); throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
} }
...@@ -68,7 +68,7 @@ $logoutState = array( ...@@ -68,7 +68,7 @@ $logoutState = array(
); );
$state['LogoutState'] = $logoutState; $state['LogoutState'] = $logoutState;
$source->handleResponse($state, $idpEntityId, $attributes); $source->handleResponse($state, $responseIssuer, $attributes);
assert('FALSE'); assert('FALSE');
?> ?>
\ No newline at end of file
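Review bot: In the unsolicited path the response issuer is now trusted without being checked against the SP's configured IdPs — the relaxed condition `if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp'])` skips the comparison entirely, and `$responseIssuer` then flows straight into `$source->handleResponse($state, $responseIssuer, $attributes)`. Unless `handleResponse` or the out-of-view `$response->validate()` already resolves the issuer's metadata and verifies the signature against that IdP's key, a response from any entity that gets past `validate()` would be accepted as coming from whichever entityID it names. Consider resolving the issuer before it is used, e.g. `$idpMetadata = $source->getIdPMetadata($responseIssuer);` when `$state['saml:idp']` is unset — assuming, as the SAMLart branch appears to rely on, that this throws for unknown entity IDs — and rejecting an empty issuer explicitly. Note also that the removed pre-branch `$idpMetadata` assignment means the SAMLResponse branch, whose body lies outside this hunk, no longer has `$idpMetadata` defined unless it derives one itself. The script begins before the first hunk shown here.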