saml: Move sourceid into AssertionConsumerService url.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1782 44740490-163a-0410-bde0-09ae8108e29a

saml: Move sourceid into AssertionConsumerService url.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1782 44740490-163a-0410-bde0-09ae8108e29a
931c8c01 · Olav Morken · 6891e33b · 931c8c01 · 931c8c01 · 931c8c01
Commit 931c8c01 authored 15 years ago by Olav Morken
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -149,7 +149,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:ssosent-saml1');
 		$ar->setRelayState($id);

-		$url = $ar->createRedirect($idpEntityId, SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php'));
+		$url = $ar->createRedirect($idpEntityId, SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId));

 		SimpleSAML_Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
 			' from ' . var_export($this->entityId, TRUE) . '.');
@@ -167,7 +167,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {

 		$ar = sspmod_saml2_Message::buildAuthnRequest($this->metadata, $idpMetadata);

-		$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php'));
+		$ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
 		$ar->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);

 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:ssosent-saml2');

--- a/modules/saml/www/sp/metadata.php
+++ b/modules/saml/www/sp/metadata.php
@@ -17,22 +17,22 @@ if (!($source instanceof sspmod_saml_Auth_Source_SP)) {

 $entityId = $source->getEntityId();
 $metaArray11 = array(
-	'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php'),
+	'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $sourceId),
 );

 $spconfig = $source->getMetadata();
 if ($spconfig->getBoolean('saml11.binding.artifact.enable', FALSE)) {
-	$metaArray11['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/artifact');
+	$metaArray11['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $sourceId . '/artifact');
 }


 $metaArray20 = array(
-	'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php'),
+	'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $sourceId),
 	'SingleLogoutService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-logout.php/' . $sourceId),
 );
 	
 if ($spconfig->getBoolean('saml20.binding.artifact.enable', FALSE)) {
-	$metaArray20['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php');
+	$metaArray20['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $sourceId);
 }

 $certInfo = SimpleSAML_Utilities::loadPublicKey($spconfig->toArray());

--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -8,19 +8,22 @@ if (!array_key_exists('TARGET', $_REQUEST)) {
 	throw new SimpleSAML_Error_BadRequest('Missing TARGET parameter.');
 }

+$sourceId = $_SERVER['PATH_INFO'];
+$end = strpos($sourceId, '/', 1);
+if ($end === FALSE) {
+	$end = strlen($sourceId);
+}
+$sourceId = substr($sourceId, 1, $end - 1);
+
+$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
+

 $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:ssosent-saml1');

-/* Find authentication source. */
+/* Check that the authentication source is correct. */
 assert('array_key_exists("saml:sp:AuthId", $state)');
-$sourceId = $state['saml:sp:AuthId'];
-
-$source = SimpleSAML_Auth_Source::getById($sourceId);
-if ($source === NULL) {
-	throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $sourceId);
-}
-if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
-	throw new SimpleSAML_Error_Exception('Source type changed?');
+if ($state['saml:sp:AuthId'] !== $sourceId) {
+	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 }

 $idpEntityId = $state['saml:idp'];

--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -4,6 +4,9 @@
 * Assertion consumer service handler for SAML 2.0 SP authentication client.
 */

+$sourceId = substr($_SERVER['PATH_INFO'], 1);
+$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
+
 $b = SAML2_Binding::getCurrentBinding();
 $response = $b->receive();
 if (!($response instanceof SAML2_Response)) {
@@ -17,16 +20,10 @@ if (empty($relayState)) {

 $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');

-/* Find authentication source. */
+/* Check that the authentication source is correct. */
 assert('array_key_exists("saml:sp:AuthId", $state)');
-$sourceId = $state['saml:sp:AuthId'];
-
-$source = SimpleSAML_Auth_Source::getById($sourceId);
-if ($source === NULL) {
-	throw new Exception('Could not find authentication source with id ' . $sourceId);
-}
-if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
-	throw new SimpleSAML_Error_Exception('Source type changed?');
+if ($state['saml:sp:AuthId'] !== $sourceId) {
+	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 }