From 931c8c01bfd4f200a8623fe749404a7e69ad1fc0 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 24 Sep 2009 11:54:08 +0000
Subject: [PATCH] saml: Move sourceid into AssertionConsumerService url.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1782 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/lib/Auth/Source/SP.php | 4 ++--
 modules/saml/www/sp/metadata.php | 8 ++++----
 modules/saml/www/sp/saml1-acs.php | 21 ++++++++++++---------
 modules/saml/www/sp/saml2-acs.php | 15 ++++++--------
 4 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index c8bfaf525..48e1b2459 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -149,7 +149,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:ssosent-saml1');
 $ar->setRelayState($id);
- $url = $ar->createRedirect($idpEntityId, SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php'));
+ $url = $ar->createRedirect($idpEntityId, SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId));
 SimpleSAML_Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) . ' from ' . var_export($this->entityId, TRUE) . '.');
@@ -167,7 +167,7 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 $ar = sspmod_saml2_Message::buildAuthnRequest($this->metadata, $idpMetadata);
- $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php'));
+ $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
 $ar->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:ssosent-saml2');
diff --git a/modules/saml/www/sp/metadata.php b/modules/saml/www/sp/metadata.php
index 72a7eb551..3db89da7d 100644
--- a/modules/saml/www/sp/metadata.php
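Review bot: Both hunks splice `$this->authId` into a URL path segment without encoding, and the four call sites in metadata.php do the same with `$sourceId`. The id is operator configuration rather than untrusted input, but an id containing `/` or characters a web server percent-encodes would yield a segment that saml1-acs.php cannot parse back (it stops at the first `/`), and the new consistency check would then reject every response. Either build the segment with `rawurlencode($this->authId)` at all six sites, or reject such ids when the source is constructed; which is safer depends on whether your server hands `$_SERVER['PATH_INFO']` back decoded, so confirm that before choosing. Since the AuthnRequest ACS URL here must byte-match the one published by metadata.php, a single helper on the SP class that both files call would also remove the risk of the two drifting. Both enclosing methods start and end outside the hunks.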
+++ b/modules/saml/www/sp/metadata.php
@@ -17,22 +17,22 @@ if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
 $entityId = $source->getEntityId();
 $metaArray11 = array(
- 'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php'),
+ 'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $sourceId),
 );
 $spconfig = $source->getMetadata();
 if ($spconfig->getBoolean('saml11.binding.artifact.enable', FALSE)) {
- $metaArray11['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/artifact');
+ $metaArray11['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml1-acs.php/' . $sourceId . '/artifact');
 }
 $metaArray20 = array(
- 'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php'),
+ 'AssertionConsumerService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $sourceId),
 'SingleLogoutService' => SimpleSAML_Module::getModuleURL('saml/sp/saml2-logout.php/' . $sourceId),
 );
 if ($spconfig->getBoolean('saml20.binding.artifact.enable', FALSE)) {
- $metaArray20['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php');
+ $metaArray20['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $sourceId);
 }
 $certInfo = SimpleSAML_Utilities::loadPublicKey($spconfig->toArray());
diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index 06cdf4ee2..336d47fa4 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -8,19 +8,22 @@ if (!array_key_exists('TARGET', $_REQUEST)) {
 throw new SimpleSAML_Error_BadRequest('Missing TARGET parameter.');
 }
+$sourceId = $_SERVER['PATH_INFO'];
+$end = strpos($sourceId, '/', 1);
+if ($end === FALSE) {
+ $end = strlen($sourceId);
+}
+$sourceId = substr($sourceId, 1, $end - 1);
+
+$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
+
 $state = SimpleSAML_Auth_State::loadState($_REQUEST['TARGET'], 'saml:sp:ssosent-saml1');
-/* Find authentication source. */
+/* Check that the authentication source is correct. */
 assert('array_key_exists("saml:sp:AuthId", $state)');
-$sourceId = $state['saml:sp:AuthId'];
-
-$source = SimpleSAML_Auth_Source::getById($sourceId);
-if ($source === NULL) {
- throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $sourceId);
-}
-if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
- throw new SimpleSAML_Error_Exception('Source type changed?');
+if ($state['saml:sp:AuthId'] !== $sourceId) {
+ throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 }
 $idpEntityId = $state['saml:idp'];
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index df766fd5b..3c9ae269d 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -4,6 +4,9 @@
 * Assertion consumer service handler for SAML 2.0 SP authentication client.
 */
+$sourceId = substr($_SERVER['PATH_INFO'], 1);
+$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
+
 $b = SAML2_Binding::getCurrentBinding();
 $response = $b->receive();
 if (!($response instanceof SAML2_Response)) {
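Review bot: `$_SERVER['PATH_INFO']` is read unguarded at the top of the added block, and the same happens in the first hunk of saml2-acs.php; a request to the bare ACS URL (for instance from an IdP still holding the pre-change metadata) leaves the index unset, so `strpos`/`substr` run on null under a notice and an empty id reaches getById, whose failure message will not say what was actually wrong. Mirroring the TARGET check two lines above gives a clearer, earlier failure in both files: `if (!isset($_SERVER['PATH_INFO'])) { throw new SimpleSAML_Error_BadRequest('Missing authentication source id in URL.'); }`. The code relies on `getById($sourceId, 'sspmod_saml_Auth_Source_SP')` throwing when nothing of that type is found, since the null and instanceof checks were removed; that looks intended, but is worth confirming rather than letting a null `$source` reach the validation code further down. The script continues past the end of the hunk.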
@@ -17,16 +20,10 @@ if (empty($relayState)) {
 $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
-/* Find authentication source. */
+/* Check that the authentication source is correct. */
 assert('array_key_exists("saml:sp:AuthId", $state)');
-$sourceId = $state['saml:sp:AuthId'];
-
-$source = SimpleSAML_Auth_Source::getById($sourceId);
-if ($source === NULL) {
- throw new Exception('Could not find authentication source with id ' . $sourceId);
-}
-if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
- throw new SimpleSAML_Error_Exception('Source type changed?');
+if ($state['saml:sp:AuthId'] !== $sourceId) {
+ throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
 }
--
GitLab
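Review bot: The strict comparison on `$state['saml:sp:AuthId'] !== $sourceId` is the right binding between the URL-selected source and the state that issued the request, but in this file `$sourceId` is everything after the leading slash, whereas saml1-acs.php cuts at the first `/`. A trailing slash or extra segment in the saml2 ACS URL therefore ends up inside `$sourceId`, and whichever of getById (earlier in the file) or this check fails, the error blames the source rather than the URL. Parsing the id the same way in both files, or rejecting extra segments explicitly, keeps the two handlers consistent and the failure mode obvious. The handler continues beyond the end of the hunk.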