From 96b18557c4ff8bab5f2a9674e0e5006523fbe101 Mon Sep 17 00:00:00 2001
From: peter <peter-@users.noreply.github.com>
Date: Tue, 25 Sep 2018 11:22:43 +0200
Subject: [PATCH] PasswordProtectedTransport authncontext when HTTPS

Following up on the idea mentioned in #937: If the transport is secure fall back to the `PasswordProtectedTransport` authn context class ref, otherwise keep the current default of `Password`.

Requires a version of the SAML2 library with simplesamlphp/saml2#129 merged due to the reference on a newly defined Constant.
---
 modules/saml/lib/IdP/SAML2.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/saml/lib/IdP/SAML2.php b/modules/saml/lib/IdP/SAML2.php
index 6dae8c4ca..99c98f542 100644
--- a/modules/saml/lib/IdP/SAML2.php
+++ b/modules/saml/lib/IdP/SAML2.php
@@ -897,6 +897,8 @@ class SAML2
 
         if (isset($state['saml:AuthnContextClassRef'])) {
             $a->setAuthnContextClassRef($state['saml:AuthnContextClassRef']);
+        } elseif (\SimpleSAML\Utils\HTTP::isHTTPS()) {
+            $a->setAuthnContextClassRef(\SAML2\Constants::AC_PASSWORD_PROTECTED_TRANSPORT);
         } else {
             $a->setAuthnContextClassRef(\SAML2\Constants::AC_PASSWORD);
         }
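Review bot: The new `elseif` branch asserts `PasswordProtectedTransport` from the transport of the request that is building the assertion, not from how or over what channel the user actually authenticated, so the class ref can overstate the authentication whenever the two differ (a login completed on another host, or an authsource that is not password-based at all); the pre-existing `Password` default shares this mismatch, so at minimum the assumption deserves a comment such as `// Assumes the login itself used this request's (HTTPS) transport; non-password authsources should set saml:AuthnContextClassRef explicitly.`. Whether `isHTTPS()` reflects the user-agent side behind a TLS-terminating proxy depends on its implementation (presumably configured base URL or server variables), which is worth confirming before SPs are allowed to act on this value. Separately, the commit message says `AC_PASSWORD_PROTECTED_TRANSPORT` is newly defined in the SAML2 library, yet the diffstat touches only SAML2.php, so without a matching composer constraint bump an older library version fails at runtime on this line with an undefined-constant error. The enclosing method starts and ends outside the hunk.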
-- 
GitLab