modules/saml2: Verify that the responding IdP is the same as the one we sent the message to.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@980 44740490-163a-0410-bde0-09ae8108e29a

modules/saml2: Verify that the responding IdP is the same as the one we sent the message to.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@980 44740490-163a-0410-bde0-09ae8108e29a
9cd5b0e4 · Olav Morken · 8a321bb5 · 9cd5b0e4 · 9cd5b0e4
Commit 9cd5b0e4 authored 16 years ago by Olav Morken
--- a/modules/saml2/lib/Auth/Source/SP.php
+++ b/modules/saml2/lib/Auth/Source/SP.php
@@ -104,6 +104,28 @@ class sspmod_saml2_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		return $this->entityId;
 	}
+	/**
+	 * Check if the IdP entity id is allowed to authenticate users for this authentication source.
+	 *
+	 * @param string $idpEntityId  The entity id of the IdP.
+	 * @return boolean  TRUE if it is valid, FALSE if not.
+	 */
+	public function isIdPValid($idpEntityId) {
+		assert('is_string($idpEntityId)');
+		if ($this->idp === NULL) {
+			/* No IdP configured - all are allowed. */
+			return TRUE;
+		}
+		if ($this->idp === $idpEntityId) {
+			return TRUE;
+		}
+		return FALSE;
+	}
 }
 ?>
\ No newline at end of file
--- a/modules/saml2/www/sp/acs.php
+++ b/modules/saml2/www/sp/acs.php
@@ -41,7 +41,11 @@ if($result === FALSE) {
 /* The response should include the entity id of the IdP. */
 $idp = $authnResponse->getIssuer();
-/* TODO: Check that IdP is the correct IdP. */
+/* Check if the IdP is allowed to authenticate users for this authentication source. */
+if (!$source->isIdPValid($idp)) {
+	throw new Exception('Invalid IdP responded for authentication source with id ' . $sourceId .
+		'. The IdP was ' . var_export($idp, TRUE));
+}
 /* TODO: Save NameID & SessionIndex for logout. */