From 9cd5b0e49ad6e12cd89d226cde215f5942e1e0f5 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 10 Nov 2008 13:00:49 +0000
Subject: [PATCH] modules/saml2: Verify that the responding IdP is the same as
 the one we sent the message to.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@980 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml2/lib/Auth/Source/SP.php | 22 ++++++++++++++++++++++
 modules/saml2/www/sp/acs.php         |  6 +++++-
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/modules/saml2/lib/Auth/Source/SP.php b/modules/saml2/lib/Auth/Source/SP.php
index 6d711c429..5b0d8f6f4 100644
--- a/modules/saml2/lib/Auth/Source/SP.php
+++ b/modules/saml2/lib/Auth/Source/SP.php
@@ -104,6 +104,28 @@ class sspmod_saml2_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		return $this->entityId;
 	}
 
+
+	/**
+	 * Check if the IdP entity id is allowed to authenticate users for this authentication source.
+	 *
+	 * @param string $idpEntityId  The entity id of the IdP.
+	 * @return boolean  TRUE if it is valid, FALSE if not.
+	 */
+	public function isIdPValid($idpEntityId) {
+		assert('is_string($idpEntityId)');
+
+		if ($this->idp === NULL) {
+			/* No IdP configured - all are allowed. */
+			return TRUE;
+		}
+
+		if ($this->idp === $idpEntityId) {
+			return TRUE;
+		}
+
+		return FALSE;
+	}
+
 }
 
 ?>
\ No newline at end of file
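Review bot: The `$this->idp === NULL` branch of `isIdPValid` returns TRUE for every issuer, so when the IdP is not pinned in this source's configuration the responder is not compared against the IdP the request was actually sent to, which is what the commit subject promises; if this source can pick its IdP at runtime (this hunk does not show how `$this->idp` is populated), the selected entity id would have to be carried in the request state and compared here rather than the static setting. The docblock should state that contract explicitly, e.g. `@return boolean  TRUE if it is valid, FALSE if not. When no IdP is configured, any IdP is accepted.`, so callers do not read a TRUE as proof of a match. As a point of style, the two `if`/`return TRUE` blocks plus trailing `return FALSE` collapse to a single expression: `return $this->idp === NULL || $this->idp === $idpEntityId;`. The enclosing class begins before this hunk.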
diff --git a/modules/saml2/www/sp/acs.php b/modules/saml2/www/sp/acs.php
index 8cf9f622e..6c0ba0e0c 100644
--- a/modules/saml2/www/sp/acs.php
+++ b/modules/saml2/www/sp/acs.php
@@ -41,7 +41,11 @@ if($result === FALSE) {
 /* The response should include the entity id of the IdP. */
 $idp = $authnResponse->getIssuer();
 
-/* TODO: Check that IdP is the correct IdP. */
+/* Check if the IdP is allowed to authenticate users for this authentication source. */
+if (!$source->isIdPValid($idp)) {
+	throw new Exception('Invalid IdP responded for authentication source with id ' . $sourceId .
+		'. The IdP was ' . var_export($idp, TRUE));
+}
 
 /* TODO: Save NameID & SessionIndex for logout. */
 
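Review bot: `$idp` is handed straight from `getIssuer()` to `isIdPValid`, whose only type check is `assert('is_string($idpEntityId)')`; if the response can lack an Issuer and `getIssuer()` then returns NULL (not visible in this hunk), a missing issuer surfaces as an assertion failure, or is silently compared and rejected when assertions are disabled, instead of the explicit rejection the new check is meant to give. A guard before the call makes the failure mode deterministic: `if (!is_string($idp)) { throw new Exception('Response without Issuer for authentication source ' . $sourceId); }`. Whether the response signature has been verified before this issuer check depends on code above the hunk (`$result === FALSE` is checked at the hunk start, presumably for that), so the check is only as strong as that earlier validation; `$source` and `$sourceId` are defined outside this hunk.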
-- 
GitLab