From b3386c7c5d3bead5d9b61bc66eb9348fb55be081 Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Mon, 31 Jan 2022 12:53:26 +0100
Subject: [PATCH] Reverse logics

---
 config-templates/config.php             | 2 +-
 docs/simplesamlphp-upgrade-notes-2.0.md | 3 +--
 modules/saml/lib/Auth/Source/SP.php     | 2 +-
 modules/saml/www/sp/saml2-acs.php       | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/config-templates/config.php b/config-templates/config.php
index f1f53d1e6..5f5e9634d 100644
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -461,7 +461,7 @@ $config = [
      * In example when you are setting up a federation bridge.
      */
     'enable.saml20-idp' => false,
-    'enable.saml20-unsolicited' => false,
+    'enable.saml20-unsolicited' => true,
     'enable.adfs-idp' => false,
 
 
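Review bot: The template now ships `'enable.saml20-unsolicited' => true` without a comment of its own, and the comment block above it in this hunk is about enabling IdP functionality, so an operator copying the template is not told that this key makes the SP accept responses it never requested. I would add a comment directly above the line, for example `// Accept SAML 2.0 responses that were not requested by this SP (IdP-initiated SSO). Set to false to reject them.`, and note there that such responses cannot be matched against a pending request. The `$config` array begins and continues outside the hunk.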
diff --git a/docs/simplesamlphp-upgrade-notes-2.0.md b/docs/simplesamlphp-upgrade-notes-2.0.md
index 3c00209ab..dc305801e 100644
--- a/docs/simplesamlphp-upgrade-notes-2.0.md
+++ b/docs/simplesamlphp-upgrade-notes-2.0.md
@@ -30,8 +30,7 @@ Functional changes
   It is possible to switch back via the `sharedkey_algorithm`.
   Note however that CBC is vulnerable to the Padding oracle attack.
 - All support for the Shibboleth 1.3 / SAML 1.1 protocol has been removed.
-- Unsolicited responses are denied by default. If you need this functionality,
-  it can be enabled by setting `enable.saml20-unsolicited` to `true`.
+- Unsolicited responses can denied by disabling it by setting `enable.saml20-unsolicited` to `false`.
 
 Configuration changes
 ---------------------
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index ad5b7ab0e..b08ed9a1e 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -1139,7 +1139,7 @@ class SP extends \SimpleSAML\Auth\Source
         $state['Attributes'] = $authProcState['Attributes'];
 
         $config = Configuration::getInstance();
-        $allowUnsolicited = $config->getBoolean('enable.saml20-unsolicited', false);
+        $allowUnsolicited = $config->getBoolean('enable.saml20-unsolicited', true);
 
         Assert::true(
             $allowUnsolicited,
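Review bot: With the fallback changed to `true`, a `config.php` that does not define `enable.saml20-unsolicited` at all now accepts unsolicited responses, assuming the second argument of `getBoolean()` is the value used when the key is absent; the hunk in `modules/saml/www/sp/saml2-acs.php` makes the same change. An unsolicited response is not bound to a request this SP issued, so the missing-key case is the one that should fail closed, while the template can still ship `true` for new installs. I would keep `$allowUnsolicited = $config->getBoolean('enable.saml20-unsolicited', false);` in both places, or at least log a warning when the key is missing. The enclosing method starts above the hunk and the `Assert::true(` call is cut off at its end, so the failure message and exception path are not visible here.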
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 87b95ad36..7001c3a88 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -105,7 +105,7 @@ if (!empty($stateId)) {
 }
 
 $config = Configuration::getInstance();
-$allowUnsolicited = $config->getBoolean('enable.saml20-unsolicited', false);
+$allowUnsolicited = $config->getBoolean('enable.saml20-unsolicited', true);
 
 Assert::true(
     $allowUnsolicited,
-- 
GitLab