Multiple enhancements and fixes to IDPList support in proxy mode.
- Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
- The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
- We shouldn't ask the user to logout in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
- Similarly, these two cases should also handled in case we are authenticating for the first time, not only when reauthenticating.
Showing
- lib/SimpleSAML/Error/NoAvailableIDP.php 15 additions, 0 deletionslib/SimpleSAML/Error/NoAvailableIDP.php
- lib/SimpleSAML/Error/NoSupportedIDP.php 15 additions, 0 deletionslib/SimpleSAML/Error/NoSupportedIDP.php
- modules/saml/lib/Auth/Source/SP.php 41 additions, 5 deletionsmodules/saml/lib/Auth/Source/SP.php
- modules/saml/lib/Error.php 15 additions, 2 deletionsmodules/saml/lib/Error.php
- modules/saml/www/proxy/invalid_session.php 2 additions, 2 deletionsmodules/saml/www/proxy/invalid_session.php
Loading
Please register or sign in to comment