Use the new SAML error exceptions in the saml module.

Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.

modules/saml/lib/Auth/Source/SP.php

@@ -392,11 +392,17 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
 			if (empty($intersection)) { // all requested IdPs are unknown
-				throw new SimpleSAML\Error\NoSupportedIDP('None of the IdPs requested are supported by this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are supported by this proxy.'
+				);
 			}
 
 			if (!is_null($idp) && !in_array($idp, $intersection)) { // the IdP is enforced but not in the IDPList
-				throw new SimpleSAML\Error\NoAvailableIDP('None of the IdPs requested are available to this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are available to this proxy.'
+				);
 			}
 
 			if (is_null($idp) && sizeof($intersection) === 1) { // only one IdP requested or valid
@@ -447,7 +453,10 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
 			if (empty($intersection)) { // all requested IdPs are unknown
-				throw new SimpleSAML\Error\NoSupportedIDP('None of the IdPs requested are supported by this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are supported by this proxy.'
+				);
 			}
 
 			/*
@@ -455,7 +464,10 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			 * see if this proxy enforces the use of one single IdP.
 			 */
 			if (!is_null($this->idp) && !in_array($this->idp, $intersection)) { // an IdP is enforced but not requested
-				throw new SimpleSAML\Error\NoAvailableIDP('None of the IdPs requested are available to this proxy.');
+				throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
+					\SAML2\Constants::STATUS_REQUESTER,
+					'None of the IdPs requested are available to this proxy.'
+				);
 			}
 
 			/*

modules/saml/lib/Error.php

@@ -118,20 +118,6 @@ class sspmod_saml_Error extends SimpleSAML_Error_Exception {
 				$exception->getMessage(),
 				$exception
 			);
-		} elseif ($exception instanceof SimpleSAML\Error\NoAvailableIDP) {
-			$e = new self(
-				\SAML2\Constants::STATUS_RESPONDER,
-				\SAML2\Constants::STATUS_NO_AVAILABLE_IDP,
-				$exception->getMessage(),
-				$exception
-			);
-		} elseif ($exception instanceof SimpleSAML\Error\NoSupportedIDP) {
-			$e = new self(
-				\SAML2\Constants::STATUS_RESPONDER,
-				\SAML2\Constants::STATUS_NO_SUPPORTED_IDP,
-				$exception->getMessage(),
-				$exception
-			);
 		} else {
 			$e = new self(
 				\SAML2\Constants::STATUS_RESPONDER,

modules/saml/www/proxy/invalid_session.php

@@ -28,8 +28,13 @@ try {
 
 if (isset($_POST['cancel'])) {
     // the user does not want to logout, cancel login
-    $e = new \SimpleSAML\Error\NoAvailableIDP('User refused to reauthenticate with any of the IdPs requested.');
-    SimpleSAML_Auth_State::throwException($state, $e);
+    SimpleSAML_Auth_State::throwException(
+        $state,
+        new \SimpleSAML\Module\saml\Error\NoAvailableIDP(
+            \SAML2\Constants::STATUS_RESPONDER,
+            'User refused to reauthenticate with any of the IdPs requested.'
+        )
+    );
 }
 
 if (isset($_POST['continue'])) {