saml: Support unsoliced authentication response.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1784 44740490-163a-0410-bde0-09ae8108e29a

modules/saml/lib/Auth/Source/SP.php

@@ -384,6 +384,12 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		$source->addLogoutCallback($idp, $state);
 
 		$state['Attributes'] = $authProcState['Attributes'];
+
+		if (isset($state['saml:sp:isUnsoliced']) && (bool)$state['saml:sp:isUnsoliced']) {
+			$redirectTo = $source->getMetadata()->getString('RelayState', '/');
+			SimpleSAML_Auth_Default::handleUnsolicedAuth($sourceId, $state, $redirectTo);
+		}
+
 		SimpleSAML_Auth_Source::completeAuth($state);
 	}
 

modules/saml/www/sp/saml2-acs.php

@@ -14,16 +14,21 @@ if (!($response instanceof SAML2_Response)) {
 }
 
 $relayState = $response->getRelayState();
-if (empty($relayState)) {
-	throw new SimpleSAML_Error_BadRequest('Missing relaystate in message received on AssertionConsumerService endpoint.');
-}
-
-$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
+if (!empty($relayState)) {
+	/* This is a response to a request we sent earlier. */
+	$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
 
-/* Check that the authentication source is correct. */
-assert('array_key_exists("saml:sp:AuthId", $state)');
-if ($state['saml:sp:AuthId'] !== $sourceId) {
-	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	/* Check that the authentication source is correct. */
+	assert('array_key_exists("saml:sp:AuthId", $state)');
+	if ($state['saml:sp:AuthId'] !== $sourceId) {
+		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	}
+} else {
+	/* This is an unsoliced response. */
+	$state = array(
+		'saml:sp:isUnsoliced' => TRUE,
+		'saml:sp:AuthId' => $sourceId,
+	);
 }