From d77f639553409c1cde706bc37da552b1335fa143 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 24 Sep 2009 11:54:29 +0000
Subject: [PATCH] saml: Support unsoliced authentication response.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1784 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/lib/Auth/Source/SP.php |  6 ++++++
 modules/saml/www/sp/saml2-acs.php   | 23 ++++++++++++++---------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 48e1b2459..605b3c426 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -384,6 +384,12 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		$source->addLogoutCallback($idp, $state);
 
 		$state['Attributes'] = $authProcState['Attributes'];
+
+		if (isset($state['saml:sp:isUnsoliced']) && (bool)$state['saml:sp:isUnsoliced']) {
+			$redirectTo = $source->getMetadata()->getString('RelayState', '/');
+			SimpleSAML_Auth_Default::handleUnsolicedAuth($sourceId, $state, $redirectTo);
+		}
+
 		SimpleSAML_Auth_Source::completeAuth($state);
 	}
 
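Review bot: The new `if` block falls through to `SimpleSAML_Auth_Source::completeAuth($state)` unless `handleUnsolicedAuth()` never returns, and nothing in the hunk says which is intended. The unsolicited `$state` built in saml2-acs.php carries only `saml:sp:isUnsoliced` and `saml:sp:AuthId`, so a fall-through would presumably reach completeAuth without the return information a solicited login has. Either add a comment inside the block, `/* handleUnsolicedAuth() redirects and does not return. */`, or put an explicit `return;` after the call. The redirect target is read from the source's own configuration rather than from the incoming message; a short comment saying so would help keep a later change from passing the received RelayState into the redirect. The enclosing function starts above the hunk.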
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 3c9ae269d..8b28d504c 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -14,16 +14,21 @@ if (!($response instanceof SAML2_Response)) {
 }
 
 $relayState = $response->getRelayState();
-if (empty($relayState)) {
-	throw new SimpleSAML_Error_BadRequest('Missing relaystate in message received on AssertionConsumerService endpoint.');
-}
-
-$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
+if (!empty($relayState)) {
+	/* This is a response to a request we sent earlier. */
+	$state = SimpleSAML_Auth_State::loadState($relayState, 'saml:sp:ssosent-saml2');
 
-/* Check that the authentication source is correct. */
-assert('array_key_exists("saml:sp:AuthId", $state)');
-if ($state['saml:sp:AuthId'] !== $sourceId) {
-	throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	/* Check that the authentication source is correct. */
+	assert('array_key_exists("saml:sp:AuthId", $state)');
+	if ($state['saml:sp:AuthId'] !== $sourceId) {
+		throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
+	}
+} else {
+	/* This is an unsoliced response. */
+	$state = array(
+		'saml:sp:isUnsoliced' => TRUE,
+		'saml:sp:AuthId' => $sourceId,
+	);
 }
 
 
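Review bot: The `else` branch treats a response as unsolicited purely because RelayState is empty, and RelayState arrives through the user's browser, so whoever delivers the message chooses the branch. In the solicited path `loadState()` ties the response to a request this SP sent; in the new path nothing visible confirms that the response was issued without a request. I would reject a response that still carries an InResponseTo value here, for example `if ($response->getInResponseTo() !== NULL) { throw new SimpleSAML_Error_BadRequest('Unsolicited response must not contain InResponseTo.'); }`. Unsolicited login also allows forced sign-in (login CSRF), so consider enabling it only through an explicit per-source configuration option instead of for every authentication source. Whether the processing after this hunk validates InResponseTo is not visible from here.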
-- 
GitLab