Commit e543fe5f authored by Thijs Kinkhorst

If issuer does not match ExpectedIssuer, log warning instead of throwing exception.

It does not seem like something that is normal so a warning seems in
place. However, forbidding it does not add much value since we accept
unsolicited responses (from any idp) anyway.

Closes: #975
parent af333cbb
......@@ -16,6 +16,8 @@ Released TBD
* Introduce new UI based on Twig templates.
The new templates co-exist next to the old ones.
* SimpleSAMLphp can now be used with applications that use Twig 2.
* Generate sessionID complying with PHP config settings.
* Update OpenSSL RSA bit length in docs.
* Update configuration templates and documentation to PHP
short array syntax.
* All clases moved to namespaces and reformatted code to PSR-2.
......@@ -35,6 +37,10 @@ Released TBD
* Allow to specifiy NameIDPolicy Format and AllowCreate in hosted SP
and remote IdP configurtion, and restore possibility to omit it
from AuthnRequests entirely.
* Add setting `assertion.allowed_clock_skew` to influence how lenient
we should be with the timestamps in received SAML messages.
* If Issuer of IdP does not match the entity we sent the request to,
log a warning instead of bailing out with an exception.
## Version 1.16.2
......
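Review bot: the new changelog entry (the two lines beginning "If Issuer of IdP does not match") describes the observable change but not that a check which previously rejected the response now lets processing continue; deployments that relied on the exception as a hard stop will only see a log line from now on. Suggest stating that explicitly, e.g. "The response is now processed; previously it was rejected", and naming the warning so operators can grep for it.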
......@@ -17,7 +17,7 @@ try {
} catch (Exception $e) {
// TODO: look for a specific exception
// This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should throw
// an specific exception when the binding is unknown, and we should capture that here
// a specific exception when the binding is unknown, and we should capture that here
if ($e->getMessage() === 'Unable to find the current binding.') {
throw new \SimpleSAML\Error\Error('ACSPARAMS', $e, 400);
} else {
......@@ -102,9 +102,7 @@ if ($state) {
$idpMetadata = $source->getIdPMetadata($idp);
$idplist = $idpMetadata->getArrayize('IDPList', []);
if (!in_array($state['ExpectedIssuer'], $idplist, true)) {
throw new \SimpleSAML\Error\Exception(
'The issuer of the response does not match to the identity provider we sent the request to.'
);
SimpleSAML\Logger::warning('The issuer of the response not match to the identity provider we sent the request to.');
}
}
} else {
......
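Review bot: the replacement warning text is ungrammatical and loses the information an operator would need: "The issuer of the response not match to the identity provider we sent the request to." drops "does" and, because the code now continues past this point, the log line is the only record that a mismatched issuer was accepted. Include both values in the message, e.g. 'Issuer of the response (' . $idp . ') does not match the identity provider we sent the request to (' . $state['ExpectedIssuer'] . ').', so the event can be triaged later. Also, `SimpleSAML\Logger::warning(...)` is written without the leading backslash while the surrounding code uses `\SimpleSAML\Error\Exception`; use `\SimpleSAML\Logger::warning(...)` for consistency.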