If issuer does not match ExpectedIssuer, log warning instead of throwing exception.

It does not seem like something that is normal so a warning seems in place. However, forbidding it does not add much value since we accept unsollicited responses (from any idp) anyway. Closes: #975

If issuer does not match ExpectedIssuer, log warning instead of throwing exception.
e543fe5f · Thijs Kinkhorst · af333cbb · e543fe5f · e543fe5f
Commit e543fe5f authored 6 years ago by Thijs Kinkhorst
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -16,6 +16,8 @@ Released TBD
  * Introduce new UI based on Twig templates.
    The new templates co-exist next to the old ones.
  * SimpleSAMLphp can now be used with applications that use Twig 2.
+  * Generate sessionID complying with PHP config settings.
+  * Update OpenSSL RSA bit length in docs.
  * Update configuration templates and documentation to PHP
    short array syntax.
  * All clases moved to namespaces and reformatted code to PSR-2.
@@ -35,6 +37,10 @@ Released TBD
  * Allow to specifiy NameIDPolicy Format and AllowCreate in hosted SP
    and remote IdP configurtion, and restore possibility to omit it
    from AuthnRequests entirely.
+  * Add setting `assertion.allowed_clock_skew` to influence how lenient
+    we should be with the timestamps in received SAML messages.
+  * If Issuer of IdP does not match the entity we sent the request to,
+    log a warning instead of bailing out with an exception.

 ## Version 1.16.2


--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -17,7 +17,7 @@ try {
 } catch (Exception $e) {
    // TODO: look for a specific exception
    // This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should throw
-    // an specific exception when the binding is unknown, and we should capture that here
+    // a specific exception when the binding is unknown, and we should capture that here
    if ($e->getMessage() === 'Unable to find the current binding.') {
        throw new \SimpleSAML\Error\Error('ACSPARAMS', $e, 400);
    } else {
@@ -102,9 +102,7 @@ if ($state) {
        $idpMetadata = $source->getIdPMetadata($idp);
        $idplist = $idpMetadata->getArrayize('IDPList', []);
        if (!in_array($state['ExpectedIssuer'], $idplist, true)) {
-            throw new \SimpleSAML\Error\Exception(
-                'The issuer of the response does not match to the identity provider we sent the request to.'
-            );
+            SimpleSAML\Logger::warning('The issuer of the response not match to the identity provider we sent the request to.');
        }
    }
 } else {