From e543fe5f8ac225734cf745db5ab440b328ab99af Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst <thijs@kinkhorst.com>
Date: Wed, 21 Nov 2018 15:44:07 +0000
Subject: [PATCH] If issuer does not match ExpectedIssuer, log warning instead
 of throwing exception.

It does not seem like something that is normal, so a warning seems in
place. However, forbidding it does not add much value since we accept
unsolicited responses (from any IdP) anyway.

Closes: #975
---
 docs/simplesamlphp-changelog.md   | 6 ++++++
 modules/saml/www/sp/saml2-acs.php | 6 ++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs/simplesamlphp-changelog.md b/docs/simplesamlphp-changelog.md
index 9ef80f9a0..4d75fa020 100644
--- a/docs/simplesamlphp-changelog.md
+++ b/docs/simplesamlphp-changelog.md
@@ -16,6 +16,8 @@ Released TBD
   * Introduce new UI based on Twig templates.
     The new templates co-exist next to the old ones.
   * SimpleSAMLphp can now be used with applications that use Twig 2.
+  * Generate sessionID complying with PHP config settings.
+  * Update OpenSSL RSA bit length in docs.
   * Update configuration templates and documentation to PHP
     short array syntax.
   * All clases moved to namespaces and reformatted code to PSR-2.
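Review bot: the two entries added in this hunk (`Generate sessionID complying with PHP config settings.` and `Update OpenSSL RSA bit length in docs.`) have nothing to do with the issuer change in the subject and look like they were picked up during a rebase; drop them from this commit, or split them out, so the changelog diff matches what the commit actually does.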
@@ -35,6 +37,10 @@ Released TBD
   * Allow to specifiy NameIDPolicy Format and AllowCreate in hosted SP
     and remote IdP configurtion, and restore possibility to omit it
     from AuthnRequests entirely.
+  * Add setting `assertion.allowed_clock_skew` to influence how lenient
+    we should be with the timestamps in received SAML messages.
+  * If Issuer of IdP does not match the entity we sent the request to,
+    log a warning instead of bailing out with an exception.
 
 ## Version 1.16.2
 
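Review bot: the `assertion.allowed_clock_skew` entry in this hunk is likewise unrelated to this change and should be dropped or moved to its own commit. The entry that does belong here should tell operators what the relaxation means in practice, namely that a response whose issuer does not match the IdP the request was sent to is now accepted and only logged at warning level, rather than reading as a cosmetic change; a reader scanning the changelog for security-relevant behaviour changes should be able to spot this one.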
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 9dcec80c5..ae10a2cbd 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -17,7 +17,7 @@ try {
 } catch (Exception $e) {
     // TODO: look for a specific exception
     // This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should throw
-    // an specific exception when the binding is unknown, and we should capture that here
+    // a specific exception when the binding is unknown, and we should capture that here
     if ($e->getMessage() === 'Unable to find the current binding.') {
         throw new \SimpleSAML\Error\Error('ACSPARAMS', $e, 400);
     } else {
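Review bot: the `an specific` to `a specific` comment fix is fine but unrelated to the behaviour change; keeping it in a separate commit would leave this one's diff as only the issuer check, which makes it easier to review and to revert on its own if needed.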
@@ -102,9 +102,7 @@ if ($state) {
         $idpMetadata = $source->getIdPMetadata($idp);
         $idplist = $idpMetadata->getArrayize('IDPList', []);
         if (!in_array($state['ExpectedIssuer'], $idplist, true)) {
-            throw new \SimpleSAML\Error\Exception(
-                'The issuer of the response does not match to the identity provider we sent the request to.'
-            );
+            SimpleSAML\Logger::warning('The issuer of the response not match to the identity provider we sent the request to.');
         }
     }
 } else {
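Review bot: the new warning text is missing the word "does" (`The issuer of the response not match to the identity provider ...`) and, more importantly, omits the values an operator needs to triage it; log `$state['ExpectedIssuer']` and `$idp` (both are in scope on the lines above) so the message says which IdP was expected and which one actually answered. Two smaller points: `SimpleSAML\Logger::warning(...)` should be `\SimpleSAML\Logger::warning(...)` to match the fully qualified names used elsewhere in this file (`\SimpleSAML\Error\Exception` on the removed lines), and the single-line call is well past the PSR-2 line length the changelog in this same patch says the code base now follows. On the behaviour itself: the commit message argues the check adds little because unsolicited responses from any IdP are accepted anyway, but this branch only runs when `$state` is present, that is, for a response to an AuthnRequest this SP sent. After this change a response from any IdP whose metadata resolves via `$source->getIdPMetadata($idp)` is accepted for that request even when the `ExpectedIssuer` recorded in `$state` is not in that IdP's `IDPList`, so the SP's own record of where it sent the request no longer constrains which IdP may complete that login. If that relaxation is intended, consider gating it behind a configuration option so deployments that rely on binding a response to the requested IdP can keep the exception, and document that in the changelog entry.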
-- 
GitLab