From efd37879a707ffc6912033b8c757322c5aa838c9 Mon Sep 17 00:00:00 2001
From: Hans Zandbelt <hans.zandbelt@surfnet.nl>
Date: Mon, 15 Feb 2010 19:18:18 +0000
Subject: [PATCH] add support in core IDP for association groups which are used
 to share associations between SAML 2 and ADFS IDPs, to enable cross-protocol
 single-logout (thanks Olav)

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2181 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/IdP.php | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/lib/SimpleSAML/IdP.php b/lib/SimpleSAML/IdP.php
index b7ab3bc1a..89b44f7e8 100644
--- a/lib/SimpleSAML/IdP.php
+++ b/lib/SimpleSAML/IdP.php
@@ -26,6 +26,17 @@ class SimpleSAML_IdP {
 	private $id;
 
 
+	/**
+	 * The "association group" for this IdP.
+	 *
+	 * We use this to support cross-protocol logout until
+	 * we implement a cross-protocol IdP.
+	 *
+	 * @var string
+	 */
+	private $associationGroup;
+
+
 	/**
 	 * The configuration for this IdP.
 	 *
@@ -62,10 +73,23 @@ class SimpleSAML_IdP {
 				throw new SimpleSAML_Error_Exception('enable.adfs-idp disabled in config.php.');
 			}
 			$this->config = $metadata->getMetaDataConfig(substr($id, 5), 'adfs-idp-hosted');
+
+			try {
+				/* This makes the ADFS IdP use the same SP associations as the SAML 2.0 IdP. */
+				$saml2EntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+				$this->associationGroup = 'saml2:' . $saml2EntityId;
+								
+			} catch (Exception $e) {
+				/* Probably no SAML 2 IdP configured for this host. Ignore the error. */
+			}
 		} else {
 			assert(FALSE);
 		}
 
+		if ($this->associationGroup === NULL) {
+			$this->associationGroup = $this->id;
+		}
+
 	}
 
 
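Review bot: The `catch (Exception $e)` closing the new try block discards every exception from getMetaDataCurrentEntityID(), not only the expected "no SAML 2.0 IdP on this host" case, so a broken saml20-idp-hosted metadata file makes the ADFS IdP fall back silently to its own id via the NULL check below and cross-protocol logout stops working without any trace. Log the discarded exception in the catch, e.g. `SimpleSAML_Logger::debug('Could not determine SAML 2.0 IdP for association group: ' . $e->getMessage());` (assuming the logger used elsewhere in this class is available here). The key `'saml2:' . $saml2EntityId` only shares anything if it matches byte-for-byte the id the SAML 2.0 branch assigns to `$this->id`, which this hunk does not show, so a comment on that line naming the dependency would help, e.g. `/* Must equal the id the saml2 branch assigns, otherwise the two IdPs do not share associations. */`. Line 44 is whitespace-only (tabs) and should be dropped. The constructor begins above this hunk.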
@@ -157,7 +181,7 @@ class SimpleSAML_IdP {
 		assert('isset($association["Handler"])');
 
 		$session = SimpleSAML_Session::getInstance();
-		$session->addAssociation($this->id, $association);
+		$session->addAssociation($this->associationGroup, $association);
 	}
 
 
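Review bot: The session key passed here changes from the IdP id to the association group, and the same substitution appears in the getAssociations and terminateAssociation hunks below; the docblocks for these three methods sit above each hunk, out of view, so check that they no longer describe the associations as belonging to "this IdP" and instead say they are stored under `$this->associationGroup`, which an ADFS IdP may share with the SAML 2.0 IdP on the same host. A one-line comment such as `/* Keyed by association group so SAML 2.0 and ADFS IdPs share logout state. */` above the addAssociation call would make the reason visible where the key is used.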
@@ -169,7 +193,7 @@ class SimpleSAML_IdP {
 	public function getAssociations() {
 
 		$session = SimpleSAML_Session::getInstance();
-		return $session->getAssociations($this->id);
+		return $session->getAssociations($this->associationGroup);
 	}
 
 
@@ -182,7 +206,7 @@ class SimpleSAML_IdP {
 		assert('is_string($assocId)');
 
 		$session = SimpleSAML_Session::getInstance();
-		$session->terminateAssociation($this->id, $assocId);
+		$session->terminateAssociation($this->associationGroup, $assocId);
 	}
 
 
-- 
GitLab