Revision: 3189
Author: jaim...@gmail.com
Date: Mon Oct 15 03:36:12 2012
Log: The issuer of an AuthnResponse is now validated, to check that the
response comes from the same entity ID we sent the request to.
http://code.google.com/p/simplesamlphp/source/detail?r=3189
Modified:
/trunk/modules/saml/lib/Auth/Source/SP.php
/trunk/modules/saml/www/sp/saml2-acs.php
=======================================
--- /trunk/modules/saml/lib/Auth/Source/SP.php Fri Jun 22 04:36:57 2012
+++ /trunk/modules/saml/lib/Auth/Source/SP.php Mon Oct 15 03:36:12 2012
@@ -251,6 +251,9 @@
if (isset($state['saml:Extensions'])) {
$ar->setExtensions($state['saml:Extensions']);
}
+
+ // save IdP entity ID as part of the state
+ $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso',
TRUE);
$ar->setId($id);
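Review bot: The new state key `ExpectedIssuer` is the only entry in this block without the `saml:` namespace that the neighbouring keys carry (`saml:Extensions` here, `saml:sp:AuthId` and the `saml:sp:sso` stage in the ACS hunk), so it is easy to mistake for a generic key shared with other modules. Naming it `$state['saml:sp:ExpectedIssuer']` would follow the file's convention; the read side in /trunk/modules/saml/www/sp/saml2-acs.php would need the same rename. The comment could also say why the value is kept rather than that it is kept, e.g. `// Remember the IdP entity ID so the ACS can verify the Issuer of the response against the request we sent.` The enclosing method starts and ends outside this hunk.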
=======================================
--- /trunk/modules/saml/www/sp/saml2-acs.php Wed May 23 23:08:13 2012
+++ /trunk/modules/saml/www/sp/saml2-acs.php Mon Oct 15 03:36:12 2012
@@ -58,6 +58,12 @@
if ($state['saml:sp:AuthId'] !== $sourceId) {
throw new SimpleSAML_Error_Exception('The authentication source id in
the URL does not match the authentication source which sent the request.');
}
+
+ /* Check that the issuer is the one we are expecting. */
+ assert('array_key_exists("ExpectedIssuer", $state)');
+ if ($state['ExpectedIssuer'] !== $idp) {
+ throw new SimpleSAML_Error_Exception('The issuer of the response does
not match to the identity provider we sent the request to.');
+ }
} else {
/* This is an unsolicited response. */
$state = array(
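Review bot: The string `assert()` on the line before the comparison is a no-op whenever assertions are disabled, so a `$state` blob saved before this revision (saved state outlives a deploy) reaches `$state['ExpectedIssuer']` as an undefined index; the comparison still fails closed because `null !== $idp`, but it does so with a notice and depends on the assertion configuration rather than on the code. Making the guard explicit keeps the fail-closed behaviour without that dependency: `if (!isset($state['ExpectedIssuer']) || $state['ExpectedIssuer'] !== $idp) {`. The check sits inside the solicited-response branch only, which is right since an unsolicited response has no request to bind to; a one-line comment saying so above `} else {` would help the next reader. Where `$idp` is assigned is above the hunk, so I am assuming it holds the Issuer taken from the response; the surrounding block also continues past the hunk.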