author: Jaime Pérez <jaime.perez@uninett.no> 2016-08-15 15:49:05 +0200
committer: Jaime Pérez <jaime.perez@uninett.no> 2016-08-15 15:49:05 +0200
commit: c70e0b7564acd0dbf54d9ac805a92ca024c98212 (patch)
tree: c2db9c40ed6b327ac581fccdf8553d5fbe11b07a /lib/SimpleSAML
parent: 0bd93f6f4d2d37b6f362997f64236871026252ac (diff)
Multiple enhancements and fixes to IDPList support in proxy mode.
- Bugfix: modules/saml/www/proxy/invalid_session.php shouldn't call the error handler in sspmod_saml_IdP_SAML2 directly. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return to the requester).
- The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
- We shouldn't ask the user to log out in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
- Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
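The commit message describes a decision the proxy has to make for every request: given the `<samlp:IDPList>` the requester scoped the request to, the IdPs the proxy knows, and an optional pinned IdP from the auth source's 'idp' option, either pick an upstream IdP or fail with the right second-level status code. The following is an added illustration written for this page, not SimpleSAMLphp code: the `ScopingException` class, the `selectUpstreamIdp()` function and the sample entityIDs are all hypothetical, and which of the two status URIs is raised in which situation is this example's own reading of the standard, not something the commit shows.

```php
<?php
// Added example (not SimpleSAMLphp code): choosing an upstream IdP for a proxied
// AuthnRequest and mapping failures to the two second-level status codes the
// commit message quotes from the SAML 2.0 standard.

const STATUS_NO_SUPPORTED_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP';
const STATUS_NO_AVAILABLE_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP';

// Hypothetical stand-in for the exception classes added in this commit: it
// carries the second-level status URI the responder must put in the reply,
// so the caller building the <samlp:Status> never has to guess it.
class ScopingException extends \RuntimeException
{
    private $subStatus;

    public function __construct(string $message, string $subStatus)
    {
        parent::__construct($message);
        $this->subStatus = $subStatus;
    }

    public function getSubStatus(): string
    {
        return $this->subStatus;
    }
}

/**
 * Pick the upstream IdP for this request, or throw a ScopingException.
 *
 * @param string[]    $idpList     entityIDs from <samlp:IDPList>; empty means "no restriction"
 * @param string[]    $knownIdps   entityIDs present in the proxy's metadata
 * @param string|null $enforcedIdp value of the auth source's 'idp' option, if set
 * @param string|null $currentIdp  IdP of an existing session when reauthenticating, else null
 */
function selectUpstreamIdp(array $idpList, array $knownIdps, ?string $enforcedIdp, ?string $currentIdp = null): string
{
    if ($knownIdps === []) {
        // The proxy has nowhere to send anyone: it cannot satisfy any request.
        throw new ScopingException('This proxy has no identity provider configured', STATUS_NO_AVAILABLE_IDP);
    }

    if ($enforcedIdp !== null) {
        // The proxy is pinned to one IdP. If the requester left the scope open or
        // listed that IdP, honour the pin (and keep any existing session for it
        // rather than forcing a logout); otherwise nothing in the list is usable.
        if ($idpList === [] || in_array($enforcedIdp, $idpList, true)) {
            return $enforcedIdp;
        }
        throw new ScopingException('The IDPList excludes the only IdP this proxy uses', STATUS_NO_SUPPORTED_IDP);
    }

    // No pin: the usable set is the IDPList restricted to what we know about.
    $candidates = $idpList === [] ? $knownIdps : array_values(array_intersect($idpList, $knownIdps));
    if ($candidates === []) {
        throw new ScopingException('No IdP in the IDPList is supported by this proxy', STATUS_NO_SUPPORTED_IDP);
    }

    // Reauthentication: reuse the session's IdP if the requester still accepts it,
    // so the user is not logged out needlessly.
    if ($currentIdp !== null && in_array($currentIdp, $candidates, true)) {
        return $currentIdp;
    }
    return $candidates[0];
}

// Constructed sample input: the requester scopes to two IdPs, the proxy knows one of them.
$idpList   = ['https://idp-a.example.org', 'https://idp-b.example.org'];
$knownIdps = ['https://idp-b.example.org', 'https://idp-c.example.org'];

try {
    echo 'Using ' . selectUpstreamIdp($idpList, $knownIdps, null) . PHP_EOL;
    // Same request, but the proxy is pinned to an IdP the requester did not list.
    selectUpstreamIdp($idpList, $knownIdps, 'https://idp-c.example.org');
} catch (ScopingException $e) {
    // The responder would put $e->getSubStatus() in the nested <samlp:StatusCode>
    // under urn:oasis:names:tc:SAML:2.0:status:Responder and return to the requester.
    echo 'Refusing: ' . $e->getMessage() . ' (' . $e->getSubStatus() . ')' . PHP_EOL;
}
```

The point of carrying the status URI inside the exception is that the code catching it can build the response without inspecting class names, and any new failure mode gets a status code at the point where it is raised rather than in a switch somewhere downstream.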
Diffstat (limited to 'lib/SimpleSAML')
-rw-r--r--  lib/SimpleSAML/Error/NoAvailableIDP.php  15
-rw-r--r--  lib/SimpleSAML/Error/NoSupportedIDP.php  15
2 files changed, 30 insertions, 0 deletions
diff --git a/lib/SimpleSAML/Error/NoAvailableIDP.php b/lib/SimpleSAML/Error/NoAvailableIDP.php
new file mode 100644
index 0000000..d3c99dc
--- /dev/null
+++ b/lib/SimpleSAML/Error/NoAvailableIDP.php
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Simple exception to model the NoAvailableIDP SAML error.
+ *
+ * @author Jaime Pérez Crespo, UNINETT AS <jaime.perez@uninett.no>
+ * @package SimpleSAMLphp
+ */
+
+namespace SimpleSAML\Error;
+
+
+class NoAvailableIDP extends \SimpleSAML_Error_Exception
+{
+
+} \ No newline at end of file
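Review bot: the class body is empty, so nothing in this file ties NoAvailableIDP to the second-level status code `urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP` that the commit message says the requester must receive; if the mapping is done by whoever catches the exception, it is easy to drift. Consider giving the class a constructor that sets a default message and a constant or accessor for the status URI, so the exception and the status it represents stay in sync. Also the file lacks a trailing newline (`\ No newline at end of file`); add one to match the rest of the tree.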
diff --git a/lib/SimpleSAML/Error/NoSupportedIDP.php b/lib/SimpleSAML/Error/NoSupportedIDP.php
new file mode 100644
index 0000000..0ef97ed
--- /dev/null
+++ b/lib/SimpleSAML/Error/NoSupportedIDP.php
@@ -0,0 +1,15 @@
+<?php
+/**
+ * Simple exception to model the NoSupportedIDP SAML error.
+ *
+ * @author Jaime Pérez Crespo, UNINETT AS <jaime.perez@uninett.no>
+ * @package SimpleSAMLphp
+ */
+
+namespace SimpleSAML\Error;
+
+
+class NoSupportedIDP extends \SimpleSAML_Error_Exception
+{
+
+} \ No newline at end of file
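Review bot: this file is a line-for-line copy of NoAvailableIDP.php with only the name changed. If the two exceptions differ only in the status URI they stand for, a shared base class taking the second-level status code as a constructor argument (or a constant on each subclass) would remove the duplication and make the NoSupportedIDP/NoAvailableIDP distinction visible in code. The docblock would also benefit from a sentence on when each status applies, since the commit message treats them as distinct cases. Same missing trailing newline as the other file.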