Disabled unnecessary issuer check as proposed in issue simplesamlphp#975

lhaemmerle · Oct 31, 2018 · 96a0033 · 96a0033
1 parent 9afb0b3
commit 96a0033
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 15 deletions.
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
@@ -280,9 +280,6 @@ private function startSSO2(\SimpleSAML\Configuration $idpMetadata, array $state)
             $ar->setExtensions($state['saml:Extensions']);
         }
 
-        // save IdP entity ID as part of the state
-        $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
-
         $id = State::saveState($state, 'saml:sp:sso', true);
         $ar->setId($id);
 

diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
@@ -95,18 +95,6 @@
             'The authentication source id in the URL does not match the authentication source which sent the request.'
         );
     }
-
-    // check that the issuer is the one we are expecting
-    assert(array_key_exists('ExpectedIssuer', $state));
-    if ($state['ExpectedIssuer'] !== $idp) {
-        $idpMetadata = $source->getIdPMetadata($idp);
-        $idplist = $idpMetadata->getArrayize('IDPList', []);
-        if (!in_array($state['ExpectedIssuer'], $idplist, true)) {
-            throw new \SimpleSAML\Error\Exception(
-                'The issuer of the response does not match to the identity provider we sent the request to.'
-            );
-        }
-    }
 } else {
     // this is an unsolicited response
     $state = [