Disable scoping for broken IdPs

simplesamlphp · May 29, 2018 · 1bf82f6 · 1bf82f6
1 parent 808b9ec
commit 1bf82f6
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 21 deletions.
diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
@@ -117,6 +117,11 @@ The following SAML 2.0 options are available:
     discouraged to do so. For your own safety, please include the string 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' if
     you make use of this option.
 
+`disable.scoping`
+:   Whether to avoid sending Scoping elements to this IdP. This may be
+    necessary in some broken implementations (such as AD FS versions prior
+    to 4.0).
+
 `hide.from.discovery`
 :   Whether to hide hide this IdP from the local discovery or not. Set to true to hide it. Defaults to false.
 

diff --git a/docs/simplesamlphp-scoping.md b/docs/simplesamlphp-scoping.md
@@ -39,6 +39,10 @@ ProxyCount is unspecified the number of proxy indirections is not limited.
 : The list of trusted IdPs, i.e. the list of entityIDs for identity providers
 that are relevant for a service provider in an authnRequest. 
 
+Scoping can be disabled for IdPs which don't support it (including AD FS
+versions prior to 4.0) by setting the `disable.scoping` option in either a
+hosted SP or remote IdP configuration.
+
 ### Note ###
 SimpleSAMLphp does not support specifying the GetComplete option.
 

diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
@@ -30,6 +30,13 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source
      */
     private $discoURL;
 
+    /**
+     * Disable Scoping element from IdP communications?
+     *
+     * @var boolean
+     */
+    private $disableScoping;
+
     /**
      * Constructor for SAML SP authentication source.
      *
@@ -57,6 +64,7 @@ public function __construct($info, $config)
         $this->entityId = $this->metadata->getString('entityID');
         $this->idp = $this->metadata->getString('idp', null);
         $this->discoURL = $this->metadata->getString('discoURL', null);
+        $this->disableScoping = $this->metadata->getBoolean('disable.scoping', false);
 
         if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
             $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
@@ -234,33 +242,36 @@ private function startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
             $ar->setNameIdPolicy($policy);
         }
 
-        if (isset($state['saml:IDPList'])) {
-            $IDPList = $state['saml:IDPList'];
-        } else {
-            $IDPList = array();
-        }
+        $IDPList = array();
+        $requesterID = array();
+
+        if (!$this->disableScoping && !$idpMetadata->getBoolean('disable.scoping', false)) {
+            if (isset($state['saml:IDPList'])) {
+                $IDPList = $state['saml:IDPList'];
+            }
 
-        $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()), 
-                                                $idpMetadata->getArray('IDPList', array()),
-                                                (array) $IDPList)));
+            if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
+                $ar->setProxyCount($state['saml:ProxyCount']);
+            } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
+                $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
+            } elseif ($this->metadata->getInteger('ProxyCount', null)) {
+                $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
+            }
 
-        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
-            $ar->setProxyCount($state['saml:ProxyCount']);
-        } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
-        } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
-            $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
-        }
+            if (isset($state['saml:RequesterID'])) {
+                $requesterID = $state['saml:RequesterID'];
+            }
 
-        $requesterID = array();
-        if (isset($state['saml:RequesterID'])) {
-            $requesterID = $state['saml:RequesterID'];
-        }
+            if (isset($state['core:SP'])) {
+                $requesterID[] = $state['saml:RequesterID'];
+            }
 
-        if (isset($state['core:SP'])) {
-            $requesterID[] = $state['core:SP'];
         }
 
+        $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
+                $idpMetadata->getArray('IDPList', array()),
+                (array) $IDPList)));
+
         $ar->setRequesterID($requesterID);
 
         if (isset($state['saml:Extensions'])) {