
Commit 0aee0e5

committed
Migrate saml:AuthnContext
1 parent e92da19 commit 0aee0e5

2 files changed

Lines changed: 19 additions & 10 deletions


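--- a/modules/saml/src/Controller/ServiceProvider.php
+++ b/modules/saml/src/Controller/ServiceProvider.php
@@ -415,7 +415,7 @@ public function assertionConsumerService(Request $request, string $sourceId): Re
 $state['PersistentAuthData'][] = 'saml:AuthnInstant';
 $state['saml:sp:SessionIndex'] = $sessionIndex;
 $state['PersistentAuthData'][] = 'saml:sp:SessionIndex';
-$state['saml:sp:AuthnContext'] = $assertion->getAuthnContextClassRef();
+$state['saml:sp:AuthnContext'] = $assertion->getAuthnContext()?->getAuthnContextClassRef();
 $state['PersistentAuthData'][] = 'saml:sp:AuthnContext';
 
 if ($expire !== null) {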
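Review bot: The value written to `$state['saml:sp:AuthnContext']` at line 418 is whatever `getAuthnContextClassRef()` returns, and on the IdP side of this same commit that state key is fed straight into `new AuthnContextClassRef($classRef)` in buildAssertion(), which takes the class-ref URI. If the saml2 library's accessor now returns an `AuthnContextClassRef` element rather than a string (the new object-based API suggests it does, but that is not visible here), the proxy path would wrap an element in a constructor expecting a string; consider `$assertion->getAuthnContext()?->getAuthnContextClassRef()?->getContent()` so the state holds the bare URI. When the assertion carries no AuthnContext the key is now explicitly set to `null` yet still registered in `PersistentAuthData`; the IdP's `isset()` check tolerates that, but a short comment such as `// null when the IdP sent no AuthnContext; consumers must treat it as absent` would spare the next reader the lookup. The enclosing assertionConsumerService() starts and ends outside this hunk.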

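--- a/modules/saml/src/IdP/SAML2.php
+++ b/modules/saml/src/IdP/SAML2.php
@@ -19,6 +19,7 @@
 use SimpleSAML\SAML2\Exception\ArrayValidationException;
 use SimpleSAML\SAML2\XML\md\ContactPerson;
 use SimpleSAML\SAML2\XML\saml\{AttributeValue, Issuer, NameID, SubjectConfirmation, SubjectConfirmationData};
+use SimpleSAML\SAML2\XML\saml\{AuthenticatingAuthority, AuthnContext, AuthnContextClassRef}; // AuthnContext
 use SimpleSAML\SAML2\XML\samlp\{Status, StatusCode, StatusMessage}; // Status
 use SimpleSAML\XML\DOMDocumentFactory;
 use SimpleSAML\XMLSecurity\XML\ds\{X509Certificate, X509Data, KeyInfo};
@@ -86,10 +87,6 @@ public static function sendResponse(array $state): Response
 
 $assertion = self::buildAssertion($idpMetadata, $spMetadata, $state);
 
-if (isset($state['saml:AuthenticatingAuthority'])) {
-$assertion->setAuthenticatingAuthority($state['saml:AuthenticatingAuthority']);
-}
-
 // create the session association (for logout)
 $association = [
 'id' => 'saml:' . $spEntityId,
@@ -1184,16 +1181,28 @@ private static function buildAssertion(
 
 $passAuthnContextClassRef = $config->getOptionalBoolean('proxymode.passAuthnContextClassRef', false);
 if (isset($state['saml:AuthnContextClassRef'])) {
-$a->setAuthnContextClassRef($state['saml:AuthnContextClassRef']);
+$classRef = $state['saml:AuthnContextClassRef'];
 } elseif ($passAuthnContextClassRef && isset($state['saml:sp:AuthnContext'])) {
 // AuthnContext has been set by the upper IdP in front of the proxy, pass it back to the SP behind the proxy
-$a->setAuthnContextClassRef($state['saml:sp:AuthnContext']);
-} elseif ($httpUtils->isHTTPS()) {
-$a->setAuthnContextClassRef(C::AC_PASSWORD_PROTECTED_TRANSPORT);
+$classRef = $state['saml:sp:AuthnContext'];
 } else {
-$a->setAuthnContextClassRef(C::AC_PASSWORD);
+$classRef = $httpUtils->isHTTPS() ? C::AC_PASSWORD_PROTECTED_TRANSPORT : C::AC_PASSWORD;
+}
+
+$authorities = [];
+if (isset($state['saml:AuthenticatingAuthority'])) {
+$authorities[] = new AuthenticatingAuthority($state['saml:AuthenticatingAuthority']);
 }
 
+$a->setAuthnContext(
+new AuthnContext(
+authnContextClassRef: new AuthnContextClassRef($classRef),
+authnContextDecl: null,
+authnContextDeclRef: null,
+authenticatingAuthorities: $authorities,
+)
+);
+
 $sessionStart = $now;
 if (isset($state['AuthnInstant'])) {
 $a->setAuthnInstant($state['AuthnInstant']);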
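Review bot: `new AuthenticatingAuthority($state['saml:AuthenticatingAuthority'])` at new line 1194 builds exactly one element from the state value, while the removed `setAuthenticatingAuthority()` call handed the whole value to the assertion and the new `authenticatingAuthorities:` parameter is a list; if that state entry is a list of upstream IdP entity IDs (which is what a proxy accumulates, though the writer is not in this diff) this passes an array to a constructor that takes a single URI. Iterating covers both shapes: `foreach ((array) $state['saml:AuthenticatingAuthority'] as $authority) {`, `$authorities[] = new AuthenticatingAuthority($authority);`, `}`. The AuthenticatingAuthority chain is what lets the downstream SP see which IdP actually authenticated the user behind the proxy, so losing entries or failing to emit them is an assurance problem rather than a cosmetic one. In the same hunk `$classRef` taken from `$state['saml:sp:AuthnContext']` is echoed back to the SP via `new AuthnContextClassRef($classRef)` with no check that it is a string; an `is_string($classRef)` guard (or `->getContent()` at the point where the SP side stores it) would fail with a clear message instead of a TypeError inside the library. buildAssertion() starts and ends outside this hunk.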
