simplesamlphp
diff --git a/‎modules/saml/src/Auth/Process/ExpectedAuthnContextClassRef.php‎
Lines changed: 2 additions & 1 deletion b/‎modules/saml/src/Auth/Process/ExpectedAuthnContextClassRef.php‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎modules/saml/src/Auth/Source/SP.php‎
Lines changed: 59 additions & 36 deletions b/‎modules/saml/src/Auth/Source/SP.php‎
Lines changed: 59 additions & 36 deletions
diff --git a/‎modules/saml/src/Controller/Disco.php‎
Lines changed: 7 additions & 5 deletions b/‎modules/saml/src/Controller/Disco.php‎
Lines changed: 7 additions & 5 deletions
@@ -107,6 +107,7 @@ protected function unauthorized(array &$state): void
         );
 
         $httpUtils = new Utils\HTTP();
-        $httpUtils->redirectTrustedURL($url, ['StateId' => $id]);
+        $response = $httpUtils->redirectTrustedURL($url, ['StateId' => $id]);
+        $response->send();
     }
 }
@@ -88,6 +88,13 @@ class SP extends Auth\Source
      */
     private bool $requestInitiation;
 
+    /**
+     * The global configuration.
+     *
+     * @var \SimpleSAML\Configuration
+     */
+    private Configuration $config;
+
 
     /**
      * Constructor for SAML SP authentication source.
@@ -126,6 +133,7 @@ public function __construct(array $info, array $config)
             'Please set a valid and unique SP entityID',
         );
 
+        $this->config = Configuration::getInstance();
         $this->entityId = $entityId;
         $this->idp = $this->metadata->getOptionalString('idp', null);
         $this->discoURL = $this->metadata->getOptionalString('discoURL', null);
@@ -232,12 +240,11 @@ public function getHostedMetadata(): array
         }
 
         // add technical contact
-        $globalConfig = Configuration::getInstance();
-        $email = $globalConfig->getOptionalString('technicalcontact_email', 'na@example.org');
+        $email = $this->config->getOptionalString('technicalcontact_email', 'na@example.org');
         if (!empty($email) && $email !== 'na@example.org') {
             $contact = [
                 'emailAddress' => $email,
-                'givenName' => $globalConfig->getOptionalString('technicalcontact_name', null),
+                'givenName' => $this->config->getOptionalString('technicalcontact_name', null),
                 'contactType' => 'technical',
             ];
             $metadata['contacts'][] = Utils\Config\Metadata::getContact($contact);
@@ -320,17 +327,18 @@ public function getHostedMetadata(): array
     /**
      * Retrieve the metadata of an IdP.
      *
+     * @param \SimpleSAML\Configuration $config  The configuration
      * @param string $entityId  The entity id of the IdP.
      * @return \SimpleSAML\Configuration  The metadata of the IdP.
      */
-    public function getIdPMetadata(string $entityId): Configuration
+    public function getIdPMetadata(Configuration $config, string $entityId): Configuration
     {
         if ($this->idp !== null && $this->idp !== $entityId) {
             throw new Error\Exception('Cannot retrieve metadata for IdP ' .
                 var_export($entityId, true) . ' because it isn\'t a valid IdP for this SP.');
         }
 
-        $metadataHandler = MetaDataStorageHandler::getMetadataHandler();
+        $metadataHandler = MetaDataStorageHandler::getMetadataHandler($config);
 
         return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
     }
@@ -423,8 +431,7 @@ private function getACSEndpoints(): array
      */
     private function getSLOEndpoints(): array
     {
-        $config = Configuration::getInstance();
-        $storeType = $config->getOptionalString('store.type', 'phpsession');
+        $storeType = $this->config->getOptionalString('store.type', 'phpsession');
 
         $store = StoreFactory::getInstance($storeType);
         $bindings = $this->metadata->getOptionalArray(
@@ -726,12 +733,13 @@ public function sendSAML2LogoutRequest(Binding $binding, LogoutRequest $lr): nev
     /**
      * Send a SSO request to an IdP.
      *
+     * @param \SimpleSAML\Configuration $config
      * @param string $idp  The entity ID of the IdP.
      * @param array $state  The state array for the current authentication.
      */
-    public function startSSO(string $idp, array $state): never
+    public function startSSO(Configuration $config, string $idp, array $state): never
     {
-        $idpMetadata = $this->getIdPMetadata($idp);
+        $idpMetadata = $this->getIdPMetadata($config, $idp);
 
         $type = $idpMetadata->getString('metadata-set');
         Assert::oneOf($type, ['saml20-idp-remote']);
@@ -744,8 +752,9 @@ public function startSSO(string $idp, array $state): never
      * Start an IdP discovery service operation.
      *
      * @param array $state  The state array.
+     * @return \Symfony\Component\HttpFoundation\RedirectResponse
      */
-    private function startDisco(array $state): never
+    private function startDisco(array $state): RedirectResponse
     {
         $id = Auth\State::saveState($state, 'saml:sp:sso');
 
@@ -772,7 +781,7 @@ private function startDisco(array $state): never
         }
 
         $httpUtils = new Utils\HTTP();
-        $httpUtils->redirectTrustedURL($discoURL, $params);
+        return $httpUtils->redirectTrustedURL($discoURL, $params);
     }
 
 
@@ -781,9 +790,10 @@ private function startDisco(array $state): never
      *
      * This function saves the information about the login, and redirects to the IdP.
      *
+     * @param \Symfony\Component\HttpFoundation\Request  The current request
      * @param array &$state  Information about the current authentication.
      */
-    public function authenticate(array &$state): never
+    public function authenticate(Request $request, array &$state): Response
     {
         // We are going to need the authId in order to retrieve this authentication source later
         $state['saml:sp:AuthId'] = $this->authId;
@@ -796,7 +806,7 @@ public function authenticate(array &$state): never
 
         if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
             // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
-            $mdh = MetaDataStorageHandler::getMetadataHandler();
+            $mdh = MetaDataStorageHandler::getMetadataHandler($this->config);
             $matchedEntities = $mdh->getMetaDataForEntities($state['saml:IDPList'], 'saml20-idp-remote');
 
             if (empty($matchedEntities)) {
@@ -820,10 +830,12 @@ public function authenticate(array &$state): never
         }
 
         if ($idp === null) {
-            $this->startDisco($state);
+            $response = $this->startDisco($state);
         } else {
-            $this->startSSO($idp, $state);
+            $response = $this->startSSO($this->config, $idp, $state);
         }
+
+        return $response;
     }
 
 
@@ -861,7 +873,7 @@ public function reauthenticate(array &$state): void
              * First, check if we recognize any of the IdPs requested.
              */
 
-            $mdh = MetaDataStorageHandler::getMetadataHandler();
+            $mdh = MetaDataStorageHandler::getMetadataHandler($this->config);
             $known_idps = $mdh->getList();
             $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
@@ -896,9 +908,11 @@ public function reauthenticate(array &$state): void
                 $state['core:SP'],
             ));
 
-            $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
+            $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($this->config, $state['saml:sp:IdP']);
             $state['saml:sp:AuthId'] = $this->authId;
-            self::askForIdPChange($state);
+
+            $response = self::askForIdPChange($state);
+            return $response;
         }
 
         /*
@@ -943,10 +957,11 @@ public function reauthenticate(array &$state): void
      * - 'saml:sp:AuthId': the identifier of the current authentication source.
      * - 'core:IdP': the identifier of the local IdP.
      * - 'SPMetadata': an array with the metadata of this local SP.
+     * @return \Symfony\Component\HttpFoundation\RedirectResponse
      *
      * @throws \SAML2\Exception\Protocol\NoPassiveException In case the authentication request was passive.
      */
-    public static function askForIdPChange(array &$state): never
+    public static function askForIdPChange(array &$state): RedirectResponse
     {
         Assert::keyExists($state, 'saml:sp:IdPMetadata');
         Assert::keyExists($state, 'saml:sp:AuthId');
@@ -965,7 +980,7 @@ public static function askForIdPChange(array &$state): never
         $url = Module::getModuleURL('saml/proxy/invalidSession');
 
         $httpUtils = new Utils\HTTP();
-        $httpUtils->redirectTrustedURL($url, ['AuthState' => $id]);
+        return $httpUtils->redirectTrustedURL($url, ['AuthState' => $id]);
     }
 
 
@@ -1006,7 +1021,7 @@ public static function tryStepUpAuth(array &$state): never
      *
      * @param array $state The state array.
      */
-    public static function reauthLogout(array $state): never
+    public static function reauthLogout(Configuration $config, array $state): never
     {
         Logger::debug('Proxy: logging the user out before re-authentication.');
 
@@ -1024,8 +1039,9 @@ public static function reauthLogout(array $state): never
      * Complete login operation after re-authenticating the user on another IdP.
      *
      * @param array $state  The authentication state.
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public static function reauthPostLogin(array $state): never
+    public static function reauthPostLogin(array $state): Response
     {
         Assert::keyExists($state, 'ReturnCallback');
 
@@ -1035,7 +1051,7 @@ public static function reauthPostLogin(array $state): never
         $session->doLogin($authId, Auth\State::getPersistentAuthData($state));
 
         // resume the login process
-        call_user_func($state['ReturnCallback'], $state);
+        return call_user_func($state['ReturnCallback'], $state);
     }
 
 
@@ -1046,8 +1062,9 @@ public static function reauthPostLogin(array $state): never
      *
      * @param \SimpleSAML\IdP $idp The IdP we are logging out from.
      * @param array &$state The state array with the state during logout.
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public static function reauthPostLogout(IdP $idp, array $state): never
+    public static function reauthPostLogout(IdP $idp, array $state): Response
     {
         Assert::keyExists($state, 'saml:sp:AuthId');
 
@@ -1058,19 +1075,21 @@ public static function reauthPostLogout(IdP $idp, array $state): never
         }
 
         /** @var \SimpleSAML\Module\saml\Auth\Source\SP $sp */
-        $sp = Auth\Source::getById($state['saml:sp:AuthId'], Module\saml\Auth\Source\SP::class);
+        $sp = Auth\Source::getById($state['saml:sp:AuthId'], static::class);
 
         Logger::debug('Proxy: logging in again.');
-        $sp->authenticate($state);
+        $request = Request::createFromGlobals();
+        return $sp->authenticate($request, $state);
     }
 
 
     /**
      * Start a SAML 2 logout operation.
      *
+     * @param \SimpleSAML\Configuration $config  The configuration
      * @param array $state  The logout state.
      */
-    public function startSLO2(array &$state): void
+    public function startSLO2(Configuration $config, array &$state): void
     {
         Assert::keyExists($state, 'saml:logout:IdP');
         Assert::keyExists($state, 'saml:logout:NameID');
@@ -1082,7 +1101,7 @@ public function startSLO2(array &$state): void
         $nameId = $state['saml:logout:NameID'];
         $sessionIndex = $state['saml:logout:SessionIndex'];
 
-        $idpMetadata = $this->getIdPMetadata($idp);
+        $idpMetadata = $this->getIdPMetadata($config, $idp);
 
         /** @var array $endpoint */
         $endpoint = $idpMetadata->getEndpointPrioritizedByBinding(
@@ -1151,13 +1170,14 @@ public function logout(array &$state): void
      * @param array $state  The authentication state.
      * @param string $idp  The entity id of the IdP.
      * @param array $attributes  The attributes.
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public function handleResponse(array $state, string $idp, array $attributes): never
+    public function handleResponse(array $state, string $idp, array $attributes): Response
     {
         Assert::keyExists($state, 'LogoutState');
         Assert::keyExists($state['LogoutState'], 'saml:logout:Type');
 
-        $idpMetadata = $this->getIdPMetadata($idp);
+        $idpMetadata = $this->getIdPMetadata($this->config, $idp);
 
         $spMetadataArray = $this->metadata->toArray();
         $idpMetadataArray = $idpMetadata->toArray();
@@ -1187,19 +1207,20 @@ public function handleResponse(array $state, string $idp, array $attributes): ne
         $pc = new Auth\ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
         $pc->processState($authProcState);
 
-        self::onProcessingCompleted($authProcState);
+        return self::onProcessingCompleted($authProcState);
     }
 
 
     /**
      * Handle a logout request from an IdP.
      *
      * @param string $idpEntityId  The entity ID of the IdP.
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public function handleLogout(string $idpEntityId): never
+    public function handleLogout(string $idpEntityId): Response
     {
         /* Call the logout callback we registered in onProcessingCompleted(). */
-        $this->callLogoutCallback($idpEntityId);
+        return $this->callLogoutCallback($idpEntityId);
     }
 
 
@@ -1223,16 +1244,18 @@ public static function handleUnsolicitedAuth(string $authId, array $state, strin
         $session->doLogin($authId, Auth\State::getPersistentAuthData($state));
 
         $httpUtils = new Utils\HTTP();
-        $httpUtils->redirectUntrustedURL($redirectTo);
+        $response = $httpUtils->redirectUntrustedURL($redirectTo);
+        $response->send();
     }
 
 
     /**
      * Called when we have completed the procssing chain.
      *
      * @param array $authProcState  The processing chain state.
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public static function onProcessingCompleted(array $authProcState): never
+    public static function onProcessingCompleted(array $authProcState): Response
     {
         Assert::keyExists($authProcState, 'saml:sp:IdP');
         Assert::keyExists($authProcState, 'saml:sp:State');
@@ -1264,6 +1287,6 @@ public static function onProcessingCompleted(array $authProcState): never
             self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
         }
 
-        Auth\Source::completeAuth($state);
+        return Auth\Source::completeAuth($state);
     }
 }
@@ -5,8 +5,9 @@
 namespace SimpleSAML\Module\saml\Controller;
 
 use SimpleSAML\Configuration;
-use SimpleSAML\HTTP\RunnableResponse;
 use SimpleSAML\XHTML\IdPDisco;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 
 /**
  * Controller class for the saml module.
@@ -33,11 +34,12 @@ public function __construct(
     /**
      * Built-in IdP discovery service
      *
-     * @return \SimpleSAML\HTTP\RunnableResponse
+     * @param \Symfony\Component\HttpFoundation\Request $request
+     * @return \Symfony\Component\HttpFoundation\Response
      */
-    public function disco(): RunnableResponse
+    public function disco(Request $request): Response
     {
-        $disco = new IdPDisco(['saml20-idp-remote'], 'saml');
-        return new RunnableResponse([$disco, 'handleRequest']);
+        $disco = new IdPDisco($request, ['saml20-idp-remote'], 'saml');
+        return $disco->handleRequest();
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,7 @@ protected function unauthorized(array &$state): void`
`107`	`107`	`);`
`108`	`108`
`109`	`109`	`$httpUtils = new Utils\HTTP();`
`110`		`- $httpUtils->redirectTrustedURL($url, ['StateId' => $id]);`
	`110`	`+ $response = $httpUtils->redirectTrustedURL($url, ['StateId' => $id]);`
	`111`	`+ $response->send();`
`111`	`112`	`}`
`112`	`113`	`}`