Delay samlGotAuthnRequest after signature validation (#2793)
parent
ce0e4ff033
commit
9a8880e3c8
@ -398,50 +398,18 @@ sub run {
|
||||||
return PE_SAML_SSO_ERROR;
|
return PE_SAML_SSO_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $h =
|
|
||||||
$self->p->processHook( $req, 'samlGotAuthnRequest', $login );
|
|
||||||
return $h if ( $h != PE_OK );
|
|
||||||
|
|
||||||
# Get SP entityID
|
# Get SP entityID
|
||||||
my $sp = $request ? $login->remote_providerID() : $idp_initiated_sp;
|
my $sp = $request ? $login->remote_providerID() : $idp_initiated_sp;
|
||||||
|
|
||||||
$self->logger->debug("Found entityID $sp in SAML message");
|
$self->logger->debug("Found entityID $sp in SAML message");
|
||||||
$req->env->{llng_saml_sp} = $sp;
|
|
||||||
|
|
||||||
# SP conf key
|
# SP conf key
|
||||||
my $spConfKey = $self->spList->{$sp}->{confKey};
|
my $spConfKey = $self->spList->{$sp}->{confKey};
|
||||||
|
|
||||||
unless ($spConfKey) {
|
unless ($spConfKey) {
|
||||||
$self->userLogger->error(
|
$self->userLogger->error(
|
||||||
"$sp do not match any SP in configuration");
|
"$sp do not match any SP in configuration");
|
||||||
return PE_SAML_UNKNOWN_ENTITY;
|
return PE_SAML_UNKNOWN_ENTITY;
|
||||||
}
|
}
|
||||||
|
|
||||||
$self->logger->debug("$sp match $spConfKey SP in configuration");
|
$self->logger->debug("$sp match $spConfKey SP in configuration");
|
||||||
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
|
||||||
|
|
||||||
if ( $login->request ) {
|
|
||||||
my $acs = $login->request->AssertionConsumerServiceURL;
|
|
||||||
if ($acs) {
|
|
||||||
$req->env->{llng_saml_acs} = $acs;
|
|
||||||
$self->logger->debug(
|
|
||||||
"Using AssertionConsumerServiceURL $acs");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Check access rule
|
|
||||||
if ( my $rule = $self->spRules->{$spConfKey} ) {
|
|
||||||
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
|
||||||
$self->userLogger->warn( 'User '
|
|
||||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
|
||||||
. " is not authorized to access to $spConfKey" );
|
|
||||||
return PE_UNAUTHORIZEDPARTNER;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->userLogger->notice( 'User '
|
|
||||||
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
|
||||||
. " is authorized to access to $spConfKey" );
|
|
||||||
|
|
||||||
# Do we check signature?
|
# Do we check signature?
|
||||||
my $checkSSOMessageSignature =
|
my $checkSSOMessageSignature =
|
||||||
|
@ -473,6 +441,37 @@ sub run {
|
||||||
$self->logger->debug("Message signature will not be checked");
|
$self->logger->debug("Message signature will not be checked");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Hook must be run after processAuthnRequestMsg
|
||||||
|
my $h =
|
||||||
|
$self->p->processHook( $req, 'samlGotAuthnRequest', $login );
|
||||||
|
return $h if ( $h != PE_OK );
|
||||||
|
|
||||||
|
# Set environment for rule/macro evaluation
|
||||||
|
$req->env->{llng_saml_sp} = $sp;
|
||||||
|
$req->env->{llng_saml_spconfkey} = $spConfKey;
|
||||||
|
if ( $login->request ) {
|
||||||
|
my $acs = $login->request->AssertionConsumerServiceURL;
|
||||||
|
if ($acs) {
|
||||||
|
$req->env->{llng_saml_acs} = $acs;
|
||||||
|
$self->logger->debug(
|
||||||
|
"Using AssertionConsumerServiceURL $acs");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check access rule
|
||||||
|
if ( my $rule = $self->spRules->{$spConfKey} ) {
|
||||||
|
unless ( $rule->( $req, $req->sessionInfo ) ) {
|
||||||
|
$self->userLogger->warn( 'User '
|
||||||
|
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||||
|
. " is not authorized to access to $spConfKey" );
|
||||||
|
return PE_UNAUTHORIZEDPARTNER;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$self->userLogger->notice( 'User '
|
||||||
|
. $req->sessionInfo->{ $self->conf->{whatToTrace} }
|
||||||
|
. " is authorized to access to $spConfKey" );
|
||||||
|
|
||||||
my $nameIDFormat;
|
my $nameIDFormat;
|
||||||
|
|
||||||
# Check NameID Policy in request
|
# Check NameID Policy in request
|
||||||
|
|
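Review bot: The new comment `# Hook must be run after processAuthnRequestMsg` at the top of the second hunk says where the hook must sit but not why, and since the whole point of this commit is that plugins only ever see an AuthnRequest whose signature has already been checked, the reason should be in the code so a later refactor does not quietly reorder it, e.g. `# Hook must run after processAuthnRequestMsg: only then has the message signature been validated, so plugins never act on an unverified AuthnRequest`. A side effect of the move is that `$req->env->{llng_saml_sp}`, `llng_saml_spconfkey` and `llng_saml_acs` are now populated only after the hook returns, whereas before this commit `llng_saml_sp` and `llng_saml_spconfkey` were set before it (see the removed lines in the first hunk), so any `samlGotAuthnRequest` plugin that read them from `$req->env` now gets undef; if that is unintended, the `# Set environment for rule/macro evaluation` block can be moved above the `processHook` call without weakening the signature-first ordering, because `$sp` and `$spConfKey` are already computed by then. The unchanged debug line `Found entityID $sp in SAML message` still interpolates the sender-supplied entityID before any signature check, which is acceptable at debug level but worth remembering when reviewing log handling, since at that point the value is unauthenticated input. The enclosing `sub run` starts and ends outside both hunks.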