From de8f5adf964aba90b0b1b8d10a5743dad3ffd93c Mon Sep 17 00:00:00 2001
From: Maxime Besson <maxime.besson@worteks.com>
Date: Thu, 23 Sep 2021 16:28:26 +0200
Subject: [PATCH] Reorder SAML bindings to put default ACS first (#2621)

This is just in case we interact with a dumb SP who doesn't implement
isDefault correctly. And to preserve (almost) byte-for-byte metadata
content for existing installations
---
 .../Lemonldap/NG/Common/Conf/SAML/Metadata.pm | 31 ++++++++++++++++---
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
index d75e71917..cc8d59e7f 100644
--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
+++ b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm
@@ -164,12 +164,22 @@ sub serviceToXML {
       samlIDPSSODescriptorArtifactResolutionServiceArtifact
     );
 
+    my %indexed_endpoints;
     foreach (@param_assertion) {
         my @_tab = split( /;/, $self->getValue( $_, $conf ) );
-        $template->param( $_ . 'Default', $_tab[0] ? 'true' : 'false' );
-        $template->param( $_ . 'Index',   $_tab[1] );
-        $template->param( $_ . 'Binding', $_tab[2] );
-        $template->param( $_ . 'Location', $_tab[3] );
+        $indexed_endpoints{ $_ . 'Default' }  = ( $_tab[0] ? 'true' : 'false' );
+        $indexed_endpoints{ $_ . 'Index' }    = $_tab[1];
+        $indexed_endpoints{ $_ . 'Binding' }  = $_tab[2];
+        $indexed_endpoints{ $_ . 'Location' } = $_tab[3];
+    }
+    $template->param(%indexed_endpoints);
+
+    if (
+        $indexed_endpoints{samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactDefault}
+        eq 'true'
+      )
+    {
+        $template->param( "ACSArtifactDefault" => 1 );
     }
 
     # Return the XML metadata.
@@ -310,6 +320,7 @@ __DATA__
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:entity</NameIDFormat>
     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+    <TMPL_IF ACSArtifactDefault>
     <AssertionConsumerService
       isDefault="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactDefault">"
       index="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactIndex">"
@@ -320,6 +331,18 @@ __DATA__
       index="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostIndex">"
       Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostBinding">"
       Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostLocation">" />
+    <TMPL_ELSE>
+    <AssertionConsumerService
+      isDefault="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostDefault">"
+      index="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostIndex">"
+      Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostBinding">"
+      Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPPostLocation">" />
+    <AssertionConsumerService
+      isDefault="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactDefault">"
+      index="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactIndex">"
+      Binding="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactBinding">"
+      Location="<TMPL_VAR NAME="samlSPSSODescriptorAssertionConsumerServiceHTTPArtifactLocation">" />
+    </TMPL_IF>
   </SPSSODescriptor>
   </TMPL_UNLESS>