kingstarter / laravel-saml

A laravel 5.4 / 5.5 SAML plugin that transforms laravel into an IDP.
MIT License
55 stars 29 forks

inResponseTo Error #20

Open Tazoeur opened 5 years ago

Tazoeur commented 5 years ago

Hi

I think the response created in Http/Traits/SamlAuth.php:138 should also contain a "set in response to":

    // Generate the response object
    $response = new \LightSaml\Model\Protocol\Response();
    $response
        ->addAssertion($assertion = new \LightSaml\Model\Assertion\Assertion())
        ->setID(\LightSaml\Helper::generateID())
        ->setIssueInstant(new \DateTime())
        ->setInResponseTo($authnRequest->getId())
        ->setDestination($destination)
        ->setIssuer(new \LightSaml\Model\Assertion\Issuer($issuer))
        ->setStatus(new \LightSaml\Model\Protocol\Status(new \LightSaml\Model\Protocol\StatusCode(\LightSaml\SamlConstants::STATUS_SUCCESS)))
        ->setSignature(new \LightSaml\Model\XmlDSig\SignatureWriter($certificate, $privateKey));

so the SP that checks where the response comes from could not assume that the request is unsolicited.
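The other half of this concern sits on the SP side: once the IdP emits InResponseTo, the SP must actually compare it against the AuthnRequest IDs it has outstanding, or the attribute gives no protection. The following is an added illustration of that check, not code from laravel-saml or from the issue; it uses plain DOMDocument rather than the LightSaml API, an in-memory array standing in for session or cache storage, and a constructed minimal Response document with made-up IDs and URLs.

```php
<?php
// Added example: SP-side validation that a SAML Response answers an AuthnRequest
// this SP actually sent. Storage, XML and identifiers are all constructed here.

final class OutstandingRequests
{
    /** @var array<string,int> AuthnRequest ID => expiry as a unix timestamp */
    private array $ids = [];

    public function __construct(private int $ttlSeconds = 300) {}

    // Called when the SP sends an AuthnRequest: remember its ID until it expires.
    public function remember(string $requestId, int $now): void
    {
        $this->ids[$requestId] = $now + $this->ttlSeconds;
    }

    // Consume an ID exactly once; a replayed or expired ID is rejected.
    public function consume(string $requestId, int $now): bool
    {
        if (!isset($this->ids[$requestId])) {
            return false;
        }
        $expiresAt = $this->ids[$requestId];
        unset($this->ids[$requestId]); // single use
        return $now <= $expiresAt;
    }
}

// Read the InResponseTo attribute from the root <samlp:Response> element.
// Returns null when the document is not a Response or carries no InResponseTo.
function extractInResponseTo(string $xml): ?string
{
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; a DOCTYPE is rejected outright so no
    // entity tricks are possible on untrusted input.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return null;
    }
    $root = $doc->documentElement;
    if ($root === null
        || $root->namespaceURI !== 'urn:oasis:names:tc:SAML:2.0:protocol'
        || $root->localName !== 'Response') {
        return null;
    }
    return $root->hasAttribute('InResponseTo') ? $root->getAttribute('InResponseTo') : null;
}

// Decide whether an incoming Response may be treated as a reply to our request.
// A Response without InResponseTo is unsolicited (IdP-initiated); this SP does
// not support that flow, so it is refused rather than silently accepted.
function acceptResponse(string $xml, OutstandingRequests $store, int $now): bool
{
    $inResponseTo = extractInResponseTo($xml);
    if ($inResponseTo === null) {
        return false;
    }
    return $store->consume($inResponseTo, $now);
}

// Constructed demonstration data (IDs, timestamps and URL are invented).
$store = new OutstandingRequests(300);
$store->remember('_req-1234', 1700000000);

$solicited = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="_resp-1" Version="2.0" IssueInstant="2023-11-14T22:13:20Z"'
    . ' InResponseTo="_req-1234" Destination="https://sp.example.test/acs"/>';
$unsolicited = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="_resp-2" Version="2.0" IssueInstant="2023-11-14T22:13:20Z"/>';

var_dump(acceptResponse($solicited, $store, 1700000010));   // matches the stored request
var_dump(acceptResponse($solicited, $store, 1700000011));   // same ID again: already consumed
var_dump(acceptResponse($unsolicited, $store, 1700000010)); // no InResponseTo: unsolicited
```

The single-use store is what turns InResponseTo into a replay control as well as a correlation check; in a real deployment the array would be the user's session or a shared cache keyed by request ID, and the expiry should be no longer than the AuthnRequest's own validity window.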