protected function SamlService::processLoginResponse in SAML Authentication 4.x

Same name and namespace in other branches
  1. 8.3 src/SamlService.php \Drupal\samlauth\SamlService::processLoginResponse()

Processes a SAML authentication response; throws an exception if invalid.

The mechanics of checking whether there are any errors are not so straightforward, so this helper function hopes to abstract that away.

@todo should we also check a Response against the ID of the request we sent earlier? Seems to be not absolutely required on top of the validity / signature checks which the library already does - but every extra check is good. Maybe make it optional.

1 call to SamlService::processLoginResponse()
SamlService::acs in src/SamlService.php
Processes a SAML response (Assertion Consumer Service).

File

src/SamlService.php, line 397

Class

SamlService
Governs communication between the SAML toolkit and the IdP / login behavior.

Namespace

Drupal\samlauth

Code

protected function processLoginResponse() {
  $config = $this->configFactory->get('samlauth.authentication');
  $auth = $this->getSamlAuth('acs');

  // This call can throw various kinds of exceptions if the 'SAMLResponse'
  // request parameter is not present or cannot be decoded into a valid SAML
  // (XML) message, and can also set error conditions instead - if the XML
  // contains data that is not considered valid. We should likely treat all
  // error conditions the same.
  $auth->processResponse();
  if ($config->get('debug_log_saml_in')) {
    $this->logger->debug('ACS received SAML response: <pre>@message</pre>', [
      '@message' => $auth->getLastResponseXML(),
    ]);
  }
  $errors = $auth->getErrors();
  if ($errors) {
    // We have one or multiple error types / short descriptions, and one
    // 'reason' for the last error.
    throw new \RuntimeException('Error(s) encountered during processing of authentication response. Type(s): ' . implode(', ', array_unique($errors)) . '; reason given for last error: ' . $auth->getLastErrorReason());
  }
  if (!$auth->isAuthenticated()) {
    // Looking at the current code, isAuthenticated() just means "response
    // is valid" because it is mutually exclusive with $errors and exceptions
    // being thrown. So we should never get here. We're just checking it in
    // case the library code changes - in which case we should reevaluate.
    throw new \RuntimeException('SAML authentication response was apparently not fully validated even when no error was provided.');
  }
}
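The @todo in the docblock asks whether the Response should also be checked against the ID of the AuthnRequest the SP sent. The following is an added example (not samlauth's own code) of how that binding fits around the same error handling as above; it assumes the OneLogin php-saml Auth API that samlauth wraps (login() with $stay = TRUE, getLastRequestID(), processResponse($requestId)) and plain PHP sessions rather than Drupal's session handling.

```php
<?php
// Added example, not samlauth code: remember the AuthnRequest ID when login
// starts, then bind the IdP's Response to that ID at the ACS endpoint.
// Assumes the OneLogin php-saml Auth API and an already started PHP session.
use OneLogin\Saml2\Auth;

/**
 * Starts SP-initiated login and records the outgoing request ID.
 */
function startLogin(Auth $auth, string $returnTo): void {
  // login() builds the AuthnRequest; with $stay = TRUE it returns the IdP
  // redirect URL instead of redirecting and exiting itself.
  $url = $auth->login($returnTo, [], FALSE, FALSE, TRUE);
  $_SESSION['samlauth_request_id'] = $auth->getLastRequestID();
  header('Location: ' . $url);
}

/**
 * Processes the Response at the ACS endpoint and rejects one whose
 * InResponseTo does not match the request this session sent.
 */
function processLoginResponseBound(Auth $auth): void {
  $requestId = $_SESSION['samlauth_request_id'] ?? NULL;
  // Consume the ID so the same Response cannot be presented a second time.
  unset($_SESSION['samlauth_request_id']);
  if ($requestId === NULL) {
    // No pending request: an unsolicited (IdP-initiated) Response. Refuse it
    // when only SP-initiated logins are wanted.
    throw new \RuntimeException('No pending SAML request for this session.');
  }
  // Passing the ID makes the library compare it with the Response's
  // InResponseTo as part of its validity checks, on top of signature checks.
  $auth->processResponse($requestId);
  $errors = $auth->getErrors();
  if ($errors) {
    throw new \RuntimeException(sprintf(
      'Error(s) encountered during processing of authentication response. Type(s): %s; reason given for last error: %s',
      implode(', ', array_unique($errors)),
      (string) $auth->getLastErrorReason()
    ));
  }
  if (!$auth->isAuthenticated()) {
    throw new \RuntimeException('SAML authentication response was apparently not fully validated even when no error was provided.');
  }
}
```

Inside Drupal the same two steps would use the service's getSamlAuth() and a private tempstore keyed to the session instead of $_SESSION.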