From ef48a8c0959ca7beb2c6c25dd2aadcbe3eb8abd3 Mon Sep 17 00:00:00 2001
From: Francis Devine
Date: Wed, 27 Mar 2024 14:50:27 +1300
Subject: [PATCH] auth_saml2 Ignore invalid idp request parameters
If the client sends us an idp request parameter that doesn't exist, we simply ignore it, instead of setting it in the session. This can happen if user's store an old link, becuase saml2 sends you to default idp if it doesn't match, but the session variable still gets set to the invalid nonexisting idp
---
 classes/auth.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/classes/auth.php b/classes/auth.php
index b10686683..d416b443f 100644
--- a/classes/auth.php
+++ b/classes/auth.php
@@ -619,7 +619,14 @@ public function saml_login() {
 $this->error_page(get_string('noidpfound', 'auth_saml2', $idpalias));
 }
 } else if (isset($_GET['idp'])) {
- $SESSION->saml2idp = $_GET['idp'];
+ // Requested IDP by parameter.
+ $idp == $_GET['idp'];
+ // Check it exists in our list of valid IDP's otherwise ignore it, the default should be used instead.
+ foreach ($this->metadataentities as $md5identityhash => $idpentity) {
+ if ($idp == $md5identityhash) {
+ $SESSION->saml2idp = $idpentity->md5entityid;
+ }
+ }
 } else if (!is_null($this->defaultidp)) {
 $SESSION->saml2idp = $this->defaultidp->md5entityid;
 } else if ($this->multiidp) {
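Review bot: `$idp == $_GET['idp'];` on the second added line is a comparison, not an assignment, so `$idp` is never populated from the request and the foreach below compares the keys against whatever `$idp` held before (undefined, or a value set earlier in saml_login, whose body lies outside the hunk), meaning a valid requested idp is never honoured; it should read `$idp = $_GET['idp'];`. The loop's `$idp == $md5identityhash` should also be `===`: the keys look like md5 hex strings, and PHP's loose comparison treats two numeric-looking strings (e.g. ones of the form `0e` followed by digits) as equal, so a crafted value could match an unrelated entry. Since the keys are the hashes themselves, the loop can be replaced by a direct lookup that also rejects non-string input such as `idp[]=x`: `if (is_string($idp) && isset($this->metadataentities[$idp])) { $SESSION->saml2idp = $this->metadataentities[$idp]->md5entityid; }`. Note that when the value is unknown nothing is assigned in this branch, so a stale `$SESSION->saml2idp` from an earlier request would persist unless something later in the function resets it, which is worth confirming given the description says the default should be used instead.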