From 04172e21ac5c1a0e4f64a5deac4b8b025ee7aa7a Mon Sep 17 00:00:00 2001
From: Francis Devine
Date: Wed, 27 Mar 2024 14:50:27 +1300
Subject: [PATCH] auth_saml2 Ignore invalid idp request parameters

If the client sends us an idp request parameter that doesn't exist, we simply ignore it, instead of setting it in the session. This can happen if user's store an old link, becuase saml2 sends you to default idp if it doesn't match, but the session variable still gets set to the invalid nonexisting idp
---
 classes/auth.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/classes/auth.php b/classes/auth.php
index b4841ee48..d2b373347 100644
--- a/classes/auth.php
+++ b/classes/auth.php
@@ -577,7 +577,14 @@ public function saml_login() {
 $this->error_page(get_string('noidpfound', 'auth_saml2', $idpalias));
 }
 } else if (isset($_GET['idp'])) {
- $SESSION->saml2idp = $_GET['idp'];
+ // Requested IDP by parameter.
+ $idp == $_GET['idp'];
+ // Check it exists in our list of valid IDP's otherwise ignore it, the default should be used instead.
+ foreach ($this->metadataentities as $md5identityhash => $idpentity) {
+ if ($idp == $md5identityhash) {
+ $SESSION->saml2idp = $idpentity->md5entityid;
+ }
+ }
 } else if (!is_null($this->defaultidp)) {
 $SESSION->saml2idp = $this->defaultidp->md5entityid;
 } else if ($this->multiidp) {
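Review bot: The added line `$idp == $_GET['idp'];` is a comparison, not an assignment, so `$idp` never receives the request value and the foreach compares against whatever `$idp` held before (undefined, or a stale value if saml_login assigned it earlier — the function starts outside this hunk); in practice no entry can match and the session IDP is never set from the parameter, defeating the purpose of the change. It should read `$idp = $_GET['idp'];`. The inner `$idp == $md5identityhash` should also be strict, `if ($idp === $md5identityhash) {`, since loose `==` between two numeric-looking strings (md5 hashes can be of the form `0e…`) compares them as numbers and can match the wrong entry; strict comparison also avoids a TypeError-free mismatch when `idp` arrives as an array (`?idp[]=`). Since `$this->metadataentities` is keyed by the hash, a direct `isset($this->metadataentities[$idp])` lookup would express the same check without the loop, but the two one-line fixes above are the minimum needed for the commit to work as described.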