Added the option to send users straight to selfserviceUrl when they don't have token with high enough LOA

doedje · thijskh · commit 6f33dc7872fe · 2024-03-19T13:26:56.000+01:00
In stead of throwing an error we send people to a nice readable page with information about how to get a token with the right LOA.
diff --git a/src/Controller/SFO.php b/src/Controller/SFO.php
@@ -108,17 +108,30 @@ public function acs(): Template
             $assertions = Message::processResponse($spMetadata, $idpMetadata, $response);
         } catch (Module\saml\Error $e) {
             // the status of the response wasn't "success"
-            Logger::debug('SFO - status response received, showing error page.');
+            $redirect = $idpMetadata->getOptionalBoolean('sfo:redirectToSelfserviceUrl', false);
+            $selfserviceUrl = $idpMetadata->getOptionalString('sfo:selfserviceUrl', '');
 
-            $t = new Template($this->config, 'stepupsfo:handlestatus.twig');
-            $t->data['status'] = $e->getStatus();
-            $t->data['subStatus'] = $e->getSubStatus();
-            $t->data['statusMessage'] = $e->getStatusMessage();
-            $t->data['selfserviceUrl'] = $idpMetadata->getOptionalString('sfo:selfserviceUrl', '');
+            if ($redirect &&
+                !empty($selfserviceUrl) &&
+                $e->getStatus() == 'urn:oasis:names:tc:SAML:2.0:status:Responder' &&
+                $e->getSubStatus() == 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext') {
+                Logger::debug('SFO - token of demanded LOA is not available, redirecting to selfserviceUrl.');
 
-            return $t;
-        }
+                header('Location: '. $selfserviceUrl);
+                exit();
+
+            } else {
+                Logger::debug('SFO - status response received, showing error page.');
 
+                $t = new Template($this->config, 'stepupsfo:handlestatus.twig');
+                $t->data['status'] = $e->getStatus();
+                $t->data['subStatus'] = $e->getSubStatus();
+                $t->data['statusMessage'] = $e->getStatusMessage();
+                $t->data['selfserviceUrl'] = $selfserviceUrl;
+
+                return $t;
+            }
+        }
         Logger::debug('SFO - successful response received, resume processing');
         Auth\ProcessingChain::resumeProcessing($prestate);
     }
