Ensure compatibility with SSP >= 1.17

Author: thijskh

templates/handlestatus.twig

@@ -0,0 +1,36 @@
+{% set pagetitle = 'Error while performing second factor authentication'|trans %}
+{% extends "base.twig" %}
+{% block content %}
+
+<h2>{{ pagetitle }}</h2>
+
+{% if status == "urn:oasis:names:tc:SAML:2.0:status:Responder" and subStatus == "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed" %}
+
+	<p>{{ 'Authentication not successful:' | trans }}<br/><br/>
+
+	<strong>
+	    {{ statusMessage }}
+	</strong></p>
+
+{% elseif status == "urn:oasis:names:tc:SAML:2.0:status:Responder" and subStatus == "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext" %}
+
+	<p>{{ 'You could not be authenticated at the requested level.' | trans }}<br/>
+
+	{{ statusMessage }}</p>
+
+	<p>{{ 'Do you have a token registered with the required level?' | trans }}<br/><br/>
+	{% trans %}Please go to the <a href="{{ selfserviceUrl }}">Selfservice Registration Portal</a>
+	to review or enroll your token.{% endtrans %}</p>
+
+{% else %}
+
+	<p>Unexpected error occurred while performing second factor authentication.<br/><br/>
+	{{ status }}<br/>
+	{{ subStatus }}<br/>
+	{{ statusMessage }}</p>
+
+	<p>Please try again or contact your support desk.</p>
+
+{% endif %}
+
+{% endblock %}

www/acs.php

@@ -7,6 +7,21 @@
  * @package SimpleSAMLphp
  */
 
+function handleStatusResponse($exception, $selfserviceurl)
+{
+    // the status of the response wasn't "success"
+    SimpleSAML\Logger::debug('SFO - status response received, showing error page.');
+    $config = SimpleSAML_Configuration::getInstance();
+
+    $t = new SimpleSAML_XHTML_Template($config, 'stepupsfo:handlestatus.php');
+    $t->data['status'] = $exception->getStatus();
+    $t->data['subStatus'] = $exception->getSubStatus();
+    $t->data['statusMessage'] = $exception->getStatusMessage();
+    $t->data['selfserviceUrl'] = $selfserviceurl;
+    $t->show();
+    exit();
+}
+
 SimpleSAML\Logger::debug('SFO - receiving response');
 
 $b = \SAML2\Binding::getCurrentBinding();
@@ -54,17 +69,11 @@
 try {
     $assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
 } catch (sspmod_saml_Error $e) {
-    // the status of the response wasn't "success"
-    SimpleSAML\Logger::debug('SFO - status response received, showing error page.');
-    $config = SimpleSAML_Configuration::getInstance();
-
-    $t = new SimpleSAML_XHTML_Template($config, 'stepupsfo:handlestatus.php');
-    $t->data['status'] = $e->getStatus();
-    $t->data['subStatus'] = $e->getSubStatus();
-    $t->data['statusMessage'] = $e->getStatusMessage();
-    $t->data['selfserviceUrl'] = $idpMetadata->getString('sfo:selfserviceUrl', '');
-    $t->show();
-    exit();
+    // the status of the response wasn't "success" (SSP < 1.17)
+    handleStatusResponse($e, $idpMetadata->getString('sfo:selfserviceUrl', ''));
+} catch (SimpleSAML\Module\saml\Error $e) {
+    // the status of the response wasn't "success" (SSP >= 1.17)
+    handleStatusResponse($e, $idpMetadata->getString('sfo:selfserviceUrl', ''));
 }
 
 SimpleSAML\Logger::debug('SFO - successful response received, resume processing');