diff --git a/app/services/saml_request_validator.rb b/app/services/saml_request_validator.rb index 3baaa584367..6ed756cd567 100644 --- a/app/services/saml_request_validator.rb +++ b/app/services/saml_request_validator.rb @@ -59,6 +59,9 @@ def authorized_service_provider end def authorized_authn_context + # if there is no service provider, an error has already been added + return unless service_provider.present? + if !valid_authn_context? || (identity_proofing_requested? && !service_provider.identity_proofing_allowed?) || (ial_max_requested? && !service_provider.ialmax_allowed?) || @@ -74,7 +77,7 @@ def parsable_vtr end def registered_cert_exists - # if there is no service provider, this error has already been added + # if there is no service provider, an error has already been added return if service_provider.blank? return if service_provider.certs.present? return unless service_provider.encrypt_responses? diff --git a/spec/controllers/saml_idp_controller_spec.rb b/spec/controllers/saml_idp_controller_spec.rb index a64c70fa9ef..901b5ed18bd 100644 --- a/spec/controllers/saml_idp_controller_spec.rb +++ b/spec/controllers/saml_idp_controller_spec.rb @@ -1418,14 +1418,12 @@ def name_id_version(format_urn) expect(controller).to render_template('saml_idp/auth/error') expect(response.status).to eq(400) - expect(response.body).to include(t('errors.messages.unauthorized_authn_context')) expect(response.body).to include(t('errors.messages.unauthorized_service_provider')) expect(@analytics).to have_logged_event( 'SAML Auth', hash_including( success: false, error_details: { - authn_context: { unauthorized_authn_context: true }, service_provider: { unauthorized_service_provider: true }, }, nameid_format: Saml::Idp::Constants::NAME_ID_FORMAT_PERSISTENT, @@ -1440,7 +1438,7 @@ def name_id_version(format_urn) ) expect(@analytics).to have_logged_event( :sp_integration_errors_present, - error_details: ['Unauthorized Service Provider', 'Unauthorized authentication context'], + error_details: ['Unauthorized Service Provider'], error_types: { saml_request_errors: true }, event: :saml_auth_request, integration_exists: false, diff --git a/spec/services/saml_request_validator_spec.rb b/spec/services/saml_request_validator_spec.rb index 34dfcccef0b..ecfae1008e8 100644 --- a/spec/services/saml_request_validator_spec.rb +++ b/spec/services/saml_request_validator_spec.rb @@ -87,7 +87,7 @@ end context 'valid authn context and invalid sp and authorized nameID format' do - let(:sp) { ServiceProvider.find_by(issuer: 'foo') } + let(:sp) { nil } it 'returns FormResponse with success: false' do expect(response.to_h).to eq( @@ -96,6 +96,42 @@ **extra, ) end + + context 'when identity proofing is requested' do + let(:authn_context) { [Saml::Idp::Constants::IAL_VERIFIED_ACR] } + + it 'returns FormResponse with success: false' do + expect(response.to_h).to eq( + success: false, + error_details: { service_provider: { unauthorized_service_provider: true } }, + **extra, + ) + end + end + + context 'when IALmax is requested' do + let(:authn_context) { [Saml::Idp::Constants::IALMAX_AUTHN_CONTEXT_CLASSREF] } + + it 'returns FormResponse with success: false' do + expect(response.to_h).to eq( + success: false, + error_details: { service_provider: { unauthorized_service_provider: true } }, + **extra, + ) + end + end + + context 'when facial matching is requested' do + let(:authn_context) { [Saml::Idp::Constants::IAL_VERIFIED_FACIAL_MATCH_REQUIRED_ACR] } + + it 'returns FormResponse with success: false' do + expect(response.to_h).to eq( + success: false, + error_details: { service_provider: { unauthorized_service_provider: true } }, + **extra, + ) + end + end end context 'valid authn context and unauthorized nameid format' do @@ -302,7 +338,6 @@ expect(response.to_h).to eq( success: false, error_details: { - authn_context: { unauthorized_authn_context: true }, service_provider: { unauthorized_service_provider: true }, }, **extra,