Development #52

For ID-FF 1.2 and SAML 2.0, check that issuer of response is the one we are waiting for

Added by Benjamin Dauvergne almost 14 years ago. Updated more than 13 years ago.

Status:
New
Priority:
Normal
Assigned to:
-
Category:
Core
Target version:
Start:
22 May 2010
Due date:
% Done:

0%

Estimated time:
Patch proposed:
Planning:

Description

Currently it can happen that we accept a response, or an assertion, not coming from the expected issuer. We should always check for it, if possible (for asynchronous bindings, if the user did not keep the original profile object, we will not be able to know which provider was targeted by a request).

It should be possible to deactivate this check for debugging purposes.

From the point of view of a caller using an asynchronous binding (redirect or POST) it should be simple; no dumping of the whole profile should be necessary. The two things to match are that the response is to a request we emitted (so check the InResponseTo attribute) and that the issuer is the one targeted by the request.

The first can be done by the profile itself if the request is still present; if it is not, an accessor must be provided to get to the InResponseTo field easily for ID-FF 1.2 and SAMLv2 (lasso_profile_get_in_response_to() would be ok).

The second one can also be done easily if the request is still in the profile object, or by the caller through other means, helped by an accessor.

A flag on the profile should indicate that the caller will do the job instead of Lasso, otherwise the absence of the request would result in a failure.
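The two checks described in this issue, as an added standalone example that is not Lasso code and does not use the Lasso API. It handles SAML 2.0 only (ID-FF 1.2 carries a ProviderID element instead of saml:Issuer). The `pending_requests` mapping (request ID to the entityID of the IdP the request was sent to) stands in for the request the profile object would normally hold, and the `caller_checks_issuer` keyword stands in for the proposed profile flag; both are assumptions of this example, as are the sample response and the entityIDs in it. Signature verification is out of scope here but must be done against the key of the expected issuer.

```python
"""Origin checks for a SAML 2.0 Response (illustration, not Lasso code):
1. the Response answers a request we actually emitted (InResponseTo),
2. the Response and its Assertions come from the provider that request targeted (Issuer).
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Constructed request state (assumption): we sent AuthnRequest "_req1" to this IdP.
IDP = "https://idp.example.org/saml/metadata"
PENDING = {"_req1": IDP}


class ResponseOriginError(Exception):
    """The response cannot be tied to a request we emitted or to the provider it targeted."""


def check_response_origin(response_xml, pending_requests, caller_checks_issuer=False):
    """Return (in_response_to, issuer) once the response's origin has been validated.

    pending_requests: request ID -> entityID of the IdP the request was sent to (hypothetical
    store kept by the caller, replacing the request normally held in the profile object).
    caller_checks_issuer: hypothetical equivalent of the proposed profile flag; when set, the
    issuer is only extracted and returned, and the caller is responsible for matching it.
    """
    # NOTE: real deployments should parse with defusedxml (or a hardened libxml2 setup) and
    # verify the XML signature with the key of the *expected* issuer, not of whichever issuer
    # the message names.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ResponseOriginError(f"not a samlp:Response: {root.tag}")

    # Check 1: the response must answer a request we emitted.
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        raise ResponseOriginError("response carries no InResponseTo (unsolicited)")
    targeted_idp = pending_requests.get(in_response_to)
    if targeted_idp is None:
        raise ResponseOriginError(f"InResponseTo {in_response_to!r} matches no request we emitted")

    # Collect every issuer in the message: the Response's own Issuer (optional in SAML 2.0)
    # and each Assertion's Issuer (mandatory). They must all name the same provider.
    issuers = []
    resp_issuer = root.find("saml:Issuer", NS)
    if resp_issuer is not None:
        issuers.append(("Response", (resp_issuer.text or "").strip()))
    for assertion in root.findall("saml:Assertion", NS):
        a_issuer = assertion.find("saml:Issuer", NS)
        if a_issuer is None or not (a_issuer.text or "").strip():
            raise ResponseOriginError("Assertion without Issuer")
        issuers.append(("Assertion", a_issuer.text.strip()))
    if not issuers:
        raise ResponseOriginError("response names no issuer at all")
    issuer = issuers[0][1]
    if any(name != issuer for _, name in issuers):
        raise ResponseOriginError(f"conflicting issuers in one response: {issuers}")

    # Check 2: unless the caller took over this job, the issuer must be the provider the
    # matched request was sent to.
    if not caller_checks_issuer and issuer != targeted_idp:
        raise ResponseOriginError(
            f"issuer {issuer!r} is not the provider {targeted_idp!r} "
            f"targeted by request {in_response_to!r}")
    return in_response_to, issuer


def accepts(response_xml, pending_requests, **kwargs):
    """True if check_response_origin() accepts the response, False if it rejects it."""
    try:
        check_response_origin(response_xml, pending_requests, **kwargs)
        return True
    except ResponseOriginError:
        return False


def sample_response(in_response_to, issuer):
    """Constructed SAML 2.0 Response used as sample input (signature omitted)."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2010-05-22T10:00:00Z"
    InResponseTo="{in_response_to}" Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2010-05-22T10:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print("accepted:", check_response_origin(sample_response("_req1", IDP), PENDING))
    for bad in (sample_response("_req1", "https://evil.example.net/idp"),  # wrong issuer
                sample_response("_req999", IDP)):                          # not our request
        try:
            check_response_origin(bad, PENDING)
        except ResponseOriginError as exc:
            print("rejected:", exc)
```

The second rejected case is the one the issue is about: the InResponseTo matches a request we emitted, but the issuer is not the provider that request was sent to, so an attacker controlling some other IdP cannot answer on its behalf. With `caller_checks_issuer=True` the same message is returned with its issuer for the caller to match by other means, which mirrors the flag the issue proposes.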

History

#1

Updated by Benjamin Dauvergne more than 13 years ago

  • Category set to Core
