SAML replay protection is not replaying authentication
As SAML SP, when we check replay protection, we should replay authentication if the check fails:
unless ( $self->replayProtection($assertion_responded) ) {
# Assertion was already consumed or is expired
# Force authentication replay
$self->userLogger->error(
"Message $assertion_responded already used or expired, replay authentication"
);
delete $req->{urldc};
$req->mustRedirect(1);
$req->steps( [] );
return PE_OK;
}
But at this moment we did not set $req->user so we end with this error in Portal/Main/Process.pm
sub extractFormInfo {
my ( $self, $req ) = @_;
return PE_ERROR unless ( $self->_authentication );
my $ret = $self->_authentication->extractFormInfo($req);
if ( $ret == PE_OK and not( $req->user or $req->continue ) ) {
$self->logger->error(
'Authentication module succeed but has not set $req->user');
return PE_ERROR;
}
Should we not set "$req->continue" in our SAML code?