Support selection of protocol binding for individual IdP's.

classes/admin/setting_idpmetadata.php

@@ -177,6 +177,7 @@ private function process_idp_xml(idp_data $idp, DOMElement $idpelements, DOMXPat
             $newidp->adminidp = 0;
             $newidp->defaultname = $idpname;
             $newidp->logo = $logo;
+            $newidp->protocolbinding = 0;
 
             $DB->insert_record('auth_saml2_idps', $newidp);
         }

classes/form/availableidps.php

@@ -27,6 +27,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
+use auth_saml2\protocol_binding;
 use moodleform;
 use core\output\notification;
 
@@ -92,6 +93,11 @@ public function definition() {
                 $mform->addHelpButton($fieldkey.'[whitelist]', 'multiidp:label:whitelist', 'auth_saml2');
                 $mform->setType($fieldkey.'[whitelist]', PARAM_TEXT);
 
+                $select = $mform->addElement('select', $fieldkey.'[protocolbinding]',
+                    get_string('multiidp:label:protocolbinding', 'auth_saml2'), protocol_binding::form_options());
+                $select->setSelected($idpentity['protocolbinding']);
+                $mform->addHelpButton($fieldkey.'[protocolbinding]', 'multiidp:label:protocolbinding', 'auth_saml2');
+
                 // Moodle Workplace - Tenant availability edit button.
                 if (class_exists('\tool_tenant\local\auth\saml2\manager')) {
                     $links = component_class_callback('\tool_tenant\local\auth\saml2\manager',

classes/protocol_binding.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace auth_saml2;
+
+defined('MOODLE_INTERNAL') || die();
+
+use coding_exception;
+
+/**
+ * Utility class for protocol bindings
+ *
+ * @package    auth_saml2
+ * @copyright  Copyright (c) 2023 KS DIF (http://www.blackboard.com)
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class protocol_binding {
+    public const HTTP_POST = 0;
+    public const HTTP_ARTIFACT = 1;
+
+    /**
+     * Map the internal id of the protocol bindings to the actual binding string.
+     * @param int $id
+     * @return string
+     * @throws coding_exception
+     */
+    public static function get_binding(int $id): string {
+        switch ($id) {
+            case self::HTTP_POST:
+                return 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
+            case self::HTTP_ARTIFACT:
+                return 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
+            default:
+                throw new coding_exception('Invalid binding');
+        }
+    }
+    public static function form_options(): array {
+        return [
+            self::HTTP_POST => 'HTTP Post',
+            self::HTTP_ARTIFACT => 'HTTP Artifact',
+        ];
+    }
+}

config/authsources.php

@@ -34,9 +34,11 @@
 
 if (!empty($SESSION->saml2idp) && array_key_exists($SESSION->saml2idp, $saml2auth->metadataentities)) {
     $idpentityid = $saml2auth->metadataentities[$SESSION->saml2idp]->entityid;
+    $protocolbinding = $saml2auth->metadataentities[$SESSION->saml2idp]->protocolbinding;
 } else {
     // Case for specifying no $SESSION IdP, select the first configured IdP as the default.
     $idpentityid = reset($saml2auth->metadataentities)->entityid;
+    $protocolbinding = reset($saml2auth->metadataentities)->protocolbinding;
 }
 
 $defaultspentityid = "$baseurl/auth/saml2/sp/metadata.php";
@@ -86,6 +88,7 @@
     ],
     'attributes' => $attributes,
     'attributes.required' => $attributesrequired,
+    'ProtocolBinding' => \auth_saml2\protocol_binding::get_binding($protocolbinding),
 ];
 
 if (!empty($saml2auth->config->assertionsconsumerservices)) {

db/install.xml

@@ -32,6 +32,7 @@
         <FIELD NAME="logo" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="alias" TYPE="char" LENGTH="50" NOTNULL="false" SEQUENCE="false"/>
         <FIELD NAME="whitelist" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
+        <FIELD NAME="protocolbinding" TYPE="int" LENGTH="4" NOTNULL="true" DEFAULT="0" SEQUENCE="false"/>
       </FIELDS>
       <KEYS>
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>

db/upgrade.php

@@ -410,5 +410,17 @@ function xmldb_auth_saml2_upgrade($oldversion) {
         upgrade_plugin_savepoint(true, 2023100300, 'auth', 'saml2');
     }
 
+    if ($oldversion < 2023112000) {
+
+        $table = new xmldb_table('auth_saml2_idps');
+        $field = new xmldb_field('protocolbinding', XMLDB_TYPE_INTEGER, '4', null, XMLDB_NOTNULL, null, '0', 'whitelist');
+
+        if (!$dbman->field_exists($table, $field)) {
+            $dbman->add_field($table, $field);
+        }
+
+        upgrade_plugin_savepoint(true, 2023112000, 'auth', 'saml2');
+    }
+
     return true;
 }

lang/en/auth_saml2.php

@@ -136,6 +136,8 @@
 $string['multiidp:label:admin_help'] = 'Any users that log in using this IdP will automatically be made an site administrator';
 $string['multiidp:label:whitelist'] = 'Redirected IP addresses';
 $string['multiidp:label:whitelist_help'] = 'If set, it will force clients to this IdP. Format: xxx.xxx.xxx.xxx/bitmask. Separate multiple subnets on a new line.';
+$string['multiidp:label:protocolbinding'] = 'Protocol Binding';
+$string['multiidp:label:protocolbinding_help'] = 'This specifies which binding should be used to respond by the IdP when we send the AuthnRequest. The Binding must be supported by the IdP.';
 $string['multiidpinfo'] = '
 <ul>
 <li>An IdP can only be used if it is set as Active</li>

version.php

@@ -24,8 +24,8 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version   = 2023100300;    // The current plugin version (Date: YYYYMMDDXX).
-$plugin->release   = 2023100300;    // Match release exactly to version.
+$plugin->version   = 2023112000;    // The current plugin version (Date: YYYYMMDDXX).
+$plugin->release   = 2023112000;    // Match release exactly to version.
 $plugin->requires  = 2017051509;    // Requires PHP 7, 2017051509 = T12. M3.3
                                     // Strictly we require either Moodle 3.5 OR
                                     // we require Totara 3.3, but the version number