From 794aa926cb4e60cf6f582cffa041efb68f9cf275 Mon Sep 17 00:00:00 2001
From: Ross Kinder
Date: Wed, 21 Feb 2018 08:55:41 -0500
Subject: [PATCH] idp: handle assertions where no ACS url is specified (#139)

---
 identity_provider.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/identity_provider.go b/identity_provider.go
index 7d21d7de..8ee6d6c1 100644
--- a/identity_provider.go
+++ b/identity_provider.go
@@ -428,6 +428,36 @@ func (req *IdpAuthnRequest) getACSEndpoint() error {
 		}
 	}
 
+	// Some service providers, like the Microsoft Azure AD service provider, issue
+	// assertion requests that don't specify an ACS url at all.
+	if req.Request.AssertionConsumerServiceURL == "" && req.Request.AssertionConsumerServiceIndex == "" {
+		// find a default ACS binding in the metadata that we can use
+		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
+			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
+				if spAssertionConsumerService.IsDefault != nil && *spAssertionConsumerService.IsDefault {
+					switch spAssertionConsumerService.Binding {
+					case HTTPPostBinding, HTTPRedirectBinding:
+						req.SPSSODescriptor = &spssoDescriptor
+						req.ACSEndpoint = &spAssertionConsumerService
+						return nil
+					}
+				}
+			}
+		}
+
+		// if we can't find a default, use *any* ACS binding
+		for _, spssoDescriptor := range req.ServiceProviderMetadata.SPSSODescriptors {
+			for _, spAssertionConsumerService := range spssoDescriptor.AssertionConsumerServices {
+				switch spAssertionConsumerService.Binding {
+				case HTTPPostBinding, HTTPRedirectBinding:
+					req.SPSSODescriptor = &spssoDescriptor
+					req.ACSEndpoint = &spAssertionConsumerService
+					return nil
+				}
+			}
+		}
+	}
+
 	return os.ErrNotExist // no ACS url found or specified
 }
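Review bot: The fallback loop under `// if we can't find a default, use *any* ACS binding` also accepts endpoints whose metadata explicitly sets `isDefault="false"`, which the SAML metadata rules for indexed endpoints say should be skipped when no endpoint is marked default (the default is the first one not explicitly set to false). Adding a guard at the top of the inner loop keeps the selection within what the SP declared, e.g. `if spAssertionConsumerService.IsDefault != nil && !*spAssertionConsumerService.IsDefault { continue }`. It is worth noting in a comment that both loops deliberately source the endpoint from `req.ServiceProviderMetadata` rather than from anything in the unauthenticated request, so an attacker-controlled AuthnRequest cannot redirect the assertion to an unregistered ACS; a one-line comment such as `// the ACS endpoint must come from registered SP metadata, never from the request` would make that trust boundary explicit for future maintainers. The enclosing getACSEndpoint starts outside the hunk, so whether the URL/Index branches above apply the same metadata-only rule cannot be confirmed here.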