Memorize idp only if auth was successful

This also means that we memorize the IdP regardless of the disco.

Signed-off-by: Ivan Kanakarakis <[email protected]>

Author: c00kiemon5ter

src/satosa/backends/saml2.py

@@ -317,7 +317,9 @@ def authn_response(self, context, binding):
             raise SATOSAAuthenticationError(context.state, "State did not match relay state")
 
         context.decorate(Context.KEY_BACKEND_METADATA_STORE, self.sp.metadata)
-
+        if self.config.get(SAMLBackend.KEY_MEMORIZE_DISCO_IDP):
+            issuer = authn_response.response.issuer.text.strip()
+            context.state[Context.KEY_MEMORIZED_DISCO_IDP] = issuer
         context.state.pop(self.name, None)
         context.state.pop(Context.KEY_FORCE_AUTHN, None)
         return self.auth_callback_func(context, self._translate_response(authn_response, context.state))
@@ -341,9 +343,6 @@ def disco_response(self, context):
             satosa_logging(logger, logging.DEBUG, "No IDP chosen for state", state, exc_info=True)
             raise SATOSAAuthenticationError(state, "No IDP chosen") from err
 
-        if self.config.get(SAMLBackend.KEY_MEMORIZE_DISCO_IDP):
-            context.state[Context.KEY_MEMORIZED_DISCO_IDP] = entity_id
-
         return self.authn_request(context, entity_id)
 
     def _translate_response(self, response, state):