Ensure assertions containing an AuthzDecisionStatement also contain a subject

tvdijen · tvdijen · commit 15fbb7394aac · 2025-12-22T11:07:23.000+01:00
diff --git a/src/XML/saml/Assertion.php b/src/XML/saml/Assertion.php
@@ -95,6 +95,26 @@ public function __construct(
             return $statement instanceof AuthnStatement;
         }));
 
+        if (count($authnStatements) > 0) {
+            Assert::notNull(
+                $subject,
+                "Assertions containing an <AuthnStatement> element MUST contain a <Subject> element.",
+                ProtocolViolationException::class,
+            );
+        }
+
+        $authzDecisionStatements = array_values(array_filter($statements, function ($statement) {
+            return $statement instanceof AuthzDecisionStatement;
+        }));
+
+        if (count($authzDecisionStatements) > 0) {
+            Assert::notNull(
+                $subject,
+                "Assertions containing an <AuthzDecisionStatement> element MUST contain a <Subject> element.",
+                ProtocolViolationException::class,
+            );
+        }
+
         $attributeStatements = array_values(array_filter($statements, function ($statement) {
             return $statement instanceof AttributeStatement;
         }));
