simplesamlphp · tvdijen · Apr 24, 2025 · Apr 24, 2025
diff --git a/src/Auth/Source/Negotiate.php b/src/Auth/Source/Negotiate.php
@@ -31,12 +31,12 @@
 *
 * @package simplesamlphp/simplesamlphp-module-negotiate
 */
 class Negotiate extends Auth\Source
 {
    // Constants used in the module
    public const STAGEID = '\SimpleSAML\Module\negotiate\Auth\Source\Negotiate.StageId';

    public const AUTHID = '\SimpleSAML\Module\negotiate\Auth\Source\Negotiate.AuthId';

    /** @var string|null */
    protected ?string $backend = null;
@@ -71,7 +71,7 @@
     *
     * @throws \Exception If the KRB5 extension is not installed or active.
     */
    public function __construct(array $info, array $config)
    {
        if (!extension_loaded('krb5')) {
            throw new Exception('KRB5 Extension not installed');
@@ -103,7 +103,7 @@
     *
     * @param array &$state Information about the current authentication.
     */
    public function authenticate(array &$state): void
    {
        // set the default backend to config
        $state['LogoutState'] = [
@@ -154,7 +154,7 @@
                $reply = null;

                try {
                    if (version_compare(phpversion('krb5'), '1.1.6', '<')) {
                        Logger::debug('Negotiate - authenticate(): Trying to authenticate (channel binding not available).');
                        $auth = new KRB5NegotiateAuth($this->keytab, $this->spn);
                        $reply = $this->doAuthentication($auth);
@@ -178,7 +178,7 @@
                            }
                        }

                        if (!$auth->isChannelBound()) {
                            throw new Error\Exception(
                                'Negotiate - authenticate(): Failed to perform channel binding using '
                                . 'any of the configured certificate hashes.',
@@ -196,7 +196,7 @@
                    Logger::info('Negotiate - authenticate(): ' . $userPrincipalName . ' authenticated.');

                    // Search for the corresponding realm and set current variables
                    @list($uid, $realmName) = preg_split('/@/', $userPrincipalName, 2);
                    /** @psalm-var string $realmName */
                    Assert::notNull($realmName);

@@ -364,7 +364,7 @@
            throw new Error\Error([500, "Unable to determine auth source."]);
        }

        /** @psalm-var \SimpleSAML\Auth\Source|null $source */
        $source = Auth\Source::getById($authId);
        if ($source === null) {
            throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
@@ -406,7 +406,7 @@
        try {
            return $source->getAttributes($uid);
        } catch (Error\Exception $e) {
            Logger::debug('Negotiate - ldap lookup failed: ' . $e);
            return null;
        }
    }
@@ -423,7 +423,7 @@
     public function logout(array &$state): void
     {
         // get the source that was used to authenticate
-        $authId = $state['LogoutState']['negotiate:backend'];
+        $authId = $state['negotiate:backend'];
         Logger::debug('Negotiate - logout has the following authId: "' . $authId . '"');
 
         if ($authId === null) {