Some more work

src/SAML2/Entity/ServiceProvider.php

@@ -7,7 +7,15 @@
 use Exception;
 use Psr\Http\Message\ServerRequestInterface;
 use SimpleSAML\Assert\Assert;
-use SimpleSAML\SAML2\{Binding, HTTPArtifact, Metadata, StateProviderInterface, Utils};
+use SimpleSAML\SAML2\{
+    Binding,
+    HTTPArtifact,
+    Metadata,
+    MetadataProviderInterface,
+    StateProviderInterface,
+    StorageProviderInterface,
+    Utils,
+};
 use SimpleSAML\SAML2\Exception\{MetadataNotFoundException, RemoteException, RuntimeException};
 use SimpleSAML\SAML2\Exception\Protocol\{RequestDeniedException, ResourceNotRecognizedException};
 use SimpleSAML\SAML2\Process\Validator\ResponseValidator;
@@ -38,7 +46,6 @@
  */
 final class ServiceProvider
 {
-    protected ?Metadata\MetadataProviderInterface $metadataProvider = null;
     protected ?StateProviderInterface $stateProvider = null;
     protected ?StorageProviderInterface $storageProvider = null;
     protected ?Metadata\IdentityProvider $idpMetadata = null;
@@ -54,6 +61,7 @@ final class ServiceProvider
      * @param bool $validateLogout  Whether to validate the signature of LogoutRequest/LogoutResponse received
      */
     public function __construct(
+        protected MetadataProviderInterface $metadataProvider,
         protected Metadata\ServiceProvider $spMetadata,
         protected readonly bool $encryptedAssertions = false,
         protected readonly bool $disableScoping = false,
@@ -78,6 +86,14 @@ public function setStateProvider(StateProviderInterface $stateProvider): void
     }
 
 
+    /**
+     */
+    public function setStorageProvider(StorageProviderInterface $storageProvider): void
+    {
+        $this->storageProvider = $storageProvider;
+    }
+
+
     /**
      * Receive a verified, and optionally validated Response.
      *
@@ -95,11 +111,7 @@ public function receiveResponse(ServerRequestInterface $request): Response
         $binding = Binding::getCurrentBinding($request);
 
         if ($binding instanceof HTTPArtifact) {
-            if ($this->metadataProvider === null) {
-                throw new RuntimeException(
-                    "A MetadataProvider is required to use the HTTP-Artifact binding.",
-                );
-            } elseif ($this->storageProvider === null) {
+            if ($this->storageProvider === null) {
                 throw new RuntimeException(
                     "A StorageProvider is required to use the HTTP-Artifact binding.",
                 );
@@ -110,7 +122,7 @@ public function receiveResponse(ServerRequestInterface $request): Response
 
             if ($this->idpMetadata === null) {
                 throw new MetadataNotFoundException(sprintf(
-                    'No metadata found for remote provider with SHA1 ID: %s',
+                    'No metadata found for remote entity with SHA1 ID: %s',
                     $artifact->getSourceId(),
                 ));
             }
@@ -127,6 +139,18 @@ public function receiveResponse(ServerRequestInterface $request): Response
             return $rawResponse;
         }
 
+        // Fetch the metadata for the remote entity
+        if (!($binding instanceof HTTPArtifact)) {
+            $this->idpMetadata = $this->metadataProvider->getIdPMetadata($rawResponse->getIssuer()->getContent());
+
+            if ($this->idpMetadata === null) {
+                throw new MetadataNotFoundException(sprintf(
+                    'No metadata found for remote entity with entityID: %s',
+                    $rawResponse->getIssuer()->getContent(),
+                ));
+            }
+        }
+
         // Verify the signature (if any)
         $verifiedResponse = $rawResponse->isSigned() ? $this->verifyElementSignature($rawResponse) : $rawResponse;
 
@@ -152,32 +176,26 @@ public function receiveResponse(ServerRequestInterface $request): Response
             }
         }
 
+        $issuer = $verifiedResponse->getIssuer()->getContent();
         if ($state === null) {
             if ($this->enableUnsolicited === false) {
                 throw new RequestDeniedException('Unsolicited responses are denied by configuration.');
             }
         } else {
             // check that the issuer is the one we are expecting
             Assert::keyExists($state, 'ExpectedIssuer');
-            $issuer = $verifiedResponse->getIssuer()->getContent();
 
             if ($state['ExpectedIssuer'] !== $issuer) {
                 throw new ResourceNotRecognizedException("Issuer doesn't match the one the AuthnRequest was sent to.");
             }
+        }
 
-            if ($this->metadataProvider === null) {
-                throw new RuntimeException(
-                    "A MetadataProvider is required to be able to perform token decryption.",
-                );
-            }
-
-            $this->idpMetadata = $this->metadataProvider->getIdPMetadata($issuer);
-            if ($this->idpMetadata === null) {
-                throw new MetadataNotFoundException(sprintf(
-                    'No metadata found for remote identity provider with entityID: %s',
-                    $issuer,
-                ));
-            }
+        $this->idpMetadata = $this->metadataProvider->getIdPMetadata($issuer);
+        if ($this->idpMetadata === null) {
+            throw new MetadataNotFoundException(sprintf(
+                'No metadata found for remote identity provider with entityID: %s',
+                $issuer,
+            ));
         }
 
         $responseValidator = ResponseValidator::createResponseValidator(
@@ -308,7 +326,7 @@ protected function verifyElementSignature(SignedElementInterface $element): Sign
         $factory = $this->spMetadata->getSignatureAlgorithmFactory();
         $signatureAlgorithm = $element->getSignature()->getSignedInfo()->getSignatureMethod()->getAlgorithm();
 
-        foreach ($this->spMetadata->getValidatingKeys() as $validatingKey) {
+        foreach ($this->idpMetadata->getValidatingKeys() as $validatingKey) {
             $verifier = $factory->getAlgorithm($signatureAlgorithm, $validatingKey);
 
             try {

src/SAML2/Metadata/MetadataProviderInterface.php → src/SAML2/MetadataProviderInterface.php

@@ -2,30 +2,33 @@
 
 declare(strict_types=1);
 
-namespace SimpleSAML\SAML2\Metadata;
+namespace SimpleSAML\SAML2;
+
+use SimpleSAML\SAML2\Metadata\IdentityProvider;
+use SimpleSAML\SAML2\Metadata\ServiceProvider;
 
 interface MetadataProviderInterface
 {
     /**
      * Find IdP-metadata based on a SHA-1 hash of the entityID. Return `null` if not found.
      */
-    public function getIdPMetadataForSha1(string $hash): IdentityProvider;
+    public function getIdPMetadataForSha1(string $hash): ?IdentityProvider;
 
 
     /**
      * Find SP-metadata based on a SHA-1 hash of the entityID. Return `null` if not found.
      */
-    public function getSPMetadataForSha1(string $hash): ServiceProvider;
+    public function getSPMetadataForSha1(string $hash): ?ServiceProvider;
 
 
     /**
      * Find IdP-metadata based on an entityID. Return `null` if not found.
      */
-    public function getIdPMetadata(string $entityId): IdentityProvider;
+    public function getIdPMetadata(string $entityId): ?IdentityProvider;
 
 
     /**
      * Find SP-metadata based on an entityID. Return `null` if not found.
      */
-    public function getSPMetadata(string $entityId): ServiceProvider;
+    public function getSPMetadata(string $entityId): ?ServiceProvider;
 }

src/SAML2/Process/Validation/Response/DestinationMatches.php

@@ -8,7 +8,6 @@
 use SimpleSAML\SAML2\Exception\Protocol\ResourceNotRecognizedException;
 use SimpleSAML\SAML2\Process\{ServiceProviderAwareInterface, ServiceProviderAwareTrait};
 use SimpleSAML\SAML2\Process\Validation\ConstraintValidatorInterface;
-use SimpleSAML\SAML2\XML\samlp\Response;
 use SimpleSAML\XML\SerializableElementInterface;
 
 final class DestinationMatches implements ConstraintValidatorInterface

src/SAML2/Process/Validator/ValidatorInterface.php

@@ -4,8 +4,8 @@
 
 namespace SimpleSAML\SAML2\Process\Validator;
 
-use SimpleSAML\XML\SerializableElementInterface;
 use SimpleSAML\SAML2\Process\Validation\ConstraintValidatorInterface;
+use SimpleSAML\XML\SerializableElementInterface;
 
 interface ValidatorInterface
 {