From 335d6edd115369259e9dad308f891f668bc5adee Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 31 Oct 2021 17:21:15 +0100
Subject: [PATCH] providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS
Signed-off-by: Jens Langhammer
---
 authentik/providers/saml/processors/request_parser.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/authentik/providers/saml/processors/request_parser.py b/authentik/providers/saml/processors/request_parser.py
index fcfeed25e..f33f17a1b 100644
--- a/authentik/providers/saml/processors/request_parser.py
+++ b/authentik/providers/saml/processors/request_parser.py
@@ -59,11 +59,13 @@ class AuthNRequestParser:
 ) -> AuthNRequest:
 root = ElementTree.fromstring(decoded_xml)
+ # http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
+ # `AssertionConsumerServiceURL` can be omitted, and we should fallback to the
+ # default ACS URL
 if "AssertionConsumerServiceURL" not in root.attrib:
- msg = "Missing 'AssertionConsumerServiceURL' attribute"
- LOGGER.warning(msg)
- raise CannotHandleAssertion(msg)
- request_acs_url = root.attrib["AssertionConsumerServiceURL"]
+ request_acs_url = self.provider.acs_url.lower()
+ else:
+ request_acs_url = root.attrib["AssertionConsumerServiceURL"]
 if self.provider.acs_url.lower() != request_acs_url.lower():
 msg = (
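Review bot: The fallback branch stores `self.provider.acs_url.lower()` in `request_acs_url`, so a request without `AssertionConsumerServiceURL` carries a lowercased copy of the configured ACS URL, while a request that supplies the attribute keeps its original case. URL paths are case-sensitive and the rest of the method lies outside this hunk, so if `request_acs_url` is later used as the destination for the response, a provider whose ACS URL contains upper-case path characters could have the assertion sent to the wrong address. Assign the configured value unchanged, `request_acs_url = self.provider.acs_url`; the comparison just below lowercases both sides anyway. The removed `LOGGER.warning` also leaves the fallback silent, so a `LOGGER.debug("AuthnRequest has no AssertionConsumerServiceURL, using provider default")` in that branch would keep it visible when troubleshooting.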