From 4bd1cd127b481bc595dab3161c741c0803d69cf6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 2 Dec 2021 20:30:03 +0100
Subject: [PATCH] providers/saml: fix IndexError in signature check
Signed-off-by: Jens Langhammer
---
 authentik/providers/saml/processors/request_parser.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/authentik/providers/saml/processors/request_parser.py b/authentik/providers/saml/processors/request_parser.py
index f33f17a1b..6965766cf 100644
--- a/authentik/providers/saml/processors/request_parser.py
+++ b/authentik/providers/saml/processors/request_parser.py
@@ -100,14 +100,13 @@ class AuthNRequestParser:
 xmlsec.tree.add_ids(root, ["ID"])
 signature_nodes = root.xpath("/samlp:AuthnRequest/ds:Signature", namespaces=NS_MAP)
 # No signatures, no verifier configured -> decode xml directly
- if len(signature_nodes) < 1 and not verifier:
- return self._parse_xml(decoded_xml, relay_state)
+ if len(signature_nodes) < 1:
+ if not verifier:
+ return self._parse_xml(decoded_xml, relay_state)
+ raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)
 signature_node = signature_nodes[0]
- if verifier and signature_node is None:
- raise CannotHandleAssertion(ERROR_SIGNATURE_REQUIRED_BUT_ABSENT)
-
 if signature_node is not None:
 if not verifier:
 raise CannotHandleAssertion(ERROR_SIGNATURE_EXISTS_BUT_NO_VERIFIER)
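Review bot: After the new `len(signature_nodes) < 1` branch, `signature_node = signature_nodes[0]` still silently takes the first match, so a request with more than one `ds:Signature` child is handled on the basis of the first one alone; an explicit `if len(signature_nodes) > 1: raise CannotHandleAssertion(<new error message constant>)` would make the parser fail closed on ambiguous input. The `if signature_node is not None:` guard that follows now appears to be always true, because the list is known to be non-empty at that point, so it could be dropped. The comment `# No signatures, no verifier configured -> decode xml directly` no longer describes the whole branch; `# No signature: parse directly if no verifier is configured, otherwise reject` would match the code. The verification itself lies after the end of this hunk, so whether extra signature nodes matter in practice should be confirmed there.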