commit fda2216c11f86a874bb8d03ea430492524ea36f5
Author: Florian Best
Date:   Tue Oct 5 09:45:39 2021 +0200

    Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

diff --git management/univention-management-console/univention-management-console-web-server management/univention-management-console/univention-management-console-web-server
index 65b5436b65..dabc67a7b1 100755
--- management/univention-management-console/univention-management-console-web-server
+++ management/univention-management-console/univention-management-console-web-server
@@ -1259,7 +1259,8 @@ class SAML(Ressource):
     def attribute_consuming_service(self, binding, message, relay_state):
         response = self.acs(message, binding)
         saml = SAMLUser(response, message)
-        self.set_session(self.create_sessionid(), saml.username, saml=saml)
+        user = self.set_session(self.create_sessionid(), saml.username, saml=saml)
+        self.drop_umcp_authentication(user.sessionid)
 
         # protect against javascript:alert('XSS'), mailto:foo and other non relative links!
         location = urlparse(relay_state)
@@ -1275,10 +1276,17 @@ class SAML(Ressource):
         saml = SAMLUser(response, message)
         sessionid = self.create_sessionid()
         self.set_session(sessionid, saml.username, saml=saml)
+        self.drop_umcp_authentication(sessionid)
         cherrypy.response.headers['Content-Type'] = 'text/html'
         data = {"status": 200, "result": {"username": saml.username}}
         return b'' % (json.dumps(data).encode('ASCII'),)
 
+    def drop_umcp_authentication(self, sessionid):
+        """Force re-authentication if we get a new SAML message"""
+        client = UMCP_Dispatcher.sessions.get(sessionid)
+        if client:
+            client.authenticated = False
+
     @cherrypy.expose
     def slo(self, *args, **kwargs):  # single logout service
         binding, message, relay_state = self._get_saml_message()
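Review bot: The first hunk reads `user.sessionid` off whatever `set_session` returns, while the second hunk captures the id from `create_sessionid()` before the call; the first form raises an AttributeError on the next line if `set_session` ever returns None, and `set_session` itself is not visible here. Using the same pattern in both places removes that dependency: `sessionid = self.create_sessionid()` / `self.set_session(sessionid, saml.username, saml=saml)` / `self.drop_umcp_authentication(sessionid)`. attribute_consuming_service continues past the end of the hunk.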
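Review bot: `drop_umcp_authentication` only clears the `authenticated` flag on a UMCP client that is already cached under this session id, so the fix takes effect only if `create_sessionid()` hands back the browser's existing session id rather than a fresh one; that is not visible in the hunk and is worth confirming, because with a fresh id the lookup is always empty and the method is a no-op. The docstring describes the motivation but not the mechanism; I would make it state what the caller can rely on: `"""Clear the authenticated flag of the UMCP client cached for *sessionid* (if any), so the UMC server must re-authenticate this session with the new SAML assertion."""`. Prefer `if client is not None:` over the truthiness test, and consider a debug log line when an existing client is de-authenticated so a session's change of identity is traceable afterwards.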