Prevent panic caused by IDP-initiated login (crewjam#183)

* - Check if IDP-initiated login is allowed and if so assume that the RelayState is a deep-link.
- Guard against an IDP-initiated request that may not have the request ID in the claims.
- Attempt to retrieve a state value using the RelayState first before checking if IDP-initiated flow is allowed.

* Only address the panic in IDP-initiated login (#1)

This change undoes some of the changes made in 4908b26, to just address the panic for IDP-initiated logins.

I'll file an issue in the `crewjam/saml` repo about the other issue blocking IDP-initiated logins, which is how to support relay states from the IDP.

Author: praneetloke

samlsp/middleware.go

@@ -186,11 +186,13 @@ func (m *Middleware) getPossibleRequestIDs(r *http.Request) []string {
 			m.ServiceProvider.Logger.Printf("... invalid token %s", err)
 			continue
 		}
+		// If IDP initiated requests are allowed, then we can expect an empty response ID.
 		claims := token.Claims.(jwt.MapClaims)
-		rv = append(rv, claims["id"].(string))
+		if id, ok := claims["id"]; ok {
+			rv = append(rv, id.(string))
+		}
 	}
 
-	// If IDP initiated requests are allowed, then we can expect an empty response ID.
 	if m.AllowIDPInitiated {
 		rv = append(rv, "")
 	}