[shibboleth-sp2] 56/89: SSPCPP-424 - Configuration to allow contents of metadata to affect behavior of SP

Ferenc Wágner wferi at moszumanska.debian.org
Thu Sep 1 09:24:09 UTC 2016



wferi pushed a commit to branch master
in repository shibboleth-sp2.

commit b9904a8c26826c02a803c7ef37bcf3324fc6cff7
Author: Scott Cantor <cantor.2 at osu.edu>
Date:   Mon Jun 13 12:08:01 2016 -0400

    SSPCPP-424 - Configuration to allow contents of metadata to affect behavior of SP
    
    https://issues.shibboleth.net/jira/browse/SSPCPP-424
---
 schemas/shibboleth-2.0-native-sp-config.xsd   |  5 ++++
 shibsp/handler/impl/SAML2SessionInitiator.cpp | 33 ++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/schemas/shibboleth-2.0-native-sp-config.xsd b/schemas/shibboleth-2.0-native-sp-config.xsd
index c8b9772..e50534a 100644
--- a/schemas/shibboleth-2.0-native-sp-config.xsd
+++ b/schemas/shibboleth-2.0-native-sp-config.xsd
@@ -471,6 +471,11 @@
     <attribute name="requireSignedAssertions" type="boolean"/>
     <attribute name="sessionHook" type="anyURI"/>
     <attribute name="artifactByFilesystem" type="boolean"/>
+    <attribute name="authnContextClassRef" type="conf:listOfURIs"/>
+    <attribute name="authnContextComparison" type="samlp:AuthnContextComparisonType"/>
+    <attribute name="NameIDFormat" type="anyURI"/>
+    <attribute name="SPNameQualifier" type="conf:string"/>
+    <attribute name="requestDelegation" type="boolean"/>
   </attributeGroup>
     
   <complexType name="SessionsType">
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index cb2c19a..91ae5a4 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
@@ -619,6 +619,8 @@ pair<bool,long> SAML2SessionInitiator::doRequest(
 
     preserveRelayState(app, httpResponse, relayState);
 
+    const PropertySet* relyingParty = app.getRelyingParty(entity.first);
+
     auto_ptr<AuthnRequest> req(m_requestTemplate ? m_requestTemplate->cloneAuthnRequest() : AuthnRequestBuilder::buildAuthnRequest());
     if (m_requestTemplate) {
         // Freshen TS and ID.
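Review bot: The new `relyingParty` pointer is dereferenced unguarded in this and the following hunks, and nothing at the declaration says where its values come from or how they rank against the handler's own settings. The pre-existing `app.getRelyingParty(entity.first)->` call made the same non-null assumption, so this is presumably safe, but the precedence rule deserves a comment at the declaration: `// RelyingParty settings (which may be derived from the IdP's metadata, per SSPCPP-424) supply defaults for anything not set explicitly on the request or handler.` doRequest starts before this hunk and continues after it.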
@@ -643,21 +645,43 @@ pair<bool,long> SAML2SessionInitiator::doRequest(
     if (!req->getIssuer()) {
         Issuer* issuer = IssuerBuilder::buildIssuer();
         req->setIssuer(issuer);
-        issuer->setName(app.getRelyingParty(entity.first)->getXMLString("entityID").second);
+        issuer->setName(relyingParty->getXMLString("entityID").second);
     }
     if (!req->getNameIDPolicy()) {
         NameIDPolicy* namepol = NameIDPolicyBuilder::buildNameIDPolicy();
         req->setNameIDPolicy(namepol);
         namepol->AllowCreate(true);
     }
+
+    // Format may be specified, or inferred from RelyingParty.
     if (NameIDFormat && *NameIDFormat) {
         auto_ptr_XMLCh wideform(NameIDFormat);
         req->getNameIDPolicy()->setFormat(wideform.get());
     }
+    else {
+        pair<bool,const XMLCh*> rpFormat = relyingParty->getXMLString("NameIDFormat");
+        if (rpFormat.first)
+            req->getNameIDPolicy()->setFormat(rpFormat.second);
+    }
+
+    // SPNameQualifier may be specified, or inferred from RelyingParty.
     if (SPNameQualifier && *SPNameQualifier) {
         auto_ptr_XMLCh widequal(SPNameQualifier);
         req->getNameIDPolicy()->setSPNameQualifier(widequal.get());
     }
+    else {
+        pair<bool,const XMLCh*> rpQual = relyingParty->getXMLString("SPNameQualifier");
+        if (rpQual.first)
+            req->getNameIDPolicy()->setSPNameQualifier(rpQual.second);
+    }
+
+    // If no specified AC class, infer from RelyingParty.
+    if (!authnContextClassRef || !*authnContextClassRef) {
+        pair<bool,const char*> rpContextClassRef = relyingParty->getString("authnContextClassRef");
+        if (rpContextClassRef.first)
+            authnContextClassRef = rpContextClassRef.second;
+    }
+
     if (authnContextClassRef || authnContextComparison) {
         RequestedAuthnContext* reqContext = req->getRequestedAuthnContext();
         if (!reqContext) {
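Review bot: The fallback for `authnContextClassRef` treats a null pointer and an empty string the same (`!authnContextClassRef || !*authnContextClassRef`), whereas the `authnContextComparison` fallback in the next hunk is reached only through `else if (authnContextComparison)`, so an explicit empty comparison string suppresses the RelyingParty value while an explicit empty class ref does not. If an empty string can reach this code, the two should agree; changing the next hunk's branch to `else if (authnContextComparison && *authnContextComparison)` would align them. The explicit-then-RelyingParty pattern is also written out three times here and twice more in the next hunk; a short comment above the first one, `// Explicit request/handler values take precedence over RelyingParty settings.`, states the rule once. doRequest starts before this hunk and continues after it.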
@@ -685,10 +709,17 @@ pair<bool,long> SAML2SessionInitiator::doRequest(
         else if (authnContextComparison) {
             auto_ptr_XMLCh widecomp(authnContextComparison);
             reqContext->setComparison(widecomp.get());
+        } else {
+            pair<bool,const XMLCh*> rpComp = relyingParty->getXMLString("authnContextComparison");
+            if (rpComp.first)
+                reqContext->setComparison(rpComp.second);
         }
     }
 
     pair<bool,bool> requestDelegation = getBool("requestDelegation");
+    if (!requestDelegation.first)
+        requestDelegation = relyingParty->getBool("requestDelegation");
+
     if (requestDelegation.first && requestDelegation.second) {
         if (entity.first) {
             // Request delegation by including the IdP as an Audience.
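Review bot: The new `} else {` branch for `authnContextComparison` is written cuddled, while the surrounding code in this function puts `else` on its own line after the closing brace (see the `else if` just above it and the `else {` blocks in the previous hunk); for consistency use `}` followed by `else {` on the next line. The `requestDelegation` fallback is fine, but a brief comment such as `// Handler setting wins; otherwise defer to the RelyingParty.` would match the comments given to the other fallbacks. doRequest continues past the end of this hunk.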



