diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 7862afc1cade81dc7212c2f37c35a229476534d7..f5da60f3b4f64fb99eae90dd4f645e905de53a24 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -75,7 +75,9 @@
 <prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 <prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
 <prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
+ <prop key="saml.acrs.appendAcrs">true</prop>
 <prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,https://refeds.org/profile/sfa</prop>
+ <prop key="saml.acrs.verifyAuthnContext">true</prop>
 <prop key="saml.user.attrIdentifier">eppn</prop><!-- eppn|epuid|eptid|uid|uniqueIdentifier|perunUserId -->
 <prop key="saml.user.lookup">original_auth</prop><!-- original_auth|perun_user_id|static_ext_source -->
 <prop key="saml.static_ext_idp"/>
@@ -160,6 +162,7 @@
 <property name="idpMetadataFile" value="${saml.idp.metadataLocation}"/>
 <property name="idpMetadataUrl" value="${saml.idp.metadataUrl}"/>
 <property name="acrReservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+ <property name="appendAcrs" value="#{'${saml.acrs.appendAcrs}'}"/>
 <property name="acrsToBeAdded" value="#{'${saml.acrs.onlyreserved.append}'.split('\s*,\s*')}"/>
 <property name="userIdentifierAttribute" value="${saml.user.attrIdentifier}"/>
 <property name="userLookupMode" value="${saml.user.lookup}"/>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 6738b486956c98a10b810e82cd0c5e4b0cf6a36c..1275123c07ad831f984d6e5968e9db6344078447 100644
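Review bot: The new `saml.acrs.verifyAuthnContext` key carries no inline comment, unlike the `saml.idp.*` and `saml.user.*` keys around it, although it is the more security-relevant knob in this commit: PerunWebSSOProfileConsumerImpl skips `super.verifyAuthnContext(...)` entirely unless the value parses as `true`, so the IdP-asserted AuthnContext is then never checked against what was requested. Note also that `Boolean.parseBoolean` accepts only the literal `true` (case-insensitive), so `yes`, `1` or a value with stray whitespace silently turns the check off. I would document that on the line itself, e.g. `<prop key="saml.acrs.verifyAuthnContext">true</prop><!-- true|false; false disables checking the IdP-asserted AuthnContext against the requested ACRs; anything other than "true" disables it -->`, and likewise `<prop key="saml.acrs.appendAcrs">true</prop><!-- true|false; when true and only reserved-prefix ACRs are requested, saml.acrs.onlyreserved.append is appended -->`.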
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -647,6 +647,7 @@
 <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
 <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
 <property name="maxAuthenticationAge" value="360"/>
+ <property name="verifyAuthnContext" value="#{'${saml.acrs.verifyAuthnContext}'}"/>
 </bean>
 
 <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
index 013cd6e6519bd15e825baa49375d83fb26beece1..f6842d774e3824fc36ecdfa4eb2313326fa51ccc 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlEntryPoint.java
@@ -306,7 +306,7 @@ public class PerunSamlEntryPoint extends SAMLEntryPoint {
 }
 }
 
- if (!hasNonReserved) {
+ if (!hasNonReserved && samlProperties.shouldAppendAcrs()) {
 List<String> toBeAdded = new LinkedList<>(Arrays.asList(samlProperties.getAcrsToBeAdded()));
 log.debug("NO ACR with non reserved prefix found, adding following: {}", toBeAdded);
 acrs.addAll(toBeAdded);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
index 4db6839690e95e706f96ddb4a937e66561b03c45..912c7653d920afda17ce38f397aea7d3dbf41e58 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunWebSSOProfileConsumerImpl.java
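Review bot: When `samlProperties.shouldAppendAcrs()` is false the whole branch is skipped silently, so a request whose ACRs all carry a reserved prefix leaves this block with nothing appended and nothing in the log that distinguishes "appending disabled" from "a non-reserved ACR was present". I would add `else if (!hasNonReserved) { log.debug("NO ACR with non reserved prefix found, appending of default ACRs is disabled"); }` so an operator can trace why the IdP received only reserved ACRs, or none at all. What the code does with a possibly empty `acrs` list afterwards is outside this hunk, as is the enclosing method, which starts and ends beyond it.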
@@ -18,11 +18,19 @@ import java.util.stream.Collectors; public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl { private Set<String> reservedPrefixes; + private String verifyAuthnContext; + private boolean shouldVerifyAuthnContext; public void setReservedPrefixes(Set<String> reservedPrefixes) { this.reservedPrefixes = reservedPrefixes; } + public void setVerifyAuthnContext(String verifyAuthnContext) { + this.verifyAuthnContext = verifyAuthnContext; + this.shouldVerifyAuthnContext = Boolean.parseBoolean(verifyAuthnContext); + } + + @Override protected void verifyAuthenticationStatement(AuthnStatement auth, RequestedAuthnContext requestedAuthnContext,
@@ -66,7 +74,9 @@ public class PerunWebSSOProfileConsumerImpl extends WebSSOProfileConsumerImpl {
 log.debug("No Requested AuthnContext(s)");
 }
 log.debug("Received AuthnContext: {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef());
- super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+ if (shouldVerifyAuthnContext) {
+ super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);
+ }
 }
 
 private boolean filterOutConditionsMet(RequestedAuthnContext requestedAuthnContext) {
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
index a25430a4504afa219ed529a4e33a83196ef708b0..91bc2d717c96ff9686066c9c371cf85aef3826ae 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlProperties.java
@@ -36,6 +36,7 @@ public class SamlProperties implements InitializingBean {
 private String idpMetadataUrl;
 private String[] acrReservedPrefixes;
 private String[] acrsToBeAdded;
+ private String appendAcrs;
 private String userIdentifierAttribute;
 private String userLookupMode;
 private String staticUserExtSource;
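Review bot: The new gate fails open: `shouldVerifyAuthnContext` is a plain `boolean` field (declared in the earlier hunk of this file), so it stays `false` until `setVerifyAuthnContext` is called with a string that `Boolean.parseBoolean` accepts, and a bean definition that omits the property, or a value such as `yes`, `1` or `True ` with trailing whitespace, silently drops the `super.verifyAuthnContext(...)` call — the check that rejects an assertion whose AuthnContext does not satisfy the requested one (e.g. password-only where an MFA profile was requested). The safe default belongs in the code, not only in user-context.xml: `private boolean shouldVerifyAuthnContext = true;` and in the setter `this.shouldVerifyAuthnContext = verifyAuthnContext == null || Boolean.parseBoolean(verifyAuthnContext.trim());`. When the branch is skipped it should also be visible above debug level, e.g. `log.warn("AuthnContext verification disabled by configuration, accepting received context {}", receivedContext.getAuthnContextClassRef().getAuthnContextClassRef());`, since the debug line just before only prints the received value. The `verifyAuthnContext` String field added alongside is written but never read and can be dropped. The enclosing `verifyAuthenticationStatement` starts before this hunk.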
@@ -97,4 +98,12 @@ public class SamlProperties implements InitializingBean {
 }
 }
 
+ public void setAppendAcrs(String appendAcrs) {
+ this.appendAcrs = appendAcrs;
+ }
+
+ public boolean shouldAppendAcrs() {
+ return Boolean.parseBoolean(appendAcrs);
+ }
+
 }
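Review bot: `appendAcrs` is kept as a raw `String` and re-parsed on every `shouldAppendAcrs()` call, and `Boolean.parseBoolean(null)` is `false`, so a deployment whose bean definition does not set the property silently stops appending the fallback ACRs that were always appended before this commit, with no log line or startup error. I would parse once in the setter into a `boolean` field, as `PerunWebSSOProfileConsumerImpl.setVerifyAuthnContext` does in this same commit, and default it to the previous behaviour: `private boolean appendAcrs = true;`, `this.appendAcrs = appendAcrs == null || Boolean.parseBoolean(appendAcrs.trim());`, `return appendAcrs;`. Since the class implements `InitializingBean`, an unparseable value could also be reported from `afterPropertiesSet`, which lies outside this hunk; I cannot see from here whether that method already validates other properties.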