From 0a29156b16b99b49027fd2626937fa54cd4a65ea Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 19 May 2010 09:26:36 +0000
Subject: [PATCH] IdP/SAML2: Add https.certificate option

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2303 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-reference-idp-hosted.txt |  5 +++++
 lib/SimpleSAML/Metadata/SAMLBuilder.php     | 14 +++++++-------
 www/saml2/idp/metadata.php                  |  6 ++++++
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index ca70f4f64..9e2d14d09 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -156,6 +156,11 @@ The following SAML 2.0 options are available:
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
+`https.certificate`
+:   The certificate used by the webserver when handling connections.
+    This certificate will be added to the generated metadata of the IdP,
+    which is required by some SPs when using the HTTP-Artifact binding.
+
 `SingleSignOnService`
 :   Override the default URL for the SingleSignOnService for this
     IdP. This is an absolute URL. The default value is
diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index aeffb1af6..edd176e52 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -586,15 +586,15 @@ class SimpleSAML_Metadata_SAMLBuilder {
 	private function addCertificate(SAML2_XML_md_RoleDescriptor $rd, SimpleSAML_Configuration $metadata) {
 
 		$certInfo = SimpleSAML_Utilities::loadPublicKey($metadata);
-		if ($certInfo === NULL || !array_key_exists('certData', $certInfo)) {
-			/* No certificate to add. */
-			return;
+		if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
+			$certData = $certInfo['certData'];
+			$this->addX509KeyDescriptor($rd, 'signing', $certData);
+			$this->addX509KeyDescriptor($rd, 'encryption', $certData);
 		}
 
-		$certData = $certInfo['certData'];
-
-		$this->addX509KeyDescriptor($rd, 'signing', $certData);
-		$this->addX509KeyDescriptor($rd, 'encryption', $certData);
+		if ($metadata->hasValue('https.certData')) {
+			$this->addX509KeyDescriptor($rd, 'signing', $metadata->getString('https.certData'));
+		}
 	}
 
 }
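Review bot: The new block at the end of addCertificate publishes the HTTPS certificate with use="signing", so every SP that consumes this metadata will also accept SAML messages signed with the webserver's TLS private key, not only validate the HTTP-Artifact endpoint; nothing on the page says that widening is intended, and it matters where the TLS key is managed separately from the SAML signing key (a load balancer or TLS terminator, for instance). That deserves an inline comment so a later maintainer does not treat the two keys as interchangeable, e.g. `/* Publish the TLS certificate as a signing key: some SPs validate the HTTP-Artifact (SOAP) endpoint against the metadata. Note this also makes the TLS key acceptable for message signatures. */`. When https.certificate is the same certificate as the one returned by loadPublicKey, the method now emits a duplicate signing KeyDescriptor; skip it with `$httpsCert = $metadata->getString('https.certData'); if (!isset($certData) || $httpsCert !== $certData) { $this->addX509KeyDescriptor($rd, 'signing', $httpsCert); }` inside the hasValue branch.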
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 965fa3914..9cd1f9601 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -60,6 +60,12 @@ try {
 		$metaArray['scope'] = $idpmeta->getArray('scope');
 	}
 
+	if ($idpmeta->hasValue('https.certificate')) {
+		$httpsCert = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE, 'https.');
+		assert('isset($httpsCert["certData"])');
+		$metaArray['https.certData'] = $httpsCert['certData'];
+	}
+
 
 	$metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';';
 
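Review bot: The `assert('isset($httpsCert["certData"])')` on the line after the loadPublicKey call is not a runtime check: with assertions disabled, as is common in production, a missing certData reaches the next line, raises an undefined-index notice and stores NULL under https.certData, which the consumer's getString() later rejects with an error that no longer points at https.certificate. Replace it with an explicit check that fails at the source, `if (!isset($httpsCert['certData'])) { throw new Exception('Unable to load certificate from https.certificate.'); }`; the enclosing try block starts before the hunk, so the existing catch would handle it. Whether loadPublicKey with the TRUE argument already throws on a missing file is not visible here; if it does, say so in a comment instead of keeping the assert. The added blank line before the $metaflat assignment leaves two consecutive blank lines; drop one.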
-- 
GitLab