Commit 1be2670f authored by Thijs Kinkhorst's avatar Thijs Kinkhorst

properly calculate supported protocols based on config

replaces the unconditional claim of SAML 1 and SAML 2 support

Based on work proposed by Stefan Winter.

Closes: #310
parent bca83906
...@@ -59,6 +59,7 @@ $assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionscon ...@@ -59,6 +59,7 @@ $assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionscon
$index = 0; $index = 0;
$eps = array(); $eps = array();
$supported_protocols = array();
foreach ($assertionsconsumerservices as $services) { foreach ($assertionsconsumerservices as $services) {
$acsArray = array('index' => $index); $acsArray = array('index' => $index);
...@@ -66,23 +67,38 @@ foreach ($assertionsconsumerservices as $services) { ...@@ -66,23 +67,38 @@ foreach ($assertionsconsumerservices as $services) {
case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST': case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':
$acsArray['Binding'] = \SAML2\Constants::BINDING_HTTP_POST; $acsArray['Binding'] = \SAML2\Constants::BINDING_HTTP_POST;
$acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId); $acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId);
if (!in_array(\SAML2\Constants::NS_SAMLP, $supported_protocolsi, true)) {
$supported_protocols[] = \SAML2\Constants::NS_SAMLP;
}
break; break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post': case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post';
$acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$sourceId); $acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$sourceId);
if (!in_array('urn:oasis:names:tc:SAML:1.1:protocol', $supported_protocols, true)) {
$supported_protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
}
break; break;
case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact': case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
$acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId); $acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId);
if (!in_array(\SAML2\Constants::NS_SAMLP, $supported_protocols, true)) {
$supported_protocols[] = \SAML2\Constants::NS_SAMLP;
}
break; break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01': case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01';
$acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$sourceId.'/artifact'); $acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$sourceId.'/artifact');
if (!in_array('urn:oasis:names:tc:SAML:1.1:protocol', $supported_protocols, true)) {
$supported_protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
}
break; break;
case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser': case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser':
$acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser'; $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
$acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId); $acsArray['Location'] = SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$sourceId);
$acsArray['hoksso:ProtocolBinding'] = \SAML2\Constants::BINDING_HTTP_REDIRECT; $acsArray['hoksso:ProtocolBinding'] = \SAML2\Constants::BINDING_HTTP_REDIRECT;
if (!in_array(\SAML2\Constants::NS_SAMLP, $supported_protocols, true)) {
$supported_protocols[] = \SAML2\Constants::NS_SAMLP;
}
break; break;
} }
$eps[] = $acsArray; $eps[] = $acsArray;
...@@ -214,8 +230,6 @@ if ($spconfig->hasValue('redirect.sign')) { ...@@ -214,8 +230,6 @@ if ($spconfig->hasValue('redirect.sign')) {
$metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest'); $metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
} }
$supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', \SAML2\Constants::NS_SAMLP);
$metaArray20['metadata-set'] = 'saml20-sp-remote'; $metaArray20['metadata-set'] = 'saml20-sp-remote';
$metaArray20['entityid'] = $entityId; $metaArray20['entityid'] = $entityId;
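Review bot: In the second hunk, the HTTP-POST case checks `$supported_protocolsi` instead of `$supported_protocols`, so the guard reads an undefined variable: on PHP 7 in_array() emits a warning and returns null, the negation is always true and NS_SAMLP can be appended more than once, and on PHP 8 in_array() throws a TypeError and metadata generation fails for any SP that has the HTTP-POST binding configured. The line should read `if (!in_array(\SAML2\Constants::NS_SAMLP, $supported_protocols, true)) {`, matching the other four cases. The same add-if-absent block is repeated five times; appending unconditionally and applying `array_unique()` once after the loop would remove the duplication and make this kind of slip harder to reintroduce. Since the third hunk drops the fixed `array('urn:oasis:names:tc:SAML:1.1:protocol', \SAML2\Constants::NS_SAMLP)` fallback, an SP whose acs.Bindings contains none of the five bindings now presumably ends up with an empty protocol list; it is worth confirming that the consumer of `$supported_protocols` outside this hunk tolerates that.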