From 3ce8642c690d8c140594c8c89e879af2208dff47 Mon Sep 17 00:00:00 2001
From: Jaime Perez <jaime.perez@uninett.no>
Date: Tue, 24 Jun 2014 16:06:37 +0200
Subject: [PATCH] Set WantAuthnRequestsSigned in the generated IdP XML metadata
 if validate.authnrequest or redirect.validate options are set in
 saml20-idp-hosted metadata (with that order of precedence). Fixes #43.

---
 lib/SimpleSAML/Metadata/SAMLBuilder.php | 6 ++++--
 www/saml2/idp/metadata.php              | 8 ++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index 057f9886c..da0107296 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -488,8 +488,10 @@ class SimpleSAML_Metadata_SAMLBuilder {
 		$e = new SAML2_XML_md_IDPSSODescriptor();
 		$e->protocolSupportEnumeration[] = 'urn:oasis:names:tc:SAML:2.0:protocol';
 
-		if ($metadata->getBoolean('redirect.sign', FALSE)) {
-			$e->WantAuthnRequestsSigned = TRUE;
+		if ($metadata->hasValue('sign.authnrequest')) {
+			$e->WantAuthnRequestsSigned = $metadata->getBoolean('sign.authnrequest');
+		} elseif ($metadata->hasValue('redirect.sign')) {
+			$e->WantAuthnRequestsSigned = $metadata->getBoolean('redirect.sign');
 		}
 
 		$this->addExtensions($metadata, $e);
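Review bot: The new branch order makes an explicit `sign.authnrequest = FALSE` suppress a `redirect.sign = TRUE`, and an explicit FALSE now emits `WantAuthnRequestsSigned="false"` where the old code simply omitted the attribute; both appear intended per the commit message, but nothing in the code records that. A comment above the first changed `if` would capture it: `// sign.authnrequest takes precedence over the legacy redirect.sign; an explicit FALSE is advertised as such rather than omitted`. It is also worth stating in that comment that this attribute only tells SPs what the IdP expects — enforcement of signatures on incoming requests is decided by the runtime validation options, not by what is published here, so this value guarantees nothing by itself. The enclosing method starts before the hunk.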
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index cf24b788f..0b5f943df 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -150,6 +150,14 @@ try {
 		$metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo');
 	}
 
+	if ($idpmeta->hasValue('validate.authnrequest')) {
+		$metaArray['sign.authnrequest'] = $idpmeta->getBoolean('validate.authnrequest');
+	}
+
+	if ($idpmeta->hasValue('redirect.validate')) {
+		$metaArray['redirect.sign'] = $idpmeta->getBoolean('redirect.validate');
+	}
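Review bot: Both keys are copied into `$metaArray` independently, so an operator who sets both `validate.authnrequest` and `redirect.validate` gets both `sign.authnrequest` and `redirect.sign` in the flat metadata produced by the `var_export` line that follows, and the precedence between them is decided in SAMLBuilder rather than in this file. A short comment on the first added `if` would make that coupling visible: `// Mirror the IdP's own request-validation settings as signing requirements for SPs; SAMLBuilder gives sign.authnrequest precedence over redirect.sign`. Whether `$metaArray` can already hold these keys from earlier code is not visible in the hunk; if it can, these assignments silently overwrite them. The enclosing `try` block starts outside the hunk.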
+
 	$metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';';
 
 	$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
-- 
GitLab