Alot of template options is now moved from beeing required to beeing optional.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@249 44740490-163a-0410-bde0-09ae8108e29a

Alot of template options is now moved from beeing required to beeing optional.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@249 44740490-163a-0410-bde0-09ae8108e29a
5e52d6b8 · Andreas Åkre Solberg · d10bcd6f · 5e52d6b8 · 5e52d6b8 · 5e52d6b8
Commit 5e52d6b8 authored 17 years ago by Andreas Åkre Solberg
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -491,12 +491,17 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		 * Handling attributes.
 		 */
 		$base64 = isset($spmd['base64attributes']) ? $spmd['base64attributes'] : false;
+		$nameidformat = isset($spmd['NameIDFormat']) ? $spmd['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+		
 		$encodedattributes = '';
 		foreach ($attributes AS $name => $values) {
 			$encodedattributes .= self::enc_attribute($name, $values, $base64);
 		}
 		$attributestatement = '<saml:AttributeStatement>' . $encodedattributes . '</saml:AttributeStatement>';
-		if (!$spmd['simplesaml.attributes']) 
+		
+		$sendattributes = isset($spmd['simplesaml.attributes']) ? $spmd['simplesaml.attributes'] : true;
+		
+		if (!$sendattributes) 
 			$attributestatement = '';
 		
 		
@@ -504,10 +509,10 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 		 * Handling NameID
 		 */
 		$nameid = null;
-		if ($spmd['NameIDFormat'] == self::EMAIL) {
-			$nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
+		if ($nameidformat == self::EMAIL) {
+			$nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0]);
 		} else {
-			$nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
+			$nameid = $this->generateNameID($nameidformat, self::generateID());
 		}
 		
 		/**

--- a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
@@ -83,7 +83,11 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 		$idpmetadata = $this->metadata->getMetaData($destination, 'shib13-idp-remote');
 		$spmetadata = $this->metadata->getMetaData($this->getIssuer(), 'shib13-sp-hosted');
 	
-		$desturl = $idpmetadata['SingleSignOnUrl'];
+		if (!isset($idpmetadata['SingleSignOnService'])) {
+			throw new Exception('Could not find the SingleSignOnService parameter in the Shib 1.3 IdP Remote metadata. This parameter has changed name from an earlier version of simpleSAMLphp, when it was called SingleSignOnUrl. Please check your shib13-sp-remote.php configuration the IdP with entity id ' . $destination . ' and make sure the SingleSignOnService parameter is set.');
+		}
+		
+		$desturl = $idpmetadata['SingleSignOnService'];
 		$shire = $this->metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted');
 		$target = $this->getRelayState();
 		

--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -4,6 +4,24 @@
 *
 * The SAML 2.0 IdP Hosted config is used by the SAML 2.0 IdP to identify itself.
 *
+ * Required parameters:
+ *   - host
+ *   - privatekey
+ *   - certificate
+ *   - auth
+ *   - authority
+ *
+ * Optional Parameters:
+ *
+ *
+ * Request signing (optional paramters)
+ *    When request.signing is true the privatekey and certificate of the SP
+ *    will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ *    The certificate and privatekey from above will be used for signing and 
+ *    verification purposes.  
+ *
+ *   - request.signing
+ *
 */


@@ -20,16 +38,7 @@ $metadata = array(
 		'certificate'		=>	'server.crt',
 		
 		// Authentication plugin to use. login.php is the default one that uses LDAP.
-		'auth'				=>	'auth/login.php',
-		
-		/*
-		 * When request.signing is true the privatekey and certificate of the SP
-		 * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
-		 * 
-		 * The certificate and privatekey from above will be used for signing and 
-		 * verification purposes.  
-		 */
-		'request.signing' => true
+		'auth'				=>	'auth/login.php'
 	)

 );

--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -16,6 +16,7 @@ $metadata = array(
 	'idp.example.org' =>  array(
 		'name'					=>	'Test',
 		'description'			=> 'Description of this example entry',
+		
 		'SingleSignOnService'	=>	'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
 		'SingleLogoutService'	=>	'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
 		'certFingerprint'		=>	'3fa158e8abfd4b5203315b08c0b791b6ee4715f6',

--- a/metadata-templates/saml20-sp-hosted.php
+++ b/metadata-templates/saml20-sp-hosted.php
@@ -4,6 +4,22 @@
 *
 * The SAML 2.0 IdP Remote config is used by the SAML 2.0 SP to identify itself.
 *
+ * Required fields:
+ *  - host
+ *
+ * Optional fields:
+ *  - NameIDFormat
+ *  - ForceAuthn  
+ *
+ * Authentication request signing
+ *    When request.signing is true the privatekey and certificate of the SP 
+ *    will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ *    Certificate and privatekey must be placed in the cert directory.
+ *    All these attributes are optional:
+ *
+ *  - 'request.signing' => true,
+ *  - 'privatekey' => 'server.pem',
+ *  - 'certificate' => 'server.pem',
 */
 
 $metadata = array( 
@@ -11,23 +27,8 @@ $metadata = array(
 	/*
 	 * Example of a hosted SP 
 	 */
-	'sp.example.org' => array(
-		'host'							=>	'sp.example.org',
-		'spNameQualifier' 				=>	'sp.example.org',
-		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-		'ForceAuthn'					=>	'false',
-
-		
-		/*
-		 * When request.signing is true the privatekey and certificate of the SP
-		 * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
-		 * 
-		 * Certificate and privatekey must be placed in the cert directory.
-		 */
-		'request.signing' => true,
-		'privatekey' => 'server.pem',
-		'certificate' => 'server.pem',
-		
+	'sp-entityid' => array(
+		'host'  => 'sp.example.org'
 	)

 );

--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -4,16 +4,30 @@
 *
 * The SAML 2.0 SP Remote config is used by the SAML 2.0 IdP to identify trusted SAML 2.0 SPs.
 *
- *	Required parameters:
- * 
- *		spNameQualifier
- *		NameIDFormat
- *		simplesaml.attributes (Will you send an attributestatement [true/false])
+ * Required parameters:
+ *   - AssertionConsumerService
+ *   - SingleLogoutService
 *
- *	Optional parameters:
+ * Optional parameters:
 *
- *		ForceAuthn (default: "false")
- *		simplesaml.nameidattribute (only needed when you are using NameID format email.
+ *   - simplesaml.attributes (Will you send an attributestatement [true/false])
+ *   - NameIDFormat
+ *   - ForceAuthn (default: "false")
+ *   - simplesaml.nameidattribute (only needed when you are using NameID format email.
+ *
+ *   - 'base64attributes'	=>	false,
+ *   - 'simplesaml.attributes'	=>	true,
+ *   - 'attributemap'		=>	'test',
+ *   - 'attributes'			=>	array('mail'),
+ *
+ * Request signing
+ *    When request.signing is true the certificate of the sp 
+ *    will be used to verify all messages received with the HTTPRedirect binding.
+ *    The certificate from the SP must be installed in the cert directory 
+ *    before verification can be done.  
+ *
+ *   'request.signing' => false,
+ *   'certificate' => "saml2sp.example.org.crt"
 *
 */

@@ -24,28 +38,7 @@ $metadata = array(
 	 */
 	'saml2sp.example.org' => array(
 		'AssertionConsumerService'		=>	'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php', 
- 		'SingleLogoutService'			=>	'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
-		'ForceAuthn'					=>	'false',
-		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-		
-		/* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
-		 * that you set the SP to have the same value for this.
-		 */
-		'base64attributes'	=>	false,
-		'simplesaml.attributes'			=>	true,
-		//'attributemap'				=>	'test',
-		//'attributes'					=>	array('mail'),
-		
-		
-		/*
-		 * When request.signing is true the certificate of the sp 
-		 * will be used to verify all messages received with the HTTPRedirect binding.
-		 * 
-		 * The certificate from the SP must be installed in the cert directory 
-		 * before verification can be done.  
-		 */
-		'request.signing' => false,
-		'certificate' => "saml2sp.example.org.crt"
+ 		'SingleLogoutService'			=>	'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php'
 	),
 	
 	/*
@@ -57,9 +50,7 @@ $metadata = array(
 	'google.com' => array(
 		'AssertionConsumerService'		=>	'https://www.google.com/a/g.feide.no/acs', 
 		'SingleLogoutService'			=> 	'',
-		'ForceAuthn'					=>	'false',
 		'NameIDFormat'					=>	'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
-		
 		'simplesaml.nameidattribute'	=>	'uid',
 		'simplesaml.attributes'			=>	false
 	)

--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -33,8 +33,8 @@ try {
 		$metalist = $metadata->getList('saml20-sp-hosted');
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-				array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
-				array('request.signing','certificate','privatekey')
+				array('entityid', 'host'),
+				array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn')
 			);
 		}
 		$et->data['metadata.saml20-sp-hosted'] = $results;
@@ -66,8 +66,8 @@ try {
 		$metalist = $metadata->getList('saml20-sp-remote');
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-				array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
-				array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
+				array('entityid', 'AssertionConsumerService', 'SingleLogoutService'),
+				array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'NameIDFormat')
 			);
 		}
 		$et->data['metadata.saml20-sp-remote'] = $results;
@@ -83,8 +83,8 @@ try {
 		$metalist = $metadata->getList('shib13-sp-hosted');
 		foreach ($metalist AS $entityid => $mentry) {
 			$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-				array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
-				array()
+				array('entityid', 'host'),
+				array('NameIDFormat', 'ForceAuthn')
 			);
 		}
 		$et->data['metadata.shib13-sp-hosted'] = $results;

--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -196,6 +196,9 @@ if (!isset($session) || !$session->isValid($authority) ) {
 		}
 		$filteredattributes = $afilter->getAttributes();
 		
+		
+		//echo '<pre>before filter:' ; print_r($session->getAttributes()); echo "\n\n"; print_r($filteredattributes); echo '</pre>'; exit;
+		
 		// Generate an SAML 2.0 AuthNResponse message
 		$authnResponseXML = $ar->generate($idpentityid, $spentityid, 
 			$requestid, null, $filteredattributes);

--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -68,7 +68,7 @@ if (isset($_GET['shire'])) {
 		$logger->log(LOG_INFO, $session->getTrackID(), 'Shib1.3', 'IdP.SSOService', 'EVENT', $requestid, 'Got incomming Shib authnRequest');
 	
 	} catch(Exception $exception) {
-		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST');
+		SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
 	}