From 5e52d6b85b442af31acae08ad972d26f352b2c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Mon, 4 Feb 2008 15:34:34 +0000
Subject: [PATCH] Alot of template options is now moved from beeing required to beeing optional.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@249 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 13 +++--
 lib/SimpleSAML/XML/Shib13/AuthnRequest.php | 6 ++-
 metadata-templates/saml20-idp-hosted.php | 29 +++++++----
 metadata-templates/saml20-idp-remote.php | 1 +
 metadata-templates/saml20-sp-hosted.php | 35 ++++++-------
 metadata-templates/saml20-sp-remote.php | 55 +++++++++------------
 www/admin/metadata.php | 12 ++---
 www/saml2/idp/SSOService.php | 3 ++
 www/shib13/idp/SSOService.php | 2 +-
 9 files changed, 85 insertions(+), 71 deletions(-)
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index c7ffb9b19..d0e8ccaec 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -491,12 +491,17 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 * Handling attributes.
 */
 $base64 = isset($spmd['base64attributes']) ? $spmd['base64attributes'] : false;
+ $nameidformat = isset($spmd['NameIDFormat']) ? $spmd['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+
 $encodedattributes = '';
 foreach ($attributes AS $name => $values) {
 $encodedattributes .= self::enc_attribute($name, $values, $base64);
 }
 $attributestatement = '<saml:AttributeStatement>' . $encodedattributes . '</saml:AttributeStatement>';
- if (!$spmd['simplesaml.attributes'])
+
+ $sendattributes = isset($spmd['simplesaml.attributes']) ? $spmd['simplesaml.attributes'] : true;
+
+ if (!$sendattributes)
 $attributestatement = '';
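Review bot: The new `$sendattributes` fallback on the `simplesaml.attributes` line is fail-open in two ways: an SP entry that omits the key now receives the full attribute statement, and a value written as the string `'false'` (the style these templates use for `ForceAuthn`) is truthy, so `!$sendattributes` never suppresses it. I would accept only real booleans and make the default explicit: `// Default is to send an attribute statement; only a boolean false disables it.` above the assignment, then `if (!is_bool($sendattributes)) throw new Exception('simplesaml.attributes must be a boolean (true/false)');` before the `if (!$sendattributes)` check. The same applies to `$base64`, which is also read straight from metadata. The enclosing method starts and ends outside this hunk.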
@@ -504,10 +509,10 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 * Handling NameID
 */
 $nameid = null;
- if ($spmd['NameIDFormat'] == self::EMAIL) {
- $nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
+ if ($nameidformat == self::EMAIL) {
+ $nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0]);
 } else {
- $nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
+ $nameid = $this->generateNameID($nameidformat, self::generateID());
 }
 /**
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
index 1fe6972aa..ef3ae1666 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
@@ -83,7 +83,11 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 $idpmetadata = $this->metadata->getMetaData($destination, 'shib13-idp-remote');
 $spmetadata = $this->metadata->getMetaData($this->getIssuer(), 'shib13-sp-hosted');
- $desturl = $idpmetadata['SingleSignOnUrl'];
+ if (!isset($idpmetadata['SingleSignOnService'])) {
+ throw new Exception('Could not find the SingleSignOnService parameter in the Shib 1.3 IdP Remote metadata. This parameter has changed name from an earlier version of simpleSAMLphp, when it was called SingleSignOnUrl. Please check your shib13-sp-remote.php configuration the IdP with entity id ' . $destination . ' and make sure the SingleSignOnService parameter is set.');
+ }
+
+ $desturl = $idpmetadata['SingleSignOnService'];
 $shire = $this->metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted');
 $target = $this->getRelayState();
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index 3d46c4c2f..1dada8ea5 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
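Review bot: The email branch still indexes `$attributes[$spmd['simplesaml.nameidattribute']][0]` with no guard, while this same commit makes `simplesaml.nameidattribute` optional in the sp-remote template and removes it from the google.com example that keeps `NameIDFormat` email; a missing key or a user without that attribute then yields a NameID built from an undefined value instead of a clear failure. Add before the `generateNameID` call: `if (!isset($spmd['simplesaml.nameidattribute']) || !isset($attributes[$spmd['simplesaml.nameidattribute']][0])) throw new Exception('NameID format email requires simplesaml.nameidattribute to name an attribute present for this user');`. The format comparison should also be strict, `if ($nameidformat === self::EMAIL) {`, since `$nameidformat` comes straight from metadata. The enclosing method starts and ends outside this hunk.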
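Review bot: The new exception message sends the administrator to the wrong file: the lookup two lines above is `getMetaData($destination, 'shib13-idp-remote')`, but the text names `shib13-sp-remote.php`, and the sentence is missing "for". Change that fragment to `Please check your shib13-idp-remote.php configuration for the IdP with entity id ' . $destination . ' and make sure the SingleSignOnService parameter is set.`. Note that `$destination` is concatenated into the message verbatim; wherever the caller renders exceptions to a browser it must HTML-escape the text, since the origin of `$destination` is not visible here. The enclosing method starts and ends outside this hunk.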
@@ -4,6 +4,24 @@
 *
 * The SAML 2.0 IdP Hosted config is used by the SAML 2.0 IdP to identify itself.
 *
+ * Required parameters:
+ * - host
+ * - privatekey
+ * - certificate
+ * - auth
+ * - authority
+ *
+ * Optional Parameters:
+ *
+ *
+ * Request signing (optional paramters)
+ * When request.signing is true the privatekey and certificate of the SP
+ * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ * The certificate and privatekey from above will be used for signing and
+ * verification purposes.
+ *
+ * - request.signing
+ *
 */
@@ -20,16 +38,7 @@ $metadata = array(
 'certificate' => 'server.crt',
 // Authentication plugin to use. login.php is the default one that uses LDAP.
- 'auth' => 'auth/login.php',
-
- /*
- * When request.signing is true the privatekey and certificate of the SP
- * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
- *
- * The certificate and privatekey from above will be used for signing and
- * verification purposes.
- */
- 'request.signing' => true
+ 'auth' => 'auth/login.php'
 )
 );
diff --git a/metadata-templates/saml20-idp-remote.php b/metadata-templates/saml20-idp-remote.php
index a9e934c7d..1f3851219 100644
--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -16,6 +16,7 @@ $metadata = array(
 'idp.example.org' => array(
 'name' => 'Test',
 'description' => 'Description of this example entry',
+ 'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
 'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
 'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
diff --git a/metadata-templates/saml20-sp-hosted.php b/metadata-templates/saml20-sp-hosted.php
index 1600ce357..4a38eef75 100644
--- a/metadata-templates/saml20-sp-hosted.php
+++ b/metadata-templates/saml20-sp-hosted.php
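Review bot: The added header comment for the hosted IdP says the signing key belongs to the SP (`the privatekey and certificate of the SP`), misspells `(optional paramters)`, and leaves `Optional Parameters:` as an empty heading above a second, unlabeled list. Since this file is the IdP's own entry, the sentence should read `When request.signing is true the privatekey and certificate of this IdP` and the one optional key should sit directly under the heading as `- request.signing (sign/verify HTTP-Redirect messages with the key and certificate above)`, with the typo fixed.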
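Review bot: Dropping `'request.signing' => true` from the example entry means an IdP built from this template will no longer verify or sign HTTP-Redirect messages unless the administrator adds the key by hand, assuming an absent key is treated as false (the consumer of this option is not visible in this hunk). The explanatory comment was removed with it, so nothing in the entry hints that the option exists; keep a commented line such as `// 'request.signing' => true, // recommended: sign/verify HTTP-Redirect messages with the key above` after `'auth'`. Making a security control opt-in in a template deserves at least a mention in the commit message.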
@@ -4,6 +4,22 @@
 *
 * The SAML 2.0 IdP Remote config is used by the SAML 2.0 SP to identify itself.
 *
+ * Required fields:
+ * - host
+ *
+ * Optional fields:
+ * - NameIDFormat
+ * - ForceAuthn
+ *
+ * Authentication request signing
+ * When request.signing is true the privatekey and certificate of the SP
+ * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ * Certificate and privatekey must be placed in the cert directory.
+ * All these attributes are optional:
+ *
+ * - 'request.signing' => true,
+ * - 'privatekey' => 'server.pem',
+ * - 'certificate' => 'server.pem',
 */
 $metadata = array(
@@ -11,23 +27,8 @@ $metadata = array(
 /*
 * Example of a hosted SP
 */
- 'sp.example.org' => array(
- 'host' => 'sp.example.org',
- 'spNameQualifier' => 'sp.example.org',
- 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
- 'ForceAuthn' => 'false',
-
-
- /*
- * When request.signing is true the privatekey and certificate of the SP
- * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
- *
- * Certificate and privatekey must be placed in the cert directory.
- */
- 'request.signing' => true,
- 'privatekey' => 'server.pem',
- 'certificate' => 'server.pem',
-
+ 'sp-entityid' => array(
+ 'host' => 'sp.example.org'
 )
 );
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index eee631f75..077857384 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
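Review bot: The new comment states `All these attributes are optional:` for `request.signing`, `privatekey` and `certificate`, but by its own description the key and certificate are what signing uses, so they are only optional while `request.signing` is off; an entry with signing on and no key will fail at the first signed request rather than at configuration time. Write `- 'request.signing' => true, (privatekey and certificate below are required when this is true)` so the dependency is explicit. The unchanged sentence above, which calls this file the `IdP Remote config`, is also wrong for the SP hosted template and could be corrected while this comment is being rewritten.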
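Review bot: The rewritten example drops `spNameQualifier`, yet the header comment added in this commit lists it neither as required nor as optional, so an administrator migrating an existing entry cannot tell whether the key is still read anywhere (I cannot see its consumer from here). Either add `- spNameQualifier` under `Optional fields:` or state that it is ignored. The new key `'sp-entityid'` is a placeholder unlike the `sp.example.org` style used by the other templates; a comment such as `// replace with the entity ID of your SP` next to it would prevent it being deployed literally.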
@@ -4,16 +4,30 @@
 *
 * The SAML 2.0 SP Remote config is used by the SAML 2.0 IdP to identify trusted SAML 2.0 SPs.
 *
- * Required parameters:
- *
- * spNameQualifier
- * NameIDFormat
- * simplesaml.attributes (Will you send an attributestatement [true/false])
+ * Required parameters:
+ * - AssertionConsumerService
+ * - SingleLogoutService
 *
- * Optional parameters:
+ * Optional parameters:
 *
- * ForceAuthn (default: "false")
- * simplesaml.nameidattribute (only needed when you are using NameID format email.
+ * - simplesaml.attributes (Will you send an attributestatement [true/false])
+ * - NameIDFormat
+ * - ForceAuthn (default: "false")
+ * - simplesaml.nameidattribute (only needed when you are using NameID format email.
+ *
+ * - 'base64attributes' => false,
+ * - 'simplesaml.attributes' => true,
+ * - 'attributemap' => 'test',
+ * - 'attributes' => array('mail'),
+ *
+ * Request signing
+ * When request.signing is true the certificate of the sp
+ * will be used to verify all messages received with the HTTPRedirect binding.
+ * The certificate from the SP must be installed in the cert directory
+ * before verification can be done.
+ *
+ * 'request.signing' => false,
+ * 'certificate' => "saml2sp.example.org.crt"
 *
 */
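Review bot: The new option list names `simplesaml.attributes` twice (once as optional, once as `=> true`) and never states the defaults that AuthnResponse.php in this same commit applies when a key is absent, which is exactly what made these keys optional. I would collapse the duplicates into `- NameIDFormat (default: transient)`, `- simplesaml.attributes (send an attribute statement [true/false], default: true)` and `- simplesaml.nameidattribute (required when NameIDFormat is email)`, which also closes the parenthesis the last line leaves open. Stating the `simplesaml.attributes` default is security-relevant: an administrator who omits it is sending attributes, not withholding them.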
@@ -24,28 +38,7 @@ $metadata = array(
 */
 'saml2sp.example.org' => array(
 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
- 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
- 'ForceAuthn' => 'false',
- 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-
- /* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
- * that you set the SP to have the same value for this.
- */
- 'base64attributes' => false,
- 'simplesaml.attributes' => true,
- //'attributemap' => 'test',
- //'attributes' => array('mail'),
-
-
- /*
- * When request.signing is true the certificate of the sp
- * will be used to verify all messages received with the HTTPRedirect binding.
- *
- * The certificate from the SP must be installed in the cert directory
- * before verification can be done.
- */
- 'request.signing' => false,
- 'certificate' => "saml2sp.example.org.crt"
+ 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php'
 ),
 /*
@@ -57,9 +50,7 @@ $metadata = array(
 'google.com' => array(
 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
 'SingleLogoutService' => '',
- 'ForceAuthn' => 'false',
 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
- 'simplesaml.nameidattribute' => 'uid',
 'simplesaml.attributes' => false
 )
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index 1217f40a4..d6f1761ea 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
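Review bot: The trimmed example loses the only explanation that `base64attributes` must be set identically on the SP side, while the option itself stays listed as optional in the header comment, so the warning should move rather than vanish. Add under the option list at the top of the file: `- base64attributes (default: false; the SP must use the same value or its attributes will not decode)`, the default being the `false` fallback AuthnResponse.php uses in this commit. The same goes for the note that the SP's certificate must be installed in the cert directory before `request.signing` can work.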
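Review bot: The google.com example keeps `'NameIDFormat'` set to the email format but drops `'simplesaml.nameidattribute' => 'uid'`, and the email branch in AuthnResponse.php (changed in this same commit) still reads `$attributes[$spmd['simplesaml.nameidattribute']][0]` with no fallback, so an entry copied from this example will build its NameID from an undefined index. Keep the line: `'simplesaml.nameidattribute' => 'uid',`. Removing `ForceAuthn` is fine since the template documents its default.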
@@ -33,8 +33,8 @@ try {
 $metalist = $metadata->getList('saml20-sp-hosted');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
- array('request.signing','certificate','privatekey')
+ array('entityid', 'host'),
+ array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn')
 );
 }
 $et->data['metadata.saml20-sp-hosted'] = $results;
@@ -66,8 +66,8 @@ try {
 $metalist = $metadata->getList('saml20-sp-remote');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
- array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
+ array('entityid', 'AssertionConsumerService', 'SingleLogoutService'),
+ array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'NameIDFormat')
 );
 }
 $et->data['metadata.saml20-sp-remote'] = $results;
@@ -83,8 +83,8 @@ try {
 $metalist = $metadata->getList('shib13-sp-hosted');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
- array()
+ array('entityid', 'host'),
+ array('NameIDFormat', 'ForceAuthn')
 );
 }
 $et->data['metadata.shib13-sp-hosted'] = $results;
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 5c2c6fdcd..2bee68216 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
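Review bot: In the saml20-sp-remote rules the optional list gains `'NameIDFormat'` but not `'ForceAuthn'` or `'simplesaml.nameidattribute'`, both of which the sp-remote template in this commit documents as optional, so the admin check will presumably report valid entries that use them (what checkAssocArrayRules does with keys in neither list is not visible here). Extend the second array to `array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'NameIDFormat', 'ForceAuthn', 'simplesaml.nameidattribute')`. Keeping this list in step with the templates matters because this page is the one place an administrator gets told about a misspelt security option such as `request.signing`. The enclosing try block starts and ends outside this hunk.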
@@ -196,6 +196,9 @@ if (!isset($session) || !$session->isValid($authority) ) {
 }
 $filteredattributes = $afilter->getAttributes();
+
+ //echo '<pre>before filter:' ; print_r($session->getAttributes()); echo "\n\n"; print_r($filteredattributes); echo '</pre>'; exit;
+
 // Generate an SAML 2.0 AuthNResponse message
 $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes);
diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php
index 71ac5b1a8..731cdd13c 100644
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -68,7 +68,7 @@ if (isset($_GET['shire'])) {
 $logger->log(LOG_INFO, $session->getTrackID(), 'Shib1.3', 'IdP.SSOService', 'EVENT', $requestid, 'Got incomming Shib authnRequest');
 } catch(Exception $exception) {
- SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST');
+ SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
 }
-- GitLab
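Review bot: The added line is commented-out debug code that `print_r`s every session attribute and the filtered set straight into the response and then calls `exit`; it has no place in the IdP's SSO endpoint, where a single stray uncomment would expose user attributes to the browser and break the flow for every SP. Remove the three added lines. If a debugging aid is wanted, emit the attribute names (not values) through `$logger` at debug level instead of writing to the response.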
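Review bot: Passing `$exception` to fatalError is the right direction, but it carries exception text into the error path, and messages such as the new Shib 1.3 AuthnRequest one embed request-derived values (the destination entity id) verbatim; if fatalError prints the message into the HTML error page it must run it through `htmlspecialchars`, and in production the detail belongs in the log with only a generic message shown. I cannot see fatalError from this hunk, so please confirm which it does. The enclosing try block starts outside this hunk.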