diff --git a/dictionaries/admin.definition.json b/dictionaries/admin.definition.json
index 5c75f855b6a8651e5071c9e38a4e891aa25dd9c3..fc9739fc6e3643aa7a51f9dc47c714d690d8eac3 100644
--- a/dictionaries/admin.definition.json
+++ b/dictionaries/admin.definition.json
@@ -104,6 +104,12 @@
 "metadata_metadata": {
 "en": "Metadata"
 },
+ "metadata_cert": {
+ "en": "Certificates"
+ },
+ "metadata_cert_intro": {
+ "en": "Download the X509 certificates as PEM-encoded files."
+ },
 "metadata_xmlformat": {
 "en": "In SAML 2.0 Metadata XML format:"
 },
diff --git a/dictionaries/admin.translation.json b/dictionaries/admin.translation.json
index fca3af672b7cc2e05a5691b7c314caaff680fed2..3a415978f83f9b450f8c0ae9ab0f7110b24bccbd 100644
--- a/dictionaries/admin.translation.json
+++ b/dictionaries/admin.translation.json
@@ -984,5 +984,11 @@
 "ja": "\u304a\u77e5\u3089\u305b",
 "lt": "Prane\u0161imai",
 "zh-tw": "\u5099\u8a3b"
+ },
+ "metadata_cert": {
+ "nl": "Certificaten"
+ },
+ "metadata_cert_intro": {
+ "nl": "Download de X509-certificaten in PEM-formaat."
 }
 }
diff --git a/modules/saml/www/idp/certs.php b/modules/saml/www/idp/certs.php
new file mode 100644
index 0000000000000000000000000000000000000000..a26da33792b24b13ef2586882e8ad898cfc7fadd
--- /dev/null
+++ b/modules/saml/www/idp/certs.php
@@ -0,0 +1,37 @@
+<?php
+
+/* Load simpleSAMLphp, configuration and metadata */
+$config = SimpleSAML_Configuration::getInstance();
+$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+
+if (!$config->getBoolean('enable.saml20-idp', false))
+ throw new SimpleSAML_Error_Error('NOACCESS');
+
+/* Check if valid local session exists.. */
+if ($config->getBoolean('admin.protectmetadata', false)) {
+ SimpleSAML_Utilities::requireAdmin();
+}
+
+$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');
+
+switch($_SERVER['PATH_INFO']) {
+ case '/new_idp.crt':
+ $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, FALSE, 'new_');
+ break;
+ case '/idp.crt':
+ $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE);
+ break;
+ case '/https.crt':
+ $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE, 'https.');
+ break;
+ default:
+ throw new SimpleSAML_Error_NotFound('Unknown certificate.');
+}
+
+header('Content-Disposition: attachment; filename='.substr($_SERVER['PATH_INFO'], 1));
+header('Content-Type: application/x-x509-ca-cert');
+echo $certInfo['PEM'];
+exit(0);
+
+?>
diff --git a/templates/metadata.php b/templates/metadata.php
index 855cb04dfdf0285908660378b98a4bd1ab996a1f..3d2ca520f921976cc7dbc9bc70049a824c37634d 100644
--- a/templates/metadata.php
+++ b/templates/metadata.php
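Review bot: The `/new_idp.crt` branch calls loadPublicKey with required=FALSE, mirroring the `$certInfo !== NULL` check in www/saml2/idp/metadata.php, but nothing here tests for NULL, so an IdP with no new_ certificate configured answers that URL with a 200, attachment headers and an empty body instead of a 404. Add `if ($certInfo === NULL) { throw new SimpleSAML_Error_NotFound('Unknown certificate.'); }` directly after the switch. `$_SERVER['PATH_INFO']` is also read without an isset guard, so a request to certs.php with no trailing path raises a notice before reaching the default branch; read it once into a local with `isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''` and derive the Content-Disposition filename from a per-case constant rather than re-reading the request path (it is only safe today because the switch has already whitelisted it). Minor: the closing `?>` is dead after exit(0) and is a classic source of stray output, and `application/x-x509-ca-cert` is a slightly misleading type for an IdP signing certificate — `application/x-pem-file` would describe the body better.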
@@ -26,7 +26,25 @@ $this->includeAtTemplateBase('includes/header.php');
 </pre>
-
+<?php
+if(array_key_exists('available_certs', $this->data)) { ?>
+ <h2><?php echo($this->t('metadata_cert')); ?></h2>
+ <p><?php echo($this->t('metadata_cert_intro')); ?></p>
+ <ul>
+ <?php
+ foreach(array_keys($this->data['available_certs']) as $certName) {
+ echo ('<li><a href="'.
+ htmlspecialchars(SimpleSAML_Module::getModuleURL('saml/idp/certs.php').'/'.$certName).'">'.$certName.'</a>');
+ if($this->data['available_certs'][$certName]['certFingerprint'][0] == 'afe71c28ef740bc87425be13a2263d37971da1f9') {
+ echo (' <img style="display: inline;" src="/' . $this->data['baseurlpath'] .
+ 'resources/icons/silk/exclamation.png" alt="default certificate" />
+ This is the default certificate. Generate a new certificate if this is a production system.');
+ }
+ echo '</li>';
+ }
+ echo '</ul>';
+}
+?>
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 359a6d8b0b04b129583f58d2f8e7bb57b7001a4b..3821cb2feeeddddc90557c573f753cf57ee20f22 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -19,9 +19,12 @@ try {
 $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
 $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-hosted');
+ $availableCerts = array();
+ $keys = array();
 $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, FALSE, 'new_');
 if ($certInfo !== NULL) {
+ $availableCerts['new_idp.crt'] = $certInfo;
 $keys[] = array(
 'type' => 'X509Certificate',
 'signing' => TRUE,
@@ -34,6 +37,7 @@ try {
 }
 $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE);
+ $availableCerts['idp.crt'] = $certInfo;
 $keys[] = array(
 'type' => 'X509Certificate',
 'signing' => TRUE,
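Review bot: `$certName` is echoed unescaped as the link text in `'">'.$certName.'</a>'` while the href beside it is run through htmlspecialchars; today the names are the three literal keys set in www/saml2/idp/metadata.php, but a template should not depend on that — wrap the text in `htmlspecialchars($certName)` as well. The default-certificate check compares `['certFingerprint'][0]` against the bare literal `'afe71c28ef740bc87425be13a2263d37971da1f9'` with `==`; give it a named variable with a comment stating which shipped certificate it is the SHA-1 fingerprint of (presumably the one distributed in the default cert/ directory — confirm), e.g. `$defaultCertFingerprint = 'afe71c28ef740bc87425be13a2263d37971da1f9'; // sha1 of the certificate shipped with the distribution`, and compare with `===`. Indexing `['certFingerprint'][0]` assumes loadPublicKey always fills a non-empty array there, which this diff does not show; if the key can be absent the guard emits a notice instead of skipping the warning. The warning sentence is hard-coded English inside the echo while the heading and intro above it go through `$this->t()`; a dictionary key such as `metadata_cert_default` would keep it translatable.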
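Review bot: The certificates collected into `$availableCerts` come from `$idpmeta`, which this file selects from the optional `idpentityid` query parameter, but the download endpoint the template links to (modules/saml/www/idp/certs.php, added in this same commit) resolves its entity with `getMetaDataCurrentEntityID` alone, so when this page is rendered for a non-default hosted IdP the listed fingerprints and the files actually downloaded can belong to different entities. Either carry the entity id through to the download link (append it as a query parameter on the certs.php URL and have certs.php honour it the same way this file does) or only populate `$availableCerts` when `$_GET['idpentityid']` is unset; a comment beside `$availableCerts = array();` saying which was chosen would help the next reader. The enclosing `try` block starts above this hunk.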
@@ -44,6 +48,7 @@ try {
 if ($idpmeta->hasValue('https.certificate')) {
 $httpsCert = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE, 'https.');
 assert('isset($httpsCert["certData"])');
+ $availableCerts['https.crt'] = $httpsCert;
 $keys[] = array(
 'type' => 'X509Certificate',
 'signing' => TRUE,
@@ -112,7 +117,7 @@ try {
 $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
-
+ $t->data['available_certs'] = $availableCerts;
 $t->data['header'] = 'saml20-idp';
 $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
 $t->data['metadata'] = htmlspecialchars($metaxml);