saml2: Introduce sign.logout and sign.authnrequest options.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2550 44740490-163a-0410-bde0-09ae8108e29a

saml2: Introduce sign.logout and sign.authnrequest options.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2550 44740490-163a-0410-bde0-09ae8108e29a
6d4ca5c3 · Olav Morken · e9cd4256 · 6d4ca5c3 · 6d4ca5c3 · 6d4ca5c3
Commit 6d4ca5c3 authored 14 years ago by Olav Morken
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -203,6 +203,13 @@ The following SAML 2.0 options are available:
 :   Whether `<saml:Assertion> elements should be signed.
    Defaults to `TRUE`.

+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+`sign.logout`
+:   Whether to sign logout messages sent from this IdP.
+
 :   Note that this option also exists in the SP-remote metadata, and
    any value in the SP-remote metadata overrides the one configured
    in the IdP metadata.

--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -110,6 +110,18 @@ The following SAML 2.0 options are available:
    -   `noauthnstatement` - Ignore missing &lt;AuthnStatement&gt; in &lt;Assertion&gt;.
    -   `noattributestatement` - Ignore missing &lt;AttributeStatement&gt; in &lt;Assertion&gt;.

+`sign.authnrequest`
+:   Whether to sign authentication requests sent to this IdP.
+
+:   Note that this option also exists in the SP configuration.
+    This value in the IdP remote metadata overrides the value in the SP configuration.
+
+`sign.logout`
+:   Whether to sign logout messages sent to this IdP.
+
+:   Note that this option also exists in the SP configuration.
+    This value in the IdP remote metadata overrides the value in the SP configuration.
+
 `SingleLogoutService`
 :   Endpoint URL for logout requests and responses. You should obtain this from the IdP. Users who log out from your service is redirected to this URL with the LogoutRequest using HTTP-REDIRECT.


--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -238,6 +238,12 @@ The following SAML 2.0 options are available:
 :   -   `raw`: Store the attribute without any modifications. This
        makes it possible to include raw XML in the response.

+`sign.logout`
+:   Whether to sign logout messages sent to this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
 `validate.authnrequest`
 :   Whether we require signatures on authentication requests sent from this SP.


--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -252,6 +252,24 @@ Options

 :   *Note*: SAML 1 specific.

+`sign.authnrequest`
+:   Whether to sign authentication requests sent from this SP.
+
+:   Note that this option also exists in the IdP-remote metadata, and
+    any value in the IdP-remote metadata overrides the one configured
+    in the SP configuration.
+
+:   *Note*: SAML 2 specific.
+
+`sign.logout`
+:   Whether to sign logout messages sent from this SP.
+
+:   Note that this option also exists in the IdP-remote metadata, and
+    any value in the IdP-remote metadata overrides the one configured
+    in the SP configuration.
+
+:   *Note*: SAML 2 specific.
+
 `redirect.sign`
 :   Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.


--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -53,9 +53,23 @@ class sspmod_saml_Message {
 	 */
 	private static function addRedirectSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_message $message) {

-		$signingEnabled = $dstMetadata->getBoolean('redirect.sign', NULL);
+		if ($message instanceof SAML2_LogoutRequest || $message instanceof SAML2_LogoutResponse) {
+			$signingEnabled = $srcMetadata->getBoolean('sign.logout', NULL);
+			if ($signingEnabled === NULL) {
+				$signingEnabled = $dstMetadata->getBoolean('sign.logout', NULL);
+			}
+		} elseif ($message instanceof SAML2_AuthnRequest) {
+			$signingEnabled = $srcMetadata->getBoolean('sign.authnrequest', NULL);
+			if ($signingEnabled === NULL) {
+				$signingEnabled = $dstMetadata->getBoolean('sign.authnrequest', NULL);
+			}
+		}
+
 		if ($signingEnabled === NULL) {
-			$signingEnabled = $srcMetadata->getBoolean('redirect.sign', FALSE);
+			$signingEnabled = $dstMetadata->getBoolean('redirect.sign', NULL);
+			if ($signingEnabled === NULL) {
+				$signingEnabled = $srcMetadata->getBoolean('redirect.sign', FALSE);
+			}
 		}
 		if (!$signingEnabled) {
 			return;