From 6d4ca5c38acd3fbd4cef43aa41f4fe9fb912a18a Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 15 Sep 2010 11:10:04 +0000
Subject: [PATCH] saml2: Introduce sign.logout and sign.authnrequest options.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2550 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-reference-idp-hosted.txt | 7 +++++++
 docs/simplesamlphp-reference-idp-remote.txt | 12 ++++++++++++
 docs/simplesamlphp-reference-sp-remote.txt | 6 ++++++
 modules/saml/docs/sp.txt | 18 ++++++++++++++++++
 modules/saml/lib/Message.php | 18 ++++++++++++++++--
 5 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index 0ea132587..50b5c0da5 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -203,6 +203,13 @@ The following SAML 2.0 options are available:
 : Whether `<saml:Assertion> elements should be signed. Defaults to `TRUE`.
+: Note that this option also exists in the SP-remote metadata, and
+ any value in the SP-remote metadata overrides the one configured
+ in the IdP metadata.
+
+`sign.logout`
+: Whether to sign logout messages sent from this IdP.
+
 : Note that this option also exists in the SP-remote metadata, and any value in the SP-remote metadata overrides the one configured in the IdP metadata.
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index a903d2c5b..0edad94e6 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -110,6 +110,18 @@ The following SAML 2.0 options are available:
 - `noauthnstatement` - Ignore missing <AuthnStatement> in <Assertion>.
 - `noattributestatement` - Ignore missing <AttributeStatement> in <Assertion>.
+`sign.authnrequest`
+: Whether to sign authentication requests sent to this IdP.
+
+: Note that this option also exists in the SP configuration.
+ This value in the IdP remote metadata overrides the value in the SP configuration.
+
+`sign.logout`
+: Whether to sign logout messages sent to this IdP.
+
+: Note that this option also exists in the SP configuration.
+ This value in the IdP remote metadata overrides the value in the SP configuration.
+
 `SingleLogoutService`
 : Endpoint URL for logout requests and responses. You should obtain this from the IdP. Users who log out from your service is redirected to this URL with the LogoutRequest using HTTP-REDIRECT.
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index ab6fd4a41..7a5a841e6 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -238,6 +238,12 @@ The following SAML 2.0 options are available:
 : - `raw`: Store the attribute without any modifications. This makes it possible to include raw XML in the response.
+`sign.logout`
+: Whether to sign logout messages sent to this SP.
+
+: Note that this option also exists in the IdP-hosted metadata.
+ The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
 `validate.authnrequest`
 : Whether we require signatures on authentication requests sent from this SP.
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 63d61e407..7d4fd1f63 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -252,6 +252,24 @@ Options
 : *Note*: SAML 1 specific.
+`sign.authnrequest`
+: Whether to sign authentication requests sent from this SP.
+
+: Note that this option also exists in the IdP-remote metadata, and
+ any value in the IdP-remote metadata overrides the one configured
+ in the SP configuration.
+
+: *Note*: SAML 2 specific.
+
+`sign.logout`
+: Whether to sign logout messages sent from this SP.
+
+: Note that this option also exists in the IdP-remote metadata, and
+ any value in the IdP-remote metadata overrides the one configured
+ in the SP configuration.
+
+: *Note*: SAML 2 specific.
+
 `redirect.sign`
 : Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index e8a96aeb2..a9df3f957 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -53,9 +53,23 @@ class sspmod_saml_Message {
 */
 private static function addRedirectSign(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2_message $message) {
- $signingEnabled = $dstMetadata->getBoolean('redirect.sign', NULL);
+ if ($message instanceof SAML2_LogoutRequest || $message instanceof SAML2_LogoutResponse) {
+ $signingEnabled = $srcMetadata->getBoolean('sign.logout', NULL);
+ if ($signingEnabled === NULL) {
+ $signingEnabled = $dstMetadata->getBoolean('sign.logout', NULL);
+ }
+ } elseif ($message instanceof SAML2_AuthnRequest) {
+ $signingEnabled = $srcMetadata->getBoolean('sign.authnrequest', NULL);
+ if ($signingEnabled === NULL) {
+ $signingEnabled = $dstMetadata->getBoolean('sign.authnrequest', NULL);
+ }
+ }
+
 if ($signingEnabled === NULL) {
- $signingEnabled = $srcMetadata->getBoolean('redirect.sign', FALSE);
+ $signingEnabled = $dstMetadata->getBoolean('redirect.sign', NULL);
+ if ($signingEnabled === NULL) {
+ $signingEnabled = $srcMetadata->getBoolean('redirect.sign', FALSE);
+ }
 }
 if (!$signingEnabled) {
 return;
-- GitLab
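Review bot: `$signingEnabled` is only assigned inside the two `instanceof` branches, so for any other message type the `if ($signingEnabled === NULL)` that follows reads an undefined variable; it still falls through to the `redirect.sign` lookup, but it does so via PHP's undefined-variable notice rather than by design. Initialise it before the chain with `$signingEnabled = NULL;` so the fallback is explicit. Separately, every new lookup reads `$srcMetadata` first and `$dstMetadata` only as a fallback, while the doc hunks in this same commit say the remote side wins (e.g. "any value in the SP-remote metadata overrides the one configured in the IdP metadata"); if `$srcMetadata` is the sender's own configuration, as the parameter name suggests, either the order or the docs need to change, and since this decides whether logout and authentication requests are signed at all the mismatch is worth settling before merge. addRedirectSign continues past the end of the hunk.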