Commit 7c4723b4 authored by Olav Morken's avatar Olav Morken

saml2: Add options to control signing of assertion/response.

Also update the documentation to reflect these changes.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1653 44740490-163a-0410-bde0-09ae8108e29a
parent 9f77da4e
......@@ -214,14 +214,13 @@ $config = array (
'idpdisco.layout' => 'links',
/*
* Whether simpleSAMLphp should sign the response or the assertion in SAML 2.0 authentication
* Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
* responses.
*
* The default is to sign the assertion element, but that can be overridden by setting this
* option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the
* same name to the metadata of the SP.
*/
'saml20.signresponse' => FALSE,
'shib13.signresponse' => TRUE,
......
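Review bot: The comment block retained above `'shib13.signresponse' => TRUE` still states that the default is to sign the assertion element and that the option must be set to TRUE to override that, which contradicts the TRUE value directly beneath it; with the `saml20.signresponse` line removed, the comment now describes only the SAML 1.1 option and should be corrected to match the value shown. A wording such as `* The default is to sign the Response element; set this option to FALSE to sign the Assertion element instead.` would agree with the setting, keeping the sentence about the per-SP override in SP metadata if it still holds. Whether that per-SP override sentence still applies to the SAML 1.1 path is not visible from this hunk, so confirm it before leaving it in place.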
......@@ -140,6 +140,22 @@ The following SAML 2.0 options are available:
configure your webserver to deliver this URL to the correct PHP
page.
`saml20.sign.response`
: Whether `<samlp:Response> messages should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
`saml20.sign.assertion`
: Whether `<saml:Assertion> elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
### Fields for signing and validating messages
......
......@@ -161,14 +161,19 @@ The following SAML 2.0 options are available:
(if `assertion.encryption` is set to TRUE and `sharedkey` is
unset.)
`signresponse`
: The default behaviour of simpleSAMLphp is to sign the Assertion
element in the SAML 2.0 response sent to SPs. This option allows
you to override this behaviour on a per SP basis. Set this to
`TRUE` to sign the Response element. `FALSE` will make the SP sign
the Assertion. If this option is unset, the value from
`saml2.signresponse` in `config.php` will be used. That value is
`FALSE` by default.
`saml20.sign.response`
: Whether `<samlp:Response> messages should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`saml20.sign.assertion`
: Whether `<saml:Assertion> elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either
......
......@@ -502,10 +502,18 @@ class sspmod_saml2_Message {
public static function buildAssertion(SimpleSAML_Configuration $srcMetadata,
SimpleSAML_Configuration $dstMetadata, array $attributes) {
$signAssertion = $dstMetadata->getBoolean('saml20.sign.assertion', NULL);
if ($signAssertion === NULL) {
$signAssertion = $srcMetadata->getBoolean('saml20.sign.assertion', TRUE);
}
$config = SimpleSAML_Configuration::getInstance();
$a = new SAML2_Assertion();
self::addSign($srcMetadata, $dstMetadata, $a);
if ($signAssertion) {
self::addSign($srcMetadata, $dstMetadata, $a);
}
$a->setIssuer($srcMetadata->getString('entityid'));
$a->setDestination($dstMetadata->getString('AssertionConsumerService'));
$a->setValidAudiences(array($dstMetadata->getString('entityid')));
......@@ -574,12 +582,19 @@ class sspmod_saml2_Message {
*/
public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
$signResponse = $dstMetadata->getBoolean('saml20.sign.response', NULL);
if ($signResponse === NULL) {
$signResponse = $srcMetadata->getBoolean('saml20.sign.response', TRUE);
}
$r = new SAML2_Response();
$r->setIssuer($srcMetadata->getString('entityid'));
$r->setDestination($dstMetadata->getString('AssertionConsumerService'));
self::addSign($srcMetadata, $dstMetadata, $r);
if ($signResponse) {
self::addSign($srcMetadata, $dstMetadata, $r);
}
return $r;
}
......
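Review bot: Neither buildAssertion nor buildResponse rejects the combination where `saml20.sign.assertion` and `saml20.sign.response` both resolve to FALSE, so a misconfigured IdP-hosted entry, or an SP-remote entry that overrides both, now issues a response in which no element carries a signature and the SP has nothing to verify; the removed code signed unconditionally, so this is a new failure mode introduced here. buildResponse is the natural place to fail closed, since it builds the outer element: resolve the assertion flag there with the same two-step lookup and throw when both are FALSE, as sketched below (substitute the project's own exception class if one is in use). The two-step lookup (SP-remote first, then IdP-hosted with default TRUE) is now duplicated verbatim in both methods and would read better as one private static helper taking the option name. Both methods extend beyond their hunks: buildAssertion continues past the last context line, and buildResponse's docblock opens before the hunk.
```php
public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
    // … unchanged: resolve $signResponse from SP-remote, then IdP-hosted metadata …
    $signAssertion = $dstMetadata->getBoolean('saml20.sign.assertion', NULL);
    if ($signAssertion === NULL) {
        $signAssertion = $srcMetadata->getBoolean('saml20.sign.assertion', TRUE);
    }
    /* With neither element signed the SP has nothing to verify; refuse to issue the response. */
    if (!$signResponse && !$signAssertion) {
        throw new Exception('saml20.sign.response and saml20.sign.assertion are both FALSE; at least one must be TRUE.');
    }
    // … unchanged: build, conditionally sign and return $r …
```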
......@@ -54,7 +54,7 @@ try {
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc')
array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
);
}
$et->data['metadata.saml20-idp-hosted'] = $results;
......@@ -64,7 +64,7 @@ try {
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'AssertionConsumerService'),
array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'signresponse', 'AttributeNameFormat', 'authproc')
array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'AttributeNameFormat', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
);
}
$et->data['metadata.saml20-sp-remote'] = $results;
......
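Review bot: The SP-remote allowed-key list drops `signresponse` while adding `saml20.sign.assertion` and `saml20.sign.response`, so existing saml20-sp-remote entries that still carry the old key will now be reported as unknown by this checker, and as far as the Message.php hunks in this commit show, the runtime reads only the new keys, so the old per-SP override silently stops affecting what gets signed. If that is intended, the checker output or the metadata documentation should state that `signresponse` has been replaced by the two `saml20.sign.*` options; otherwise keep `signresponse` in the allowed list with a deprecation note until the runtime maps it onto the new options. The enclosing `try` block starts before the hunk.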