Commit 7c4723b4 authored by Olav Morken's avatar Olav Morken

saml2: Add options to control signing of assertion/response.

Also update the documentation to reflect these changes.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1653 44740490-163a-0410-bde0-09ae8108e29a
...@@ -214,14 +214,13 @@ $config = array ( ...@@ -214,14 +214,13 @@ $config = array (
'idpdisco.layout' => 'links', 'idpdisco.layout' => 'links',
/* /*
* Whether simpleSAMLphp should sign the response or the assertion in SAML 2.0 authentication * Whether simpleSAMLphp should sign the response or the assertion in SAML 1.1 authentication
* responses. * responses.
* *
* The default is to sign the assertion element, but that can be overridden by setting this * The default is to sign the assertion element, but that can be overridden by setting this
* option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the * option to TRUE. It can also be overridden on a pr. SP basis by adding an option with the
* same name to the metadata of the SP. * same name to the metadata of the SP.
*/ */
'saml20.signresponse' => FALSE,
'shib13.signresponse' => TRUE, 'shib13.signresponse' => TRUE,
......
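Review bot: Dropping `'saml20.signresponse' => FALSE` from the template leaves no trace that the option was replaced, so a deployment that still sets it in config.php (or `signresponse` in an SP-remote entry) has it silently ignored: the Message.php hunks read only the new `saml20.sign.response` / `saml20.sign.assertion` keys from metadata, and their documented default of TRUE for both differs from the old default of signing only the assertion. A one-line comment in the template would spare operators the surprise: `/* NOTE: 'saml20.signresponse' has been replaced by 'saml20.sign.response' and 'saml20.sign.assertion' in the saml20-idp-hosted / saml20-sp-remote metadata. */`. The www/admin/metadata.php hunks remove the legacy `signresponse` key from the SP-remote allowed list, so the admin checker will at least flag it, but nothing visible in the Message.php hunks does. The remaining comment now says SAML 1.1, which matches the only key it still describes (`shib13.signresponse`).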
...@@ -140,6 +140,22 @@ The following SAML 2.0 options are available: ...@@ -140,6 +140,22 @@ The following SAML 2.0 options are available:
configure your webserver to deliver this URL to the correct PHP configure your webserver to deliver this URL to the correct PHP
page. page.
`saml20.sign.response`
: Whether `<samlp:Response> messages should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
`saml20.sign.assertion`
: Whether `<saml:Assertion> elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the SP-remote metadata, and
any value in the SP-remote metadata overrides the one configured
in the IdP metadata.
### Fields for signing and validating messages ### Fields for signing and validating messages
......
...@@ -161,14 +161,19 @@ The following SAML 2.0 options are available: ...@@ -161,14 +161,19 @@ The following SAML 2.0 options are available:
(if `assertion.encryption` is set to TRUE and `sharedkey` is (if `assertion.encryption` is set to TRUE and `sharedkey` is
unset.) unset.)
`signresponse` `saml20.sign.response`
: The default behaviour of simpleSAMLphp is to sign the Assertion : Whether `<samlp:Response> messages should be signed.
element in the SAML 2.0 response sent to SPs. This option allows Defaults to `TRUE`.
you to override this behaviour on a per SP basis. Set this to
`TRUE` to sign the Response element. `FALSE` will make the SP sign : Note that this option also exists in the IdP-hosted metadata.
the Assertion. If this option is unset, the value from The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`saml2.signresponse` in `config.php` will be used. That value is
`FALSE` by default. `saml20.sign.assertion`
: Whether `<saml:Assertion> elements should be signed.
Defaults to `TRUE`.
: Note that this option also exists in the IdP-hosted metadata.
The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
`simplesaml.nameidattribute` `simplesaml.nameidattribute`
: When the value of the `NameIDFormat`-option is set to either : When the value of the `NameIDFormat`-option is set to either
......
...@@ -502,10 +502,18 @@ class sspmod_saml2_Message { ...@@ -502,10 +502,18 @@ class sspmod_saml2_Message {
public static function buildAssertion(SimpleSAML_Configuration $srcMetadata, public static function buildAssertion(SimpleSAML_Configuration $srcMetadata,
SimpleSAML_Configuration $dstMetadata, array $attributes) { SimpleSAML_Configuration $dstMetadata, array $attributes) {
$signAssertion = $dstMetadata->getBoolean('saml20.sign.assertion', NULL);
if ($signAssertion === NULL) {
$signAssertion = $srcMetadata->getBoolean('saml20.sign.assertion', TRUE);
}
$config = SimpleSAML_Configuration::getInstance(); $config = SimpleSAML_Configuration::getInstance();
$a = new SAML2_Assertion(); $a = new SAML2_Assertion();
if ($signAssertion) {
self::addSign($srcMetadata, $dstMetadata, $a); self::addSign($srcMetadata, $dstMetadata, $a);
}
$a->setIssuer($srcMetadata->getString('entityid')); $a->setIssuer($srcMetadata->getString('entityid'));
$a->setDestination($dstMetadata->getString('AssertionConsumerService')); $a->setDestination($dstMetadata->getString('AssertionConsumerService'));
$a->setValidAudiences(array($dstMetadata->getString('entityid'))); $a->setValidAudiences(array($dstMetadata->getString('entityid')));
...@@ -574,12 +582,19 @@ class sspmod_saml2_Message { ...@@ -574,12 +582,19 @@ class sspmod_saml2_Message {
*/ */
public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) { public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
$signResponse = $dstMetadata->getBoolean('saml20.sign.response', NULL);
if ($signResponse === NULL) {
$signResponse = $srcMetadata->getBoolean('saml20.sign.response', TRUE);
}
$r = new SAML2_Response(); $r = new SAML2_Response();
$r->setIssuer($srcMetadata->getString('entityid')); $r->setIssuer($srcMetadata->getString('entityid'));
$r->setDestination($dstMetadata->getString('AssertionConsumerService')); $r->setDestination($dstMetadata->getString('AssertionConsumerService'));
if ($signResponse) {
self::addSign($srcMetadata, $dstMetadata, $r); self::addSign($srcMetadata, $dstMetadata, $r);
}
return $r; return $r;
} }
......
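Review bot: Nothing prevents both `saml20.sign.response` and `saml20.sign.assertion` from resolving to FALSE, in which case `buildResponse` and `buildAssertion` both skip `addSign` and the IdP issues a completely unsigned response; because the SP-remote value overrides the IdP-hosted one, a single mis-edited SP entry is enough to turn signing off for that SP. The same four-line SP-then-IdP lookup is duplicated in both hunks, so I would move it into a private helper and have `buildResponse` log a warning when neither option is enabled, as sketched below. `buildAssertion`'s body continues past the end of the first hunk, and `buildResponse`'s docblock begins before the second.
```php
	/* Resolve a boolean signing option: SP-remote entry wins, then IdP-hosted, then TRUE. */
	private static function getSignOption(SimpleSAML_Configuration $srcMetadata,
		SimpleSAML_Configuration $dstMetadata, $option) {
		$value = $dstMetadata->getBoolean($option, NULL);
		if ($value === NULL) {
			$value = $srcMetadata->getBoolean($option, TRUE);
		}
		return $value;
	}

	public static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
		$signResponse = self::getSignOption($srcMetadata, $dstMetadata, 'saml20.sign.response');
		if (!$signResponse && !self::getSignOption($srcMetadata, $dstMetadata, 'saml20.sign.assertion')) {
			SimpleSAML_Logger::warning('Neither saml20.sign.response nor saml20.sign.assertion is enabled for ' .
				$dstMetadata->getString('entityid') . '; the response will be sent unsigned.');
		}
		// … unchanged: create $r, set issuer/destination, conditional addSign, return $r …
	}
```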
...@@ -54,7 +54,7 @@ try { ...@@ -54,7 +54,7 @@ try {
foreach ($metalist AS $entityid => $mentry) { foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry, $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'host', 'privatekey', 'certificate', 'auth'), array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc') array('redirect.sign', 'redirect.validate', 'privatekey_pass', 'authority', 'userid.attribute', 'metadata.sign.enable', 'metadata.sign.privatekey', 'metadata.sign.privatekey_pass', 'metadata.sign.certificate', 'AttributeNameFormat', 'name', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
); );
} }
$et->data['metadata.saml20-idp-hosted'] = $results; $et->data['metadata.saml20-idp-hosted'] = $results;
...@@ -64,7 +64,7 @@ try { ...@@ -64,7 +64,7 @@ try {
foreach ($metalist AS $entityid => $mentry) { foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry, $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'AssertionConsumerService'), array('entityid', 'AssertionConsumerService'),
array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'signresponse', 'AttributeNameFormat', 'authproc') array('SingleLogoutService', 'NameIDFormat', 'SPNameQualifier', 'base64attributes', 'simplesaml.nameidattribute', 'simplesaml.attributes', 'attributes', 'name', 'description', 'redirect.sign', 'redirect.validate', 'certificate', 'ForceAuthn', 'sharedkey', 'assertion.encryption', 'userid.attribute', 'AttributeNameFormat', 'authproc', 'saml20.sign.assertion', 'saml20.sign.response')
); );
} }
$et->data['metadata.saml20-sp-remote'] = $results; $et->data['metadata.saml20-sp-remote'] = $results;
......