From b828582868fb8d7d470cca51df5a317a334a74e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Tue, 29 Jan 2008 18:58:50 +0000
Subject: [PATCH] Removed references to SPNameIdentifier, and added support for at SP to define ForceAuthn = true in metadata.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@216 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SimpleSAML/XML/SAML20/AuthnRequest.php | 6 +++---
 lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 13 +++++--------
 lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 7 ++-----
 metadata-templates/saml20-sp-remote.php | 2 --
 metadata-templates/shib13-sp-remote.php | 4 ----
 www/admin/metadata.php | 4 ++--
 6 files changed, 12 insertions(+), 24 deletions(-)
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index c0624b302..2799840c5 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -115,10 +115,10 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 //$assertionConsumerServiceURL = $md['AssertionConsumerService'];
 $assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
-
- $spNameQualifier = $md['spNameQualifier'];
 $nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+ $forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+ // TODO: Make an option in the metadata to allow adding a RequestedAuthnContext
 $requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> 
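Review bot: The fallback in the added `$forceauthn` line is a copy-paste of the NameIDFormat default, so an SP whose metadata omits ForceAuthn gets `ForceAuthn="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"` in the AuthnRequest assembled in the next hunk (@@ -127), which is not a valid xs:boolean; an IdP that ignores the malformed attribute will treat the request as not forcing re-authentication, which is the opposite of what the option exists for. The saml20-sp-remote template stores the key as the string 'false' and the value is emitted verbatim, so a boolean `false` in metadata would stringify to an empty attribute. Normalise to the two legal lexical values instead: `$forceauthn = (isset($md['ForceAuthn']) && ($md['ForceAuthn'] === true || $md['ForceAuthn'] === 'true')) ? 'true' : 'false';`. With that, the interpolation at @@ -127 needs no htmlspecialchars(), unlike the other attributes on that element; the enclosing method starts and ends outside the hunk.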
@@ -127,7 +127,7 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 $authnRequest = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="' . $id . '" Version="2.0"
- IssueInstant="' . $issueInstant . '"
+ IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
 Destination="' . htmlspecialchars($destination) . '"
 ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
 AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 4827da4a3..8f0866566 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -308,8 +308,8 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 if ($node = $nodelist->item(0)) {
 $nameID["NameID"] = $node->nodeValue;
- $nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
- $nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
+ //$nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
+ //$nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
 $nameID["Format"] = $node->getAttribute('Format');
 }
 }
@@ -367,7 +367,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $issuer = $idpentityid;
 $assertionConsumerServiceURL = $spmd['AssertionConsumerService'];
- $spNameQualifier = $spmd['spNameQualifier'];
 $destination = $spmd['AssertionConsumerService'];
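Review bot: The two lines at @@ -308 in AuthnResponse.php are commented out rather than deleted; version control already keeps the old code, so a one-line comment saying why `NameQualifier` and `SPNameQualifier` are no longer read would serve better than dead code, e.g. `// NameQualifier/SPNameQualifier are not used by this implementation; only the value and Format are kept`. Note that the parsed `$nameID` array now lacks those two keys entirely, so any caller that still indexes them (callers are outside this hunk) will hit an undefined index; presumably none remain after this commit, but that is worth confirming. The enclosing method starts and ends outside the hunk.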
@@ -386,7 +385,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 if ($spmd['NameIDFormat'] == self::EMAIL) {
 $nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
 } else {
- $nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID(), $issuer, $spNameQualifier);
+ $nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
 }
 $authnResponse = '<samlp:Response
@@ -438,15 +437,13 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 private function generateNameID($type = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
- $value = 'anonymous', $namequalifier = null, $spnamequalifier = null) {
+ $value = 'anonymous') {
 if ($type == self::EMAIL) {
 return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">' . htmlspecialchars($value) . '</saml:NameID>';
 } else {
- return '<saml:NameID NameQualifier="' . htmlspecialchars($namequalifier) . '" SPNameQualifier="'. htmlspecialchars($spnamequalifier). '"
- Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
- >' . htmlspecialchars($value). '</saml:NameID>';
+ return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">' . htmlspecialchars($value). '</saml:NameID>';
 }
 }
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index d928030fb..3be04c8ee 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -299,7 +299,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $shire = $spmd['shire'];
 $audience = $spmd['audience'];
- $spnamequalifier = $spmd['spnamequalifier'];
 $base64 = $idpmd['base64'];
 $encodedattributes = '';
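Review bot: The rewritten return in the else branch of `generateNameID` (@@ -438) hard-codes the transient Format for every `$type` other than `self::EMAIL`, so an SP whose metadata asks for another NameIDFormat (persistent, say) silently receives a random value labelled transient. Because the value comes from `self::generateID()` and is not stored anywhere, stamping it with the requested format would be wrong as well; the honest fix is to refuse formats the method cannot honour, e.g. `if ($type != 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient') { throw new Exception('Unsupported NameIDFormat: ' . $type); }` ahead of the return. The `==` against `self::EMAIL` could become `===` while the line is being touched. A short docblock naming the two supported formats would also help now that the signature has lost two parameters; the caller at @@ -386 needs no change beyond that.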
@@ -308,8 +307,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 $encodedattributes .= '<AttributeStatement>
 <Subject>
- <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
- >' . htmlspecialchars($nameid) . '</NameIdentifier>
+ <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
 </Subject>';
 foreach ($attributes AS $name => $value) {
@@ -348,8 +346,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 <AuthenticationStatement AuthenticationInstant="' . $issueInstant. '" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
 <Subject>
- <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
- >' . htmlspecialchars($nameid) . '</NameIdentifier>
+ <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
 <SubjectConfirmation>
 <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
 </SubjectConfirmation>
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 026e6e8af..d1b759362 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -25,7 +25,6 @@ $metadata = array(
 'saml2sp.example.org' => array(
 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
 'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
- 'spNameQualifier' => 'dev.andreas.feide.no',
 'ForceAuthn' => 'false',
 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
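Review bot: Dropping `NameQualifier` from the Shibboleth 1.3 `<NameIdentifier>` (@@ -308, and again at @@ -348) removes the attribute altogether, whereas the Shibboleth 1.x profile, as far as I recall, expects NameQualifier to carry the IdP's providerId, which the SP uses to find the origin's metadata for the attribute query. The old code was wrong in putting the SP's qualifier there, but the fix would be to emit the IdP's own entity id rather than nothing, e.g. `NameQualifier="' . htmlspecialchars(<idp entity id variable>) . '"` on each new `<NameIdentifier>` line; `$idpmd` is in scope at @@ -299, so the value should be reachable. This is an interop claim I cannot verify from the diff, so please test against a Shibboleth 1.3 SP before merging. The enclosing method starts and ends outside the hunk.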
@@ -52,7 +51,6 @@ $metadata = array(
 'google.com' => array(
 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
 'SingleLogoutService' => '',
- 'spNameQualifier' => 'google.com',
 'ForceAuthn' => 'false',
 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
diff --git a/metadata-templates/shib13-sp-remote.php b/metadata-templates/shib13-sp-remote.php
index e998cfa1d..62f4e2bc8 100644
--- a/metadata-templates/shib13-sp-remote.php
+++ b/metadata-templates/shib13-sp-remote.php
@@ -12,22 +12,18 @@ $metadata = array(
 'https://sp.shiblab.feide.no' => array(
 'AssertionConsumerService' => 'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
- 'spnamequalifier' => 'urn:feide.no',
 'audience' => 'urn:mace:feide:shiblab'
 ),
 'urn:geant:edugain:component:be:switchaai-test:central' => array(
 'AssertionConsumerService' => 'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
- 'spnamequalifier' => 'urn:geant:edugain:component:be:rediris:rediris.es',
 'audience' => 'urn:geant:edugain:component:be:switchaai-test:central'
 ),
 'urn:geant:edugain:component:be:rediris:rediris.es' => array(
 'AssertionConsumerService' => 'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
- 'spnamequalifier' => 'urn:geant:edugain:component:be:rediris:rediris.es',
 'audience' => 'urn:geant:edugain:component:be:rediris:rediris.es'
 ),
 'https://skjak.uninett.no/shibboleth/target' => array(
 'AssertionConsumerService' => 'https://skjak.uninett.no/Shibboleth.shire',
- 'spnamequalifier' => 'https://skjak.uninett.no/shibboleth/target',
 'audience' => 'https://skjak.uninett.no/shibboleth/target'
 )
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index 4f02d559c..2580ac876 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -66,7 +66,7 @@ try {
 $metalist = $metadata->getList('saml20-sp-remote');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
+ array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
 array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
 );
 }
@@ -116,7 +116,7 @@ try {
 $metalist = $metadata->getList('shib13-sp-remote');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
+ array('entityid', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
 array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description')
 );
 }
-- 
GitLab
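Review bot: The required-key list at @@ -66 drops `spNameQualifier`, but `ForceAuthn`, which AuthnRequest.php now reads and the saml20-sp-remote template sets, appears in neither the required nor the optional array handed to `checkAssocArrayRules`. If that helper reports keys outside both lists (its implementation is not in the diff), every SP entry using the new option will be flagged by the metadata checker; adding it to the optional list, `'description','request.signing','certificate', 'ForceAuthn')`, keeps the checker in step with the code. The shib13 list at @@ -116 still requires `NameIDFormat`, which none of the shib13-sp-remote template entries in this patch set, so the check presumably fails on the shipped examples; that is pre-existing but worth a look while these lists are being edited.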