From b828582868fb8d7d470cca51df5a317a334a74e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no>
Date: Tue, 29 Jan 2008 18:58:50 +0000
Subject: [PATCH] Removed references to SPNameIdentifier, and added support for
at SP to define ForceAuthn = true in metadata.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@216 44740490-163a-0410-bde0-09ae8108e29a
---
lib/SimpleSAML/XML/SAML20/AuthnRequest.php | 6 +++---
lib/SimpleSAML/XML/SAML20/AuthnResponse.php | 13 +++++--------
lib/SimpleSAML/XML/Shib13/AuthnResponse.php | 7 ++-----
metadata-templates/saml20-sp-remote.php | 2 --
metadata-templates/shib13-sp-remote.php | 4 ----
www/admin/metadata.php | 4 ++--
6 files changed, 12 insertions(+), 24 deletions(-)
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index c0624b302..2799840c5 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -115,10 +115,10 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
//$assertionConsumerServiceURL = $md['AssertionConsumerService'];
$assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
-
- $spNameQualifier = $md['spNameQualifier'];
$nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+ $forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+
// TODO: Make an option in the metadata to allow adding a RequestedAuthnContext
$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
@@ -127,7 +127,7 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
$authnRequest = '<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="' . $id . '" Version="2.0"
- IssueInstant="' . $issueInstant . '"
+ IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
Destination="' . htmlspecialchars($destination) . '"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index 4827da4a3..8f0866566 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -308,8 +308,8 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
if ($node = $nodelist->item(0)) {
$nameID["NameID"] = $node->nodeValue;
- $nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
- $nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
+ //$nameID["NameQualifier"] = $node->getAttribute('NameQualifier');
+ //$nameID["SPNameQualifier"] = $node->getAttribute('SPNameQualifier');
$nameID["Format"] = $node->getAttribute('Format');
}
}
@@ -367,7 +367,6 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
$issuer = $idpentityid;
$assertionConsumerServiceURL = $spmd['AssertionConsumerService'];
- $spNameQualifier = $spmd['spNameQualifier'];
$destination = $spmd['AssertionConsumerService'];
@@ -386,7 +385,7 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
if ($spmd['NameIDFormat'] == self::EMAIL) {
$nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
} else {
- $nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID(), $issuer, $spNameQualifier);
+ $nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
}
$authnResponse = '<samlp:Response
@@ -438,15 +437,13 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
private function generateNameID($type = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
- $value = 'anonymous', $namequalifier = null, $spnamequalifier = null) {
+ $value = 'anonymous') {
if ($type == self::EMAIL) {
return '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">' . htmlspecialchars($value) . '</saml:NameID>';
} else {
- return '<saml:NameID NameQualifier="' . htmlspecialchars($namequalifier) . '" SPNameQualifier="'. htmlspecialchars($spnamequalifier). '"
- Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
- >' . htmlspecialchars($value). '</saml:NameID>';
+ return '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">' . htmlspecialchars($value). '</saml:NameID>';
}
}
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index d928030fb..3be04c8ee 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -299,7 +299,6 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
$shire = $spmd['shire'];
$audience = $spmd['audience'];
- $spnamequalifier = $spmd['spnamequalifier'];
$base64 = $idpmd['base64'];
$encodedattributes = '';
@@ -308,8 +307,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
$encodedattributes .= '<AttributeStatement>
<Subject>
- <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
- >' . htmlspecialchars($nameid) . '</NameIdentifier>
+ <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
</Subject>';
foreach ($attributes AS $name => $value) {
@@ -348,8 +346,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
<AuthenticationStatement AuthenticationInstant="' . $issueInstant. '"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject>
- <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="' . htmlspecialchars($spnamequalifier) . '"
- >' . htmlspecialchars($nameid) . '</NameIdentifier>
+ <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">' . htmlspecialchars($nameid) . '</NameIdentifier>
<SubjectConfirmation>
<ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
</SubjectConfirmation>
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index 026e6e8af..d1b759362 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
@@ -25,7 +25,6 @@ $metadata = array(
'saml2sp.example.org' => array(
'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
- 'spNameQualifier' => 'dev.andreas.feide.no',
'ForceAuthn' => 'false',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
@@ -52,7 +51,6 @@ $metadata = array(
'google.com' => array(
'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
'SingleLogoutService' => '',
- 'spNameQualifier' => 'google.com',
'ForceAuthn' => 'false',
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
diff --git a/metadata-templates/shib13-sp-remote.php b/metadata-templates/shib13-sp-remote.php
index e998cfa1d..62f4e2bc8 100644
--- a/metadata-templates/shib13-sp-remote.php
+++ b/metadata-templates/shib13-sp-remote.php
@@ -12,22 +12,18 @@ $metadata = array(
'https://sp.shiblab.feide.no' => array(
'AssertionConsumerService' => 'http://sp.shiblab.feide.no/Shibboleth.sso/SAML/POST',
- 'spnamequalifier' => 'urn:feide.no',
'audience' => 'urn:mace:feide:shiblab'
),
'urn:geant:edugain:component:be:switchaai-test:central' => array(
'AssertionConsumerService' => 'https://edugain-login.switch.ch/ShiBE-R/WebSSOResponseListener',
- 'spnamequalifier' => 'urn:geant:edugain:component:be:rediris:rediris.es',
'audience' => 'urn:geant:edugain:component:be:switchaai-test:central'
),
'urn:geant:edugain:component:be:rediris:rediris.es' => array(
'AssertionConsumerService' => 'http://serrano.rediris.es:8080/PAPIWebSSOResponseListener/request',
- 'spnamequalifier' => 'urn:geant:edugain:component:be:rediris:rediris.es',
'audience' => 'urn:geant:edugain:component:be:rediris:rediris.es'
),
'https://skjak.uninett.no/shibboleth/target' => array(
'AssertionConsumerService' => 'https://skjak.uninett.no/Shibboleth.shire',
- 'spnamequalifier' => 'https://skjak.uninett.no/shibboleth/target',
'audience' => 'https://skjak.uninett.no/shibboleth/target'
)
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index 4f02d559c..2580ac876 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -66,7 +66,7 @@ try {
$metalist = $metadata->getList('saml20-sp-remote');
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
+ array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
);
}
@@ -116,7 +116,7 @@ try {
$metalist = $metadata->getList('shib13-sp-remote');
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
- array('entityid', 'spNameQualifier', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
+ array('entityid', 'AssertionConsumerService', 'audience', 'NameIDFormat'),
array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description')
);
}
--
GitLab