Unverified Commit ba351d40 authored by Jaime Perez Crespo

Support for WantAssertionsSigned and AuthnRequestsSigned in SAML 2.0 SP metadata. New hosted SP configuration option WantAssertionsSigned to control this attribute in exported metadata.
parent e24c2fa1
......@@ -441,6 +441,15 @@ class SimpleSAML_Metadata_SAMLBuilder {
$e = new SAML2_XML_md_SPSSODescriptor();
$e->protocolSupportEnumeration = $protocols;
if ($metadata->hasValue('saml20.sign.assertion')) {
$e->WantAssertionsSigned = $metadata->getBoolean('saml20.sign.assertion');
}
if ($metadata->hasValue('redirect.validate')) {
$e->AuthnRequestsSigned = $metadata->getBoolean('redirect.validate');
} elseif ($metadata->hasValue('validate.authnrequest')) {
$e->AuthnRequestsSigned = $metadata->getBoolean('validate.authnrequest');
}
$this->addExtensions($metadata, $e);
......
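Review bot: the remote-SP keys consumed in this hunk (`saml20.sign.assertion` for `WantAssertionsSigned`, and `redirect.validate` / `validate.authnrequest` for `AuthnRequestsSigned`) get no documentation anywhere in the visible hunks, which only update the hosted-SP options (`redirect.sign`, `sign.authnrequest`, `WantAssertionsSigned`); an operator who writes `saml20-sp-remote` entries by hand will not learn that these three keys now drive the exported `SPSSODescriptor` attributes. Please add them to the `saml20-sp-remote` reference, including the precedence of `redirect.validate` over `validate.authnrequest` that the `elseif` encodes. Note also that each branch is guarded by `hasValue`, so an unset key leaves the attribute out of the descriptor rather than writing `false`; that is fine for SAML consumers (absent means false) but deserves a short comment, since the hosted-SP docs in this commit talk about a default of `FALSE`.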
......@@ -270,11 +270,13 @@ Options
`redirect.sign`
: Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
If set, the `AuthnRequestsSigned` attribute of the `SPSSODescriptor` element in SAML 2.0 metadata will contain its value. This
option takes precedence over the `sign.authnrequest` option in any metadata generated for this SP.
: *Note*: SAML 2 specific.
`redirect.validate`
: Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
: Whether logout requests and logout responses received by this SP should be validated. The default is `FALSE`.
: *Note*: SAML 2 specific.
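Review bot: the new sentence for `redirect.sign` says the `AuthnRequestsSigned` attribute "will contain its value", but the export code in this commit only emits the attribute when the option is actually set (`hasValue`), so with the documented default of `FALSE` and the option left unset the attribute is simply absent from the metadata. Say that explicitly, e.g. "If this option is set, the `AuthnRequestsSigned` attribute ... contains its value; if it is not set, the attribute is omitted." The precedence sentence would also be clearer if it spelled out the consequence: once `redirect.sign` is set, even to `FALSE`, the value of `sign.authnrequest` is not reflected in the exported metadata at all.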
......@@ -312,7 +314,8 @@ Options
See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
`sign.authnrequest`
: Whether to sign authentication requests sent from this SP.
: Whether to sign authentication requests sent from this SP. If set, the `AuthnRequestsSigned` attribute of the
`SPSSODescriptor` element in SAML 2.0 metadata will contain its value.
: Note that this option also exists in the IdP-remote metadata, and
any value in the IdP-remote metadata overrides the one configured
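Review bot: "If set, the `AuthnRequestsSigned` attribute ... will contain its value" contradicts the `redirect.sign` entry earlier in the same file, which says `redirect.sign` takes precedence in generated metadata; when both options are set, `sign.authnrequest` is ignored for the export. Qualify this sentence ("unless `redirect.sign` is also set, in which case that value is used"). The following paragraph also says an IdP-remote `sign.authnrequest` value overrides the hosted one, but a single exported `SPSSODescriptor` cannot express a per-IdP override, so it is worth stating that the metadata reflects only the hosted-SP setting and that an IdP-specific override does not change what is exported.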
......@@ -366,6 +369,11 @@ Options
: *Note*: SAML 2 specific.
`WantAssertionsSigned`
: Whether assertions received by this SP must be signed. The default value is `FALSE`.
The value set for this option will be used to set the `WantAssertionsSigned` attribute of the `SPSSODescriptor` element in
the exported SAML 2.0 metadata.
Examples
--------
......
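Review bot: "Whether assertions received by this SP must be signed" reads as if setting this option to `TRUE` made the SP enforce signature validation, but in the visible hunks the option is only copied into the exported metadata (`saml20.sign.assertion`, then the `WantAssertionsSigned` attribute); nothing here causes an unsigned assertion to be rejected. Reword to make the scope explicit, e.g. "Whether this SP declares in its exported SAML 2.0 metadata that it wants assertions to be signed. This option only affects the metadata; it does not by itself change how received assertions are validated." and state which configuration, if any, controls that validation, so an operator does not set this and assume unsigned assertions will be refused.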
......@@ -194,6 +194,16 @@ if ($spconfig->hasValue('RegistrationInfo')) {
$metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
}
// add signature options
if ($spconfig->hasValue('WantAssertionsSigned')) {
$metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
}
if ($spconfig->hasValue('redirect.sign')) {
$metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
} elseif ($spconfig->hasValue('sign.authnrequest')) {
$metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
}
$supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP);
$metaArray20['metadata-set'] = 'saml20-sp-remote';
......
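Review bot: the `elseif` on `redirect.sign` / `sign.authnrequest` means an explicit `'redirect.sign' => FALSE` combined with `'sign.authnrequest' => TRUE` exports `redirect.validate = false` (hence `AuthnRequestsSigned="false"`) and never consults `sign.authnrequest`, even though the docs in this commit say `sign.authnrequest` makes the SP sign its authentication requests. Because `redirect.sign` also governs logout requests and responses, an operator may deliberately set it to `FALSE` while enabling `sign.authnrequest`, and the exported metadata would then misstate what the SP does. Consider letting `redirect.sign` win only when it is `TRUE`, or exporting the logical OR of the two values, and mirror whichever you choose in `SimpleSAML_Metadata_SAMLBuilder`, which applies the identical `elseif`. A one-line comment that hosted `redirect.sign` becomes remote `redirect.validate` because the exported document describes this SP from the IdP's point of view would also save the next reader a trip through both files.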