From ba351d40987e84cf3d2c7e646b9144fc8b84e5e5 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Tue, 31 Mar 2015 17:00:15 +0200
Subject: [PATCH] Support for WantAssertionsSigned and AuthnRequestsSigned in
 SAML 2.0 SP metadata. New hosted SP configuration option WantAssertionsSigned
 to control this attribute in exported metadata.

---
 lib/SimpleSAML/Metadata/SAMLBuilder.php |  9 +++++++++
 modules/saml/docs/sp.txt                | 12 ++++++++++--
 modules/saml/www/sp/metadata.php        | 10 ++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php
index f684d82bd..70f92f565 100644
--- a/lib/SimpleSAML/Metadata/SAMLBuilder.php
+++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php
@@ -441,6 +441,15 @@ class SimpleSAML_Metadata_SAMLBuilder {
 		$e = new SAML2_XML_md_SPSSODescriptor();
 		$e->protocolSupportEnumeration = $protocols;
 
+		if ($metadata->hasValue('saml20.sign.assertion')) {
+			$e->WantAssertionsSigned = $metadata->getBoolean('saml20.sign.assertion');
+		}
+
+		if ($metadata->hasValue('redirect.validate')) {
+			$e->AuthnRequestsSigned = $metadata->getBoolean('redirect.validate');
+		} elseif ($metadata->hasValue('validate.authnrequest')) {
+			$e->AuthnRequestsSigned = $metadata->getBoolean('validate.authnrequest');
+		}
 
 		$this->addExtensions($metadata, $e);
 
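Review bot: The two new blocks translate configuration keys into SPSSODescriptor attributes without saying which side of the exchange the keys describe, and the enclosing method (its signature and remainder lie outside the hunk) gives no hint; a short comment above the first `if` would help: `// Advertise the SP's signing expectations to IdPs: saml20.sign.assertion -> WantAssertionsSigned; redirect.validate (or, failing that, validate.authnrequest) -> AuthnRequestsSigned`. The `elseif` also means `redirect.validate` silently wins when both keys are present with conflicting values, which matches the precedence the sp.txt change in this commit documents but is worth stating next to the code. Nothing in this hunk changes how signatures are required or verified when messages are actually processed; the attributes only announce expectations in the emitted metadata, so readers should not infer enforcement from their presence.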
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 45c1e60ff..063be47c1 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -270,11 +270,13 @@ Options
 
 `redirect.sign`
 :   Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`.
+    If set, the `AuthnRequestsSigned` attribute of the `SPSSODescriptor` element in SAML 2.0 metadata will contain its value. This
+    option takes precedence over the `sign.authnrequest` option in any metadata generated for this SP.
 
 :   *Note*: SAML 2 specific.
 
 `redirect.validate`
-:   Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`.
+:   Whether logout requests and logout responses received by this SP should be validated. The default is `FALSE`.
 
 :   *Note*: SAML 2 specific.
 
@@ -312,7 +314,8 @@ Options
     See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
 
 `sign.authnrequest`
-:   Whether to sign authentication requests sent from this SP.
+:   Whether to sign authentication requests sent from this SP. If set, the `AuthnRequestsSigned` attribute of the
+    `SPSSODescriptor` element in SAML 2.0 metadata will contain its value.
 
 :   Note that this option also exists in the IdP-remote metadata, and
     any value in the IdP-remote metadata overrides the one configured
@@ -366,6 +369,11 @@ Options
 
 :   *Note*: SAML 2 specific.
 
+`WantAssertionsSigned`
+:   Whether assertions received by this SP must be signed. The default value is `FALSE`.
+    The value set for this option will be used to set the `WantAssertionsSigned` attribute of the `SPSSODescriptor` element in
+    the exported SAML 2.0 metadata.
+
 
 Examples
 --------
diff --git a/modules/saml/www/sp/metadata.php b/modules/saml/www/sp/metadata.php
index 5a747095a..6547db14c 100644
--- a/modules/saml/www/sp/metadata.php
+++ b/modules/saml/www/sp/metadata.php
@@ -194,6 +194,16 @@ if ($spconfig->hasValue('RegistrationInfo')) {
 	$metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
 }
 
+// add signature options
+if ($spconfig->hasValue('WantAssertionsSigned')) {
+	$metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
+}
+if ($spconfig->hasValue('redirect.sign')) {
+	$metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
+} elseif ($spconfig->hasValue('sign.authnrequest')) {
+	$metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
+}
+
 $supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP);
 
 $metaArray20['metadata-set'] = 'saml20-sp-remote';
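Review bot: The comment `// add signature options` understates what the new block does: hosted-SP options are written under the remote-side key names (`redirect.sign` becomes `redirect.validate`, `sign.authnrequest` becomes `validate.authnrequest`), so the array describes what an IdP consuming this metadata is expected to verify rather than what this SP itself does. Suggest replacing it with `// Map hosted-SP signing options onto the sp-remote keys SAMLBuilder reads, so the generated SPSSODescriptor advertises AuthnRequestsSigned/WantAssertionsSigned to IdPs.` The sp.txt text added in this commit describes `WantAssertionsSigned` as whether assertions received by this SP "must be signed", but as far as this diff shows the option only sets an attribute in the exported metadata; whether the SP rejects unsigned assertions is governed elsewhere and is unchanged here, which the documentation should say so operators do not treat the flag as enforcement. When the option is unset the attribute is simply omitted, which SAML metadata treats as false, so that part is consistent with the documented default.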
-- 
GitLab