From c5c34576821e0a2bc83f6e87d84ea7f88a594d8e Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Thu, 18 Oct 2012 10:31:00 +0000
Subject: [PATCH] saml: Add separate option to enable HoK support on SP.

Instead of always adding the endpoint to the metadata, require
setting a separate option to enable it.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3194 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-hok-sp.txt             |  8 +++++---
 docs/simplesamlphp-upgrade-notes-1.11.txt |  6 ++++++
 modules/saml/docs/sp.txt                  |  4 ++++
 modules/saml/lib/Message.php              | 11 +++++------
 modules/saml/www/sp/metadata.php          |  5 ++++-
 5 files changed, 24 insertions(+), 10 deletions(-)
 create mode 100644 docs/simplesamlphp-upgrade-notes-1.11.txt

diff --git a/docs/simplesamlphp-hok-sp.txt b/docs/simplesamlphp-hok-sp.txt
index 8bf604b55..7734f79ad 100644
--- a/docs/simplesamlphp-hok-sp.txt
+++ b/docs/simplesamlphp-hok-sp.txt
@@ -27,12 +27,14 @@ environment variable `SSL_CLIENT_CERT` of the webserver.
 Enable HoK on SP
 ----------------
 
-Which binding/profile the Identity Provider (IdP) should use when sending authentication responses to the SP is controlled by the `ProtocolBinding` option in the SP configuration.
-To make your SP request that the response from the IdP is send using the HoK SSO Profile, this option must be set accordingly:
+To enable support for the HoK SSO Profile in the SP, the `saml20.hok.assertion` option must be set to TRUE in the SP configuration.
+This option can also be enabled in the `saml20-idp-remote` metadata file, but in that case the endpoint will not be added to the SP metadata.
+You must also send authentication requests specifying the Holder-of-Key profile to the IdP. This is controlled by the `ProtocolBinding` option in the SP configuration.
 
     'hok-sp' => array(
         'saml:SP',
-		'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
+        'saml20.hok.assertion' => TRUE,
+        'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
     ),
 
 When this is done, you can add the metadata of your SP to the IdP and test the authentication.
diff --git a/docs/simplesamlphp-upgrade-notes-1.11.txt b/docs/simplesamlphp-upgrade-notes-1.11.txt
new file mode 100644
index 000000000..89f3491ec
--- /dev/null
+++ b/docs/simplesamlphp-upgrade-notes-1.11.txt
@@ -0,0 +1,6 @@
+Upgrade notes for simpleSAMLphp 1.11
+====================================
+
+  * Support for the Holder-of-Key profile in the SAML 2.0 SP has been disabled by default.
+    To enable it, set `saml20.hok.assertion` to `TRUE` in `config/authsources.php`.
+
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index e536aac29..a3dfb8675 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -347,6 +347,10 @@ Options
 
 :   *Note*: SAML 1 specific.
 
+`saml20.hok.assertion`
+:   Enable support for the SAML 2.0 Holder-of-Key SSO profile.
+    See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
+
 `sign.authnrequest`
 :   Whether to sign authentication requests sent from this SP.
 
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index 3e0c7b51c..5b6c91a3c 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -600,17 +600,16 @@ class sspmod_saml_Message {
 			/* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
 			$hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
 			if ($hok === NULL) {
-			    $protocolBinding = $spMetadata->getString('ProtocolBinding', SAML2_Const::BINDING_HTTP_POST);
-			    if ($protocolBinding === SAML2_Const::BINDING_HOK_SSO) {
-				$hok = TRUE;
-			    } else {
-				$hok = FALSE;
-			    }
+				$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
 			}
 			if ($sc->Method === SAML2_Const::CM_BEARER && $hok) {
 				$lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
 				continue;
 			}
+			if ($sc->Method === SAML2_Const::CM_HOK && !$hok) {
+				$lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
+				continue;
+			}
 
 			$scd = $sc->SubjectConfirmationData;
 			if ($sc->Method === SAML2_Const::CM_HOK) {
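Review bot: The fallback `$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);` silently changes the meaning of an existing configuration: an SP that sets `ProtocolBinding` to `SAML2_Const::BINDING_HOK_SSO` without the new option still asks the IdP for a HoK response but now fails every such response in the added `CM_HOK && !$hok` branch, so the misconfiguration only surfaces at authentication time. The upgrade notes in this commit cover it, but the code gives no hint; a comment above the fallback such as `/* ProtocolBinding alone no longer enables HoK; saml20.hok.assertion must be set explicitly (see 1.11 upgrade notes). */` would help, and a logged warning when the two SP settings disagree would make the problem visible before responses are rejected. The two error strings are also inconsistent in style: the bearer message has no trailing period while the new HoK one does. The enclosing loop and method continue outside the hunk.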
diff --git a/modules/saml/www/sp/metadata.php b/modules/saml/www/sp/metadata.php
index 4111a6eb1..34dacffb8 100644
--- a/modules/saml/www/sp/metadata.php
+++ b/modules/saml/www/sp/metadata.php
@@ -52,9 +52,12 @@ $assertionsconsumerservicesdefault = array(
 	'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
 	'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
 	'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
-	'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
 );
 
+if ($spconfig->getBoolean('saml20.hok.assertion', FALSE)) {
+	$assertionsconsumerservicesdefault[] = 	'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
+}
+
 $assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionsconsumerservicesdefault);
 
 $index = 0;
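Review bot: The new append line `$assertionsconsumerservicesdefault[] = 	'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';` has a stray tab between `=` and the string literal; it should be a single space. Separately, the guard only filters the default list: a configuration that supplies `acs.Bindings` explicitly (read on the following line) can still advertise the HoK endpoint without `saml20.hok.assertion`, and given this commit's change to Message.php the SP would then advertise an endpoint whose responses it rejects. A short comment noting that `acs.Bindings` bypasses this check, or applying the same `saml20.hok.assertion` filter to the explicit list, would make that coupling visible.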
-- 
GitLab