From c65dba2f85a7913508909ec0419b26d73ac4f802 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 7 Mar 2011 13:25:01 +0000
Subject: [PATCH] SAML2_SOAPClient: Add option to disable the inclusion of
 client certificates.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2750 44740490-163a-0410-bde0-09ae8108e29a
---
 lib/SAML2/SOAPClient.php | 9 ++++++---
 modules/saml/docs/sp.txt | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/SAML2/SOAPClient.php b/lib/SAML2/SOAPClient.php
index fc1824fea..15b0690a9 100644
--- a/lib/SAML2/SOAPClient.php
+++ b/lib/SAML2/SOAPClient.php
@@ -31,9 +31,12 @@ class SAML2_SOAPClient {
 
 		// Determine if we are going to do a MutualSSL connection between the IdP and SP  - Shoaib
 		if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
-			$ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate'));
-			if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
-				$ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
+			$cert = $srcMetadata->getValue('saml.SOAPClient.certificate');
+			if ($cert !== FALSE) {
+				$ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate'));
+				if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
+					$ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
+				}
 			}
 		} else {
 			/* Use the SP certificate and privatekey if it is configured. */
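Review bot: The new `if ($cert !== FALSE)` branch has no comment explaining that `FALSE` leaves `$ctxOpts['ssl']['local_cert']` unset and also skips the `else` fallback to the SP certificate, so the SOAP request goes out with no TLS client authentication. That is the intended opt-out, but the existing "MutualSSL" comment above it now reads as if a certificate is always attached. I would add `/* FALSE disables the client certificate entirely; the SP key fallback below is skipped on purpose. */` above the check. The strict comparison is worth keeping, because a string such as `'false'` is then passed to `resolveCert()` as a path instead of silently disabling the certificate. Since `$cert` is already fetched, the second `getString()` lookup is redundant unless it is kept deliberately as a type check; the enclosing method starts and ends outside the hunk.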
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 7d4fd1f63..9c7bc94f2 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -241,6 +241,8 @@ Options
 :   A file with a certificate _and_ private key that should be used when issuing SOAP requests from this SP.
     If this option isn't specified, the SP private key and certificate will be used.
 
+:   This option can also be set to `FALSE`, in which case no client certificate will be used.
+
 `saml.SOAPClient.privatekey_pass`
 :   The passphrase of the privatekey in `saml.SOAPClient.certificate`.
 
-- 
GitLab