Commit d6d38a3b authored by Andreas Åkre Solberg's avatar Andreas Åkre Solberg

Adding support for signing Assertions in shib13 protocol. Request from eduGAIN folks

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@840 44740490-163a-0410-bde0-09ae8108e29a
parent 6cca9d31
......@@ -212,6 +212,8 @@ $config = array (
* same name to the metadata of the SP.
*/
'saml20.signresponse' => FALSE,
'shib13.signresponse' => TRUE,
/*
* Configuration of Consent storage used for attribute consent.
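Review bot: The new `'shib13.signresponse' => TRUE` entry is added without any comment, while the block above it documents only `saml20.signresponse`, so a reader of the config file cannot tell what the option controls or why its default differs from the saml20 one. From the companion hunk in the Shib 1.3 HTTPPost binding, TRUE signs the whole Response and FALSE signs the first Assertion, and an SP's `'signresponse'` metadata option overrides it. Add a short comment before the line, e.g. `/* Whether to sign the Response (TRUE) or the Assertion (FALSE) for Shib 1.3 responses. The 'signresponse' option in the SP metadata overrides this. */`, so the two settings are documented in parallel.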
......@@ -112,13 +112,47 @@ class SimpleSAML_Bindings_Shib13_HTTPPost {
$responsedom->loadXML(str_replace ("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if(array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
$signResponse = $spmd['signresponse'];
if(!is_bool($signResponse)) {
throw new Exception('Expected the \'signresponse\' option in the metadata of the' .
' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
}
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
}
/* Check if we have an assertion to sign. Force to sign the response if not. */
if($firstassertionroot === NULL) {
$signResponse = TRUE;
}
if(!$signResponse) {
$signer->sign($firstassertionroot, $firstassertionroot);
}
if($signResponse) {
/* Sign the response - this must be done after encrypting the assertion. */
/* We insert the signature before the saml1p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
/* We insert the signature before the saml2p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
}
$response = $responsedom->saveXML();
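Review bot: The comment on the second inserted Status-lookup block says `saml2p:Status` while the call beneath it searches with the `@saml1p` prefix, so the comment contradicts the code it describes; the same mismatch appears in the option docblock at the top of the hunk, which names `'saml20.signresponse'` although the code reads `'shib13.signresponse'`. Change the comment to `/* We insert the signature before the saml1p:Status element. */` and the docblock to reference `'shib13.signresponse'`. The remark that signing "must be done after encrypting the assertion" also looks carried over from the SAML 2.0 binding, since no encryption step is visible in this hunk; if there is none in this class, drop it. Note also that `assert('count($statusElements) === 1')` is the only guard before `$statusElements[0]` is passed as the insertion point, so with assertions disabled a Response lacking a Status element would reach `sign()` with an undefined offset rather than a clear error; an explicit `if (count($statusElements) !== 1) { throw new Exception(...); }` would fail loudly instead. The enclosing method starts outside the hunk.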