saml2: Introduce validate.logout and validate.authnrequest options.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2549 44740490-163a-0410-bde0-09ae8108e29a

docs/simplesamlphp-reference-idp-hosted.txt

@@ -207,6 +207,20 @@ The following SAML 2.0 options are available:
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
+`validate.authnrequest`
+:   Whether we require signatures on authentication requests sent to this IdP.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent to this IdP.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
 
 ### Fields for signing and validating messages
 

docs/simplesamlphp-reference-idp-remote.txt

@@ -121,6 +121,12 @@ The following SAML 2.0 options are available:
 `SPNameQualifier`
 :   This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, simpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
 
+`validate.logout`
+:   Whether we require signatures on logout messages sent from this IdP.
+
+:   Note that this option also exists in the SP configuration.
+    This value in the IdP remote metadata overrides the value in the SP configuration.
+
 
 ### Decrypting assertions
 

docs/simplesamlphp-reference-sp-remote.txt

@@ -238,6 +238,18 @@ The following SAML 2.0 options are available:
 :   -   `raw`: Store the attribute without any modifications. This
         makes it possible to include raw XML in the response.
 
+`validate.authnrequest`
+:   Whether we require signatures on authentication requests sent from this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent from this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
 
 ### Encrypting assertions
 

modules/saml/docs/sp.txt

@@ -276,3 +276,12 @@ Options
             'en' => 'http://sp.example.net/en/info.html',
             'no' => 'http://sp.example.net/no/info.html',
         ),
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent to this SP.
+
+:   Note that this option also exists in the IdP-remote metadata, and
+    any value in the IdP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+:   *Note*: SAML 2 specific.

modules/saml/lib/Message.php

@@ -216,9 +216,23 @@ class sspmod_saml_Message {
 		SAML2_Message $message
 		) {
 
-		$enabled = $srcMetadata->getBoolean('redirect.validate', NULL);
+		if ($message instanceof SAML2_LogoutRequest || $message instanceof SAML2_LogoutResponse) {
+			$enabled = $srcMetadata->getBoolean('validate.logout', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('validate.logout', NULL);
+			}
+		} elseif ($message instanceof SAML2_AuthnRequest) {
+			$enabled = $srcMetadata->getBoolean('validate.authnrequest', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('validate.authnrequest', NULL);
+			}
+		}
+
 		if ($enabled === NULL) {
-			$enabled = $dstMetadata->getBoolean('redirect.validate', FALSE);
+			$enabled = $srcMetadata->getBoolean('redirect.validate', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('redirect.validate', FALSE);
+			}
 		}
 
 		if (!$enabled) {