From e9cd425675aef56831413f780b096af18f2920d3 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 15 Sep 2010 11:09:51 +0000
Subject: [PATCH] saml2: Introduce validate.logout and validate.authnrequest
 options.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2549 44740490-163a-0410-bde0-09ae8108e29a
---
 docs/simplesamlphp-reference-idp-hosted.txt | 14 ++++++++++++++
 docs/simplesamlphp-reference-idp-remote.txt |  6 ++++++
 docs/simplesamlphp-reference-sp-remote.txt  | 12 ++++++++++++
 modules/saml/docs/sp.txt                    |  9 +++++++++
 modules/saml/lib/Message.php                | 18 ++++++++++++++++--
 5 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/docs/simplesamlphp-reference-idp-hosted.txt b/docs/simplesamlphp-reference-idp-hosted.txt
index 47f7842de..0ea132587 100644
--- a/docs/simplesamlphp-reference-idp-hosted.txt
+++ b/docs/simplesamlphp-reference-idp-hosted.txt
@@ -207,6 +207,20 @@ The following SAML 2.0 options are available:
     any value in the SP-remote metadata overrides the one configured
     in the IdP metadata.
 
+`validate.authnrequest`
+:   Whether we require signatures on authentication requests sent to this IdP.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent to this IdP.
+
+:   Note that this option also exists in the SP-remote metadata, and
+    any value in the SP-remote metadata overrides the one configured
+    in the IdP metadata.
+
 
 ### Fields for signing and validating messages
 
diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt
index e24666c2c..a903d2c5b 100644
--- a/docs/simplesamlphp-reference-idp-remote.txt
+++ b/docs/simplesamlphp-reference-idp-remote.txt
@@ -121,6 +121,12 @@ The following SAML 2.0 options are available:
 `SPNameQualifier`
 :   This corresponds to the SPNameQualifier in the SAML 2.0 specification. It allows to give subjects a SP specific namespace. This option is rarely used, so if you don't need it, leave it out. When left out, simpleSAMLphp assumes the entityID of your SP as the SPNameQualifier.
 
+`validate.logout`
+:   Whether we require signatures on logout messages sent from this IdP.
+
+:   Note that this option also exists in the SP configuration.
+    This value in the IdP remote metadata overrides the value in the SP configuration.
+
 
 ### Decrypting assertions
 
diff --git a/docs/simplesamlphp-reference-sp-remote.txt b/docs/simplesamlphp-reference-sp-remote.txt
index f0b9916c8..ab6fd4a41 100644
--- a/docs/simplesamlphp-reference-sp-remote.txt
+++ b/docs/simplesamlphp-reference-sp-remote.txt
@@ -238,6 +238,18 @@ The following SAML 2.0 options are available:
 :   -   `raw`: Store the attribute without any modifications. This
         makes it possible to include raw XML in the response.
 
+`validate.authnrequest`
+:   Whether we require signatures on authentication requests sent from this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent from this SP.
+
+:   Note that this option also exists in the IdP-hosted metadata.
+    The value in the SP-remote metadata overrides the value in the IdP-hosted metadata.
+
 
 ### Encrypting assertions
 
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index d710245fc..63d61e407 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -276,3 +276,12 @@ Options
             'en' => 'http://sp.example.net/en/info.html',
             'no' => 'http://sp.example.net/no/info.html',
         ),
+
+`validate.logout`
+:   Whether we require signatures on logout messages sent to this SP.
+
+:   Note that this option also exists in the IdP-remote metadata, and
+    any value in the IdP-remote metadata overrides the one configured
+    in the IdP metadata.
+
+:   *Note*: SAML 2 specific.
diff --git a/modules/saml/lib/Message.php b/modules/saml/lib/Message.php
index e00bce2af..e8a96aeb2 100644
--- a/modules/saml/lib/Message.php
+++ b/modules/saml/lib/Message.php
@@ -216,9 +216,23 @@ class sspmod_saml_Message {
 		SAML2_Message $message
 		) {
 
-		$enabled = $srcMetadata->getBoolean('redirect.validate', NULL);
+		if ($message instanceof SAML2_LogoutRequest || $message instanceof SAML2_LogoutResponse) {
+			$enabled = $srcMetadata->getBoolean('validate.logout', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('validate.logout', NULL);
+			}
+		} elseif ($message instanceof SAML2_AuthnRequest) {
+			$enabled = $srcMetadata->getBoolean('validate.authnrequest', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('validate.authnrequest', NULL);
+			}
+		}
+
 		if ($enabled === NULL) {
-			$enabled = $dstMetadata->getBoolean('redirect.validate', FALSE);
+			$enabled = $srcMetadata->getBoolean('redirect.validate', NULL);
+			if ($enabled === NULL) {
+				$enabled = $dstMetadata->getBoolean('redirect.validate', FALSE);
+			}
 		}
 
 		if (!$enabled) {
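Review bot: `$enabled` is assigned only inside the two new branches, so for any other SAML2_Message subclass the check `if ($enabled === NULL)` reads a variable that was never initialised — it still takes the NULL path, but emits an undefined-variable notice on every such message. Initialise it before the type dispatch, `$enabled = NULL;`, directly above the `instanceof` chain. The resulting precedence (type-specific option in source metadata, then destination, then `redirect.validate` in source, then destination, then `FALSE`) is non-obvious and worth a short comment above the first `if`, e.g. `/* Per-message-type option wins over redirect.validate; source metadata wins over destination; default is no signature required. */`. The enclosing method's parameter list begins before the hunk and its body continues after it.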
-- 
GitLab