diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index eb796367d3920525afd1169e7beba80f5fff83f4..9148d7271514d2ab9a3453b606a07a9ea8fdd364 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -379,8 +379,11 @@ class sspmod_saml2_Message {
));
}
+ $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT));
+ $dst = $dst['Location'];
+
$ar->setIssuer($spMetadata->getString('entityid'));
- $ar->setDestination($idpMetadata->getString('SingleSignOnService'));
+ $ar->setDestination($dst);
$ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
$ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
@@ -399,10 +402,13 @@ class sspmod_saml2_Message {
*/
public static function buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
+ $dst = $dstMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT));
+ $dst = $dst['Location'];
+
$lr = new SAML2_LogoutRequest();
$lr->setIssuer($srcMetadata->getString('entityid'));
- $lr->setDestination($dstMetadata->getString('SingleLogoutService'));
+ $lr->setDestination($dst);
self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
@@ -418,14 +424,16 @@ class sspmod_saml2_Message {
*/
public static function buildLogoutResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) {
+ $dst = $dstMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT));
+ if (isset($dst['ResponseLocation'])) {
+ $dst = $dst['ResponseLocation'];
+ } else {
+ $dst = $dst['Location'];
+ }
+
$lr = new SAML2_LogoutResponse();
$lr->setIssuer($srcMetadata->getString('entityid'));
-
- $dst = $dstMetadata->getString('SingleLogoutServiceResponse', NULL);
- if ($dst === NULL) {
- $dst = $dstMetadata->getString('SingleLogoutService');
- }
$lr->setDestination($dst);
self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 1f7177806f6fe975dbb5dd763490a12d897a1abd..9f6e6d3151b3a0f456580a6e8f381b920d65f3e7 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -73,8 +73,8 @@ function handleError(Exception $exception) {
if (array_key_exists('ConsumerURL', $requestcache)) {
$consumerURL = $requestcache['ConsumerURL'];
} else {
- $urlArray = $spMetadata->getArrayizeString('AssertionConsumerService');
- $consumerURL = $urlArray[0];
+ $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array(SAML2_Const::BINDING_HTTP_POST));
+ $consumerURL = $consumerURL['Location'];
}
$ar = sspmod_saml2_Message::buildResponse($idpMetadata, $spMetadata, $consumerURL);
@@ -149,13 +149,22 @@ if (isset($_REQUEST['SAMLRequest'])) {
$consumerURL = $authnrequest->getAssertionConsumerServiceURL();
if ($consumerURL !== NULL) {
- $consumerArray = $spMetadata->getArrayizeString('AssertionConsumerService');
- if (in_array($consumerURL, $consumerArray, TRUE)) {
+ $found = FALSE;
+ foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
+ if ($ep['Binding'] !== SAML2_Const::BINDING_HTTP_POST) {
+ continue;
+ }
+ if ($ep['Location'] !== $consumerURL) {
+ continue;
+ }
$requestcache['ConsumerURL'] = $consumerURL;
- } else {
+ break;
+ }
+
+ if (!$found) {
SimpleSAML_Logger::warning('Authentication request from ' . var_export($issuer, TRUE) .
' contains invalid AssertionConsumerService URL. Was ' .
- var_export($consumerURL, TRUE) . ', could be ' . var_export($consumerArray, TRUE) . '.');
+ var_export($consumerURL, TRUE) . '.');
}
}
@@ -441,8 +450,8 @@ if($needAuth && !$isPassive) {
if (array_key_exists('ConsumerURL', $requestcache)) {
$consumerURL = $requestcache['ConsumerURL'];
} else {
- $urlArray = $spMetadata->getArrayizeString('AssertionConsumerService');
- $consumerURL = $urlArray[0];
+ $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array(SAML2_Const::BINDING_HTTP_POST));
+ $consumerURL = $consumerURL['Location'];
}
$assertion = sspmod_saml2_Message::buildAssertion($idpMetadata, $spMetadata, $attributes, $consumerURL);
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index a0aa2a5ce08f14280351cb179b7f9ac6a46c63e3..c8afe8beb5749a7209689c9a6a68fb32ec63a82d 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -211,9 +211,9 @@ while (TRUE) {
continue;
}
- $singleLogoutService = $spMetadata->getString('SingleLogoutService', NULL);
+ $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL);
if ($singleLogoutService === NULL) {
- SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: No SingleLogoutService for ' .
+ SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: No supported SingleLogoutService for ' .
$spEntityId . '; looking for more SPs.');
continue;
}
diff --git a/www/saml2/idp/SingleLogoutServiceiFrame.php b/www/saml2/idp/SingleLogoutServiceiFrame.php
index c27ce3a84267b8b60dc2d40f6f93b756c024b93c..38af9e35596ee6c3726b8a4fd806f026ec68922f 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrame.php
@@ -110,7 +110,7 @@ function updateslostatus() {
}
try {
- $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
+ $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-remote');
} catch (Exception $e) {
/*
* For some reason, the metadata for this SP is no longer available. Most
@@ -121,7 +121,8 @@ function updateslostatus() {
continue;
}
- if (!isset($spmetadata['SingleLogoutService'])) {
+ $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL);
+ if ($singleLogoutService === NULL) {
/* No logout endpoint. */
$listofsps[] = $spentityid;
continue;
diff --git a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
index 3db8a69ac3a48fd5da857f86865ccf6c42efd5ae..24f8c666f299849d54dc4d9a2dddd6e95f7db07a 100644
--- a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
@@ -103,7 +103,7 @@ function updateslostatus() {
}
try {
- $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
+ $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-remote');
} catch (Exception $e) {
/*
* For some reason, the metadata for this SP is no longer available. Most
@@ -114,7 +114,8 @@ function updateslostatus() {
continue;
}
- if (!isset($spmetadata['SingleLogoutService'])) {
+ $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL);
+ if ($singleLogoutService === NULL) {
/* No logout endpoint. */
$listofsps[] = $spentityid;
continue;
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index 410fa2411653aebbe3026d7530a12c3032732fcd..c45c31d87a9f6f88f4c934c4fde6d7ab090e1f20 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -28,8 +28,9 @@ try {
SimpleSAML_Utilities::redirect($returnTo);
}
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
- if (!$idpMetadata->hasValue('SingleLogoutService')) {
- SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No SingleLogoutService endpoint in IdP.');
+ $SLOendpoint = $idpMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL);
+ if ($SLOendpoint === NULL) {
+ SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.');
SimpleSAML_Utilities::redirect($returnTo);
}