From ef80342a858a8f3bf87ebf619a40fa8bcddd36f2 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 4 Nov 2009 13:53:09 +0000
Subject: [PATCH] saml2: Support new endpoint format.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1950 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml2/lib/Message.php | 22 ++++++++++------
 www/saml2/idp/SSOService.php | 25 +++++++++++++------
 www/saml2/idp/SingleLogoutService.php | 4 +--
 www/saml2/idp/SingleLogoutServiceiFrame.php | 5 ++--
 .../idp/idpInitSingleLogoutServiceiFrame.php | 5 ++--
 www/saml2/sp/initSLO.php | 5 ++--
 6 files changed, 43 insertions(+), 23 deletions(-)
diff --git a/modules/saml2/lib/Message.php b/modules/saml2/lib/Message.php
index eb796367d..9148d7271 100644
--- a/modules/saml2/lib/Message.php
+++ b/modules/saml2/lib/Message.php
@@ -379,8 +379,11 @@ class sspmod_saml2_Message { )); } + $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT)); + $dst = $dst['Location']; + $ar->setIssuer($spMetadata->getString('entityid')); - $ar->setDestination($idpMetadata->getString('SingleSignOnService')); + $ar->setDestination($dst); $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE)); $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
@@ -399,10 +402,13 @@ class sspmod_saml2_Message { */ public static function buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) { + $dst = $dstMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT)); + $dst = $dst['Location']; + $lr = new SAML2_LogoutRequest(); $lr->setIssuer($srcMetadata->getString('entityid')); - $lr->setDestination($dstMetadata->getString('SingleLogoutService')); + $lr->setDestination($dst); self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
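Review bot: `$dst` is first assigned the endpoint array returned by getDefaultEndpoint() and on the very next line overwritten with its 'Location' string, so the variable's type depends on which of the two added lines the reader is looking at; the same pattern is repeated in buildLogoutRequest in the following hunk. A dedicated name keeps the endpoint available for any later Binding or ResponseLocation check and reads more clearly: `$sso = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT));` followed by `$ar->setDestination($sso['Location']);`. Because no default value is passed, the lookup presumably throws when the IdP metadata has no HTTP-Redirect SingleSignOnService (the SLO call sites elsewhere in this commit pass NULL to get a NULL return instead), which is the right outcome here but deserves a one-line comment such as `/* Only HTTP-Redirect is supported for outbound requests; a missing endpoint is a metadata error, not a fallback case. */`. buildAuthnRequest starts before this hunk.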
@@ -418,14 +424,16 @@ class sspmod_saml2_Message { */ public static function buildLogoutResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata) { + $dst = $dstMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT)); + if (isset($dst['ResponseLocation'])) { + $dst = $dst['ResponseLocation']; + } else { + $dst = $dst['Location']; + } + $lr = new SAML2_LogoutResponse(); $lr->setIssuer($srcMetadata->getString('entityid')); - - $dst = $dstMetadata->getString('SingleLogoutServiceResponse', NULL); - if ($dst === NULL) { - $dst = $dstMetadata->getString('SingleLogoutService'); - } $lr->setDestination($dst); self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 1f7177806..9f6e6d315 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -73,8 +73,8 @@ function handleError(Exception $exception) { if (array_key_exists('ConsumerURL', $requestcache)) { $consumerURL = $requestcache['ConsumerURL']; } else { - $urlArray = $spMetadata->getArrayizeString('AssertionConsumerService'); - $consumerURL = $urlArray[0]; + $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array(SAML2_Const::BINDING_HTTP_POST)); + $consumerURL = $consumerURL['Location']; } $ar = sspmod_saml2_Message::buildResponse($idpMetadata, $spMetadata, $consumerURL);
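Review bot: Inside handleError() the new getDefaultEndpoint() call is made without a default value, so when the SP metadata has no HTTP-POST AssertionConsumerService the lookup presumably throws (the SLO call sites in this same commit pass NULL as a third argument to get NULL instead) and the original $exception the handler was asked to report is lost behind a secondary metadata error. Passing NULL and re-raising the original keeps the failure diagnosable: `$acs = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array(SAML2_Const::BINDING_HTTP_POST), NULL);` then `if ($acs === NULL) { throw $exception; }` and `$consumerURL = $acs['Location'];`. It is worth a comment that this error Response is only ever delivered to an endpoint taken from the SP's registered metadata, never to a URL from the request, which is the correct choice for an error path. handleError() starts before and ends after this hunk.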
@@ -149,13 +149,22 @@ if (isset($_REQUEST['SAMLRequest'])) { $consumerURL = $authnrequest->getAssertionConsumerServiceURL(); if ($consumerURL !== NULL) { - $consumerArray = $spMetadata->getArrayizeString('AssertionConsumerService'); - if (in_array($consumerURL, $consumerArray, TRUE)) { + $found = FALSE; + foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) { + if ($ep['Binding'] !== SAML2_Const::BINDING_HTTP_POST) { + continue; + } + if ($ep['Location'] !== $consumerURL) { + continue; + } $requestcache['ConsumerURL'] = $consumerURL; - } else { + break; + } + + if (!$found) { SimpleSAML_Logger::warning('Authentication request from ' . var_export($issuer, TRUE) . ' contains invalid AssertionConsumerService URL. Was ' . - var_export($consumerURL, TRUE) . ', could be ' . var_export($consumerArray, TRUE) . '.'); + var_export($consumerURL, TRUE) . '.'); } }
@@ -441,8 +450,8 @@ if($needAuth && !$isPassive) { if (array_key_exists('ConsumerURL', $requestcache)) { $consumerURL = $requestcache['ConsumerURL']; } else { - $urlArray = $spMetadata->getArrayizeString('AssertionConsumerService'); - $consumerURL = $urlArray[0]; + $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array(SAML2_Const::BINDING_HTTP_POST)); + $consumerURL = $consumerURL['Location']; } $assertion = sspmod_saml2_Message::buildAssertion($idpMetadata, $spMetadata, $attributes, $consumerURL);
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index a0aa2a5ce..c8afe8beb 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
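Review bot: `$found` is initialised to FALSE but never set to TRUE inside the foreach, so the `if (!$found)` branch logs the "contains invalid AssertionConsumerService URL" warning for every AuthnRequest that carries an ACS URL, including ones that matched a registered HTTP-POST endpoint; add `$found = TRUE;` next to `$requestcache['ConsumerURL'] = $consumerURL;` before the `break;`. The security outcome is still correct, because ConsumerURL is only cached on an exact match against the SP's registered POST endpoints and the unmatched case falls back to the SP's default endpoint in the next hunk, so a request-supplied ACS URL cannot steer the assertion elsewhere; but a warning that fires on every request will hide the real mismatches it exists to surface. The new message also dropped the list of acceptable locations the old one printed, which is what made a misconfigured SP easy to diagnose, so consider logging the registered POST locations again. Whether an unregistered ACS URL should be rejected outright rather than silently replaced by the default is a policy this commit inherits from the old code; if the fallback is intentional, say so in a comment at the warning, e.g. `/* Unknown ACS URL: log it and fall back to the SP's default endpoint rather than honouring the request. */`. The enclosing `if (isset($_REQUEST['SAMLRequest']))` block starts before and ends after this hunk.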
@@ -211,9 +211,9 @@ while (TRUE) { continue; } - $singleLogoutService = $spMetadata->getString('SingleLogoutService', NULL); + $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL); if ($singleLogoutService === NULL) { - SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: No SingleLogoutService for ' . + SimpleSAML_Logger::info('SAML2.0 - IDP.SingleLogoutService: No supported SingleLogoutService for ' . $spEntityId . '; looking for more SPs.'); continue; }
diff --git a/www/saml2/idp/SingleLogoutServiceiFrame.php b/www/saml2/idp/SingleLogoutServiceiFrame.php
index c27ce3a84..38af9e355 100644
--- a/www/saml2/idp/SingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/SingleLogoutServiceiFrame.php
@@ -110,7 +110,7 @@ function updateslostatus() { } try { - $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote'); + $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-remote'); } catch (Exception $e) { /* * For some reason, the metadata for this SP is no longer available. Most
@@ -121,7 +121,8 @@ function updateslostatus() { continue; } - if (!isset($spmetadata['SingleLogoutService'])) { + $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL); + if ($singleLogoutService === NULL) { /* No logout endpoint. */ $listofsps[] = $spentityid; continue;
diff --git a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
index 3db8a69ac..24f8c666f 100644
--- a/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
+++ b/www/saml2/idp/idpInitSingleLogoutServiceiFrame.php
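Review bot: `$singleLogoutService` now holds the endpoint array returned by getDefaultEndpoint() rather than the URL string the old getString() call produced, and the only use visible in the hunk is the NULL check; if the code after this hunk still treats `$singleLogoutService` as a string (for a redirect, a log line or a Destination), it will now receive an array, so please confirm or switch those uses to `$singleLogoutService['Location']`. The NULL check on a Redirect-only lookup correctly skips SPs that register only an HTTP-POST SLO endpoint, which the updated "No supported SingleLogoutService" message reflects. The `while (TRUE)` loop starts before and ends after this hunk.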
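Review bot: The local was renamed from `$spmetadata` to `$spMetadata` when the lookup moved to getMetaDataConfig(), but updateslostatus() continues past the next hunk; any remaining `$spmetadata` reference there would now read an undefined variable and evaluate as null without an error, so the rest of the function should be grepped before merging. The same rename is made in idpInitSingleLogoutServiceiFrame.php below and carries the same risk. updateslostatus() starts before and ends after this hunk.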
@@ -103,7 +103,7 @@ function updateslostatus() { } try { - $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote'); + $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-remote'); } catch (Exception $e) { /* * For some reason, the metadata for this SP is no longer available. Most
@@ -114,7 +114,8 @@ function updateslostatus() { continue; } - if (!isset($spmetadata['SingleLogoutService'])) { + $singleLogoutService = $spMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL); + if ($singleLogoutService === NULL) { /* No logout endpoint. */ $listofsps[] = $spentityid; continue;
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index 410fa2411..c45c31d87 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -28,8 +28,9 @@ try { SimpleSAML_Utilities::redirect($returnTo); } $idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote'); - if (!$idpMetadata->hasValue('SingleLogoutService')) { - SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No SingleLogoutService endpoint in IdP.'); + $SLOendpoint = $idpMetadata->getDefaultEndpoint('SingleLogoutService', array(SAML2_Const::BINDING_HTTP_REDIRECT), NULL); + if ($SLOendpoint === NULL) { + SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No supported SingleLogoutService endpoint in IdP.'); SimpleSAML_Utilities::redirect($returnTo); }
-- 
GitLab
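Review bot: `$SLOendpoint` breaks the camelCase convention the surrounding code uses (`$idpMetadata`, `$idpEntityId`, `$returnTo`); `$sloEndpoint` would be consistent. As far as the hunk shows the endpoint array is only tested for NULL, so if the request is subsequently built by sspmod_saml2_Message::buildLogoutRequest(), which in this commit resolves the same default endpoint itself, the variable is a capability probe and a comment like `/* Probe for an HTTP-Redirect SLO endpoint; buildLogoutRequest() resolves the actual destination. */` would make that intent clear. The new branch redirects to `$returnTo`, whose origin is outside this hunk; if it is taken from the request it needs to be checked against the configured trusted URLs before the redirect, as the early-return case above it presumably already relies on. The enclosing try block starts before and ends after this hunk.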