- AttributeFilter* filter = application.getAttributeFilter();
- if (filter && !resolvedAttributes.empty()) {
- BasicFilteringContext fc(application, resolvedAttributes, policy.getIssuerMetadata(), ssoStatement->getAuthenticationMethod());
- Locker filtlocker(filter);
- try {
- filter->filterAttributes(fc, resolvedAttributes);
- }
- catch (exception& ex) {
- m_log.error("caught exception filtering attributes: %s", ex.what());
- m_log.error("dumping extracted attributes due to filtering exception");
- for_each(resolvedAttributes.begin(), resolvedAttributes.end(), xmltooling::cleanup<shibsp::Attribute>());
- resolvedAttributes.clear();
- }
+ saml1name = saml1statement->getSubject()->getNameIdentifier();
+ authMethod = saml1statement->getAuthenticationMethod();
+ if (saml1statement->getAuthenticationInstant())
+ authInstant = saml1statement->getAuthenticationInstant()->getRawData();
+
+ // Session expiration.
+ pair<bool,unsigned int> lifetime = sessionProps ? sessionProps->getUnsignedInt("lifetime") : pair<bool,unsigned int>(true,28800);
+ if (!lifetime.first || lifetime.second == 0)
+ lifetime.second = 28800;
+ sessionExp = now + lifetime.second;
+ }
+ else {
+ const saml2::Assertion* saml2token = dynamic_cast<const saml2::Assertion*>(token);
+ if (!saml2token)
+ throw FatalProfileException("Incoming message did not contain a recognized type of SAML assertion.");
+
+ // Now do profile validation to ensure we can use it for SSO.
+ if (!saml2token->getConditions() || !saml2token->getConditions()->getNotBefore() || !saml2token->getConditions()->getNotOnOrAfter())
+ throw FatalProfileException("Assertion did not contain time conditions.");
+ else if (saml2token->getAuthnStatements().empty())
+ throw FatalProfileException("Assertion did not contain an authentication statement.");
+
+ // authnskew allows rejection of SSO if AuthnInstant is too old.
+ pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
+
+ saml2statement = saml2token->getAuthnStatements().front();
+ if (authnskew.first && authnskew.second &&
+ saml2statement->getAuthnInstant() && (now - saml2statement->getAuthnInstantEpoch() > authnskew.second))
+ throw FatalProfileException("The gap between now and the time you logged into your identity provider exceeds the limit.");
+
+ // Address checking.
+ saml2::SubjectLocality* locality = saml2statement->getSubjectLocality();
+ if (locality && locality->getAddress()) {
+ auto_ptr_char ip(locality->getAddress());
+ checkAddress(application, httpRequest, ip.get());