-
- log.debug("attempting to find artifact issuing role...");
- issuer=provider->getRoleDescriptor(*role, samlconstants::SAML20P_NS);
- if (!issuer || !dynamic_cast<const SSODescriptorType*>(issuer)) {
- log.error("unable to find compatible SAML role (%s) in metadata", role->toString().c_str());
- BindingException ex("Unable to find compatible metadata role for artifact issuer.");
- annotateException(&ex,provider); // throws it
- }
-
- try {
- auto_ptr<ArtifactResponse> response(
- m_artifactResolver->resolve(
- securityMech,
- *(artifact2.get()),
- dynamic_cast<const SSODescriptorType&>(*issuer),
- dynamic_cast<const X509TrustEngine*>(trustEngine)
- )
- );
-
- // Check Issuer of outer message.
- if (!issuerMatches(response->getIssuer(), provider->getEntityID())) {
- log.error("issuer of ArtifactResponse did not match source of artifact");
- throw BindingException("Issuer of ArtifactResponse did not match source of artifact.");
- }
-
- // Extract payload and check that Issuer.
- XMLObject* payload = response->getPayload();
- RequestAbstractType* req = NULL;
- StatusResponseType* res = dynamic_cast<StatusResponseType*>(payload);
- if (!res)
- req = dynamic_cast<RequestAbstractType*>(payload);
- if (!res && !req)
- throw BindingException("ArtifactResponse payload was not a recognized SAML 2.0 protocol message.");
-
- if (!issuerMatches(res ? res->getIssuer() : req->getIssuer(), provider->getEntityID())) {
- log.error("issuer of ArtifactResponse payload did not match source of artifact");
- throw BindingException("Issuer of ArtifactResponse payload did not match source of artifact.");
- }
-
- // Check payload freshness.
- time_t now = time(NULL);
- if ((res ? res->getIssueInstant() : req->getIssueInstant())->getEpoch() < now-(2*XMLToolingConfig::getConfig().clock_skew_secs))
- throw BindingException("Detected expired ArtifactResponse payload.");