- try {
- auto_ptr<ArtifactResponse> response(
- m_artifactResolver->resolve(
- issuerTrusted,
- *(artifact2.get()),
- dynamic_cast<const SSODescriptorType&>(*issuer),
- dynamic_cast<const X509TrustEngine*>(trustEngine)
- )
- );
-
- // Check Issuer of outer message.
- if (!issuerMatches(response->getIssuer(), provider->getEntityID())) {
- log.error("issuer of ArtifactResponse did not match source of artifact");
- throw BindingException("Issuer of ArtifactResponse did not match source of artifact.");
- }
-
- // Extract payload and check that Issuer.
- XMLObject* payload = response->getPayload();
- RequestAbstractType* req = NULL;
- StatusResponseType* res = dynamic_cast<StatusResponseType*>(payload);
- if (!res)
- req = dynamic_cast<RequestAbstractType*>(payload);
- if (!res && !req)
- throw BindingException("ArtifactResponse payload was not a recognized SAML 2.0 protocol message.");
-
- if (!issuerMatches(res ? res->getIssuer() : req->getIssuer(), provider->getEntityID())) {
- log.error("issuer of ArtifactResponse payload did not match source of artifact");
- throw BindingException("Issuer of ArtifactResponse payload did not match source of artifact.");
- }
-
- // Check payload freshness.
- time_t now = time(NULL);
- if ((res ? res->getIssueInstant() : req->getIssueInstant())->getEpoch() < now-(2*XMLToolingConfig::getConfig().clock_skew_secs))
- throw BindingException("Detected expired ArtifactResponse payload.");
+ auto_ptr<ArtifactResponse> response(
+ m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*roledesc), policy)
+ );
+
+ // The policy should be enforced against the ArtifactResponse by the resolve step.