}
void receive(DDF& in, ostream& out);
- pair<bool,long> run(SPRequest& request, const char* entityID=NULL, bool isHandler=true) const;
+ pair<bool,long> run(SPRequest& request, string& entityID, bool isHandler=true) const;
private:
pair<bool,long> doRequest(
*/
}
-pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, const char* entityID, bool isHandler) const
+pair<bool,long> ADFSSessionInitiator::run(SPRequest& request, string& entityID, bool isHandler) const
{
// We have to know the IdP to function.
- if (!entityID || !*entityID)
+ if (entityID.empty())
return make_pair(false,0L);
string target;
target = option;
}
- m_log.debug("attempting to initiate session using ADFS with provider (%s)", entityID);
+ m_log.debug("attempting to initiate session using ADFS with provider (%s)", entityID.c_str());
if (SPConfig::getConfig().isEnabled(SPConfig::OutOfProcess))
- return doRequest(app, request, entityID, ACSloc.c_str(), target);
+ return doRequest(app, request, entityID.c_str(), ACSloc.c_str(), target);
// Remote the call.
DDF out,in = DDF(m_address.c_str()).structure();
DDFJanitor jin(in), jout(out);
in.addmember("application_id").string(app.getId());
- in.addmember("entity_id").string(entityID);
+ in.addmember("entity_id").string(entityID.c_str());
in.addmember("acsLocation").string(ACSloc.c_str());
if (!target.empty())
in.addmember("RelayState").string(target.c_str());
}
else if (!entity.second) {
m_log.warn("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
- return make_pair(false,0L);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate ADFS-aware identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
}
const EndpointType* ep = EndpointManager<SingleSignOnService>(
dynamic_cast<const IDPSSODescriptor*>(entity.second)->getSingleSignOnServices()
).getByBinding(m_binding.get());
if (!ep) {
m_log.warn("unable to locate compatible SSO service for provider (%s)", entityID);
- return make_pair(false,0L);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate compatible SSO service for provider ($entityID)", namedparams(1, "entityID", entityID));
}
preserveRelayState(app, httpResponse, relayState);
if (!policy.isAuthenticated())
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
+ const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
// Now do profile and core semantic validation to ensure we can use it for SSO.
// Profile validator.
time_t now = time(NULL);
- saml1::AssertionValidator ssoValidator(application.getAudiences(), now);
+ saml1::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
ssoValidator.validateAssertion(*token);
if (!token->getConditions() || !token->getConditions()->getNotBefore() || !token->getConditions()->getNotOnOrAfter())
throw FatalProfileException("Assertion did not contain time conditions.");
// authnskew allows rejection of SSO if AuthnInstant is too old.
const PropertySet* sessionProps = application.getPropertySet("Sessions");
- pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("authnskew") : pair<bool,unsigned int>(false,0);
+ pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
if (authnskew.first && authnskew.second &&
ssoStatement->getAuthenticationInstant() && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second))
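Review bot: Renaming the Sessions property from `authnskew` to `maxTimeSinceAuthn` on the changed line silently disables the AuthnInstant freshness check for any deployment whose configuration still sets `authnskew`, since a missing key returns `first == false` and the rejection branch below is skipped. A security limit should not degrade to "off" across a config-key rename; read the legacy name as a fallback and warn about it, e.g. `if (sessionProps && !authnskew.first) authnskew = sessionProps->getUnsignedInt("authnskew");` followed by a deprecation warning on the handler's logger when that lookup succeeds (assuming, as in the initiator above, a logger is in scope here). The local is still called `authnskew` and the comment above it still refers to that name, so renaming both to match the new property would avoid misleading the next reader. The enclosing function starts and ends outside the hunk.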
httpRequest,
httpResponse,
now + lifetime.second,
- policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+ entity,
m_protocol.get(),
nameid.get(),
ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL,
if (param)
return make_pair(true, request.sendRedirect(param));
- return sendLogoutPage(app, request, false, "Logout complete.");
+ return sendLogoutPage(app, request, request, false, "Logout complete.");
}