string contextualError;
for (vector<saml1::Assertion*>::const_iterator a = assertions.begin(); a!=assertions.end(); ++a) {
- // Skip unsigned assertion?
- if (!(*a)->getSignature() && flag.first && flag.second) {
- m_log.warn("found unsigned assertion in SAML response, ignoring it per signedAssertions policy");
- badtokens.push_back(*a);
- continue;
- }
-
try {
+ // Skip unsigned assertion?
+ if (!(*a)->getSignature() && flag.first && flag.second)
+ throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+
// We clear the security flag, so we can tell whether the token was secured on its own.
policy.setAuthenticated(false);
policy.reset(true);
policy.evaluate(*(*a));
// If no security is in place now, we kick it.
- if (!alreadySecured && !policy.isAuthenticated()) {
- m_log.warn("unable to establish security of assertion");
- badtokens.push_back(*a);
- continue;
- }
+ if (!alreadySecured && !policy.isAuthenticated())
+ throw SecurityPolicyException("Unable to establish security of incoming assertion.");
// Now do profile and core semantic validation to ensure we can use it for SSO.
ssoValidator.validateAssertion(*(*a));
}
catch (exception& ex) {
m_log.warn("detected a problem with assertion: %s", ex.what());
+ if (!ssoStatement)
+ contextualError = ex.what();
badtokens.push_back(*a);
}
}