X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=shibsp%2Fhandler%2Fimpl%2FSAML2SessionInitiator.cpp;h=6556f0a48422b2f7c00567053e5699a94fbdbfa0;hb=db3dd0f8110b3daa89123ef9994dc86121a92b31;hp=97ca7cf9756a8e433f248a852e30c2be3bdbe4f0;hpb=01b6226823bfabeecab61d51b62472db1fc3bf5b;p=shibboleth%2Fsp.git
diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp
index 97ca7cf..6556f0a 100644
--- a/shibsp/handler/impl/SAML2SessionInitiator.cpp
+++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp
@@ -250,17 +250,35 @@ pair SAML2SessionInitiator::run(SPRequest& request, const char* entit
 recoverRelayState(request.getApplication(), request, request, target, false);
 }
+ pair flag;
 option = request.getParameter("isPassive");
- isPassive = (option && (*option=='1' || *option=='t'));
+ if (option) {
+ isPassive = (*option=='1' || *option=='t');
+ }
+ else {
+ flag = getBool("isPassive");
+ isPassive = (flag.first && flag.second);
+ }
 if (!isPassive) {
 option = request.getParameter("forceAuthn");
- forceAuthn = (option && (*option=='1' || *option=='t'));
+ if (option) {
+ forceAuthn = (*option=='1' || *option=='t');
+ }
+ else {
+ flag = getBool("forceAuthn");
+ forceAuthn = (flag.first && flag.second);
+ }
 }
- acClass.second = request.getParameter("authnContextClassRef");
- acClass.first = (acClass.second!=NULL);
- acComp.second = request.getParameter("authnContextComparison");
- acComp.first = (acComp.second!=NULL);
+ if (acClass.second = request.getParameter("authnContextClassRef"))
+ acClass.first = true;
+ else
+ acClass = getString("authnContextClassRef");
+
+ if (acComp.second = request.getParameter("authnContextComparison"))
+ acComp.first = true;
+ else
+ acComp = getString("authnContextComparison");
 }
 else {
 // We're running as a "virtual handler" from within the filter.
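Review bot: The assignments inside the two new `if` conditions, `if (acClass.second = request.getParameter("authnContextClassRef"))` and the matching `acComp` test, read as typos for `==` and draw a -Wparentheses warning; `acClass.second = request.getParameter("authnContextClassRef"); if (acClass.second)` keeps the intent visible. The hunk also fixes a precedence rule that is only implicit: a value supplied as a request parameter wins over the handler's configured property, which is consulted only when the parameter is absent. A one-line comment before `pair flag;` such as `// Request parameters take precedence; the handler's own properties are only a fallback.` would record that this is deliberate. run() begins and ends outside the hunk.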
@@ -269,14 +287,22 @@ pair SAML2SessionInitiator::run(SPRequest& request, const char* entit
 const PropertySet* settings = request.getRequestSettings().first;
 pair flag = settings->getBool("isPassive");
+ if (!flag.first)
+ flag = getBool("isPassive");
 isPassive = flag.first && flag.second;
 if (!isPassive) {
 flag = settings->getBool("forceAuthn");
+ if (!flag.first)
+ flag = getBool("forceAuthn");
 forceAuthn = flag.first && flag.second;
 }
 acClass = settings->getString("authnContextClassRef");
+ if (!acClass.first)
+ acClass = getString("authnContextClassRef");
 acComp = settings->getString("authnContextComparison");
+ if (!acComp.first)
+ acComp = getString("authnContextComparison");
 }
 if (ECP)
@@ -466,6 +492,10 @@ pair SAML2SessionInitiator::doRequest(
 const IDPSSODescriptor* role = NULL;
 const EndpointType* ep = NULL;
 const MessageEncoder* encoder = NULL;
+
+ // We won't need this for ECP, but safety dictates we get the lock here.
+ MetadataProvider* m=app.getMetadataProvider();
+ Locker locker(m);
 if (ECP) {
 encoder = m_ecp;
@@ -476,8 +506,6 @@ pair SAML2SessionInitiator::doRequest(
 }
 else {
 // Use metadata to locate the IdP's SSO service.
- MetadataProvider* m=app.getMetadataProvider();
- Locker locker(m);
 MetadataProvider::Criteria mc(entityID, &IDPSSODescriptor::ELEMENT_QNAME, samlconstants::SAML20P_NS);
 entity=m->getEntityDescriptor(mc);
 if (!entity.first) {
@@ -486,7 +514,9 @@ pair SAML2SessionInitiator::doRequest(
 }
 else if (!entity.second) {
 m_log.warn("unable to locate SAML 2.0 identity provider role for provider (%s)", entityID);
- return make_pair(false,0L);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate SAML 2.0 identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
 }
 // Loop over the supportable outgoing bindings.
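Review bot: The four new `if (!x.first) x = get...(...)` fallbacks establish the precedence between request-mapper settings and the handler's own properties purely by statement order, with nothing saying that the order is intentional. A comment before `pair flag = settings->getBool("isPassive");` such as `// Request-mapper settings win; the handler's own properties are consulted only when the setting is absent.` would make the rule explicit for the next reader. The surrounding `else` branch of run() starts before this hunk.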
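Review bot: The comment above the new `Locker locker(m);` understates why the lock moved: after this commit `entity.first`, filled in by `m->getEntityDescriptor(mc)` further down, is dereferenced when the Issuer is built (`app.getRelyingParty(entity.first)` in the last hunk), so the metadata lock must outlive the `else` block rather than being merely a precaution. Rewording it as `// Lock held for the rest of the method: entity.first is dereferenced below when the Issuer is built and is only valid under this lock.` documents the real constraint. The change also widens the lock to cover message encoding on both the ECP and non-ECP paths; presumably acceptable, but it is a behavioural change worth stating in the commit message. doRequest()'s body continues outside the hunk.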
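Review bot: Throwing `MetadataException` here, and in the `!ep || !encoder` case in the next hunk, now feeds `entityID` into the exception's named parameters, so `$entityID` reaches whatever error template renders the exception; on the non-ECP path that identifier presumably comes from the request or a discovery response (not visible here), so it is worth confirming that the template encodes the value for its output, as the SP's other handlers rely on. The preceding `m_log.warn` is retained on both paths, so the no-parent case logs the condition and then throws with the same text; if the exception is logged again at the catch site the event appears twice. If that is unwanted, keep the warn only on the returning path: `if (getParent()) { m_log.warn(...); return make_pair(false,0L); }`. doRequest() continues outside the hunk.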
@@ -502,7 +532,9 @@ pair SAML2SessionInitiator::doRequest(
 }
 if (!ep || !encoder) {
 m_log.warn("unable to locate compatible SSO service for provider (%s)", entityID);
- return make_pair(false,0L);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate compatible SSO service for provider ($entityID)", namedparams(1, "entityID", entityID));
 }
 }
@@ -532,7 +564,7 @@ pair SAML2SessionInitiator::doRequest(
 if (!req->getIssuer()) {
 Issuer* issuer = IssuerBuilder::buildIssuer();
 req->setIssuer(issuer);
- issuer->setName(app.getXMLString("entityID").second);
+ issuer->setName(app.getRelyingParty(entity.first)->getXMLString("entityID").second);
 }
 if (!req->getNameIDPolicy()) {
 NameIDPolicy* namepol = NameIDPolicyBuilder::buildNameIDPolicy();
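Review bot: `app.getRelyingParty(entity.first)` is now evaluated on the ECP path as well, where none of the visible lines assign `entity` (only the metadata branch does), so `entity.first` is presumably still its initial value there; that is only correct if getRelyingParty accepts a null EntityDescriptor and yields the default relying party, which the hunk does not show. A comment on the changed line, `// entity.first is null on the ECP path; getRelyingParty() then resolves to the default relying party.`, would pin down that assumption. As before, the `.second` of `getXMLString("entityID")` goes to setName without a null check, but the lookup is now per relying party, so a relying-party override that lacks entityID deserves a look at whether the property falls back to the application value. The enclosing block of doRequest() continues outside the hunk.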