X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=shibsp%2Fhandler%2Fimpl%2FSAML2SessionInitiator.cpp;h=9906907903ee312ff05138e8ec0ce752264dc6d0;hb=3a10103a9aeae36d33ae20be43a12fd4dd16466a;hp=644772c6e0b09fa5939291513f9a64dfdc018517;hpb=ecf9d4c0f9a11418d530d90ee0be6ff903845ca5;p=shibboleth%2Fcpp-sp.git diff --git a/shibsp/handler/impl/SAML2SessionInitiator.cpp b/shibsp/handler/impl/SAML2SessionInitiator.cpp index 644772c..9906907 100644 --- a/shibsp/handler/impl/SAML2SessionInitiator.cpp +++ b/shibsp/handler/impl/SAML2SessionInitiator.cpp @@ -331,10 +331,13 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID, // To invoke the request builder, the key requirement is to figure out how // to express the ACS, by index or value, and if by value, where. - + // We have to compute the handlerURL no matter what, because we may need to + // flip the index to an SSL-version. + string ACSloc=request.getHandlerURL(target.c_str()); + SPConfig& conf = SPConfig::getConfig(); if (conf.isEnabled(SPConfig::OutOfProcess)) { - if (!acsByIndex.first || acsByIndex.second) { + if (!acsByIndex.first || acsByIndex.second) { // Pass by Index. if (isHandler) { // We may already have RelayState set if we looped back here, @@ -344,9 +347,23 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID, if (option) target = option; } + + // Determine index to use. + pair ix = pair(false,NULL); + if (ACS) { + if (!strncmp(ACSloc.c_str(), "https", 5)) { + ix = ACS->getXMLString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS); + if (!ix.first) + ix = ACS->getXMLString("index"); + } + else { + ix = ACS->getXMLString("index"); + } + } + return doRequest( app, request, entityID.c_str(), - ACS ? ACS->getXMLString("index").second : NULL, NULL, NULL, + ix.second, NULL, NULL, isPassive, forceAuthn, acClass.first ? acClass.second : NULL, acComp.first ? acComp.second : NULL, @@ -356,7 +373,6 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID, // Since we're not passing by index, we need to fully compute the return URL and binding. // Compute the ACS URL. We add the ACS location to the base handlerURL. - string ACSloc=request.getHandlerURL(target.c_str()); pair loc=ACS ? ACS->getString("Location") : pair(false,NULL); if (loc.first) ACSloc+=loc.second; @@ -394,13 +410,23 @@ pair SAML2SessionInitiator::run(SPRequest& request, string& entityID, if (acComp.first) in.addmember("authnContextComparison").string(acComp.second); if (!acsByIndex.first || acsByIndex.second) { - if (ACS) - in.addmember("acsIndex").string(ACS->getString("index").second); + if (ACS) { + // Determine index to use. + pair ix = pair(false,NULL); + if (!strncmp(ACSloc.c_str(), "https", 5)) { + ix = ACS->getString("sslIndex", shibspconstants::ASCII_SHIB2SPCONFIG_NS); + if (!ix.first) + ix = ACS->getString("index"); + } + else { + ix = ACS->getString("index"); + } + in.addmember("acsIndex").string(ix.second); + } } else { // Since we're not passing by index, we need to fully compute the return URL and binding. // Compute the ACS URL. We add the ACS location to the base handlerURL. - string ACSloc=request.getHandlerURL(target.c_str()); pair loc=ACS ? ACS->getString("Location") : pair(false,NULL); if (loc.first) ACSloc+=loc.second; in.addmember("acsLocation").string(ACSloc.c_str());