X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=util_saml.cpp;h=0c6475225514c0bc6df51f45c7d043f07bc73e02;hb=refs%2Fheads%2Fddf-name;hp=669458ba1c0545943543ef4f180a20922ff562ff;hpb=9fbf219c8f39f0aceb67ff605025ba84ed5588c6;p=mech_eap.orig

diff --git a/util_saml.cpp b/util_saml.cpp
index 669458b..0c64752 100644
--- a/util_saml.cpp
+++ b/util_saml.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, JANET(UK)
+ * Copyright (c) 2011, JANET(UK)
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,17 +30,26 @@
  * SUCH DAMAGE.
  */
 
+/*
+ * SAML attribute provider implementation.
+ */
+
 #include "gssapiP_eap.h"
 
 #include <sstream>
 
 #include <xercesc/util/XMLUniDefs.hpp>
-#include <xmltooling/XMLToolingConfig.h> 
+#include <xmltooling/unicode.h>
+#include <xmltooling/XMLToolingConfig.h>
 #include <xmltooling/util/XMLHelper.h>
+#include <xmltooling/util/ParserPool.h>
+#include <xmltooling/util/DateTime.h>
 
-#include <saml/saml1/core/Assertions.h> 
+#include <saml/exceptions.h>
+#include <saml/saml1/core/Assertions.h>
 #include <saml/saml2/core/Assertions.h>
 #include <saml/saml2/metadata/Metadata.h>
+#include <saml/saml2/metadata/MetadataProvider.h>
 
 using namespace xmltooling;
 using namespace opensaml::saml2md;
@@ -48,76 +57,100 @@ using namespace opensaml;
 using namespace xercesc;
 using namespace std;
 
-class auto_ptr_gss_buffer {
-    MAKE_NONCOPYABLE(auto_ptr_gss_buffer);
-    public:
-        auto_ptr_gss_buffer() : m_buf(NULL) {
-        }
-        auto_ptr_gss_buffer(const gss_buffer_t src) {
-            m_buf = new XMLCh[src->length + 1];
-            XMLString::transcode((const char *)src->value, m_buf, src->length);
-        }
-        ~auto_ptr_gss_buffer() {
-            xercesc::XMLString::release(&m_buf);
-        }
-        const XMLCh* get() const {
-            return m_buf;
-        }
-        XMLCh* release() {
-            XMLCh *temp = m_buf; m_buf = NULL; return temp;
-        }
-    private:
-        XMLCh *m_buf;
-};
-
 /*
  * gss_eap_saml_assertion_provider is for retrieving the underlying
  * assertion.
  */
-gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(const gss_eap_attr_ctx *
-ctx)
-    : gss_eap_attr_provider(ctx)
+gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(void)
+{
+    m_assertion = NULL;
+    m_authenticated = false;
+}
+
+gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
+{
+    delete m_assertion;
+}
+
+bool
+gss_eap_saml_assertion_provider::initFromExistingContext(const gss_eap_attr_ctx *manager,
+                                                         const gss_eap_attr_provider *ctx)
 {
     /* Then we may be creating from an existing attribute context */
-    gss_eap_saml_assertion_provider *saml;
+    const gss_eap_saml_assertion_provider *saml;
+
+    assert(m_assertion == NULL);
+
+    if (!gss_eap_attr_provider::initFromExistingContext(manager, ctx))
+        return false;
+
+    saml = static_cast<const gss_eap_saml_assertion_provider *>(ctx);
+    setAssertion(saml->getAssertion(), saml->authenticated());
 
-    saml = dynamic_cast<gss_eap_saml_assertion_provider *>
-        (ctx->getProvider(ATTR_TYPE_SAML_ASSERTION));
-    if (saml != NULL)
-        setAssertion(saml->getAssertion());
+    return true;
 }
 
-gss_eap_saml_assertion_provider::gss_eap_saml_assertion_provider(const gss_eap_attr_ctx *ctx,
-                                                                 gss_cred_id_t gssCred,
-                                                                 gss_ctx_id_t gssCtx)
-    : gss_eap_attr_provider(ctx)
+bool
+gss_eap_saml_assertion_provider::initFromGssContext(const gss_eap_attr_ctx *manager,
+                                                    const gss_cred_id_t gssCred,
+                                                    const gss_ctx_id_t gssCtx)
 {
-    gss_eap_radius_attr_provider *radius;
+    const gss_eap_radius_attr_provider *radius;
     gss_buffer_desc value = GSS_C_EMPTY_BUFFER;
-    int authenticated, complete, more = -1;
+    int authenticated, complete;
     OM_uint32 minor;
 
-    radius = dynamic_cast<gss_eap_radius_attr_provider *>
-        (ctx->getProvider(ATTR_TYPE_RADIUS));
+    assert(m_assertion == NULL);
+
+    if (!gss_eap_attr_provider::initFromGssContext(manager, gssCred, gssCtx))
+        return false;
+
+    /*
+     * XXX TODO we need to support draft-howlett-radius-saml-attr-00
+     */
+    radius = static_cast<const gss_eap_radius_attr_provider *>
+        (m_manager->getProvider(ATTR_TYPE_RADIUS));
     if (radius != NULL &&
-        radius->getAttribute(512, &authenticated, &complete,
-                             &value, NULL, &more)) {
-        m_assertion = parseAssertion(&value);
+        radius->getFragmentedAttribute(PW_SAML_AAA_ASSERTION,
+                                       VENDORPEC_UKERNA,
+                                       &authenticated, &complete, &value)) {
+        setAssertion(&value, authenticated);
         gss_release_buffer(&minor, &value);
+    } else {
+        m_assertion = NULL;
     }
+
+    return true;
 }
 
-gss_eap_saml_assertion_provider::~gss_eap_saml_assertion_provider(void)
+void
+gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion,
+                                              bool authenticated)
 {
+
     delete m_assertion;
+
+    if (assertion != NULL) {
+#ifdef __APPLE__
+        m_assertion = (saml2::Assertion *)((void *)assertion->clone());
+#else
+        m_assertion = dynamic_cast<saml2::Assertion *>(assertion->clone());
+#endif
+        m_authenticated = authenticated;
+    } else {
+        m_assertion = NULL;
+        m_authenticated = false;
+    }
 }
 
 void
-gss_eap_saml_assertion_provider::setAssertion(const saml2::Assertion *assertion)
+gss_eap_saml_assertion_provider::setAssertion(const gss_buffer_t buffer,
+                                              bool authenticated)
 {
-
     delete m_assertion;
-    m_assertion = dynamic_cast<saml2::Assertion*>(assertion->clone());
+
+    m_assertion = parseAssertion(buffer);
+    m_authenticated = (m_assertion != NULL && authenticated);
 }
 
 saml2::Assertion *
@@ -128,33 +161,98 @@ gss_eap_saml_assertion_provider::parseAssertion(const gss_buffer_t buffer)
     DOMDocument *doc;
     const XMLObjectBuilder *b;
 
-    doc = XMLToolingConfig::getConfig().getParser().parse(istream);
-    b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+    try {
+        doc = XMLToolingConfig::getConfig().getParser().parse(istream);
+        if (doc == NULL)
+            return NULL;
 
-    return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+        b = XMLObjectBuilder::getBuilder(doc->getDocumentElement());
+
+#ifdef __APPLE__
+        return (saml2::Assertion *)((void *)b->buildFromDocument(doc));
+#else
+        return dynamic_cast<saml2::Assertion *>(b->buildFromDocument(doc));
+#endif
+    } catch (exception &e) {
+        return NULL;
+    }
 }
 
 bool
-gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute, void *data) const
+gss_eap_saml_assertion_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
+                                                   void *data) const
 {
-    return addAttribute(this, GSS_C_NO_BUFFER, data);
+    bool ret;
+
+    /* just add the prefix */
+    if (m_assertion != NULL)
+        ret = addAttribute(this, GSS_C_NO_BUFFER, data);
+    else
+        ret = true;
+
+    return ret;
 }
 
-void
-gss_eap_saml_assertion_provider::setAttribute(int complete,
+bool
+gss_eap_saml_assertion_provider::setAttribute(int complete GSSEAP_UNUSED,
                                               const gss_buffer_t attr,
                                               const gss_buffer_t value)
 {
-    saml2::Assertion *assertion = parseAssertion(value);
+    if (attr == GSS_C_NO_BUFFER || attr->length == 0) {
+        setAssertion(value);
+        return true;
+    }
 
-    m_assertion = assertion;
+    return false;
 }
 
-void
-gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value)
+bool
+gss_eap_saml_assertion_provider::deleteAttribute(const gss_buffer_t value GSSEAP_UNUSED)
 {
     delete m_assertion;
     m_assertion = NULL;
+    m_authenticated = false;
+
+    return true;
+}
+
+time_t
+gss_eap_saml_assertion_provider::getExpiryTime(void) const
+{
+    saml2::Conditions *conditions;
+    time_t expiryTime = 0;
+
+    if (m_assertion == NULL)
+        return 0;
+
+    conditions = m_assertion->getConditions();
+
+    if (conditions != NULL && conditions->getNotOnOrAfter() != NULL)
+        expiryTime = conditions->getNotOnOrAfter()->getEpoch();
+
+    return expiryTime;
+}
+
+OM_uint32
+gss_eap_saml_assertion_provider::mapException(OM_uint32 *minor,
+                                              std::exception &e) const
+{
+    if (typeid(e) == typeid(SecurityPolicyException))
+        *minor = GSSEAP_SAML_SEC_POLICY_FAILURE;
+    else if (typeid(e) == typeid(BindingException))
+        *minor = GSSEAP_SAML_BINDING_FAILURE;
+    else if (typeid(e) == typeid(ProfileException))
+        *minor = GSSEAP_SAML_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(FatalProfileException))
+        *minor = GSSEAP_SAML_FATAL_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(RetryableProfileException))
+        *minor = GSSEAP_SAML_RETRY_PROFILE_FAILURE;
+    else if (typeid(e) == typeid(MetadataException))
+        *minor = GSSEAP_SAML_METADATA_FAILURE;
+    else
+        return GSS_S_CONTINUE_NEEDED;
+
+    return GSS_S_FAILURE;
 }
 
 bool
@@ -162,186 +260,356 @@ gss_eap_saml_assertion_provider::getAttribute(const gss_buffer_t attr,
                                               int *authenticated,
                                               int *complete,
                                               gss_buffer_t value,
-                                              gss_buffer_t display_value,
+                                              gss_buffer_t display_value GSSEAP_UNUSED,
                                               int *more) const
 {
     string str;
 
-    if (attr->length != 0 || m_assertion == NULL)
+    if (attr != GSS_C_NO_BUFFER && attr->length != 0)
         return false;
 
-    if (*more == -1)
-        *more = 0;
+    if (m_assertion == NULL)
+        return false;
+
+    if (*more != -1)
+        return false;
 
-    if (*more == 0) {
-        *authenticated = true;
-        *complete = false;
+    if (authenticated != NULL)
+        *authenticated = m_authenticated;
+    if (complete != NULL)
+        *complete = true;
 
-        XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
+    XMLHelper::serialize(m_assertion->marshall((DOMDocument *)NULL), str);
 
-        duplicateBuffer(str, value);
-    }
+    duplicateBuffer(str, value);
+    *more = 0;
 
     return true;
 }
 
 gss_any_t
 gss_eap_saml_assertion_provider::mapToAny(int authenticated,
-                                          gss_buffer_t type_id) const
+                                          gss_buffer_t type_id GSSEAP_UNUSED) const
 {
+    if (authenticated && !m_authenticated)
+        return (gss_any_t)NULL;
+
     return (gss_any_t)m_assertion;
 }
 
 void
-gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id,
+gss_eap_saml_assertion_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
                                                        gss_any_t input) const
 {
     delete ((saml2::Assertion *)input);
 }
 
-void
-gss_eap_saml_assertion_provider::marshall(gss_buffer_t buffer) const
-{
-    ostringstream sink;
-    string str;
-
-    buffer->length = 0;
-    buffer->value = NULL;
-
-    if (m_assertion == NULL)
-        return;
-
-    sink << *m_assertion;
-    str = sink.str();
-
-    duplicateBuffer(str, buffer);
-}
-
-bool
-gss_eap_saml_assertion_provider::unmarshall(const gss_eap_attr_ctx *ctx,
-                                            const gss_buffer_t buffer)
-{
-    assert(m_assertion == NULL);
-
-    m_assertion = parseAssertion(buffer);
-
-    return (m_assertion != NULL);
-}
-
 bool
 gss_eap_saml_assertion_provider::init(void)
 {
+    gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML_ASSERTION,
+                                       "urn:ietf:params:gss-eap:saml-aaa-assertion",
+                                       createAttrContext);
     return true;
 }
 
 void
 gss_eap_saml_assertion_provider::finalize(void)
 {
+    gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML_ASSERTION);
 }
 
 gss_eap_attr_provider *
-gss_eap_saml_assertion_provider::createAttrContext(const gss_eap_attr_ctx *ctx,
-                                                   gss_cred_id_t gssCred,
-                                                   gss_ctx_id_t gssCtx)
+gss_eap_saml_assertion_provider::createAttrContext(void)
+{
+    return new gss_eap_saml_assertion_provider;
+}
+
+saml2::Assertion *
+gss_eap_saml_assertion_provider::initAssertion(void)
 {
-    return new gss_eap_saml_assertion_provider(ctx, gssCred, gssCtx);
+    delete m_assertion;
+    m_assertion = saml2::AssertionBuilder::buildAssertion();
+    m_authenticated = false;
+
+    return m_assertion;
 }
 
 /*
  * gss_eap_saml_attr_provider is for retrieving the underlying attributes.
  */
-const saml2::Assertion *
-gss_eap_saml_attr_provider::getAssertion(void) const
+bool
+gss_eap_saml_attr_provider::getAssertion(int *authenticated,
+                                         saml2::Assertion **pAssertion,
+                                         bool createIfAbsent) const
 {
     gss_eap_saml_assertion_provider *saml;
-    
-    saml = dynamic_cast<gss_eap_saml_assertion_provider *>(m_source->getProvider(ATTR_TYPE_SAML_ASSERTION));
-    assert(saml != NULL);
 
-    return saml->getAssertion();
-}
+    if (authenticated != NULL)
+        *authenticated = false;
+    if (pAssertion != NULL)
+        *pAssertion = NULL;
 
-gss_eap_saml_attr_provider::gss_eap_saml_attr_provider(const gss_eap_attr_ctx *ctx,
-                                                       gss_cred_id_t gssCred,
-                                                       gss_ctx_id_t gssCtx)
-    : gss_eap_attr_provider(ctx, gssCred, gssCtx)
-{
-    /* Nothing to do, we're just a wrapper around the assertion provider. */
-}
+    saml = static_cast<const gss_eap_saml_assertion_provider *>
+        (m_manager->getProvider(ATTR_TYPE_SAML_ASSERTION));
+    if (saml == NULL)
+        return false;
 
-gss_eap_saml_attr_provider::~gss_eap_saml_attr_provider(void)
-{
-    /* Nothing to do, we're just a wrapper around the assertion provider. */
+    if (authenticated != NULL)
+        *authenticated = saml->authenticated();
+    if (pAssertion != NULL)
+        *pAssertion = saml->getAssertion();
+
+    if (saml->getAssertion() == NULL) {
+        if (createIfAbsent) {
+            if (authenticated != NULL)
+                *authenticated = false;
+            if (pAssertion != NULL)
+                *pAssertion = saml->initAssertion();
+        } else
+            return false;
+    }
+
+    return true;
 }
 
 bool
 gss_eap_saml_attr_provider::getAttributeTypes(gss_eap_attr_enumeration_cb addAttribute,
                                               void *data) const
 {
-    const saml2::Assertion *assertion = getAssertion();
+    saml2::Assertion *assertion;
+    int authenticated;
 
-    if (assertion == NULL)
+    if (!getAssertion(&authenticated, &assertion))
         return true;
 
-    const vector<saml2::Attribute*>& attrs2 =
-        const_cast<const saml2::AttributeStatement*>(assertion->getAttributeStatements().front())->getAttributes();
-    for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
-        a != attrs2.end();
-        ++a)
-    {
-        gss_buffer_desc attribute;
+    /*
+     * Note: the first prefix is added by the attribute provider manager
+     *
+     * From draft-hartman-gss-eap-naming-00:
+     *
+     *   Each attribute carried in the assertion SHOULD also be a GSS name
+     *   attribute.  The name of this attribute has three parts, all separated
+     *   by an ASCII space character.  The first part is
+     *   urn:ietf:params:gss-eap:saml-attr.  The second part is the URI for
+     *   the SAML attribute name format.  The final part is the name of the
+     *   SAML attribute.  If the mechanism performs an additional attribute
+     *   query, the retrieved attributes SHOULD be GSS-API name attributes
+     *   using the same name syntax.
+     */
+    /* For each attribute statement, look for an attribute match */
+    const vector <saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+
+    for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+        s != statements.end();
+        ++s) {
+        const vector<saml2::Attribute*> &attrs =
+            const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
+
+        for (vector<saml2::Attribute*>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+            const XMLCh *attributeName, *attributeNameFormat;
+            XMLCh *qualifiedName;
+            XMLCh space[2] = { ' ', 0 };
+            gss_buffer_desc utf8;
+            bool ret;
+
+            attributeName = (*a)->getName();
+            attributeNameFormat = (*a)->getNameFormat();
+            if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
+                attributeNameFormat = saml2::Attribute::UNSPECIFIED;
+
+            qualifiedName = new XMLCh[XMLString::stringLen(attributeNameFormat) + 1 +
+                                      XMLString::stringLen(attributeName) + 1];
+            XMLString::copyString(qualifiedName, attributeNameFormat);
+            XMLString::catString(qualifiedName, space);
+            XMLString::catString(qualifiedName, attributeName);
+
+            utf8.value = (void *)toUTF8(qualifiedName);
+            utf8.length = strlen((char *)utf8.value);
+
+            ret = addAttribute(this, &utf8, data);
+
+            delete qualifiedName;
+
+            if (!ret)
+                return ret;
+        }
+    }
 
-        attribute.value = (void *)toUTF8((*a)->getName(), true);
-        attribute.length = strlen((char *)attribute.value);
+    return true;
+}
 
-        if (!addAttribute(this, &attribute, data))
-            return false;
+static BaseRefVectorOf<XMLCh> *
+decomposeAttributeName(const gss_buffer_t attr)
+{
+    XMLCh *qualifiedAttr = new XMLCh[attr->length + 1];
+    XMLString::transcode((const char *)attr->value, qualifiedAttr, attr->length);
+
+    BaseRefVectorOf<XMLCh> *components = XMLString::tokenizeString(qualifiedAttr);
+
+    delete qualifiedAttr;
 
-        delete (char *)attribute.value;
+    if (components->size() != 2) {
+        delete components;
+        components = NULL;
     }
 
-    return true;
+    return components;
 }
 
-void
-gss_eap_saml_attr_provider::setAttribute(int complete,
+bool
+gss_eap_saml_attr_provider::setAttribute(int complete GSSEAP_UNUSED,
                                          const gss_buffer_t attr,
                                          const gss_buffer_t value)
 {
+    saml2::Assertion *assertion;
+    saml2::Attribute *attribute;
+    saml2::AttributeValue *attributeValue;
+    saml2::AttributeStatement *attributeStatement;
+
+    if (!getAssertion(NULL, &assertion, true))
+        return false;
+
+    if (assertion->getAttributeStatements().size() != 0) {
+        attributeStatement = assertion->getAttributeStatements().front();
+    } else {
+        attributeStatement = saml2::AttributeStatementBuilder::buildAttributeStatement();
+        assertion->getAttributeStatements().push_back(attributeStatement);
+    }
+
+    /* Check the attribute name consists of name format | whsp | name */
+    BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+    if (components == NULL)
+        return false;
+
+    attribute = saml2::AttributeBuilder::buildAttribute();
+    attribute->setNameFormat(components->elementAt(0));
+    attribute->setName(components->elementAt(1));
+
+    XMLCh *xmlValue = new XMLCh[value->length + 1];
+    XMLString::transcode((const char *)value->value, xmlValue, attr->length);
+
+    attributeValue = saml2::AttributeValueBuilder::buildAttributeValue();
+    attributeValue->setTextContent(xmlValue);
+
+    attribute->getAttributeValues().push_back(attributeValue);
+
+    assert(attributeStatement != NULL);
+    attributeStatement->getAttributes().push_back(attribute);
+
+    delete components;
+    delete xmlValue;
+
+    return true;
 }
 
-void
-gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t value)
+bool
+gss_eap_saml_attr_provider::deleteAttribute(const gss_buffer_t attr)
 {
+    saml2::Assertion *assertion;
+    bool ret = false;
+
+    if (!getAssertion(NULL, &assertion) ||
+        assertion->getAttributeStatements().size() == 0)
+        return false;
+
+    /* Check the attribute name consists of name format | whsp | name */
+    BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+    if (components == NULL)
+        return false;
+
+    /* For each attribute statement, look for an attribute match */
+    const vector<saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+
+    for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+        s != statements.end();
+        ++s) {
+        const vector<saml2::Attribute *> &attrs =
+            const_cast<const saml2::AttributeStatement *>(*s)->getAttributes();
+        ssize_t index = -1, i = 0;
+
+        /* There's got to be an easier way to do this */
+        for (vector<saml2::Attribute *>::const_iterator a = attrs.begin();
+             a != attrs.end();
+             ++a) {
+            if (XMLString::equals((*a)->getNameFormat(), components->elementAt(0)) &&
+                XMLString::equals((*a)->getName(), components->elementAt(1))) {
+                index = i;
+                break;
+            }
+            ++i;
+        }
+        if (index != -1) {
+            (*s)->getAttributes().erase((*s)->getAttributes().begin() + index);
+            ret = true;
+        }
+    }
+
+    delete components;
+
+    return ret;
 }
 
-const saml2::Attribute *
-gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr) const
+bool
+gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
+                                         int *authenticated,
+                                         int *complete,
+                                         const saml2::Attribute **pAttribute) const
 {
-    const saml2::Assertion *assertion = getAssertion();
-    saml2::AttributeStatement *statement;
-
-    if (assertion == NULL)
-        return NULL;
+    saml2::Assertion *assertion;
 
-    if (assertion->getAttributeStatements().size() == 0)
-        return NULL;
+    if (authenticated != NULL)
+        *authenticated = false;
+    if (complete != NULL)
+        *complete = true;
+    *pAttribute = NULL;
 
-    statement = assertion->getAttributeStatements().front();
+    if (!getAssertion(authenticated, &assertion) ||
+        assertion->getAttributeStatements().size() == 0)
+        return false;
 
-    auto_ptr_gss_buffer attrname(attr);
+    /* Check the attribute name consists of name format | whsp | name */
+    BaseRefVectorOf<XMLCh> *components = decomposeAttributeName(attr);
+    if (components == NULL)
+        return false;
 
-    const vector<saml2::Attribute*>& attrs2 =
-        const_cast<const saml2::AttributeStatement*>(statement)->getAttributes();
+    /* For each attribute statement, look for an attribute match */
+    const vector <saml2::AttributeStatement *> &statements =
+        const_cast<const saml2::Assertion *>(assertion)->getAttributeStatements();
+    const saml2::Attribute *ret = NULL;
+
+    for (vector<saml2::AttributeStatement *>::const_iterator s = statements.begin();
+        s != statements.end();
+        ++s) {
+        const vector<saml2::Attribute *> &attrs =
+            const_cast<const saml2::AttributeStatement*>(*s)->getAttributes();
+
+        for (vector<saml2::Attribute *>::const_iterator a = attrs.begin(); a != attrs.end(); ++a) {
+            const XMLCh *attributeName, *attributeNameFormat;
+
+            attributeName = (*a)->getName();
+            attributeNameFormat = (*a)->getNameFormat();
+            if (attributeNameFormat == NULL || attributeNameFormat[0] == '\0')
+                attributeNameFormat = saml2::Attribute::UNSPECIFIED;
+
+            if (XMLString::equals(attributeNameFormat, components->elementAt(0)) &&
+                XMLString::equals(attributeName, components->elementAt(1))) {
+                ret = *a;
+                break;
+            }
+        }
 
-    for (vector<saml2::Attribute*>::const_iterator a = attrs2.begin();
-        a != attrs2.end();
-        ++a) {
-        if (XMLString::equals((*a)->getName(), attrname.get()))
-            return *a;
+        if (ret != NULL)
+            break;
     }
 
-    return NULL;
+    delete components;
+
+    *pAttribute = ret;
+
+    return (ret != NULL);
 }
 
 bool
@@ -358,8 +626,7 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
 
     *more = 0;
 
-    a = getAttribute(attr);
-    if (a == NULL)
+    if (!getAttribute(attr, authenticated, complete, &a))
         return false;
 
     nvalues = a->getAttributeValues().size();
@@ -368,16 +635,21 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
         i = 0;
     else if (i >= nvalues)
         return false;
-    av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i)
-);
-    if (av == NULL)
-        return false;
-
-    *authenticated = TRUE;
-    *complete = FALSE;
-
-    value->value = toUTF8(av->getTextContent(), true);
-    value->length = strlen((char *)value->value);
+#ifdef __APPLE__
+    av = (const saml2::AttributeValue *)((void *)(a->getAttributeValues().at(i)));
+#else
+    av = dynamic_cast<const saml2::AttributeValue *>(a->getAttributeValues().at(i));
+#endif
+    if (av != NULL) {
+        if (value != NULL) {
+            value->value = toUTF8(av->getTextContent(), true);
+            value->length = strlen((char *)value->value);
+        }
+        if (display_value != NULL) {
+            display_value->value = toUTF8(av->getTextContent(), true);
+            display_value->length = strlen((char *)value->value);
+        }
+    }
 
     if (nvalues > ++i)
         *more = i;
@@ -386,48 +658,57 @@ gss_eap_saml_attr_provider::getAttribute(const gss_buffer_t attr,
 }
 
 gss_any_t
-gss_eap_saml_attr_provider::mapToAny(int authenticated,
-                                          gss_buffer_t type_id) const
-{
-    return (gss_any_t)0;
-}
-
-void
-gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id,
-                                                  gss_any_t input) const
+gss_eap_saml_attr_provider::mapToAny(int authenticated GSSEAP_UNUSED,
+                                     gss_buffer_t type_id GSSEAP_UNUSED) const
 {
+    return (gss_any_t)NULL;
 }
 
 void
-gss_eap_saml_attr_provider::marshall(gss_buffer_t buffer) const
+gss_eap_saml_attr_provider::releaseAnyNameMapping(gss_buffer_t type_id GSSEAP_UNUSED,
+                                                  gss_any_t input GSSEAP_UNUSED) const
 {
 }
 
 bool
-gss_eap_saml_attr_provider::unmarshall(const gss_eap_attr_ctx *ctx,
-                                       const gss_buffer_t buffer)
-{
-    return false;
-}
-
-bool
 gss_eap_saml_attr_provider::init(void)
 {
+    gss_eap_attr_ctx::registerProvider(ATTR_TYPE_SAML,
+                                       "urn:ietf:params:gss-eap:saml-attr",
+                                       createAttrContext);
     return true;
 }
 
 void
 gss_eap_saml_attr_provider::finalize(void)
 {
+    gss_eap_attr_ctx::unregisterProvider(ATTR_TYPE_SAML);
 }
 
 gss_eap_attr_provider *
-gss_eap_saml_attr_provider::createAttrContext(const gss_eap_attr_ctx *ctx,
-                                              gss_cred_id_t gssCred,
-                                              gss_ctx_id_t gssCtx)
+gss_eap_saml_attr_provider::createAttrContext(void)
 {
-    if (gssCtx != GSS_C_NO_CONTEXT)
-        return new gss_eap_saml_attr_provider(ctx, gssCred, gssCtx);
-    else
-        return new gss_eap_saml_attr_provider(ctx);
+    return new gss_eap_saml_attr_provider;
+}
+
+OM_uint32
+gssEapSamlAttrProvidersInit(OM_uint32 *minor)
+{
+    if (!gss_eap_saml_assertion_provider::init() ||
+        !gss_eap_saml_attr_provider::init()) {
+        *minor = GSSEAP_SAML_INIT_FAILURE;
+        return GSS_S_FAILURE;
+    }
+
+    return GSS_S_COMPLETE;
+}
+
+OM_uint32
+gssEapSamlAttrProvidersFinalize(OM_uint32 *minor)
+{
+    gss_eap_saml_attr_provider::finalize();
+    gss_eap_saml_assertion_provider::finalize();
+
+    *minor = 0;
+    return GSS_S_COMPLETE;
 }