using namespace shibboleth;
using namespace shibtarget;
-SAMLBrowserProfile::ArtifactMapper::ArtifactMapperResponse STArtifactMapper::map(const SAMLArtifact* artifact)
+SAMLBrowserProfile::ArtifactMapper::ArtifactMapperResponse STArtifactMapper::map(const SAMLArtifact* artifact, int minorVersion)
{
Category& log=Category::getInstance("shibtarget.ArtifactMapper");
// Depends on type of artifact.
const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
if (type1) {
- // With type 01, any endpoint will do. Try SAML 1.1 first.
- const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
- if (idp) {
- const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
- Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
- while (eps.hasNext()) {
- const IEndpoint* ep=eps.next();
- amr.binding = m_app->getBinding(ep->getBinding());
- if (amr.binding) {
- auto_ptr_char loc(ep->getLocation());
- amr.endpoint = loc.get();
- amr.callCtx = new ShibHTTPHook::ShibHTTPHookCallContext(credUse ? credUse->getString("TLS").second : NULL,idp);
- return amr;
- }
- }
- }
-
- // No compatible 1.1 binding, try 1.0...
- idp=entity->getIDPSSODescriptor(saml::XML::SAML10_PROTOCOL_ENUM);
+ // With type 01, any endpoint will do.
+ const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
+ minorVersion==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
+ );
if (idp) {
const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
else {
const SAMLArtifactType0002* type2=dynamic_cast<const SAMLArtifactType0002*>(artifact);
if (type2) {
- // With type 02, we have to find the matching location. Try SAML 1.1 first.
- const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
- if (idp) {
- const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
- Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
- while (eps.hasNext()) {
- const IEndpoint* ep=eps.next();
- auto_ptr_char loc(ep->getLocation());
- if (!strcmp(loc.get(),type2->getSourceLocation())) {
- amr.binding = m_app->getBinding(ep->getBinding());
- if (amr.binding) {
- amr.endpoint = loc.get();
- amr.callCtx = new ShibHTTPHook::ShibHTTPHookCallContext(credUse ? credUse->getString("TLS").second : NULL,idp);
- return amr;
- }
- }
- }
- }
-
- // No match for 1.1, try 1.0...
- idp=entity->getIDPSSODescriptor(saml::XML::SAML10_PROTOCOL_ENUM);
+ // With type 02, we have to find the matching location.
+ const IIDPSSODescriptor* idp=entity->getIDPSSODescriptor(
+ minorVersion==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
+ );
if (idp) {
const IEndpointManager* mgr=idp->getArtifactResolutionServiceManager();
Iterator<const IEndpoint*> eps=mgr ? mgr->getEndpoints() : EMPTY(const IEndpoint*);
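Review bot: The role lookup at L61-L63 treats every `minorVersion` other than 1 as SAML 1.0, so an out-of-range value (2, or a negative) silently resolves the artifact against 1.0 metadata instead of failing; the same pattern appears in the type-01 branch at L30-L32 and in ShibBrowserProfile::receive at L174-L176 and L183-L185. Since the parameter is a plain `int` and nothing in these hunks validates it, reject anything but 0 or 1 once at the top of `map` (and likewise in `receive`), e.g. `if (minorVersion!=0 && minorVersion!=1) { log.error("unsupported SAML 1.x minor version (%d)", minorVersion); /* take the not-found path */ }`, rather than letting the ternary pick a default. `map`'s signature is in the previous hunk and its body (the endpoint loop and the returns) continues past L66.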
mutable RPCHandlePool* m_rpcpool;
};
- // Helper class for SAML 2.0 Common Domain Cookie operations
- class CommonDomainCookie
- {
- public:
- CommonDomainCookie(const char* cookie);
- ~CommonDomainCookie() {}
- saml::Iterator<std::string> get() {return m_list;}
- const char* set(const char* providerId);
- static const char CDCName[];
- private:
- std::string m_encoded;
- std::vector<std::string> m_list;
- };
-
// Generic class, which handles the IPropertySet configuration interface.
// Most of the basic configuration details are exposed via this interface.
// This implementation extracts the XML tree structure and caches it in a map
: m_app(application), m_localcopy(application->getMetadataProviders()), m_metadata(m_localcopy), m_ctx(NULL) {}
virtual ~STArtifactMapper() {delete m_ctx;}
- saml::SAMLBrowserProfile::ArtifactMapper::ArtifactMapperResponse map(const saml::SAMLArtifact* artifact);
+ saml::SAMLBrowserProfile::ArtifactMapper::ArtifactMapperResponse
+ map(const saml::SAMLArtifact* artifact, int minorVersion);
private:
const IApplication* m_app;
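Review bot: The new `minorVersion` parameter on `map` (L89-L90) is undocumented, and because the implementation resolves the role with `minorVersion==1 ? SAML11_PROTOCOL_ENUM : SAML10_PROTOCOL_ENUM`, a caller cannot tell from the header which values are meaningful. Add above the declaration: `// minorVersion selects the IdP role metadata used to resolve the artifact: 1 -> SAML 1.1, any other value -> SAML 1.0.` The class declaration starts and ends outside the hunk.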
}
// Try to locate an AA role.
+ int minorVersion=1;
const IAttributeAuthorityDescriptor* AA=site->getAttributeAuthorityDescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
if (!AA) {
- log->error("unable to locate metadata for identity provider's Attribute Authority");
- MetadataException ex("Unable to locate metadata for identity provider's Attribute Authority.");
- annotateException(&ex,site);
+ AA=site->getAttributeAuthorityDescriptor(saml::XML::SAML10_PROTOCOL_ENUM);
+ if (!AA) {
+ log->error("unable to locate metadata for identity provider's Attribute Authority");
+ MetadataException ex("Unable to locate metadata for identity provider's Attribute Authority.");
+ annotateException(&ex,site);
+ }
+ minorVersion=0;
}
// Get protocol signing policy.
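Review bot: The inner `if (!AA)` at L102-L106 has no explicit `throw` after `annotateException(&ex,site);`: it depends on annotateException never returning (the `// throws it` comments elsewhere in this commit suggest that is the contract), and if it did return, control would reach `minorVersion=0;` with `AA` still null. Make the fail-closed path explicit and self-documenting with `throw ex;` after the annotateException call (unreachable if the helper already throws, harmless otherwise), or at least `annotateException(&ex,site); // throws`. The enclosing function starts and ends outside the hunk.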
application->getAttributeDesignators().clone()
);
auto_ptr<SAMLRequest> req(new SAMLRequest(q));
+ req->setMinorVersion(minorVersion);
// Sign it? Highly doubtful we'll ever use this, but just for fun...
if (signRequest.first && signRequest.second && signingCred.first) {
map<string,char*> kvp_map;
};
+ // Helper class for SAML 2.0 Common Domain Cookie operations
+ class CommonDomainCookie
+ {
+ public:
+ CommonDomainCookie(const char* cookie);
+ ~CommonDomainCookie() {}
+ saml::Iterator<std::string> get() {return m_list;}
+ const char* set(const char* providerId);
+ static const char CDCName[];
+ private:
+ std::string m_encoded;
+ std::vector<std::string> m_list;
+ };
+
class SessionInitiator : virtual public IHandler
{
public:
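Review bot: `CommonDomainCookie(const char* cookie);` at L122 is a single-argument constructor that is not `explicit`, so any `const char*` converts to a CommonDomainCookie implicitly; since the class is only being relocated from the header removed at L69-L81, this is a cheap moment to write `explicit CommonDomainCookie(const char* cookie);`. `set()` returns a `const char*` (L125) and `get()` returns an Iterator constructed from `m_list` (L124), with nothing saying what they refer to or how long they stay valid; add a comment such as `// NOTE(review): set()'s return and get()'s iterator appear to refer to this object's members; confirm in the .cpp and document how long they stay valid.`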
# End Source File
# Begin Source File
+SOURCE=".\shib-handlers.cpp"
+# End Source File
+# Begin Source File
+
SOURCE=".\shib-ini.cpp"
# End Source File
# Begin Source File
delete m_profile;
}
-void ShibBrowserProfile::setVersion(int major, int minor)
-{
- m_profile->setVersion(major,minor);
-}
-
SAMLBrowserProfile::BrowserProfileResponse ShibBrowserProfile::receive(
const char* packet,
const XMLCh* recipient,
int supportedProfiles,
IReplayCache* replayCache,
- SAMLBrowserProfile::ArtifactMapper* callback
+ SAMLBrowserProfile::ArtifactMapper* callback,
+ int minorVersion
) const
{
#ifdef _DEBUG
// as an exception.
SAMLBrowserProfile::BrowserProfileResponse bpr;
try {
- bpr=m_profile->receive(packet, recipient, supportedProfiles, replayCache, callback);
+ bpr=m_profile->receive(packet, recipient, supportedProfiles, replayCache, callback, minorVersion);
}
catch (SAMLException& e) {
// Try our best to attach additional information.
Metadata m(m_metadatas);
const IEntityDescriptor* provider=m.lookup(e.getProperty("issuer"),false);
if (provider) {
- const IIDPSSODescriptor* role=provider->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
+ const IIDPSSODescriptor* role=provider->getIDPSSODescriptor(
+ minorVersion==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
+ );
if (role) annotateException(&e,role); // throws it
annotateException(&e,provider); // throws it
}
}
// Is this provider an IdP?
- const IIDPSSODescriptor* role=provider->getIDPSSODescriptor(saml::XML::SAML11_PROTOCOL_ENUM);
+ const IIDPSSODescriptor* role=provider->getIDPSSODescriptor(
+ minorVersion==1 ? saml::XML::SAML11_PROTOCOL_ENUM : saml::XML::SAML10_PROTOCOL_ENUM
+ );
if (role) {
// Use this role to evaluate the signature(s). If the response is unsigned, we know
// it was an artifact profile run.
auto_ptr_char issuer(bpr.assertion->getIssuer());
auto_ptr_char nq(bpr.authnStatement->getSubject()->getNameIdentifier()->getNameQualifier());
- log.error("metadata for assertion issuer indicates no SAML 1.x identity provider role (Issuer='%s', NameQualifier='%s'",
- issuer.get(), (nq.get() ? nq.get() : "none"));
+ log.error("metadata for assertion issuer indicates no SAML 1.%d identity provider role (Issuer='%s', NameQualifier='%s'",
+ minorVersion, issuer.get(), (nq.get() ? nq.get() : "none"));
bpr.clear();
MetadataException ex("metadata lookup failed, issuer not registered as SAML 1.x identity provider");
annotateException(&ex,provider,false);
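Review bot: The rewritten format string at L193 closes the quoted NameQualifier value but not the parenthesis opened before `Issuer=`, so the logged line ends with an unbalanced `(`; change it to `... (Issuer='%s', NameQualifier='%s')",`. The argument list at L194 (`minorVersion, issuer.get(), ...`) does match `%d %s %s`, so only the text needs fixing. Now that the log line is version-specific, the MetadataException text at L196 still says `SAML 1.x`; it is a plain literal so leaving it is acceptable, but it is worth a glance for consistency. `receive`'s body continues outside the hunk.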
);
virtual ~ShibBrowserProfile();
- virtual void setVersion(int major, int minor);
virtual saml::SAMLBrowserProfile::BrowserProfileResponse receive(
const char* packet,
const XMLCh* recipient,
int supportedProfiles,
saml::IReplayCache* replayCache=NULL,
- saml::SAMLBrowserProfile::ArtifactMapper* callback=NULL
+ saml::SAMLBrowserProfile::ArtifactMapper* callback=NULL,
+ int minorVersion=1
) const;
private: