SAMLResponse* response = NULL;
bool authenticated = false;
+ static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
// Depends on type of artifact.
const SAMLArtifactType0001* type1=dynamic_cast<const SAMLArtifactType0001*>(artifact);
log.warn("skipping binding on unsupported protocol (%s)", prot.get());
continue;
}
- auto_ptr_char loc(ep->getLocation());
try {
response = binding->send(ep->getLocation(),*request,&callCtx);
if (log.isDebugEnabled())
delete response;
throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
}
- authenticated = callCtx.isAuthenticated();
+ authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
}
catch (SAMLException& ex) {
annotateException(&ex,idp); // rethrows it
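Review bot: The literal count `6` on the new `compareNString` call silently duplicates the length of the `https` array declared in the earlier hunk, so the prefix test drifts if that array ever changes; use `XMLString::stringLen(https)` instead, or better a single shared helper, since the same array and compare are repeated in the later artifact-profile and attribute-query hunks (the `authenticated =` and `else if (!ctx.isAuthenticated() || ...)` lines). The reason the scheme test is needed at all is only stated in the transport hunk, where `ctx->setAuthenticated()` is now called after every request regardless of scheme, so this comparison is the only thing keeping an unsigned response fetched over plain http from counting as transport-authenticated; a comment here such as `// transport marks every completed request authenticated (no verify callback on SSL reuse), so also require an https endpoint` would make that dependency visible at the point it matters. The compare is case-sensitive, so an uppercase scheme in the endpoint location is treated as unauthenticated — that fails closed, which is acceptable, but worth stating in the same comment. The enclosing function's body begins and ends outside this hunk.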
delete response;
throw FatalProfileException("No SAML assertions returned in response to artifact profile request.");
}
- authenticated = callCtx.isAuthenticated();
+ authenticated = callCtx.isAuthenticated() && !XMLString::compareNString(ep->getLocation(),https,6);
}
catch (SAMLException& ex) {
annotateException(&ex,idp); // rethrows it
log->warn("skipping binding on unsupported protocol (%s)", prot.get());
continue;
}
+ static const XMLCh https[] = {chLatin_h, chLatin_t, chLatin_t, chLatin_p, chLatin_s, chColon, chNull};
auto_ptr<SAMLResponse> r(binding->send(ep->getLocation(), *(req.get()), &ctx));
if (r->isSigned()) {
if (!t.validate(*r,AA))
throw TrustException("Unable to verify signed response message.");
}
- else if (!ctx.isAuthenticated())
+ else if (!ctx.isAuthenticated() || XMLString::compareNString(ep->getLocation(),https,6))
throw TrustException("Response message was unauthenticated.");
response = r.release();
}
}
// Signal success. Hopefully it doesn't matter what's actually in the structure now.
- ctx->setAuthenticated();
return 1;
}
NULL
);
SSL_CTX_set_verify_depth(reinterpret_cast<SSL_CTX*>(ssl_ctx),reinterpret_cast<int>(userptr));
+
#endif
+ // The best we can do is assume authentication succeeds because when libcurl reuses
+ // SSL connections, no callback is made. Since we always authenticate SSL connections,
+ // the caller should check that the protocol is https.
+ ctx->setAuthenticated();
}
catch (SAMLException& e) {
log.error(string("caught a SAML exception while attaching credentials to request: ") + e.what());
return false;
}
#endif
+
return true;
}