2 * Licensed to the University Corporation for Advanced Internet
3 * Development, Inc. (UCAID) under one or more contributor license
4 * agreements. See the NOTICE file distributed with this work for
5 * additional information regarding copyright ownership.
7 * UCAID licenses this file to you under the Apache License,
8 * Version 2.0 (the "License"); you may not use this file except
9 * in compliance with the License. You may obtain a copy of the
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
17 * either express or implied. See the License for the specific
18 * language governing permissions and limitations under the License.
22 * BrowserSSOProfile20Validator.cpp
24 * SAML 2.0 Browser SSO Profile Assertion Validator.
28 #include "saml2/core/Assertions.h"
29 #include "saml2/profile/BrowserSSOProfileValidator.h"
31 #include <xmltooling/logging.h>
32 #include <xmltooling/XMLToolingConfig.h>
33 #include <xmltooling/util/NDC.h>
35 using namespace opensaml::saml2;
36 using namespace xmltooling::logging;
37 using namespace xmltooling;
// Builds a validator for the SAML 2.0 Browser SSO profile on top of the generic
// AssertionValidator, which receives the recipient, audiences and timestamp.
//   destination: the value expected in SubjectConfirmationData/@Recipient, i.e.
//                the endpoint the bearer assertion must be addressed to; when
//                null, validateAssertion() skips the recipient comparison.
//   requestID:   ID of the request the assertion must correlate with through
//                SubjectConfirmationData/@InResponseTo; when null (e.g. an
//                unsolicited response), the correlation comparison is skipped.
// NOTE(review): the parameter lines declaring ts and requestID are not visible
// in this excerpt; only their use in the initializer list below is shown.
40 BrowserSSOProfileValidator::BrowserSSOProfileValidator(
41 const XMLCh* recipient,
42 const vector<const XMLCh*>* audiences,
44 const char* destination,
46 ) : AssertionValidator(recipient, audiences, ts), m_destination(destination), m_requestID(requestID)
// Destructor. m_destination and m_requestID are accessed through .get() in
// validateAssertion(), which suggests they are self-releasing wrappers, so no
// explicit cleanup is expected here — the body is not visible in this excerpt.
50 BrowserSSOProfileValidator::~BrowserSSOProfileValidator()
// Looks for a bearer SubjectConfirmation that satisfies the Browser SSO
// profile (recipient, request correlation, expiry), keeps the client address
// the IdP recorded in it, and then hands the assertion to the base
// AssertionValidator for its own checks.
// Throws ValidationException when no bearer confirmation is acceptable. The
// concrete reason is only written to the log; the exception text stays
// generic so nothing about which check failed is exposed to the peer.
54 void BrowserSSOProfileValidator::validateAssertion(const Assertion& assertion) const
// Diagnostic-context tag so log lines from this validation are attributable.
57 xmltooling::NDC ndc("validate");
59 Category& log = Category::getInstance(SAML_LOGCAT".AssertionValidator");
// msg tracks the most recent reason a candidate confirmation was rejected; a
// later candidate overwrites it, so only the last failure reaches the log.
61 // The assertion MUST have proper confirmation requirements.
62 const char* msg="assertion is missing bearer SubjectConfirmation";
63 const Subject* subject = assertion.getSubject();
// NOTE(review): subject is dereferenced on the next line; the guard for an
// assertion without a <Subject> is not visible in this excerpt — confirm it.
65 const vector<SubjectConfirmation*>& confs = subject->getSubjectConfirmations();
// Every confirmation is a candidate, but only the bearer method is examined;
// confirmations using any other method are skipped by this validator.
66 for (vector<SubjectConfirmation*>::const_iterator sc = confs.begin(); sc!=confs.end(); ++sc) {
67 if (XMLString::equals((*sc)->getMethod(), SubjectConfirmation::BEARER)) {
// data is null when the confirmation carries no SubjectConfirmationData (or
// one of an unexpected type); the checks below tolerate that and treat a
// missing value as a mismatch.
68 const SubjectConfirmationDataType* data = dynamic_cast<const SubjectConfirmationDataType*>((*sc)->getSubjectConfirmationData());
// Recipient check: the confirmation must name this service's endpoint, so a
// bearer assertion addressed to a different recipient is not accepted here.
// Only performed when a destination was configured.
70 if (m_destination.get()) {
71 if (!XMLString::equals(m_destination.get(), data ? data->getRecipient() : nullptr)) {
72 msg = "bearer confirmation failed with recipient mismatch";
// Request correlation: InResponseTo must equal the request ID supplied at
// construction. When no request ID is known, the InResponseTo value carried by
// the assertion is not examined at all.
77 if (m_requestID.get()) {
78 if (!XMLString::equals(m_requestID.get(), data ? data->getInResponseTo() : nullptr)) {
79 msg = "bearer confirmation failed with request correlation mismatch";
// Expiry: NotOnOrAfter is mandatory for a bearer confirmation. The comparison
// allows the configured clock skew, i.e. the confirmation is rejected only once
// NotOnOrAfter is at or before (m_ts - clock_skew_secs).
85 if (!data || !data->getNotOnOrAfter()) {
86 msg = "bearer confirmation missing NotOnOrAfter attribute";
89 else if (data->getNotOnOrAfterEpoch() <= m_ts - XMLToolingConfig::getConfig().clock_skew_secs) {
90 msg = "bearer confirmation has expired";
// The address the IdP observed for the subject is converted to a narrow string
// so the caller can compare it with the actual client address via
// getAddress(); the store into m_address is not visible in this excerpt.
95 // Save off client address.
97 auto_ptr_char ip(data->getAddress());
// This confirmation passed every profile check: run the base class's checks on
// the assertion and return; remaining confirmations are not considered.
102 // Pass up for additional checking.
103 return AssertionValidator::validateAssertion(assertion);
// Reached only when no bearer confirmation satisfied all checks. msg starts as
// a literal and is only ever reassigned literals, so the fallback is defensive.
108 log.error(msg ? msg : "no error message");
109 throw ValidationException("Unable to locate satisfiable bearer SubjectConfirmation in assertion.");
// Returns the client address recorded by validateAssertion() from the accepted
// bearer SubjectConfirmationData (presumably empty when none was recorded —
// the assignment to m_address is not visible in this excerpt). The returned
// pointer aliases m_address and is valid only while this validator is alive
// and until the next validateAssertion() call.
112 const char* BrowserSSOProfileValidator::getAddress() const
114 return m_address.c_str();