m_artifactResolver->resolve(artifacts, dynamic_cast<const IDPSSODescriptor&>(*roledesc), policy)
);
- policy.evaluate(*(response.get()), &genericRequest);
+ // The policy should be enforced against the Response by the resolve step.
for_each(artifacts.begin(), artifacts.end(), xmltooling::cleanup<SAMLArtifact>());
return response.release();
const QName& q = message.getElementQName();
policy.setMessageQName(&q);
+
+ if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML1P_NS)) {
+ log.debug("not a SAML 1.x protocol message");
+ return;
+ }
+
try {
const RootObject& samlRoot = dynamic_cast<const RootObject&>(message);
policy.setMessageID(samlRoot.getID());
policy.setIssueInstant(samlRoot.getIssueInstantEpoch());
- if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML1P_NS)) {
- log.warn("not a SAML 1.x protocol message");
- throw BindingException("Message was not a recognized SAML 1.x protocol element.");
- }
-
log.debug("extracting issuer from message");
// Only samlp:Response is known to carry issuer (via payload) in standard SAML 1.x.
m_artifactResolver->resolve(*(artifact2.get()), dynamic_cast<const SSODescriptorType&>(*roledesc), policy)
);
- policy.evaluate(*(response.get()), &genericRequest);
+ // The policy should be enforced against the ArtifactResponse by the resolve step.
// Extract payload and check that message.
XMLObject* payload = response->getPayload();
const QName& q = message.getElementQName();
policy.setMessageQName(&q);
+ if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20P_NS)) {
+ log.debug("not a SAML 2.0 protocol message");
+ return;
+ }
+
try {
- const opensaml::RootObject& samlRoot = dynamic_cast<const opensaml::RootObject&>(message);
+ const saml2::RootObject& samlRoot = dynamic_cast<const saml2::RootObject&>(message);
policy.setMessageID(samlRoot.getID());
policy.setIssueInstant(samlRoot.getIssueInstantEpoch());
- if (!XMLString::equals(q.getNamespaceURI(), samlconstants::SAML20P_NS)) {
- log.warn("not a SAML 2.0 protocol message");
- throw BindingException("Message was not a recognized SAML 2.0 protocol element.");
- }
-
log.debug("extracting issuer from message");
- const saml2::RootObject& saml2Root = dynamic_cast<const saml2::RootObject&>(samlRoot);
- Issuer* issuer = saml2Root.getIssuer();
+ Issuer* issuer = samlRoot.getIssuer();
if (issuer && issuer->getName()) {
auto_ptr<Issuer> copy(issuer->cloneIssuer());
policy.setIssuer(copy.get());
copy.release();
}
- else {
+ else if (XMLString::equals(q.getLocalPart(), Response::LOCAL_NAME)) {
// No issuer in the message, so we have to try the Response approach.
- const vector<Assertion*>& assertions = dynamic_cast<const Response&>(saml2Root).getAssertions();
+ const vector<Assertion*>& assertions = dynamic_cast<const Response&>(samlRoot).getAssertions();
if (!assertions.empty()) {
issuer = assertions.front()->getIssuer();
if (issuer && issuer->getName()) {
vector<Signature*> sigs(1,response->getSignature());\r
response->marshall((DOMDocument*)NULL,&sigs);\r
SchemaValidators.validate(response.get());\r
+ policy.evaluate(*(response.get()), this);\r
return response.release();\r
}\r
\r
sc->setValue(StatusCode::SUCCESS);\r
response->marshall();\r
SchemaValidators.validate(response.get());\r
+ policy.evaluate(*(response.get()), this);\r
return response.release();\r
}\r
};\r