const Application& app=request.getApplication();
if (isHandler) {
+ option=request.getParameter("acsIndex");
+ if (option) {
+ ACS = app.getAssertionConsumerServiceByIndex(atoi(option));
+ if (!ACS)
+ request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using default ACS location");
+ }
+
option = request.getParameter("target");
if (option)
target = option;
}
// Since we're not passing by index, we need to fully compute the return URL.
- // Get all the ADFS endpoints.
- const vector<const Handler*>& handlers = app.getAssertionConsumerServicesByBinding(m_binding.get());
-
- // Index comes from request, or default set in the handler, or we just pick the first endpoint.
- pair<bool,unsigned int> index(false,0);
- if (isHandler) {
- option = request.getParameter("acsIndex");
- if (option)
- index = pair<bool,unsigned int>(true, atoi(option));
- }
- if (!index.first)
- index = getUnsignedInt("defaultACSIndex");
- if (index.first) {
- for (vector<const Handler*>::const_iterator h = handlers.begin(); !ACS && h!=handlers.end(); ++h) {
- if (index.second == (*h)->getUnsignedInt("index").second)
- ACS = *h;
+ if (!ACS) {
+ pair<bool,unsigned int> index = getUnsignedInt("defaultACSIndex");
+ if (index.first) {
+ ACS = app.getAssertionConsumerServiceByIndex(index.second);
+ if (!ACS)
+ request.log(SPRequest::SPWarn, "invalid defaultACSIndex, using default ACS location");
}
+ if (!ACS)
+ ACS = app.getDefaultAssertionConsumerService();
}
- else if (!handlers.empty()) {
- ACS = handlers.front();
+
+ // Validate the ACS for use with this protocol.
+ pair<bool,const XMLCh*> ACSbinding = ACS ? ACS->getXMLString("Binding") : pair<bool,const XMLCh*>(false,NULL);
+ if (ACSbinding.first) {
+ if (!XMLString::equals(ACSbinding.second, m_binding.get())) {
+ m_log.info("configured or requested ACS has non-ADFS binding");
+ return make_pair(false,0L);
+ }
}
- if (!ACS)
- throw ConfigurationException("Unable to locate ADFS response endpoint.");
// Compute the ACS URL. We add the ACS location to the base handlerURL.
string ACSloc=request.getHandlerURL(target.c_str());
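Review bot: The added `acsIndex` handling still parses the request parameter with `atoi(option)`, which cannot report failure: a non-numeric or negative value silently becomes index 0 (or wraps to a large unsigned when converted), so the "invalid acsIndex" warning only fires when the resulting number has no matching handler, not when the parameter itself is malformed. Parse it with an end-pointer check and treat anything that is not a plain decimal as invalid, e.g. `char* end = nullptr; unsigned long idx = strtoul(option, &end, 10);` followed by `if (*option && end && !*end) ACS = app.getAssertionConsumerServiceByIndex(idx); else request.log(SPRequest::SPWarn, "malformed acsIndex specified in request, using default ACS location");`. Note also that the new binding check further down only runs when `ACSbinding.first` is true, so a selected ACS with no Binding attribute is accepted unchecked; if the handler configuration can omit Binding, a comment such as `// ACS without a Binding attribute is assumed compatible` would make that fallthrough explicit, or the check could be tightened. The enclosing function begins and ends outside this hunk.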
throw MetadataException("Unable to locate metadata for identity provider ($entityID)", namedparams(1, "entityID", entityID));
}
else if (!entity.second) {
- m_log.warn("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
+ m_log.log(getParent() ? Priority::INFO : Priority::WARN, "unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
if (getParent())
return make_pair(false,0L);
throw MetadataException("Unable to locate ADFS-aware identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
}
}
+ // Validate the ACS for use with this protocol.
+ if (!ECP) {
+ pair<bool,const char*> ACSbinding = ACS ? ACS->getString("Binding") : pair<bool,const char*>(false,NULL);
+ if (ACSbinding.first) {
+ pair<bool,const char*> compatibleBindings = getString("compatibleBindings");
+ if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
+ m_log.info("configured or requested ACS has non-SAML 2.0 binding");
+ return make_pair(false,0L);
+ }
+ else if (strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_POST) &&
+ strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_ARTIFACT) &&
+ strcmp(ACSbinding.second, samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN)) {
+ m_log.info("configured or requested ACS has non-SAML 2.0 binding");
+ return make_pair(false,0L);
+ }
+ }
+ }
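Review bot: The new `compatibleBindings` check uses `strstr(compatibleBindings.second, ACSbinding.second)`, which is a substring match rather than a token match, so it accepts more than intended: the HTTP-POST binding URI is a prefix of the HTTP-POST-SimpleSign URI, and an empty Binding string matches any list because `strstr(x, "")` is never NULL. The same construct is duplicated in the SAML 1.x hunk ending at the line `+ }` before `string ACSloc` (lines 101 area) and in the WAYF hunk (line 129 area), so the fix applies to all three, and ideally the comparison moves into one shared helper instead of being pasted per protocol. Compare whole whitespace-separated tokens instead, as sketched below (`istringstream` needs `<sstream>` if the file does not already include it). The enclosing function begins and ends outside this hunk.
```cpp
pair<bool,const char*> compatibleBindings = getString("compatibleBindings");
if (compatibleBindings.first) {
    // Match whole tokens, not substrings: the HTTP-POST URI is a prefix of the
    // HTTP-POST-SimpleSign URI, and strstr(x, "") matches anything.
    bool compatible = false;
    string token;
    istringstream tokens(compatibleBindings.second);
    while (!compatible && (tokens >> token))
        compatible = (token == ACSbinding.second);
    if (!compatible) {
        m_log.info("configured or requested ACS has non-SAML 2.0 binding");
        return make_pair(false,0L);
    }
}
// … unchanged: strcmp fallback against the known SAML 2.0 bindings …
```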
+
// To invoke the request builder, the key requirement is to figure out how
// to express the ACS, by index or value, and if by value, where.
// We have to compute the handlerURL no matter what, because we may need to
throw MetadataException("Unable to locate metadata for identity provider ($entityID)", namedparams(1, "entityID", entityID));
}
else if (!entity.second) {
- m_log.warn("unable to locate SAML 2.0 identity provider role for provider (%s)", entityID);
+ m_log.log(getParent() ? Priority::INFO : Priority::WARN, "unable to locate SAML 2.0 identity provider role for provider (%s)", entityID);
if (getParent())
return make_pair(false,0L);
throw MetadataException("Unable to locate SAML 2.0 identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
ACS = app.getDefaultAssertionConsumerService();
}
+ // Validate the ACS for use with this protocol.
+ pair<bool,const char*> ACSbinding = ACS ? ACS->getString("Binding") : pair<bool,const char*>(false,NULL);
+ if (ACSbinding.first) {
+ pair<bool,const char*> compatibleBindings = getString("compatibleBindings");
+ if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
+ m_log.info("configured or requested ACS has non-SAML 1.x binding");
+ return make_pair(false,0L);
+ }
+ else if (strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_POST) &&
+ strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT)) {
+ m_log.info("configured or requested ACS has non-SAML 1.x binding");
+ return make_pair(false,0L);
+ }
+ }
+
// Compute the ACS URL. We add the ACS location to the base handlerURL.
string ACSloc=request.getHandlerURL(target.c_str());
pair<bool,const char*> loc=ACS ? ACS->getString("Location") : pair<bool,const char*>(false,NULL);
throw MetadataException("Unable to locate metadata for identity provider ($entityID)", namedparams(1, "entityID", entityID));
}
else if (!entity.second) {
- m_log.warn("unable to locate Shibboleth-aware identity provider role for provider (%s)", entityID);
+ m_log.log(getParent() ? Priority::INFO : Priority::WARN, "unable to locate Shibboleth-aware identity provider role for provider (%s)", entityID);
if (getParent())
return make_pair(false,0L);
throw MetadataException("Unable to locate Shibboleth-aware identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
ACS = app.getDefaultAssertionConsumerService();
}
+ // Validate the ACS for use with this protocol.
+ pair<bool,const char*> ACSbinding = ACS ? ACS->getString("Binding") : pair<bool,const char*>(false,NULL);
+ if (ACSbinding.first) {
+ pair<bool,const char*> compatibleBindings = getString("compatibleBindings");
+ if (compatibleBindings.first && strstr(compatibleBindings.second, ACSbinding.second) == NULL) {
+ m_log.info("configured or requested ACS has non-SAML 1.x binding");
+ return make_pair(false,0L);
+ }
+ else if (strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_POST) &&
+ strcmp(ACSbinding.second, samlconstants::SAML1_PROFILE_BROWSER_ARTIFACT)) {
+ m_log.info("configured or requested ACS has non-SAML 1.x binding");
+ return make_pair(false,0L);
+ }
+ }
+
m_log.debug("sending request to WAYF (%s)", m_url);
// Compute the ACS URL. We add the ACS location to the base handlerURL.