https://issues.shibboleth.net/jira/browse/SSPCPP-383

diff --git a/shibsp/handler/impl/AssertionConsumerService.cpp b/shibsp/handler/impl/AssertionConsumerService.cpp
index d8f0f36..111ef9e 100644 (file)
--- a/shibsp/handler/impl/AssertionConsumerService.cpp
+++ b/shibsp/handler/impl/AssertionConsumerService.cpp
@@ -159,7 +159,6 @@ pair<bool,long> AssertionConsumerService::processMessage(
         );
 
     string relayState;
-    bool relayStateOK = true;
     scoped_ptr<XMLObject> msg;
     try {
         // Decode the message and process it in a protocol-specific way.
@@ -190,15 +189,13 @@ pair<bool,long> AssertionConsumerService::processMessage(
         }
     }
     catch (XMLToolingException& ex) {
-        if (relayStateOK) {
-            // Check for isPassive error condition.
-            const char* sc2 = ex.getProperty("statusCode2");
-            if (sc2 && !strcmp(sc2, "urn:oasis:names:tc:SAML:2.0:status:NoPassive")) {
-                pair<bool,bool> ignore = getBool("ignoreNoPassive", m_configNS.get());  // namespace-qualified if inside handler element
-                if (ignore.first && ignore.second && !relayState.empty()) {
-                    m_log.debug("ignoring SAML status of NoPassive and redirecting to resource...");
-                    return make_pair(true, httpResponse.sendRedirect(relayState.c_str()));
-                }
+        // Check for isPassive error condition.
+        const char* sc2 = ex.getProperty("statusCode2");
+        if (sc2 && !strcmp(sc2, "urn:oasis:names:tc:SAML:2.0:status:NoPassive")) {
+            pair<bool,bool> ignore = getBool("ignoreNoPassive", m_configNS.get());  // namespace-qualified if inside handler element
+            if (ignore.first && ignore.second && !relayState.empty()) {
+                m_log.debug("ignoring SAML status of NoPassive and redirecting to resource...");
+                return make_pair(true, httpResponse.sendRedirect(relayState.c_str()));
             }
         }
         if (!relayState.empty())
@@ -226,8 +223,13 @@ pair<bool,long> AssertionConsumerService::processMessage(
                 m_log.warn("unable to audit event, log event object was of an incorrect type");
             }
         }
-        catch (std::exception& ex) {
-            m_log.warn("exception auditing event: %s", ex.what());
+        catch (std::exception& ex2) {
+            m_log.warn("exception auditing event: %s", ex2.what());
+        }
+
+        // If no sign of annotation, try to annotate it now.
+        if (!ex.getProperty("statusCode")) {
+            annotateException(&ex, policy->getIssuerMetadata(), nullptr, false);    // wait to throw it
         }
 
         throw;

diff --git a/shibsp/handler/impl/SAML1Consumer.cpp b/shibsp/handler/impl/SAML1Consumer.cpp
index 385c906..94469ab 100644 (file)
--- a/shibsp/handler/impl/SAML1Consumer.cpp
+++ b/shibsp/handler/impl/SAML1Consumer.cpp
@@ -146,7 +146,7 @@ void SAML1Consumer::implementProtocol(
     m_log.debug("processing message against SAML 1.x SSO profile");
 
     // Check for errors...this will throw if it's not a successful message.
-    checkError(&xmlObject);
+    checkError(&xmlObject, policy.getIssuerMetadata());
 
     // With the binding aspects now moved out to the MessageDecoder,
     // the focus here is on the assertion content. For SAML 1.x POST,