From 888673f2993e649ca103132b299781fa05020688 Mon Sep 17 00:00:00 2001 From: Scott Cantor Date: Fri, 2 Oct 2009 00:44:38 +0000 Subject: [PATCH] https://issues.shibboleth.net/jira/browse/SSPCPP-246 --- adfs/adfs.cpp | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/adfs/adfs.cpp b/adfs/adfs.cpp index 8a10777..fe942dd 100644 --- a/adfs/adfs.cpp +++ b/adfs/adfs.cpp @@ -57,11 +57,9 @@ # include # include # include -# include # include # include # include -# include # include # include # include @@ -621,30 +619,29 @@ void ADFSConsumer::implementProtocol( // Extract message and issuer details from assertion. extractMessageDetails(*token, m_protocol.get(), policy); + // Populate recipient as audience. + const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : NULL; + policy.getAudiences().push_back(application.getRelyingParty(entity)->getXMLString("entityID").second); + // Run the policy over the assertion. Handles replay, freshness, and - // signature verification, assuming the relevant rules are configured. + // signature verification, assuming the relevant rules are configured, + // along with condition enforcement. policy.evaluate(*token, &httpRequest); // If no security is in place now, we kick it. if (!policy.isAuthenticated()) throw SecurityPolicyException("Unable to establish security of incoming assertion."); - time_t now = time(NULL); - - const PropertySet* sessionProps = application.getPropertySet("Sessions"); - const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast(policy.getIssuerMetadata()->getParent()) : NULL; - saml1::NameIdentifier* saml1name=NULL; saml2::NameID* saml2name=NULL; const XMLCh* authMethod=NULL; const XMLCh* authInstant=NULL; - time_t sessionExp = 0; + time_t now = time(NULL), sessionExp = 0; + const PropertySet* sessionProps = application.getPropertySet("Sessions"); const saml1::Assertion* saml1token = dynamic_cast(token); if (saml1token) { - // Now do profile and core semantic validation to ensure we can use it for SSO. - saml1::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now); - ssoValidator.validateAssertion(*saml1token); + // Now do profile validation to ensure we can use it for SSO. if (!saml1token->getConditions() || !saml1token->getConditions()->getNotBefore() || !saml1token->getConditions()->getNotOnOrAfter()) throw FatalProfileException("Assertion did not contain time conditions."); else if (saml1token->getAuthenticationStatements().empty()) @@ -681,9 +678,7 @@ void ADFSConsumer::implementProtocol( if (!saml2token) throw FatalProfileException("Incoming message did not contain a recognized type of SAML assertion."); - // Now do profile and core semantic validation to ensure we can use it for SSO. - saml2::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now); - ssoValidator.validateAssertion(*saml2token); + // Now do profile validation to ensure we can use it for SSO. if (!saml2token->getConditions() || !saml2token->getConditions()->getNotBefore() || !saml2token->getConditions()->getNotOnOrAfter()) throw FatalProfileException("Assertion did not contain time conditions."); else if (saml2token->getAuthnStatements().empty()) -- 2.1.4