2 * Copyright 2001-2011 Internet2
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * WAYFSessionInitiator.cpp
20 * Shibboleth WAYF support.
24 #include "Application.h"
25 #include "exceptions.h"
26 #include "SPRequest.h"
27 #include "handler/AbstractHandler.h"
28 #include "handler/SessionInitiator.h"
31 # include <saml/util/SAMLConstants.h>
33 # include "lite/SAMLConstants.h"
37 #include <xmltooling/XMLToolingConfig.h>
38 #include <xmltooling/util/URLEncoder.h>
40 using namespace shibsp;
41 using namespace opensaml;
42 using namespace xmltooling;
47 #if defined (_MSC_VER)
48 #pragma warning( push )
49 #pragma warning( disable : 4250 )
52 class SHIBSP_DLLLOCAL WAYFSessionInitiator : public SessionInitiator, public AbstractHandler
55 WAYFSessionInitiator(const DOMElement* e, const char* appId)
56 : AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".SessionInitiator.WAYF"), nullptr, &m_remapper), m_url(nullptr) {
57 pair<bool,const char*> url = getString("URL");
59 throw ConfigurationException("WAYF SessionInitiator requires a URL property.");
62 virtual ~WAYFSessionInitiator() {}
64 pair<bool,long> run(SPRequest& request, string& entityID, bool isHandler=true) const;
66 const XMLCh* getProtocolFamily() const {
67 return samlconstants::SAML11_PROTOCOL_ENUM;
74 #if defined (_MSC_VER)
75 #pragma warning( pop )
78 SessionInitiator* SHIBSP_DLLLOCAL WAYFSessionInitiatorFactory(const pair<const DOMElement*,const char*>& p)
80 return new WAYFSessionInitiator(p.first, p.second);
85 pair<bool,long> WAYFSessionInitiator::run(SPRequest& request, string& entityID, bool isHandler) const
87 // The IdP CANNOT be specified for us to run. Otherwise, we'd be redirecting to a WAYF
88 // anytime the IdP's metadata was wrong.
89 if (!entityID.empty() || !checkCompatibility(request, isHandler))
90 return make_pair(false,0L);
93 pair<bool,const char*> prop;
94 const Handler* ACS=nullptr;
95 const Application& app=request.getApplication();
96 pair<bool,const char*> discoveryURL = pair<bool,const char*>(true, m_url);
99 prop.second = request.getParameter("acsIndex");
100 if (prop.second && *prop.second) {
101 ACS = app.getAssertionConsumerServiceByIndex(atoi(prop.second));
103 request.log(SPRequest::SPWarn, "invalid acsIndex specified in request, using acsIndex property");
106 prop = getString("target", request);
108 target = prop.second;
110 // Since we're passing the ACS by value, we need to compute the return URL,
111 // so we'll need the target resource for real.
112 recoverRelayState(request.getApplication(), request, request, target, false);
113 limitRelayState(m_log, request.getApplication(), request, target.c_str());
115 prop.second = request.getParameter("discoveryURL");
116 if (prop.second && *prop.second)
117 discoveryURL.second = prop.second;
120 // Check for a hardwired target value in the map or handler.
121 prop = getString("target", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
123 target = prop.second;
125 target = request.getRequestURL();
127 discoveryURL = request.getRequestSettings().first->getString("discoveryURL");
131 // Try fixed index property.
132 pair<bool,unsigned int> index = getUnsignedInt("acsIndex", request, HANDLER_PROPERTY_MAP|HANDLER_PROPERTY_FIXED);
134 ACS = app.getAssertionConsumerServiceByIndex(index.second);
137 // If we picked by index, validate the ACS for use with this protocol.
138 if (!ACS || !XMLString::equals(samlconstants::SAML11_PROTOCOL_ENUM, ACS->getProtocolFamily())) {
140 request.log(SPRequest::SPWarn, "invalid acsIndex property, or non-SAML 1.x ACS, using default SAML 1.x ACS");
141 ACS = app.getAssertionConsumerServiceByProtocol(getProtocolFamily());
143 throw ConfigurationException("Unable to locate a SAML 1.x ACS endpoint to use for response.");
146 if (!discoveryURL.first)
147 discoveryURL.second = m_url;
148 m_log.debug("sending request to WAYF (%s)", discoveryURL.second);
150 // Since we're not passing by index, we need to fully compute the return URL.
151 // Compute the ACS URL. We add the ACS location to the base handlerURL.
152 string ACSloc = request.getHandlerURL(target.c_str());
153 prop = ACS->getString("Location");
155 ACSloc += prop.second;
158 // We may already have RelayState set if we looped back here,
159 // but we've turned it back into a resource by this point, so if there's
160 // a target on the URL, reset to that value.
161 prop.second = request.getParameter("target");
162 if (prop.second && *prop.second)
163 target = prop.second;
166 preserveRelayState(app, request, target);
168 preservePostData(app, request, request, target.c_str());
170 // WAYF requires a target value.
175 sprintf(timebuf,"%lu",time(nullptr));
176 const URLEncoder* urlenc = XMLToolingConfig::getConfig().getURLEncoder();
177 string req=string(discoveryURL.second) + (strchr(discoveryURL.second,'?') ? '&' : '?') + "shire=" + urlenc->encode(ACSloc.c_str()) +
178 "&time=" + timebuf + "&target=" + urlenc->encode(target.c_str()) +
179 "&providerId=" + urlenc->encode(app.getString("entityID").second);
181 return make_pair(true, request.sendRedirect(req.c_str()));