MetadataProvider::Criteria mc(entityID, &IDPSSODescriptor::ELEMENT_QNAME, m_binding.get());
pair<const EntityDescriptor*,const RoleDescriptor*> entity=m->getEntityDescriptor(mc);
if (!entity.first) {
- m_log.error("unable to locate metadata for provider (%s)", entityID);
+ m_log.warn("unable to locate metadata for provider (%s)", entityID);
throw MetadataException("Unable to locate metadata for identity provider ($entityID)", namedparams(1, "entityID", entityID));
}
else if (!entity.second) {
- m_log.error("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
- return make_pair(false,0L);
+ m_log.warn("unable to locate ADFS-aware identity provider role for provider (%s)", entityID);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate ADFS-aware identity provider role for provider ($entityID)", namedparams(1, "entityID", entityID));
}
const EndpointType* ep = EndpointManager<SingleSignOnService>(
dynamic_cast<const IDPSSODescriptor*>(entity.second)->getSingleSignOnServices()
).getByBinding(m_binding.get());
if (!ep) {
- m_log.error("unable to locate compatible SSO service for provider (%s)", entityID);
- return make_pair(false,0L);
+ m_log.warn("unable to locate compatible SSO service for provider (%s)", entityID);
+ if (getParent())
+ return make_pair(false,0L);
+ throw MetadataException("Unable to locate compatible SSO service for provider ($entityID)", namedparams(1, "entityID", entityID));
}
preserveRelayState(app, httpResponse, relayState);
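Review bot: The three failure branches now diverge: the missing-role case at L12-L13 and the missing-endpoint case at L23-L24 fall through with `make_pair(false,0L)` when `getParent()` is set, but the missing-metadata branch at L6 still throws unconditionally, so a chained initiator can defer on an unsuitable role or binding but not on an unknown entityID. If that asymmetry is intended, a comment on L6 such as `// Unknown entityID is fatal even when chained; no later initiator can resolve it either.` would make it explicit; otherwise add the same `if (getParent()) return make_pair(false,0L);` ahead of the throw. The enclosing function starts and ends outside the hunk.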
if (!policy.isAuthenticated())
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
+ const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
// Now do profile and core semantic validation to ensure we can use it for SSO.
// Profile validator.
time_t now = time(NULL);
- saml1::AssertionValidator ssoValidator(application.getAudiences(), now);
+ saml1::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
ssoValidator.validateAssertion(*token);
if (!token->getConditions() || !token->getConditions()->getNotBefore() || !token->getConditions()->getNotOnOrAfter())
throw FatalProfileException("Assertion did not contain time conditions.");
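Review bot: L36 passes `getXMLString("entityID").second` to the validator without checking `.first`, so a relying party with no entityID property (presumably required by configuration, but nothing here enforces it) hands the validator a null recipient, and whether that disables or fails the recipient check depends on AssertionValidator's handling of NULL, which is not visible here. Bind the pair first and reject explicitly, e.g. `pair<bool,const XMLCh*> rpid = application.getRelyingParty(entity)->getXMLString("entityID");` followed by a throw when `!rpid.first`, before constructing `ssoValidator`. Note also that `entity` from L30 can be NULL when there is no issuer metadata; `getRelyingParty(NULL)` presumably resolves to the default relying party, but that is worth confirming since the recipient used for validation now depends on it. The enclosing function starts and ends outside the hunk.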
// authnskew allows rejection of SSO if AuthnInstant is too old.
const PropertySet* sessionProps = application.getPropertySet("Sessions");
- pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("authnskew") : pair<bool,unsigned int>(false,0);
+ pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
if (authnskew.first && authnskew.second &&
ssoStatement->getAuthenticationInstant() && (now - ssoStatement->getAuthenticationInstantEpoch() > authnskew.second))
}
application.getServiceProvider().getSessionCache()->insert(
- now + lifetime.second,
application,
httpRequest,
httpResponse,
- policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+ now + lifetime.second,
+ entity,
m_protocol.get(),
nameid.get(),
ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL,
}
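Review bot: Renaming the property lookup from `authnskew` to `maxTimeSinceAuthn` at L43 silently disables the AuthnInstant age check for any deployment still configuring `authnskew`, which relaxes SSO acceptance without any runtime signal. A fallback with a deprecation warning, `if (!authnskew.first && sessionProps) authnskew = sessionProps->getUnsignedInt("authnskew");`, or at minimum a logged notice when the old name is present, would avoid that regression. The comment on L40 and the variable name still say `authnskew`; reword the comment to `// maxTimeSinceAuthn allows rejection of SSO if AuthnInstant is too old.` and consider renaming the local to match. The argument reorder in the insert call at L53-L54 presumably tracks a signature change outside this file and cannot be checked from the hunk.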
// Best effort on back channel and to remove the user agent's session.
- string session_id = app.getServiceProvider().getSessionCache()->active(request, app);
+ string session_id = app.getServiceProvider().getSessionCache()->active(app, request);
if (!session_id.empty()) {
vector<string> sessions(1,session_id);
notifyBackChannel(app, request.getRequestURL(), sessions, false);
try {
- app.getServiceProvider().getSessionCache()->remove(request, &request, app);
+ app.getServiceProvider().getSessionCache()->remove(app, request, &request);
}
catch (exception& ex) {
m_log.error("error removing session (%s): %s", session_id.c_str(), ex.what());
if (param)
return make_pair(true, request.sendRedirect(param));
- return sendLogoutPage(app, request, false, "Logout complete.");
+ return sendLogoutPage(app, request, request, false, "Logout complete.");
}