Change audience handling and validators to separate out entityID.

[shibboleth/sp.git] / shibsp / handler / impl / SAML1Consumer.cpp

diff --git a/shibsp/handler/impl/SAML1Consumer.cpp b/shibsp/handler/impl/SAML1Consumer.cpp
index 74f13f8..475184c 100644 (file)
--- a/shibsp/handler/impl/SAML1Consumer.cpp
+++ b/shibsp/handler/impl/SAML1Consumer.cpp
@@ -147,10 +147,6 @@ void SAML1Consumer::implementProtocol(
     // This is necessary because there may be valid tokens not aimed at us.
     vector<const opensaml::Assertion*> badtokens;
 
-    // Profile validator.
-    time_t now = time(NULL);
-    BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now);
-
     // With this flag on, we ignore any unsigned assertions.
     const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
     pair<bool,bool> flag = application.getRelyingParty(entity)->getBool("signedAssertions");
@@ -162,6 +158,10 @@ void SAML1Consumer::implementProtocol(
     // Saves off error messages potentially helpful for users.
     string contextualError;
 
+    // Profile validator.
+    time_t now = time(NULL);
+    BrowserSSOProfileValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
+
     for (vector<saml1::Assertion*>::const_iterator a = assertions.begin(); a!=assertions.end(); ++a) {
         try {
             // Skip unsigned assertion?