// And also track "owned" tokens that we decrypt here.
vector<saml2::Assertion*> ownedtokens;
- // Profile validator.
+ // With this flag on, we ignore any unsigned assertions.
+ const EntityDescriptor* entity = NULL;
+ pair<bool,bool> flag = make_pair(false,false);
+ if (alreadySecured && policy.getIssuerMetadata()) {
+ entity = dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent());
+ flag = application.getRelyingParty(entity)->getBool("requireSignedAssertions");
+ }
+
time_t now = time(NULL);
string dest = httpRequest.getRequestURL();
- BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str());
-
- // With this flag on, we ignore any unsigned assertions.
- pair<bool,bool> flag = settings->getBool("signedAssertions");
// authnskew allows rejection of SSO if AuthnInstant is too old.
const PropertySet* sessionProps = application.getPropertySet("Sessions");
- pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("authnskew") : pair<bool,unsigned int>(false,0);
+ pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
// Saves off error messages potentially helpful for users.
string contextualError;
if (!alreadySecured && !policy.isAuthenticated())
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
+ // If we hadn't established Issuer yet, redo the signedAssertions check.
+ if (!entity && policy.getIssuerMetadata()) {
+ entity = dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent());
+ flag = application.getRelyingParty(entity)->getBool("requireSignedAssertions");
+ if (!(*a)->getSignature() && flag.first && flag.second)
+ throw SecurityPolicyException("The incoming assertion was unsigned, violating local security policy.");
+ }
+
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*(*a));
// Address checking.
auto_ptr<MetadataCredentialCriteria> mcc(
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
- auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getXMLString("entityID").second, mcc.get()));
+ auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
decrypted = dynamic_cast<saml2::Assertion*>(wrapper.get());
if (decrypted) {
wrapper.release();
ownedtokens.push_back(decrypted);
+ if (m_log.isDebugEnabled())
+ m_log.debugStream() << "decrypted Assertion: " << *decrypted << logging::eol;
}
}
catch (exception& ex) {
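Review bot: When `policy.getIssuerMetadata()` is null at both L7 and L27, `flag` keeps the `make_pair(false,false)` initializer from L6, so `requireSignedAssertions` is never read for an issuer without metadata and the L30 check lets an unsigned assertion through regardless of the default relying party's setting. Whether that path is reachable depends on `policy.isAuthenticated()` at L24 being satisfiable without issuer metadata, which this hunk does not show; a fail-safe default would be to seed the flag from the default relying party, `pair<bool,bool> flag = application.getRelyingParty(NULL)->getBool("requireSignedAssertions");`, which is consistent with the hunk already calling `getRelyingParty(entity)` with a possibly-null `entity` at L36 and L44. Note also that the unsigned-assertion throw at L30-31 runs only in the late-discovery branch; when L7-10 already set `flag`, enforcement presumably relies on an earlier check that is not visible here. The enclosing loop and `try` begin before L1.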
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*decrypted);
// Address checking.
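Review bot: The `BrowserSSOProfileValidator` construction at L56-58 repeats L35-37 verbatim, and `application.getRelyingParty(entity)->getXMLString("entityID").second` is now spelled out four times (L36, L44, L57, L65). Once `entity` is final for the iteration (after the L27-32 block, and at the corresponding point in this encrypted-assertion path), a single `const PropertySet* rp = application.getRelyingParty(entity);` followed by `const XMLCh* entityID = rp->getXMLString("entityID").second;` gives one lookup per iteration and one place to read if the property name or relying-party resolution changes. `PropertySet` is the type L19 already uses for `getPropertySet("Sessions")`, so the declaration needs nothing new in scope.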
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
ssoName = dynamic_cast<NameID*>(decryptedID.get());
if (ssoName) {
ownedName = true;
decryptedID.release();
+ if (m_log.isDebugEnabled())
+ m_log.debugStream() << "decrypted NameID: " << *ssoName << logging::eol;
}
}
catch (exception& ex) {
httpRequest,
httpResponse,
sessionExp,
- policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+ entity,
samlconstants::SAML20P_NS,
ssoName,
ssoStatement->getAuthnInstant() ? ssoStatement->getAuthnInstant()->getRawData() : NULL,