// And also track "owned" tokens that we decrypt here.
vector<saml2::Assertion*> ownedtokens;
- // Profile validator.
- time_t now = time(NULL);
- string dest = httpRequest.getRequestURL();
- BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str());
-
// With this flag on, we ignore any unsigned assertions.
const EntityDescriptor* entity = NULL;
pair<bool,bool> flag = make_pair(false,false);
flag = application.getRelyingParty(entity)->getBool("signedAssertions");
}
+ time_t now = time(NULL);
+ string dest = httpRequest.getRequestURL();
+
// authnskew allows rejection of SSO if AuthnInstant is too old.
const PropertySet* sessionProps = application.getPropertySet("Sessions");
pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
}
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*(*a));
// Address checking.
auto_ptr<MetadataCredentialCriteria> mcc(
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
- auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getXMLString("entityID").second, mcc.get()));
+ auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
decrypted = dynamic_cast<saml2::Assertion*>(wrapper.get());
if (decrypted) {
wrapper.release();
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*decrypted);
// Address checking.
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
ssoName = dynamic_cast<NameID*>(decryptedID.get());
if (ssoName) {
ownedName = true;