if (!policy.isAuthenticated())
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
+ const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
// Now do profile and core semantic validation to ensure we can use it for SSO.
// Profile validator.
time_t now = time(NULL);
- saml1::AssertionValidator ssoValidator(application.getAudiences(), now);
+ saml1::AssertionValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
ssoValidator.validateAssertion(*token);
if (!token->getConditions() || !token->getConditions()->getNotBefore() || !token->getConditions()->getNotOnOrAfter())
throw FatalProfileException("Assertion did not contain time conditions.");
httpRequest,
httpResponse,
now + lifetime.second,
- policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL,
+ entity,
m_protocol.get(),
nameid.get(),
ssoStatement->getAuthenticationInstant() ? ssoStatement->getAuthenticationInstant()->getRawData() : NULL,
<sequence/>\r
<attribute name="Name" type="conf:string" use="required"/>\r
<attributeGroup ref="conf:RelyingPartyGroup"/>\r
+ <attribute name="entityID" type="anyURI"/>\r
<anyAttribute namespace="##other" processContents="lax"/>\r
</complexType>\r
</element>\r
virtual const PropertySet* getRelyingParty(const opensaml::saml2md::EntityDescriptor* provider) const=0;
/**
- * Returns the set of audience values associated with this Application.
+ * Returns any additional audience values associated with this Application.
*
- * @return set of audience values associated with the Application
+ * @return additional audience values associated with the Application, or NULL
*/
- virtual const std::vector<const XMLCh*>& getAudiences() const=0;
+ virtual const std::vector<const XMLCh*>* getAudiences() const=0;
#endif
/**
}
const Application& application = ctx.getApplication();
+ const PropertySet* relyingParty = application.getRelyingParty(ctx.getEntityDescriptor());
shibsp::SecurityPolicy policy(application);
MetadataCredentialCriteria mcc(*AA);
shibsp::SOAPClient soaper(policy);
if (!XMLString::equals((*ep)->getBinding(),binding.get()))
continue;
auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(application.getString("entityID").second);
NameIdentifier* nameid = NameIdentifierBuilder::buildNameIdentifier();
nameid->setName(ctx.getNameID()->getName());
nameid->setFormat(ctx.getNameID()->getFormat());
subject->setNameIdentifier(nameid);
saml1p::AttributeQuery* query = saml1p::AttributeQueryBuilder::buildAttributeQuery();
query->setSubject(subject);
- query->setResource(issuer.get());
+ query->setResource(relyingParty->getXMLString("entityID").second);
for (vector<AttributeDesignator*>::const_iterator ad = m_SAML1Designators.begin(); ad!=m_SAML1Designators.end(); ++ad)
query->getAttributeDesignators().push_back((*ad)->cloneAttributeDesignator());
Request* request = RequestBuilder::buildRequest();
auto_ptr<saml1p::Response> wrapper(response);
saml1::Assertion* newtoken = assertions.front();
- pair<bool,bool> signedAssertions = application.getRelyingParty(ctx.getEntityDescriptor())->getBool("signedAssertions");
+ pair<bool,bool> signedAssertions = relyingParty->getBool("signedAssertions");
if (!newtoken->getSignature() && signedAssertions.first && signedAssertions.second) {
m_log.error("assertion unsigned, rejecting it based on signedAssertions policy");
return true;
throw SecurityPolicyException("Security of SAML 1.x query result not established.");
// Lastly, check it over.
- saml1::AssertionValidator tokval(application.getAudiences(), time(NULL));
+ saml1::AssertionValidator tokval(relyingParty->getXMLString("entityID").second, application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
if (!XMLString::equals((*ep)->getBinding(),binding.get()))
continue;
auto_ptr_char loc((*ep)->getLocation());
- auto_ptr_XMLCh issuer(application.getString("entityID").second);
-
auto_ptr<saml2::Subject> subject(saml2::SubjectBuilder::buildSubject());
// Encrypt the NameID?
saml2p::AttributeQuery* query = saml2p::AttributeQueryBuilder::buildAttributeQuery();
query->setSubject(subject.release());
Issuer* iss = IssuerBuilder::buildIssuer();
- iss->setName(issuer.get());
+ iss->setName(relyingParty->getXMLString("entityID").second);
query->setIssuer(iss);
for (vector<saml2::Attribute*>::const_iterator ad = m_SAML2Designators.begin(); ad!=m_SAML2Designators.end(); ++ad)
query->getAttributes().push_back((*ad)->cloneAttribute());
throw SecurityPolicyException("Security of SAML 2.0 query result not established.");
// Lastly, check it over.
- saml2::AssertionValidator tokval(application.getAudiences(), time(NULL));
+ saml2::AssertionValidator tokval(relyingParty->getXMLString("entityID").second, application.getAudiences(), time(NULL));
tokval.validateAssertion(*newtoken);
}
catch (exception& ex) {
ArtifactResolve* request = ArtifactResolveBuilder::buildArtifactResolve();
Issuer* iss = IssuerBuilder::buildIssuer();
request->setIssuer(iss);
- iss->setName(sppolicy.getApplication().getXMLString("entityID").second);
+ iss->setName(sppolicy.getApplication().getRelyingParty(dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent()))->getXMLString("entityID").second);
auto_ptr_XMLCh artbuf(artifact.encode().c_str());
Artifact* a = ArtifactBuilder::buildArtifact();
a->setArtifact(artbuf.get());
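Review bot: L101 folds the parent lookup, the dynamic_cast and the property fetch into a single expression, whereas the rest of the commit names the intermediate first (L3, L249, L371, L392); a local `const EntityDescriptor* entity = dynamic_cast<EntityDescriptor*>(ssoDescriptor.getParent());` above the call keeps the same behaviour and makes a NULL cast result visible to a reader. L354, L365 and L423 have the same shape. The enclosing function starts and ends outside the hunk.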
void receive(DDF& in, ostream& out);
private:
- pair<bool,long> processMessage(const Application& application, const char* handlerURL, HTTPResponse& httpResponse) const;
+ pair<bool,long> processMessage(
+ const Application& application,
+ const char* handlerURL,
+ const char* entityID,
+ HTTPResponse& httpResponse
+ ) const;
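Review bot: The new `entityID` parameter of processMessage (L111) is undocumented, and the same applies to the `recipient` parameter added to samlError at L243. Both select which RelyingParty property set the handler answers as, so a Doxygen line on each would help callers: `@param entityID requested relying-party entityID from the query string, or NULL for the Application default` and `@param recipient metadata of the requesting party used to select RelyingParty settings, or NULL`. The class declaration continues outside the hunk.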
set<string> m_acl;
#ifndef SHIBSP_LITE
short m_http,m_https;
vector<string> m_bases;
- const char* m_mime;
#endif
};
MetadataGenerator::MetadataGenerator(const DOMElement* e, const char* appId)
: AbstractHandler(e, Category::getInstance(SHIBSP_LOGCAT".MetadataGenerator"), &g_Blocker)
#ifndef SHIBSP_LITE
- ,m_https(0), m_http(0), m_mime(NULL)
+ ,m_https(0), m_http(0)
#endif
{
string address(appId);
if (flag.first)
m_https = flag.second ? 1 : -1;
- pair<bool,const char*> mime = getString("mimeType");
- if (mime.first)
- m_mime = mime.second;
-
e = XMLHelper::getFirstChildElement(e, EndpointBase);
while (e) {
if (e->hasChildNodes()) {
try {
if (conf.isEnabled(SPConfig::OutOfProcess)) {
// When out of process, we run natively and directly process the message.
- return processMessage(request.getApplication(), request.getHandlerURL(), request);
+ return processMessage(request.getApplication(), request.getHandlerURL(), request.getParameter("entityID"), request);
}
else {
// When not out of process, we remote all the message processing.
DDF out,in = DDF(m_address.c_str());
in.addmember("application_id").string(request.getApplication().getId());
in.addmember("handler_url").string(request.getHandlerURL());
+ if (request.getParameter("entityID"))
+ in.addmember("entity_id").string(request.getParameter("entityID"));
DDFJanitor jin(in), jout(out);
out=request.getServiceProvider().getListenerService()->send(in);
// Since we're remoted, the result should either be a throw, a false/0 return,
// which we just return as an empty structure, or a response/redirect,
// which we capture in the facade and send back.
- processMessage(*app, hurl, *resp.get());
+ processMessage(*app, hurl, in["entity_id"].string(), *resp.get());
out << ret;
}
-pair<bool,long> MetadataGenerator::processMessage(const Application& application, const char* handlerURL, HTTPResponse& httpResponse) const
+pair<bool,long> MetadataGenerator::processMessage(
+ const Application& application, const char* handlerURL, const char* entityID, HTTPResponse& httpResponse
+ ) const
{
#ifndef SHIBSP_LITE
m_log.debug("processing metadata request");
+ const PropertySet* relyingParty=NULL;
+ if (entityID) {
+ MetadataProvider* m=application.getMetadataProvider();
+ Locker locker(m);
+ MetadataProvider::Criteria mc(entityID);
+ relyingParty = application.getRelyingParty(m->getEntityDescriptor(mc).first);
+ }
+ else {
+ relyingParty = application.getRelyingParty(NULL);
+ }
+
EntityDescriptor* entity;
pair<bool,const char*> prop = getString("template");
if (prop.first) {
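Review bot: The relying-party lookup at L168-L173 takes `entityID` verbatim from the unauthenticated query string (L142) and, when no EntityDescriptor matches, falls back silently to the default set via `getRelyingParty(NULL)` semantics at L172, so an unknown or mistyped value is indistinguishable from the default and nothing is logged; a `m_log.debug("no metadata for entityID (%s), using default relying party", entityID);` in the miss case would make that visible. Also `relyingParty` is obtained from an EntityDescriptor inside the `Locker locker(m)` scope (L170) and dereferenced after the lock is released (L192, L198); that is only safe if the PropertySet is owned by the Application's configuration rather than by the metadata, which the hunk does not show, so a comment stating that ownership would be worth adding. The Status handler at L447-L453 follows the same pattern. The body of processMessage continues past the hunk.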
DOMDocument* doc=XMLToolingConfig::getConfig().getParser().parse(dsrc);
XercesJanitor<DOMDocument> docjan(doc);
auto_ptr<XMLObject> xmlobj(XMLObjectBuilder::buildOneFromElement(doc->getDocumentElement(), true));
+ docjan.release();
entity = dynamic_cast<EntityDescriptor*>(xmlobj.get());
if (!entity)
throw ConfigurationException("Template file ($1) did not contain an EntityDescriptor", params(1, prop.second));
pair<bool,unsigned int> cache = getUnsignedInt("cacheDuration");
if (cache.first)
entity->setValidUntil(time(NULL) + cache.second);
- entity->setEntityID(application.getXMLString("entityID").second);
+ entity->setEntityID(relyingParty->getXMLString("entityID").second);
SPSSODescriptor* role;
if (entity->getSPSSODescriptors().empty()) {
}
// Policy flags.
- prop = application.getRelyingParty(NULL)->getString("signing");
+ prop = relyingParty->getString("signing");
if (prop.first && (!strcmp(prop.second,"true") || !strcmp(prop.second,"front")))
role->AuthnRequestsSigned(true);
- pair<bool,bool> flagprop = application.getRelyingParty(NULL)->getBool("signedAssertions");
+ pair<bool,bool> flagprop = relyingParty->getBool("signedAssertions");
if (flagprop.first && flagprop.second)
role->WantAssertionsSigned(true);
if (credResolver) {
Locker credLocker(credResolver);
CredentialCriteria cc;
+ prop = relyingParty->getString("keyName");
+ if (prop.first)
+ cc.getKeyNames().insert(prop.second);
cc.setUsage(Credential::SIGNING_CREDENTIAL);
vector<const Credential*> creds;
credResolver->resolve(creds,&cc);
XMLHelper::serialize(entity->marshall(), s, true);
}
- httpResponse.setContentType(m_mime ? m_mime : "application/samlmetadata+xml");
+ prop = getString("mimeType");
+ httpResponse.setContentType(prop.first ? prop.second : "application/samlmetadata+xml");
return make_pair(true, httpResponse.sendResponse(s));
#else
return make_pair(false,0L);
// This is necessary because there may be valid tokens not aimed at us.
vector<const opensaml::Assertion*> badtokens;
- // Profile validator.
- time_t now = time(NULL);
- BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now);
-
// With this flag on, we ignore any unsigned assertions.
const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<const EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
pair<bool,bool> flag = application.getRelyingParty(entity)->getBool("signedAssertions");
// Saves off error messages potentially helpful for users.
string contextualError;
+ // Profile validator.
+ time_t now = time(NULL);
+ BrowserSSOProfileValidator ssoValidator(application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now);
+
for (vector<saml1::Assertion*>::const_iterator a = assertions.begin(); a!=assertions.end(); ++a) {
try {
// Skip unsigned assertion?
const Application& app,
const ArtifactResolve& request,
HTTPResponse& httpResponse,
+ const EntityDescriptor* recipient,
const XMLCh* code,
const XMLCh* subcode=NULL,
const char* msg=NULL
if (!req)
throw FatalProfileException("Decoded message was not a samlp::ArtifactResolve request.");
+ const EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
try {
auto_ptr_char artifact(req->getArtifact() ? req->getArtifact()->getArtifact() : NULL);
if (!artifact.get() || !*artifact.get())
- return samlError(application, *req, httpResponse, StatusCode::REQUESTER, NULL, "Request did not contain an artifact to resolve.");
+ return samlError(application, *req, httpResponse, entity, StatusCode::REQUESTER, NULL, "Request did not contain an artifact to resolve.");
auto_ptr_char issuer(policy.getIssuer() ? policy.getIssuer()->getName() : NULL);
m_log.info("resolving artifact (%s) for (%s)", artifact.get(), issuer.get() ? issuer.get() : "unknown");
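Review bot: `entity` at L249 is derived from policy.getIssuerMetadata() before policy.isAuthenticated() is checked at L258, so the Issuer asserted in an unauthenticated ArtifactResolve already selects which RelyingParty settings, and hence which entityID via getRelyingParty(recipient) inside samlError, the error response is issued under (L255, L261). The impact appears limited to choosing among configured overrides, but a comment at L249 such as `// issuer metadata is not yet authenticated here; it only selects RelyingParty overrides used to name ourselves` would stop a later reader treating `entity` as a verified peer. The function body continues outside the hunk.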
if (!policy.isAuthenticated()) {
m_log.error("request for artifact was unauthenticated, purging the artifact mapping");
- return samlError(application, *req, httpResponse, StatusCode::REQUESTER, StatusCode::AUTHN_FAILED, "Unable to authenticate request.");
+ return samlError(application, *req, httpResponse, entity, StatusCode::REQUESTER, StatusCode::AUTHN_FAILED, "Unable to authenticate request.");
}
m_log.debug("artifact resolved, preparing response");
auto_ptr<ArtifactResponse> resp(ArtifactResponseBuilder::buildArtifactResponse());
resp->setInResponseTo(req->getID());
Issuer* me = IssuerBuilder::buildIssuer();
- me->setName(application.getXMLString("entityID").second);
+ me->setName(application.getRelyingParty(entity)->getXMLString("entityID").second);
resp->setPayload(payload.release());
long ret = sendMessage(
catch (exception& ex) {
// Trap localized errors in a SAML Response.
m_log.error("error processing artifact request, returning SAML error: %s", ex.what());
- return samlError(application, *req, httpResponse, StatusCode::RESPONDER, NULL, ex.what());
+ return samlError(application, *req, httpResponse, entity, StatusCode::RESPONDER, NULL, ex.what());
}
#else
return make_pair(false,0L);
#ifndef SHIBSP_LITE
pair<bool,long> SAML2ArtifactResolution::samlError(
- const Application& app, const ArtifactResolve& request, HTTPResponse& httpResponse, const XMLCh* code, const XMLCh* subcode, const char* msg
+ const Application& app,
+ const ArtifactResolve& request,
+ HTTPResponse& httpResponse,
+ const EntityDescriptor* recipient,
+ const XMLCh* code,
+ const XMLCh* subcode,
+ const char* msg
) const
{
auto_ptr<ArtifactResponse> resp(ArtifactResponseBuilder::buildArtifactResponse());
resp->setInResponseTo(request.getID());
Issuer* me = IssuerBuilder::buildIssuer();
- me->setName(app.getXMLString("entityID").second);
+ me->setName(app.getRelyingParty(recipient)->getXMLString("entityID").second);
fillStatus(*resp.get(), code, subcode, msg);
long ret = m_encoder->encode(httpResponse, resp.get(), NULL);
resp.release(); // freed by encoder
// And also track "owned" tokens that we decrypt here.
vector<saml2::Assertion*> ownedtokens;
- // Profile validator.
- time_t now = time(NULL);
- string dest = httpRequest.getRequestURL();
- BrowserSSOProfileValidator ssoValidator(application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str());
-
// With this flag on, we ignore any unsigned assertions.
const EntityDescriptor* entity = NULL;
pair<bool,bool> flag = make_pair(false,false);
flag = application.getRelyingParty(entity)->getBool("signedAssertions");
}
+ time_t now = time(NULL);
+ string dest = httpRequest.getRequestURL();
+
// authnskew allows rejection of SSO if AuthnInstant is too old.
const PropertySet* sessionProps = application.getPropertySet("Sessions");
pair<bool,unsigned int> authnskew = sessionProps ? sessionProps->getUnsignedInt("maxTimeSinceAuthn") : pair<bool,unsigned int>(false,0);
}
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*(*a));
// Address checking.
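Review bot: The destination argument at L320 is `dest.substr(0,dest.find('?')).c_str()`, a pointer into a temporary std::string that is destroyed at the end of the constructor call, before validateAssertion runs at L322; if BrowserSSOProfileValidator keeps the `const char*` rather than copying it, the pointer dangles (the removed L304 had the same shape, so this is inherited rather than new). Computing it once next to `dest` at L312, `string destination = dest.substr(0, dest.find('?'));`, and passing `destination.c_str()` at L320 and L335 removes the question and the duplicated expression. The enclosing loop body starts outside the hunk.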
auto_ptr<MetadataCredentialCriteria> mcc(
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
- auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getXMLString("entityID").second, mcc.get()));
+ auto_ptr<XMLObject> wrapper((*ea)->decrypt(*cr, application.getRelyingParty(entity)->getXMLString("entityID").second, mcc.get()));
decrypted = dynamic_cast<saml2::Assertion*>(wrapper.get());
if (decrypted) {
wrapper.release();
throw SecurityPolicyException("Unable to establish security of incoming assertion.");
// Now do profile and core semantic validation to ensure we can use it for SSO.
+ BrowserSSOProfileValidator ssoValidator(
+ application.getRelyingParty(entity)->getXMLString("entityID").second, application.getAudiences(), now, dest.substr(0,dest.find('?')).c_str()
+ );
ssoValidator.validateAssertion(*decrypted);
// Address checking.
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
ssoName = dynamic_cast<NameID*>(decryptedID.get());
if (ssoName) {
ownedName = true;
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(
+ encname->decrypt(
+ *cr,
+ application.getRelyingParty(policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL)->getXMLString("entityID").second,
+ mcc.get()
+ )
+ );
nameid = dynamic_cast<NameID*>(decryptedID.get());
if (nameid) {
ownedName = true;
}
Issuer* issuer = IssuerBuilder::buildIssuer();
logout->setIssuer(issuer);
- issuer->setName(application.getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
fillStatus(*logout.get(), code, subcode, msg);
auto_ptr_char dest(logout->getDestination());
const Application& application, const Session& session, const RoleDescriptor& role, const MessageEncoder* encoder
) const
{
+ const PropertySet* relyingParty = application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role.getParent()));
+
auto_ptr<LogoutRequest> msg(LogoutRequestBuilder::buildLogoutRequest());
Issuer* issuer = IssuerBuilder::buildIssuer();
msg->setIssuer(issuer);
- issuer->setName(application.getXMLString("entityID").second);
+ issuer->setName(relyingParty->getXMLString("entityID").second);
auto_ptr_XMLCh index(session.getSessionIndex());
if (index.get() && *index.get()) {
SessionIndex* si = SessionIndexBuilder::buildSessionIndex();
}
const NameID* nameid = session.getNameID();
- const PropertySet* relyingParty = application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role.getParent()));
pair<bool,const char*> flag = relyingParty->getString("encryption");
if (flag.first &&
(!strcmp(flag.second, "true") || (encoder && !strcmp(flag.second, "front")) || (!encoder && !strcmp(flag.second, "back")))) {
true
);
}
-
+
+ EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
+
bool ownedName = false;
NameID* nameid = mgmtRequest->getNameID();
if (!nameid) {
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(encname->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
nameid = dynamic_cast<NameID*>(decryptedID.get());
if (nameid) {
ownedName = true;
// For a front-channel request, we have to match the information in the request
// against the current session.
- EntityDescriptor* entity = policy.getIssuerMetadata() ? dynamic_cast<EntityDescriptor*>(policy.getIssuerMetadata()->getParent()) : NULL;
if (!session_id.empty()) {
if (!cache->matches(application, request, entity, *nameid, NULL)) {
return sendResponse(
policy.getIssuerMetadata() ? new MetadataCredentialCriteria(*policy.getIssuerMetadata()) : NULL
);
try {
- auto_ptr<XMLObject> decryptedID(encnewid->decrypt(*cr,application.getXMLString("entityID").second,mcc.get()));
+ auto_ptr<XMLObject> decryptedID(encnewid->decrypt(*cr,application.getRelyingParty(entity)->getXMLString("entityID").second,mcc.get()));
newid = dynamic_cast<NewID*>(decryptedID.get());
if (newid) {
ownedNewID = true;
}
Issuer* issuer = IssuerBuilder::buildIssuer();
nim->setIssuer(issuer);
- issuer->setName(application.getXMLString("entityID").second);
+ issuer->setName(application.getRelyingParty(dynamic_cast<EntityDescriptor*>(role->getParent()))->getXMLString("entityID").second);
fillStatus(*nim.get(), code, subcode, msg);
auto_ptr_char dest(nim->getDestination());
if (!req->getIssuer()) {
Issuer* issuer = IssuerBuilder::buildIssuer();
req->setIssuer(issuer);
- issuer->setName(app.getXMLString("entityID").second);
+ issuer->setName(app.getRelyingParty(entity.first)->getXMLString("entityID").second);
}
if (!req->getNameIDPolicy()) {
NameIDPolicy* namepol = NameIDPolicyBuilder::buildNameIDPolicy();
auto_ptr_char dest(ep->getLocation());
string req=string(dest.get()) + (strchr(dest.get(),'?') ? '&' : '?') + "shire=" + urlenc->encode(acsLocation) +
"&time=" + timebuf + "&target=" + urlenc->encode(relayState.c_str()) +
- "&providerId=" + urlenc->encode(app.getString("entityID").second);
+ "&providerId=" + urlenc->encode(app.getRelyingParty(entity.first)->getString("entityID").second);
return make_pair(true, httpResponse.sendRedirect(req.c_str()));
#else
status = "<Partial/>";
}
- s << "<Application id='" << application.getId() << "' entityID='" << application.getString("entityID").second << "'/>";
+ const PropertySet* relyingParty=NULL;
+ param=httpRequest.getParameter("entityID");
+ if (param) {
+ MetadataProvider* m = application.getMetadataProvider();
+ Locker mlock(m);
+ relyingParty = application.getRelyingParty(m->getEntityDescriptor(MetadataProvider::Criteria(param)).first);
+ }
+ else {
+ relyingParty = application.getRelyingParty(NULL);
+ }
+
+ s << "<Application id='" << application.getId() << "' entityID='" << relyingParty->getString("entityID").second << "'/>";
s << "<Handlers>";
vector<const Handler*> handlers;
}
s << "</Handlers>";
- const PropertySet* relyingParty=NULL;
- param=httpRequest.getParameter("entityID");
- if (param) {
- MetadataProvider* m = application.getMetadataProvider();
- Locker mlock(m);
- relyingParty = application.getRelyingParty(m->getEntityDescriptor(MetadataProvider::Criteria(param)).first);
- }
- if (!relyingParty)
- relyingParty = application.getRelyingParty(NULL);
CredentialResolver* credResolver=application.getCredentialResolver();
if (credResolver) {
Locker credLocker(credResolver);
istringstream pstr(pending);
pstr >> pendobj;
// IdP.SP.index contains logout expiration, if any.
- DDF deadmenwalking = pendobj[issuer ? entity_id.get() : "_shibnull"][application.getString("entityID").second];
+ DDF deadmenwalking = pendobj[issuer ? entity_id.get() : "_shibnull"][application.getRelyingParty(issuer)->getString("entityID").second];
const char* logexpstr = deadmenwalking[session_index ? index.get() : "_shibnull"].string();
if (!logexpstr && session_index) // we tried an exact session match, now try for NULL
logexpstr = deadmenwalking["_shibnull"].string();
if (session) {
Locker locker(session, false);
if (XMLString::equals(session->getEntityID(), entityID.get()) && session->getNameID() &&
- stronglyMatches(issuer->getEntityID(), application.getXMLString("entityID").second, nameid, *session->getNameID())) {
+ stronglyMatches(issuer->getEntityID(), application.getRelyingParty(issuer)->getXMLString("entityID").second, nameid, *session->getNameID())) {
return (!indexes || indexes->empty() || (session->getSessionIndex() ? (indexes->count(session->getSessionIndex())>0) : false));
}
}
}
// Structure is keyed by the IdP and SP, with a member per session index containing the expiration.
- DDF root = obj.addmember(issuer ? entityID.get() : "_shibnull").addmember(application.getString("entityID").second);
+ DDF root = obj.addmember(issuer ? entityID.get() : "_shibnull").addmember(application.getRelyingParty(issuer)->getString("entityID").second);
if (indexes) {
for (set<string>::const_iterator x = indexes->begin(); x!=indexes->end(); ++x)
root.addmember(x->c_str()).string(timebuf);
// Same issuer?
if (XMLString::equals(session->getEntityID(), entityID.get())) {
// Same NameID?
- if (stronglyMatches(issuer->getEntityID(), application.getXMLString("entityID").second, nameid, *session->getNameID())) {
+ if (stronglyMatches(issuer->getEntityID(), application.getRelyingParty(issuer)->getXMLString("entityID").second, nameid, *session->getNameID())) {
sessionsKilled.push_back(key.string());
key.destroy();
}
SAML2Artifact* generateSAML2Artifact(const EntityDescriptor* relyingParty) const {
pair<bool,int> index = make_pair(false,0);
const PropertySet* props = getRelyingParty(relyingParty);
- if (props)
- index = getInt("artifactEndpointIndex");
+ index = props->getInt("artifactEndpointIndex");
if (!index.first)
index = getArtifactEndpointIndex();
- return new SAML2ArtifactType0004(SAMLConfig::getConfig().hashSHA1(getString("entityID").second),index.first ? index.second : 1);
+ return new SAML2ArtifactType0004(SAMLConfig::getConfig().hashSHA1(props->getString("entityID").second),index.first ? index.second : 1);
}
MetadataProvider* getMetadataProvider(bool required=true) const {
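Review bot: With the `if (props)` guard removed at L506, `props->getInt` at L508 and `props->getString` at L512 dereference whatever getRelyingParty returns; the commit relies on a non-NULL result elsewhere as well (L175, L452, L455), but the declaration at L517 does not state that contract and its definition is not in view. A Doxygen line on the declaration, `/// never returns NULL; falls back to the Application's own property set`, pins the assumption the callers now depend on. The parameter named `relyingParty` here is an EntityDescriptor, so `provider` as used at L517 would read better. The class body continues outside the hunk.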
return (!m_credResolver && m_base) ? m_base->getCredentialResolver() : m_credResolver;
}
const PropertySet* getRelyingParty(const EntityDescriptor* provider) const;
- const vector<const XMLCh*>& getAudiences() const {
- return (m_audiences.empty() && m_base) ? m_base->getAudiences() : m_audiences;
+ const vector<const XMLCh*>* getAudiences() const {
+ return (m_audiences.empty() && m_base) ? m_base->getAudiences() : &m_audiences;
}
#endif
string getNotificationURL(const char* resource, bool front, unsigned int index) const;
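Review bot: getAudiences at L520-L521 never returns NULL — with no base it returns `&m_audiences` even when the vector is empty — while the new header comment at L34 says "or NULL". Either the header comment should drop "or NULL", or the body should be `return m_audiences.empty() ? (m_base ? m_base->getAudiences() : NULL) : &m_audiences;` so declaration and implementation agree; callers passing the pointer to the validators (L9, L71, L235) should then be checked for which form they expect. The class body continues outside the hunk.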
if (nlist->item(i)->getParentNode()->isSameNode(e) && nlist->item(i)->hasChildNodes())
m_audiences.push_back(nlist->item(i)->getFirstChild()->getNodeValue());
- // Always include our own entityID as an audience.
- m_audiences.push_back(getXMLString("entityID").second);
-
if (conf.isEnabled(SPConfig::Metadata)) {
child = XMLHelper::getFirstChildElement(e,_MetadataProvider);
if (child) {