saml: Add separate option to enable HoK support on SP.
Instead of always adding the Holder-of-Key endpoint to the SP metadata, require a separate option to be set before it is enabled. git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3194 44740490-163a-0410-bde0-09ae8108e29a
parent
262c97a619
commit
ea296a1684
@ -27,12 +27,14 @@ environment variable `SSL_CLIENT_CERT` of the webserver.
|
|||
Enable HoK on SP
|
||||
----------------
|
||||
|
||||
Which binding/profile the Identity Provider (IdP) should use when sending authentication responses to the SP is controlled by the `ProtocolBinding` option in the SP configuration.
|
||||
To make your SP request that the response from the IdP is send using the HoK SSO Profile, this option must be set accordingly:
|
||||
To enable support for the HoK SSO Profile in the SP, the `saml20.hok.assertion` option must be set to TRUE in the SP configuration.
|
||||
This option can also be enabled in the `saml20-idp-remote` metadata file, but in that case the endpoint will not be added to the SP metadata.
|
||||
You must also send authentication requests specifying the Holder-of-Key profile to the IdP. This is controlled by the `ProtocolBinding` option in the SP configuration.
|
||||
|
||||
'hok-sp' => array(
|
||||
'saml:SP',
|
||||
'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
|
||||
'saml20.hok.assertion' => TRUE,
|
||||
'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
|
||||
),
|
||||
|
||||
When this is done, you can add the metadata of your SP to the IdP and test the authentication.
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
Upgrade notes for simpleSAMLphp 1.11
|
||||
====================================
|
||||
|
||||
* Support for the Holder-of-Key profile in the SAML 2.0 SP has been disabled by default.
|
||||
To enable it, set `saml20.hok.assertion` to `TRUE` in `config/authsources.php`.
|
||||
|
|
@ -347,6 +347,10 @@ Options
|
|||
|
||||
: *Note*: SAML 1 specific.
|
||||
|
||||
`saml20.hok.assertion`
|
||||
: Enable support for the SAML 2.0 Holder-of-Key SSO profile.
|
||||
See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
|
||||
|
||||
`sign.authnrequest`
|
||||
: Whether to sign authentication requests sent from this SP.
|
||||
|
||||
|
|
|
@ -600,17 +600,16 @@ class sspmod_saml_Message {
|
|||
/* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
|
||||
$hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
|
||||
if ($hok === NULL) {
|
||||
$protocolBinding = $spMetadata->getString('ProtocolBinding', SAML2_Const::BINDING_HTTP_POST);
|
||||
if ($protocolBinding === SAML2_Const::BINDING_HOK_SSO) {
|
||||
$hok = TRUE;
|
||||
} else {
|
||||
$hok = FALSE;
|
||||
}
|
||||
$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
|
||||
}
|
||||
if ($sc->Method === SAML2_Const::CM_BEARER && $hok) {
|
||||
$lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
|
||||
continue;
|
||||
}
|
||||
if ($sc->Method === SAML2_Const::CM_HOK && !$hok) {
|
||||
$lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
|
||||
continue;
|
||||
}
|
||||
|
||||
$scd = $sc->SubjectConfirmationData;
|
||||
if ($sc->Method === SAML2_Const::CM_HOK) {
|
||||
|
|
|
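Review bot: An SP whose `ProtocolBinding` is the Holder-of-Key binding but which does not set `saml20.hok.assertion` now fails every login, because the fallback on the `$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);` line no longer derives the flag from `ProtocolBinding`, and the new `CM_HOK && !$hok` branch then rejects exactly the HoK SubjectConfirmation the IdP was asked to send. That tightening is the point of the commit, but the only symptom is the generic "Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled." error; the misconfiguration is detectable at the fallback by comparing `ProtocolBinding` against `SAML2_Const::BINDING_HOK_SSO` when `$hok` is false, and logging a warning naming both options would make the upgrade-notes change much easier to diagnose. The idp-remote precedence also deserves a comment, since an explicit `'saml20.hok.assertion' => FALSE` in `saml20-idp-remote` silently disables HoK for that IdP even when the SP enables it — e.g. `// An explicit FALSE in idp-remote wins over the SP setting; only an unset value falls through.` The enclosing method of sspmod_saml_Message starts before and ends after this hunk.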
@ -52,9 +52,12 @@ $assertionsconsumerservicesdefault = array(
|
|||
'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
|
||||
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
|
||||
'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
|
||||
'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
|
||||
);
|
||||
|
||||
if ($spconfig->getBoolean('saml20.hok.assertion', FALSE)) {
|
||||
$assertionsconsumerservicesdefault[] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
|
||||
}
|
||||
|
||||
$assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionsconsumerservicesdefault);
|
||||
|
||||
$index = 0;
|
||||
|
|
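Review bot: The `acs.Bindings` override read on the `$assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionsconsumerservicesdefault);` line bypasses the new `saml20.hok.assertion` gate, so an SP that lists the HoK binding in `acs.Bindings` without enabling the option still publishes a Holder-of-Key AssertionConsumerService in its metadata while, per the sspmod_saml_Message hunk in this same commit, every HoK assertion sent to it is rejected. The inverse also holds: an explicit `acs.Bindings` without the HoK URI hides the endpoint even when the option is TRUE. If the option is meant to be authoritative, filter the final list, e.g. `if (!$spconfig->getBoolean('saml20.hok.assertion', FALSE)) { $assertionsconsumerservices = array_values(array_diff($assertionsconsumerservices, array('urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser'))); }`; otherwise a comment on the `acs.Bindings` line stating that it is not subject to the gate would at least document the behaviour. The `$assertionsconsumerservicesdefault = array(` statement begins before this hunk, and whatever consumes `$index` presumably follows it.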