saml: Add separate option to enable HoK support on SP.

Instead of always adding the endpoint to the metadata, require
setting a separate option to enable it.

git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3194 44740490-163a-0410-bde0-09ae8108e29a
olavmrk 2012-10-18 10:31:00 +00:00
parent 262c97a619
commit ea296a1684
5 changed files with 24 additions and 10 deletions


@ -27,12 +27,14 @@ environment variable `SSL_CLIENT_CERT` of the webserver.
Enable HoK on SP
----------------
Which binding/profile the Identity Provider (IdP) should use when sending authentication responses to the SP is controlled by the `ProtocolBinding` option in the SP configuration.
To make your SP request that the response from the IdP is send using the HoK SSO Profile, this option must be set accordingly:
To enable support for the HoK SSO Profile in the SP, the `saml20.hok.assertion` option must be set to TRUE in the SP configuration.
This option can also be enabled in the `saml20-idp-remote` metadata file, but in that case the endpoint will not be added to the SP metadata.
You must also send authentication requests specifying the Holder-of-Key profile to the IdP. This is controlled by the `ProtocolBinding` option in the SP configuration.
'hok-sp' => array(
'saml:SP',
'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
'saml20.hok.assertion' => TRUE,
'ProtocolBinding' => 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
),
When this is done, you can add the metadata of your SP to the IdP and test the authentication.
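Review bot: the sentence "This option can also be enabled in the `saml20-idp-remote` metadata file" understates the precedence that the Message.php change in this commit implements: a `saml20.hok.assertion` value in the IdP remote metadata overrides the SP configuration, not merely supplements it. Suggest wording it as "can also be set per IdP in `saml20-idp-remote`, where it overrides the SP configuration", and spelling out the consequence that follows from the metadata change: when the option is set only in `saml20-idp-remote`, the SP metadata will not advertise the Holder-of-Key AssertionConsumerService, so the IdP operator has to be given that endpoint out of band. It would also help upgraders to say explicitly that `ProtocolBinding` alone no longer enables the profile and both settings are now required, since the old text implied that `ProtocolBinding` was sufficient.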


@ -0,0 +1,6 @@
Upgrade notes for simpleSAMLphp 1.11
====================================
* Support for the Holder-of-Key profile in the SAML 2.0 SP has been disabled by default.
To enable it, set `saml20.hok.assertion` to `TRUE` in `config/authsources.php`.
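Review bot: the upgrade note should describe the failure mode an existing Holder-of-Key deployment will hit, not only how to turn the option on. With the new check in Message.php, an SP that was relying on `ProtocolBinding` set to the HoK binding will, after upgrading, reject every response with "Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.", and its regenerated metadata will no longer list the HoK AssertionConsumerService. Suggest adding a second bullet along the lines of "If your SP previously used the Holder-of-Key profile, you must set this option before upgrading, and republish the SP metadata to the IdP if it was generated automatically".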


@ -347,6 +347,10 @@ Options
: *Note*: SAML 1 specific.
`saml20.hok.assertion`
: Enable support for the SAML 2.0 Holder-of-Key SSO profile.
See the documentation for the [Holder-of-Key profile](./simplesamlphp-hok-sp).
`sign.authnrequest`
: Whether to sign authentication requests sent from this SP.


@ -600,17 +600,16 @@ class sspmod_saml_Message {
/* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
$hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
if ($hok === NULL) {
$protocolBinding = $spMetadata->getString('ProtocolBinding', SAML2_Const::BINDING_HTTP_POST);
if ($protocolBinding === SAML2_Const::BINDING_HOK_SSO) {
$hok = TRUE;
} else {
$hok = FALSE;
}
$hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
}
if ($sc->Method === SAML2_Const::CM_BEARER && $hok) {
$lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
continue;
}
if ($sc->Method === SAML2_Const::CM_HOK && !$hok) {
$lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
continue;
}
$scd = $sc->SubjectConfirmationData;
if ($sc->Method === SAML2_Const::CM_HOK) {
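Review bot: the new `$hok` resolution makes `saml20.hok.assertion` and `ProtocolBinding` independent, so a configuration that sets `ProtocolBinding` to the HoK binding but leaves `saml20.hok.assertion` at its `FALSE` default now fails only at response-processing time, with the `$lastError` "Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled." That message does not name the option the operator needs to change; suggest appending "(set saml20.hok.assertion)" to it, or better, detecting the inconsistent combination when the authentication request is built and logging it there, so the misconfiguration is caught before the IdP round trip. The strict rejection itself is the right behaviour: silently accepting a bearer assertion when HoK was configured (line with `CM_BEARER && $hok`) or a HoK assertion when the profile is disabled would downgrade the confirmation method without the operator noticing.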


@ -52,9 +52,12 @@ $assertionsconsumerservicesdefault = array(
'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser',
);
if ($spconfig->getBoolean('saml20.hok.assertion', FALSE)) {
$assertionsconsumerservicesdefault[] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
}
$assertionsconsumerservices = $spconfig->getArray('acs.Bindings', $assertionsconsumerservicesdefault);
$index = 0;
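Review bot: the conditional append only affects `$assertionsconsumerservicesdefault`, so an operator who lists the Holder-of-Key binding explicitly in `acs.Bindings` will still publish the HoK AssertionConsumerService while `saml20.hok.assertion` is `FALSE`, and Message.php will then reject the HoK assertions the IdP sends to it. Either filter the HoK binding out of the `getArray('acs.Bindings', ...)` result when the option is disabled, or document in the `acs.Bindings` option that the HoK entry is ignored unless `saml20.hok.assertion` is enabled. Also worth a comment: because the HoK binding is appended last, it receives the highest `$index`, so the default endpoint (index 0) remains a bearer binding, which is what a bearer-only IdP will pick.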