Force nameID encryption if NameIDPolicy requires it
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 11 Mar 2008 13:07:25 +0000 (13:07 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 11 Mar 2008 13:07:25 +0000 (13:07 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2689 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java

index f41b548..d8190e8 100644 (file)
@@ -260,7 +260,7 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
             assertion = buildAssertion(requestContext, issueInstant);
             assertion.getStatements().addAll(statements);
             assertion.setSubject(buildSubject(requestContext, subjectConfirmationMethod, issueInstant));
-            
+
             signAssertion(requestContext, assertion);
 
             SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
@@ -639,9 +639,19 @@ public abstract class AbstractSAML2ProfileHandler extends AbstractSAMLProfileHan
 
         requestContext.setSubjectNameIdentifier(nameID);
 
+        boolean nameIdEncRequiredByAuthnRequest = false;
+        if (requestContext.getInboundSAMLMessage() instanceof AuthnRequest) {
+            AuthnRequest authnRequest = (AuthnRequest) requestContext.getInboundSAMLMessage();
+            if (DatatypeHelper.safeEquals(DatatypeHelper.safeTrimOrNullString(authnRequest.getNameIDPolicy()
+                    .getFormat()), NameID.ENCRYPTED)) {
+                nameIdEncRequiredByAuthnRequest = true;
+            }
+        }
+
         SAMLMessageEncoder encoder = getMessageEncoders().get(requestContext.getPeerEntityEndpoint().getBinding());
         try {
-            if (requestContext.getProfileConfiguration().getEncryptNameID() == CryptoOperationRequirementLevel.always
+            if (nameIdEncRequiredByAuthnRequest
+                    || requestContext.getProfileConfiguration().getEncryptNameID() == CryptoOperationRequirementLevel.always
                     || (requestContext.getProfileConfiguration().getEncryptNameID() == CryptoOperationRequirementLevel.conditional && !encoder
                             .providesMessageConfidentiality(requestContext))) {
                 log.debug("Attempting to encrypt NameID to relying party {}", requestContext.getInboundMessageIssuer());
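Review bot: The new check dereferences `authnRequest.getNameIDPolicy()` without a null guard, but NameIDPolicy is an optional child of AuthnRequest, so any request that omits it (which a relying party can send at will) throws a NullPointerException here instead of falling through to the configured encryption policy. Hold the policy in a local and guard it: `NameIDPolicy nameIdPolicy = authnRequest.getNameIDPolicy();` followed by `if (nameIdPolicy != null && DatatypeHelper.safeEquals(DatatypeHelper.safeTrimOrNullString(nameIdPolicy.getFormat()), NameID.ENCRYPTED)) {`. A one-line comment on the new flag would also help future readers, e.g. `// A NameIDPolicy Format of "encrypted" overrides the profile's EncryptNameID setting`. The enclosing method starts and ends outside this hunk.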