Rationalized signing support. Profile requirements, Relying Party configs, and SAML...
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 21 Mar 2005 20:10:35 +0000 (20:10 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 21 Mar 2005 20:10:35 +0000 (20:10 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1320 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/IdentityProvider.java
src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/idp/IdPProtocolSupport.java
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
src/schemas/shibboleth-idpconfig-1.0.xsd

index 7ff1d8b..cf4bb52 100644 (file)
@@ -42,10 +42,9 @@ public interface IdentityProvider {
        public String getProviderId();
 
        /**
        public String getProviderId();
 
        /**
-        * Returns the credential that this provider uses to sign SAML responses and assertions, or <code>null</code> if
-        * responses should not be signed.
+        * Returns the credential that this provider uses to sign SAML responses and assertions.
         * 
         * 
-        * @return the credential or <code>null</code>
+        * @return the credential
         */
        public Credential getSigningCredential();
 
         */
        public Credential getSigningCredential();
 
index 6f93945..3b77b7e 100644 (file)
@@ -103,4 +103,10 @@ public interface RelyingParty extends ServiceProvider {
         * and "false" indicates Artifact.
         */
        public boolean defaultToPOSTProfile();
         * and "false" indicates Artifact.
         */
        public boolean defaultToPOSTProfile();
+
+       /**
+        * A boolean indication of whether assertions issued to this Relying Party should be digitall signed (This is in
+        * addition to profile-specific signing).
+        */
+       public boolean wantsAssertionsSigned();
 }
 }
index d8ab603..ef59374 100644 (file)
@@ -226,6 +226,7 @@ public class ServiceProviderMapper {
                private boolean forceAttributePush = false;
                private boolean forceAttributeNoPush = false;
                private boolean defaultToPOST = true;
                private boolean forceAttributePush = false;
                private boolean forceAttributeNoPush = false;
                private boolean defaultToPOST = true;
+               private boolean wantsAssertionsSigned = false;
 
                public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
                                NameMapper nameMapper) throws ServiceProviderMapperException {
 
                public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
                                NameMapper nameMapper) throws ServiceProviderMapperException {
@@ -287,6 +288,17 @@ public class ServiceProviderMapper {
                                log.debug("Relying party defaults to Artifact profile.");
                        }
 
                                log.debug("Relying party defaults to Artifact profile.");
                        }
 
+                       // Relying Party wants assertions signed?
+                       attribute = ((Element) partyConfig).getAttribute("signAssertions");
+                       if (attribute != null && !attribute.equals("")) {
+                               wantsAssertionsSigned = Boolean.valueOf(attribute).booleanValue();
+                       }
+                       if (wantsAssertionsSigned) {
+                               log.debug("Relying party wants SAML Assertions to be signed.");
+                       } else {
+                               log.debug("Relying party does not want SAML Assertions to be signed.");
+                       }
+
                        // Determine whether or not we are forcing attribute push on or off
                        String forcePush = ((Element) partyConfig).getAttribute("forceAttributePush");
                        String forceNoPush = ((Element) partyConfig).getAttribute("forceAttributeNoPush");
                        // Determine whether or not we are forcing attribute push on or off
                        String forcePush = ((Element) partyConfig).getAttribute("forceAttributePush");
                        String forceNoPush = ((Element) partyConfig).getAttribute("forceAttributeNoPush");
@@ -423,6 +435,11 @@ public class ServiceProviderMapper {
                        return defaultToPOST;
                }
 
                        return defaultToPOST;
                }
 
+               public boolean wantsAssertionsSigned() {
+
+                       return wantsAssertionsSigned;
+               }
+
                /**
                 * Default identity provider implementation.
                 * 
                /**
                 * Default identity provider implementation.
                 * 
@@ -528,6 +545,11 @@ public class ServiceProviderMapper {
 
                        return wrapped.defaultToPOSTProfile();
                }
 
                        return wrapped.defaultToPOSTProfile();
                }
+
+               public boolean wantsAssertionsSigned() {
+
+                       return wrapped.wantsAssertionsSigned();
+               }
        }
 
        /**
        }
 
        /**
@@ -600,6 +622,11 @@ public class ServiceProviderMapper {
 
                        return true;
                }
 
                        return true;
                }
+
+               public boolean wantsAssertionsSigned() {
+
+                       return wrapped.wantsAssertionsSigned();
+               }
        }
 
        /**
        }
 
        /**
index 1c7aa68..b85483e 100644 (file)
@@ -60,7 +60,6 @@ import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationExcepti
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.Metadata;
 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.Metadata;
 import edu.internet2.middleware.shibboleth.metadata.MetadataException;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
 
 /**
  * Delivers core IdP functionality (Attribute resolution, ARP filtering, Metadata lookup, Signing, Mapping between local &
@@ -122,61 +121,53 @@ public class IdPProtocolSupport implements Metadata {
                return spMapper;
        }
 
                return spMapper;
        }
 
-       public static void addSignatures(SAMLResponse response, RelyingParty relyingParty, EntityDescriptor provider,
-                       boolean signResponse) throws SAMLException {
+       public static void signAssertions(SAMLAssertion[] assertions, RelyingParty relyingParty)
+                       throws InvalidCryptoException, SAMLException {
 
 
-               if (provider != null) {
-                       boolean signAssertions = false;
-
-                       SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-                       if (sp == null) {
-                               log.info("Inappropriate metadata for provider: " + provider.getId() + ".  Expected SPSSODescriptor.");
-                       }
-                       if (sp.getWantAssertionsSigned()) {
-                               signAssertions = true;
-                       }
-
-                       if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
-                                       && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
-
-                               Iterator assertions = response.getAssertions();
-
-                               while (assertions.hasNext()) {
-                                       SAMLAssertion assertion = (SAMLAssertion) assertions.next();
-                                       String assertionAlgorithm;
-                                       if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                                       } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-                                       } else {
-                                               throw new InvalidCryptoException(SAMLException.RESPONDER,
-                                                               "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
-                                       }
-
-                                       assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
-                                                       .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
-                                                       .getX509CertificateChain()));
-                               }
-                       }
+               if (relyingParty.getIdentityProvider().getSigningCredential() == null
+                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) {
+                       // TODO error out
                }
 
                }
 
-               // Sign the response, if appropriate
-               if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
-                               && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
-
-                       String responseAlgorithm;
+               for (int i = 0; i < assertions.length; i++) {
+                       String assertionAlgorithm;
                        if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
                        if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
                        } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
                        } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
-                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+                               assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
                        } else {
                                throw new InvalidCryptoException(SAMLException.RESPONDER,
                                                "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
                        }
 
                        } else {
                                throw new InvalidCryptoException(SAMLException.RESPONDER,
                                                "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
                        }
 
-                       response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
-                                       Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
+                       assertions[i].sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
+                                       .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
+                                       .getX509CertificateChain()));
+               }
+       }
+
+       public static void signResponse(SAMLResponse response, RelyingParty relyingParty) throws SAMLException {
+
+               // Make sure we have an appropriate credential
+               if (relyingParty.getIdentityProvider().getSigningCredential() == null
+                               || relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() == null) {
+
+                       // TODO error
                }
                }
+
+               // Sign the response
+               String responseAlgorithm;
+               if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
+                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+               } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
+                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+               } else {
+                       throw new InvalidCryptoException(SAMLException.RESPONDER,
+                                       "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+               }
+
+               response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
+                               Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
        }
 
        protected void addFederationProvider(Element element) {
        }
 
        protected void addFederationProvider(Element element) {
index 5d5ee23..6ccaf4c 100644 (file)
@@ -66,6 +66,7 @@ import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationExcepti
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
 import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
+import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * @author Walter Hoehn
 
 /**
  * @author Walter Hoehn
@@ -262,9 +263,22 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                                SAMLAssertion sAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), now,
                                                then, Collections.singleton(condition), null, Collections.singleton(statement));
 
                                SAMLAssertion sAssertion = new SAMLAssertion(relyingParty.getIdentityProvider().getProviderId(), now,
                                                then, Collections.singleton(condition), null, Collections.singleton(statement));
 
+                               // Sign the assertions, if necessary
+                               boolean metaDataIndicatesSignAssertions = false;
+                               EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
+                               if (descriptor != null) {
+                                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
+                                       if (sp != null) {
+                                               if (sp.getWantAssertionsSigned()) {
+                                                       metaDataIndicatesSignAssertions = true;
+                                               }
+                                       }
+                               }
+                               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
+                                       IdPProtocolSupport.signAssertions(new SAMLAssertion[]{sAssertion}, relyingParty);
+                               }
+
                                samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), null);
                                samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), null);
-                               IdPProtocolSupport.addSignatures(samlResponse, relyingParty, support.lookup(relyingParty
-                                               .getProviderId()), false);
                        }
 
                        if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
                        }
 
                        if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
index 9775353..bb2b01a 100644 (file)
@@ -33,6 +33,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Vector;
 
 import javax.servlet.RequestDispatcher;
 import java.util.Vector;
 
 import javax.servlet.RequestDispatcher;
@@ -136,19 +137,19 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                        }
 
                        // Grab the metadata for the provider
                        }
 
                        // Grab the metadata for the provider
-                       EntityDescriptor provider = support.lookup(relyingParty.getProviderId());
+                       EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
 
                        // Make sure that the selected relying party configuration is appropriate for this
                        // acceptance URL
                        String acceptanceURL = request.getParameter("shire");
                        if (!relyingParty.isLegacyProvider()) {
 
 
                        // Make sure that the selected relying party configuration is appropriate for this
                        // acceptance URL
                        String acceptanceURL = request.getParameter("shire");
                        if (!relyingParty.isLegacyProvider()) {
 
-                               if (provider == null) {
+                               if (descriptor == null) {
                                        log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
                                        relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
 
                                } else {
                                        log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
                                        relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
 
                                } else {
-                                       if (isValidAssertionConsumerURL(provider, acceptanceURL)) {
+                                       if (isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
                                                log.info("Supplied consumer URL validated for this provider.");
                                        } else {
                                                log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
                                                log.info("Supplied consumer URL validated for this provider.");
                                        } else {
                                                log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
@@ -184,9 +185,7 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                        ArrayList assertions = new ArrayList();
 
                        // Is this artifact or POST?
                        ArrayList assertions = new ArrayList();
 
                        // Is this artifact or POST?
-                       boolean artifactProfile = useArtifactProfile(provider, acceptanceURL, relyingParty);
-
-                       // TODO make sure we support adding signatures to attribute assertion
+                       boolean artifactProfile = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
 
                        // Package attributes for push, if necessary - don't attempt this for legacy providers (they don't support
                        // it)
 
                        // Package attributes for push, if necessary - don't attempt this for legacy providers (they don't support
                        // it)
@@ -200,16 +199,14 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                                }
                        }
 
                                }
                        }
 
-                       // TODO do assertion signing for artifact stuff
-
                        // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
                        if (!relyingParty.isLegacyProvider() && artifactProfile) {
                        // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
                        if (!relyingParty.isLegacyProvider() && artifactProfile) {
-                               respondWithArtifact(request, response, support, principal, relyingParty, provider, acceptanceURL,
+                               respondWithArtifact(request, response, support, principal, relyingParty, descriptor, acceptanceURL,
                                                nameId, authenticationMethod, authNSubject, assertions);
 
                                // SAML POST profile
                        } else {
                                                nameId, authenticationMethod, authNSubject, assertions);
 
                                // SAML POST profile
                        } else {
-                               respondWithPOST(request, response, support, principal, relyingParty, provider, acceptanceURL, nameId,
+                               respondWithPOST(request, response, support, principal, relyingParty, descriptor, acceptanceURL, nameId,
                                                authenticationMethod, authNSubject, assertions);
                        }
                } catch (InvalidClientDataException e) {
                                                authenticationMethod, authNSubject, assertions);
                        }
                } catch (InvalidClientDataException e) {
@@ -219,15 +216,29 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        }
 
        private void respondWithArtifact(HttpServletRequest request, HttpServletResponse response,
        }
 
        private void respondWithArtifact(HttpServletRequest request, HttpServletResponse response,
-                       IdPProtocolSupport support, AuthNPrincipal principal, RelyingParty relyingParty, EntityDescriptor provider,
-                       String acceptanceURL, SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject,
-                       ArrayList assertions) throws SAMLException, IOException, UnsupportedEncodingException {
+                       IdPProtocolSupport support, AuthNPrincipal principal, RelyingParty relyingParty,
+                       EntityDescriptor descriptor, String acceptanceURL, SAMLNameIdentifier nameId, String authenticationMethod,
+                       SAMLSubject authNSubject, List assertions) throws SAMLException, IOException, UnsupportedEncodingException {
 
                log.debug("Responding with Artifact profile.");
 
                authNSubject.addConfirmationMethod(SAMLSubject.CONF_ARTIFACT);
 
                log.debug("Responding with Artifact profile.");
 
                authNSubject.addConfirmationMethod(SAMLSubject.CONF_ARTIFACT);
-               assertions.add(generateAuthNAssertion(request, relyingParty, provider, nameId, authenticationMethod, new Date(
-                               System.currentTimeMillis()), authNSubject));
+               assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
+                               new Date(System.currentTimeMillis()), authNSubject));
+
+               // Sign the assertions, if necessary
+               boolean metaDataIndicatesSignAssertions = false;
+               if (descriptor != null) {
+                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
+                       if (sp != null) {
+                               if (sp.getWantAssertionsSigned()) {
+                                       metaDataIndicatesSignAssertions = true;
+                               }
+                       }
+               }
+               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
+                       IdPProtocolSupport.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
+               }
 
                // Create artifacts for each assertion
                ArrayList artifacts = new ArrayList();
 
                // Create artifacts for each assertion
                ArrayList artifacts = new ArrayList();
@@ -261,15 +272,29 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        }
 
        private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
        }
 
        private void respondWithPOST(HttpServletRequest request, HttpServletResponse response, IdPProtocolSupport support,
-                       AuthNPrincipal principal, RelyingParty relyingParty, EntityDescriptor provider, String acceptanceURL,
-                       SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject, ArrayList assertions)
+                       AuthNPrincipal principal, RelyingParty relyingParty, EntityDescriptor descriptor, String acceptanceURL,
+                       SAMLNameIdentifier nameId, String authenticationMethod, SAMLSubject authNSubject, List assertions)
                        throws SAMLException, IOException, ServletException {
 
                log.debug("Responding with POST profile.");
 
                authNSubject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
                        throws SAMLException, IOException, ServletException {
 
                log.debug("Responding with POST profile.");
 
                authNSubject.addConfirmationMethod(SAMLSubject.CONF_BEARER);
-               assertions.add(generateAuthNAssertion(request, relyingParty, provider, nameId, authenticationMethod, new Date(
-                               System.currentTimeMillis()), authNSubject));
+               assertions.add(generateAuthNAssertion(request, relyingParty, descriptor, nameId, authenticationMethod,
+                               new Date(System.currentTimeMillis()), authNSubject));
+
+               // Sign the assertions, if necessary
+               boolean metaDataIndicatesSignAssertions = false;
+               if (descriptor != null) {
+                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
+                       if (sp != null) {
+                               if (sp.getWantAssertionsSigned()) {
+                                       metaDataIndicatesSignAssertions = true;
+                               }
+                       }
+               }
+               if (relyingParty.wantsAssertionsSigned() || metaDataIndicatesSignAssertions) {
+                       IdPProtocolSupport.signAssertions((SAMLAssertion[]) assertions.toArray(new SAMLAssertion[0]), relyingParty);
+               }
 
                // Set attributes needed by form
                request.setAttribute("acceptanceURL", acceptanceURL);
 
                // Set attributes needed by form
                request.setAttribute("acceptanceURL", acceptanceURL);
@@ -277,7 +302,7 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
 
                SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, assertions, null);
 
 
                SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, assertions, null);
 
-               IdPProtocolSupport.addSignatures(samlResponse, relyingParty, provider, true);
+               IdPProtocolSupport.signResponse(samlResponse, relyingParty);
 
                createPOSTForm(request, response, samlResponse.toBase64());
 
 
                createPOSTForm(request, response, samlResponse.toBase64());
 
@@ -361,7 +386,7 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        }
 
        private SAMLAssertion generateAuthNAssertion(HttpServletRequest request, RelyingParty relyingParty,
        }
 
        private SAMLAssertion generateAuthNAssertion(HttpServletRequest request, RelyingParty relyingParty,
-                       EntityDescriptor provider, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
+                       EntityDescriptor descriptor, SAMLNameIdentifier nameId, String authenticationMethod, Date authTime,
                        SAMLSubject subject) throws SAMLException, IOException {
 
                Document doc = org.opensaml.XML.parserPool.newDocument();
                        SAMLSubject subject) throws SAMLException, IOException {
 
                Document doc = org.opensaml.XML.parserPool.newDocument();
@@ -457,14 +482,15 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        /**
         * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
         */
        /**
         * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
         */
-       private static boolean useArtifactProfile(EntityDescriptor provider, String acceptanceURL, RelyingParty relyingParty) {
+       private static boolean useArtifactProfile(EntityDescriptor descriptor, String acceptanceURL,
+                       RelyingParty relyingParty) {
 
                boolean artifactMeta = false;
                boolean postMeta = false;
 
                // Look at the metadata bindings, if we can find them
 
                boolean artifactMeta = false;
                boolean postMeta = false;
 
                // Look at the metadata bindings, if we can find them
-               if (provider != null) {
-                       SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
+               if (descriptor != null) {
+                       SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
 
                        if (sp != null) {
 
 
                        if (sp != null) {
 
@@ -530,10 +556,10 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        /**
         * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
         */
        /**
         * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
         */
-       private static boolean isValidAssertionConsumerURL(EntityDescriptor provider, String shireURL)
+       private static boolean isValidAssertionConsumerURL(EntityDescriptor descriptor, String shireURL)
                        throws InvalidClientDataException {
 
                        throws InvalidClientDataException {
 
-               SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
+               SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
                if (sp == null) {
                        log.info("Inappropriate metadata for provider.");
                        return false;
                if (sp == null) {
                        log.info("Inappropriate metadata for provider.");
                        return false;
index 209c81b..d037aac 100644 (file)
@@ -59,6 +59,7 @@
                                                        <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="forceAttributePush" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="forceAttributePush" type="xs:boolean" use="optional"/>
+                                                       <xs:attribute name="signAssertions" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="forceAttributeNoPush" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultToPOSTProfile" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
                                                        <xs:attribute name="forceAttributeNoPush" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultToPOSTProfile" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>