SIDP-464: additional checking to guard against an outbound mismatch
authorcantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 11 Feb 2011 19:32:26 +0000 (19:32 +0000)
committercantor <cantor@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 11 Feb 2011 19:32:26 +0000 (19:32 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2991 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java

index 4deb891..7ffde59 100644 (file)
@@ -617,7 +617,21 @@ public class SSOProfileHandler extends AbstractSAML2ProfileHandler {
             if (nameIdPolicy != null) {
                 String spNameQualifier = DatatypeHelper.safeTrimOrNullString(nameIdPolicy.getSPNameQualifier());
                 if (spNameQualifier != null) {
-                    nameId.setSPNameQualifier(spNameQualifier);
+                    // Right now the resolver/encoder layer doesn't support forcing the SPNameQualifier
+                    // to be set, but if it ever does, this should detect a mismatch with NameIDPolicy.
+                    if (nameId.getSPNameQualifier() != null) {
+                        if (!nameId.getSPNameQualifier().equals(spNameQualifier)) {
+                            // Requester specified a different qualifier than we produced.
+                            requestContext.setFailureStatus(buildStatus(StatusCode.REQUESTER_URI, StatusCode.INVALID_NAMEID_POLICY_URI,
+                                "Invalid SPNameQualifier for this request"));
+                            throw new ProfileException("Requested SPNameQualifier '{" + spNameQualifier
+                                    + "}' conflicts with generated value '{" + nameId.getSPNameQualifier() + "}'");
+                        }
+                    }
+                    else {
+                        // Set to the requester's preference.
+                        nameId.setSPNameQualifier(spNameQualifier);
+                    }
                 } else {
                     nameId.setSPNameQualifier(requestContext.getInboundMessageIssuer());
                 }
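Review bot: In the `else` branch that calls `nameId.setSPNameQualifier(spNameQualifier)`, the qualifier from the requester's NameIDPolicy is copied into the outgoing NameID with no visible check that the requester may use that namespace. Valid values would be its own entityID, as returned by `requestContext.getInboundMessageIssuer()`, or an affiliation it belongs to. The code comment says the resolver/encoder layer never sets the qualifier today, so this branch appears to be the one always taken and the new mismatch test does not yet constrain anything. If that validation happens earlier in the profile handler, a comment here should say so, e.g. `// spNameQualifier is requester-supplied; affiliation membership is validated in <method>`; if not, it should be added before the set. Separately, the ProfileException message concatenates `'{` and `}'` around the values, which emits literal braces around requester-controlled text. The enclosing method starts and ends outside this hunk.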