SAML: signatures on SSO/SLO messages issued from IDP (#66)

2010-05-20 13:08:07 +00:00 · 2010-05-20 13:08:07 +00:00 · f187851ba6
commit f187851ba6
parent bc618ce075
2 changed files with 41 additions and 5 deletions
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@ -232,10 +232,14 @@ sub issuerForUnAuthUser {
                $self->lmLog( "Set $relaystate in RelayState", 'debug' );
            }

-            # Logout response
-            unless ( $self->buildLogoutResponseMsg($logout) ) {
-                $self->lmLog( "Unable to build SLO response", 'error' );
-                return PE_ERROR;
+            # Signature
+            my $signSLOMessage =
+              $self->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsSignSLOMessage};
+
+            unless ($signSLOMessage) {
+                $self->lmLog( "Do not sign this SLO response", 'debug' );
+                return PE_ERROR unless ( $self->disableSignature($logout) );
            }

            # Send logout response
@ -683,6 +687,16 @@ sub issuerForAuthUser {
            # Set response assertion
            $login->response->Assertion(@response_assertions);

+            # Signature
+            my $signSSOMessage =
+              $self->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsSignSSOMessage};
+
+            unless ($signSSOMessage) {
+                $self->lmLog( "Do not sign this SSO response", 'debug' );
+                return PE_ERROR unless ( $self->disableSignature($login) );
+            }
+
            # Build SAML response
            $protocolProfile = $login->protocolProfile();

@ -942,6 +956,16 @@ sub issuerForAuthUser {
                    'debug' );
            }

+            # Signature
+            my $signSLOMessage =
+              $self->{samlSPMetaDataOptions}->{$spConfKey}
+              ->{samlSPMetaDataOptionsSignSLOMessage};
+
+            unless ($signSLOMessage) {
+                $self->lmLog( "Do not sign this SLO response", 'debug' );
+                return PE_ERROR unless ( $self->disableSignature($logout) );
+            }
+
            # Send logout response. The process could be stopped here, if no
            # there are no providers to wait for logout via HTTP-REDIRECT
            # method.
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -2069,8 +2069,9 @@ sub sendLogoutRequestToServiceProvider {
        return ( 0, undef, undef );
    }

-    # Get SP Name from EntityID
+    # Get SP Name and Conf Key from EntityID
    my $providerName = $self->{_spList}->{$providerID}->{name};
+    my $spConfKey    = $self->{_spList}->{$providerID}->{confKey};

    # Get first HTTP method
    my $protocolType = Lasso::Constants::MD_PROTOCOL_TYPE_SINGLE_LOGOUT;
@ -2082,6 +2083,17 @@ sub sendLogoutRequestToServiceProvider {
    # Fix a default value for the relay parameter
    $relay = 0 unless ( defined $relay );

+    # Signature
+    my $signSLOMessage =
+      $self->{samlSPMetaDataOptions}->{$spConfKey}
+      ->{samlSPMetaDataOptionsSignSLOMessage};
+
+    unless ($signSLOMessage) {
+        $self->lmLog( "Do not sign this SLO request", 'debug' );
+        return ( 0, undef, undef )
+          unless ( $self->disableSignature($logout) );
+    }
+
    # Build the request unless this is a SOAP relay logout request
    unless ( $method == Lasso::Constants::HTTP_METHOD_SOAP && $relay ) {