authorFrederic Peters <fpeters@entrouvert.com>2006-11-08 12:46:06 +0000
committerFrederic Peters <fpeters@entrouvert.com>2006-11-08 12:46:06 +0000
commit057eb4d990cbd7cc8b21d24e68e6056801389c3a (patch)
tree5808ac4732411ef14b6438024f3684e963188e2c
parent46d28c06cb25d1272cb16b0ac80f4a35bdf745f4 (diff)
saml2 sso initiated by idp
-rw-r--r--lasso/id-ff/login.c8
-rw-r--r--lasso/saml-2.0/login.c57
-rw-r--r--lasso/saml-2.0/loginprivate.h3
3 files changed, 59 insertions, 9 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c
index 871e420c..b45713e0 100644
--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@@ -1349,10 +1349,16 @@ lasso_login_init_idp_initiated_authn_request(LassoLogin *login,
int rc;
LassoProfile *profile;
+ profile = LASSO_PROFILE(login);
+
+ IF_SAML2(profile) {
+ return lasso_saml20_login_init_idp_initiated_authn_request(login,
+ remote_providerID);
+ }
+
rc = lasso_login_init_authn_request(login, remote_providerID, LASSO_HTTP_METHOD_POST);
if (rc)
return rc;
- profile = LASSO_PROFILE(login);
/* no RequestID attribute or it would be used in response assertion */
g_free(LASSO_SAMLP_REQUEST_ABSTRACT(profile->request)->RequestID);
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c
index f1a340b0..e5e1e8a9 100644
--- a/lasso/saml-2.0/login.c
+++ b/lasso/saml-2.0/login.c
@@ -149,15 +149,18 @@ lasso_saml20_login_build_authn_request_msg(LassoLogin *login, LassoProvider *rem
} else {
/* artifact method */
char *artifact = lasso_saml20_profile_generate_artifact(profile, 0);
+ char *url_artifact = xmlURIEscapeStr((xmlChar*)artifact, NULL);
url = lasso_provider_get_metadata_one(
remote_provider, "SingleSignOnService HTTP-Artifact");
if (login->http_method == LASSO_HTTP_METHOD_ARTIFACT_GET) {
- gchar *query = g_strdup_printf("SAMLart=%s", artifact);
+ gchar *query = g_strdup_printf("SAMLart=%s", url_artifact);
profile->msg_url = lasso_concat_url_query(url, query);
g_free(query);
+ g_free(url);
} else {
/* TODO: ARTIFACT POST */
}
+ xmlFree(url_artifact);
}
}
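Review bot: The result of `xmlURIEscapeStr()` is used unchecked in `g_strdup_printf("SAMLart=%s", url_artifact)`, and the same pattern is added in the `lasso_saml20_login_build_artifact_msg` hunk at -523. It returns NULL when `artifact` is NULL or when allocation fails, so a failed artifact generation would most likely end up as a redirect URL with a bogus `SAMLart` value rather than as an error. Checking `if (url_artifact == NULL)` and bailing out with an error before the query is built would surface the failure. The new `g_free(url);` also sits only in the ARTIFACT_GET branch, so `url` appears to leak on the ARTIFACT POST path; moving it next to `xmlFree(url_artifact);` would cover both branches. The function starts and ends outside this hunk, so whether `artifact` itself is released cannot be seen here.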
@@ -174,13 +177,24 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth
LassoSamlp2AuthnRequest *authn_request;
gchar *protocol_binding;
- request = authn_request = lasso_samlp2_authn_request_new();
- format = lasso_node_init_from_message(request, authn_request_msg);
- if (format == LASSO_MESSAGE_FORMAT_UNKNOWN ||
- format == LASSO_MESSAGE_FORMAT_ERROR) {
- return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
+ if (authn_request_msg == NULL) {
+ if (profile->request == NULL) {
+ return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST);
+ }
+
+ /* AuthnRequest already set by .._init_idp_initiated_authn_request */
+ request = profile->request;
+ } else {
+ request = lasso_samlp2_authn_request_new();
+ format = lasso_node_init_from_message(request, authn_request_msg);
+ if (format == LASSO_MESSAGE_FORMAT_UNKNOWN ||
+ format == LASSO_MESSAGE_FORMAT_ERROR) {
+ return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);
+ }
}
+ authn_request = LASSO_SAMLP2_AUTHN_REQUEST(request);
+
profile->request = request;
profile->remote_providerID = g_strdup(
LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer->content);
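Review bot: `LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer->content` on the last line of this hunk dereferences `Issuer` without a NULL check. In the `else` branch `request` has just been parsed from `authn_request_msg`, which is supplied by the remote party, so a message without an Issuer element would presumably leave the field NULL and crash the IdP at this point. A guard before the `g_strdup`, such as `if (LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Issuer == NULL) return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);`, would turn that into a protocol error. Two smaller points: the invalid-format return in the `else` branch drops the freshly created `request` without releasing it, and `profile->remote_providerID` is overwritten without freeing any earlier value, which looks relevant now that the IdP-initiated path reaches this code with a profile that was already initialised. The function body continues outside the hunk.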
@@ -523,9 +537,12 @@ lasso_saml20_login_build_artifact_msg(LassoLogin *login, LassoHttpMethod http_me
artifact = lasso_saml20_profile_generate_artifact(profile, 1);
login->assertionArtifact = g_strdup(artifact);
if (http_method == LASSO_HTTP_METHOD_ARTIFACT_GET) {
- gchar *query = g_strdup_printf("SAMLart=%s", artifact);
+ gchar *query;
+ char *url_artifact = xmlURIEscapeStr((xmlChar*)artifact, NULL);
+ query = g_strdup_printf("SAMLart=%s", url_artifact);
profile->msg_url = lasso_concat_url_query(url, query);
g_free(query);
+ xmlFree(url_artifact);
/* XXX: RelayState */
} else {
/* XXX: ARTIFACT POST */
@@ -778,7 +795,9 @@ lasso_saml20_login_get_assertion_consumer_service_url(LassoLogin *login,
LassoProvider *remote_provider)
{
char *url;
- LassoSamlp2AuthnRequest *request = LASSO_PROFILE(login)->request;
+ LassoSamlp2AuthnRequest *request;
+
+ request = LASSO_SAMLP2_AUTHN_REQUEST(LASSO_PROFILE(login)->request);
if (request->AssertionConsumerServiceURL) {
return g_strdup(request->AssertionConsumerServiceURL);
@@ -794,3 +813,25 @@ lasso_saml20_login_get_assertion_consumer_service_url(LassoLogin *login,
return lasso_saml20_provider_get_assertion_consumer_service_url(remote_provider, -1);
}
+gint
+lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
+ const gchar *remote_providerID)
+{
+ LassoProfile *profile = LASSO_PROFILE(login);
+ int rc;
+
+ rc = lasso_login_init_authn_request(login, remote_providerID, LASSO_HTTP_METHOD_POST);
+ if (rc)
+ return rc;
+
+ g_free(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID);
+ LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->ID = NULL;
+
+ g_free(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content);
+ LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content =
+ g_strdup(remote_providerID);
+
+ return 0;
+}
+
+
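Review bot: The synthetic request's issuer is set from the caller's argument, `g_strdup(remote_providerID)`, rather than from the provider that `lasso_login_init_authn_request()` actually selected. A NULL `remote_providerID` therefore leaves `Issuer->content` NULL, and `lasso_saml20_login_process_authn_request_msg` later copies that into `profile->remote_providerID`. If the init call can fall back to a default provider (not visible in this diff), `g_strdup(profile->remote_providerID)` would be the safer source; otherwise reject NULL up front with `g_return_val_if_fail(remote_providerID != NULL, ...)`. `Issuer` is also dereferenced without a check. The function has no comment explaining why the ID is cleared and the issuer rewritten; the ID-FF counterpart has one, and an equivalent here such as `/* no ID attribute or it would be used in the response; Issuer is the SP the IdP is acting for */` would help, assuming that is the intent.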
diff --git a/lasso/saml-2.0/loginprivate.h b/lasso/saml-2.0/loginprivate.h
index 8ed01b6d..eee1e6f2 100644
--- a/lasso/saml-2.0/loginprivate.h
+++ b/lasso/saml-2.0/loginprivate.h
@@ -52,6 +52,9 @@ gint lasso_saml20_login_build_response_msg(LassoLogin *login, gchar *remote_prov
gint lasso_saml20_login_process_response_msg(LassoLogin *login, gchar *response_msg);
gint lasso_saml20_login_accept_sso(LassoLogin *login);
+gint lasso_saml20_login_init_idp_initiated_authn_request(LassoLogin *login,
+ const gchar *remote_providerID);
+
#ifdef __cplusplus
}
#endif /* __cplusplus */