| author | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2010-10-13 14:18:06 +0200 |
|---|---|---|
| committer | Benjamin Dauvergne <bdauvergne@entrouvert.com> | 2010-10-13 14:18:06 +0200 |
| commit | 11434956dd8107dcdee5c10abc2641a3ef2d509b (patch) | |
| tree | 7e4ce8fa868f516ddd45e50ce167bf2b3bc27294 | |
| parent | 0bd4c25a24574eb80b81888e41dd7726ef000a9d (diff) | |
| parent | 48a7639e58df956b874a0d8ed30ab9e607433f85 (diff) | |
Merge branch 'hotfixes-2.3.4' into release
| -rw-r--r-- | NEWS | 23 | ||||
| -rw-r--r-- | configure.ac | 4 | ||||
| -rw-r--r-- | docs/lasso-book/figures/Makefile.am | 3 | ||||
| -rw-r--r-- | docs/reference/lasso/lasso-docs.sgml | 2 | ||||
| -rw-r--r-- | lasso.doap | 4 | ||||
| -rw-r--r-- | lasso/id-ff/login.c | 168 | ||||
| -rw-r--r-- | lasso/id-ff/provider.c | 14 | ||||
| -rw-r--r-- | lasso/id-ff/providerprivate.h | 2 | ||||
| -rw-r--r-- | lasso/saml-2.0/login.c | 2 | ||||
| -rw-r--r-- | lasso/saml-2.0/profile.c | 21 | ||||
| -rw-r--r-- | lasso/saml-2.0/provider.c | 33 | ||||
| -rw-r--r-- | lasso/xml/xml.c | 5 | ||||
| -rw-r--r-- | tests/integration/saml2/test_01_sso.py | 2 | ||||
| -rw-r--r-- | tests/non_regression_tests.c | 59 | ||||
| -rw-r--r-- | website/web/doap.rdf | 4 | ||||
| -rw-r--r-- | website/web/download/index.xml | 2 | ||||
| -rw-r--r-- | website/web/index.xml | 7 | ||||
| -rw-r--r-- | website/web/news/18-release-2.3.4.xml | 16 |
18 files changed, 313 insertions, 58 deletions
@@ -1,6 +1,29 @@ NEWS ==== +2.3.4 - Otober 8th 2010 +----------------------- + +21 commits, 18 files changed, 312 insertions, 58 deletions + +Generic + * fix warning for compiling on Pardus and EL5 + * the release tarball now contains the figures for the documentation + * lasso_login_process_authn_request documentation gained details on returned errors + +SAMLv2: + * report unknown provider instead of an error on parameter value when + resolving and artifact in an assertionConsumer endpoint and the provider is + not registered into the server object. + * lasso_provider_get_assertion_consumer_url now use specific SAMLv2 methods + * fixed a bug in the ordering of indexed endpoints which produced error when + looking up the default assertion consumer. It also improved ordering in + presence of the attribute isDefault="false". A non-regression test was + added for this functionality. + +ID-FFv1.2: + * respect the signature verify hint when handling authn requests + 2.3.3 - October 1st 2010 ------------------------ diff --git a/configure.ac b/configure.ac index 59c0a1f9..1ccb4146 100644 --- a/configure.ac +++ b/configure.ac @@ -15,7 +15,7 @@ dnl - Second number is the number of supported API versions where API version > dnl first number. dnl - Third number is the current API version implementation version number. dnl See libtool explanations about current, age and release, later in this file. -AC_INIT([lasso], 2.3.3, lasso-devel@lists.labs.libre-entreprise.org) +AC_INIT([lasso], 2.3.4, lasso-devel@lists.labs.libre-entreprise.org) dnl Check if autoconf ver > 2.53 AC_PREREQ(2.53) AC_CONFIG_MACRO_DIR([m4]) @@ -184,7 +184,7 @@ dnl - interfaces removed -> AGE = 0 # m = a # r = r current=`expr $VERSION_MAJOR + $VERSION_MINOR` -LASSO_VERSION_INFO="12:1:9" +LASSO_VERSION_INFO="12:2:9" AC_SUBST(LASSO_VERSION_INFO) dnl Compute the minimal supported ABI version for Win32 scripts and resources files. 
diff --git a/docs/lasso-book/figures/Makefile.am b/docs/lasso-book/figures/Makefile.am index 4873db98..dd23b956 100644 --- a/docs/lasso-book/figures/Makefile.am +++ b/docs/lasso-book/figures/Makefile.am @@ -49,4 +49,5 @@ slo-sp-soap-4.svg: slo-sp-soap.svg step.xsl slo-sp-soap-5.svg: slo-sp-soap.svg step.xsl slo-sp-soap-6.svg: slo-sp-soap.svg step.xsl -EXTRA_DIST = step.xsl sso-brws-art.svg sso-brws-post.svg slo-sp-soap.svg +EXTRA_DIST = step.xsl sso-brws-art.svg sso-brws-post.svg slo-sp-soap.svg \ + $(FIGURES_PNG_FILES) $(GENERATED_FIGURES_SVG_FILES) diff --git a/docs/reference/lasso/lasso-docs.sgml b/docs/reference/lasso/lasso-docs.sgml index 009813c6..e92d447e 100644 --- a/docs/reference/lasso/lasso-docs.sgml +++ b/docs/reference/lasso/lasso-docs.sgml @@ -21,7 +21,7 @@ </legalnotice> <copyright> - <year>2004, 2005, 2006, 2007, 2008, 2009</year> + <year>2004, 2005, 2006, 2007, 2008, 2009, 2010</year> <holder>Entr'ouvert</holder> </copyright> @@ -62,6 +62,10 @@ </repository> <release> <Version> + <created>2010-10-13</created> + <revision>2.3.4</revision> + </Version> + <Version> <created>2010-10-01</created> <revision>2.3.3</revision> </Version> diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index 85deb368..b605aff5 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -307,8 +307,6 @@ static void lasso_login_build_assertion_artifact(LassoLogin *login); * </para></listitem> * <listitem><para> * #LASSO_PROFILE_ERROR_MISSING_RESPONSE if no response object is present ( it is normally initialized - * </para></listitem> - * <listitem><para> * by lasso_login_process_authn_request_msg() ) * </para></listitem> * <listitem><para> 
@@ -876,17 +874,11 @@ lasso_login_build_assertion_artifact(LassoLogin *login) * </para></listitem> * <listitem><para> * LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no remote provider ID was setup in the login - * </para></listitem> - * <listitem><para> * profile object, it's usually done by lasso_login_process_authn_request_msg, * </para></listitem> * <listitem><para> * LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT - * </para></listitem> - * <listitem><para> * or LASSO_HTTP_METHOD_POST (ID-FF 1.2 case) or neither LASSO_HTTP_METHOD_ARTIFACT_GET or - * </para></listitem> - * <listitem><para> * LASSO_HTTP_METHOD_ARTIFACT_POST (SAML 2.0 case) for SAML 2.0), * </para></listitem> * <listitem><para> @@ -897,8 +889,6 @@ lasso_login_build_assertion_artifact(LassoLogin *login) * </para></listitem> * <listitem><para> * LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the remote provider is not known to our server object - * </para></listitem> - * <listitem><para> * which impeach us to find a service endpoint, * </para></listitem> * <listitem><para> 
@@ -1602,18 +1592,44 @@ lasso_login_init_authn_request(LassoLogin *login, const gchar *remote_providerID * binding. You must set the @response_http_method argument according to the way you received the * artifact message. * - * Return value: 0 on success; or a + * Return value: 0 on success; or + * <itemizedlist> + * <listitem> + * <para> * LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a #LassoLogin object, + * </para> + * </listitem> + * <listitem> + * <para> * LASSO_PARAM_ERROR_INVALID_VALUE if @response_msg is NULL, + * </para> + * </listitem> + * <listitem> + * <para> * LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT * or LASSO_HTTP_METHOD_POST (in the ID-FF 1.2 case) or neither LASSO_HTTP_METHOD_ARTIFACT_GET or * LASSO_HTTP_METHOD_ARTIFACT_POST (in the SAML 2.0 case), + * </para> + * </listitem> + * <listitem> + * <para> * LASSO_PROFILE_ERROR_MISSING_ARTIFACT if no artifact field was found in the query string (only * possible for the LASSO_HTTP_METHOD_REDIRECT case), + * </para> + * </listitem> + * <listitem> + * <para> * LASSO_PROFILE_ERROR_INVALID_ARTIFACT if decoding of the artifact failed -- whether because * the base64 encoding is invalid or because the type code is wrong --, + * </para> + * </listitem> + * <listitem> + * <para> * LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no provider ID could be found corresponding to * the hash contained in the artifact. + * </para> + * </listitem> + * </itemizedlist> * **/ gint 
@@ -1896,7 +1912,87 @@ lasso_login_must_authenticate(LassoLogin *login) * Processes received authentication request, checks it is signed correctly, * checks if requested protocol profile is supported, etc. * - * Return value: 0 on success; or a negative value otherwise. + * Return value: 0 on success; or + * <itemizedlist> + * <listitem> + * <para> + * #LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is no a #LassoLogin object, + * </para> + * </listitem> + * <listitem> + * <para> + * #LASSO_PROFILE_ERROR_MISSING_REQUEST if @authn_request_msg is #NULL and no request as actually + * been processed or initialized — see lasso_login_init_idp_initiated_authn_request(), + * + * </para> + * </listitem> + * <listitem> + * <para> + * #LASSO_PROFILE_ERROR_INVALID_MSG if the content of @authn_request_msg cannot be parsed to as a + * valid lib:AuthnRequest messages for any support binding (mainly HTTP-Redirect, HTTP-Post and + * SOAP), + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_PROFILE_ERROR_MISSING_ISSUER if the parsed samlp2:AuthnRequest does not have a proper Issuer element, + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_PROFILE_ERROR_INVALID_REQUEST if the parsed message does not validate as a valid + * samlp2:AuthnRequest (SAMLv2) i.e. 
if there is no Issuer, or mutually exclusive attributes are + * used (ProtocolBinding and AssertionConsumerServiceIndex), + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE if the protocolProfile (ID-FFv1.2) or the + * protocolBinding (SAMLv2) is unsupported by Lasso, + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE if the protocolProfile (ID-FFv1.2) or the protocolBinding + * (SAMLv2) for the AssertionConsumer is unsupported by this provider implementation as indicated by + * its metadata file, + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER, or + * #LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the metadata for the issuer of the request are absent + * from the #LassoServer object of this profile, + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_DS_ERROR_SIGNATURE_NOT_FOUND if no signature could be found and signature validation is + * forced — by the service provider metadata with the AuthnRequestsSigned attribute + * (ID-FFv1.2&SAMLv2), the attribute WantAuthnRequestsSigned in the identity provider metadata file + * (SAMLv2) or as advised by the lasso_profile_set_signature_verify_hint() method), + * </para> + * </listitem> + * <listitem> + * <para> + * + * #LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED if the signature validation failed on a present + * signature, + * </para> + * </listitem> + * <listitem> + * <para> + * #LASSO_DS_ERROR_INVALID_SIGNATURE if the signature was malformed and a signature was present, + * </para> + * </listitem> + * </itemizedlist> + * **/ gint lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_request_msg) 
@@ -1934,7 +2030,11 @@ lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_reque return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG); } - lasso_assign_new_gobject(profile->request, LASSO_NODE(request)); + lasso_assign_new_gobject(profile->request, request); + if (! LASSO_IS_LIB_AUTHN_REQUEST(profile->request)) { + lasso_release_gobject(profile->request); + return LASSO_PROFILE_ERROR_INVALID_MSG; + } /* get remote ProviderID */ lasso_assign_string(profile->remote_providerID, 
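Review bot: The new type check returns the bare code `return LASSO_PROFILE_ERROR_INVALID_MSG;`, while the failure path directly above it in this hunk uses `return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);`. A message that parses but is not a lib:AuthnRequest is therefore rejected without going through the same error wrapper. For consistency I would write `return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG);` here too, and put a short comment above the check, e.g. `/* reject any node that is not a lib:AuthnRequest before its fields are read */`. lasso_login_process_authn_request_msg starts and ends outside the hunk.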
@@ -1972,28 +2072,38 @@ lasso_login_process_authn_request_msg(LassoLogin *login, const char *authn_reque /* Check authnRequest signature. */ if (authn_request_msg != NULL) { + LassoProfileSignatureVerifyHint sig_verify_hint; + + sig_verify_hint = lasso_profile_get_signature_verify_hint(profile); remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID); - if (remote_provider != NULL) { - /* Is authnRequest signed ? */ - authnRequestSigned = lasso_provider_get_metadata_one( - remote_provider, "AuthnRequestsSigned"); - if (authnRequestSigned != NULL) { - must_verify_signature = strcmp(authnRequestSigned, "true") == 0; - lasso_release_string(authnRequestSigned); - } else { - /* missing element in metadata; shouldn't - * happen, assume true */ - must_verify_signature = TRUE; - } - } else { + if (remote_provider == NULL) { return critical_error(LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND); } - - /* verify request signature */ + /* Is authnRequest signed ? */ + must_verify_signature = TRUE; + authnRequestSigned = lasso_provider_get_metadata_one( + remote_provider, "AuthnRequestsSigned"); + if (authnRequestSigned != NULL) { + must_verify_signature = strcmp(authnRequestSigned, "true") == 0; + lasso_release_string(authnRequestSigned); + } + if (sig_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE) { + must_verify_signature = TRUE; + } + if (sig_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE) { + must_verify_signature = FALSE; + } + /* reset the signature_status, and if signature validation was not really needed + * just choke on the presence of an invalid signature, if no signature just goes on + * */ + profile->signature_status = 0; if (must_verify_signature) { ret = lasso_provider_verify_signature(remote_provider, authn_request_msg, "RequestID", format); - profile->signature_status = ret; + if (profile == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE && ret != + LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) { + profile->signature_status = 
ret; + } } } diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c index fe3f42be..23f54eee 100644 --- a/lasso/id-ff/provider.c +++ b/lasso/id-ff/provider.c @@ -145,6 +145,20 @@ lasso_provider_get_assertion_consumer_service_url(LassoProvider *provider, const char *name = NULL; char *assertion_consumer_service_url = NULL; + g_return_val_if_fail(LASSO_IS_PROVIDER(provider), NULL); + + if (provider->private_data->conformance == LASSO_PROTOCOL_SAML_2_0) { + long sid = -1; + if (service_id != NULL) { + if (lasso_string_to_xsd_integer(service_id, &sid)) { + if (sid < 0) { + sid = -1; + } + } + } + return lasso_saml20_provider_get_assertion_consumer_service_url(provider, sid); + } + if (service_id == NULL) service_id = provider->private_data->default_assertion_consumer; name = g_strdup_printf("AssertionConsumerServiceURL %s", service_id); diff --git a/lasso/id-ff/providerprivate.h b/lasso/id-ff/providerprivate.h index 66b9ad08..1adce734 100644 --- a/lasso/id-ff/providerprivate.h +++ b/lasso/id-ff/providerprivate.h @@ -49,7 +49,7 @@ struct EndpointType_s { char *url; char *return_url; int index; - gboolean is_default; + int is_default; }; typedef struct EndpointType_s EndpointType; diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c index aa892315..a75e4cc0 100644 --- a/lasso/saml-2.0/login.c +++ b/lasso/saml-2.0/login.c @@ -288,7 +288,7 @@ lasso_saml20_login_process_authn_request_msg(LassoLogin *login, const char *auth lasso_check_good_rc(lasso_saml20_profile_process_any_request(profile, request, authn_request_msg)); } if (! LASSO_IS_SAMLP2_AUTHN_REQUEST(request)) { - return critical_error(LASSO_PROFILE_ERROR_MISSING_REQUEST); + return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG); } authn_request = LASSO_SAMLP2_AUTHN_REQUEST(request); /* intialize the response */ diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c index 18f7d64c..1948e6cc 100644 --- a/lasso/saml-2.0/profile.c +++ b/lasso/saml-2.0/profile.c 
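Review bot: The guard `if (profile == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE && ret != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND)` compares `profile`, which is used as a pointer throughout this hunk, with a hint constant; it was presumably meant to test `sig_verify_hint`. Because `profile->signature_status` is reset to 0 just before, the result of lasso_provider_verify_signature() is stored only when that comparison holds, so a failed verification can leave the status at 0. Even with the operand corrected, the store is gated on the MAYBE hint, so a failure under LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE, or when the metadata sets AuthnRequestsSigned, would not be recorded. I would keep `profile->signature_status = ret;` unconditional inside `if (must_verify_signature)` and skip it only when `sig_verify_hint == LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE && ret == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND`. The function continues outside the hunk, so whether `ret` is examined later is not visible here.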
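Review bot: In the new SAML 2.0 branch of lasso_provider_get_assertion_consumer_service_url, a `service_id` that is non-NULL but does not parse, or parses to a negative value, leaves `sid` at -1 and is passed on as if no index had been given. If -1 selects the default endpoint in lasso_saml20_provider_get_assertion_consumer_service_url() (not visible here), a malformed index is answered with the default URL rather than NULL. That choice deserves a comment such as `/* unparsable or negative service_id: fall back to the default endpoint (sid = -1) */`, or a `return NULL;` when parsing fails. The branch also reads `provider->private_data->conformance` without checking `private_data`; the existing code below does the same, so a guard is only needed if that pointer can be NULL after LASSO_IS_PROVIDER succeeds.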
@@ -345,6 +345,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char { LassoProvider *remote_provider; int rc = 0; + LassoProfileSignatureVerifyHint sig_verify_hint; /* FIXME: parse only one time the message, reuse the parsed document for signature * validation */ @@ -355,13 +356,21 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char if (! LASSO_IS_SAMLP2_ARTIFACT_RESOLVE(profile->request)) { return critical_error(LASSO_PROFILE_ERROR_INVALID_MSG); } + lasso_assign_string(profile->private_data->artifact, + LASSO_SAMLP2_ARTIFACT_RESOLVE(profile->request)->Artifact); + + sig_verify_hint = lasso_profile_get_signature_verify_hint(profile); lasso_assign_string(profile->remote_providerID, LASSO_SAMLP2_REQUEST_ABSTRACT( profile->request)->Issuer->content); remote_provider = lasso_server_get_provider(profile->server, profile->remote_providerID); - profile->signature_status = lasso_provider_verify_signature(remote_provider, msg, "ID", - LASSO_MESSAGE_FORMAT_SOAP); + goto_cleanup_if_fail_with_rc(remote_provider, LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER); + + if (sig_verify_hint != LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE) { + profile->signature_status = lasso_provider_verify_signature(remote_provider, msg, "ID", + LASSO_MESSAGE_FORMAT_SOAP); + } switch (lasso_profile_get_signature_verify_hint(profile)) { case LASSO_PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: @@ -374,9 +383,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char break; } - lasso_assign_string(profile->private_data->artifact, - LASSO_SAMLP2_ARTIFACT_RESOLVE(profile->request)->Artifact); - +cleanup: return rc; } 
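Review bot: In the -355 hunk, `LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer->content` is read with no check that `Issuer` is set. Unless the parsing step before this hunk guarantees it, an ArtifactResolve without an Issuer element is a NULL dereference on a received message. The hunk already adds `goto_cleanup_if_fail_with_rc(remote_provider, LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER);`; an equivalent guard before the lasso_assign_string() call, `goto_cleanup_if_fail_with_rc(LASSO_SAMLP2_REQUEST_ABSTRACT(profile->request)->Issuer != NULL, LASSO_PROFILE_ERROR_MISSING_ISSUER);`, would close it. Separately, when the hint is LASSO_PROFILE_SIGNATURE_VERIFY_HINT_IGNORE, `profile->signature_status` is no longer assigned, so a value from earlier use of the profile object survives; `profile->signature_status = 0;` before the conditional would match what the ID-FF login path in this commit does. The switch that consumes the status is only partly inside the hunks shown.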
@@ -1537,7 +1544,7 @@ lasso_profile_saml20_setup_message_signature(LassoProfile *profile, LassoNode *r } else { request->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; } - request->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1; + request->sign_method = profile->server->signature_method; lasso_assign_string(request->private_key_file, profile->server->private_key); lasso_assign_string(request->certificate_file, @@ -1555,7 +1562,7 @@ lasso_profile_saml20_setup_message_signature(LassoProfile *profile, LassoNode *r } else { response->sign_type = LASSO_SIGNATURE_TYPE_SIMPLE; } - response->sign_method = LASSO_SIGNATURE_METHOD_RSA_SHA1; + response->sign_method = profile->server->signature_method; lasso_assign_string(response->private_key_file, profile->server->private_key); lasso_assign_string(response->certificate_file, diff --git a/lasso/saml-2.0/provider.c b/lasso/saml-2.0/provider.c index bc9e70f1..67ecc9f8 100644 --- a/lasso/saml-2.0/provider.c +++ b/lasso/saml-2.0/provider.c @@ -24,6 +24,8 @@ #define _POSIX_SOURCE +#include <errno.h> + #include "../xml/private.h" #include <xmlsec/base64.h> #include <xmlsec/xmltree.h> @@ -145,7 +147,7 @@ load_endpoint_type2(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole xmlChar *isDefault = getSaml2MdProp(xmlnode, LASSO_SAML2_METADATA_ATTRIBUTE_ISDEFAULT); gboolean indexed_endpoint = FALSE; int idx = *counter++; - gboolean is_default = FALSE; + int is_default = 0; EndpointType *endpoint_type; if (! binding || ! location) { 
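Review bot: Nothing visible shows where `profile->server->signature_method` is initialised or validated, yet this hunk and the `response->sign_method` one at -1555 now take the signing algorithm from it in place of the fixed LASSO_SIGNATURE_METHOD_RSA_SHA1. If a server object can reach this point with the field unset, messages would be signed with whatever value it holds. A comment stating the contract (once confirmed), e.g. `/* server->signature_method is always set when the LassoServer is created */`, or an explicit fallback to the previous constant, would make this safe to read. lasso_profile_saml20_setup_message_signature extends beyond both hunks.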
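Review bot: The context line `int idx = *counter++;` in load_endpoint_type2 parses as `*(counter++)`, so it advances the local pointer and leaves the value `counter` points to unchanged. If the intent is to hand out increasing positions to successive endpoints, which the name suggests but the hunk does not show, it should read `int idx = (*counter)++;`. The line is untouched by this commit but sits directly beside the `is_default` change; how `idx` is used afterwards is outside the hunk.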
@@ -158,7 +160,18 @@ load_endpoint_type2(xmlNode *xmlnode, LassoProvider *provider, LassoProviderRole warning("Invalid AssertionConsumerService, no index set"); goto cleanup; } - is_default = xsdIsTrue(isDefault); + /* isDefault is 0 if invalid or not present + * -1 if true (comes first) + * +1 if false (comes last) + */ + if (isDefault) { + if (xsdIsTrue(isDefault)) { + is_default = -1; + } + if (xsdIsFalse(isDefault)) { + is_default = 1; + } + } } endpoint_type = g_new0(EndpointType, 1); endpoint_type->kind = g_strdup((char*)xmlnode->name); @@ -182,6 +195,13 @@ static gint compare_endpoint_type(const EndpointType *a, const EndpointType *b) { int c; + /* order the sequence of endpoints: + * - first by role, + * - then by profile, + * - then by isDefault attribute (truth first, then absent, then false) + * - then by index + * - then by binding + */ if (a->role < b->role) return -1; if (a->role > b->role) @@ -189,12 +209,9 @@ compare_endpoint_type(const EndpointType *a, const EndpointType *b) { c = g_strcmp0(a->kind,b->kind); if (c != 0) return c; - c = g_strcmp0(a->binding,b->binding); - if (c != 0) - return c; - if (a->is_default && ! b->is_default) + if (a->is_default < b->is_default) return -1; - if (! a->is_default && b->is_default) + if (a->is_default > b->is_default) return +1; if (a->index < b->index) return -1; @@ -675,7 +692,7 @@ lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(LassoProvide lasso_strisequal(endpoint_type->kind,kind) && lasso_strisequal(endpoint_type->binding,binding)) { - return endpoint_type->url; + return g_strdup(endpoint_type->url); } } return NULL; diff --git a/lasso/xml/xml.c b/lasso/xml/xml.c index e143bbff..0251d479 100644 --- a/lasso/xml/xml.c +++ b/lasso/xml/xml.c @@ -31,9 +31,12 @@ * */ +#define _GNU_SOURCE /* for use of strndup */ + #include "private.h" #include <ctype.h> - +#include <errno.h> +#include <string.h> #include <xmlsec/base64.h> #include <xmlsec/xmltree.h> 
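Review bot: The ordering comment added to compare_endpoint_type lists `then by binding` as the last key, but the -189 hunk removes the only `g_strcmp0(a->binding,b->binding)` comparison visible in the function. Unless a binding comparison follows the index comparison below the hunk, either the comment should drop that line or the tie-break should be added after the index test as `return g_strcmp0(a->binding, b->binding);`. The end of the function is outside the hunk.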
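Review bot: Returning `g_strdup(endpoint_type->url)` in the -675 hunk changes ownership, and the function's documentation should say so. Callers of lasso_saml20_provider_get_assertion_consumer_service_url_by_binding() now receive a copy they must release, and any caller that still treats the result as borrowed will leak it. A suitable doc line would be `Return value: a newly allocated string, or NULL if no endpoint matches; free it with g_free()`. The new non-regression test in this commit passes the results of the related getter straight to check_str_equals() without freeing them, which is worth checking against the same contract.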
diff --git a/tests/integration/saml2/test_01_sso.py b/tests/integration/saml2/test_01_sso.py index 6efe8a56..04f396d3 100644 --- a/tests/integration/saml2/test_01_sso.py +++ b/tests/integration/saml2/test_01_sso.py @@ -47,7 +47,7 @@ go http://localhost:10002 fv 1 is_passive true submit url http://localhost:10002 -find 'Unknown authentication failure' +find 'Authentication failure' ''') diff --git a/tests/non_regression_tests.c b/tests/non_regression_tests.c index 208bc30d..03f6045f 100644 --- a/tests/non_regression_tests.c +++ b/tests/non_regression_tests.c @@ -32,6 +32,7 @@ #include <../lasso/xml/lib_authentication_statement.h> #include <../lasso/xml/saml_name_identifier.h> #include <../lasso/xml/samlp_response.h> +#include <../lasso/id-ff/provider.h> #include "../lasso/utils.h" 
@@ -81,11 +82,67 @@ Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\"\n\ } END_TEST +START_TEST(indexed_endpoints_20101008) +{ + LassoProvider *provider = NULL; + char *meta01 = "<md:EntityDescriptor entityID=\"google.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\ +<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"wrong\" index=\"1\" />\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"ok\" index=\"0\" />\n\ +</SPSSODescriptor>\n\ +</md:EntityDescriptor>\n"; + char *meta02 = "<md:EntityDescriptor entityID=\"google.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\ +<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"wrong\" index=\"0\" isDefault=\"false\" />\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"ok\" index=\"1\" />\n\ +</SPSSODescriptor>\n\ +</md:EntityDescriptor>\n"; + char *meta03 = "<md:EntityDescriptor entityID=\"google.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\ +<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"wrong\" index=\"0\" isDefault=\"false\" />\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"ok\" index=\"1\" />\n\ +</SPSSODescriptor>\n\ 
+</md:EntityDescriptor>\n"; + char *meta04 = "<md:EntityDescriptor entityID=\"google.com\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\">\n\ +<SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact\" Location=\"wrong\" index=\"0\" />\n\ +<AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"ok\" index=\"1\" isDefault=\"true\" />\n\ +</SPSSODescriptor>\n\ +</md:EntityDescriptor>\n"; + + provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta01, NULL, NULL); + check_not_null(provider); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "ok"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "wrong"); + lasso_release_gobject(provider); + provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta02, NULL, NULL); + check_not_null(provider); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + lasso_release_gobject(provider); + provider = lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta03, NULL, NULL); + check_not_null(provider); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + lasso_release_gobject(provider); + provider = 
lasso_provider_new_from_buffer(LASSO_PROVIDER_ROLE_SP, meta04, NULL, NULL); + check_not_null(provider); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, NULL), "ok"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "0"), "wrong"); + check_str_equals(lasso_provider_get_assertion_consumer_service_url(provider, "1"), "ok"); + lasso_release_gobject(provider); +} +END_TEST + struct { char *name; void *function; } tests[] = { - { "Googleapps error from coudot@ on 27-09-2010", test01_googleapps_27092010} + { "Googleapps error from coudot@ on 27-09-2010", test01_googleapps_27092010}, + { "Wrong assertionConsumer ordering on 08-10-2010", indexed_endpoints_20101008} }; Suite* diff --git a/website/web/doap.rdf b/website/web/doap.rdf index 81d9fe85..b1e171d0 100644 --- a/website/web/doap.rdf +++ b/website/web/doap.rdf @@ -62,6 +62,10 @@ </repository> <release> <Version> + <created>2010-10-13</created> + <revision>2.3.4</revision> + </Version> + <Version> <created>2010-10-01</created> <revision>2.3.3</revision> </Version> diff --git a/website/web/download/index.xml b/website/web/download/index.xml index df890276..e4fd34fc 100644 --- a/website/web/download/index.xml +++ b/website/web/download/index.xml @@ -10,7 +10,7 @@ <p> Lasso is licensed under the GNU GPL and the latest release is available here as a gzipped tarball: - <a href="https://dev.entrouvert.org/attachments/download/15/lasso-2.3.2.tar.gz">lasso-2.3.2.tar.gz</a> + <a href="https://dev.entrouvert.org/lasso/lasso-2.3.4.tar.gz">lasso-2.3.4.tar.gz</a> </p> <h2>Binary Downloads</h2> diff --git a/website/web/index.xml b/website/web/index.xml index cf2e521d..d3d65f5c 100644 --- a/website/web/index.xml +++ b/website/web/index.xml 
@@ -46,10 +46,9 @@ </p> <p> - The most recent version of Lasso is <strong>2.3.3</strong>. You can - <a - href="https://dev.entrouvert.org/attachments/download/15/lasso-2.3.2.tar.gz">download - the 2.3.2 tarball here</a> or get more options on the general <a + The most recent version of Lasso is <strong>2.3.4</strong>. You can + <a href="https://dev.entrouvert.org/lasso/lasso-2.3.4.tar.gz">download + the 2.3.4 tarball here</a> or get more options on the general <a href="/download/">download</a> page. </p> diff --git a/website/web/news/18-release-2.3.4.xml b/website/web/news/18-release-2.3.4.xml new file mode 100644 index 00000000..d5fa268d --- /dev/null +++ b/website/web/news/18-release-2.3.4.xml @@ -0,0 +1,16 @@ +<?xml version="1.0"?> +<div xmlns="http://www.w3.org/1999/xhtml"> +<h3>2010-10-13: Released 2.3.4</h3> + + <p> + Lasso 2.3.4 have been released. + <a href="/download/">Download 2.3.4 now</a> + </p> + + <p class="changes"> + <strong>What changed ?</strong> + Fix bug on ordering of assertionConsumer endpoints, and problem of + compilation on Pardus and EL5 distributions. + </p> + +</div> |
