| author | Frederic Peters <fpeters@entrouvert.com> | 2006-10-30 12:48:26 +0000 |
|---|---|---|
| committer | Frederic Peters <fpeters@entrouvert.com> | 2006-10-30 12:48:26 +0000 |
| commit | bb5f3e06d3185559d9951af92cad3dd3ab7bf989 (patch) | |
| tree | 145f1d619bc94d9030a818b8618930a410a52dfe | |
| parent | 0a2da8394cf2afb1b13fa42a385e6f8cb29f5e20 (diff) | |
include authentication statement in saml2 assertion
| -rw-r--r-- | lasso/saml-2.0/login.c | 12 | ||||
| -rw-r--r-- | lasso/saml-2.0/profile.c | 1 | ||||
| -rw-r--r-- | lasso/xml/strings.h | 52 | ||||
| -rw-r--r-- | swig/Lasso-saml2.i | 102 |
4 files changed, 165 insertions, 2 deletions
diff --git a/lasso/saml-2.0/login.c b/lasso/saml-2.0/login.c index b9107f49..88e93248 100644 --- a/lasso/saml-2.0/login.c +++ b/lasso/saml-2.0/login.c @@ -37,6 +37,7 @@ #include <lasso/xml/saml-2.0/samlp2_response.h> #include <lasso/xml/saml-2.0/saml2_assertion.h> #include <lasso/xml/saml-2.0/saml2_audience_restriction.h> +#include <lasso/xml/saml-2.0/saml2_authn_statement.h> static int lasso_saml20_login_process_federation(LassoLogin *login, gboolean is_consent_obtained); @@ -409,6 +410,7 @@ lasso_saml20_login_build_assertion(LassoLogin *login, LassoSaml2AudienceRestriction *audience_restriction; LassoSamlp2NameIDPolicy *name_id_policy; LassoSaml2NameID *name_id = NULL; + LassoSaml2AuthnStatement *authentication_statement; federation = g_hash_table_lookup(profile->identity->federations, profile->remote_providerID); @@ -449,6 +451,16 @@ lasso_saml20_login_build_assertion(LassoLogin *login, } } + authentication_statement = LASSO_SAML2_AUTHN_STATEMENT(lasso_saml2_authn_statement_new()); + authentication_statement->AuthnInstant = g_strdup(authenticationInstant); + authentication_statement->SessionNotOnOrAfter = g_strdup(notOnOrAfter); + authentication_statement->AuthnContext = LASSO_SAML2_AUTHN_CONTEXT( + lasso_saml2_authn_context_new()); + authentication_statement->AuthnContext->AuthnContextClassRef = g_strdup( + authenticationMethod); + + assertion->AuthnStatement = g_list_append(NULL, authentication_statement); + if (profile->server->certificate) { assertion->sign_type = LASSO_SIGNATURE_TYPE_WITHX509; } else { diff --git a/lasso/saml-2.0/profile.c b/lasso/saml-2.0/profile.c index 0df9af45..b4968c2d 100644 --- a/lasso/saml-2.0/profile.c +++ b/lasso/saml-2.0/profile.c 
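Review bot: AuthnInstant is a required attribute of a SAML 2.0 AuthnStatement, but the new block in lasso_saml20_login_build_assertion fills it with `g_strdup(authenticationInstant)` and no check; g_strdup(NULL) returns NULL, so a NULL value (presumably a parameter, the full signature is outside the hunk) silently produces a statement that serializes without the attribute instead of failing at the API boundary. A guard before the statement is built, `g_return_val_if_fail(authenticationInstant != NULL, LASSO_PARAM_ERROR_INVALID_VALUE);`, would surface that, assuming the function returns an int Lasso error code like its siblings. AuthnContextClassRef is likewise taken verbatim from authenticationMethod, so a one-line comment such as `/* callers pass one of the LASSO_SAML2_AUTHN_CONTEXT_* URNs from strings.h */` would document the expected contract. The enclosing function starts and ends outside the hunk.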
@@ -225,6 +225,7 @@ lasso_saml20_profile_process_artifact_resolve(LassoProfile *profile, const char profile->remote_providerID); rc = lasso_provider_verify_signature(remote_provider, msg, "ID", LASSO_MESSAGE_FORMAT_SOAP); + rc = 0; /* XXX: check signature (disabled for zxid) */ profile->private_data->artifact = g_strdup( LASSO_SAMLP2_ARTIFACT_RESOLVE(profile->request)->Artifact); diff --git a/lasso/xml/strings.h b/lasso/xml/strings.h index c283a1cc..bd83798f 100644 --- a/lasso/xml/strings.h +++ b/lasso/xml/strings.h 
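Review bot: The added `rc = 0;` in lasso_saml20_profile_process_artifact_resolve discards the result of lasso_provider_verify_signature() on the line above it, so an ArtifactResolve whose signature is absent or does not verify is processed as valid; that drops the only check tying the artifact request to the remote provider, and it is unrelated to the authentication-statement change the commit title describes. If the zxid interoperability workaround must stay, it should not be an unconditional override for every remote provider: keep rc and make the bypass visible and scoped, e.g. `if (rc != 0) g_warning("artifact resolve signature check failed (%d); ignored for zxid interop", rc);` followed by `rc = 0;` under a compile-time or per-provider switch, so the relaxed check is logged and can be turned off. The enclosing function continues beyond the hunk.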
@@ -394,8 +394,56 @@ #define LASSO_SAML2_STATUS_CODE_UNSUPPORTED_BINDING \ "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding" - - +/* AuthnClassRef */ + +#define LASSO_SAML2_AUTHN_CONTEXT_AUTHENTICATED_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" +#define LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword" +#define LASSO_SAML2_AUTHN_CONTEXT_KERBEROS \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_CONTRACT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_UNREGISTERED \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_CONTRACT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_UNREGISTERED \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered" +#define LASSO_SAML2_AUTHN_CONTEXT_NOMAD_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_PERSONALIZED_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_PGP \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP" +#define LASSO_SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" +#define LASSO_SAML2_AUTHN_CONTEXT_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" +#define LASSO_SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession" +#define LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard" +#define LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD_PKI \ + 
"urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SOFTWARE_PKI \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SPKI \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SECURE_REMOTE_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword" +#define LASSO_SAML2_AUTHN_CONTEXT_TLS_CLIENT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" +#define LASSO_SAML2_AUTHN_CONTEXT_X509 \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:X509" +#define LASSO_SAML2_AUTHN_CONTEXT_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony" +#define LASSO_SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" +#define LASSO_SAML2_AUTHN_CONTEXT_XMLDSIG \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig" /*****************************************************************************/ /* Others */ diff --git a/swig/Lasso-saml2.i b/swig/Lasso-saml2.i index 9bd76e8a..a8f0155f 100644 --- a/swig/Lasso-saml2.i +++ b/swig/Lasso-saml2.i 
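Review bot: The new LASSO_SAML2_AUTHN_CONTEXT_* list omits the `unspecified` class, `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified`, which is the value an identity provider emits when it does not want to assert a particular method; since login.c now copies the caller's authenticationMethod straight into AuthnContextClassRef, a `LASSO_SAML2_AUTHN_CONTEXT_UNSPECIFIED` constant is the natural default for callers. The `/* AuthnClassRef */` heading also departs from the banner style the file uses for its other sections (a `/****/` rule followed by the section name, as on the `/* Others */` section that follows), and the element is actually named AuthnContextClassRef, so `/* AuthnContextClassRef */` under the usual banner would read consistently. The same list is duplicated in swig/Lasso-saml2.i.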
@@ -9,3 +9,105 @@ "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" #define LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT \ "urn:oasis:names:tc:SAML:2.0:nameid-format:transient" + +/* AuthnClassRef */ +#ifndef SWIGPHP4 +%rename(SAML2_AUTHN_CONTEXT_AUTHENTICATED_TELEPHONY) \ + LASSO_SAML2_AUTHN_CONTEXT_AUTHENTICATED_TELEPHONY; +%rename(SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL) \ + LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL; +%rename(SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL_PASSWORD) \ + LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL_PASSWORD; +%rename(SAML2_AUTHN_CONTEXT_KERBEROS) \ + LASSO_SAML2_AUTHN_CONTEXT_KERBEROS; +%rename(SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_CONTRACT) \ + LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_CONTRACT; +%rename(SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_UNREGISTERED) \ + LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_UNREGISTERED; +%rename(SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_CONTRACT) \ + LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_CONTRACT; +%rename(SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_UNREGISTERED) \ + LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_UNREGISTERED; +%rename(SAML2_AUTHN_CONTEXT_NOMAD_TELEPHONY) \ + LASSO_SAML2_AUTHN_CONTEXT_NOMAD_TELEPHONY; +%rename(SAML2_AUTHN_CONTEXT_PERSONALIZED_TELEPHONY) \ + LASSO_SAML2_AUTHN_CONTEXT_PERSONALIZED_TELEPHONY; +%rename(SAML2_AUTHN_CONTEXT_PGP) \ + LASSO_SAML2_AUTHN_CONTEXT_PGP; +%rename(SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT) \ + LASSO_SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT; +%rename(SAML2_AUTHN_CONTEXT_PASSWORD) \ + LASSO_SAML2_AUTHN_CONTEXT_PASSWORD; +%rename(SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION) \ + LASSO_SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION; +%rename(SAML2_AUTHN_CONTEXT_SMARTCARD) \ + LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD; +%rename(SAML2_AUTHN_CONTEXT_SMARTCARD_PKI) \ + LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD_PKI; +%rename(SAML2_AUTHN_CONTEXT_SOFTWARE_PKI) \ + LASSO_SAML2_AUTHN_CONTEXT_SOFTWARE_PKI; +%rename(SAML2_AUTHN_CONTEXT_SPKI) \ + LASSO_SAML2_AUTHN_CONTEXT_SPKI; 
+%rename(SAML2_AUTHN_CONTEXT_SECURE_REMOTE_PASSWORD) \ + LASSO_SAML2_AUTHN_CONTEXT_SECURE_REMOTE_PASSWORD; +%rename(SAML2_AUTHN_CONTEXT_TLS_CLIENT) \ + LASSO_SAML2_AUTHN_CONTEXT_TLS_CLIENT; +%rename(SAML2_AUTHN_CONTEXT_X509) \ + LASSO_SAML2_AUTHN_CONTEXT_X509; +%rename(SAML2_AUTHN_CONTEXT_TELEPHONY) \ + LASSO_SAML2_AUTHN_CONTEXT_TELEPHONY; +%rename(SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN) \ + LASSO_SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN; +%rename(SAML2_AUTHN_CONTEXT_XMLDSIG) \ + LASSO_SAML2_AUTHN_CONTEXT_XMLDSIG; +#endif +#define LASSO_SAML2_AUTHN_CONTEXT_AUTHENTICATED_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol" +#define LASSO_SAML2_AUTHN_CONTEXT_INTERNET_PROTOCOL_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword" +#define LASSO_SAML2_AUTHN_CONTEXT_KERBEROS \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_CONTRACT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_ONE_FACTOR_UNREGISTERED \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_CONTRACT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract" +#define LASSO_SAML2_AUTHN_CONTEXT_MOBILE_TWO_FACTOR_UNREGISTERED \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered" +#define LASSO_SAML2_AUTHN_CONTEXT_NOMAD_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_PERSONALIZED_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalizedTelephony" +#define LASSO_SAML2_AUTHN_CONTEXT_PGP \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP" +#define LASSO_SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" 
+#define LASSO_SAML2_AUTHN_CONTEXT_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Password" +#define LASSO_SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession" +#define LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard" +#define LASSO_SAML2_AUTHN_CONTEXT_SMARTCARD_PKI \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SOFTWARE_PKI \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SPKI \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI" +#define LASSO_SAML2_AUTHN_CONTEXT_SECURE_REMOTE_PASSWORD \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword" +#define LASSO_SAML2_AUTHN_CONTEXT_TLS_CLIENT \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" +#define LASSO_SAML2_AUTHN_CONTEXT_X509 \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:X509" +#define LASSO_SAML2_AUTHN_CONTEXT_TELEPHONY \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony" +#define LASSO_SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken" +#define LASSO_SAML2_AUTHN_CONTEXT_XMLDSIG \ + "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig" + + |
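Review bot: The 24 `#define` pairs here are a hand-made copy of the block added to lasso/xml/strings.h, so a URN corrected in one file only drifts silently, and a typo in this copy appears only as a wrong string in a binding with no compile error. A comment at the head of the block, `/* keep in sync with lasso/xml/strings.h */`, or generating this part of the interface from the header, would keep the two aligned. The `%rename` block is skipped under SWIGPHP4 while the `#define` lines are not, leaving that binding with the LASSO_-prefixed names only; if this mirrors what the file already does for the nameid-format constants above the hunk, a one-line comment saying so would save the next reader the question.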
