| -rw-r--r-- | lasso/id-ff/login.c | 2 | ||||
| -rw-r--r-- | lasso/id-ff/logout.c | 5 | ||||
| -rw-r--r-- | lasso/id-ff/profile.c | 22 |
3 files changed, 27 insertions, 2 deletions
diff --git a/lasso/id-ff/login.c b/lasso/id-ff/login.c index f1529c39..4f8841d6 100644 --- a/lasso/id-ff/login.c +++ b/lasso/id-ff/login.c @@ -472,7 +472,6 @@ lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method) /* build artifact infos */ remote_provider = g_hash_table_lookup(LASSO_PROFILE(login)->server->providers, LASSO_PROFILE(login)->remote_providerID); - /* liberty-idff-bindings-profiles-v1.2.pdf p.25 */ url = lasso_provider_get_metadata_one(remote_provider, "AssertionConsumerServiceURL"); if (url == NULL) { return critical_error(LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL); @@ -480,6 +479,7 @@ lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method) identityProviderSuccinctID = lasso_sha1( LASSO_PROVIDER(LASSO_PROFILE(login)->server)->ProviderID); + /* Artifact Format is described in "Binding Profiles", 3.2.2.2. */ memcpy(samlArt, "\000\003", 2); /* type code */ memcpy(samlArt+2, identityProviderSuccinctID, 20); lasso_build_random_sequence(samlArt+22, 20); diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c index 5a8a38ff..afbf48af 100644 --- a/lasso/id-ff/logout.c +++ b/lasso/id-ff/logout.c @@ -520,6 +520,11 @@ lasso_logout_process_response_msg(LassoLogout *logout, gchar *response_msg) if (strcmp(statusCodeValue, LASSO_SAML_STATUS_CODE_SUCCESS) != 0) { /* At SP, if the request method was a SOAP type, then rebuild the request * message with HTTP method */ + + /* takes lower-level StatusCode if available */ + if (response->Status->StatusCode && response->Status->StatusCode->StatusCode) + statusCodeValue = response->Status->StatusCode->StatusCode->Value; + if (strcmp(statusCodeValue, LASSO_LIB_STATUS_CODE_UNSUPPORTED_PROFILE) == 0 && remote_provider->role == LASSO_PROVIDER_ROLE_IDP && logout->initial_http_request_method == LASSO_HTTP_METHOD_SOAP) { diff --git a/lasso/id-ff/profile.c b/lasso/id-ff/profile.c index 869a0e10..b0989e3f 100644 --- a/lasso/id-ff/profile.c +++ b/lasso/id-ff/profile.c 
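Review bot: In the logout.c hunk, the new lookup checks that the nested `StatusCode` pointer exists but not that its `Value` does, so a response whose second-level `<samlp:StatusCode>` has no Value attribute would pass NULL to the `strcmp` calls that follow. This function parses a message received from the peer provider, so the value should be treated as untrusted; extend the condition with `&& response->Status->StatusCode->StatusCode->Value` and brace the body. Note also that `statusCodeValue` is overwritten in place, so any later use of it in this function (outside the hunk) now sees the second-level code rather than the top-level one. A short comment saying that this is intended would help the next reader.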
@@ -189,9 +189,29 @@ lasso_profile_set_response_status(LassoProfile *ctx, const char *statusCodeValue { LassoSamlpStatus *status; + /* protocols-schema 1.2 (errata 2.0), page 9 + * + * 3.1.9. Response Status Codes + * + * All Liberty response messages use <samlp: StatusCode> elements to + * indicate the status of a corresponding request. Responders MUST + * comply with the rules governing <samlp: StatusCode> elements + * specified in [SAMLCore11] regarding the use of nested second-, or + * lower-level response codes to provide specific information relating + * to particular errors. A number of status codes are defined within + * the Liberty namespace for use with this specification. + */ + status = lasso_samlp_status_new(); status->StatusCode = lasso_samlp_status_code_new(); - status->StatusCode->Value = g_strdup(statusCodeValue); + + if (strcmp(statusCodeValue, LASSO_SAML_STATUS_CODE_SUCCESS) == 0) { + status->StatusCode->Value = g_strdup(statusCodeValue); + } else { + status->StatusCode->Value = g_strdup(LASSO_SAML_STATUS_CODE_RESPONDER); + status->StatusCode->StatusCode = lasso_samlp_status_code_new(); + status->StatusCode->StatusCode->Value = g_strdup(statusCodeValue); + } if (LASSO_IS_SAMLP_RESPONSE(ctx->response)) { LassoSamlpResponse *response = LASSO_SAMLP_RESPONSE(ctx->response); |
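Review bot: The new `strcmp(statusCodeValue, LASSO_SAML_STATUS_CODE_SUCCESS)` dereferences `statusCodeValue` unconditionally, whereas the removed line passed it only to `g_strdup`, which tolerates NULL. A caller that passes NULL would therefore crash here instead of producing an empty Value. Guard it at the top of the function, for example `if (statusCodeValue == NULL) statusCodeValue = LASSO_SAML_STATUS_CODE_RESPONDER;`, or reject NULL explicitly; the function's return type is outside the hunk, so the exact form depends on it. Separately, every non-success value is now nested under Responder, so if any caller passes a value that is itself a top-level SAML code (Requester, VersionMismatch), the response will attribute the fault to the wrong party. It is worth stating in the comment that only Liberty second-level codes are expected here.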
