author | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2010-05-31 11:19:26 +0000 |
---|---|---|
committer | manu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53> | 2010-05-31 11:19:26 +0000 |
commit | 6d2d83d8f8792acad49ff36155df72eee373b6a7 (patch) | |
tree | badbc94a7e0f22fd2c61318e420579a934c76481 | |
parent | 40950a7b66ed2999494fdaeab3bddb5b58ad8268 (diff) | |
Shibboleth 2 interoperability. This is achieved by increasing the
storage for attributes, as OID-named attributes sent by the Shibboleth
IdP consume quite some space.
There is also a required Destination attribute in AuthnRequest elements.
It is set by the trunk version of lasso, but not by any currently released
version, hence we set it ourselves if it is not already done.
git-svn-id: https://modmellon.googlecode.com/svn/trunk@85 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | auth_mellon.h | 6 | ||||
-rw-r--r-- | auth_mellon_handler.c | 13 | ||||
-rw-r--r-- | auth_mellon_util.c | 36 |
4 files changed, 55 insertions, 2 deletions
@@ -3,6 +3,8 @@ Version 0.2.7
 * Optionaly ave the remote IdP entityId in the environment
+* Shibboleth 2 interoperability
+
 Version 0.2.6
 ---------------------------------------------------------------------------
diff --git a/auth_mellon.h b/auth_mellon.h
index 0c66868..8f45ec9 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -70,8 +70,8 @@
 #define AM_CACHE_ENVSIZE 128
 #define AM_CACHE_USERSIZE 512
 #define AM_CACHE_MAX_LASSO_IDENTITY_SIZE 1024
-#define AM_CACHE_MAX_LASSO_SESSION_SIZE 8192
-#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 16384
+#define AM_CACHE_MAX_LASSO_SESSION_SIZE 32768
+#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 65536
 /* This is the length of the session id we use.
@@ -277,6 +277,8 @@ const char *am_get_header_attr(request_rec *r, const char *h,
 int am_has_header(request_rec *r, const char *h, const char *v);
 const char *am_get_mime_header(request_rec *r, const char *m, const char *h);
 const char *am_get_mime_body(request_rec *r, const char *mime);
+char *am_get_service_url(request_rec *r,
+ LassoProfile *profile, char *service_name);
 int am_auth_mellon_user(request_rec *r);
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 57cecd9..1fcdb5f 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
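Review bot: The raised AM_CACHE_MAX_LASSO_SESSION_SIZE and AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE values are still hard caps, so an IdP sending more OID-named attributes than fit in 65536 bytes hits the same failure this commit works around, just later. The code that copies into these buffers is outside the diff, so I cannot tell whether an oversize session or response is rejected or silently truncated; if it is truncated, that is the more dangerous outcome for a cached SAML response and deserves a log line at the copy site. At minimum the defines should say why they were enlarged, e.g. `/* Sized for Shibboleth 2 IdPs, which send OID-named attributes; larger responses are not cached */`, adjusted to whatever the copy site actually does. Whether these sizes also scale a shared-memory segment (and so need an operator-facing note) is not visible here either.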
@@ -2186,6 +2186,19 @@ static int am_auth_new_ticket(request_rec *r)
 LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Consent = g_strdup(LASSO_SAML2_CONSENT_IMPLICIT);
+
+ /*
+ * Make sure the Destination attribute is set to the IdP
+ * SingleSignOnService endpoint. This is required for
+ * Shibboleth 2 interoperability, and older versions of
+ * lasso (at least up to 2.2.91) did not do it.
+ * XXX Here we assume HTTP-Redirect method
+ */
+ if (LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Destination == NULL)
+ LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Destination =
+ am_get_service_url(r, LASSO_PROFILE(login),
+ "SingleSignOnService HTTP-Redirect");
+
 LASSO_PROFILE(login)->msg_relayState = g_strdup(relay_state);
 ret = lasso_login_build_authn_request_msg(login);
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 6e4a629..576a2dc 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
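Review bot: A NULL return from am_get_service_url is silently accepted at the Destination assignment: the AuthnRequest is then built with no Destination after only a WARNING, so the interoperability failure this commit targets would surface as an opaque rejection at the IdP rather than a local error. Since the metadata lookup failing means the SP does not know where it is sending the request, it seems better to fail the ticket here, with a second check after the assignment, `if (LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Destination == NULL) return <the error am_auth_new_ticket uses for other failures>;` — the function's error convention is outside the hunk, so match whatever it does elsewhere. The hard-coded "HTTP-Redirect" binding the XXX comment already flags matters for the same reason: an IdP that validates Destination will refuse the request if lasso actually emits it over a different binding, so the binding should be derived from the one lasso_login_build_authn_request_msg will use if that is available. am_auth_new_ticket starts and ends outside the hunk.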
@@ -1204,3 +1204,39 @@ const char *am_get_mime_body(request_rec *r, const char *mime)
 /* Turn back LF into CRLF */
 return am_add_cr(r, body);
 }
+
+/* This function returns the URL for a given provider service (type + method)
+ *
+ * Parameters:
+ * request_rec *r The request
+ * LassoProfile *profile Login profile
+ * char *endpoint_name Service and method as specified in metadata
+ * e.g.: "SingleSignOnService HTTP-Redirect"
+ * Returns:
+ * The endpoint URL that must be freed by caller, or NULL on failure.
+ */
+char *
+am_get_service_url(request_rec *r, LassoProfile *profile, char *service_name)
+{
+ LassoProvider *provider;
+ gchar *url;
+
+ provider = lasso_server_get_provider(profile->server,
+ profile->remote_providerID);
+ if (LASSO_IS_PROVIDER(provider) == FALSE) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "Cannot find provider service %s, no provider.",
+ service_name);
+ return NULL;
+ }
+
+ url = lasso_provider_get_metadata_one(provider, service_name);
+ if (url == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "Cannot find provider service %s from metadata.",
+ service_name);
+ return NULL;
+ }
+
+ return url;
+} |
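Review bot: The header comment documents a parameter `endpoint_name` that does not exist; the signature names it `service_name`, so the doc entry should read `char *service_name  Service and method as specified in metadata`. The parameter is only forwarded to lasso_provider_get_metadata_one and a log format, and the one caller in this commit passes a string literal, so it could be `const char *service_name` here and in the auth_mellon.h prototype. The "must be freed by caller" ownership note is worth a second look against the handler.c caller, which stores the pointer in the request's Destination field instead of freeing it — presumably lasso releases it with the request, but that is not visible in this diff and should be confirmed. Neither warning path distinguishes a NULL `profile->remote_providerID` (the lookup runs before the request is fully initialized if called early); if that is possible, a guard before lasso_server_get_provider would give a clearer log message.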