authormanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2010-05-31 11:19:26 +0000
committermanu@netbsd.org <manu@netbsd.org@a716ebb1-153a-0410-b759-cfb97c6a1b53>2010-05-31 11:19:26 +0000
commit6d2d83d8f8792acad49ff36155df72eee373b6a7 (patch)
treebadbc94a7e0f22fd2c61318e420579a934c76481
parent40950a7b66ed2999494fdaeab3bddb5b58ad8268 (diff)
Shibboleth 2 interoperability. This is achieved by increasing the
storage for attributes, as the OID-named attributes sent by the Shibboleth IdP consume quite some space. There is also a required Destination attribute in AuthnRequest elements. It is set by the trunk version of lasso, but not by any currently released version, hence we set it ourselves if it is missing. git-svn-id: https://modmellon.googlecode.com/svn/trunk@85 a716ebb1-153a-0410-b759-cfb97c6a1b53
-rw-r--r--NEWS2
-rw-r--r--auth_mellon.h6
-rw-r--r--auth_mellon_handler.c13
-rw-r--r--auth_mellon_util.c36
4 files changed, 55 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 47a94af..2f8523e 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ Version 0.2.7
* Optionaly ave the remote IdP entityId in the environment
+* Shibboleth 2 interoperability
+
Version 0.2.6
---------------------------------------------------------------------------
diff --git a/auth_mellon.h b/auth_mellon.h
index 0c66868..8f45ec9 100644
--- a/auth_mellon.h
+++ b/auth_mellon.h
@@ -70,8 +70,8 @@
#define AM_CACHE_ENVSIZE 128
#define AM_CACHE_USERSIZE 512
#define AM_CACHE_MAX_LASSO_IDENTITY_SIZE 1024
-#define AM_CACHE_MAX_LASSO_SESSION_SIZE 8192
-#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 16384
+#define AM_CACHE_MAX_LASSO_SESSION_SIZE 32768
+#define AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE 65536
/* This is the length of the session id we use.
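Review bot: The two new limits quadruple AM_CACHE_MAX_LASSO_SESSION_SIZE and AM_CACHE_MAX_LASSO_SAML_RESPONSE_SIZE without any note on where the memory comes from; if, as the AM_CACHE_ prefix suggests, these size fixed arrays inside each cache entry (not visible in this hunk), every entry grows by about 72 KiB and the shared-memory segment grows by that times the configured entry count, which deserves a line in NEWS or a check against the default cache size. A short why-comment above the defines would also stop the next reader from "tidying" them back down: `/* Sized for Shibboleth 2 IdPs: OID-named attributes make sessions and responses much larger than the old 8K/16K limits. */`. Worth confirming the header that defines the cache entry struct still compiles with the larger arrays on platforms with small shared-memory defaults.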
@@ -277,6 +277,8 @@ const char *am_get_header_attr(request_rec *r, const char *h,
int am_has_header(request_rec *r, const char *h, const char *v);
const char *am_get_mime_header(request_rec *r, const char *m, const char *h);
const char *am_get_mime_body(request_rec *r, const char *mime);
+char *am_get_service_url(request_rec *r,
+ LassoProfile *profile, char *service_name);
int am_auth_mellon_user(request_rec *r);
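Review bot: The new prototype takes `char *service_name` although the only caller in this commit passes a string literal and the function never writes through the pointer, so it should be `const char *` to keep the call const-correct and to document that the string is not modified: `char *am_get_service_url(request_rec *r, LassoProfile *profile, const char *service_name);` (with the matching change in the definition in auth_mellon_util.c). It would also help to state the ownership contract here, since the header is what callers read: the returned string is allocated by lasso and must be released by the caller with g_free, and NULL is returned when the provider or endpoint is not found.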
diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
index 57cecd9..1fcdb5f 100644
--- a/auth_mellon_handler.c
+++ b/auth_mellon_handler.c
@@ -2186,6 +2186,19 @@ static int am_auth_new_ticket(request_rec *r)
LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Consent
= g_strdup(LASSO_SAML2_CONSENT_IMPLICIT);
+
+ /*
+ * Make sure the Destination attribute is set to the IdP
+ * SingleSignOnService endpoint. This is required for
+ * Shibboleth 2 interoperability, and older versions of
+ * lasso (at least up to 2.2.91) did not do it.
+ * XXX Here we assume HTTP-Redirect method
+ */
+ if (LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Destination == NULL)
+ LASSO_SAMLP2_REQUEST_ABSTRACT(request)->Destination =
+ am_get_service_url(r, LASSO_PROFILE(login),
+ "SingleSignOnService HTTP-Redirect");
+
LASSO_PROFILE(login)->msg_relayState = g_strdup(relay_state);
ret = lasso_login_build_authn_request_msg(login);
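Review bot: The Destination value is hard-coded to the "SingleSignOnService HTTP-Redirect" endpoint, but per SAML 2.0 Core the IdP must verify that Destination equals the URL the message was actually delivered to, so if lasso is ever asked to build the request for another binding (the "XXX" comment admits the assumption) the IdP will reject the AuthnRequest rather than fall back. If this lasso version exposes the chosen binding on the login object, the endpoint name should be derived from it instead of being fixed, e.g. `const char *sso = (LASSO_LOGIN(login)->http_method == LASSO_HTTP_METHOD_POST) ? "SingleSignOnService HTTP-POST" : "SingleSignOnService HTTP-Redirect";` and that variable passed to am_get_service_url; otherwise the comment should at least state that the earlier init call (outside this hunk) fixes the binding to HTTP-Redirect. Note also that a NULL return from am_get_service_url leaves Destination unset and the code proceeds to build the request anyway; that is acceptable for non-Shibboleth IdPs but should be stated in the comment. The enclosing function am_auth_new_ticket begins before this hunk and continues after it.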
diff --git a/auth_mellon_util.c b/auth_mellon_util.c
index 6e4a629..576a2dc 100644
--- a/auth_mellon_util.c
+++ b/auth_mellon_util.c
@@ -1204,3 +1204,39 @@ const char *am_get_mime_body(request_rec *r, const char *mime)
/* Turn back LF into CRLF */
return am_add_cr(r, body);
}
+
+/* This function returns the URL for a given provider service (type + method)
+ *
+ * Parameters:
+ * request_rec *r The request
+ * LassoProfile *profile Login profile
+ * char *endpoint_name Service and method as specified in metadata
+ * e.g.: "SingleSignOnService HTTP-Redirect"
+ * Returns:
+ * The endpoint URL that must be freed by caller, or NULL on failure.
+ */
+char *
+am_get_service_url(request_rec *r, LassoProfile *profile, char *service_name)
+{
+ LassoProvider *provider;
+ gchar *url;
+
+ provider = lasso_server_get_provider(profile->server,
+ profile->remote_providerID);
+ if (LASSO_IS_PROVIDER(provider) == FALSE) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "Cannot find provider service %s, no provider.",
+ service_name);
+ return NULL;
+ }
+
+ url = lasso_provider_get_metadata_one(provider, service_name);
+ if (url == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
+ "Cannot find provider service %s from metadata.",
+ service_name);
+ return NULL;
+ }
+
+ return url;
+}
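Review bot: The documentation block names the third parameter `endpoint_name` while the signature calls it `service_name`, so the comment should be corrected to `char *service_name Service and method as specified in metadata`. The contract line "must be freed by caller" is right as far as it goes but does not say which allocator to use; since the string comes from lasso_provider_get_metadata_one it should read `The endpoint URL, allocated by lasso and to be released with g_free() by the caller, or NULL on failure.`, which matters when the value is handed to a lasso-owned field as the handler does. The first warning message would be more actionable if it included `profile->remote_providerID`, which is what the lookup failed on, rather than only the service name.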