Add a check for consistency between the Shibboleth 1.x authentication…

… request binding and the corresponding IDPSSODescriptor's protocolSupportEnumeration attribute, per the Shibboleth Protocols and Profiles document, section 3.4.3.
InCommon · Feb 15, 2010 · 143f01a · 143f01a
1 parent 7bcb192
commit 143f01a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/build/check.xsl b/build/check.xsl
@@ -119,6 +119,31 @@
 	</xsl:template>
 
 
+	<!--
+		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
+		authentication request binding, the role descriptor's protocolSupportEnumeration
+		must include both of the following:
+		
+			urn:oasis:names:tc:SAML:1.1:protocol
+			urn:mace:shibboleth:1.0
+		
+		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
+	-->
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
 		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which

diff --git a/build/check_imported.xsl b/build/check_imported.xsl
@@ -54,6 +54,31 @@
 	</xsl:template>
 
 
+	<!--
+		If an IDPSSODescriptor contains a SingleSignOnService with the Shibboleth 1.x
+		authentication request binding, the role descriptor's protocolSupportEnumeration
+		must include both of the following:
+		
+			urn:oasis:names:tc:SAML:1.1:protocol
+			urn:mace:shibboleth:1.0
+		
+		See the Shibboleth Protocols and Profiles document, section 3.4.3, for details.
+	-->
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:oasis:names:tc:SAML:1.1:protocol in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:IDPSSODescriptor[md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest']]
+		[not(contains(@protocolSupportEnumeration, 'urn:mace:shibboleth:1.0'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">Shibboleth 1.x auth request needs urn:mace:shibboleth:1.0 in IDPSSODescriptor/@protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		Checks for an IdP whose KeyDescriptor elements do not include a @use attribute.
 		This causes problems with the Shibboleth 1.3 SP prior to V1.3.1, which