Add a checking ruleset for the SAML V2.0 Metadata Interoperability Profile.
This isn't a strict check, as we allow KeyName-only KeyDescriptors, which the IOP does not.
Showing
2 changed files
with
54 additions
and
0 deletions.
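--- a/check_mdiop.xsl
+++ b/check_mdiop.xsl
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+check_mdiop.xsl
+Checking ruleset containing rules associated with the SAML V2.0 Metadata
+Interoperability Profile, see:
+http://wiki.oasis-open.org/security/SAML2MetadataIOP
+Author: Ian A. Young <ian@iay.org.uk>
+-->
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+<!--
+Common support functions.
+-->
+<xsl:import href="check_framework.xsl"/>
+
+<!--
+Section 2.5.1: at least one representation must appear.
+As well as the variations specified in the IOP, we also allow a KeyName to be
+used, as the UK federation currently allows a pure PKIX setup as an
+alternative to embedded keys.
+Strict IOP conformance would require the removal of the KeyInfo/KeyName clause.
+-->
+<xsl:template match="md:KeyDescriptor
+[not(ds:KeyInfo/ds:KeyName)]
+[not(ds:KeyInfo/ds:KeyValue)]
+[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]">
+<xsl:call-template name="fatal">
+<xsl:with-param name="m">KeyDescriptor does not contain a key representation</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+<!--
+Section 2.5.1: only one X.509 certificate may appear in any KeyDescriptor.
+-->
+<xsl:template match="md:KeyDescriptor[count(ds:KeyInfo/ds:X509Data/ds:X509Certificate)>1]">
+<xsl:call-template name="fatal">
+<xsl:with-param name="m">KeyDescriptor contains more than one X509Certificate</xsl:with-param>
+</xsl:call-template>
+</xsl:template>
+
+</xsl:stylesheet>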
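Review bot: The three predicates in the first template (the `[not(...)]` clauses after `md:KeyDescriptor`) test only for element presence, so an empty `<ds:X509Certificate/>`, `<ds:KeyValue/>` or `<ds:KeyName/>` counts as a key representation and the descriptor is never reported, even though it carries no usable key. Testing for content closes that gap, e.g. `[not(ds:KeyInfo/ds:KeyName[normalize-space()])]` and `[not(ds:KeyInfo/ds:X509Data/ds:X509Certificate[normalize-space()])]`; KeyValue holds child elements rather than text, so `[not(ds:KeyInfo/ds:KeyValue/*)]` is the matching form there. Separately, the header comment and commit message document that KeyName-only descriptors are a deliberate deviation from the IOP, which moves trust from the metadata itself to whatever PKIX configuration resolves the name; if check_framework.xsl provides a non-fatal reporting template alongside `fatal`, a warning matched on `md:KeyDescriptor[ds:KeyInfo/ds:KeyName][not(ds:KeyInfo/ds:KeyValue)][not(ds:KeyInfo/ds:X509Data/ds:X509Certificate)]` would keep that deviation visible when the ruleset is run for strict-profile review.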