Add a checking ruleset for the ADFS metadata profile. Note that one c…

…heck is being held down to "warning" level until an existing entity which breaks the rule in question is corrected.

build.xml

@@ -775,10 +775,11 @@
 				<jvmarg value="-Djava.endorsed.dirs=${tools.xalan}/endorsed"/>
 				<arg value="@{i}"/>
 				<!-- set of checking stylesheets applied in every case -->
-				<arg value="${build.dir}/check_shibboleth.xsl"/>
+                <arg value="${build.dir}/check_adfs.xsl"/>
                 <arg value="${build.dir}/check_idpdisc.xsl"/>
 				<arg value="${build.dir}/check_mdiop.xsl"/>
                 <arg value="${build.dir}/check_misc.xsl"/>
+                <arg value="${build.dir}/check_shibboleth.xsl"/>
 				<!-- single context-dependent ruleset -->
 				<arg value="${build.dir}/@{s}"/>
 			</java>

build/check_adfs.xsl

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_adfs.xsl
+	
+	Checking ruleset containing rules associated with the ADFS metadata profile,
+	as described here:
+
+		https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+		An IdP's SSO descriptor must contain a SingleSignOn element with
+		the appropriate binding.
+	-->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+		[not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<!--
+		An SP's SSO descriptor must contain an AssertionConsumerService element with
+		the appropriate binding.
+	-->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+		[not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+		<!--
+			The current UK federation metadata has one entity which breaks this rule at present.
+			Change this from "warning" to "fatal" once that has been resolved.
+		-->
+		<xsl:call-template name="warning">
+			<xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<!--
+		If the ADFS binding appears on any service, the parent role's protocol support
+		enumeration must include the appropruate URI.
+	-->
+	<xsl:template match="md:SingleSignOnService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:AssertionConsumerService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+	<xsl:template match="md:SingleLogoutService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>