From 3734f3efa583fa3165c1d7749262218e804e984f Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Mon, 15 Mar 2010 14:54:19 +0000
Subject: [PATCH] Add a checking ruleset for the ADFS metadata profile.  Note
 that one check is being held down to "warning" level until an existing entity
 which breaks the rule in question is corrected.

---
 build.xml            |  3 +-
 build/check_adfs.xsl | 81 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 build/check_adfs.xsl

diff --git a/build.xml b/build.xml
index 0bf01a69..2e83af9a 100644
--- a/build.xml
+++ b/build.xml
@@ -775,10 +775,11 @@
 				<jvmarg value="-Djava.endorsed.dirs=${tools.xalan}/endorsed"/>
 				<arg value="@{i}"/>
 				<!-- set of checking stylesheets applied in every case -->
-				<arg value="${build.dir}/check_shibboleth.xsl"/>
+                <arg value="${build.dir}/check_adfs.xsl"/>
                 <arg value="${build.dir}/check_idpdisc.xsl"/>
 				<arg value="${build.dir}/check_mdiop.xsl"/>
                 <arg value="${build.dir}/check_misc.xsl"/>
+                <arg value="${build.dir}/check_shibboleth.xsl"/>
 				<!-- single context-dependent ruleset -->
 				<arg value="${build.dir}/@{s}"/>
 			</java>
diff --git a/build/check_adfs.xsl b/build/check_adfs.xsl
new file mode 100644
index 00000000..dfa12ae2
--- /dev/null
+++ b/build/check_adfs.xsl
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_adfs.xsl
+	
+	Checking ruleset containing rules associated with the ADFS metadata profile,
+	as described here:
+
+		https://spaces.internet2.edu/display/SHIB/ADFSMetadataProfile
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+		An IdP's SSO descriptor must contain a SingleSignOn element with
+		the appropriate binding.
+	-->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+		[not(md:SingleSignOnService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS IdP role lacks SSO service with appropriate Binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		An SP's SSO descriptor must contain an AssertionConsumerService element with
+		the appropriate binding.
+	-->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext')]
+		[not(md:AssertionConsumerService/@Binding = 'http://schemas.xmlsoap.org/ws/2003/07/secext')]">
+		<!--
+			The current UK federation metadata has one entity which breaks this rule at present.
+			Change this from "warning" to "fatal" once that has been resolved.
+		-->
+		<xsl:call-template name="warning">
+			<xsl:with-param name="m">ADFS SP role lacks SSO service with appropriate Binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<!--
+		If the ADFS binding appears on any service, the parent role's protocol support
+		enumeration must include the appropruate URI.
+	-->
+	<xsl:template match="md:SingleSignOnService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS SingleSignOnService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:AssertionConsumerService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS AssertionConsumerService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	<xsl:template match="md:SingleLogoutService
+		[@Binding='http://schemas.xmlsoap.org/ws/2003/07/secext']
+		[not(contains(../@protocolSupportEnumeration, 'http://schemas.xmlsoap.org/ws/2003/07/secext'))]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">ADFS SingleLogoutService requires appropriate protocolSupportEnumeration</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+</xsl:stylesheet>