Promote saml2int check that all SAML 2.0 IdPs have embedded key mater…

…ial to production.
InCommon · Jul 9, 2012 · 6ebce15 · 6ebce15
1 parent a24d6ee
commit 6ebce15
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 17 deletions.
diff --git a/build/check_saml2int.xsl b/build/check_saml2int.xsl
@@ -106,4 +106,27 @@
 		</xsl:call-template>
 	</xsl:template>
 
+	<!--
+		Section 9.1
+		
+		Responses MUST be signed, so appropriate IdP roles MUST include embedded key material
+		suitable for signing those responses.
+	-->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
+		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/check_future_0.xsl b/mdx/check_future_0.xsl
@@ -29,21 +29,4 @@
 	-->
 	<xsl:import href="../build/check_framework.xsl"/>
 
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][@use='signing'])]
-		[not(md:KeyDescriptor[descendant::ds:X509Data][not(@use)])]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has no embedded signing key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>