Promote a check for SAML 2.0 IdPs whose metadata includes pure PKIX K…

…eyDescriptor elements to production. This is problematic for some OpenAthens SP software, and superfluous for anyone else.
InCommon · Sep 17, 2012 · 755127a · 755127a
1 parent 767435a
commit 755127a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 18 deletions.
diff --git a/build/check_misc.xsl b/build/check_misc.xsl
@@ -11,6 +11,7 @@
 -->
 <xsl:stylesheet version="1.0"
 	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
@@ -140,4 +141,24 @@
 		</xsl:call-template>
 	</xsl:template>
 
+	<!--
+        Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
+        
+        This causes problems for some OpenAthens SP products.
+    -->
+	<xsl:template match="md:IDPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	<xsl:template match="md:AttributeAuthorityDescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
+		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
 </xsl:stylesheet>
diff --git a/mdx/check_future_0.xsl b/mdx/check_future_0.xsl
@@ -29,22 +29,4 @@
 	-->
 	<xsl:import href="../build/check_framework.xsl"/>
 
-	<!--
-		Look for SAML 2.0 IdPs whose metadata includes pure PKIX KeyDescriptor elements.
-	-->
-	<xsl:template match="md:IDPSSODescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 IdP has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-	<xsl:template match="md:AttributeAuthorityDescriptor
-		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:2.0:protocol')]
-		[md:KeyDescriptor[not(descendant::ds:X509Data)]]">
-		<xsl:call-template name="error">
-			<xsl:with-param name="m">SAML 2.0 AttributeAuthority has KeyDescriptor without embedded key</xsl:with-param>
-		</xsl:call-template>
-	</xsl:template>
-
 </xsl:stylesheet>