Check that browser-facing bindings on SingleSignOnService elements ar…

…e not duplicated, as this makes no sense (browsers can't fall over to another endpoint if the first one fails). Inter alia, this involves adding a new check_saml2 ruleset.
InCommon · Aug 4, 2011 · 7e9a476 · 7e9a476
1 parent 9cc1742
commit 7e9a476
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 1 deletion.
diff --git a/build.xml b/build.xml
@@ -872,6 +872,7 @@
                 <arg value="${build.dir}/check_mdui.xsl"/>
                 <arg value="${build.dir}/check_misc.xsl"/>
                 <arg value="${build.dir}/check_namespaces.xsl"/>
+				<arg value="${build.dir}/check_saml2.xsl"/>
 				<arg value="${build.dir}/check_saml2meta.xsl"/>
                 <arg value="${build.dir}/check_shibboleth.xsl"/>
 

diff --git a/build/check_saml2.xsl b/build/check_saml2.xsl
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_saml2.xsl
+
+	Checking ruleset containing rules associated with the SAML 2.0 specification.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+
+	<!--
+		It does not make sense for an IdP to have more than one SingleSignOnService
+		with any of a list of SAML 2.0 front-channel bindings.
+	-->
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>	
+
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template> 
+
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template> 
+
+</xsl:stylesheet>
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
@@ -19,7 +19,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
@@ -87,6 +86,18 @@
 	</xsl:template>
 
 
+	<!--
+		It does not make sense for an IdP to have more than one SingleSignOnService
+		with the Shibboleth authentication request binding, because this is a
+		front-channel binding.
+	-->
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
 		

diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -178,6 +178,19 @@
         </property>
     </bean>
 
+    <!--
+        check_saml2
+    -->
+    <bean id="check_saml2" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="check_saml2"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_saml2.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         check_saml2meta
     -->
@@ -252,6 +265,7 @@
                 <ref bean="check_mdui"/>
                 <ref bean="check_misc"/>
                 <ref bean="check_namespaces"/>
+                <ref bean="check_saml2"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
             </list>