From 7e9a4762536f7242ea51ecd55150c2335da9ffe7 Mon Sep 17 00:00:00 2001
From: Ian Young <ian@iay.org.uk>
Date: Thu, 4 Aug 2011 15:20:49 +0000
Subject: [PATCH] Check that browser-facing bindings on SingleSignOnService
 elements are not duplicated, as this makes no sense (browsers can't fall over
 to another endpoint if the first one fails). Inter alia, this involves adding
 a new check_saml2 ruleset.

---
 build.xml                  |  1 +
 build/check_saml2.xsl      | 45 ++++++++++++++++++++++++++++++++++++++
 build/check_shibboleth.xsl | 13 ++++++++++-
 mdx/validation-beans.xml   | 14 ++++++++++++
 4 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 build/check_saml2.xsl

diff --git a/build.xml b/build.xml
index 9d5491d9..2290c4b9 100644
--- a/build.xml
+++ b/build.xml
@@ -872,6 +872,7 @@
                 <arg value="${build.dir}/check_mdui.xsl"/>
                 <arg value="${build.dir}/check_misc.xsl"/>
                 <arg value="${build.dir}/check_namespaces.xsl"/>
+				<arg value="${build.dir}/check_saml2.xsl"/>
 				<arg value="${build.dir}/check_saml2meta.xsl"/>
                 <arg value="${build.dir}/check_shibboleth.xsl"/>
 				
diff --git a/build/check_saml2.xsl b/build/check_saml2.xsl
new file mode 100644
index 00000000..3915264d
--- /dev/null
+++ b/build/check_saml2.xsl
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_saml2.xsl
+
+	Checking ruleset containing rules associated with the SAML 2.0 specification.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	
+	<!--
+		It does not make sense for an IdP to have more than one SingleSignOnService
+		with any of a list of SAML 2.0 front-channel bindings.
+	-->
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>	
+	
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-POST-SimpleSign binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template> 
+
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with SAML 2.0 HTTP-Redirect binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template> 
+
+</xsl:stylesheet>
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
index 03ee5ddc..34a9fb8f 100644
--- a/build/check_shibboleth.xsl
+++ b/build/check_shibboleth.xsl
@@ -19,7 +19,6 @@
 	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
 	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
 
 	<!--
@@ -87,6 +86,18 @@
 	</xsl:template>
 	
 	
+	<!--
+		It does not make sense for an IdP to have more than one SingleSignOnService
+		with the Shibboleth authentication request binding, because this is a
+		front-channel binding.
+	-->
+	<xsl:template match="md:SingleSignOnService[@Binding='urn:mace:shibboleth:1.0:profiles:AuthnRequest'][position()>1]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">more than one SingleSignOnService with Shibboleth binding</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+	
+	
 	<!--
 		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
 		
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
index 8f489402..0571e82b 100644
--- a/mdx/validation-beans.xml
+++ b/mdx/validation-beans.xml
@@ -178,6 +178,19 @@
         </property>
     </bean>
 
+    <!--
+        check_saml2
+    -->
+    <bean id="check_saml2" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="check_saml2"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_saml2.xsl"/>
+            </bean>
+        </property>
+    </bean>
+    
     <!--
         check_saml2meta
     -->
@@ -252,6 +265,7 @@
                 <ref bean="check_mdui"/>
                 <ref bean="check_misc"/>
                 <ref bean="check_namespaces"/>
+                <ref bean="check_saml2"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>
             </list>