Check that a SAML 1.1 SP's NameIDFormat list includes the Shibboleth …

…transient, to allow the attribute query callback to be performed.
InCommon · Apr 12, 2011 · b4ae5c2 · b4ae5c2
1 parent 71e6834
commit b4ae5c2
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/build/check_shibboleth.xsl b/build/check_shibboleth.xsl
@@ -109,6 +109,24 @@
 	</xsl:template>
 
 
+	<!--
+		Check for SAML 1.1 SPs which exclude the Shibboleth transient name identifier format.
+		
+		An SP which has no NameIDFormat elements is fine, but if any are mentioned in a
+		SAML 1.1 SP then the Shibboleth transient must be included in the list as otherwise
+		there will be no name identifier sent to the SP and no attribute query can be
+		performed.
+	-->
+	<xsl:template match="md:SPSSODescriptor
+		[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+		[md:NameIDFormat]
+		[not(md:NameIDFormat[.='urn:mace:shibboleth:1.0:nameIdentifier'])]">
+		<xsl:call-template name="fatal">
+			<xsl:with-param name="m">SAML 1.1 SP excludes Shibboleth transient name identifier format</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+
 	<!--
 		Check for a construct which is known to cause the Shibboleth 1.3 SP to dump core.