Add validation for SAML subject identifier entity attribute

See ukf/ukf-meta#176 for details
InCommon · May 27, 2021 · b508259 · b508259
1 parent 842892f
commit b508259
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/mdx/uk/check_uk_mdattr.xsl b/mdx/uk/check_uk_mdattr.xsl
@@ -64,6 +64,7 @@
         [@Name != 'http://macedir.org/entity-category']
         [@Name != 'http://macedir.org/entity-category-support']
         [@Name != 'urn:oasis:names:tc:SAML:attribute:assurance-certification']
+        [@Name != 'urn:oasis:names:tc:SAML:profiles:subject-id:req']
         ">
         <xsl:call-template name="error">
             <xsl:with-param name="m">
@@ -121,4 +122,22 @@
         </xsl:call-template>
     </xsl:template>
 
+    <!--
+        Validate SAML subject identifier requirement value.
+    -->
+    <xsl:template match="mdattr:EntityAttributes/saml:Attribute[@Name='urn:oasis:names:tc:SAML:profiles:subject-id:req']
+        /saml:AttributeValue
+            [. != 'subject-id']
+            [. != 'pairwise-id']
+            [. != 'none']
+            [. != 'any']
+        ">
+        <xsl:call-template name="error">
+            <xsl:with-param name="m">
+                <xsl:text>unknown subject identifier requirement values </xsl:text>
+                <xsl:value-of select="."/>
+            </xsl:with-param>
+        </xsl:call-template>
+    </xsl:template>
+
 </xsl:stylesheet>