Check that a SAML 1.1 SP supports the Browser/POST profile through an…

… appropriate AssertionConsumerService binding.
InCommon · Feb 27, 2012 · d53f8e7 · d53f8e7
1 parent f033ac2
commit d53f8e7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/build/check_saml1.xsl b/build/check_saml1.xsl
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_saml1.xsl
+
+	Checking ruleset containing rules associated with the SAML 1.x specification.
+	
+	Author: Ian A. Young <ian@iay.org.uk>
+
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="check_framework.xsl"/>
+
+	<!--
+		A service provider claiming to support SAML 1.1 should include an appropriate POST AssertionConsumerService.
+	-->
+	<xsl:template match="md:EntityDescriptor/md:SPSSODescriptor[contains(@protocolSupportEnumeration, 'urn:oasis:names:tc:SAML:1.1:protocol')]
+		[not(md:AssertionConsumerService[@Binding = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post'])]">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">no POST support on SAML 1.1 SP</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>
diff --git a/mdx/validation-beans.xml b/mdx/validation-beans.xml
@@ -3,12 +3,21 @@
     Common validation bean definitions.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:p="http://www.springframework.org/schema/p"
     xmlns:util="http://www.springframework.org/schema/util"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd">
 
+    <!--
+        check_xslt_parent
+        
+        Parent (template) for XSLT-based checking stages.
+    -->
+    <bean id="check_xslt_parent" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        lazy-init="true" init-method="initialize" abstract="true"/>
+
     <!--
         check_adfs
     -->
@@ -319,6 +328,17 @@
         </property>
     </bean>
 
+    <!--
+        check_saml1
+    -->
+    <bean id="check_saml1" p:id="check_saml1" parent="check_xslt_parent">
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/build/check_saml1.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         check_saml2
     -->
@@ -408,6 +428,7 @@
                 <ref bean="check_misc"/>
                 <ref bean="check_namespaces"/>
                 <ref bean="check_reqattr"/>
+                <ref bean="check_saml1"/>
                 <ref bean="check_saml2"/>
                 <ref bean="check_saml2meta"/>
                 <ref bean="check_shibboleth"/>