From 151ad17e0422f77efe3d55038398a510364b850e Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 7 Jan 2019 11:10:10 +0100
Subject: [PATCH] xml: adapt schema in saml2:AuthnContext (#29340)

saml2:AuthnContext XML schema indicate that AuthenticatingAuthority is an optional unbounded list of nodes, but the current Lasso schema only handle an unique element. To prevent Lasso from refusing perfectly legal messages, we add a rule to the Lasso ignoring other nodes after the first one.
---
 lasso/xml/saml-2.0/saml2_authn_context.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lasso/xml/saml-2.0/saml2_authn_context.c b/lasso/xml/saml-2.0/saml2_authn_context.c
index e9ba4b08..d2a1f0e6 100644
--- a/lasso/xml/saml-2.0/saml2_authn_context.c
+++ b/lasso/xml/saml-2.0/saml2_authn_context.c
@@ -71,6 +71,10 @@ static struct XmlSnippet schema_snippets[] = {
 G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthnContextDeclRef), NULL, NULL, NULL},
 { "AuthenticatingAuthority", SNIPPET_CONTENT | SNIPPET_OPTIONAL,
 G_STRUCT_OFFSET(LassoSaml2AuthnContext, AuthenticatingAuthority), NULL, NULL, NULL},
+ /* Other AuthenticatingAuthority are just ignored, it's a work-around to at least accept correct SAML message.
+ * See https://dev.entrouvert.org/issues/29340 */
+ { "AuthenticatingAuthority", SNIPPET_LIST_CONTENT | SNIPPET_OPTIONAL,
+ NULL, NULL, NULL, NULL},
 {NULL, 0, 0, NULL, NULL, NULL}
 };
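Review bot: The added catch-all entry silently drops every `AuthenticatingAuthority` after the first, so an application that bases a trust decision on that field sees only one authority of a proxied authentication and gets no sign that others were listed. The comment should state that limit, for example `/* Only the first AuthenticatingAuthority is exposed; later ones are accepted and dropped, so the field must not be used to enumerate or vet the authority chain. */`. Separately, the new entry passes `NULL` in the slot where the neighbouring entries pass a `G_STRUCT_OFFSET(...)` value and the terminator passes `0`; writing `0, NULL, NULL, NULL},` keeps the initializer type-consistent and avoids a possible pointer-to-integer conversion warning. The parser is not visible here, so it is worth confirming that a zero offset combined with `SNIPPET_LIST_CONTENT` is treated as "discard" rather than as a real field offset into the object. `schema_snippets` begins above the hunk.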