The flags parameter allows to control the checking of digital signature
upon EntityDescriptor and EntitiesDescriptor nodes in SAML 2.0 metadata
files.
The default behaviour is to check all found signatures and to inherit
signature from EntitiesDescriptor to their children.
By only enabling checking of EntityDescrtiptor node signatures it's also
possible to only check signature at the EntityDescriptor level and so
only trust individual entities and not the aggregating provider.
An empty reference means the complete document, so the signed node is
the root element of this document. We must check that the parameter
signe_node dmatches our assumption.
The aim of this function is now to load any metadata file, and to
replace completely the use of lasso_server_add_provider.
The metadata content argument is replaced by a metadata file path to
more closely match other APIs.
This method allows to load providers in bulk from what is called a
federation file, i.e a SAML metadata file containing declarations for
more than one provider. Those file are usually signed to bind some trust
to its content, so lasso_server_load_federation can take an optional
file path to a certificate chain file used to check the signature on the
given XML content. Only same document signature is accepted (i.e. there
must be only one XML signature reference and it should be to the empty
string meaning the « current » document).
I'm not sure of the need outside lasso so I will let this method private
for the moment. It's an helper method for the
lasso_server_load_federation method which traverses an
EntitiesDescriptor node to find all the EntityDescriptor contained
inside.
It only loads one kind of provider (idp or sp). It's currently
impossible for a provider to have the two roles at the same time toward
a given LassoServer object, i.e. the current service is a service
provider or an identity provider, it cannot be the two at the same time.
xmlCopyPropList does not copy the property list into the target it just
copy it with respect to the target (mainly for namespace references).
This patch adds the real copy into the target node.
Identity, Lecp, Login, Logout, NameIdentifierMapping, NameRegistration,
Session, AssertionQuery, Ecp and NameIdManagement objects were missing a
namespace association to their GObject class. It broke when you try to
dump a node created by lasso_node_new_from_dump.
Benjamin Dauvergne
Frédéric Péters
Jean-Marc Liger