642182bdf4
With a SAML Authn Response either the message or the assertion contained in the response message or both can be signed. Most IdPs sign the message. This fixes a bug when processing an ECP authn response when only the assertion is signed.

lasso_saml20_profile_process_soap_response_with_headers() performs a signature check on the SAML message. A signature can also appear on the assertion which is checked by lasso_saml20_login_process_response_status_and_assertion().

The problem occurred when the message was not signed and lasso_saml20_profile_process_soap_response_with_headers() returned LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not actually an error because we haven't checked the signature on the assertion yet. We were returning the first LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent signature check in lasso_saml20_login_process_response_status_and_assertion() succeeded.

The ECP unit tests were enhanced to cover these cases. The enhanced unit test revealed a problem in two switch statements operating on the return value of lasso_profile_get_signature_verify_hint() which were missing a case statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused an abort due to an unknown enumeration value.

Fixes Bug: 26828
License: MIT
Signed-off-by: John Dennis <jdennis@redhat.com>

||
---|---|---|
.. | ||
data | ||
integration | ||
valgrind | ||
Makefile.am | ||
assertion_query_saml2.c | ||
basic_tests.c | ||
idwsf2_tests.c | ||
login_tests.c | ||
login_tests_saml2.c | ||
metadata_tests.c | ||
non_regression_tests.c | ||
perfs.c | ||
random_tests.c | ||
tests.c | ||
tests.h | ||
tests2.c |