642182bdf4
With a SAML Authn Response either the message or the assertion contained in the response message or both can be signed. Most IdP's sign the message. This fixes a bug when processing an ECP authn response when only the assertion is signed. lasso_saml20_profile_process_soap_response_with_headers() performs a signature check on the SAML message. A signature can also appear on the assertion which is checked by lasso_saml20_login_process_response_status_and_assertion() The problem occurred when the message was not signed and lasso_saml20_profile_process_soap_response_with_headers() returned LASSO_DS_ERROR_SIGNATURE_NOT_FOUND as an error code which is not actually an error because we haven't checked the signature on the assertion yet. We were returning the first LASSO_DS_ERROR_SIGNATURE_NOT_FOUND error when in fact the subsequent signature check in lasso_saml20_login_process_response_status_and_assertion() succeeded. The ECP unit tests were enhanced to cover these cases. The enhanced unit test revealed a problem in two switch statements operating on the return value of lasso_profile_get_signature_verify_hint() which were missing a case statement for LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE which caused an abort due to an unknown enumeration value. Fixes Bug: 26828 License: MIT Signed-off-by: John Dennis <jdennis@redhat.com> |
||
|---|---|---|
| .. | ||
| data | ||
| integration | ||
| valgrind | ||
| Makefile.am | ||
| assertion_query_saml2.c | ||
| basic_tests.c | ||
| idwsf2_tests.c | ||
| login_tests.c | ||
| login_tests_saml2.c | ||
| metadata_tests.c | ||
| non_regression_tests.c | ||
| perfs.c | ||
| random_tests.c | ||
| tests.c | ||
| tests.h | ||
| tests2.c | ||