API change in Single Sign On profile (IdP side) to allow the developer to mess

with <lib:Assertion/> Outlined in http://lists.labs.libre-entreprise.org/pipermail/lasso-devel/2004-December/001119.html
2004-12-14 19:20:20 +00:00 · 2004-12-14 19:20:20 +00:00 · ad056adf36
parent 2bda2b596e
commit ad056adf36
8 changed files with 138 additions and 213 deletions
--- a/docs/lasso-book/single-sign-on.process
+++ b/docs/lasso-book/single-sign-on.process
@ -89,37 +89,17 @@ Single Sign-On and Federation
                   # unserialize with lasso_login_new_from_dump(dump)
                   consentObtained = TRUE # or FALSE if user didn't give its consent

-            authenticationMethod = LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD
-                # or LASSO_SAML_AUTHENTICATION_METHOD_SOFTWARE_PKI or others
-                # (see ...)
-                # this is how the user has been authenticated
+            IF lasso_login_validate_request_msg(login, userAuthenticated, consentObtained) == 0:
+                # build and fill assertion
+                lasso_login_build_assertion(login, authenticationMethod,
+                        authenticationInstant, reauthenticationTime
+                        assertionIsNotBefore, assertionIsNotOnOrAfter)
+                # any other change to the assertion can take place here

-            authenticationInstant = "2004-03-01T00:00:00Z"
-                # this is when the authentication occured; when NULL Lasso will put current time
-
-            assertionIsNotBefore = "2004-03-01T00:00:00Z"
-                # this is when assertion starts to be valid; NULL when not used
-
-            assertionIsNotOnOrAfter = "2004-04-01T00:00:00Z"
-                # this is when assertion stops to be valid; NULL when not used
-
-            reauthenticationTime = "2004-04-01T00:00:00Z"
-                # this is when the user will have to be reauthenticated; NULL when not used
-
-            IF login->protocolProfile IS lassoLoginProtocolProfileBrwsArt
-                lasso_login_build_artifact_msg(login, userAuthenticated,
-                    consentObtained,
-                    authenticationMethod,
-                    authenticationInstant, reauthenticationTime,
-                    assertionIsNotBefore, assertionIsNotOnOrAfter,
-                    lassoHttpMethodRedirect)
+            IF login->protocolProfile IS LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART
+                lasso_login_build_artifact_msg(login, LASSO_HTTP_METHOD_REDIRECT)
            ELSE # IF login->protocolProfile IS lassoLoginProtocolProfileBrwsPost
-                lasso_login_build_authn_response_msg(login, userAuthenticated,
-                    consentObtained,
-                    authenticationMethod,
-                    authenticationInstant, reauthenticationTime,
-                    assertionIsNotBefore, assertionIsNotOnOrAfter,
-                    reauthenticationTime)
+                lasso_login_build_authn_response_msg(login)

            # map LASSO_PROFILE(login)->nameIdentifier to user and session
            # (write this down in a database)
--- a/lasso/id-ff/lecp.c
+++ b/lasso/id-ff/lecp.c
@ -127,14 +127,7 @@ lasso_lecp_build_authn_response_msg(LassoLecp *lecp)
 }

 gint
-lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp,
-		gint authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter)
+lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp)
 {
 	LassoProfile  *profile;
 	LassoProvider *provider;
@ -156,10 +149,7 @@ lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp,
 	}

 	/* build lib:AuthnResponse */
-	lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp),
-			authentication_result, is_consent_obtained,
-			authenticationMethod, authenticationInstant, reauthenticateOnOrAfter,
-			notBefore, notOnOrAfter);
+	lasso_login_build_authn_response_msg(LASSO_LOGIN(lecp));

 	assertionConsumerServiceURL = lasso_provider_get_metadata_one(
 			provider, "AssertionConsumerServiceURL");
--- a/lasso/id-ff/lecp.h
+++ b/lasso/id-ff/lecp.h
@ -70,14 +70,7 @@ LASSO_EXPORT int lasso_lecp_build_authn_request_msg(LassoLecp *lecp);

 LASSO_EXPORT int lasso_lecp_build_authn_response_msg(LassoLecp *lecp);

-LASSO_EXPORT int  lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp,
-		int authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter);
+LASSO_EXPORT int  lasso_lecp_build_authn_response_envelope_msg(LassoLecp *lecp);

 LASSO_EXPORT void lasso_lecp_destroy(LassoLecp *lecp);

--- a/lasso/id-ff/login.c
+++ b/lasso/id-ff/login.c
@ -44,7 +44,6 @@ struct _LassoLoginPrivate
 /**
 * lasso_login_build_assertion:
 * @login: a Login
- * @federation: a federation or NULL
 * @authenticationMethod: the authentication method.
 * @authenticationInstant: the time at which the authentication took place or NULL.
 * @reauthenticateOnOrAfter: the time at, or after which the service provider
@ -61,9 +60,8 @@ struct _LassoLoginPrivate
 *
 * Return value: 0 on success or a negative value otherwise.
 **/
-static gint
+int
 lasso_login_build_assertion(LassoLogin *login,
-		LassoFederation *federation,
 		const char *authenticationMethod,
 		const char *authenticationInstant,
 		const char *reauthenticateOnOrAfter,
@ -74,12 +72,15 @@ lasso_login_build_assertion(LassoLogin *login,
 	LassoLibAuthenticationStatement *as;
 	LassoSamlNameIdentifier *nameIdentifier;
 	LassoProfile *profile;
-	gint ret = 0;
+	LassoFederation *federation;

 	g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
 	/* federation MAY be NULL */

 	profile = LASSO_PROFILE(login);
+
+	federation = g_hash_table_lookup(profile->identity->federations,
+			profile->remote_providerID);
 	
 	/*
 	 get RequestID to build Assertion
@ -111,21 +112,18 @@ lasso_login_build_assertion(LassoLogin *login,
 				federation->local_nameIdentifier);
 	}

-	if (as == NULL) {
-		return -1;
-	}
-
 	LASSO_SAML_ASSERTION(assertion)->AuthenticationStatement = 
 				LASSO_SAML_AUTHENTICATION_STATEMENT(as);

 	/* FIXME : How to know if the assertion must be signed or unsigned ? */
-	/* signature should be added at end */
+#if 0
+	/* signature should be added at end (i.e. move this to
+	 * build_response_msg and build_authn_response_msg) */
 	ret = lasso_saml_assertion_set_signature(LASSO_SAML_ASSERTION(assertion),
 			profile->server->signature_method,
 			profile->server->private_key,
 			profile->server->certificate);
-	if (ret)
-		return ret;
+#endif

 	if (login->protocolProfile == LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST) {
 		/* only add assertion if response is an AuthnResponse */
@ -136,6 +134,7 @@ lasso_login_build_assertion(LassoLogin *login,
 	if (profile->session == NULL) {
 		profile->session = lasso_session_new();
 	}
+	login->assertion = LASSO_SAML_ASSERTION(assertion);
 	lasso_session_add_assertion(profile->session, profile->remote_providerID,
 			LASSO_SAML_ASSERTION(assertion));
 	return 0;
@ -436,41 +435,17 @@ lasso_login_accept_sso(LassoLogin *login)
 /**
 * lasso_login_build_artifact_msg:
 * @login: a LassoLogin
- * @authentication_result: whether the principal is authenticated.  
- * @is_consent_obtained: whether the principal consents to be federated.
- * @authenticationMethod: the authentication method
- * @authenticationInstant: the time at which the authentication took place
- * @reauthenticateOnOrAfter: the time at, or after which the service provider
- *   reauthenticates the Principal with the identity provider or NULL
- * @notBefore: the earliest time instant at which the assertion is valid
- * @notOnOrAfter: the time instant at which the assertion has expired
- *
 * @http_method: the HTTP method to send the artifact (REDIRECT or POST)
 * 
 * Builds an artifact. Depending of the HTTP method, the data for the sending of
 * the artifact are stored in msg_url (REDIRECT) or msg_url, msg_body and
 * msg_relayState (POST).
 *
- * @authenticationMethod, @authenticationInstant, @reauthenticateOnOrAfter,
- * @notBefore, @notOnOrAfter should be NULL if @authentication_result is FALSE.
- * If @authenticationInstant is NULL, the current time will be set.
- *
- * Time values must be encoded in UTC.
- * 
 * Return value: 0 on success and a negative value otherwise.
 **/
 gint
-lasso_login_build_artifact_msg(LassoLogin *login,
-		gboolean authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter,
-		lassoHttpMethod http_method)
+lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method)
 {
-	LassoFederation *federation = NULL;
 	LassoProvider *remote_provider;
 	gchar *url;
 	xmlSecByte samlArt[42], *b64_samlArt, *relayState;
@ -488,23 +463,6 @@ lasso_login_build_artifact_msg(LassoLogin *login,
 		return critical_error(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE);
 	}

-	/* process federation and build assertion only if signature is OK */
-	if (LASSO_PROFILE(login)->signature_status == 0 && authentication_result == TRUE) {
-		ret = lasso_login_process_federation(login, is_consent_obtained);
-		if (ret < 0)
-			return ret;
-
-		/* fill the response with the assertion */
-		if (ret == 0) {
-			federation = g_hash_table_lookup(
-					LASSO_PROFILE(login)->identity->federations,
-					LASSO_PROFILE(login)->remote_providerID);
-			lasso_login_build_assertion(login, federation, authenticationMethod,
-					authenticationInstant, reauthenticateOnOrAfter,
-					notBefore, notOnOrAfter);
-		}
-	}
-
 	if (LASSO_PROFILE(login)->remote_providerID == NULL)
 		return -1;

@ -655,40 +613,17 @@ lasso_login_build_authn_request_msg(LassoLogin *login)
 /**
 * lasso_login_build_authn_response_msg:
 * @login: a LassoLogin
- * @authentication_result: whether the principal is authenticated
- * @is_consent_obtained: whether the principal consents to be federated
- * @authenticationMethod: the method used to authenticate the principal
- * @authenticationInstant: the time at which the authentication took place
- * @reauthenticateOnOrAfter: the time at, or after which the service provider
- *   reauthenticates the Principal with the identity provider 
- * @notBefore: the earliest time instant at which the assertion is valid
- * @notOnOrAfter: the time instant at which the assertion has expired
 * 
 * Builds an authentication response. The data for the sending of the response
 * are stored in msg_url and msg_body.
 *
- * @authenticationMethod, @authenticationInstant, @reauthenticateOnOrAfter,
- * @notBefore, @notOnOrAfter should be NULL if @authentication_result is FALSE.
- * If @authenticationInstant is NULL, the current time will be set.
- *
- * Time values must be encoded in UTC.
- * 
 * Return value: 0 on success and a negative value otherwise.
 **/
 gint
-lasso_login_build_authn_response_msg(LassoLogin *login,
-		gboolean authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter)
+lasso_login_build_authn_response_msg(LassoLogin *login)
 {
-	LassoProfile *profile;
 	LassoProvider *remote_provider;
-	LassoFederation *federation;
-	gint ret = 0;
+	LassoProfile *profile;

 	g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);

@ -699,55 +634,6 @@ lasso_login_build_authn_response_msg(LassoLogin *login,
 		return critical_error(LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE);
 	}

-	/* create LibAuthnResponse */
-	profile->response = lasso_lib_authn_response_new(
-			LASSO_PROVIDER(profile->server)->ProviderID,
-			LASSO_LIB_AUTHN_REQUEST(profile->request));
-
-	/* modify AuthnResponse StatusCode if user authentication is not OK */
-	if (authentication_result == FALSE) {
-		lasso_profile_set_response_status(profile,
-				LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
-	}
-
-	/* if signature is not OK => modify AuthnResponse StatusCode */
-	if (profile->signature_status == LASSO_DS_ERROR_INVALID_SIGNATURE) {
-		lasso_profile_set_response_status(profile,
-				LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
-	}
-
-	if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
-		/* Unsigned AuthnRequest */
-		lasso_profile_set_response_status(profile,
-				LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST);
-	}
-
-	if (profile->signature_status == 0 && authentication_result == TRUE) {
-		/* process federation */
-		ret = lasso_login_process_federation(login, is_consent_obtained);
-		if (ret < 0)
-			return ret;
-
-		/* fill the response with the assertion */
-		if (ret == 0) {
-			federation = g_hash_table_lookup(
-					profile->identity->federations,
-					profile->remote_providerID);
-			lasso_login_build_assertion(login, federation,
-					authenticationMethod, authenticationInstant,
-					reauthenticateOnOrAfter,
-					notBefore, notOnOrAfter);
-		}
-	}
-
-	if (LASSO_SAMLP_RESPONSE(profile->response)->Status == NULL) {
-		lasso_profile_set_response_status(profile,
-				LASSO_SAML_STATUS_CODE_SUCCESS);
-	}
-
-	remote_provider = g_hash_table_lookup(profile->server->providers,
-			profile->remote_providerID);
-
 	/* XXX: not sure this was signed in Lasso 0.5.0 */
 	LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_type = LASSO_SIGNATURE_TYPE_WITHX509;
 	LASSO_SAMLP_RESPONSE_ABSTRACT(profile->response)->sign_method = 
@ -756,10 +642,13 @@ lasso_login_build_authn_response_msg(LassoLogin *login,
 	/* build an lib:AuthnResponse base64 encoded */
 	profile->msg_body = lasso_node_export_to_base64(profile->response,
 			profile->server->private_key, profile->server->certificate);
+
+	remote_provider = g_hash_table_lookup(LASSO_PROFILE(login)->server->providers,
+			LASSO_PROFILE(login)->remote_providerID);
 	profile->msg_url = lasso_provider_get_metadata_one(
 			remote_provider, "AssertionConsumerServiceURL");

-	return ret;
+	return 0;
 }

 /**
@ -1272,6 +1161,7 @@ lasso_login_process_response_msg(LassoLogin *login, gchar *response_msg)
 static struct XmlSnippet schema_snippets[] = {
 	{ "AssertionArtifact", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoLogin, assertionArtifact) },
 	{ "NameIDPolicy", SNIPPET_CONTENT, G_STRUCT_OFFSET(LassoLogin, nameIDPolicy) },
+	{ "Assertion", SNIPPET_NODE_IN_CHILD, G_STRUCT_OFFSET(LassoLogin, assertion) },
 	{ NULL, 0, 0}
 };

@ -1434,3 +1324,56 @@ lasso_login_dump(LassoLogin *login)
 	return lasso_node_dump(LASSO_NODE(login), NULL, 1);
 }

+
+int
+lasso_login_validate_request_msg(LassoLogin *login, gboolean authentication_result,
+		gboolean is_consent_obtained)
+{
+	LassoProfile *profile;
+	gint ret = 0;
+
+	g_return_val_if_fail(LASSO_IS_LOGIN(login), LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ);
+
+	profile = LASSO_PROFILE(login);
+
+	/* create LibAuthnResponse */
+	profile->response = lasso_lib_authn_response_new(
+			LASSO_PROVIDER(profile->server)->ProviderID,
+			LASSO_LIB_AUTHN_REQUEST(profile->request));
+
+	/* modify AuthnResponse StatusCode if user authentication is not OK */
+	if (authentication_result == FALSE) {
+		lasso_profile_set_response_status(profile,
+				LASSO_SAML_STATUS_CODE_REQUEST_DENIED);
+		return LASSO_LOGIN_ERROR_REQUEST_DENIED;
+	}
+
+	/* if signature is not OK => modify AuthnResponse StatusCode */
+	if (profile->signature_status == LASSO_DS_ERROR_INVALID_SIGNATURE) {
+		lasso_profile_set_response_status(profile,
+				LASSO_LIB_STATUS_CODE_INVALID_SIGNATURE);
+		return LASSO_LOGIN_ERROR_INVALID_SIGNATURE;
+	}
+
+	if (profile->signature_status == LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
+		/* Unsigned AuthnRequest */
+		lasso_profile_set_response_status(profile,
+				LASSO_LIB_STATUS_CODE_UNSIGNED_AUTHN_REQUEST);
+		return LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST;
+	}
+
+	if (profile->signature_status == 0 && authentication_result == TRUE) {
+		/* process federation */
+		ret = lasso_login_process_federation(login, is_consent_obtained);
+		if (ret < 0)
+			return ret;
+
+		/* XXX: what should be done if ret was > 0 ?  I would return
+		 * that code */
+	}
+
+	lasso_profile_set_response_status(profile, LASSO_SAML_STATUS_CODE_SUCCESS);
+
+	return ret;
+}
+
--- a/lasso/id-ff/login.h
+++ b/lasso/id-ff/login.h
@ -61,6 +61,7 @@ struct _LassoLogin {

 	lassoLoginProtocolProfile protocolProfile;
 	gchar *assertionArtifact;
+	LassoSamlAssertion *assertion;

 	/*< private >*/
 	gchar *nameIDPolicy;
@ -78,26 +79,11 @@ LASSO_EXPORT LassoLogin* lasso_login_new(LassoServer *server);
 LASSO_EXPORT LassoLogin* lasso_login_new_from_dump(LassoServer *server, const gchar *dump);
 LASSO_EXPORT gint lasso_login_accept_sso(LassoLogin *login);

-LASSO_EXPORT gint lasso_login_build_artifact_msg(LassoLogin *login,
-		gboolean authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter,
-		lassoHttpMethod http_method);
+LASSO_EXPORT gint lasso_login_build_artifact_msg(LassoLogin *login, lassoHttpMethod http_method);

 LASSO_EXPORT gint lasso_login_build_authn_request_msg(LassoLogin *login);

-LASSO_EXPORT gint lasso_login_build_authn_response_msg(LassoLogin *login,
-		gboolean authentication_result,
-		gboolean is_consent_obtained,
-		const char *authenticationMethod,
-		const char *authenticationInstant,
-		const char *reauthenticateOnOrAfter,
-		const char *notBefore,
-		const char *notOnOrAfter);
+LASSO_EXPORT gint lasso_login_build_authn_response_msg(LassoLogin *login);

 LASSO_EXPORT gint lasso_login_build_request_msg(LassoLogin *login);
 LASSO_EXPORT gint lasso_login_build_response_msg(LassoLogin *login, gchar *remote_providerID);
@ -124,6 +110,14 @@ LASSO_EXPORT gint lasso_login_process_authn_response_msg(LassoLogin *login,
 LASSO_EXPORT gint lasso_login_process_request_msg(LassoLogin *login, gchar *request_msg);
 LASSO_EXPORT gint lasso_login_process_response_msg(LassoLogin *login, gchar *response_msg);

+LASSO_EXPORT int lasso_login_validate_request_msg(LassoLogin *login,
+		gboolean authentication_result, gboolean is_consent_obtained);
+
+LASSO_EXPORT int lasso_login_build_assertion(LassoLogin *login,
+		const char *authenticationMethod, const char *authenticationInstant,
+		const char *reauthenticateOnOrAfter,
+		const char *notBefore, const char *notOnOrAfter);
+
 #ifdef __cplusplus
 }
 #endif /* __cplusplus */
--- a/lasso/xml/errors.h
+++ b/lasso/xml/errors.h
@ -72,9 +72,12 @@
 #define LASSO_PARAM_ERROR_CHECK_FAILED                -503

 /* login */
-#define LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND         601
-#define LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED         602
-#define LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY        -603
+#define LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND		 601
+#define LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED		 602
+#define LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY		-603
+#define LASSO_LOGIN_ERROR_REQUEST_DENIED		 604
+#define LASSO_LOGIN_ERROR_INVALID_SIGNATURE		 605
+#define LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST	 606

 /* others */
 #define LASSO_ERROR_UNDEFINED                         -999
--- a/swig/Lasso.i
+++ b/swig/Lasso.i
@ -1620,10 +1620,13 @@ typedef struct {
 		END_THROW_ERROR

 		THROW_ERROR
-		void buildArtifactMsg(gboolean authenticationResult, gboolean isConsentObtained,
-				char *authenticationMethod, char *authenticationInstant,
-				char *reauthenticateOnOrAfter, char *notBefore,
-				char *notOnOrAfter, lassoHttpMethod httpMethod);
+		void buildArtifactMsg(lassoHttpMethod httpMethod);
+		END_THROW_ERROR
+
+		THROW_ERROR
+		int buildAssertion(char *authenticationMethod, char *authenticationInstant,
+				char *reauthenticateOnOrAfter,
+				char *notBefore, char *notOnOrAfter);
 		END_THROW_ERROR

 		THROW_ERROR
@ -1631,10 +1634,7 @@ typedef struct {
 		END_THROW_ERROR

 		THROW_ERROR
-		void buildAuthnResponseMsg(gint authenticationResult, gboolean isConsentObtained,
-				char *authenticationMethod, char *authenticationInstant,
-				char *reauthenticateOnOrAfter, char *notBefore,
-				char *notOnOrAfter);
+		void buildAuthnResponseMsg();
 		END_THROW_ERROR

 		THROW_ERROR
@ -1681,6 +1681,11 @@ typedef struct {
 		THROW_ERROR
 		void processResponseMsg(gchar *responseMsg);
 		END_THROW_ERROR
+
+		THROW_ERROR
+		int validateRequestMsg(gboolean authenticationResult, gboolean isConsentObtained);
+		END_THROW_ERROR
+
 	}
 } LassoLogin;

@ -1825,6 +1830,7 @@ gint LassoLogin_setSessionFromDump(LassoLogin *self, gchar *dump) {
 /* Methods implementations */

 #define LassoLogin_acceptSso lasso_login_accept_sso
+#define LassoLogin_buildAssertion lasso_login_build_assertion
 #define LassoLogin_buildArtifactMsg lasso_login_build_artifact_msg
 #define LassoLogin_buildAuthnRequestMsg lasso_login_build_authn_request_msg
 #define LassoLogin_buildAuthnResponseMsg lasso_login_build_authn_response_msg
@ -1840,6 +1846,7 @@ gint LassoLogin_setSessionFromDump(LassoLogin *self, gchar *dump) {
 #define LassoLogin_processAuthnResponseMsg lasso_login_process_authn_response_msg
 #define LassoLogin_processRequestMsg lasso_login_process_request_msg
 #define LassoLogin_processResponseMsg lasso_login_process_response_msg
+#define LassoLogin_validateRequestMsg lasso_login_validate_request_msg

 %}

@ -2147,6 +2154,18 @@ typedef struct {
 		void setSessionFromDump(gchar *dump);
 		END_THROW_ERROR

+		/* Methods inherited from LassoLogin */
+
+		THROW_ERROR
+		int buildAssertion(char *authenticationMethod, char *authenticationInstant,
+				char *reauthenticateOnOrAfter,
+				char *notBefore, char *notOnOrAfter);
+		END_THROW_ERROR
+
+		THROW_ERROR
+		int validateRequestMsg(gboolean authenticationResult, gboolean isConsentObtained);
+		END_THROW_ERROR
+
 		/* Methods */

 		THROW_ERROR
@ -2158,10 +2177,7 @@ typedef struct {
 		END_THROW_ERROR

 		THROW_ERROR
-		void buildAuthnResponseEnvelopeMsg(gboolean authenticationResult,
-				gboolean isConsentObtained, char *authenticationMethod,
-				char *authenticationInstant, char *reauthenticateOnOrAfter,
-				char *notBefore, char *notOnOrAfter);
+		void buildAuthnResponseEnvelopeMsg();
 		END_THROW_ERROR

 		THROW_ERROR
@ -2183,6 +2199,7 @@ typedef struct {
 		THROW_ERROR
 		void processAuthnResponseEnvelopeMsg(gchar *responseMsg);
 		END_THROW_ERROR
+
 	}
 } LassoLecp;

@ -2321,6 +2338,7 @@ gint LassoLecp_setSessionFromDump(LassoLecp *self, gchar *dump) {

 /* Methods implementations */

+#define LassoLecp_buildAssertion lasso_login_build_assertion
 #define LassoLecp_buildAuthnRequestEnvelopeMsg lasso_lecp_build_authn_request_envelope_msg
 #define LassoLecp_buildAuthnRequestMsg lasso_lecp_build_authn_request_msg
 #define LassoLecp_buildAuthnResponseEnvelopeMsg lasso_lecp_build_authn_response_envelope_msg
@ -2329,6 +2347,7 @@ gint LassoLecp_setSessionFromDump(LassoLecp *self, gchar *dump) {
 #define LassoLecp_processAuthnRequestEnvelopeMsg lasso_lecp_process_authn_request_envelope_msg
 #define LassoLecp_processAuthnRequestMsg lasso_lecp_process_authn_request_msg
 #define LassoLecp_processAuthnResponseEnvelopeMsg lasso_lecp_process_authn_response_envelope_msg
+#define LassoLecp_validateRequestMsg lasso_login_validate_request_msg

 %}

--- a/tests/login_tests.c
+++ b/tests/login_tests.c
@ -136,15 +136,18 @@ START_TEST(test02_serviceProviderLogin)
 			"protocoleProfile should be ProfileBrwsArt");
 	fail_unless(! lasso_login_must_ask_for_consent(idpLoginContext),
 			"lasso_login_must_ask_for_consent() should be FALSE");
-	rc = lasso_login_build_artifact_msg(idpLoginContext,
+	rc = lasso_login_validate_request_msg(idpLoginContext,
 			1, /* authentication_result */
-		        0, /* is_consent_obtained */
+		        0 /* is_consent_obtained */
+			);
+
+	rc = lasso_login_build_assertion(idpLoginContext,
 			LASSO_SAML_AUTHENTICATION_METHOD_PASSWORD,
 			"FIXME: authenticationInstant",
 			"FIXME: reauthenticateOnOrAfter",
 			"FIXME: notBefore",
-			"FIXME: notOnOrAfter",
-			LASSO_HTTP_METHOD_REDIRECT);
+			"FIXME: notOnOrAfter");
+	rc = lasso_login_build_artifact_msg(idpLoginContext, LASSO_HTTP_METHOD_REDIRECT);
 	fail_unless(rc == 0, "lasso_login_build_artifact_msg failed");

 	idpIdentityContextDump = lasso_identity_dump(LASSO_PROFILE(idpLoginContext)->identity);