222 |
222 |
gint
|
223 |
223 |
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
224 |
224 |
{
|
225 |
|
char *url = NULL;
|
|
225 |
char *consumer_url = NULL;
|
226 |
226 |
gboolean must_sign = TRUE;
|
227 |
227 |
LassoProfile *profile;
|
228 |
228 |
LassoSamlp2AuthnRequest *authn_request;
|
... | ... | |
247 |
247 |
}
|
248 |
248 |
|
249 |
249 |
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
|
250 |
|
|
251 |
250 |
/*
|
252 |
|
* PAOS is special, the url passed to build_request is the
|
|
251 |
* PAOS is special, as the destination is determined
|
|
252 |
* by a client (ECP), not an SP. The saml-bindings-2.0-os
|
|
253 |
* specification only describes the use of the destination
|
|
254 |
* attribute for HTTP redirect binding and HTTP POST binding,
|
|
255 |
* not PAOS. So the destination attribute must be left unset to
|
|
256 |
* avoid IdP-side errors.
|
|
257 |
*
|
|
258 |
* However, the url passed to build_request is the
|
253 |
259 |
* AssertionConsumerServiceURL of this SP, not the
|
254 |
|
* destination.
|
|
260 |
- * destination IdP URL. The build_request function handles
|
|
261 |
* PAOS as a special case in terms of populating the
|
|
262 |
* destination attribute.
|
255 |
263 |
*/
|
256 |
264 |
if (authn_request->AssertionConsumerServiceURL) {
|
257 |
|
url = authn_request->AssertionConsumerServiceURL;
|
|
265 |
consumer_url = authn_request->AssertionConsumerServiceURL;
|
258 |
266 |
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
|
259 |
|
LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
|
267 |
LASSO_PROVIDER(profile->server), consumer_url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
260 |
268 |
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
|
261 |
269 |
goto cleanup;
|
262 |
270 |
}
|
263 |
271 |
} else {
|
264 |
|
url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
|
272 |
consumer_url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
265 |
273 |
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
|
266 |
|
lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
|
|
274 |
lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, consumer_url);
|
267 |
275 |
}
|
268 |
276 |
}
|
269 |
277 |
|
270 |
|
|
271 |
278 |
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
|
272 |
|
login->http_method, url));
|
|
279 |
login->http_method, consumer_url));
|
273 |
280 |
|
274 |
281 |
cleanup:
|
275 |
282 |
return rc;
|