222 |
222 |
gint
|
223 |
223 |
lasso_saml20_login_build_authn_request_msg(LassoLogin *login)
|
224 |
224 |
{
|
225 |
|
char *url = NULL;
|
|
225 |
char *assertionConsumerServiceURL = NULL;
|
226 |
226 |
gboolean must_sign = TRUE;
|
227 |
227 |
LassoProfile *profile;
|
228 |
228 |
LassoSamlp2AuthnRequest *authn_request;
|
... | ... | |
247 |
247 |
}
|
248 |
248 |
|
249 |
249 |
if (login->http_method == LASSO_HTTP_METHOD_PAOS) {
|
250 |
|
|
251 |
250 |
/*
|
252 |
251 |
* PAOS is special, the url passed to build_request is the
|
253 |
252 |
* AssertionConsumerServiceURL of this SP, not the
|
254 |
|
* destination.
|
|
253 |
* destination IdP URL. This is done to fill paos:responseConsumerURL
|
|
254 |
* appropriately down the line in build_request_msg.
|
|
255 |
* See https://dev.entrouvert.org/issues/34409 for more information.
|
255 |
256 |
*/
|
256 |
257 |
if (authn_request->AssertionConsumerServiceURL) {
|
257 |
|
url = authn_request->AssertionConsumerServiceURL;
|
|
258 |
assertionConsumerServiceURL = authn_request->AssertionConsumerServiceURL;
|
258 |
259 |
if (!lasso_saml20_provider_check_assertion_consumer_service_url(
|
259 |
|
LASSO_PROVIDER(profile->server), url, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
|
260 |
LASSO_PROVIDER(profile->server), assertionConsumerServiceURL, LASSO_SAML2_METADATA_BINDING_PAOS)) {
|
260 |
261 |
rc = LASSO_PROFILE_ERROR_INVALID_REQUEST;
|
261 |
262 |
goto cleanup;
|
262 |
263 |
}
|
263 |
264 |
} else {
|
264 |
|
url = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
|
265 |
assertionConsumerServiceURL = lasso_saml20_provider_get_assertion_consumer_service_url_by_binding(
|
265 |
266 |
LASSO_PROVIDER(profile->server), LASSO_SAML2_METADATA_BINDING_PAOS);
|
266 |
|
lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, url);
|
|
267 |
lasso_assign_new_string(authn_request->AssertionConsumerServiceURL, assertionConsumerServiceURL);
|
267 |
268 |
}
|
268 |
269 |
}
|
269 |
270 |
|
270 |
|
|
271 |
271 |
lasso_check_good_rc(lasso_saml20_profile_build_request_msg(profile, "SingleSignOnService",
|
272 |
|
login->http_method, url));
|
|
272 |
login->http_method, assertionConsumerServiceURL));
|
273 |
273 |
|
274 |
274 |
cleanup:
|
275 |
275 |
return rc;
|
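Review bot: The else branch of the PAOS block (new lines 265-267) uses the result of lasso_saml20_provider_get_assertion_consumer_service_url_by_binding() without a NULL check, whereas the if branch rejects a URL that is not registered for this SP with LASSO_PROFILE_ERROR_INVALID_REQUEST. If the SP metadata declares no PAOS endpoint, the lookup presumably returns NULL, which is then stored in authn_request->AssertionConsumerServiceURL and handed to lasso_saml20_profile_build_request_msg(); going by the new comment, paos:responseConsumerURL could then no longer be filled from this SP's URL, though what the callee does with NULL is not visible here. A guard right after the lookup would make both branches fail closed: `if (assertionConsumerServiceURL == NULL) { rc = LASSO_PROFILE_ERROR_INVALID_REQUEST; goto cleanup; }` (the error code is reused from the branch above; a more specific one may fit better). Lines 229-246 and the end of the function lie outside the visible hunks, so an earlier check there cannot be ruled out.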