authorThomas Lenz <tlenz@iaik.tugraz.at>2013-12-11 15:43:02 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2013-12-11 15:43:02 +0100
commitc582412bc8d1ffcd9a2428b69fa7e4e8fb1f3c4f (patch)
tree36f68cf49fb8a5226cc0619fdb7bbf87a629e2eb /id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
parent9b3f7876fe480698d2da970b0b1ca6de0874ec48 (diff)
@PVP2
--also allow an EntityDescriptor element as root element in metadata files --some adjustments in the PVP Assertion to make it SAML2 standard compliant @MOA-ID-Auth --improve SZR-Gateway client error handling
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java21
1 files changed, 18 insertions, 3 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 5e8206739..f21567245 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -21,6 +21,7 @@ import org.opensaml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.SubjectConfirmation;
import org.opensaml.saml2.core.SubjectConfirmationData;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.NameIDFormat;
@@ -42,6 +43,7 @@ import at.gv.egovernment.moa.id.data.AuthenticationData;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionConsumerServiceException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
@@ -293,7 +295,16 @@ public class PVP2AssertionBuilder implements PVPConstants {
.createSAMLObject(SubjectConfirmationData.class);
subjectConfirmationData.setInResponseTo(authnRequest.getID());
subjectConfirmationData.setNotOnOrAfter(new DateTime().plusMinutes(20));
- subjectConfirmationData.setRecipient(peerEntity.getEntityID());
+
+ //TL: change from entityID to destination URL
+ AssertionConsumerService consumerService = spSSODescriptor
+ .getAssertionConsumerServices().get(idx);
+
+ if (consumerService == null) {
+ throw new InvalidAssertionConsumerServiceException(idx);
+ }
+
+ subjectConfirmationData.setRecipient(consumerService.getLocation());
subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
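Review bot: The new `if (consumerService == null)` check does not guard the lookup on the line above it: `List.get(idx)` throws IndexOutOfBoundsException for an index outside the SP metadata's AssertionConsumerService list, so an out-of-range index would surface as an unhandled runtime exception instead of as InvalidAssertionConsumerServiceException. Whether idx is range-checked before this hunk is not visible here, so a local bound is the safer option: `if (idx < 0 || idx >= spSSODescriptor.getAssertionConsumerServices().size()) { throw new InvalidAssertionConsumerServiceException(idx); }` placed before the `get(idx)`, after which the null check is still worth keeping. Taking Recipient from the SP's registered metadata rather than from a URL carried in the AuthnRequest is the right choice; it only holds if the Response is actually delivered to that same Location (and a binding this IdP supports), which is decided outside this hunk. The enclosing method starts and ends outside the hunk.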
@@ -303,7 +314,7 @@ public class PVP2AssertionBuilder implements PVPConstants {
AudienceRestriction audienceRestriction = SAML2Utils
.createSAMLObject(AudienceRestriction.class);
Audience audience = SAML2Utils.createSAMLObject(Audience.class);
-
+
audience.setAudienceURI(peerEntity.getEntityID());
audienceRestriction.getAudiences().add(audience);
conditions.setNotBefore(new DateTime());
@@ -316,8 +327,12 @@ public class PVP2AssertionBuilder implements PVPConstants {
assertion.setConditions(conditions);
Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
- issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
+
+ //TODO: check!
+ //change to entity value from entity name to IDP EntityID (URL)
+ issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath());
issuer.setFormat(NameID.ENTITY);
+
assertion.setIssuer(issuer);
assertion.setSubject(subject);
assertion.setID(SAML2Utils.getSecureIdentifier());
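Review bot: The `//TODO: check!` left above `issuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath())` should be resolved before this ships: with `issuer.setFormat(NameID.ENTITY)` the value is the IdP's entityID, which relying parties match literally against the entityID in the IdP's published metadata, so any difference in scheme, host case or trailing slash between the public-path setting and the metadata entityID makes every assertion unverifiable. If the metadata entityID is derived from this same setting that is fine; if it is a separate configuration value, the Issuer should be built from that value, and the Response-level Issuer, which is set outside this hunk, must use the same one. Replace the TODO with the intent, e.g. `// Issuer must be byte-identical to the entityID in the published IdP metadata (NameID.ENTITY format); SPs compare it literally.`. The enclosing method starts and ends outside the hunk.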