1
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
5
<title>LassoLogin</title>
6
<meta name="generator" content="DocBook XSL Stylesheets V1.75.1">
7
<link rel="home" href="index.html" title="Lasso Reference Manual">
8
<link rel="up" href="idff.html" title="Identity Federation Framework - ID-FF 1.2 profiles">
9
<link rel="prev" href="idff.html" title="Identity Federation Framework - ID-FF 1.2 profiles">
10
<link rel="next" href="lasso-LassoLogout.html" title="LassoLogout">
11
<meta name="generator" content="GTK-Doc V1.11 (XML mode)">
12
<link rel="stylesheet" href="style.css" type="text/css">
13
<link rel="chapter" href="lasso.html" title="Lasso & Liberty Alliance Overview">
14
<link rel="reference" href="rn01.html" title="Application Programming Interface">
15
<link rel="chapter" href="architecture.html" title="Lasso Architecture">
16
<link rel="chapter" href="idff.html" title="Identity Federation Framework - ID-FF 1.2 profiles">
17
<link rel="chapter" href="xml-idff.html" title="Objects from ID-FF 1.2 schemas">
18
<link rel="chapter" href="saml2.html" title="SAML 2.0 Single Sign On profiles">
19
<link rel="chapter" href="xml-samlv2.html" title="Objects from SAML 2.0 schemas">
20
<link rel="chapter" href="idwsf.html" title="Identity Web Services Framework 1.0">
21
<link rel="chapter" href="xml-idwsf.html" title="Objects from ID-WSF 1.0 schemas">
22
<link rel="chapter" href="idwsf2.html" title="ID-WSF 2.0">
23
<link rel="chapter" href="xml-idwsf2.html" title="Objects from ID-WSF 2.0 schemas">
24
<link rel="chapter" href="soap.html" title="Object from the SOAP 1.1 schemas">
25
<link rel="chapter" href="xml-dsig.html" title="Object from the XML-DSIG schemas">
26
<link rel="chapter" href="ws-addr.html" title="Object from the WS-* schemas">
27
<link rel="part" href="pt01.html" title="Part II. Appendix">
28
<link rel="index" href="api-index.html" title="API Index">
29
<link rel="glossary" href="annotation-glossary.html" title="Annotation Glossary">
31
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
32
46
<div class="refentry" title="LassoLogin">
47
<a name="lasso-LassoLogin"></a><div class="titlepage"></div>
48
<div class="refnamediv"><table width="100%"><tr>
50
<h2><span class="refentrytitle"><a name="lasso-LassoLogin.top_of_page"></a>LassoLogin</span></h2>
51
<p>LassoLogin — Single Sign-On and Federation Profile</p>
53
<td valign="top" align="right"></td>
55
<div class="refsynopsisdiv" title="Synopsis">
56
<a name="lasso-LassoLogin.synopsis"></a><h2>Synopsis</h2>
57
<pre class="synopsis">
58
enum LassoLoginProtocolProfile;
60
LassoLogin* lasso_login_new (LassoServer *server);
61
LassoLogin* lasso_login_new_from_dump (LassoServer *server,
63
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
65
lasso_error_t lasso_login_accept_sso (LassoLogin *login);
66
lasso_error_t lasso_login_build_artifact_msg (LassoLogin *login,
67
LassoHttpMethod http_method);
68
lasso_error_t lasso_login_build_assertion (LassoLogin *login,
69
const char *authenticationMethod,
70
const char *authenticationInstant,
71
const char *reauthenticateOnOrAfter,
72
const char *notBefore,
73
const char *notOnOrAfter);
74
lasso_error_t lasso_login_build_authn_request_msg (LassoLogin *login);
75
lasso_error_t lasso_login_build_authn_response_msg
77
lasso_error_t lasso_login_build_request_msg (LassoLogin *login);
78
lasso_error_t lasso_login_build_response_msg (LassoLogin *login,
80
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
81
>gchar</a> *remote_providerID);
82
void lasso_login_destroy (LassoLogin *login);
84
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
85
>gchar</a>* lasso_login_dump (LassoLogin *login);
86
LassoNode * lasso_login_get_assertion (LassoLogin *login);
87
lasso_error_t lasso_login_init_authn_request (LassoLogin *login,
89
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
90
>gchar</a> *remote_providerID,
91
LassoHttpMethod http_method);
92
lasso_error_t lasso_login_init_idp_initiated_authn_request
95
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
96
>gchar</a> *remote_providerID);
97
lasso_error_t lasso_login_init_request (LassoLogin *login,
99
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
100
>gchar</a> *response_msg,
101
LassoHttpMethod response_http_method);
103
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
104
>gboolean</a> lasso_login_must_ask_for_consent (LassoLogin *login);
106
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
107
>gboolean</a> lasso_login_must_authenticate (LassoLogin *login);
108
lasso_error_t lasso_login_process_authn_request_msg
110
const char *authn_request_msg);
111
lasso_error_t lasso_login_process_authn_response_msg
114
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
115
>gchar</a> *authn_response_msg);
116
lasso_error_t lasso_login_process_paos_response_msg
119
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
121
lasso_error_t lasso_login_process_request_msg (LassoLogin *login,
123
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
124
>gchar</a> *request_msg);
125
lasso_error_t lasso_login_process_response_msg (LassoLogin *login,
127
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
128
>gchar</a> *response_msg);
129
lasso_error_t lasso_login_validate_request_msg (LassoLogin *login,
131
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
132
>gboolean</a> authentication_result,
134
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
135
>gboolean</a> is_consent_obtained);
138
<div class="refsect1" title="Description">
139
<a name="lasso-LassoLogin.description"></a><h2>Description</h2>
141
The Single Sign On process allows a user to log in once to an identity
142
provider (IdP), and then to be transparently logged in to the required
143
service providers (SP) belonging to the IdP "circle of trust". Subordinating
144
different identities of the same user within a circle of trust to a unique
145
IdP is called "Identity Federation". The Liberty Alliance specifications
146
allow, thanks to this federation, strong and unique authentication coupled
147
with control by the user of their personal information. The explicit user
148
agreement is necessary before proceeding to Identity Federation.
153
The service provider must implement the following process:
155
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
156
<li class="listitem"><p>creating an authentication request with
157
<code class="function">lasso_login_init_authn_request()</code>;</p></li>
158
<li class="listitem"><p>sending it to the identity provider with
159
<code class="function">lasso_login_build_authn_request_msg()</code>;</p></li>
160
<li class="listitem">
161
<p>receiving and processing the answer:
163
<div class="itemizedlist"><ul class="itemizedlist" type="circle">
164
<li class="listitem">either an authentication response with
165
<code class="function">lasso_login_process_authn_response_msg()</code>
167
<li class="listitem">or an artifact with <code class="function">lasso_login_init_request()</code> then sending the
168
request to the IdP with <code class="function">lasso_login_build_request_msg()</code> and processing the
169
new answer with <code class="function">lasso_login_process_response_msg()</code>.</li>
181
<p>Our first example shows how to initiate a request toward an ID-FF 1.2 or SAML 2.0 identity
182
provider. It supposes that we already initialized a <span class="type">LassoServer</span> object with the metadata of our
183
provider (and its private key if we want to sign the request), and that we added the metadata of
184
the targeted IdP with the method <code class="function">lasso_server_add_provider()</code>. </p>
189
<div class="example">
190
<a name="id2692415"></a><p class="title"><b>Example 1. Service Provider Login URL</b></p>
191
<div class="example-contents"><pre class="programlisting">
193
int rc; // hold return codes
195
login = lasso_login_new(server);
196
rc = lasso_login_init_authn_request(login, "http://identity-provider-id/",
197
LASSO_HTTP_METHOD_REDIRECT);
199
... // handle errors, most of them are related to bad initialization
202
// customize AuthnRequest
203
// protocolProfile is the protocolProfile of the provider http://identity-provider-id/
204
if (protocolProfile == LASSO_LIBERTY_1_2) {
205
LassoLibAuthnRequest *request = LASSO_LIB_AUTHN_REQUEST(LASSO_PROFILE(login)->request);
206
request->NameIDPolicy = strdup(LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED);
207
request->ForceAuthn = TRUE;
208
request->IsPassive = FALSE;
209
// tell the IdP how to return the response
210
request->ProtocolProfile = strdup(LASSO_LIB_PROTOCOL_PROFILE_BRWS_ART);
211
} else if (protocolProfile == LASSO_SAML_2_0) {
212
LassoSamlp2AuthnRequest *request = LASSO_SAMLP2_AUTHN_REQUEST(LASSO_PROFILE(login)->request);
213
if (request->NameIDPolicy->Format) {
214
g_free(request->NameIDPolicy->Format);
216
request->NameIDPolicy->Format = g_strdup(LASSO_NAME_IDENTIFIER_FORMAT_PERSISTENT);
217
// Allow creation of new federation
219
request->NameIDPolicy->AllowCreate = 1;
220
request->ForceAuthn = TRUE;
221
request->IsPassive = FALSE;
222
// tell the IdP how to return the response
223
if (request->ProtocolBinding) {
224
g_free(request->ProtocolBinding);
226
// here we expect an artifact response, it could be post, redirect or PAOS.
227
request->ProtocolBinding = g_strdup(LASSO_SAML2_METADATA_BINDING_ARTIFACT);
229
// Lasso will choose whether to sign the request by looking at the IdP
230
// metadatas and at our metadatas, but you can always force him to sign or to
231
// not sign using the method lasso_profile_set_signature_hint() on the
232
// LassoLogin object.
234
rc = lasso_login_build_authn_request_msg(login);
236
.... // handle errors
237
// could be that the requested binding (POST, Redirect, etc..) is not supported (LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE)
238
// or that we could not sign the request (LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED).
241
// redirect user to identity provider
242
// we chose the Redirect binding, so we have to generate a redirect HTTP response to the URL returned by Lasso
243
printf("Location: %s\n\nRedirected to IdP\n", LASSO_PROFILE(login)->msg_url);
246
<p><br class="example-break">
250
<p>The next example shows how to receive the response from the identity
provider for ID-FF 1.2. As in the first example, the return code of each Lasso call that
processes a message must be checked before the response is acted upon.</p>
256
<div class="example">
257
<a name="id2692480"></a><p class="title"><b>Example 2. Service Provider Assertion Consumer Service URL for ID-FF 1.2</b></p>
258
<div class="example-contents"><pre class="programlisting">
260
char *request_method = getenv("REQUEST_METHOD");
261
char *artifact_msg = NULL, *lares = NULL, *lareq = NULL;
262
char *name_identifier;
263
lassoHttpMethod method;
266
login = lasso_login_new(server);
267
if (strcmp(request_method, "GET") == 0) {
268
artifact_msg = getenv("QUERY_STRING");
269
method = LASSO_HTTP_METHOD_REDIRECT;
271
// read submitted form; if it has a LAREQ field, put it in lareq,
272
// if it has a LARES field, put it in lares
274
artifact_msg = lareq;
276
response_msg = lares;
280
method = LASSO_HTTP_METHOD_POST;
284
// we received an artifact response,
285
// it means we did not really receive the response,
286
// only a token to redeem the real response from the identity
287
// provider through a SOAP resolution call
288
rc = lasso_login_init_request(login, artifact_msg, method);
291
// there is usually no error at this step, only
292
// if the IdP response is malformed
294
rc = lasso_login_build_request_msg(login);
297
// as for AuthnRequest generation, it generally is caused
298
// by a bad initialization like an impossibility to load
301
// makes a SOAP call, soap_call is NOT a Lasso function
302
soap_answer_msg = soap_call(LASSO_PROFILE(login)->msg_url,
303
LASSO_PROFILE(login)->msg_body);
304
rc = lasso_login_process_response_msg(login, soap_answer_msg);
307
// here you can know if the IdP refused the request,
309
} else if (response_msg) {
310
lasso_login_process_authn_response_msg(login, response_msg);
313
// looks up name_identifier in local file, database, whatever and gets back
314
// two things: identity_dump and session_dump
315
name_identifier = LASSO_PROFILE(login)->nameIdentifier
316
lasso_profile_set_identity_from_dump(LASSO_PROFILE(login), identity_dump);
317
lasso_profile_set_session_from_dump(LASSO_PROFILE(login), session_dump);
319
lasso_login_accept_sso(login);
321
if (lasso_profile_is_identity_dirty(LASSO_PROFILE(login))) {
322
LassoIdentity *identity;
324
identity = lasso_profile_get_identity(LASSO_PROFILE(login));
325
identity_dump = lasso_identity_dump(identity);
326
// record identity_dump in file, database...
329
if (lasso_profile_is_session_dirty(LASSO_PROFILE(login))) {
330
LassoSession *session;
332
session = lasso_profile_get_session(LASSO_PROFILE(login));
333
session_dump = lasso_session_dump(session);
334
// record session_dump in file, database...
337
// redirect user anywhere
338
printf("Location: %s\n\nRedirected to site root\n", login->msg_url);
341
<p><br class="example-break">
345
<p>To implement an IdP you must create a single sign-on service endpoint; the needed APIs for
346
this are <code class="function">lasso_login_process_authn_request_msg()</code>, <code class="function">lasso_login_validate_request_msg()</code>,
347
<code class="function">lasso_login_build_assertion()</code>, <code class="function">lasso_login_build_authn_response_msg()</code> and
348
<code class="function">lasso_login_build_artifact_msg()</code>. You will have to choose between
349
<code class="function">lasso_login_build_authn_response_msg()</code> and <code class="function">lasso_login_build_artifact_msg()</code> depending on the
350
the response protocol requested by the service provider.</p>
355
<div class="example">
356
<a name="id2692613"></a><p class="title"><b>Example 3. Identity provider single sign-on service</b></p>
357
<div class="example-contents"><pre class="programlisting">
359
char *request_method = getenv("REQUEST_METHOD");
360
char *artifact_msg = NULL, *lares = NULL, *lareq = NULL;
361
char *name_identifier;
362
lassoHttpMethod method;
365
login = lasso_login_new(server);
366
if (strcmp(request_method, 'GET')) { // AuthnRequest send with the HTTP-Redirect binding
368
lasso_profile_set_signature_verify_hint(LASSO_PROFILE(login),
369
LASSO_PROFILE_SIGNATURE_VERIFY_HINT_FORCE);
370
rc = lasso_process_authn_request_msg(login, getenv("QUERY_STRING"));
380
<p><br class="example-break"></p>
382
<div class="refsect1" title="Details">
383
<a name="lasso-LassoLogin.details"></a><h2>Details</h2>
384
<div class="refsect2" title="enum LassoLoginProtocolProfile">
385
<a name="LassoLoginProtocolProfile"></a><h3>enum LassoLoginProtocolProfile</h3>
386
<pre class="programlisting">typedef enum {
387
LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART = 1,
388
LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST,
389
LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP,
390
LASSO_LOGIN_PROTOCOL_PROFILE_REDIRECT,
391
} LassoLoginProtocolProfile;
394
Identifies the four possible profiles for Single Sign-On and Federation. It defines how the
395
response to the authentication request will be transmitted to the service provider.</p>
396
<div class="variablelist"><table border="0">
397
<col align="left" valign="top">
400
<td><p><a name="LASSO-LOGIN-PROTOCOL-PROFILE-BRWS-ART--CAPS"></a><span class="term"><code class="literal">LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART</code></span></p></td>
401
<td> response is transmitted through a redirect request with
402
an artifact, followed by an artifact resolution request by the service provider.
406
<td><p><a name="LASSO-LOGIN-PROTOCOL-PROFILE-BRWS-POST--CAPS"></a><span class="term"><code class="literal">LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST</code></span></p></td>
407
<td> response is transmitted through a POST.
411
<td><p><a name="LASSO-LOGIN-PROTOCOL-PROFILE-BRWS-LECP--CAPS"></a><span class="term"><code class="literal">LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP</code></span></p></td>
412
<td> response is transmitted in a PAOS response (see
413
<span class="type">LassoLecp</span>).
417
<td><p><a name="LASSO-LOGIN-PROTOCOL-PROFILE-REDIRECT--CAPS"></a><span class="term"><code class="literal">LASSO_LOGIN_PROTOCOL_PROFILE_REDIRECT</code></span></p></td>
418
<td> response is transmitted through a redirect.
425
<div class="refsect2" title="LassoLogin">
426
<a name="LassoLogin"></a><h3>LassoLogin</h3>
427
<pre class="programlisting">typedef struct {
430
LassoLoginProtocolProfile protocolProfile;
431
gchar *assertionArtifact;
435
Single sign-on profile for the current transaction; possibly an
436
assertionArtifact to be used by the service provider in its
437
"assertionConsumerServiceURL" and the assertion created or received for the
439
<div class="variablelist"><table border="0">
440
<col align="left" valign="top">
443
<td><p><span class="term">LassoProfile <em class="structfield"><code>parent</code></em>;</span></p></td>
447
<td><p><span class="term">LassoLoginProtocolProfile <em class="structfield"><code>protocolProfile</code></em>;</span></p></td>
448
<td> the kind of binding used for this authentication request.
452
<td><p><span class="term"><a
453
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
454
>gchar</a> *<em class="structfield"><code>assertionArtifact</code></em>;</span></p></td>
455
<td> a string representing the artifact received through an artifact resolution.
463
<div class="refsect2" title="lasso_login_new ()">
464
<a name="lasso-login-new"></a><h3>lasso_login_new ()</h3>
465
<pre class="programlisting">LassoLogin* lasso_login_new (LassoServer *server);</pre>
467
Creates a new <span class="type">LassoLogin</span>.</p>
468
<div class="variablelist"><table border="0">
469
<col align="left" valign="top">
472
<td><p><span class="term"><em class="parameter"><code>server</code></em> :</span></p></td>
473
<td> the <span class="type">LassoServer</span>
477
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
478
<td> a newly created <span class="type">LassoLogin</span> object; or NULL if an error
486
<div class="refsect2" title="lasso_login_new_from_dump ()">
487
<a name="lasso-login-new-from-dump"></a><h3>lasso_login_new_from_dump ()</h3>
488
<pre class="programlisting">LassoLogin* lasso_login_new_from_dump (LassoServer *server,
490
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
491
>gchar</a> *dump);</pre>
493
Restores the <em class="parameter"><code>dump</code></em> to a new <span class="type">LassoLogin</span>.</p>
494
<div class="variablelist"><table border="0">
495
<col align="left" valign="top">
498
<td><p><span class="term"><em class="parameter"><code>server</code></em> :</span></p></td>
499
<td> the <span class="type">LassoServer</span>
503
<td><p><span class="term"><em class="parameter"><code>dump</code></em> :</span></p></td>
508
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
509
<td> a newly created <span class="type">LassoLogin</span>; or NULL if an error occurred.
516
<div class="refsect2" title="lasso_login_accept_sso ()">
517
<a name="lasso-login-accept-sso"></a><h3>lasso_login_accept_sso ()</h3>
518
<pre class="programlisting">lasso_error_t lasso_login_accept_sso (LassoLogin *login);</pre>
520
Gets the assertion of the response and adds it to the <span class="type">LassoSession</span> object.
521
Builds a federation with the two name identifiers of the assertion
522
and adds it into the identity.
523
If the session or the identity is NULL, it is created.</p>
524
<div class="variablelist"><table border="0">
525
<col align="left" valign="top">
528
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
529
<td> a <span class="type">LassoLogin</span>
533
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
534
<td> 0 on success; or
535
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
536
<li class="listitem"><p>
537
<span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,
539
<li class="listitem"><p>
540
<span class="type">LASSO_PROFILE_ERROR_MISSING_RESPONSE</span> if no response is present in the login profile object;
541
usually because no call to lasso_login_process_authn_response_msg was done;
543
<li class="listitem"><p>
544
<span class="type">LASSO_PROFILE_ERROR_MISSING_ASSERTION</span> if the response does not contain an assertion,
546
<li class="listitem"><p>
547
<span class="type">LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND</span> if the assertion does not contain a NameID element,
549
<li class="listitem"><p>
550
<span class="type">LASSO_PROFILE_ERROR_MISSING_NAME_IDENTIFIER</span> same as
551
<span class="type">LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND</span>,
553
<li class="listitem"><p>
554
<span class="type">LASSO_LOGIN_ERROR_ASSERTION_REPLAY</span> if the assertion has already been used.
563
<div class="refsect2" title="lasso_login_build_artifact_msg ()">
564
<a name="lasso-login-build-artifact-msg"></a><h3>lasso_login_build_artifact_msg ()</h3>
565
<pre class="programlisting">lasso_error_t lasso_login_build_artifact_msg (LassoLogin *login,
566
LassoHttpMethod http_method);</pre>
568
Builds a SAML artifact. Depending on the HTTP method, the data for the sending of
569
the artifact are stored in <em class="parameter"><code>msg_url</code></em> (REDIRECT) or <em class="parameter"><code>msg_url</code></em>, <em class="parameter"><code>msg_body</code></em> and
570
<em class="parameter"><code>msg_relayState</code></em> (POST).</p>
571
<div class="variablelist"><table border="0">
572
<col align="left" valign="top">
575
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
576
<td> a <span class="type">LassoLogin</span>
580
<td><p><span class="term"><em class="parameter"><code>http_method</code></em> :</span></p></td>
581
<td> the HTTP method used to send the artifact (REDIRECT or POST)
585
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
586
<td> 0 on success; or
587
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
588
<li class="listitem"><p>
589
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,
591
<li class="listitem"><p>
592
LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no remote provider ID was set up in the login
profile object; it is usually set by lasso_login_process_authn_request_msg,
595
<li class="listitem"><p>
596
LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT
nor LASSO_HTTP_METHOD_POST (ID-FF 1.2 case), or neither LASSO_HTTP_METHOD_ARTIFACT_GET nor
LASSO_HTTP_METHOD_ARTIFACT_POST (SAML 2.0 case),
600
<li class="listitem"><p>
601
LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE if the current protocolProfile is not
LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_ART (only for ID-FF 1.2),
606
<li class="listitem"><p>
607
LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the remote provider is not known to our server object
608
which prevents us from finding a service endpoint,
610
<li class="listitem"><p>
611
LASSO_PROFILE_ERROR_MISSING_RESPONSE if the response object is missing,
613
<li class="listitem"><p>
614
LASSO_PROFILE_ERROR_MISSING_STATUS_CODE if the response object is missing a status code,
624
<div class="refsect2" title="lasso_login_build_assertion ()">
625
<a name="lasso-login-build-assertion"></a><h3>lasso_login_build_assertion ()</h3>
626
<pre class="programlisting">lasso_error_t lasso_login_build_assertion (LassoLogin *login,
627
const char *authenticationMethod,
628
const char *authenticationInstant,
629
const char *reauthenticateOnOrAfter,
630
const char *notBefore,
631
const char *notOnOrAfter);</pre>
Builds an assertion and stores it in the profile session.
<em class="parameter"><code>authenticationInstant</code></em>, <em class="parameter"><code>reauthenticateOnOrAfter</code></em>, <em class="parameter"><code>notBefore</code></em> and
<em class="parameter"><code>notOnOrAfter</code></em> may be NULL. If <em class="parameter"><code>authenticationInstant</code></em> is NULL, the current
time is used. All time values must be encoded in UTC. Since <em class="parameter"><code>notBefore</code></em> and
<em class="parameter"><code>notOnOrAfter</code></em> bound the period during which the assertion is valid, pass explicit values
when you want a short, well-defined validity window rather than relying on whatever applies when they
are NULL (not documented here).
Constructs the authentication assertion for the response. It must be called only after the request
has been validated with <code class="function">lasso_login_validate_request_msg()</code>; building an assertion for a request
that has not been validated bypasses the checks that call performs. The created assertion is accessed using
<code class="function">lasso_login_get_assertion()</code>.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>authenticationMethod</code></em> :</span></p></td>
<td> the authentication method actually used to authenticate the Principal
<td><p><span class="term"><em class="parameter"><code>authenticationInstant</code></em> :</span></p></td>
<td> the time at which the authentication took place
<td><p><span class="term"><em class="parameter"><code>notBefore</code></em> :</span></p></td>
<td> the earliest time instant at which the assertion is valid (UTC)
<td><p><span class="term"><em class="parameter"><code>notOnOrAfter</code></em> :</span></p></td>
<td> the time instant from which the assertion is no longer valid (UTC; the assertion is invalid at this instant and afterwards)
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
<span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_IDENTITY_NOT_FOUND</span> if no identity object was found in the login profile object.
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_MISSING_RESPONSE</span> if no response object is present ( it is normally initialized
by <code class="function">lasso_login_process_authn_request_msg()</code> )
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND</span> if a <span class="type">LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT</span> or <span class="type">LASSO_SAML2_NAME_IDENTIFIER_FORMAT_ENCRYPTED</span> NameID format is asked and no corresponding federation was found in the <span class="type">LassoIdentity</span> object,
<li class="listitem"><p>
<span class="type">LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND</span> if encryption is needed and the request issuing provider is unknown (it as not been registered in the <span class="type">LassoServer</span> object),
<li class="listitem"><p>
<span class="type">LASSO_DS_ERROR_ENCRYPTION_FAILED</span> if encryption is needed but it failed,
<div class="refsect2" title="lasso_login_build_authn_request_msg ()">
<a name="lasso-login-build-authn-request-msg"></a><h3>lasso_login_build_authn_request_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_build_authn_request_msg (LassoLogin *login);</pre>
Converts the profile authentication request (<em class="parameter"><code>request</code></em> member) into a Liberty message: either a URL
in the HTTP-Redirect profile, or a URL plus a form field value in the Browser-POST (form) profile.
The URL is set into the <em class="parameter"><code>msg_url</code></em> member and, for Browser-POST, the form field value (LAREQ) is set into the
<em class="parameter"><code>msg_body</code></em> member.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
<span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID</span> if no remote provider ID was set up&nbsp;- it usually
means that <code class="function">lasso_login_init_authn_request()</code> was not called before,
<li class="listitem"><p>
<span class="type">LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND</span> if the remote provider ID is not registered in the server
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE</span> if the SSO profile is not supported by the targeted
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_BUILDING_QUERY_FAILED</span> if building the query part of the redirect URL
or the body of the POST content failed&nbsp;- this only happens with the <span class="type">LASSO_HTTP_METHOD_REDIRECT</span>,
<span class="type">LASSO_HTTP_METHOD_POST</span>, <span class="type">LASSO_HTTP_METHOD_ARTIFACT_GET</span> and
<span class="type">LASSO_HTTP_METHOD_ARTIFACT_POST</span> bindings&nbsp;-,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL</span> if the metadata of the remote provider does not contain
an url for the SSO profile,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_INVALID_REQUEST</span> if the request object is not of the needed type; it usually
means that <code class="function">lasso_login_init_authn_request()</code> was not called before,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_MISSING_REQUEST</span> if the request object is missing,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD</span> if the <em class="parameter"><code>http_method</code></em> currently set on the <span class="type">LassoLogin</span>
<div class="refsect2" title="lasso_login_build_authn_response_msg ()">
<a name="lasso-login-build-authn-response-msg"></a><h3>lasso_login_build_authn_response_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_build_authn_response_msg
(LassoLogin *login);</pre>
Converts profile authentication response (<em class="parameter"><code>response</code></em> member) into a Liberty
The URL is set into the <em class="parameter"><code>msg_url</code></em> member and the field value (LARES) is set
into the <em class="parameter"><code>msg_body</code></em> member.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE if the current protocol profile is neither
LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_POST nor LASSO_LOGIN_PROTOCOL_PROFILE_BRWS_LECP,
<li class="listitem"><p>
LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the remote provider ID is not registered in the server
<li class="listitem"><p>
LASSO_PROFILE_ERROR_UNKNOWN_PROFILE_URL if the metadata of the remote provider does not contain
an URL for the assertion consuming service,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_MISSING_SERVER if the server object, which is needed to sign the message, is
<li class="listitem"><p>
LASSO_DS_ERROR_PRIVATE_KEY_LOAD_FAILED if the private key used for signing could not be loaded,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_MISSING_RESPONSE if the response object is missing,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE if the SSO profile is not supported by the targeted
<li class="listitem"><p>
LASSO_PROFILE_BUILDING_QUERY_FAILED if using <span class="type">LASSO_HTTP_METHOD_REDIRECT</span> building of the redirect
<li class="listitem"><p>
LASSO_PROFILE_BUILDING_MSG_FAILED if using <span class="type">LASSO_HTTP_METHOD_POST</span>, <span class="type">LASSO_HTTP_METHOD_SOAP</span> or
<span class="type">LASSO_HTTP_METHOD_PAOS</span> and building the <em class="parameter"><code>msg_body</code></em> failed.
<div class="refsect2" title="lasso_login_build_request_msg ()">
<a name="lasso-login-build-request-msg"></a><h3>lasso_login_build_request_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_build_request_msg (LassoLogin *login);</pre>
Produces a SOAP ArtifactResolve message. It must follow a call to
<code class="function">lasso_login_init_request()</code> on the artifact message, which decodes the artifact and
identifies the provider to query.
Converts the artifact request into a Liberty SOAP message.
The URL is set into the <em class="parameter"><code>msg_url</code></em> member and the SOAP message into the
<em class="parameter"><code>msg_body</code></em> member. You should then POST <em class="parameter"><code>msg_body</code></em> to <em class="parameter"><code>msg_url</code></em>
directly from your server (back channel), not via the user's browser: this exchange is what turns the artifact into the
actual response, so send it only to the <em class="parameter"><code>msg_url</code></em> Lasso derived from the registered provider and over a TLS connection.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,
LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no remote provider ID was set up -- it usually
means that lasso_login_init_request was not called before,
LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the remote provider ID is not registered in the server
<div class="refsect2" title="lasso_login_build_response_msg ()">
<a name="lasso-login-build-response-msg"></a><h3>lasso_login_build_response_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_build_response_msg (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *remote_providerID);</pre>
Converts the profile assertion response (<em class="parameter"><code>response</code></em> member) into a Liberty SOAP
response message.
The URL is set into the <em class="parameter"><code>msg_url</code></em> member and the SOAP message is set into the
<em class="parameter"><code>msg_body</code></em> member.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>remote_providerID</code></em> :</span></p></td>
<td> service provider ID
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or a negative value otherwise:
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,
LASSO_PROFILE_ERROR_SESSION_NOT_FOUND if no session object was found in the login profile object; it is
usually created by calling <code class="function">lasso_login_build_assertion()</code> beforehand.
<div class="refsect2" title="lasso_login_destroy ()">
<a name="lasso-login-destroy"></a><h3>lasso_login_destroy ()</h3>
<pre class="programlisting">void lasso_login_destroy (LassoLogin *login);</pre>
Destroys a <span class="type">LassoLogin</span> object.
<em class="parameter"><code>Deprecated</code></em>: Since <span class="type">2</span>.2.1, use <a
href="http://library.gnome.org/devel/gobject/unstable/gobject-The-Base-Object-Type.html#g-object-unref"
><code class="function">g_object_unref()</code></a> instead.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<div class="refsect2" title="lasso_login_dump ()">
<a name="lasso-login-dump"></a><h3>lasso_login_dump ()</h3>
<pre class="programlisting"><a
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a>* lasso_login_dump (LassoLogin *login);</pre>
Dumps the <em class="parameter"><code>login</code></em> content to an XML string. The dump reflects the profile's state, which once an assertion has been built or a response processed may include the assertion and session data; treat it as sensitive and do not log it or store it unprotected.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> the dump string. It must be freed by the caller. <a href="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?query=transfer"><span class="acronym">transfer</span></a> full. </td>
<div class="refsect2" title="lasso_login_get_assertion ()">
<a name="lasso-login-get-assertion"></a><h3>lasso_login_get_assertion ()</h3>
<pre class="programlisting">LassoNode * lasso_login_get_assertion (LassoLogin *login);</pre>
Returns the last built assertion.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span> object
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> a <span class="type">LassoNode</span> representing the built assertion (generally a <span class="type">LassoSamlAssertion</span> when
using ID-FF 1.2 or a <span class="type">LassoSaml2Assertion</span> when using SAML 2.0)
<div class="refsect2" title="lasso_login_init_authn_request ()">
<a name="lasso-login-init-authn-request"></a><h3>lasso_login_init_authn_request ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_init_authn_request (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *remote_providerID,
LassoHttpMethod http_method);</pre>
<p>Initializes a new AuthnRequest from current service provider to remote
identity provider specified in <em class="parameter"><code>remote_providerID</code></em> (if NULL the first known
identity provider is used).</p>
<p>For ID-FF 1.2 the default NameIDPolicy in an AuthnRequest is None, which implies that a
federation must already exist on the IdP side.</p>
<p>For SAML 2.0 the default NameIDPolicy is the first one listed in the metadata of the current
provider, or if none is specified, Transient, which asks the IdP for a one-time identifier that is not
meant to be reused across sessions (unlike a Persistent identifier, which establishes a durable federation,
see the LASSO_PROFILE_ERROR_FEDERATION_NOT_FOUND return of <code class="function">lasso_login_build_assertion()</code>)
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>remote_providerID:(allow-none)</code></em> :</span></p></td>
<td> the providerID of the identity provider (may be NULL)
<td><p><span class="term"><em class="parameter"><code>http_method</code></em> :</span></p></td>
<td> HTTP method to use for request transmission. <acronym title="Default parameter value (for in case the shadows-to function has less parameters)."><span class="acronym">default</span></acronym> LASSO_HTTP_METHOD_REDIRECT. </td>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or <div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,</p></li>
<li class="listitem"><p>LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if <em class="parameter"><code>remote_providerID</code></em> is NULL and no default remote
provider could be found from the server object -- usually the first one in the order of adding to
the server object --,</p></li>
<li class="listitem"><p>LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND if the <em class="parameter"><code>remote_providerID</code></em> is not known to our server object.</p></li>
<li class="listitem"><p>LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT
nor LASSO_HTTP_METHOD_POST,</p></li>
<li class="listitem"><p>LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED if creation of the request object failed.</p></li>
<div class="refsect2" title="lasso_login_init_idp_initiated_authn_request ()">
<a name="lasso-login-init-idp-initiated-authn-request"></a><h3>lasso_login_init_idp_initiated_authn_request ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_init_idp_initiated_authn_request
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *remote_providerID);</pre>
<p>Generates an authentication response without a matching authentication request
(IdP-initiated SSO). Because no request was received, the response cannot be tied to a request the
service provider issued, so the service provider has to be willing to accept such unsolicited responses;
only use this for a <em class="parameter"><code>remote_providerID</code></em> you intend to sign the user in to.</p>
<p>The choice of NameIDFormat is the same as for <code class="function">lasso_login_init_authn_request()</code> but with the
target <em class="parameter"><code>remote_providerID</code></em> as the current provider.</p>
<p>If <em class="parameter"><code>remote_providerID</code></em> is NULL, the first known provider is used; prefer passing it explicitly
so the response is not sent to whichever provider happens to have been registered first.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>.
<td><p><span class="term"><em class="parameter"><code>remote_providerID</code></em> :</span></p></td>
<td> the providerID of the remote service provider (may be NULL, in which case the first known provider is used)
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or a negative value otherwise. Error codes are the same as
<code class="function">lasso_login_init_authn_request()</code>.
<div class="refsect2" title="lasso_login_init_request ()">
<a name="lasso-login-init-request"></a><h3>lasso_login_init_request ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_init_request (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *response_msg,
LassoHttpMethod response_http_method);</pre>
Initializes an artifact request. It should only be used when you received an artifact message:
<em class="parameter"><code>response_msg</code></em> must be the content of the artifact form field for the POST artifact
binding, or the query string for the REDIRECT artifact binding. You must set the
<em class="parameter"><code>response_http_method</code></em> argument according to the way you actually received the artifact
message, since it determines how <em class="parameter"><code>response_msg</code></em> is parsed. This call only decodes the artifact
and maps it to a provider registered in the server object (see the return codes below); the actual response is
obtained by building and sending the resolve message with <code class="function">lasso_login_build_request_msg()</code>.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>response_msg</code></em> :</span></p></td>
<td> the artifact message received (the query string or the artifact form field, see above)
<td><p><span class="term"><em class="parameter"><code>response_http_method</code></em> :</span></p></td>
<td> the HTTP method through which the artifact message was received
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ if login is not a <span class="type">LassoLogin</span> object,
<li class="listitem"><p>
LASSO_PARAM_ERROR_INVALID_VALUE if <em class="parameter"><code>response_msg</code></em> is NULL,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_INVALID_HTTP_METHOD if the HTTP method is neither LASSO_HTTP_METHOD_REDIRECT
or LASSO_HTTP_METHOD_POST (in the ID-FF 1.2 case) or neither LASSO_HTTP_METHOD_ARTIFACT_GET or
LASSO_HTTP_METHOD_ARTIFACT_POST (in the SAML 2.0 case),
<li class="listitem"><p>
LASSO_PROFILE_ERROR_MISSING_ARTIFACT if no artifact field was found in the query string (only
possible for the LASSO_HTTP_METHOD_REDIRECT case),
<li class="listitem"><p>
LASSO_PROFILE_ERROR_INVALID_ARTIFACT if decoding of the artifact failed -- whether because
the base64 encoding is invalid or because the type code is wrong --,
<li class="listitem"><p>
LASSO_PROFILE_ERROR_MISSING_REMOTE_PROVIDERID if no provider ID could be found corresponding to
the hash contained in the artifact (i.e. the artifact does not designate a provider known to our server object).
<div class="refsect2" title="lasso_login_must_ask_for_consent ()">
<a name="lasso-login-must-ask-for-consent"></a><h3>lasso_login_must_ask_for_consent ()</h3>
<pre class="programlisting"><a
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
>gboolean</a> lasso_login_must_ask_for_consent (LassoLogin *login);</pre>
Evaluates whether the Principal's consent must be obtained before federating their identity with the remote provider.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> <code class="literal">TRUE</code> if consent must be asked
<div class="refsect2" title="lasso_login_must_authenticate ()">
<a name="lasso-login-must-authenticate"></a><h3>lasso_login_must_authenticate ()</h3>
<pre class="programlisting"><a
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
>gboolean</a> lasso_login_must_authenticate (LassoLogin *login);</pre>
Evaluates whether the user must be authenticated to answer the current request.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> <code class="literal">TRUE</code> if user must be authenticated
<div class="refsect2" title="lasso_login_process_authn_request_msg ()">
<a name="lasso-login-process-authn-request-msg"></a><h3>lasso_login_process_authn_request_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_process_authn_request_msg
const char *authn_request_msg);</pre>
Processes a received authentication request: parses it, looks up its issuer in the
<span class="type">LassoServer</span> object, verifies its signature, checks that the requested protocol profile is
supported, etc. Note that a missing signature is only an error when signing is required (by the
provider metadata or by <code class="function">lasso_profile_set_signature_verify_hint()</code>, see the return codes below);
an unsigned request is otherwise accepted, so require signatures wherever you rely on the request's content.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>authn_request_msg</code></em> :</span></p></td>
<td> the authentication request received
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
<span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_MISSING_REQUEST</span> if <em class="parameter"><code>authn_request_msg</code></em> is <span class="type">NULL</span> and no request has actually
been processed or initialized — see <code class="function">lasso_login_init_idp_initiated_authn_request()</code>,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_INVALID_MSG</span> if the content of <em class="parameter"><code>authn_request_msg</code></em> cannot be parsed as a
valid lib:AuthnRequest message for any supported binding (mainly HTTP-Redirect, HTTP-POST and
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_MISSING_ISSUER</span> if the parsed samlp2:AuthnRequest does not have a proper Issuer element,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_INVALID_REQUEST</span> if the parsed message does not validate as a valid
samlp2:AuthnRequest (SAMLv2) i.e. if there is no Issuer, or mutually exclusive attributes are
used (ProtocolBinding and AssertionConsumerServiceIndex),
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_INVALID_PROTOCOLPROFILE</span> if the protocolProfile (ID-FFv1.2) or the
protocolBinding (SAMLv2) is unsupported by Lasso,
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_UNSUPPORTED_PROFILE</span> if the protocolProfile (ID-FFv1.2) or the protocolBinding
(SAMLv2) for the AssertionConsumer is unsupported by this provider implementation as indicated by
<li class="listitem"><p>
<span class="type">LASSO_PROFILE_ERROR_UNKNOWN_PROVIDER</span>, or
<span class="type">LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND</span> if the metadata for the issuer of the request are absent
from the <span class="type">LassoServer</span> object of this profile,
<li class="listitem"><p>
<span class="type">LASSO_DS_ERROR_SIGNATURE_NOT_FOUND</span> if no signature could be found and signature validation is
forced — by the service provider metadata with the AuthnRequestsSigned attribute
(ID-FFv1.2 &amp; SAMLv2), the attribute WantAuthnRequestsSigned in the identity provider metadata file
(SAMLv2) or as advised by the <code class="function">lasso_profile_set_signature_verify_hint()</code> method,
<li class="listitem"><p>
<span class="type">LASSO_DS_ERROR_SIGNATURE_VERIFICATION_FAILED</span> if the signature validation failed on a present
<li class="listitem"><p>
<span class="type">LASSO_DS_ERROR_INVALID_SIGNATURE</span> if the signature was malformed and a signature was present,
<div class="refsect2" title="lasso_login_process_authn_response_msg ()">
<a name="lasso-login-process-authn-response-msg"></a><h3>lasso_login_process_authn_response_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_process_authn_response_msg
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *authn_response_msg);</pre>
Processes the received authentication response.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>authn_response_msg</code></em> :</span></p></td>
<td> the authentication response received
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or a negative value otherwise.
<div class="refsect2" title="lasso_login_process_paos_response_msg ()">
<a name="lasso-login-process-paos-response-msg"></a><h3>lasso_login_process_paos_response_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_process_paos_response_msg
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *msg);</pre>
<div class="refsect2" title="lasso_login_process_request_msg ()">
<a name="lasso-login-process-request-msg"></a><h3>lasso_login_process_request_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_process_request_msg (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *request_msg);</pre>
Processes the received artifact request.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>request_msg</code></em> :</span></p></td>
<td> the artifact request received
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or a negative value otherwise.
<div class="refsect2" title="lasso_login_process_response_msg ()">
<a name="lasso-login-process-response-msg"></a><h3>lasso_login_process_response_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_process_response_msg (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gchar"
>gchar</a> *response_msg);</pre>
Processes the received assertion response.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>response_msg</code></em> :</span></p></td>
<td> the assertion response received
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p><span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,</p></li>
<li class="listitem"><p><span class="type">LASSO_PARAM_ERROR_INVALID_VALUE</span> if response_msg is NULL,</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_INVALID_MSG</span> if the message is not a <span class="type">LassoSamlpResponse</span> (ID-FF 1.2) or a <span class="type">LassoSamlp2ResponseMsg</span> (SAML 2.0),</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_RESPONSE_DOES_NOT_MATCH_REQUEST</span> if the response does not refer to the request, or if the response refers to an unknown request and <code class="literal">strict-checking</code> is activated,</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_REQUEST_DENIED</span> if the identity provider
returned a failure status of "RequestDenied"</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND</span> if creation of a new
federation was not allowed and none existed,</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_UNKNOWN_PRINCIPAL</span> if authentication failed
and/or if the user cancelled the authentication,</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_STATUS_NOT_SUCCESS</span>, if the response status
is a failure but no more precise error code is available to report it; you must
look at the second level status in the response,</p></li>
<li class="listitem"><p><span class="type">LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND</span>, if the issuing
provider of the assertion is unknown,</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_INVALID_ISSUER</span> if the issuer of the
assertion received is not the expected one,</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_NAME_IDENTIFIER_NOT_FOUND</span> if no statement was found, or no statement contains a subject with a name identifier,</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_MISSING_STATUS_CODE</span> if the response is
missing a <code class="literal">StatusCode</code> element,</p></li>
<li class="listitem"><p><span class="type">LASSO_PROFILE_ERROR_MISSING_ASSERTION</span> if the message does
not contain any assertion.</p></li>
<div class="refsect2" title="lasso_login_validate_request_msg ()">
<a name="lasso-login-validate-request-msg"></a><h3>lasso_login_validate_request_msg ()</h3>
<pre class="programlisting">lasso_error_t lasso_login_validate_request_msg (LassoLogin *login,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
>gboolean</a> authentication_result,
href="http://library.gnome.org/devel/glib/unstable/glib-Basic-Types.html#gboolean"
>gboolean</a> is_consent_obtained);</pre>
Initializes a response to the authentication request received.</p>
<div class="variablelist"><table border="0">
<col align="left" valign="top">
<td><p><span class="term"><em class="parameter"><code>login</code></em> :</span></p></td>
<td> a <span class="type">LassoLogin</span>
<td><p><span class="term"><em class="parameter"><code>authentication_result</code></em> :</span></p></td>
<td> whether the user has authenticated successfully
<td><p><span class="term"><em class="parameter"><code>is_consent_obtained</code></em> :</span></p></td>
<td> whether user consent has been obtained
<td><p><span class="term"><span class="emphasis"><em>Returns</em></span> :</span></p></td>
<td> 0 on success; or <div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p><span class="type">LASSO_PARAM_ERROR_BAD_TYPE_OR_NULL_OBJ</span> if login is not a <span class="type">LassoLogin</span> object,</p></li>
<li class="listitem">
<p><span class="type">LASSO_LOGIN_ERROR_REQUEST_DENIED</span> if <em class="parameter"><code>authentication_result</code></em> is FALSE,</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_INVALID_SIGNATURE</span> if signature validation of the request
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_UNSIGNED_AUTHN_REQUEST</span> if no signature was present on the
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_FEDERATION_NOT_FOUND</span> if federation policy is
<span class="type">LASSO_LIB_NAMEID_POLICY_TYPE_NONE</span> and no federation was found in the <span class="type">LassoIdentity</span> object
(ID-FF 1.2 case)</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_INVALID_NAMEIDPOLICY</span> if request policy is not one of
<span class="type">LASSO_LIB_NAMEID_POLICY_TYPE_FEDERATED</span> or <span class="type">LASSO_LIB_NAMEID_POLICY_TYPE_ANY</span> (ID-FF 1.2 case) or if no NameID policy was defined or the AllowCreate request flag is FALSE (SAML 2.0 case),</p></li>
<li class="listitem"><p><span class="type">LASSO_LOGIN_ERROR_CONSENT_NOT_OBTAINED</span> if <em class="parameter"><code>is_consent_obtained</code></em> is FALSE and
consent was necessary (for example if the request does not communicate that consent was already
obtained from the user),</p></li>
<li class="listitem"><p><span class="type">LASSO_SERVER_ERROR_PROVIDER_NOT_FOUND</span> if the requesting provider is unknown,</p></li>
<div class="footer">
Generated by GTK-Doc V1.11</div>