From 3b079b3735ea98b3b36b22b0f0353cb56f023dad Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Sep 04 2015 16:40:43 +0000
Subject: saml_base must be a subpath of saml_auth in client installer

If the authenticated path doesn't reside under saml_base (which defaults to /) then mod_auth_mellon can't find the IdP.
https://fedorahosted.org/ipsilon/ticket/163
Signed-off-by: Rob Crittenden
Reviewd-by: Patrick Uiterwijk
---
diff --git a/ipsilon/install/ipsilon-client-install b/ipsilon/install/ipsilon-client-install
index d72d195..668cd58 100755
--- a/ipsilon/install/ipsilon-client-install
+++ b/ipsilon/install/ipsilon-client-install
@@ -419,6 +419,11 @@ def parse_args():
 if not args['saml_sp'].startswith(args['saml_base']):
 raise ValueError('--saml-sp must be a subpath of --saml-base.')
 
+ # The samle_auth setting must be a subpath of saml_base otherwise
+ # the IdP cannot be identified by mod_auth_mellon.
+ if not args['saml_auth'].startswith(args['saml_base']):
+ raise ValueError('--saml-auth must be a subpath of --saml-base.')
+
 # The saml_sp_logout, saml_sp_post and saml_sp_paos settings must
 # be subpaths of saml_sp (the mellon endpoint).
 path_args = {'saml_sp_logout': 'logout',
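Review bot: The added `startswith` test is a string-prefix comparison, not a path-segment comparison, so with `--saml-base /app` a value such as `--saml-auth /application/private` (constructed example) is accepted although it does not sit under the base, and the installer would presumably write the same unusable mod_auth_mellon configuration this check is meant to reject. Compare on a segment boundary instead, e.g. `base = args['saml_base'].rstrip('/') + '/'` followed by `if not (args['saml_auth'].rstrip('/') + '/').startswith(base):`. The existing `--saml-sp` check in the context lines just above uses the same prefix pattern and has the same gap. Neither value is normalised before the comparison, so `..` segments or doubled slashes are also accepted as typed. The new comment misspells the option as `samle_auth`, and parse_args() begins and ends outside this hunk, so any earlier normalisation of these arguments is not visible here.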