Beispiel #1
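 /**
  * Checks that this Service Provider's entity ID is one of the assertion's
  * intended audiences (Conditions/AudienceRestriction/Audience) and records
  * an error on $result when it is not.
  *
  * An assertion that carries no AudienceRestriction at all
  * (getValidAudiences() returns NULL) passes this check silently: it was
  * not restricted to any audience. NOTE(review): confirm that accepting
  * unrestricted assertions is the intended policy for this deployment —
  * the check adds no error in that case.
  *
  * An empty audience list (an AudienceRestriction with no Audience the SP
  * can match) is reported as an error like any other mismatch.
  *
  * @param SAML2_Assertion                   $assertion assertion under validation
  * @param SAML2_Assertion_Validation_Result $result    collects validation errors
  */
 public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
 {
     $intendedAudiences = $assertion->getValidAudiences();
     if ($intendedAudiences === NULL) {
         return;
     }
     $entityId = $this->serviceProvider->getEntityId();
     // Strict comparison: entity IDs are opaque strings, and a loose
     // in_array() would treat numeric-looking strings such as "1e3" and
     // "1000" as equal, letting an unrelated audience match this SP.
     if (!in_array($entityId, $intendedAudiences, true)) {
         $result->addError(sprintf('The configured Service Provider [%s] is not a valid audience for the assertion. Audiences: [%s]', $entityId, implode('], [', $intendedAudiences)));
     }
 }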
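 /**
  * Validates a SAML token and returns the claims it carries.
  *
  * What this method does, in order: parses the token, checks the thumbprint
  * of the first certificate embedded in the assertion, then — each only when
  * the corresponding flag on this object is set — checks the issuer, and the
  * audiences together with the NotBefore/NotOnOrAfter conditions.
  *
  * NOTE(review): only the certificate thumbprint is checked here; verifying
  * the XML signature over the assertion is not visible in this method and is
  * presumably done by parseToken() or validateCertificateThumbprint() —
  * confirm, because a matching thumbprint alone does not prove the assertion
  * contents were signed by that certificate.
  * NOTE(review): NotBefore/NotOnOrAfter are only handed to
  * validateAudiences(); when $this->validateAudiences is false the
  * assertion's validity window is not checked by this method at all.
  * NOTE(review): only $certificates[0] is checked; any further certificates
  * returned by getCertificates() are ignored here.
  *
  * @param mixed $token raw token, in whatever form parseToken() accepts
  * @return mixed the claims extracted by getClaims()
  * @throws \RuntimeException when the assertion carries no certificate to
  *                           check the thumbprint against
  */
 public function validate($token)
 {
     $data = $this->parseToken($token);
     $assertion = new SAML2_Assertion($data['Assertion']);

     // validate thumbprint
     $certificates = $assertion->getCertificates();
     // An assertion without an embedded certificate must be rejected
     // explicitly: indexing [0] on an empty array would otherwise hand NULL
     // to the thumbprint check. NOTE(review): align the exception type with
     // what the rest of this class throws for validation failures.
     if (!isset($certificates[0])) {
         throw new \RuntimeException('The assertion does not carry a certificate to validate the thumbprint against');
     }
     $this->validateCertificateThumbprint($certificates[0]);

     // validate issuer (optional, controlled by $this->validateIssuer)
     if ($this->validateIssuer) {
         $this->validateIssuer($assertion->getIssuer());
     }

     // validate audiences and validity window (optional, controlled by
     // $this->validateAudiences)
     if ($this->validateAudiences) {
         $this->validateAudiences($assertion->getValidAudiences(), $assertion->getNotBefore(), $assertion->getNotOnOrAfter());
     }

     return $this->getClaims($data);
 }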
    /**
     * Unmarshalling an Assertion from XML exposes its AudienceRestriction
     * audiences and the AuthenticatingAuthority entries of its AuthnContext
     * as plain lists, in document order.
     *
     * The fixture carries no Signature element, so this only exercises
     * parsing — nothing about signature verification is covered here.
     */
    public function testUnmarshalling()
    {
        $xml = <<<'XML'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_593e33ddf86449ce4d4c22b60ac48e067d98a0b2bf"
                Version="2.0"
                IssueInstant="2010-03-05T13:34:28Z"
>
  <saml:Issuer>testIssuer</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>audience1</saml:Audience>
      <saml:Audience>audience2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-03-05T13:34:28Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>someAuthnContext</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>someIdP1</saml:AuthenticatingAuthority>
      <saml:AuthenticatingAuthority>someIdP2</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
XML;

        $dom = new \DOMDocument();
        $dom->loadXML($xml);
        $assertion = new \SAML2_Assertion($dom->firstChild);

        // Both <saml:Audience> values come back, in the order written
        $audiences = $assertion->getValidAudiences();
        $this->assertCount(2, $audiences);
        $this->assertEquals('audience1', $audiences[0]);
        $this->assertEquals('audience2', $audiences[1]);

        // Likewise for the <saml:AuthenticatingAuthority> values
        $authorities = $assertion->getAuthenticatingAuthority();
        $this->assertCount(2, $authorities);
        $this->assertEquals('someIdP1', $authorities[0]);
        $this->assertEquals('someIdP2', $authorities[1]);
    }