public static function createFromRequest(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $originalRequest, IdentityProvider $idpMetadata, EngineBlock_Corto_ProxyServer $server)
{
$nameIdPolicy = array('AllowCreate' => 'true');
/**
* Name policy is not required, so it is only set if configured, SAML 2.0 spec
* says only following values are allowed:
* - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
* - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
*
* Note: Some IDP's like those using ADFS2 do not understand those, for these cases the format can be 'configured as empty
* or set to an older version.
*/
if (!empty($idpMetadata->nameIdFormat)) {
$nameIdPolicy['Format'] = $idpMetadata->nameIdFormat;
}
/** @var SAML2_AuthnRequest $originalRequest */
$sspRequest = new SAML2_AuthnRequest();
$sspRequest->setId($server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_REQUEST));
$sspRequest->setIssueInstant(time());
$sspRequest->setDestination($idpMetadata->singleSignOnServices[0]->location);
$sspRequest->setForceAuthn($originalRequest->getForceAuthn());
$sspRequest->setIsPassive($originalRequest->getIsPassive());
$sspRequest->setAssertionConsumerServiceURL($server->getUrl('assertionConsumerService'));
$sspRequest->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
$sspRequest->setIssuer($server->getUrl('spMetadataService'));
$sspRequest->setNameIdPolicy($nameIdPolicy);
if (empty($idpMetadata->disableScoping)) {
// Copy over the Idps that are allowed to answer this request.
$sspRequest->setIDPList($originalRequest->getIDPList());
// Proxy Count
$sspRequest->setProxyCount($originalRequest->getProxyCount() ? $originalRequest->getProxyCount() : $server->getConfig('max_proxies', 10));
// Add the SP to the requesterIds
$requesterIds = $originalRequest->getRequesterID();
$requesterIds[] = $originalRequest->getIssuer();
// Add the SP as the requester
$sspRequest->setRequesterID($requesterIds);
}
// Use the default binding even if more exist
$request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($sspRequest);
$request->setDeliverByBinding($idpMetadata->singleSignOnServices[0]->binding);
return $request;
}
/**
* Build an authentication request based on information in the metadata.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
*/
public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
{
$ar = new SAML2_AuthnRequest();
if ($spMetadata->hasValue('NameIDPolicy')) {
$nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL);
} else {
$nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
}
if ($nameIdPolicy !== NULL) {
$ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE));
}
$ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
$ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
$protbind = $spMetadata->getValueValidate('ProtocolBinding', array(SAML2_Const::BINDING_HTTP_POST, SAML2_Const::BINDING_HOK_SSO, SAML2_Const::BINDING_HTTP_ARTIFACT, SAML2_Const::BINDING_HTTP_REDIRECT), SAML2_Const::BINDING_HTTP_POST);
/* Shoaib - setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST */
$ar->setProtocolBinding($protbind);
$ar->setIssuer($spMetadata->getString('entityid'));
$ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', NULL));
$ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', NULL));
if ($spMetadata->hasValue('AuthnContextClassRef')) {
$accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
}
self::addRedirectSign($spMetadata, $idpMetadata, $ar);
return $ar;
}
/**
* Build an authentication request based on information in the metadata.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
*/
public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
{
$ar = new SAML2_AuthnRequest();
if ($spMetadata->hasValue('NameIDPolicy')) {
$nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL);
} else {
$nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT);
}
if ($nameIdPolicy !== NULL) {
$ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE));
}
$ar->setIssuer($spMetadata->getString('entityid'));
$ar->setDestination($idpMetadata->getString('SingleSignOnService'));
$ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
$ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
if ($spMetadata->hasValue('AuthnContextClassRef')) {
$accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
}
self::addRedirectSign($spMetadata, $idpMetadata, $ar);
return $ar;
}
/**
* Build an authentication request based on information in the metadata.
*
* @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
* @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
*/
public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
{
$ar = new SAML2_AuthnRequest();
// get the NameIDPolicy to apply. IdP metadata has precedence.
$nameIdPolicy = array();
if ($idpMetadata->hasValue('NameIDPolicy')) {
$nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
} elseif ($spMetadata->hasValue('NameIDPolicy')) {
$nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
}
if (!is_array($nameIdPolicy)) {
// handle old configurations where 'NameIDPolicy' was used to specify just the format
$nameIdPolicy = array('Format' => $nameIdPolicy);
}
$nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
$policy = array('Format' => $nameIdPolicy_cf->getString('Format', SAML2_Const::NAMEID_TRANSIENT), 'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true));
$spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
if ($spNameQualifier !== false) {
$policy['SPNameQualifier'] = $spNameQualifier;
}
$ar->setNameIdPolicy($policy);
$ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE));
$ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE));
$protbind = $spMetadata->getValueValidate('ProtocolBinding', array(SAML2_Const::BINDING_HTTP_POST, SAML2_Const::BINDING_HOK_SSO, SAML2_Const::BINDING_HTTP_ARTIFACT, SAML2_Const::BINDING_HTTP_REDIRECT), SAML2_Const::BINDING_HTTP_POST);
/* Shoaib - setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST */
$ar->setProtocolBinding($protbind);
$ar->setIssuer($spMetadata->getString('entityid'));
$ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', NULL));
$ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', NULL));
if ($spMetadata->hasValue('AuthnContextClassRef')) {
$accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
}
self::addRedirectSign($spMetadata, $idpMetadata, $ar);
return $ar;
}
