This class builds SAML 2.0 metadata for an entity from the metadata stored for that entity.
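 /**
  * Build the SAML 2.0 IdP metadata (EntityDescriptor XML) for the fedlab
  * test IdP, whose endpoints all live under module.php/fedlab/.
  *
  * @return string The EntityDescriptor as an XML string.
  */
 public function getMetadata()
 {
     $baseUrl = SimpleSAML_Utilities::getBaseURL();
     $idpentityid = $baseUrl . 'module.php/fedlab/metadata.php';
     $metaArray = [
         'metadata-set'        => 'saml20-idp-remote',
         'entityid'            => $idpentityid,
         'SingleSignOnService' => $baseUrl . 'module.php/fedlab/SingleSignOnService.php',
         'SingleLogoutService' => $baseUrl . 'module.php/fedlab/SingleLogoutService.php',
         'certificate'         => 'server.crt',
     ];

     // The result is not needed here; the call is kept for its side effect.
     // NOTE(review): with the second argument true this presumably fails loudly
     // when 'server.crt' cannot be loaded -- confirm against loadPublicKey().
     SimpleSAML_Utilities::loadPublicKey(SimpleSAML_Configuration::loadFromArray($metaArray), true);

     $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
     $metaBuilder->addMetadataIdP20($metaArray);
     $metaBuilder->addOrganizationInfo($metaArray);
     $metaBuilder->addContact('technical', [
         'emailAddress' => $this->config->getString('technicalcontact_email', null),
         'name'         => $this->config->getString('technicalcontact_name', null),
     ]);

     return $metaBuilder->getEntityDescriptorText();
 }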
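 /**
  * Build the aggregated EntitiesDescriptor document for this aggregator.
  *
  * Each entity known to the configured sources becomes one EntityDescriptor
  * child. When every metadata set of an entity carries the same cached
  * 'entityDescriptor' (base64-encoded XML) and reconstruction is not
  * requested, that cached element is reused verbatim; otherwise the
  * descriptor is rebuilt from the metadata arrays with SAMLBuilder.
  *
  * @return DOMDocument The EntitiesDescriptor document, signed when enabled.
  * @throws SimpleSAML_Error_Exception If a cached EntityDescriptor cannot be parsed.
  */
 public function getMetadataDocument()
 {
     // Get metadata entries
     $entities = $this->getSources();

     // Generate XML Document
     $xml = new DOMDocument();
     $entitiesDescriptor = $xml->createElementNS('urn:oasis:names:tc:SAML:2.0:metadata', 'EntitiesDescriptor');
     $entitiesDescriptor->setAttribute('Name', $this->id);
     $xml->appendChild($entitiesDescriptor);

     $maxDuration = $this->getMaxDuration();
     $reconstruct = $this->getReconstruct();

     /* Build EntityDescriptor elements for them. */
     foreach ($entities as $entity => $sets) {
         // null: nothing seen yet; string: the shared cached descriptor;
         // false: the sets disagree or one of them has no cached descriptor.
         $entityDescriptor = null;
         foreach ($sets as $set => $metadata) {
             if (!array_key_exists('entityDescriptor', $metadata)) {
                 /* One of the sets doesn't contain an EntityDescriptor element. */
                 $entityDescriptor = false;
                 break;
             }
             // Strict check: with == an empty-string descriptor compares equal
             // to null and would be silently replaced by the next set's.
             if ($entityDescriptor === null) {
                 /* First EntityDescriptor elements. */
                 $entityDescriptor = $metadata['entityDescriptor'];
                 continue;
             }
             assert(is_string($entityDescriptor));
             if ($entityDescriptor !== $metadata['entityDescriptor']) {
                 /* Entity contains multiple different EntityDescriptor elements. */
                 $entityDescriptor = false;
                 break;
             }
         }

         if (is_string($entityDescriptor) && !$reconstruct) {
             /* All metadata sets for the entity contain the same entity descriptor. Use that one. */
             $tmp = new DOMDocument();
             // LIBXML_NONET: re-parsing cached XML must never trigger network
             // fetches (external DTDs/entities). Without the check a parse
             // failure leaves documentElement null and importNode() fails later.
             if (!$tmp->loadXML(base64_decode($entityDescriptor), LIBXML_NONET) || $tmp->documentElement === null) {
                 throw new SimpleSAML_Error_Exception('Unable to parse cached EntityDescriptor for entity ' . var_export($entity, true));
             }
             $entityDescriptor = $tmp->documentElement;
         } else {
             $tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
             $orgmeta = null;
             foreach ($sets as $set => $metadata) {
                 $tmp->addMetadata($set, $metadata);
                 $orgmeta = $metadata;
             }
             // Organization info is taken from the last set that was added.
             $tmp->addOrganizationInfo($orgmeta);
             $entityDescriptor = $tmp->getEntityDescriptor();
         }

         $entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, true));
     }

     /* Sign the metadata if enabled. */
     if ($this->shouldSign()) {
         $signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
         $signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
     }

     return $xml;
 }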
// SAML 1.1 SP role: the ACS endpoint, plus the artifact ACS when that binding is enabled.
$saml1AcsPath = 'saml/sp/saml1-acs.php/' . $sourceId;
$metaArray11 = ['AssertionConsumerService' => SimpleSAML_Module::getModuleURL($saml1AcsPath)];

$spconfig = $source->getMetadata();
if ($spconfig->getBoolean('saml11.binding.artifact.enable', false)) {
    $metaArray11['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL($saml1AcsPath . '/artifact');
}

// SAML 2.0 SP role: ACS and SLO endpoints; the artifact ACS shares the ACS URL.
$saml2AcsPath = 'saml/sp/saml2-acs.php/' . $sourceId;
$metaArray20 = [
    'AssertionConsumerService' => SimpleSAML_Module::getModuleURL($saml2AcsPath),
    'SingleLogoutService'      => SimpleSAML_Module::getModuleURL('saml/sp/saml2-logout.php/' . $sourceId),
];
if ($spconfig->getBoolean('saml20.binding.artifact.enable', false)) {
    $metaArray20['AssertionConsumerService.artifact'] = SimpleSAML_Module::getModuleURL($saml2AcsPath);
}

// Publish the SP certificate in both roles when one is configured.
$certInfo = SimpleSAML_Utilities::loadPublicKey($spconfig->toArray());
if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
    $certData = $certInfo['certData'];
    $metaArray11['certData'] = $certData;
    $metaArray20['certData'] = $certData;
}

$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($entityId);
$metaBuilder->addMetadataSP11($metaArray11);
$metaBuilder->addMetadataSP20($metaArray20);

$config = SimpleSAML_Configuration::getInstance();
$metaBuilder->addContact('technical', [
    'emailAddress' => $config->getString('technicalcontact_email', null),
    'name'         => $config->getString('technicalcontact_name', null),
]);

$xml = $metaBuilder->getEntityDescriptorText();
if (array_key_exists('output', $_REQUEST) && $_REQUEST['output'] == 'xhtml') {
    $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
    $t->data['header'] = 'saml20-sp';
    $t->data['metadata'] = htmlspecialchars($xml);
    $t->data['metadataflat'] = '$metadata[' . var_export($entityId, TRUE) . '] = ' . var_export($metaArray20, TRUE) . ';';
    $t->data['metaurl'] = $source->getMetadataURL();
    $t->data['idpsend'] = array();
    $t->data['sentok'] = FALSE;
    $t->data['adminok'] = FALSE;
    $t->data['adminlogin'] = NULL;
     $metaArray['scope'] = $idpmeta->getArray('scope');
 }
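 // Optional IdP extensions, copied verbatim from the IdP configuration when present.
 foreach (['EntityAttributes', 'UIInfo', 'DiscoHints', 'RegistrationInfo'] as $extensionKey) {
     if ($idpmeta->hasValue($extensionKey)) {
         $metaArray[$extensionKey] = $idpmeta->getArray($extensionKey);
     }
 }

 // PHP-array form of the same metadata, for the admin page.
 $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';';

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addSecurityTokenServiceType($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);

 // Publish the technical contact only when a real address is configured;
 // the placeholder address is skipped.
 $technicalContactEmail = $config->getString('technicalcontact_email', null);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $metaBuilder->addContact('technical', \SimpleSAML\Utils\Config\Metadata::getContact([
         'emailAddress' => $technicalContactEmail,
         'name'         => $config->getString('technicalcontact_name', null),
         'contactType'  => 'technical',
     ]));
 }

 // 'output' is request-controlled: compare strictly, only the exact string
 // 'xhtml' selects the HTML view.
 $output_xhtml = array_key_exists('output', $_GET) && $_GET['output'] === 'xhtml';
 // NOTE(review): the argument presumably asks for pretty-printed XML -- confirm against getEntityDescriptorText()
 $metaxml = $metaBuilder->getEntityDescriptorText($output_xhtml);
 if (!$output_xhtml) {
     // single-line XML for the raw download
     $metaxml = str_replace("\n", '', $metaxml);
 }

 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');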
 if ($output_xhtml) {
     $defaultidp = $config->getString('default-adfs-idp', null);
 // A single key is published as certData; otherwise the whole list goes into 'keys'.
 if (count($keys) === 1) {
     $metaArray['certData'] = $keys[0]['X509Certificate'];
 } else {
     $metaArray['keys'] = $keys;
 }

 $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:mace:shibboleth:1.0:nameIdentifier');

 if ($idpmeta->hasValue('OrganizationName')) {
     $organizationName = $idpmeta->getLocalizedString('OrganizationName');
     $metaArray['OrganizationName'] = $organizationName;
     $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $organizationName);
     // OrganizationURL is mandatory once an organization is named.
     if (!$idpmeta->hasValue('OrganizationURL')) {
         throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
     }
     $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
 }

 // PHP-array form of the metadata for the admin page.
 $metaflat = sprintf('$metadata[%s] = %s;', var_export($idpentityid, true), var_export($metaArray, true));

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addMetadataIdP11($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);
 $technicalContact = \SimpleSAML\Utils\Config\Metadata::getContact([
     'emailAddress' => $config->getString('technicalcontact_email', null),
     'name'         => $config->getString('technicalcontact_name', null),
     'contactType'  => 'technical',
 ]);
 $metaBuilder->addContact('technical', $technicalContact);
 $metaxml = $metaBuilder->getEntityDescriptorText();

 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'Shib 1.3 IdP');
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultidp = $config->getString('default-shib13-idp', null);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['clipboard.js'] = true;
     $t->data['header'] = 'shib13-idp';
     $t->data['metaurl'] = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery(), array('output' => 'xml'));
     $t->data['metadata'] = htmlspecialchars($metaxml);
     $t->data['metadataflat'] = htmlspecialchars($metaflat);
     $t->data['defaultidp'] = $defaultidp;
// add additional contacts
$contacts = $spconfig->getArray('contacts', []);

// add certificate: one key is published as certData, several as a 'keys' list
$keyCount = count($keys);
if ($keyCount === 1) {
    $metaArray20['certData'] = $keys[0]['X509Certificate'];
} elseif ($keyCount > 1) {
    $metaArray20['keys'] = $keys;
}

// add UIInfo extension
if ($spconfig->hasValue('UIInfo')) {
    $metaArray20['UIInfo'] = $spconfig->getArray('UIInfo');
}

$supported_protocols = ['urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP];
$metaArray20['metadata-set'] = 'saml20-sp-remote';
$metaArray20['entityid'] = $entityId;

$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($entityId);
$metaBuilder->addMetadataSP20($metaArray20, $supported_protocols);
$metaBuilder->addOrganizationInfo($metaArray20);
if (!empty($contact)) {
    $metaBuilder->addContact('technical', $contact);
}
foreach ($contacts as $additionalContact) {
    $metaBuilder->addContact($additionalContact['contactType'], $additionalContact);
}
$xml = $metaBuilder->getEntityDescriptorText();

// Drop the keys that only the XML builder needed.
foreach (['attributes.required', 'UIInfo', 'metadata-set', 'entityid'] as $builderOnlyKey) {
    unset($metaArray20[$builderOnlyKey]);
}

/* Sign the metadata if enabled. */
$xml = SimpleSAML_Metadata_Signer::sign($xml, $spconfig->toArray(), 'SAML 2 SP');
     $metaArray['redirect.sign'] = $idpmeta->getBoolean('redirect.validate');
 }
 // Contacts from the IdP configuration, normalised through getContact().
 if ($idpmeta->hasValue('contacts')) {
     $contacts = $idpmeta->getArray('contacts');
     foreach ($contacts as $contact) {
         $metaArray['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
     }
 }

 // The global technical contact is appended too, unless it is unset or the placeholder address.
 $technicalContactEmail = $config->getString('technicalcontact_email', false);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $techcontact = [
         'emailAddress' => $technicalContactEmail,
         'name'         => $config->getString('technicalcontact_name', null),
         'contactType'  => 'technical',
     ];
     $metaArray['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($techcontact);
 }

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addMetadataIdP20($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);
 $metaxml = $metaBuilder->getEntityDescriptorText();
 // PHP-array form of the metadata for the admin page.
 $metaflat = sprintf('$metadata[%s] = %s;', var_export($idpentityid, true), var_export($metaArray, true));

 // sign the metadata if enabled
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultidp = $config->getString('default-saml20-idp', null);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['clipboard.js'] = true;
     $t->data['available_certs'] = $availableCerts;
     $t->data['header'] = 'saml20-idp';
     $t->data['metaurl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
     $t->data['metadata'] = htmlspecialchars($metaxml);
     $t->data['metadataflat'] = htmlspecialchars($metaflat);
     $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
 }
 // Optional IdP extensions, taken verbatim from the configuration when set.
 foreach (['scope', 'EntityAttributes', 'UIInfo', 'DiscoHints'] as $extensionKey) {
     if ($idpmeta->hasValue($extensionKey)) {
         $metaArray[$extensionKey] = $idpmeta->getArray($extensionKey);
     }
 }

 // PHP-array form of the metadata for the admin page.
 $metaflat = sprintf('$metadata[%s] = %s;', var_export($idpentityid, true), var_export($metaArray, true));

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addMetadataIdP20($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);

 // Publish the technical contact only when a real address is configured;
 // the placeholder address is skipped.
 $technicalContactEmail = $config->getString('technicalcontact_email', null);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $metaBuilder->addContact('technical', [
         'emailAddress' => $technicalContactEmail,
         'name'         => $config->getString('technicalcontact_name', null),
     ]);
 }
 $metaxml = $metaBuilder->getEntityDescriptorText();

 /* Sign the metadata if enabled. */
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP');
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultidp = $config->getString('default-saml20-idp', NULL);
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['available_certs'] = $availableCerts;
     $t->data['header'] = 'saml20-idp';
     $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
if ($spconfig->hasValue('RegistrationInfo')) {
    $metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
}

// add signature options (this SP's 'sign' settings become the remote side's 'validate' keys)
if ($spconfig->hasValue('WantAssertionsSigned')) {
    $metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
}
if ($spconfig->hasValue('redirect.sign')) {
    $metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
} elseif ($spconfig->hasValue('sign.authnrequest')) {
    $metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
}

$supported_protocols = ['urn:oasis:names:tc:SAML:1.1:protocol', SAML2_Const::NS_SAMLP];
$metaArray20['metadata-set'] = 'saml20-sp-remote';
$metaArray20['entityid'] = $entityId;

$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($entityId);
$metaBuilder->addMetadataSP20($metaArray20, $supported_protocols);
$metaBuilder->addOrganizationInfo($metaArray20);
$xml = $metaBuilder->getEntityDescriptorText();

// Remove the keys that only the XML builder needed.
foreach (['UIInfo', 'metadata-set', 'entityid'] as $builderOnlyKey) {
    unset($metaArray20[$builderOnlyKey]);
}

// sanitize the attributes array to remove friendly names
if (isset($metaArray20['attributes']) && is_array($metaArray20['attributes'])) {
    $metaArray20['attributes'] = array_values($metaArray20['attributes']);
}

/* Sign the metadata if enabled. */
$xml = SimpleSAML_Metadata_Signer::sign($xml, $spconfig->toArray(), 'SAML 2 SP');
if (array_key_exists('output', $_REQUEST) && $_REQUEST['output'] == 'xhtml') {
    $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
    $t->data['header'] = 'saml20-sp';
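 /**
  * Test that requested attributes are emitted correctly.
  *
  * For each of the saml20-sp-remote and shib13-sp-remote sets, a plain list
  * of attribute names must yield RequestedAttribute elements carrying only a
  * Name, while a map of friendly name => attribute name must also carry the
  * map key as FriendlyName.
  */
 public function testAttributes()
 {
     $entityId = 'https://entity.example.com/id';

     $attributeNames = [
         'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
         'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
         'urn:oid:0.9.2342.19200300.100.1.3',
         'urn:oid:2.5.4.3',
     ];
     $attributesWithFriendlyNames = [
         'eduPersonTargetedID'    => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
         'eduPersonPrincipalName' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
         'eduPersonOrgDN'         => 'urn:oid:0.9.2342.19200300.100.1.3',
         'cn'                     => 'urn:oid:2.5.4.3',
     ];

     foreach (['saml20-sp-remote', 'shib13-sp-remote'] as $set) {
         // plain list: no friendly names expected
         $this->assertRequestedAttributes($entityId, $set, $attributeNames, false);
         // friendly name => name map: FriendlyName must be present
         $this->assertRequestedAttributes($entityId, $set, $attributesWithFriendlyNames, true);
     }
 }

 /**
  * Build SP metadata for $set with the given 'attributes' value and check the
  * resulting AttributeConsumingService/RequestedAttribute elements.
  *
  * @param string $entityId            Entity ID of the SP under test.
  * @param string $set                 Metadata set name.
  * @param array  $attributes          Value for the 'attributes' metadata key.
  * @param bool   $expectFriendlyNames Whether the array keys are friendly names
  *                                    that must appear as FriendlyName.
  */
 private function assertRequestedAttributes($entityId, $set, array $attributes, $expectFriendlyNames)
 {
     $metadata = [
         'entityid'     => $entityId,
         'name'         => ['en' => 'Test SP'],
         'metadata-set' => $set,
         'attributes'   => $attributes,
     ];
     $samlBuilder = new SimpleSAML_Metadata_SAMLBuilder($entityId);
     $samlBuilder->addMetadata($set, $metadata);
     $spDesc = $samlBuilder->getEntityDescriptor();

     $acs = $spDesc->getElementsByTagName("AttributeConsumingService");
     $this->assertEquals(1, $acs->length);
     $requested = $acs->item(0)->getElementsByTagName("RequestedAttribute");
     $this->assertEquals(count($attributes), $requested->length);

     // Element order must follow array order; for a map the keys are the friendly names.
     $keys = array_keys($attributes);
     for ($c = 0; $c < $requested->length; $c++) {
         $curAttribute = $requested->item($c);
         $this->assertTrue($curAttribute->hasAttribute("Name"));
         $this->assertEquals($attributes[$keys[$c]], $curAttribute->getAttribute("Name"));
         if ($expectFriendlyNames) {
             $this->assertTrue($curAttribute->hasAttribute("FriendlyName"));
             $this->assertEquals($keys[$c], $curAttribute->getAttribute("FriendlyName"));
         } else {
             $this->assertFalse($curAttribute->hasAttribute("FriendlyName"));
         }
     }
 }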
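 /**
  * Build the aggregated EntitiesDescriptor for this aggregator.
  *
  * Every entity from the configured sources becomes one EntityDescriptor
  * child. When all metadata sets of an entity carry the same cached
  * 'entityDescriptor' (base64-encoded XML) and reconstruction is not
  * requested, the cached element is reused; otherwise the descriptor is
  * rebuilt from the metadata arrays with SAMLBuilder. A RegistrationInfo
  * extension is added from the aggregator configuration when present and
  * the document is signed when signing is enabled.
  *
  * @return DOMDocument The serialised EntitiesDescriptor.
  * @throws SimpleSAML_Error_Exception If a cached EntityDescriptor cannot be parsed.
  */
 public function getMetadataDocument()
 {
     // Get metadata entries
     $entities = $this->getSources();
     $maxDuration = $this->getMaxDuration();
     $reconstruct = $this->getReconstruct();

     $entitiesDescriptor = new SAML2_XML_md_EntitiesDescriptor();
     $entitiesDescriptor->Name = $this->id;
     $entitiesDescriptor->validUntil = time() + $maxDuration;

     // add RegistrationInfo extension if enabled
     if ($this->gConfig->hasValue('RegistrationInfo')) {
         $ri = new SAML2_XML_mdrpi_RegistrationInfo();
         foreach ($this->gConfig->getArray('RegistrationInfo') as $riName => $riValues) {
             switch ($riName) {
                 case 'authority':
                     $ri->registrationAuthority = $riValues;
                     break;
                 case 'instant':
                     $ri->registrationInstant = SAML2_Utils::xsDateTimeToTimestamp($riValues);
                     break;
                 case 'policies':
                     $ri->RegistrationPolicy = $riValues;
                     break;
                 // any other key is silently ignored
             }
         }
         $entitiesDescriptor->Extensions[] = $ri;
     }

     /* Build EntityDescriptor elements for them. */
     foreach ($entities as $entity => $sets) {
         // null: nothing seen yet; string: the shared cached descriptor;
         // false: the sets disagree or one of them has no cached descriptor.
         $entityDescriptor = null;
         foreach ($sets as $set => $metadata) {
             if (!array_key_exists('entityDescriptor', $metadata)) {
                 /* One of the sets doesn't contain an EntityDescriptor element. */
                 $entityDescriptor = false;
                 break;
             }
             // Strict check: with == an empty-string descriptor compares equal
             // to null and would be silently replaced by the next set's.
             if ($entityDescriptor === null) {
                 /* First EntityDescriptor elements. */
                 $entityDescriptor = $metadata['entityDescriptor'];
                 continue;
             }
             assert(is_string($entityDescriptor));
             if ($entityDescriptor !== $metadata['entityDescriptor']) {
                 /* Entity contains multiple different EntityDescriptor elements. */
                 $entityDescriptor = false;
                 break;
             }
         }

         if (is_string($entityDescriptor) && !$reconstruct) {
             /* All metadata sets for the entity contain the same entity descriptor. Use that one. */
             $tmp = new DOMDocument();
             // LIBXML_NONET: re-parsing cached XML must never trigger network
             // fetches (external DTDs/entities). Without the check a parse
             // failure leaves documentElement null and fails later obscurely.
             if (!$tmp->loadXML(base64_decode($entityDescriptor), LIBXML_NONET) || $tmp->documentElement === null) {
                 throw new SimpleSAML_Error_Exception('Unable to parse cached EntityDescriptor for entity ' . var_export($entity, true));
             }
             $entitiesDescriptor->children[] = new SAML2_XML_md_EntityDescriptor($tmp->documentElement);
         } else {
             $tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
             $orgmeta = null;
             foreach ($sets as $set => $metadata) {
                 $tmp->addMetadata($set, $metadata);
                 $orgmeta = $metadata;
             }
             // Organization info comes from the last set that was added.
             $tmp->addOrganizationInfo($orgmeta);
             $entitiesDescriptor->children[] = $tmp->getEntityDescriptor();
         }
     }

     $document = $entitiesDescriptor->toXML();

     // sign the metadata if enabled
     if ($this->shouldSign()) {
         $signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
         $signer->sign($document, $document, $document->firstChild);
     }

     return $document;
 }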
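 /**
  * Load entity $eid at revision $revision and render its metadata.
  *
  * Metadata fields that are undefined for the entity type, empty, or set to a
  * disallowed default are dropped; if any required field is then missing the
  * missing names are stored in self::$_error and false is returned. Allowed /
  * blocked entities and disabled consent are appended to the flat-file form.
  *
  * @param string     $eid      Entity id (digits only).
  * @param string     $revision Revision id (digits only).
  * @param mixed      $type     One of self::XML, self::XMLREADABLE,
  *                             self::PHPARRAY, self::FLATFILE (default: flat file).
  * @param array|null $option   Optional 'maxCache' and 'maxDuration' for SAMLBuilder.
  *
  * @return mixed The metadata in the requested form (DOMElement, XML string,
  *               array or flat-file PHP source), or false on error (see self::$_error).
  */
 private static function getMetadata($eid, $revision, $type = null, array $option = null)
 {
     // assert() is no substitute for input validation: it is a no-op when
     // zend.assertions is disabled. Callers must pass already-validated ids.
     assert(ctype_digit($eid));
     assert(ctype_digit($revision));

     $janus_config = sspmod_janus_DiContainer::getInstance()->getConfig();
     $entityController = sspmod_janus_DiContainer::getInstance()->getEntityController();

     if (!($entity = $entityController->setEntity($eid, $revision))) {
         self::$_error = ['Entity could not be loaded - Eid: ' . $eid . ' Revisionid: ' . $revision];
         return false;
     }

     $metadata_raw = $entityController->getMetadata();

     // Get metadata fields
     $nm_mb = new sspmod_janus_MetadataFieldBuilder($janus_config->getArray('metadatafields.' . $entity->getType()));
     $metadatafields_required = $nm_mb->getMetadataFields();

     // Get required metadata fields
     $required = [];
     foreach ($metadatafields_required as $mf) {
         if (isset($mf->required) && $mf->required === true) {
             $required[] = $mf->name;
         }
     }

     // Get metadata to be tested
     $metadata = [];
     foreach ($metadata_raw as $k => $v) {
         $fieldKey = $v->getKey();
         // Metadata field not defined
         if (!isset($metadatafields_required[$fieldKey])) {
             continue;
         }
         // Value not set for metadata
         if (is_string($v->getValue()) && $v->getValue() == '') {
             continue;
         }
         $field = $metadatafields_required[$fieldKey];
         // Compute whether the default value is allowed
         $default_allow = false;
         if (isset($field->default_allow) && is_bool($field->default_allow)) {
             $default_allow = $field->default_allow;
         }
         /*
          * Do not include metadata if value is set to default and default
          * is not allowed.
          */
         if (!$default_allow && (isset($field->default) && $v->getValue() == $field->default)) {
             continue;
         }
         $metadata[] = $fieldKey;
     }

     // Compute missing metadata that is required
     $missing_required = array_diff($required, $metadata);
     $entityId = $entity->getEntityid();
     if (!empty($missing_required)) {
         SimpleSAML_Logger::error('JANUS - Missing required metadata fields. Entity_id:' . $entityId);
         self::$_error = $missing_required;
         return false;
     }

     try {
         $metaArray = $entityController->getMetaArray();
         $metaArray['eid'] = $eid;
         $blockedEntities = $entityController->getBlockedEntities();
         $allowedEntities = $entityController->getAllowedEntities();
         $disabledConsent = $entityController->getDisableConsent();

         // $metaFlat is PHP source that is later included as a metadata file,
         // so every embedded entity id goes through var_export(): a quote or
         // backslash in a remote entity id must not break out of the string
         // literal it is written into. The (string) cast keeps the quoted form.
         $metaFlat = '// Revision: ' . $entity->getRevisionid() . "\n";
         $metaFlat .= var_export($entityId, true) . ' => ' . var_export($metaArray, true) . ',';

         // Add authproc filter to block blocked entities
         if (!empty($blockedEntities) || !empty($allowedEntities)) {
             // strip the closing "),", append the extra keys, then close again
             $metaFlat = substr($metaFlat, 0, -2);
             if (!empty($allowedEntities)) {
                 $metaFlat .= "  'allowed' => array(\n";
                 $metaArray['allowed'] = [];
                 foreach ($allowedEntities as $allowedEntity) {
                     $metaFlat .= '      ' . var_export((string) $allowedEntity['remoteentityid'], true) . ",\n";
                     $metaArray['allowed'][] = $allowedEntity['remoteentityid'];
                 }
                 $metaFlat .= "  ),\n";
             }
             if (!empty($blockedEntities)) {
                 $metaFlat .= "  'blocked' => array(\n";
                 $metaArray['blocked'] = [];
                 foreach ($blockedEntities as $blockedEntity) {
                     $metaFlat .= '    ' . var_export((string) $blockedEntity['remoteentityid'], true) . ",\n";
                     $metaArray['blocked'][] = $blockedEntity['remoteentityid'];
                 }
                 $metaFlat .= "  ),\n";
             }
             $metaFlat .= '),';
         }

         // Add disable consent
         if (!empty($disabledConsent)) {
             $metaFlat = substr($metaFlat, 0, -2);
             $metaFlat .= "  'consent.disable' => array(\n";
             foreach ($disabledConsent as $key => $value) {
                 $metaFlat .= '    ' . var_export((string) $key, true) . ",\n";
             }
             $metaFlat .= "  ),\n";
             $metaFlat .= '),';
         }

         $maxCache = isset($option['maxCache']) ? $option['maxCache'] : null;
         $maxDuration = isset($option['maxDuration']) ? $option['maxDuration'] : null;

         try {
             $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($entityId, $maxCache, $maxDuration);
             $metaBuilder->addMetadata($metaArray['metadata-set'], $metaArray);
         } catch (Exception $e) {
             // Log class and message only; exporting the whole exception would
             // dump the stack trace with argument values into the log.
             SimpleSAML_Logger::error('JANUS - Entity_id:' . $entityId . ' - Error generating XML metadata - ' . get_class($e) . ': ' . $e->getMessage());
             self::$_error = ['Error generating XML metadata - ' . $e->getMessage()];
             return false;
         }

         // Add organization info
         if (!empty($metaArray['OrganizationName']) && !empty($metaArray['OrganizationDisplayName']) && !empty($metaArray['OrganizationURL'])) {
             $metaBuilder->addOrganizationInfo([
                 'OrganizationName'        => $metaArray['OrganizationName'],
                 'OrganizationDisplayName' => $metaArray['OrganizationDisplayName'],
                 'OrganizationURL'         => $metaArray['OrganizationURL'],
             ]);
         }

         // Add contact info
         if (!empty($metaArray['contact'])) {
             $metaBuilder->addContact('technical', $metaArray['contact']);
         }

         switch ($type) {
             case self::XML:
                 return $metaBuilder->getEntityDescriptor();
             case self::XMLREADABLE:
                 return $metaBuilder->getEntityDescriptorText();
             case self::PHPARRAY:
                 return $metaArray;
             case self::FLATFILE:
             default:
                 return $metaFlat;
         }
     } catch (Exception $exception) {
         $session = SimpleSAML_Session::getInstance();
         SimpleSAML_Utilities::fatalError($session->getTrackID(), 'JANUS - Metadatageneration', $exception);
         return false;
     }
 }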
     $metaArray['scope'] = $idpmeta->getArray('scope');
 }
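 // Optional IdP extensions, copied verbatim from the configuration when present.
 $optionalExtensions = ['EntityAttributes', 'UIInfo', 'DiscoHints', 'RegistrationInfo'];
 foreach ($optionalExtensions as $extensionKey) {
     if ($idpmeta->hasValue($extensionKey)) {
         $metaArray[$extensionKey] = $idpmeta->getArray($extensionKey);
     }
 }

 // PHP-array form of the same metadata for the admin page
 $metaflat = sprintf('$metadata[%s] = %s;', var_export($idpentityid, true), var_export($metaArray, true));

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
 $metaBuilder->addSecurityTokenServiceType($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);

 // Publish the technical contact only when a real address is configured
 // (the placeholder address is skipped).
 $technicalContactEmail = $config->getString('technicalcontact_email', null);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $metaBuilder->addContact('technical', [
         'emailAddress' => $technicalContactEmail,
         'name'         => $config->getString('technicalcontact_name', null),
     ]);
 }

 // 'output' comes from the query string: strict comparison, exact 'xhtml' only.
 $output_xhtml = array_key_exists('output', $_GET) && $_GET['output'] === 'xhtml';
 // NOTE(review): the argument presumably asks for pretty-printed XML -- confirm against getEntityDescriptorText()
 $metaxml = $metaBuilder->getEntityDescriptorText($output_xhtml);
 if (!$output_xhtml) {
     // single-line XML for the raw download
     $metaxml = str_replace("\n", '', $metaxml);
 }

 /* Sign the metadata if enabled. */
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');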
 if ($output_xhtml) {
     $defaultidp = $config->getString('default-adfs-idp', NULL);
     $metaArray['keys'] = $keys;
 }
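 // NameID formats advertised for the attribute authority.
 $metaArray['NameIDFormat'] = [SAML2_Const::NAMEID_PERSISTENT, SAML2_Const::NAMEID_TRANSIENT];

 if ($aameta->hasValue('OrganizationName')) {
     $metaArray['OrganizationName'] = $aameta->getLocalizedString('OrganizationName');
     $metaArray['OrganizationDisplayName'] = $aameta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
     // OrganizationURL is mandatory once an organization is named.
     if (!$aameta->hasValue('OrganizationURL')) {
         throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
     }
     $metaArray['OrganizationURL'] = $aameta->getLocalizedString('OrganizationURL');
 }
 if ($aameta->hasValue('scope')) {
     $metaArray['scope'] = $aameta->getArray('scope');
 }

 // PHP-array form of the metadata for the admin page.
 $metaflat = '$metadata[' . var_export($aaentityid, true) . '] = ' . var_export($metaArray, true) . ';';

 $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($aaentityid);
 $metaBuilder->addAttributeAuthority($metaArray);
 $metaBuilder->addOrganizationInfo($metaArray);

 // Publish the technical contact only when a real address is configured
 // (the placeholder address is skipped). '&&' rather than 'and': the keyword
 // form binds weaker than '=' and breaks as soon as the condition is stored.
 $technicalContactEmail = $config->getString('technicalcontact_email', null);
 $technicalContactName = $config->getString('technicalcontact_name', null);
 if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') {
     $metaBuilder->addContact('technical', [
         'contactType'  => 'technical',
         'emailAddress' => $technicalContactEmail,
         'name'         => $technicalContactName,
     ]);
 }
 $metaxml = $metaBuilder->getEntityDescriptorText();

 /* Sign the metadata if enabled. */
 $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $aameta->toArray(), 'SAML 2 IdP');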
 if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
     $defaultaa = null;
     $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
     $t->data['header'] = 'saml20-aa';
     $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();