Beispiel #1
  * Send an authenticationResponse using HTTP-POST.
  * @param string $response  The response which should be sent.
  * @param array $idpmd  The metadata of the IdP which is sending the response.
  * @param array $spmd  The metadata of the SP which is receiving the response.
  * @param string|NULL $relayState  The relaystate for the SP.
  * @param string $shire  The shire which should receive the response.
 public function sendResponse($response, $idpmd, $spmd, $relayState, $shire)
     SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
     $privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
     $publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
     $responsedom = new DOMDocument();
     $responsedom->loadXML(str_replace("\r", "", $response));
     $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
     $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
     /* Determine what we should sign - either the Response element or the Assertion. The default
      * is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
      * SP metadata or 'saml20.signresponse' in the global configuration.
     $signResponse = FALSE;
     if (array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
         $signResponse = $spmd['signresponse'];
         if (!is_bool($signResponse)) {
             throw new Exception('Expected the \'signresponse\' option in the metadata of the' . ' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
     } else {
         $signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
     /* Check if we have an assertion to sign. Force to sign the response if not. */
     if ($firstassertionroot === NULL) {
         $signResponse = TRUE;
     $signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
     if (array_key_exists('certificatechain', $idpmd)) {
     if ($signResponse) {
         /* Sign the response - this must be done after encrypting the assertion. */
         /* We insert the signature before the saml2p:Status element. */
         $statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
         assert('count($statusElements) === 1');
         $signer->sign($responseroot, $responseroot, $statusElements[0]);
     } else {
         /* Sign the assertion */
         $signer->sign($firstassertionroot, $firstassertionroot);
     $response = $responsedom->saveXML();
     if ($this->configuration->getBoolean('debug', FALSE)) {
         $p = new SimpleSAML_XHTML_Template($this->configuration, 'post-debug.php');
         $p->data['header'] = 'SAML (Shibboleth 1.3) Response Debug-mode';
         $p->data['RelayStateName'] = 'TARGET';
         $p->data['RelayState'] = $relayState;
         $p->data['destination'] = $shire;
         $p->data['response'] = str_replace("\n", "", base64_encode($response));
         $p->data['responseHTML'] = htmlspecialchars(SimpleSAML_Utilities::formatXMLString($response));
     } else {
         SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
Beispiel #2
  * Constructor for the metadata signer.
  * You can pass an list of options as key-value pairs in the array. This allows you to initialize
  * a metadata signer in one call.
  * The following keys are recognized:
  *  - privatekey       The file with the private key, relative to the cert-directory.
  *  - privatekey_pass  The passphrase for the private key.
  *  - certificate      The file with the certificate, relative to the cert-directory.
  *  - privatekey_array The private key, as an array returned from SimpleSAML_Utilities::loadPrivateKey.
  *  - publickey_array  The public key, as an array returned from SimpleSAML_Utilities::loadPublicKey.
  *  - id               The name of the ID attribute.
  * @param $options  Associative array with options for the constructor. Defaults to an empty array.
 public function __construct($options = array())
     if (self::$certDir === FALSE) {
         $config = SimpleSAML_Configuration::getInstance();
         self::$certDir = $config->getPathValue('certdir', 'cert/');
     $this->idAttrName = FALSE;
     $this->privateKey = FALSE;
     $this->certificate = FALSE;
     $this->extraCertificates = array();
     if (array_key_exists('privatekey', $options)) {
         $pass = NULL;
         if (array_key_exists('privatekey_pass', $options)) {
             $pass = $options['privatekey_pass'];
         $this->loadPrivateKey($options['privatekey'], $pass);
     if (array_key_exists('certificate', $options)) {
     if (array_key_exists('privatekey_array', $options)) {
     if (array_key_exists('publickey_array', $options)) {
     if (array_key_exists('id', $options)) {
Beispiel #3
  * Send an authenticationResponse using HTTP-POST.
  * @param string                   $response The response which should be sent.
  * @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
  * @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
  * @param string|null              $relayState The relaystate for the SP.
  * @param string                   $shire The shire which should receive the response.
 public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
     \SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');
     $privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
     $publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);
     $responsedom = new DOMDocument();
     $responsedom->loadXML(str_replace("\r", "", $response));
     $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
     $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
     /* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
      * Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
      * 'saml20.signresponse' in the global configuration.
      * TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
     if ($spmd->hasValue('signresponse')) {
         $signResponse = $spmd->getBoolean('signresponse');
     } else {
         $signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
     // check if we have an assertion to sign. Force to sign the response if not
     if ($firstassertionroot === null) {
         $signResponse = true;
     $signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
     if ($idpmd->hasValue('certificatechain')) {
     if ($signResponse) {
         // sign the response - this must be done after encrypting the assertion
         // we insert the signature before the saml2p:Status element
         $statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
         assert('count($statusElements) === 1');
         $signer->sign($responseroot, $responseroot, $statusElements[0]);
     } else {
         /* Sign the assertion */
         $signer->sign($firstassertionroot, $firstassertionroot);
     $response = $responsedom->saveXML();
     \SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');
     \SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
Beispiel #4
  * Send an authenticationResponse using HTTP-POST.
  * @param string $response  The response which should be sent.
  * @param SimpleSAML_Configuration $idpmd  The metadata of the IdP which is sending the response.
  * @param SimpleSAML_Configuration $spmd  The metadata of the SP which is receiving the response.
  * @param string|NULL $relayState  The relaystate for the SP.
  * @param string $shire  The shire which should receive the response.
 public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
     SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
     $privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
     $publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
     $responsedom = new DOMDocument();
     $responsedom->loadXML(str_replace("\r", "", $response));
     $responseroot = $responsedom->getElementsByTagName('Response')->item(0);
     $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
     /* Determine what we should sign - either the Response element or the Assertion. The default
      * is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
      * SP metadata or 'saml20.signresponse' in the global configuration.
     $signResponse = FALSE;
     if ($spmd->hasValue('signresponse')) {
         $signResponse = $spmd->getBoolean['signresponse'];
     } else {
         $signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
     /* Check if we have an assertion to sign. Force to sign the response if not. */
     if ($firstassertionroot === NULL) {
         $signResponse = TRUE;
     $signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
     if ($idpmd->hasValue('certificatechain')) {
     if ($signResponse) {
         /* Sign the response - this must be done after encrypting the assertion. */
         /* We insert the signature before the saml2p:Status element. */
         $statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
         assert('count($statusElements) === 1');
         $signer->sign($responseroot, $responseroot, $statusElements[0]);
     } else {
         /* Sign the assertion */
         $signer->sign($firstassertionroot, $firstassertionroot);
     $response = $responsedom->saveXML();
     SimpleSAML_Utilities::debugMessage($response, 'out');
     SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
Beispiel #5
 public function getMetadataDocument()
     // Get metadata entries
     $entities = $this->getSources();
     // Generate XML Document
     $xml = new DOMDocument();
     $entitiesDescriptor = $xml->createElementNS('urn:oasis:names:tc:SAML:2.0:metadata', 'EntitiesDescriptor');
     $entitiesDescriptor->setAttribute('Name', $this->id);
     $maxDuration = $this->getMaxDuration();
     $reconstruct = $this->getReconstruct();
     /* Build EntityDescriptor elements for them. */
     foreach ($entities as $entity => $sets) {
         $entityDescriptor = NULL;
         foreach ($sets as $set => $metadata) {
             if (!array_key_exists('entityDescriptor', $metadata)) {
                 /* One of the sets doesn't contain an EntityDescriptor element. */
                 $entityDescriptor = FALSE;
             if ($entityDescriptor == NULL) {
                 /* First EntityDescriptor elements. */
                 $entityDescriptor = $metadata['entityDescriptor'];
             if ($entityDescriptor !== $metadata['entityDescriptor']) {
                 /* Entity contains multiple different EntityDescriptor elements. */
                 $entityDescriptor = FALSE;
         if (is_string($entityDescriptor) && !$reconstruct) {
             /* All metadata sets for the entity contain the same entity descriptor. Use that one. */
             $tmp = new DOMDocument();
             $entityDescriptor = $tmp->documentElement;
         } else {
             $tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
             $orgmeta = NULL;
             foreach ($sets as $set => $metadata) {
                 $tmp->addMetadata($set, $metadata);
                 $orgmeta = $metadata;
             $entityDescriptor = $tmp->getEntityDescriptor();
         $entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, TRUE));
     /* Sign the metadata if enabled. */
     if ($this->shouldSign()) {
         $signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
         $signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
     return $xml;
Beispiel #6
 public function getMetadataDocument()
     // Get metadata entries
     $entities = $this->getSources();
     $maxDuration = $this->getMaxDuration();
     $reconstruct = $this->getReconstruct();
     $entitiesDescriptor = new SAML2_XML_md_EntitiesDescriptor();
     $entitiesDescriptor->Name = $this->id;
     $entitiesDescriptor->validUntil = time() + $maxDuration;
     // add RegistrationInfo extension if enabled
     if ($this->gConfig->hasValue('RegistrationInfo')) {
         $ri = new SAML2_XML_mdrpi_RegistrationInfo();
         foreach ($this->gConfig->getArray('RegistrationInfo') as $riName => $riValues) {
             switch ($riName) {
                 case 'authority':
                     $ri->registrationAuthority = $riValues;
                 case 'instant':
                     $ri->registrationInstant = SAML2_Utils::xsDateTimeToTimestamp($riValues);
                 case 'policies':
                     $ri->RegistrationPolicy = $riValues;
         $entitiesDescriptor->Extensions[] = $ri;
     /* Build EntityDescriptor elements for them. */
     foreach ($entities as $entity => $sets) {
         $entityDescriptor = NULL;
         foreach ($sets as $set => $metadata) {
             if (!array_key_exists('entityDescriptor', $metadata)) {
                 /* One of the sets doesn't contain an EntityDescriptor element. */
                 $entityDescriptor = FALSE;
             if ($entityDescriptor == NULL) {
                 /* First EntityDescriptor elements. */
                 $entityDescriptor = $metadata['entityDescriptor'];
             if ($entityDescriptor !== $metadata['entityDescriptor']) {
                 /* Entity contains multiple different EntityDescriptor elements. */
                 $entityDescriptor = FALSE;
         if (is_string($entityDescriptor) && !$reconstruct) {
             /* All metadata sets for the entity contain the same entity descriptor. Use that one. */
             $tmp = new DOMDocument();
             $entitiesDescriptor->children[] = new SAML2_XML_md_EntityDescriptor($tmp->documentElement);
         } else {
             $tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
             $orgmeta = NULL;
             foreach ($sets as $set => $metadata) {
                 $tmp->addMetadata($set, $metadata);
                 $orgmeta = $metadata;
             $entitiesDescriptor->children[] = $tmp->getEntityDescriptor();
     $document = $entitiesDescriptor->toXML();
     // sign the metadata if enabled
     if ($this->shouldSign()) {
         $signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
         $signer->sign($document, $document, $document->firstChild);
     return $document;
Beispiel #7
/* Make sure that the request isn't suspicious (contains references to current
 * directory or parent directory or anything like that. Searching for './' in the
 * URL will detect both '../' and './'. Searching for '\' will detect attempts to
 * use Windows-style paths.
if (strpos($attributemap, '\\') !== FALSE) {
    throw new SimpleSAML_Error_BadRequest('Requested URL contained a backslash.');
} elseif (strpos($attributemap, './') !== FALSE) {
    throw new SimpleSAML_Error_BadRequest('Requested URL contained \'./\'.');
$arp = new sspmod_aggregator_ARP($md, $attributemap, $prefix, $suffix);
$arpxml = $arp->getXML();
$xml = new DOMDocument();
$firstelement = $xml->firstChild;
if ($aggregator->shouldSign()) {
    $signinfo = $aggregator->getSigningInfo();
    $signer = new SimpleSAML_XML_Signer($signinfo);
    $signer->sign($firstelement, $firstelement, $firstelement->firstChild);
$mimetype = 'application/samlmetadata-xml';
$allowedmimetypes = array('text/plain', 'application/samlmetadata-xml', 'application/xml');
if (isset($_GET['mimetype']) && in_array($_GET['mimetype'], $allowedmimetypes)) {
    $mimetype = $_GET['mimetype'];
if ($mimetype === 'text/plain') {
header('Content-Type: ' . $mimetype);
echo $xml->saveXML();
     $ssp_metadata = $ssp_metadata . "\n\n" . sspmod_janus_MetaExport::getFlatMetadata($entity['eid'], $entity['revisionid']);
     if (empty($entityDescriptor)) {
         $t = new SimpleSAML_XHTML_Template($config, 'janus:error.php', 'janus:error');
         $t->data['header'] = 'JANUS';
         $t->data['title'] = 'error_required_metadata_missing_header';
         $t->data['error'] = 'error_required_metadata_missing_entity';
         $t->data['error_data'] = array('%ENTITY%' => $entity['entityid']);
         $t->data['extra_data'] = implode("\n", sspmod_janus_MetaExport::getError());
     $entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, TRUE));
 /* Sign the metadata if enabled. */
 if ($janus_config->getBoolean('sign.enable', FALSE)) {
     $signer = new SimpleSAML_XML_Signer(array('privatekey' => $janus_config->getString('sign.privatekey'), 'privatekey_pass' => $janus_config->getString('sign.privatekey_pass', NULL), 'certificate' => $janus_config->getString('sign.certificate'), 'id' => 'ID'));
     $signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
 if (isset($export_external)) {
     $externalconfig = $janus_config->getArray('export.external');
     if (array_key_exists($export_external, $externalconfig)) {
         $externalconfig = $externalconfig[$export_external];
         try {
             $exporter = sspmod_janus_Exporter::getInstance($externalconfig['class'], $externalconfig['option']);
         } catch (Exception $e) {
             SimpleSAML_Utilities::fatalError($session->getTrackID(), 'Can not export metadata externally', $e);
Beispiel #9
/* Build EntitiesDescriptor. */
$doc = new DOMDocument('1.0', 'utf-8');
$root = $doc->createElementNS('urn:oasis:names:tc:SAML:2.0:metadata', 'EntitiesDescriptor');
$store = SimpleSAML_MetaShare_Store::getInstance();
foreach ($store->getEntityList() as $entityId) {
    $entityNode = $store->getMetadata($entityId);
    if ($entityNode === FALSE) {
        /* For some reason we were unable to load the metadata - skip entity. */
    $entityNode = $doc->importNode($entityNode, TRUE);
    assert($entityNode !== FALSE);
/* Sign the metadata if enabled. */
if ($metaConfig->getBoolean('metashare.signmetadatalist', FALSE)) {
    $privateKey = $metaConfig->getString('metashare.privatekey');
    $privateKeyPass = $metaConfig->getString('metashare.privatekey_pass', NULL);
    $certificate = $metaConfig->getString('metashare.certificate');
    $signer = new SimpleSAML_XML_Signer(array('privatekey' => $privateKey, 'privatekey_pass' => $privateKeyPass, 'certificate' => $certificate, 'id' => 'ID'));
    $signer->sign($root, $root, $root->firstChild);
/* Show the metadata. */
if (array_key_exists('mimetype', $_GET)) {
    $mimeType = $_GET['mimetype'];
} else {
    $mimeType = 'application/samlmetadata+xml';
header('Content-Type: ' . $mimeType);
echo $doc->saveXML();