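/**
 * Build the AuthnRequest that EngineBlock (acting as SP) sends to the selected IdP.
 *
 * ForceAuthn and IsPassive are copied from the request EngineBlock received. Unless scoping
 * is disabled for this IdP, the IDPList, ProxyCount and RequesterID list are carried over as
 * well, with the issuer of the received request appended to the RequesterID list.
 *
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $originalRequest request received from the SP
 * @param IdentityProvider $idpMetadata metadata of the IdP the new request is addressed to
 * @param EngineBlock_Corto_ProxyServer $server supplies ids, own URLs and configuration
 * @return EngineBlock_Saml2_AuthnRequestAnnotationDecorator
 * @throws EngineBlock_Exception when the IdP metadata lists no SingleSignOnService endpoint
 */
public static function createFromRequest(
    EngineBlock_Saml2_AuthnRequestAnnotationDecorator $originalRequest,
    IdentityProvider $idpMetadata,
    EngineBlock_Corto_ProxyServer $server
) {
    // Destination and delivery binding both come from the first SSO endpoint; fail with a
    // clear message instead of dereferencing an undefined offset when there is none.
    if (empty($idpMetadata->singleSignOnServices[0])) {
        throw new EngineBlock_Exception(
            "Unable to create AuthnRequest: IdP '{$idpMetadata->entityId}' has no SingleSignOnService endpoint"
        );
    }
    $ssoService = $idpMetadata->singleSignOnServices[0];

    // NameIDPolicy: AllowCreate is always requested; Format only when configured for this IdP.
    // SAML 2.0 only allows urn:oasis:names:tc:SAML:2.0:nameid-format:transient and
    // urn:oasis:names:tc:SAML:2.0:nameid-format:persistent here, but some IdPs (e.g. ADFS2)
    // do not understand those, so the format may be configured empty or as an older value.
    $nameIdPolicy = array('AllowCreate' => 'true');
    if (!empty($idpMetadata->nameIdFormat)) {
        $nameIdPolicy['Format'] = $idpMetadata->nameIdFormat;
    }

    $sspRequest = new SAML2_AuthnRequest();
    $sspRequest->setId($server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_REQUEST));
    $sspRequest->setIssueInstant(time());
    $sspRequest->setDestination($ssoService->location);
    $sspRequest->setForceAuthn($originalRequest->getForceAuthn());
    $sspRequest->setIsPassive($originalRequest->getIsPassive());
    $sspRequest->setAssertionConsumerServiceURL($server->getUrl('assertionConsumerService'));
    $sspRequest->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
    $sspRequest->setIssuer($server->getUrl('spMetadataService'));
    $sspRequest->setNameIdPolicy($nameIdPolicy);

    if (empty($idpMetadata->disableScoping)) {
        // Copy over the IdPs that are allowed to answer this request.
        $sspRequest->setIDPList($originalRequest->getIDPList());

        // ProxyCount: fall back to the configured maximum only when the SP sent none.
        // A ProxyCount of 0 is meaningful (SAML 2.0 core 3.4.1.5: zero permits no proxying)
        // and must not be replaced by the default, which a truthiness test would do.
        $proxyCount = $originalRequest->getProxyCount();
        if ($proxyCount === null) {
            $proxyCount = $server->getConfig('max_proxies', 10);
        }
        $sspRequest->setProxyCount($proxyCount);

        // Append the issuer of the received request (the SP) to the RequesterID list.
        $requesterIds = $originalRequest->getRequesterID();
        $requesterIds[] = $originalRequest->getIssuer();
        $sspRequest->setRequesterID($requesterIds);
    }

    // Deliver via the IdP's first listed binding, even if more exist.
    $request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($sspRequest);
    $request->setDeliverByBinding($ssoService->binding);

    return $request;
}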
/**
 * Handle an internally delivered Response by deciding whether the user must be asked for
 * consent before the attributes are released to the requesting SP.
 *
 * The response is parked in the session under its own ID before anything else happens; the
 * same ID is handed to the consent template as the hidden 'ID' field (presumably so the
 * processConsentService handler can retrieve it again — verify against that handler).
 * When consent is disabled for the SP chain/IdP, or consent was already stored, the response
 * is sent straight on over the 'INTERNAL' binding with the matching Consent attribute;
 * otherwise the consent page is rendered and output.
 *
 * @param string $serviceName unused here
 * @return void
 */
public function serve($serviceName) {
    $proxyServer = $this->_server;
    $repository = $proxyServer->getRepository();

    $response = $proxyServer->getBindingsModule()->receiveResponse();
    $_SESSION['consent'][$response->getId()]['response'] = $response;

    $originalRequest = $proxyServer->getReceivedRequestFromResponse($response);
    $serviceProvider = $repository->fetchServiceProviderByEntityId($originalRequest->getIssuer());
    $spMetadataChain = EngineBlock_SamlHelper::getSpRequesterChain($serviceProvider, $originalRequest, $repository);
    $identityProvider = $repository->fetchIdentityProviderByEntityId($response->getOriginalIssuer());

    // When the SP chain or the IdP asks for additional logging, flush the buffered log and
    // record the raw HTTP request.
    $entitiesToCheck = array_merge($spMetadataChain, array($identityProvider));
    if (EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($entitiesToCheck)) {
        $application = EngineBlock_ApplicationSingleton::getInstance();
        $application->flushLog('Activated additional logging for one or more SPs in the SP requester chain, or the IdP');
        $application->getLogInstance()->info(
            'Raw HTTP request',
            array('http_request' => (string) $application->getHttpRequest())
        );
    }

    // Work out whether the consent screen can be skipped, and with which Consent value.
    $skipConsentWith = null;
    if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
        $skipConsentWith = SAML2_Const::CONSENT_INAPPLICABLE;
    } else {
        // Consent is asked for / stored against the first SP in the requester chain
        // (assumed non-empty here, as in the original).
        $consentDestinationSp = $spMetadataChain[0];
        $attributes = $response->getAssertion()->getAttributes();
        $consent = $this->_consentFactory->create($proxyServer, $response, $attributes);
        if ($consent->hasStoredConsent($consentDestinationSp)) {
            $skipConsentWith = SAML2_Const::CONSENT_PRIOR;
        }
    }

    if ($skipConsentWith !== null) {
        $response->setConsent($skipConsentWith);
        $response->setDestination($response->getReturn());
        $response->setDeliverByBinding('INTERNAL');
        $proxyServer->getBindingsModule()->send($response, $serviceProvider);
        return;
    }

    $html = $proxyServer->renderTemplate('consent', array(
        'action' => $proxyServer->getUrl('processConsentService'),
        'ID' => $response->getId(),
        'attributes' => $attributes,
        'sp' => $consentDestinationSp,
        'idp' => $identityProvider,
    ));
    $proxyServer->sendOutput($html);
}
/**
 * Build a SimpleSAMLphp configuration describing EngineBlock's own SP entity: its entity id
 * (the SP metadata URL), a single HTTP-Redirect endpoint at that same URL, the signing
 * certificate from the server's key pair, and the private key file path (empty string when
 * no private key is available).
 *
 * NOTE(review): the 'keys' list contains the same signing certificate twice, exactly as the
 * original did; kept as-is — confirm whether a single entry is sufficient.
 *
 * @return SimpleSAML_Configuration
 */
protected function getSspOwnMetadata() {
    $keyPair = $this->_server->getSigningCertificates();
    $ownEntityId = $this->_server->getUrl('spMetadataService');

    $signingKey = array(
        'signing' => true,
        'type' => 'X509Certificate',
        'X509Certificate' => $keyPair->getCertificate()->toCertData(),
    );

    $privateKey = $keyPair->getPrivateKey();
    $privateKeyPath = $privateKey ? $privateKey->filePath() : '';

    $ssoEndpoint = array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        'Location' => $ownEntityId,
    );

    return SimpleSAML_Configuration::loadFromArray(array(
        'entityid' => $ownEntityId,
        'SingleSignOnService' => array($ssoEndpoint),
        'keys' => array($signingKey, $signingKey),
        'privatekey' => $privateKeyPath,
    ));
}
/**
 * Load EngineBlock's own SP role from the metadata repository and augment it with the
 * settings that cannot (yet) be configured through the Service Registry: the signing
 * certificate, the supported NameID formats, the requested/required attributes taken from
 * the attribute metadata, the full list of IdP entity ids as allowed IdPs, and the internal
 * consent service as response processing service.
 *
 * @param MetadataRepositoryInterface $metadataRepository
 * @param EngineBlock_X509_KeyPair $keyPair
 * @param EngineBlock_Corto_ProxyServer $proxyServer
 * @return ServiceProvider
 * @throws EngineBlock_Corto_ProxyServer_Exception
 * @throws EngineBlock_Exception when no SP with EngineBlock's entity id exists in the repository
 */
protected function getEngineSpRole(MetadataRepositoryInterface $metadataRepository, EngineBlock_X509_KeyPair $keyPair, EngineBlock_Corto_ProxyServer $proxyServer) {
    $ownEntityId = $proxyServer->getUrl('spMetadataService');
    $engineSp = $metadataRepository->findServiceProviderByEntityId($ownEntityId);
    if (!$engineSp) {
        throw new EngineBlock_Exception("Unable to find EngineBlock configured as Service Provider. No '{$ownEntityId}' in repository!");
    }

    $engineSp->certificates = array($keyPair->getCertificate());
    $engineSp->supportedNameIdFormats = array(
        SAML2_Const::NAMEID_PERSISTENT,
        SAML2_Const::NAMEID_TRANSIENT,
        SAML2_Const::NAMEID_UNSPECIFIED,
    );

    // Requested attributes come first, required ones (flagged as such) after them.
    $attributeMetadata = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getAttributeMetadata();
    $optionalAttributes = array();
    foreach ($attributeMetadata->findRequestedAttributeIds() as $attributeId) {
        $optionalAttributes[] = new RequestedAttribute($attributeId);
    }
    $requiredAttributes = array();
    foreach ($attributeMetadata->findRequiredAttributeIds() as $attributeId) {
        $requiredAttributes[] = new RequestedAttribute($attributeId, true);
    }
    $engineSp->requestedAttributes = array_merge($optionalAttributes, $requiredAttributes);

    // EngineBlock's own SP may be answered by every IdP known to the repository.
    $engineSp->allowedIdpEntityIds = $metadataRepository->findAllIdentityProviderEntityIds();

    // Responses for this SP are routed to the consent service over the internal binding.
    $engineSp->responseProcessingService = new Service($proxyServer->getUrl('provideConsentService'), 'INTERNAL');

    return $engineSp;
}