/** * @param string $destinationUrl * @param string $assertionConsumerServiceURL * @param string $issuerUrl * @return SAML2_AuthnRequest */ public function create($destinationUrl, $assertionConsumerServiceURL, $issuerUrl) { $request = new SAML2_AuthnRequest(); $request->setDestination($destinationUrl); $request->setAssertionConsumerServiceURL($assertionConsumerServiceURL); $request->setIssuer($issuerUrl); $request->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST); $request->setNameIdPolicy(array('Format' => SAML2_Const::NAMEID_TRANSIENT, 'AllowCreate' => true)); return $request; }
/** * Due to the fact that the symmetric key is generated each time, we cannot test whether or not the resulting XML * matches a specific XML, but we can test whether or not the resulting structure is actually correct, conveying * all information required to decrypt the NameId. */ public function testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure() { // the NameID we're going to encrypt $nameId = array('Value' => md5('Arthur Dent'), 'Format' => SAML2_Const::NAMEID_ENCRYPTED); // basic AuthnRequest $request = new SAML2_AuthnRequest(); $request->setIssuer('https://gateway.stepup.org/saml20/sp/metadata'); $request->setDestination('https://tiqr.stepup.org/idp/profile/saml2/Redirect/SSO'); $request->setNameId($nameId); // encrypt the NameID $key = SAML2_CertificatesMock::getPublicKey(); $request->encryptNameId($key); $expectedStructureDocument = new DOMDocument(); $expectedStructureDocument->loadXML(<<<AUTHNREQUEST <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="" Version="" IssueInstant="" Destination=""> <saml:Issuer></saml:Issuer> <saml:Subject> <saml:EncryptedID xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> <xenc:EncryptedKey> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </dsig:KeyInfo> <xenc:CipherData> <xenc:CipherValue></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </saml:EncryptedID> </saml:Subject> </samlp:AuthnRequest> AUTHNREQUEST ); $expectedStructure = $expectedStructureDocument->documentElement; $requestStructure = $request->toUnsignedXML(); $this->assertEqualXMLStructure($expectedStructure, $requestStructure); }
/** * Build an authentication request based on information in the metadata. * * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider. * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider. */ public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata) { $ar = new SAML2_AuthnRequest(); if ($spMetadata->hasValue('NameIDPolicy')) { $nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL); } else { $nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT); } if ($nameIdPolicy !== NULL) { $ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE)); } $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT)); $dst = $dst['Location']; $ar->setIssuer($spMetadata->getString('entityid')); $ar->setDestination($dst); $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE)); $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE)); $protbind = $spMetadata->getValueValidate('ProtocolBinding', array(SAML2_Const::BINDING_HTTP_POST, SAML2_Const::BINDING_HTTP_ARTIFACT, SAML2_Const::BINDING_HTTP_REDIRECT), SAML2_Const::BINDING_HTTP_POST); /* Shoaib - setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST */ $ar->setProtocolBinding($protbind); if ($spMetadata->hasValue('AuthnContextClassRef')) { $accr = $spMetadata->getArrayizeString('AuthnContextClassRef'); $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr)); } self::addRedirectSign($spMetadata, $idpMetadata, $ar); return $ar; }
/** * Build an authentication request based on information in the metadata. * * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider. * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider. */ public static function buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata) { $ar = new SAML2_AuthnRequest(); if ($spMetadata->hasValue('NameIDPolicy')) { $nameIdPolicy = $spMetadata->getString('NameIDPolicy', NULL); } else { $nameIdPolicy = $spMetadata->getString('NameIDFormat', SAML2_Const::NAMEID_TRANSIENT); } if ($nameIdPolicy !== NULL) { $ar->setNameIdPolicy(array('Format' => $nameIdPolicy, 'AllowCreate' => TRUE)); } $ar->setIssuer($spMetadata->getString('entityid')); $ar->setDestination($idpMetadata->getString('SingleSignOnService')); $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', FALSE)); $ar->setIsPassive($spMetadata->getBoolean('IsPassive', FALSE)); if ($spMetadata->hasValue('AuthnContextClassRef')) { $accr = $spMetadata->getArrayizeString('AuthnContextClassRef'); $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr)); } self::addRedirectSign($spMetadata, $idpMetadata, $ar); return $ar; }
/** * launchkey_form - login form for wp-login.php * * @since 1.1.0 * * @param string $class A space separated list of classes to set on the "class" attribute of a containing DIV for the login button * @param string $id The value to set on the "id" attribute of a containing DIV for the login button * @param string $style A string of HTML style code tto set on the "style" attribute of a containing DIV for the login button */ public function launchkey_form($class = '', $id = '', $style = '') { if (isset($_GET['launchkey_error'])) { $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'The LaunchKey request was denied or an issue was detected during authentication. Please try again.'))); } elseif (isset($_GET['launchkey_ssl_error'])) { $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'There was an error trying to request the LaunchKey servers. If this persists you may need to disable SSL verification.'))); } elseif (isset($_GET['launchkey_security'])) { $this->wp_facade->_echo($this->template->render_template('error', array('error' => 'Error!', 'message' => 'There was a security issue detected and you have been logged out for your safety. Log back in to ensure a secure session.'))); } $container = SAML2_Utils::getContainer(); $request = new SAML2_AuthnRequest(); $request->setId($container->generateId()); //$request->setProviderName( parse_url( $this->wp_facade->home_url( '/' ), PHP_URL_HOST ) ); $request->setDestination($this->login_url); $request->setIssuer($this->entity_id); $request->setRelayState($this->wp_facade->admin_url()); $request->setAssertionConsumerServiceURL($this->wp_facade->wp_login_url()); $request->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST); $request->setIsPassive(false); $request->setNameIdPolicy(array('Format' => SAML2_Const::NAMEID_PERSISTENT, 'AllowCreate' => true)); // Send it off using the HTTP-Redirect binding $binding = new SAML2_HTTPRedirect(); $binding->setDestination($this->login_url); $this->wp_facade->_echo($this->template->render_template('launchkey-form', array('class' => $class, 'id' => $id, 'style' => $style, 'login_url' => $binding->getRedirectURL($request), 'login_text' => 'Log in with', 'login_with_app_name' => 'LaunchKey', 'size' => in_array($this->wp_facade->get_locale(), array('fr_FR', 'es_ES')) ? 'small' : 'medium'))); }
/** * Test for setting IDPEntry values via setIDPList. * Tests legacy support (single string), array of attributes, and skipping of unknown attributes. */ public function testIDPlistAttributes() { // basic AuthnRequest $request = new SAML2_AuthnRequest(); $request->setIssuer('https://gateway.example.org/saml20/sp/metadata'); $request->setDestination('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO'); $request->setIDPList(array('Legacy1', array('ProviderID' => 'http://example.org/AAP', 'Name' => 'N00T', 'Loc' => 'https://mies'), array('ProviderID' => 'urn:example:1', 'Name' => 'Voorbeeld', 'Something' => 'Else'))); $expectedStructureDocument = new DOMDocument(); $expectedStructureDocument->loadXML(<<<AUTHNREQUEST <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="" Version="" IssueInstant="" Destination=""> <saml:Issuer></saml:Issuer> <samlp:Scoping><samlp:IDPList> <samlp:IDPEntry ProviderID="Legacy1"/> <samlp:IDPEntry ProviderID="http://example.org/AAP" Name="N00T" Loc="https://mies"/> <samlp:IDPEntry ProviderID="urn:example:1" Name="Voorbeeld"/> </samlp:IDPList></samlp:Scoping> </samlp:AuthnRequest> AUTHNREQUEST ); $expectedStructure = $expectedStructureDocument->documentElement; $requestStructure = $request->toUnsignedXML(); $this->assertEqualXMLStructure($expectedStructure, $requestStructure); }