$buf .= '</wsdl:input>'; $buf .= '<wsdl:output>'; $buf .= '<soap12:body use="literal"/>'; $buf .= '</wsdl:output>'; $buf .= '</wsdl:operation>'; $buf .= '</wsdl:binding>'; $buf .= '<wsdl:service name="STS_0">'; $buf .= '<wsdl:port name="STS_0_port" binding="tns:Transport_binding">'; $buf .= '<soap12:address location="' . $ICconfig['tokenserviceurl'] . '" />'; $buf .= '<wsa:EndpointReference>'; $buf .= '<wsa:Address>' . $ICconfig['tokenserviceurl'] . '</wsa:Address>'; $buf .= '<wsid:Identity>'; $buf .= '<ds:KeyInfo>'; $buf .= '<ds:X509Data>'; $buf .= '<ds:X509Certificate>'; $buf .= sspmod_InfoCard_Utils::takeCert($ICconfig['certificates'][0]); $buf .= '</ds:X509Certificate>'; $buf .= '</ds:X509Data>'; $buf .= '</ds:KeyInfo>'; $buf .= '</wsid:Identity>'; $buf .= '</wsa:EndpointReference>'; $buf .= '</wsdl:port>'; $buf .= '</wsdl:service>'; $buf .= '</wsdl:definitions>'; $buf .= '</MetadataSection>'; $buf .= '<MetadataSection Dialect="http://www.w3.org/2001/XMLSchema" Identifier="' . $ICconfig['tokenserviceurl'] . '">'; $buf .= '<xs:schema xmlns:tns="' . $ICconfig['tokenserviceurl'] . '" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="' . $ICconfig['tokenserviceurl'] . '">'; $buf .= '<xs:complexType name="MessageBody">'; $buf .= '<xs:sequence>'; $buf .= '<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>'; $buf .= '</xs:sequence>';
$ppid = getppid($samlToken); SimpleSAML_Logger::debug('PPID: ' . $ppid); if (sspmod_InfoCard_UserFunctions::validateUser(array('PPID' => $ppid), $ICconfig['UserCredential'])) { $authenticated = true; } break; default: break; } $messageid = $doc->getElementsByTagname('MessageID')->item(0)->nodeValue; if ($authenticated) { $ICconfig['InfoCard'] = $autoconfig->getValue('InfoCard'); $ICconfig['issuer'] = $autoconfig->getValue('issuer'); $ICconfig['sts_crt'] = $autoconfig->getValue('sts_crt'); $ICconfig['sts_key'] = $autoconfig->getValue('sts_key'); $requiredClaims = sspmod_InfoCard_Utils::extractClaims($ICconfig['InfoCard']['schema'], $doc->getElementsByTagname('ClaimType')); $claimValues = sspmod_InfoCard_UserFunctions::fillClaims($username, $ICconfig['InfoCard']['requiredClaims'], $ICconfig['InfoCard']['optionalClaims'], $requiredClaims); $response = sspmod_InfoCard_STS::createToken($claimValues, $ICconfig, $messageid); } else { $response = sspmod_InfoCard_STS::errorMessage('Wrong Credentials', $messageid); } Header('Content-length: ' . strlen($response) + 1); print $response; //LOG if ($debugDir != null) { $handle = fopen($debugDir . '/' . $messageid . '.log', 'w'); fwrite($handle, " ------ InfoCard simpleSAMLphp Module LOG ------\n\n"); fwrite($handle, "-- TIME: " . gmdate('Y-m-d') . ' ' . gmdate('H:i:s') . "\n"); fwrite($handle, "-- MESSAGE ID: " . $messageid . "\n\n\n"); fwrite($handle, "-- RST\n"); fwrite($handle, $HTTP_RAW_POST_DATA);
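/**
 * Build a signed SAML 1.0 holder-of-key assertion carrying the supplied claims.
 *
 * The unsigned assertion is canonicalized and SHA-1 digested, a dsig:SignedInfo
 * block referencing the assertion id is built around that digest, and the
 * canonicalized SignedInfo is signed with RSA-SHA1 using the STS private key.
 * The resulting enveloped dsig:Signature is appended before the closing tag.
 *
 * SHA-1 / RSA-SHA1 are the algorithms this token format declares; they are
 * weak by current standards and are kept here only for interoperability.
 *
 * @param array  $claimValues map of claim name => array with a 'value' entry
 * @param array  $config      reads 'issuer', 'InfoCard'['schema'], 'sts_crt' (passed to
 *                            sspmod_InfoCard_Utils::takeCert) and 'sts_key' (PEM private key path)
 * @param string $assertionid AssertionID, also the URI the signature references
 * @param string $created     IssueInstant and NotBefore
 * @param string $expires     NotOnOrAfter
 * @return string the signed <saml:Assertion> element
 * @throws \Exception when the private key cannot be read or loaded, or signing fails
 */
private static function saml_assertion($claimValues, $config, $assertionid, $created, $expires)
{
    // Claim names and values originate from the request / user data; escape
    // every interpolated value so a '<', '&' or quote cannot produce malformed
    // XML or add elements to the assertion that is about to be signed.
    $esc = static function ($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_XML1, 'UTF-8');
    };

    // The STS certificate is embedded twice (proof key and signature KeyInfo).
    $stsCert = sspmod_InfoCard_Utils::takeCert($config['sts_crt']);

    $saml = '<saml:Assertion MajorVersion="1" MinorVersion="0" AssertionID="' . $esc($assertionid)
        . '" Issuer="' . $esc($config['issuer']) . '" IssueInstant="' . $esc($created)
        . '" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">';
    $saml .= '<saml:Conditions NotBefore="' . $esc($created) . '" NotOnOrAfter="' . $esc($expires) . '" />';
    $saml .= '<saml:AttributeStatement>';
    $saml .= '<saml:Subject>';
    $saml .= '<saml:SubjectConfirmation>';
    $saml .= '<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>';
    // Proof key. NOTE(review): this carries the STS certificate, i.e. the same
    // key that signs the assertion; confirm that this is the intended
    // holder-of-key proof key for this profile rather than the requestor's key.
    $saml .= '<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">';
    $saml .= '<dsig:X509Data>';
    $saml .= '<dsig:X509Certificate>' . $stsCert . '</dsig:X509Certificate>';
    $saml .= '</dsig:X509Data>';
    $saml .= '</dsig:KeyInfo>';
    $saml .= '</saml:SubjectConfirmation>';
    $saml .= '</saml:Subject>';

    foreach ($claimValues as $claim => $data) {
        $saml .= '<saml:Attribute AttributeName="' . $esc($claim)
            . '" AttributeNamespace="' . $esc($config['InfoCard']['schema']) . '/claims">';
        $saml .= '<saml:AttributeValue>' . $esc($data['value']) . '</saml:AttributeValue>';
        $saml .= '</saml:Attribute>';
    }
    $saml .= '</saml:AttributeStatement>';

    // Digest of the complete but still unsigned assertion. This matches the
    // enveloped-signature transform declared below: the Signature element is
    // not part of what is digested.
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($saml . '</saml:Assertion>');
    $samldigest = base64_encode(sha1($canonicalbuf, true));

    // SignedInfo: exclusive C14N, RSA-SHA1, one reference to the assertion id.
    $signedinfo = '<dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" >';
    $signedinfo .= '<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />';
    $signedinfo .= '<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />';
    $signedinfo .= '<dsig:Reference URI="#' . $esc($assertionid) . '">';
    $signedinfo .= '<dsig:Transforms>';
    $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />';
    $signedinfo .= '<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />';
    $signedinfo .= '</dsig:Transforms>';
    $signedinfo .= '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />';
    $signedinfo .= '<dsig:DigestValue>' . $samldigest . '</dsig:DigestValue>';
    $signedinfo .= '</dsig:Reference>';
    $signedinfo .= '</dsig:SignedInfo>';

    // Sign the canonicalized SignedInfo. Every step is checked: a missing or
    // unreadable key must not silently yield an empty or bogus signature.
    $canonicalbuf = sspmod_InfoCard_Utils::canonicalize($signedinfo);
    $keyPem = file_get_contents($config['sts_key']);
    if ($keyPem === false) {
        throw new \Exception('Unable to read STS private key file: ' . $config['sts_key']);
    }
    $privkey = openssl_pkey_get_private($keyPem);
    if ($privkey === false) {
        throw new \Exception('Unable to load STS private key: ' . openssl_error_string());
    }
    $signature = '';
    // OPENSSL_ALGO_SHA1 is the default; stated explicitly because the
    // SignatureMethod above promises rsa-sha1.
    if (!openssl_sign($canonicalbuf, $signature, $privkey, OPENSSL_ALGO_SHA1)) {
        throw new \Exception('Signing the SAML assertion failed: ' . openssl_error_string());
    }
    // The key handle is released when $privkey goes out of scope; the explicit
    // openssl_free_key() call is a deprecated no-op on PHP 8 and was dropped.
    $samlsignature = base64_encode($signature);

    // Enveloped signature block, then close the assertion.
    $saml .= '<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">';
    $saml .= $signedinfo;
    $saml .= '<dsig:SignatureValue>' . $samlsignature . '</dsig:SignatureValue>';
    $saml .= '<dsig:KeyInfo>';
    $saml .= '<dsig:X509Data>';
    $saml .= '<dsig:X509Certificate>' . $stsCert . '</dsig:X509Certificate>';
    $saml .= '</dsig:X509Data>';
    $saml .= '</dsig:KeyInfo>';
    $saml .= '</dsig:Signature>';
    $saml .= '</saml:Assertion>';

    return $saml;
}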