Add signature key and sender certificate to an element (Message or Assertion).
public static addSign ( SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2\SignedElement $element ) | ||
$srcMetadata | SimpleSAML_Configuration | The metadata of the sender. |
$dstMetadata | SimpleSAML_Configuration | The metadata of the recipient. |
$element | SAML2\SignedElement | The element we should add the data to. |
/** * @param SAML2_Response $response * @param SimpleSAML_Configuration $idpConfig */ private function addSigns(SAML2_Response $response, SimpleSAML_Configuration $idpConfig) { $assertions = $response->getAssertions(); $className = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getMessageUtilClassName(); // Special case the 'normal' message verification class name so we have IDE support. if ($className === 'sspmod_saml_Message') { sspmod_saml_Message::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]); return; } $className::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]); }
/** * Receive a SAML 2 message sent using the HTTP-Artifact binding. * * Throws an exception if it is unable receive the message. * * @return SAML2_Message The received message. */ public function receive() { if (array_key_exists('SAMLart', $_REQUEST)) { $artifact = base64_decode($_REQUEST['SAMLart']); $endpointIndex = bin2hex(substr($artifact, 2, 2)); $sourceId = bin2hex(substr($artifact, 4, 20)); } else { throw new Execption('Missing SAMLArt parameter.'); } $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpmetadata = $metadataHandler->getMetaDataConfigForSha1($sourceId, 'saml20-idp-remote'); $endpoint = NULL; foreach ($idpmetadata->getEndpoints('ArtifactResolutionService') as $ep) { if ($ep['index'] === hexdec($endpointIndex)) { $endpoint = $ep; break; } } if ($endpoint === NULL) { throw new Exception('No ArtifactResolutionService with the correct index.'); } SimpleSAML_Logger::debug("ArtifactResolutionService endpoint being used is := " . $endpoint['Location']); //Construct the ArtifactResolve Request $ar = new SAML2_ArtifactResolve(); /* Set the request attributes */ $ar->setIssuer($this->spMetadata->getString('entityid')); $ar->setArtifact($_REQUEST['SAMLart']); $ar->setDestination($endpoint['Location']); /* Sign the request */ sspmod_saml_Message::addSign($this->spMetadata, $idpmetadata, $ar); // Shoaib - moved from the SOAPClient. $soap = new SAML2_SOAPClient(); // Send message through SoapClient $artifactResponse = $soap->send($ar, $this->spMetadata); if (!$artifactResponse->isSuccess()) { throw new Exception('Received error from ArtifactResolutionService.'); } $xml = $artifactResponse->getAny(); if ($xml === NULL) { /* Empty ArtifactResponse - possibly because of Artifact replay? */ return NULL; } $samlresponse = SAML2_Message::fromXML($xml); $samlresponse->addValidator(array(get_class($this), 'validateSignature'), $artifactResponse); if (isset($_REQUEST['RelayState'])) { $samlresponse->setRelayState($_REQUEST['RelayState']); } return $samlresponse; }
/** * Build a authentication response based on information in the metadata. * * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. * @param SimpleSAML_Configuration $spMetadata The metadata of the SP. * @param string $consumerURL The Destination URL of the response. */ private static function buildResponse(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, $consumerURL) { $signResponse = $spMetadata->getBoolean('saml20.sign.response', NULL); if ($signResponse === NULL) { $signResponse = $idpMetadata->getBoolean('saml20.sign.response', TRUE); } $r = new SAML2_Response(); $r->setIssuer($idpMetadata->getString('entityid')); $r->setDestination($consumerURL); if ($signResponse) { sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $r); } return $r; }
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-hosted'); if (!$idpMetadata->getBoolean('saml20.sendartifact', FALSE)) { throw new SimpleSAML_Error_Error('NOACCESS'); } $store = SimpleSAML_Store::getInstance(); if ($store === FALSE) { throw new Exception('Unable to send artifact without a datastore configured.'); } $binding = new SAML2_SOAP(); $request = $binding->receive(); if (!$request instanceof SAML2_ArtifactResolve) { throw new Exception('Message received on ArtifactResolutionService wasn\'t a ArtifactResolve request.'); } $issuer = $request->getIssuer(); $spMetadata = $metadata->getMetadataConfig($issuer, 'saml20-sp-remote'); $artifact = $request->getArtifact(); $responseData = $store->get('artifact', $artifact); $store->delete('artifact', $artifact); if ($responseData !== NULL) { $document = new DOMDocument(); $document->loadXML($responseData); $responseXML = $document->firstChild; } else { $responseXML = NULL; } $artifactResponse = new SAML2_ArtifactResponse(); $artifactResponse->setIssuer($idpEntityId); $artifactResponse->setInResponseTo($request->getId()); $artifactResponse->setAny($responseXML); sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $artifactResponse); $binding->send($artifactResponse);
} /* Filter which attribute values we should return. */ $returnAttributes[$name] = array_intersect($values, $attributes[$name]); } } /* $returnAttributes contains the attributes we should return. Send them. */ $assertion = new SAML2_Assertion(); $assertion->setIssuer($idpEntityId); $assertion->setNameId($query->getNameId()); $assertion->setNotBefore(time()); $assertion->setNotOnOrAfter(time() + 5 * 60); $assertion->setValidAudiences(array($spEntityId)); $assertion->setAttributes($returnAttributes); $assertion->setAttributeNameFormat($attributeNameFormat); $sc = new SAML2_XML_saml_SubjectConfirmation(); $sc->Method = SAML2_Const::CM_BEARER; $sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData(); $sc->SubjectConfirmationData->NotOnOrAfter = time() + 5 * 60; $sc->SubjectConfirmationData->Recipient = $endpoint; $sc->SubjectConfirmationData->InResponseTo = $query->getId(); $assertion->setSubjectConfirmation(array($sc)); sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $assertion); $response = new SAML2_Response(); $response->setRelayState($query->getRelayState()); $response->setDestination($endpoint); $response->setIssuer($idpEntityId); $response->setInResponseTo($query->getId()); $response->setAssertions(array($assertion)); sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $response); $binding = new SAML2_HTTPPost(); $binding->send($response);
private function buildResponse($returnAttributes) { /* SubjectConfirmation */ $sc = new SAML2_XML_saml_SubjectConfirmation(); $sc->Method = SAML2_Const::CM_BEARER; $sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData(); $sc->SubjectConfirmationData->NotBefore = time(); $sc->SubjectConfirmationData->NotOnOrAfter = time() + $this->config->getInteger('validFor'); $sc->SubjectConfirmationData->InResponseTo = $this->query->getId(); $assertion = new SAML2_Assertion(); $assertion->setSubjectConfirmation(array($sc)); $assertion->setIssuer($this->aaEntityId); $assertion->setNameId($this->query->getNameId()); $assertion->setNotBefore(time()); $assertion->setNotOnOrAfter(time() + $this->config->getInteger('validFor')); $assertion->setValidAudiences(array($this->spEntityId)); $assertion->setAttributes($returnAttributes); $assertion->setAttributeNameFormat($this->attributeNameFormat); if ($this->signAssertion) { sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $assertion); } /* The Response */ $response = new SAML2_Response(); $response->setRelayState($this->query->getRelayState()); $response->setIssuer($this->aaEntityId); $response->setInResponseTo($this->query->getId()); $response->setAssertions(array($assertion)); if ($this->signResponse) { sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $response); } return $response; }
/** * build and send AttributeQuery */ function sendQuery($dataId, $url, $nameId, $attributes, $attributeNameFormat, $src, $dst) { assert('is_string($dataId)'); assert('is_string($url)'); assert('is_array($nameId)'); assert('is_array($attributes)'); SimpleSAML_Logger::debug('[attributeaggregator] - sending request'); $query = new SAML2_AttributeQuery(); $query->setRelayState($dataId); $query->setDestination($url); $query->setIssuer($src->getValue('entityid')); $query->setNameId($nameId); $query->setAttributeNameFormat($attributeNameFormat); if (!empty($attributes)) { $query->setAttributes($attributes); } sspmod_saml_Message::addSign($src, $dst, $query); if (!$query->getSignatureKey()) { throw new SimpleSAML_Error_Exception('[attributeaggregator] - Unable to find private key for signing attribute request.'); } SimpleSAML_Logger::debug('[attributeaggregator] - sending attribute query: ' . var_export($query, 1)); $binding = new SAML2_SOAPClient(); $result = $binding->send($query, $src); return $result; }