public function testMarshalling()
{
$indexedEndpointType = new IndexedEndpointType();
$indexedEndpointType->Binding = 'TestBinding';
$indexedEndpointType->Location = 'TestLocation';
$indexedEndpointType->index = 42;
$indexedEndpointType->isDefault = false;
$document = DOMDocumentFactory::fromString('<root />');
$indexedEndpointTypeElement = $indexedEndpointType->toXML($document->firstChild, 'md:Test');
$indexedEndpointElements = Utils::xpQuery($indexedEndpointTypeElement, '/root/saml_metadata:Test');
$this->assertCount(1, $indexedEndpointElements);
$indexedEndpointElement = $indexedEndpointElements[0];
$this->assertEquals('TestBinding', $indexedEndpointElement->getAttribute('Binding'));
$this->assertEquals('TestLocation', $indexedEndpointElement->getAttribute('Location'));
$this->assertEquals('42', $indexedEndpointElement->getAttribute('index'));
$this->assertEquals('false', $indexedEndpointElement->getAttribute('isDefault'));
$indexedEndpointType->isDefault = true;
$document->loadXML('<root />');
$indexedEndpointTypeElement = $indexedEndpointType->toXML($document->firstChild, 'md:Test');
$indexedEndpointTypeElement = Utils::xpQuery($indexedEndpointTypeElement, '/root/saml_metadata:Test');
$this->assertCount(1, $indexedEndpointTypeElement);
$this->assertEquals('true', $indexedEndpointTypeElement[0]->getAttribute('isDefault'));
$indexedEndpointType->isDefault = null;
$document->loadXML('<root />');
$indexedEndpointTypeElement = $indexedEndpointType->toXML($document->firstChild, 'md:Test');
$indexedEndpointTypeElement = Utils::xpQuery($indexedEndpointTypeElement, '/root/saml_metadata:Test');
$this->assertCount(1, $indexedEndpointTypeElement);
$this->assertTrue(!$indexedEndpointTypeElement[0]->hasAttribute('isDefault'));
}
/**
* Verifies that we can create an AttributeValue from a DOMElement.
*/
public function testCreateAttributeFromDOMElement()
{
$attribute = new Attribute();
$attribute->Name = 'TheName';
$attribute->NameFormat = 'TheNameFormat';
$attribute->FriendlyName = 'TheFriendlyName';
$element = new \DOMDocument();
$element->loadXML(<<<ATTRIBUTEVALUE
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:surftest.nl:example</NameID>
ATTRIBUTEVALUE
);
$attribute->AttributeValue = array(new AttributeValue($element->documentElement));
$document = DOMDocumentFactory::fromString('<root />');
$returnedStructure = $attribute->toXML($document->firstChild);
$expectedStructureDocument = new \DOMDocument();
$expectedStructureDocument->loadXML(<<<ATTRIBUTEXML
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
Name="TheName" NameFormat="TheNameFormat" FriendlyName="TheFriendlyName">
<saml:AttributeValue>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">urn:collab:person:surftest.nl:example</NameID>
</saml:AttributeValue>
</saml:Attribute>
ATTRIBUTEXML
);
$expectedStructure = $expectedStructureDocument->documentElement;
$this->assertEqualXMLStructure($expectedStructure, $returnedStructure);
$this->assertEquals("urn:collab:person:surftest.nl:example", $attribute->AttributeValue[0]->getString());
}
/**
* Prepare a basic DOMelement to test against
*/
public function setUp()
{
$document = DOMDocumentFactory::fromString(<<<XML
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="s2a0da3504aff978b0f8c80f6a62c713c4a2f64c5b"
InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984"
Version="2.0"
IssueInstant="2007-12-10T11:39:48Z"
Destination="http://moodle.bridge.feide.no/simplesaml/saml2/sp/AssertionConsumerService.php">
<saml:Issuer>max.feide.no</saml:Issuer>
<samlp:Extensions>
<myns:AttributeList xmlns:myns="urn:mynamespace">
<myns:Attribute name="UserName" value=""/>
</myns:AttributeList>
<ExampleElement name="AnotherExtension" />
</samlp:Extensions>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
</samlp:Response>
XML
);
$this->testElement = $document->documentElement;
}
public function testUnmarshalling()
{
$mdNamespace = Constants::NS_MD;
$document = DOMDocumentFactory::fromString(<<<XML
<md:Test xmlns:md="{$mdNamespace}" Binding="urn:something" Location="https://whatever/" xmlns:test="urn:test" test:attr="value" />
XML
);
$endpointType = new EndpointType($document->firstChild);
$this->assertEquals(true, $endpointType->hasAttributeNS('urn:test', 'attr'));
$this->assertEquals('value', $endpointType->getAttributeNS('urn:test', 'attr'));
$this->assertEquals(false, $endpointType->hasAttributeNS('urn:test', 'invalid'));
$this->assertEquals('', $endpointType->getAttributeNS('urn:test', 'invalid'));
$endpointType->removeAttributeNS('urn:test', 'attr');
$this->assertEquals(false, $endpointType->hasAttributeNS('urn:test', 'attr'));
$this->assertEquals('', $endpointType->getAttributeNS('urn:test', 'attr'));
$endpointType->setAttributeNS('urn:test2', 'test2:attr2', 'value2');
$this->assertEquals('value2', $endpointType->getAttributeNS('urn:test2', 'attr2'));
$document->loadXML('<root />');
$endpointTypeElement = $endpointType->toXML($document->firstChild, 'md:Test');
$endpointTypeElements = Utils::xpQuery($endpointTypeElement, '/root/saml_metadata:Test');
$this->assertCount(1, $endpointTypeElements);
$endpointTypeElement = $endpointTypeElements[0];
$this->assertEquals('value2', $endpointTypeElement->getAttributeNS('urn:test2', 'attr2'));
$this->assertEquals(false, $endpointTypeElement->hasAttributeNS('urn:test', 'attr'));
}
/**
* Test unmarshalling / marshalling of XML with Extensions element
*/
public function testExtensionOrdering()
{
$xml = <<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_306f8ec5b618f361c70b6ffb1480eade"
Version="2.0"
IssueInstant="2004-12-05T09:21:59Z"
Destination="https://idp.example.org/SAML2/SSO/Artifact"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
AssertionConsumerServiceURL="https://sp.example.com/SAML2/SSO/Artifact">
<saml:Issuer>https://sp.example.com/SAML2</saml:Issuer>
<samlp:Extensions>
<myns:AttributeList xmlns:myns="urn:mynamespace">
<myns:Attribute name="UserName" value=""/>
</myns:AttributeList>
</samlp:Extensions>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.org</saml:NameID>
</saml:Subject>
<samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</samlp:AuthnRequest>
AUTHNREQUEST;
$document = DOMDocumentFactory::fromString($xml);
$authnRequest = new AuthnRequest($document->documentElement);
$this->assertXmlStringEqualsXmlString($document->C14N(), $authnRequest->toUnsignedXML()->C14N());
}
/**
* Extract the response element from the SOAP response.
*
* @param string $soapResponse The SOAP response.
* @return string The <saml1p:Response> element, as a string.
*/
private static function extractResponse($soapResponse)
{
assert('is_string($soapResponse)');
try {
$doc = \SAML2\DOMDocumentFactory::fromString($soapResponse);
} catch (\Exception $e) {
throw new SimpleSAML_Error_Exception('Error parsing SAML 1 artifact response.');
}
$soapEnvelope = $doc->firstChild;
if (!SimpleSAML\Utils\XML::isDOMElementOfType($soapEnvelope, 'Envelope', 'http://schemas.xmlsoap.org/soap/envelope/')) {
throw new SimpleSAML_Error_Exception('Expected artifact response to contain a <soap:Envelope> element.');
}
$soapBody = SimpleSAML\Utils\XML::getDOMChildren($soapEnvelope, 'Body', 'http://schemas.xmlsoap.org/soap/envelope/');
if (count($soapBody) === 0) {
throw new SimpleSAML_Error_Exception('Couldn\'t find <soap:Body> in <soap:Envelope>.');
}
$soapBody = $soapBody[0];
$responseElement = SimpleSAML\Utils\XML::getDOMChildren($soapBody, 'Response', 'urn:oasis:names:tc:SAML:1.0:protocol');
if (count($responseElement) === 0) {
throw new SimpleSAML_Error_Exception('Couldn\'t find <saml1p:Response> in <soap:Body>.');
}
$responseElement = $responseElement[0];
/*
* Save the <saml1p:Response> element. Note that we need to import it
* into a new document, in order to preserve namespace declarations.
*/
$newDoc = \SAML2\DOMDocumentFactory::create();
$newDoc->appendChild($newDoc->importNode($responseElement, TRUE));
$responseXML = $newDoc->saveXML();
return $responseXML;
}
/**
* Un-serialize this XML chunk.
*
* @param string $serialized The serialized chunk.
* @return \SAML2\XML\Chunk The chunk object represented by the serialized string.
*/
public function unserialize($serialized)
{
$doc = DOMDocumentFactory::fromString(unserialize($serialized));
$this->xml = $doc->documentElement;
$this->localName = $this->xml->localName;
$this->namespaceURI = $this->xml->namespaceURI;
}
/**
* Convert this NameID to XML.
*
* @param \DOMElement|null $parent The element we should append to.
* @return \DOMElement This AdditionalMetadataLocation-element.
*/
public function toXML(\DOMElement $parent = null)
{
assert('is_string($this->NameQualifier) || is_null($this->NameQualifier)');
assert('is_string($this->SPNameQualifier) || is_null($this->SPNameQualifier)');
assert('is_string($this->Format) || is_null($this->Format)');
assert('is_string($this->SPProvidedID) || is_null($this->SPProvidedID)');
assert('is_string($this->value)');
if ($parent === null) {
$parent = DOMDocumentFactory::create();
$doc = $parent;
} else {
$doc = $parent->ownerDocument;
}
$e = $doc->createElementNS(Constants::NS_SAML, 'saml:NameID');
$parent->appendChild($e);
if ($this->NameQualifier !== null) {
$e->setAttribute('NameQualifier', $this->NameQualifier);
}
if ($this->SPNameQualifier !== null) {
$e->setAttribute('SPNameQualifier', $this->SPNameQualifier);
}
if ($this->Format !== null) {
$e->setAttribute('Format', $this->Format);
}
if ($this->SPProvidedID !== null) {
$e->setAttribute('SPProvidedID', $this->SPProvidedID);
}
$t = $doc->createTextNode($this->value);
$e->appendChild($t);
return $e;
}
/**
* Test serialization and unserialization
*/
public function testChunkSerializationLoop()
{
$ser = $this->chunk->serialize();
$document = DOMDocumentFactory::fromString('<root />');
$newchunk = new Chunk($document->firstChild);
$newchunk->unserialize($ser);
$this->assertEqualXMLStructure($this->chunk->getXML(), $newchunk->getXML());
}
public function testEmptyRegistrationAuthorityOutboundThrowsException()
{
$registrationInfo = new RegistrationInfo();
$registrationInfo->registrationAuthority = '';
$document = DOMDocumentFactory::fromString('<root />');
$this->setExpectedException('Exception', 'Missing required registration authority.');
$xml = $registrationInfo->toXML($document->firstChild);
}
public function setXML($xml)
{
assert('is_string($xml)');
try {
$this->dom = \SAML2\DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
} catch (\Exception $e) {
throw new Exception('Unable to parse AuthnResponse XML.');
}
}
/**
* Unmarshalling fails if height attribute not present
*/
public function testUnmarshallingFailsMissingHeight()
{
$document = DOMDocumentFactory::fromString(<<<XML
<mdui:Logo width="300" xml:lang="nl">https://static.example.org/images/logos/logo300x200.png</mdui:Logo>
XML
);
$this->setExpectedException('Exception', 'Missing height of Logo');
$logo = new Logo($document->firstChild);
}
/**
* Unmarshalling fails if attribute is empty
*/
public function testUnmarshallingFailsMissingKeywords()
{
$document = DOMDocumentFactory::fromString(<<<XML
<mdui:Keywords xml:lang="nl"></mdui:Keywords>
XML
);
$this->setExpectedException('Exception', 'Missing value for Keywords');
$keywords = new Keywords($document->firstChild);
}
public function testUnmarshalling()
{
$document = DOMDocumentFactory::fromString('<md:AdditionalMetadataLocation xmlns:md="' . Constants::NS_MD . '"' . ' namespace="TheNamespaceAttribute">LocationText</md:AdditionalMetadataLocation>');
$additionalMetadataLocation = new AdditionalMetadataLocation($document->firstChild);
$this->assertEquals('TheNamespaceAttribute', $additionalMetadataLocation->namespace);
$this->assertEquals('LocationText', $additionalMetadataLocation->location);
$document->loadXML('<md:AdditionalMetadataLocation xmlns:md="' . Constants::NS_MD . '"' . '>LocationText</md:AdditionalMetadataLocation>');
$this->setExpectedException('Exception', 'Missing namespace attribute on AdditionalMetadataLocation element.');
new AdditionalMetadataLocation($document->firstChild);
}
public function testMissingPublisherThrowsException()
{
$document = DOMDocumentFactory::fromString(<<<XML
<mdrpi:PublicationInfo xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
creationInstant="2011-01-01T00:00:00Z"
publicationId="SomePublicationId">
</mdrpi:PublicationInfo>
XML
);
$this->setExpectedException('Exception', 'Missing required attribute "publisher"');
$publicationInfo = new PublicationInfo($document->firstChild);
}
function __construct($metaxml)
{
$template = '';
if (strpos("\n", $metaxml) === FALSE) {
foreach (explode("\n", self::template) as $line) {
$template .= trim($line);
}
} else {
$template = self::template;
}
$sigdoc = \SAML2\DOMDocumentFactory::fromString($template);
$this->sigNode = $sigdoc->documentElement;
}
public function testUnmarshallingFailure()
{
$samlNamespace = Constants::NS_SAML;
$document = DOMDocumentFactory::fromString(<<<XML
<saml:Attribute xmlns:saml="{$samlNamespace}" NameFormat="TheNameFormat" FriendlyName="TheFriendlyName">
<saml:AttributeValue>FirstValue</saml:AttributeValue>
<saml:AttributeValue>SecondValue</saml:AttributeValue>
</saml:Attribute>
XML
);
$this->setExpectedException('Exception', 'Missing Name on Attribute.');
new Attribute($document->firstChild);
}
public function testUnmarshallingWithoutOwner()
{
$mdNamespace = Constants::NS_MD;
$document = DOMDocumentFactory::fromString(<<<XML
<md:AffiliationDescriptor xmlns:md="{$mdNamespace}" ID="TheID" validUntil="2009-02-13T23:31:30Z" cacheDuration="PT5000S">
<md:AffiliateMember>Member</md:AffiliateMember>
<md:AffiliateMember>OtherMember</md:AffiliateMember>
</md:AffiliationDescriptor>
XML
);
$this->setExpectedException('Exception', 'Missing affiliationOwnerID on AffiliationDescriptor.');
new AffiliationDescriptor($document->firstChild);
}
public function testManySubjectConfirmationDataThrowsException()
{
$samlNamespace = Constants::NS_SAML;
$document = DOMDocumentFactory::fromString(<<<XML
<saml:SubjectConfirmation xmlns:saml="{$samlNamespace}" Method="SomeMethod">
<saml:NameID>SomeNameIDValue</saml:NameID>
<saml:SubjectConfirmationData Recipient="Me" />
<saml:SubjectConfirmationData Recipient="Someone Else" />
</saml:SubjectConfirmation>
XML
);
$this->setExpectedException('Exception', 'More than one SubjectConfirmationData child in a SubjectConfirmation element');
$subjectConfirmation = new SubjectConfirmation($document->firstChild);
}
public function testUnmarshalling()
{
$samlNamespace = Constants::NS_SAML;
$document = DOMDocumentFactory::fromString(<<<XML
<saml:NameID xmlns:saml="{$samlNamespace}" NameQualifier="TheNameQualifier" SPNameQualifier="TheSPNameQualifier" Format="TheFormat" SPProvidedID="TheSPProvidedID">TheNameIDValue</saml:NameID>
XML
);
$nameId = new NameID($document->firstChild);
$this->assertEquals('TheNameQualifier', $nameId->NameQualifier);
$this->assertEquals('TheSPNameQualifier', $nameId->SPNameQualifier);
$this->assertEquals('TheFormat', $nameId->Format);
$this->assertEquals('TheSPProvidedID', $nameId->SPProvidedID);
$this->assertEquals('TheNameIDValue', $nameId->value);
}
/**
* @test
* @group signature
*/
public function signed_message_with_valid_signature_is_validated_correctly()
{
$pattern = Certificate::CERTIFICATE_PATTERN;
preg_match($pattern, CertificatesMock::PUBLIC_KEY_PEM, $matches);
$config = new IdentityProvider(array('certificateData' => $matches[1]));
$validator = new PublicKeyValidator(new SimpleTestLogger(), new KeyLoader());
$doc = DOMDocumentFactory::fromFile(__DIR__ . '/response.xml');
$response = new Response($doc->firstChild);
$response->setSignatureKey(CertificatesMock::getPrivateKey());
$response->setCertificates(array(CertificatesMock::PUBLIC_KEY_PEM));
// convert to signed response
$response = new Response($response->toSignedXML());
$this->assertTrue($validator->canValidate($response, $config), 'Cannot validate the element');
$this->assertTrue($validator->hasValidSignature($response, $config), 'The signature is not valid');
}
public function testUnmarshalling()
{
$samlNamespace = Constants::NS_SAML;
$document = DOMDocumentFactory::fromString(<<<XML
<saml:SubjectConfirmation xmlns:saml="{$samlNamespace}" Method="SomeMethod">
<saml:NameID>SomeNameIDValue</saml:NameID>
<saml:SubjectConfirmationData/>
</saml:SubjectConfirmation>
XML
);
$subjectConfirmation = new SubjectConfirmation($document->firstChild);
$this->assertEquals('SomeMethod', $subjectConfirmation->Method);
$this->assertTrue($subjectConfirmation->NameID instanceof NameID);
$this->assertEquals('SomeNameIDValue', $subjectConfirmation->NameID->value);
$this->assertTrue($subjectConfirmation->SubjectConfirmationData instanceof SubjectConfirmationData);
}
/**
* Store a NameID to attribute.
*
* @param array &$state The request state.
*/
public function process(&$state)
{
assert('is_array($state)');
if (!isset($state['saml:NameID'][\SAML2\Constants::NAMEID_PERSISTENT])) {
SimpleSAML\Logger::warning('Unable to generate eduPersonTargetedID because no persistent NameID was available.');
return;
}
$nameID = $state['saml:NameID'][\SAML2\Constants::NAMEID_PERSISTENT];
if ($this->nameId) {
$doc = \SAML2\DOMDocumentFactory::create();
$root = $doc->createElement('root');
$doc->appendChild($root);
\SAML2\Utils::addNameId($root, $nameID);
$value = $doc->saveXML($root->firstChild);
} else {
$value = $nameID['Value'];
}
$state['Attributes'][$this->attribute] = array($value);
}
/**
* @test
* @group signature
*/
public function signed_message_with_valid_signature_is_validated_correctly()
{
$pattern = Certificate::CERTIFICATE_PATTERN;
preg_match($pattern, CertificatesMock::PUBLIC_KEY_PEM, $matches);
$certdata = X509::createFromCertificateData($matches[1]);
$fingerprint = $certdata->getFingerprint();
$fingerprint_retry = $certdata->getFingerprint();
$this->assertTrue($fingerprint->equals($fingerprint_retry), 'Cached fingerprint does not match original');
$config = new IdentityProvider(array('certificateFingerprints' => array($fingerprint->getRaw())));
$validator = new FingerprintValidator(new SimpleTestLogger(), new FingerprintLoader());
$doc = DOMDocumentFactory::fromFile(__DIR__ . '/response.xml');
$response = new Response($doc->firstChild);
$response->setSignatureKey(CertificatesMock::getPrivateKey());
$response->setCertificates(array(CertificatesMock::PUBLIC_KEY_PEM));
// convert to signed response
$response = new Response($response->toSignedXML());
$this->assertTrue($validator->canValidate($response, $config), 'Cannot validate the element');
$this->assertTrue($validator->hasValidSignature($response, $config), 'The signature is not valid');
}
public function testUnmarshalling()
{
$document = DOMDocumentFactory::fromString(<<<XML
<mdrpi:PublicationInfo xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
publisher="SomePublisher"
creationInstant="2011-01-01T00:00:00Z"
publicationId="SomePublicationId">
<mdrpi:UsagePolicy xml:lang="en">http://TheEnglishUsagePolicy</mdrpi:UsagePolicy>
<mdrpi:UsagePolicy xml:lang="no">http://TheNorwegianUsagePolicy</mdrpi:UsagePolicy>
</mdrpi:PublicationInfo>
XML
);
$publicationInfo = new PublicationInfo($document->firstChild);
$this->assertEquals('SomePublisher', $publicationInfo->publisher);
$this->assertEquals(1293840000, $publicationInfo->creationInstant);
$this->assertEquals('SomePublicationId', $publicationInfo->publicationId);
$this->assertCount(2, $publicationInfo->UsagePolicy);
$this->assertEquals('http://TheEnglishUsagePolicy', $publicationInfo->UsagePolicy["en"]);
$this->assertEquals('http://TheNorwegianUsagePolicy', $publicationInfo->UsagePolicy["no"]);
}
public function testMarshalling()
{
$roleDescriptor = new RoleDescriptorMock();
$roleDescriptor->ID = 'SomeID';
$roleDescriptor->validUntil = 1234567890;
$roleDescriptor->cacheDuration = 'PT5000S';
$roleDescriptor->protocolSupportEnumeration = array('protocol1', 'protocol2');
$roleDescriptor->errorURL = 'https://example.org/error';
$document = DOMDocumentFactory::fromString('<root />');
$roleDescriptorElement = $roleDescriptor->toXML($document->firstChild);
$roleDescriptorElement = Utils::xpQuery($roleDescriptorElement, '/root/md:RoleDescriptor');
$this->assertCount(1, $roleDescriptorElement);
$roleDescriptorElement = $roleDescriptorElement[0];
$this->assertEquals('SomeID', $roleDescriptorElement->getAttribute("ID"));
$this->assertEquals('2009-02-13T23:31:30Z', $roleDescriptorElement->getAttribute("validUntil"));
$this->assertEquals('PT5000S', $roleDescriptorElement->getAttribute("cacheDuration"));
$this->assertEquals('protocol1 protocol2', $roleDescriptorElement->getAttribute("protocolSupportEnumeration"));
$this->assertEquals('myns:MyElement', $roleDescriptorElement->getAttributeNS(Constants::NS_XSI, "type"));
$this->assertEquals('http://example.org/mynsdefinition', $roleDescriptorElement->lookupNamespaceURI("myns"));
}
/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
* @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
* @param string|null $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
{
\SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');
$privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
$publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);
$responsedom = \SAML2\DOMDocumentFactory::fromString(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
* Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
* 'saml20.signresponse' in the global configuration.
*
* TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
*/
if ($spmd->hasValue('signresponse')) {
$signResponse = $spmd->getBoolean('signresponse');
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
}
// check if we have an assertion to sign. Force to sign the response if not
if ($firstassertionroot === null) {
$signResponse = true;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if ($idpmd->hasValue('certificatechain')) {
$signer->addCertificate($idpmd->getString('certificatechain'));
}
if ($signResponse) {
// sign the response - this must be done after encrypting the assertion
// we insert the signature before the saml2p:Status element
$statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
// Sign the assertion
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
\SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');
\SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
/**
* Convert this Issuer to XML.
*
* @param \DOMElement|null $parent The element we should append to.
*
* @return \DOMElement The current Issuer object converted into a \DOMElement.
*/
public function toXML(\DOMElement $parent = null)
{
if ($this->Format !== Constants::NAMEID_ENTITY) {
return parent::toXML($parent);
}
/*
* From saml-core-2.0-os 8.3.6, when the entity Format is used: "The NameQualifier, SPNameQualifier, and
* SPProvidedID attributes MUST be omitted."
*/
if ($parent === null) {
$parent = DOMDocumentFactory::create();
$doc = $parent;
} else {
$doc = $parent->ownerDocument;
}
$element = $doc->createElementNS(Constants::NS_SAML, 'saml:Issuer');
$parent->appendChild($element);
$value = $element->ownerDocument->createTextNode($this->value);
$element->appendChild($value);
return $element;
}
public function testUnmarshalling()
{
$samlNamespace = Constants::NS_SAML;
$document = DOMDocumentFactory::fromString(<<<XML
<saml:SubjectConfirmationData
xmlns:saml="{$samlNamespace}"
NotBefore="2001-04-19T04:25:21Z"
NotOnOrAfter="2009-02-13T23:31:30Z"
Recipient="https://sp.example.org/asdf"
InResponseTo="SomeRequestID"
Address="127.0.0.1"
/>
XML
);
$subjectConfirmationData = new SubjectConfirmationData($document->firstChild);
$this->assertEquals(987654321, $subjectConfirmationData->NotBefore);
$this->assertEquals(1234567890, $subjectConfirmationData->NotOnOrAfter);
$this->assertEquals('https://sp.example.org/asdf', $subjectConfirmationData->Recipient);
$this->assertEquals('SomeRequestID', $subjectConfirmationData->InResponseTo);
$this->assertEquals('127.0.0.1', $subjectConfirmationData->Address);
}
public function testUnmarshallingAttributes()
{
$document = DOMDocumentFactory::fromString(<<<XML
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="urn:simplesamlphp:v1:simplesamlphp" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">is</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">really</saml:AttributeValue>
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">cool</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="foo" NameFormat="urn:simplesamlphp:v1">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">bar</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
XML
);
$entityAttributes = new EntityAttributes($document->firstChild);
$this->assertCount(2, $entityAttributes->children);
$this->assertEquals('urn:simplesamlphp:v1:simplesamlphp', $entityAttributes->children[0]->Name);
$this->assertEquals('urn:oasis:names:tc:SAML:2.0:attrname-format:uri', $entityAttributes->children[0]->NameFormat);
$this->assertCount(3, $entityAttributes->children[0]->AttributeValue);
$this->assertEquals('foo', $entityAttributes->children[1]->Name);
$this->assertEquals('urn:simplesamlphp:v1', $entityAttributes->children[1]->NameFormat);
$this->assertCount(1, $entityAttributes->children[1]->AttributeValue);
}
