public static function createFromRequest(EngineBlock_Saml2_AuthnRequestAnnotationDecorator $originalRequest, IdentityProvider $idpMetadata, EngineBlock_Corto_ProxyServer $server)
{
$nameIdPolicy = array('AllowCreate' => 'true');
/**
* Name policy is not required, so it is only set if configured, SAML 2.0 spec
* says only following values are allowed:
* - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
* - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
*
* Note: Some IDP's like those using ADFS2 do not understand those, for these cases the format can be 'configured as empty
* or set to an older version.
*/
if (!empty($idpMetadata->nameIdFormat)) {
$nameIdPolicy['Format'] = $idpMetadata->nameIdFormat;
}
/** @var SAML2_AuthnRequest $originalRequest */
$sspRequest = new SAML2_AuthnRequest();
$sspRequest->setId($server->getNewId(\OpenConext\Component\EngineBlockFixtures\IdFrame::ID_USAGE_SAML2_REQUEST));
$sspRequest->setIssueInstant(time());
$sspRequest->setDestination($idpMetadata->singleSignOnServices[0]->location);
$sspRequest->setForceAuthn($originalRequest->getForceAuthn());
$sspRequest->setIsPassive($originalRequest->getIsPassive());
$sspRequest->setAssertionConsumerServiceURL($server->getUrl('assertionConsumerService'));
$sspRequest->setProtocolBinding(SAML2_Const::BINDING_HTTP_POST);
$sspRequest->setIssuer($server->getUrl('spMetadataService'));
$sspRequest->setNameIdPolicy($nameIdPolicy);
if (empty($idpMetadata->disableScoping)) {
// Copy over the Idps that are allowed to answer this request.
$sspRequest->setIDPList($originalRequest->getIDPList());
// Proxy Count
$sspRequest->setProxyCount($originalRequest->getProxyCount() ? $originalRequest->getProxyCount() : $server->getConfig('max_proxies', 10));
// Add the SP to the requesterIds
$requesterIds = $originalRequest->getRequesterID();
$requesterIds[] = $originalRequest->getIssuer();
// Add the SP as the requester
$sspRequest->setRequesterID($requesterIds);
}
// Use the default binding even if more exist
$request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($sspRequest);
$request->setDeliverByBinding($idpMetadata->singleSignOnServices[0]->binding);
return $request;
}
public function serve($serviceName)
{
$response = $this->_server->getBindingsModule()->receiveResponse();
$_SESSION['consent'][$response->getId()]['response'] = $response;
$request = $this->_server->getReceivedRequestFromResponse($response);
$serviceProvider = $this->_server->getRepository()->fetchServiceProviderByEntityId($request->getIssuer());
$spMetadataChain = EngineBlock_SamlHelper::getSpRequesterChain($serviceProvider, $request, $this->_server->getRepository());
$identityProviderEntityId = $response->getOriginalIssuer();
$identityProvider = $this->_server->getRepository()->fetchIdentityProviderByEntityId($identityProviderEntityId);
// Flush log if SP or IdP has additional logging enabled
$requireAdditionalLogging = EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging(array_merge($spMetadataChain, array($identityProvider)));
if ($requireAdditionalLogging) {
$application = EngineBlock_ApplicationSingleton::getInstance();
$application->flushLog('Activated additional logging for one or more SPs in the SP requester chain, or the IdP');
$log = $application->getLogInstance();
$log->info('Raw HTTP request', array('http_request' => (string) $application->getHttpRequest()));
}
if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
$response->setConsent(SAML2_Const::CONSENT_INAPPLICABLE);
$response->setDestination($response->getReturn());
$response->setDeliverByBinding('INTERNAL');
$this->_server->getBindingsModule()->send($response, $serviceProvider);
return;
}
$consentDestinationEntityMetadata = $spMetadataChain[0];
$attributes = $response->getAssertion()->getAttributes();
$consent = $this->_consentFactory->create($this->_server, $response, $attributes);
$priorConsent = $consent->hasStoredConsent($consentDestinationEntityMetadata);
if ($priorConsent) {
$response->setConsent(SAML2_Const::CONSENT_PRIOR);
$response->setDestination($response->getReturn());
$response->setDeliverByBinding('INTERNAL');
$this->_server->getBindingsModule()->send($response, $serviceProvider);
return;
}
$html = $this->_server->renderTemplate('consent', array('action' => $this->_server->getUrl('processConsentService'), 'ID' => $response->getId(), 'attributes' => $attributes, 'sp' => $consentDestinationEntityMetadata, 'idp' => $identityProvider));
$this->_server->sendOutput($html);
}
/**
* @return SimpleSAML_Configuration
*/
protected function getSspOwnMetadata()
{
$keyPair = $this->_server->getSigningCertificates();
$spMetadata = SimpleSAML_Configuration::loadFromArray(array('entityid' => $this->_server->getUrl('spMetadataService'), 'SingleSignOnService' => array(array('Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Location' => $this->_server->getUrl('spMetadataService'))), 'keys' => array(array('signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => $keyPair->getCertificate()->toCertData()), array('signing' => true, 'type' => 'X509Certificate', 'X509Certificate' => $keyPair->getCertificate()->toCertData())), 'privatekey' => $keyPair->getPrivateKey() ? $keyPair->getPrivateKey()->filePath() : ''));
return $spMetadata;
}
/**
* @param MetadataRepositoryInterface $metadataRepository
* @param EngineBlock_X509_KeyPair $keyPair
* @param EngineBlock_Corto_ProxyServer $proxyServer
* @return ServiceProvider
* @throws EngineBlock_Corto_ProxyServer_Exception
* @throws EngineBlock_Exception
*/
protected function getEngineSpRole(MetadataRepositoryInterface $metadataRepository, EngineBlock_X509_KeyPair $keyPair, EngineBlock_Corto_ProxyServer $proxyServer)
{
/**
* Augment our own SP entry with stuff that can't be set via the Service Registry (yet)
*/
$spEntityId = $proxyServer->getUrl('spMetadataService');
$engineServiceProvider = $metadataRepository->findServiceProviderByEntityId($spEntityId);
if (!$engineServiceProvider) {
throw new EngineBlock_Exception("Unable to find EngineBlock configured as Service Provider. No '{$spEntityId}' in repository!");
}
$engineServiceProvider->certificates = array($keyPair->getCertificate());
$engineServiceProvider->supportedNameIdFormats = array(SAML2_Const::NAMEID_PERSISTENT, SAML2_Const::NAMEID_TRANSIENT, SAML2_Const::NAMEID_UNSPECIFIED);
$metadata = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getAttributeMetadata();
$requestedAttributeIds = $metadata->findRequestedAttributeIds();
$requiredAttributeIds = $metadata->findRequiredAttributeIds();
$requestedAttributes = array();
foreach ($requestedAttributeIds as $requestedAttributeId) {
$requestedAttributes[] = new RequestedAttribute($requestedAttributeId);
}
foreach ($requiredAttributeIds as $requiredAttributeId) {
$requestedAttributes[] = new RequestedAttribute($requiredAttributeId, true);
}
$engineServiceProvider->requestedAttributes = $requestedAttributes;
// Allow all Identity Providers for EngineBlock.
$engineServiceProvider->allowedIdpEntityIds = $metadataRepository->findAllIdentityProviderEntityIds();
$engineServiceProvider->responseProcessingService = new Service($proxyServer->getUrl('provideConsentService'), 'INTERNAL');
return $engineServiceProvider;
}
