/**
 * Consent step for an IdP response: either forward it straight away or show the consent screen.
 *
 * The received response is stored in the session under its ID. It is then sent on
 * internally without user interaction when consent is disabled for this SP chain / IdP
 * pair, or when the consent object reports stored consent for the first entity in the
 * SP requester chain. In every other case the 'consent' template is rendered.
 *
 * Both skip paths bypass the consent screen entirely, so the decision rests on
 * isConsentDisabled() and hasStoredConsent(), neither of which is visible here.
 *
 * @param mixed $serviceName Not read by this method.
 * @return void
 */
public function serve($serviceName)
 {
     $response = $this->_server->getBindingsModule()->receiveResponse();

     // Keep the response in the session, keyed by its ID; the same ID is handed to the
     // consent template below. NOTE(review): presumably the processConsentService step
     // looks the response up again by that ID - confirm it only accepts IDs present here.
     $_SESSION['consent'][$response->getId()]['response'] = $response;

     $request = $this->_server->getReceivedRequestFromResponse($response);
     $serviceProvider = $this->_server->getRepository()->fetchServiceProviderByEntityId($request->getIssuer());
     $spMetadataChain = EngineBlock_SamlHelper::getSpRequesterChain(
         $serviceProvider,
         $request,
         $this->_server->getRepository()
     );

     $idpEntityId = $response->getOriginalIssuer();
     $identityProvider = $this->_server->getRepository()->fetchIdentityProviderByEntityId($idpEntityId);

     // Flush the log when any SP in the chain, or the IdP, has additional logging enabled.
     $remoteEntities = array_merge($spMetadataChain, array($identityProvider));
     if (EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($remoteEntities)) {
         $application = EngineBlock_ApplicationSingleton::getInstance();
         $application->flushLog('Activated additional logging for one or more SPs in the SP requester chain, or the IdP');
         // The whole HTTP request is written to the log as a string.
         // NOTE(review): at this point that is presumably the posted SAML response,
         // user attributes included - confirm access to and retention of this log.
         $application->getLogInstance()->info(
             'Raw HTTP request',
             array('http_request' => (string) $application->getHttpRequest())
         );
     }

     // Decide whether the consent screen can be skipped, and with which consent value.
     $consentValue = null;
     if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
         $consentValue = SAML2_Const::CONSENT_INAPPLICABLE;
     } else {
         // Consent is checked against (and later displayed for) the first entity in the chain.
         $consentDestinationEntityMetadata = $spMetadataChain[0];
         $attributes = $response->getAssertion()->getAttributes();
         $consent = $this->_consentFactory->create($this->_server, $response, $attributes);
         if ($consent->hasStoredConsent($consentDestinationEntityMetadata)) {
             $consentValue = SAML2_Const::CONSENT_PRIOR;
         }
     }

     if ($consentValue !== null) {
         // No user interaction needed: hand the response on through the internal binding.
         $response->setConsent($consentValue);
         $response->setDestination($response->getReturn());
         $response->setDeliverByBinding('INTERNAL');
         $this->_server->getBindingsModule()->send($response, $serviceProvider);
         return;
     }

     // NOTE(review): the attribute values originate from the IdP assertion; escaping them
     // is left to the 'consent' template, which is not visible here.
     $templateVariables = array(
         'action' => $this->_server->getUrl('processConsentService'),
         'ID' => $response->getId(),
         'attributes' => $attributes,
         'sp' => $consentDestinationEntityMetadata,
         'idp' => $identityProvider,
     );
     $this->_server->sendOutput($this->_server->renderTemplate('consent', $templateVariables));
 }
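 /**
  * Deliver a SAML message to a remote entity over the binding recorded on the message.
  *
  * 'INTERNAL' is delegated to sendInternal(). HTTP-POST renders an HTML form carrying the
  * base64-encoded XML; HTTP-Redirect redirects to the URL built by the binding and is
  * refused for Responses. Any other binding is rejected.
  *
  * @param EngineBlock_Saml2_MessageAnnotationDecorator $message      Annotated message to send.
  * @param AbstractRole                                 $remoteEntity Receiving entity; consulted
  *                                                                   for the signing decision.
  * @return void
  * @throws EngineBlock_Corto_Module_Bindings_UnsupportedBindingException For a Response over HTTP-Redirect.
  * @throws EngineBlock_Corto_Module_Bindings_Exception                   For any other binding.
  */
 public function send(EngineBlock_Saml2_MessageAnnotationDecorator $message, AbstractRole $remoteEntity)
 {
     $bindingUrn = $message->getDeliverByBinding();
     $sspMessage = $message->getSspMessage();
     if ($bindingUrn === 'INTERNAL') {
         // Internal hand-over: none of the signing or binding logic below applies.
         $this->sendInternal($message);
         return;
     }
     if ($this->shouldMessageBeSigned($sspMessage, $remoteEntity)) {
         $keyPair = $this->_server->getSigningCertificates();
         $sspMessage->setCertificates(array($keyPair->getCertificate()->toPem()));
         $sspMessage->setSignatureKey($keyPair->getPrivateKey()->toXmlSecurityKey());
     }
     $sspBinding = SAML2_Binding::getBinding($bindingUrn);
     if ($sspBinding instanceof SAML2_HTTPPost) {
         // SAML2int dictates that we MUST sign assertions.
         // The SAML2 library will do that for us, if we just set the key to sign with.
         if ($sspMessage instanceof SAML2_Response) {
             // The key copied here is whatever the message carries. It is only set above
             // when shouldMessageBeSigned() returned true.
             // NOTE(review): confirm that check cannot be false for a Response, otherwise
             // the assertions would go out without a signing key.
             foreach ($sspMessage->getAssertions() as $assertion) {
                 $assertion->setCertificates($sspMessage->getCertificates());
                 $assertion->setSignatureKey($sspMessage->getSignatureKey());
             }
             // BWC dictates that we don't sign responses.
             // Consequence: only the assertions are integrity-protected; the fields on the
             // Response element itself are outside any signature.
             $messageElement = $sspMessage->toUnsignedXML();
         } else {
             $messageElement = $sspMessage->toSignedXML();
         }
         $xml = $messageElement->ownerDocument->saveXML($messageElement);
         $this->validateXml($xml);

         // $extra is ready-made HTML handed to the template as 'xtra', so every value
         // concatenated into it is escaped here. Flags and charset are explicit so the
         // result does not depend on the PHP version's defaults or on default_charset.
         $extra = '';
         if (method_exists($message, 'getReturn')) {
             $extra .= '<input type="hidden" name="return" value="'
                 . htmlspecialchars($message->getReturn(), ENT_QUOTES, 'UTF-8') . '">';
         }
         // RelayState is opaque data that has to be passed on unchanged. A truthiness test
         // would silently drop the valid value "0", so compare against the empty string.
         $relayState = $sspMessage->getRelayState();
         if ((string) $relayState !== '') {
             $extra .= '<input type="hidden" name="RelayState" value="'
                 . htmlspecialchars($relayState, ENT_QUOTES, 'UTF-8') . '">';
         }
         $encodedMessage = htmlspecialchars(base64_encode($xml), ENT_QUOTES, 'UTF-8');
         // NOTE(review): the destination is passed to the 'form' template as-is; escaping it,
         // and whether it is an expected endpoint for $remoteEntity, is decided outside this method.
         $action = $sspMessage->getDestination();
         // The complete message XML goes to the session log.
         // NOTE(review): for a Response that presumably includes the assertion attributes -
         // confirm who can read this log.
         $log = $this->_server->getSessionLog();
         $log->info('HTTP-Post: Sending Message', array('saml_message' => $xml));
         $output = $this->_server->renderTemplate('form', array(
             'action' => $action,
             'message' => $encodedMessage,
             'xtra' => $extra,
             'name' => $message->getMessageType(),
             'trace' => $this->getTraceHtml($xml),
         ));
         $this->_server->sendOutput($output);
     } elseif ($sspBinding instanceof SAML2_HTTPRedirect) {
         // Responses are never sent via HTTP-Redirect; only other message types reach the redirect.
         if ($sspMessage instanceof SAML2_Response) {
             throw new EngineBlock_Corto_Module_Bindings_UnsupportedBindingException('May not send a Reponse via HTTP Redirect');
         }
         $url = $sspBinding->getRedirectURL($sspMessage);
         $this->_server->redirect($url, $message);
     } else {
         throw new EngineBlock_Corto_Module_Bindings_Exception('Unsupported Binding');
     }
 }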