/** * Tests the generateNameId method of the OneLogin_Saml2_Utils * * @covers OneLogin_Saml2_Utils::generateNameId */ public function testGenerateNameId() { //$xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'.$decrypted.'</root>'; //$newDoc = new DOMDocument(); $nameIdValue = 'ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde'; $entityId = 'http://stuff.com/endpoints/metadata.php'; $nameIDFormat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'; $nameId = OneLogin_Saml2_Utils::generateNameId($nameIdValue, $entityId, $nameIDFormat); $expectedNameId = '<saml:NameID SPNameQualifier="http://stuff.com/endpoints/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">ONELOGIN_ce998811003f4e60f8b07a311dc641621379cfde</saml:NameID>'; $this->assertEquals($nameId, $expectedNameId); $settingsDir = TEST_ROOT . '/settings/'; include $settingsDir . 'settings1.php'; $x509cert = $settingsInfo['idp']['x509cert']; $key = OneLogin_Saml2_Utils::formatCert($x509cert); $nameIdEnc = OneLogin_Saml2_Utils::generateNameId($nameIdValue, $entityId, $nameIDFormat, $key); $nameidExpectedEnc = '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>'; $this->assertContains($nameidExpectedEnc, $nameIdEnc); }
/** * Formats the SP cert. */ public function formatSPCert() { if (isset($this->_sp['x509cert'])) { $this->_sp['x509cert'] = OneLogin_Saml2_Utils::formatCert($this->_sp['x509cert']); } }
/** * Tests the getIdPData method of the OneLogin_Saml2_Settings * * @covers OneLogin_Saml2_Settings::getIdPData */ public function testGetIdPData() { $settingsDir = TEST_ROOT . '/settings/'; include $settingsDir . 'settings1.php'; $settings = new OneLogin_Saml2_Settings($settingsInfo); $idpData = $settings->getIdPData(); $this->assertNotEmpty($idpData); $this->assertArrayHasKey('entityId', $idpData); $this->assertArrayHasKey('singleSignOnService', $idpData); $this->assertArrayHasKey('singleLogoutService', $idpData); $this->assertArrayHasKey('x509cert', $idpData); $this->assertEquals('http://idp.example.com/', $idpData['entityId']); $this->assertEquals('http://idp.example.com/SSOService.php', $idpData['singleSignOnService']['url']); $this->assertEquals('http://idp.example.com/SingleLogoutService.php', $idpData['singleLogoutService']['url']); $x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo'; $formatedx509cert = OneLogin_Saml2_Utils::formatCert($x509cert); $this->assertEquals($formatedx509cert, $idpData['x509cert']); }
/** * Adds the x509 descriptors (sign/encriptation) to the metadata * The same cert will be used for sign/encrypt * * @param string $metadata SAML Metadata XML * @param string $cert x509 cert * * @return string Metadata with KeyDescriptors */ public static function addX509KeyDescriptors($metadata, $cert) { $xml = new DOMDocument(); $xml->preserveWhiteSpace = false; $xml->formatOutput = true; try { $xml = OneLogin_Saml2_Utils::loadXML($xml, $metadata); if (!$xml) { throw new Exception('Error parsing metadata'); } } catch (Exception $e) { throw new Exception('Error parsing metadata. ' . $e->getMessage()); } $formatedCert = OneLogin_Saml2_Utils::formatCert($cert, false); $x509Certificate = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'X509Certificate', $formatedCert); $keyData = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'ds:X509Data'); $keyData->appendChild($x509Certificate); $keyInfo = $xml->createElementNS(OneLogin_Saml2_Constants::NS_DS, 'ds:KeyInfo'); $keyInfo->appendChild($keyData); $keyDescriptor = $xml->createElementNS(OneLogin_Saml2_Constants::NS_MD, "md:KeyDescriptor"); $SPSSODescriptor = $xml->getElementsByTagName('SPSSODescriptor')->item(0); $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild); $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild); $signing = $xml->getElementsByTagName('KeyDescriptor')->item(0); $signing->setAttribute('use', 'signing'); $encryption = $xml->getElementsByTagName('KeyDescriptor')->item(1); $encryption->setAttribute('use', 'encryption'); $signing->appendChild($keyInfo); $encryption->appendChild($keyInfo->cloneNode(true)); return $xml->saveXML(); }
/** * Constructs the AuthnRequest object. * * @param OneLogin_Saml2_Settings $settings Settings * @param bool $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true' * @param bool $isPassive When true the AuthNReuqest will set the Ispassive='true' */ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false) { $this->_settings = $settings; $spData = $this->_settings->getSPData(); $idpData = $this->_settings->getIdPData(); $security = $this->_settings->getSecurityData(); $id = OneLogin_Saml2_Utils::generateUniqueID(); $issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time()); $nameIDPolicyFormat = $spData['NameIDFormat']; if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) { $nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED; } $providerNameStr = ''; $organizationData = $settings->getOrganization(); if (!empty($organizationData)) { $langs = array_keys($organizationData); if (in_array('en-US', $langs)) { $lang = 'en-US'; } else { $lang = $langs[0]; } if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) { $providerNameStr = <<<PROVIDERNAME ProviderName="{$organizationData[$lang]['displayname']}" PROVIDERNAME; } } $forceAuthnStr = ''; if ($forceAuthn) { $forceAuthnStr = <<<FORCEAUTHN ForceAuthn="true" FORCEAUTHN; } $isPassiveStr = ''; if ($isPassive) { $isPassiveStr = <<<ISPASSIVE IsPassive="true" ISPASSIVE; } $requestedAuthnStr = ''; if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) { if ($security['requestedAuthnContext'] === true) { $requestedAuthnStr = <<<REQUESTEDAUTHN <samlp:RequestedAuthnContext Comparison="exact"> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> REQUESTEDAUTHN; } else { $requestedAuthnStr .= " <samlp:RequestedAuthnContext Comparison=\"exact\">\n"; foreach ($security['requestedAuthnContext'] as $contextValue) { $requestedAuthnStr .= " <saml:AuthnContextClassRef>" . $contextValue . "</saml:AuthnContextClassRef>\n"; } $requestedAuthnStr .= ' </samlp:RequestedAuthnContext>'; } } $signature = ''; if (isset($security['authnRequestsSigned']) && $security['authnRequestsSigned']) { $key = $this->_settings->getSPkey(); $objKey = new XMLSecurityKey($security['signatureAlgorithm'], array('type' => 'private')); $objKey->loadKey($key, false); $signatureValue = $objKey->signData(time()); $signatureValue = base64_encode($signatureValue); $digestValue = base64_encode(sha1(time())); $x509Cert = $this->_settings->getSPcert(); $x509Cert = OneLogin_Saml2_Utils::formatCert($x509Cert, false); $signature = <<<SIGNATURE <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>{$digestValue}</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>asd{$signatureValue}</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>{$x509Cert}</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> SIGNATURE; } $request = <<<AUTHNREQUEST <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{$id}" Version="2.0" {$providerNameStr}{$forceAuthnStr}{$isPassiveStr} IssueInstant="{$issueInstant}" Destination="{$idpData['singleSignOnService']['url']}" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}"> <saml:Issuer>{$spData['entityId']}</saml:Issuer> {$signature} <samlp:NameIDPolicy Format="{$nameIDPolicyFormat}" AllowCreate="true" /> {$requestedAuthnStr} </samlp:AuthnRequest> AUTHNREQUEST; $this->_id = $id; $this->_authnRequest = $request; }