/**
 * Flag SubjectConfirmationData whose NotOnOrAfter already lies in the past.
 *
 * NotOnOrAfter is compared as a timestamp against
 * SAML2_Utilities_Temporal::getTime(), allowing 60 seconds of clock skew
 * between IdP and SP. When the attribute is unset (or otherwise falsy) no
 * check is performed and no error is recorded.
 *
 * @param SAML2_XML_saml_SubjectConfirmation $subjectConfirmation The element under validation.
 * @param SAML2_Assertion_Validation_Result  $result              Receives an error when the data has expired.
 */
public function validate(SAML2_XML_saml_SubjectConfirmation $subjectConfirmation, SAML2_Assertion_Validation_Result $result)
 {
     $expiry = $subjectConfirmation->SubjectConfirmationData->NotOnOrAfter;
     if (!$expiry) {
         return;
     }

     /* Anything that expired more than 60 seconds ago is treated as stale. */
     $latestAcceptable = SAML2_Utilities_Temporal::getTime() - 60;
     if ($expiry <= $latestAcceptable) {
         $result->addError('NotOnOrAfter in SubjectConfirmationData is in the past');
     }
 }
 /**
  * Flag SubjectConfirmationData whose NotBefore still lies in the future.
  *
  * NotBefore is compared as a timestamp against
  * SAML2_Utilities_Temporal::getTime(), allowing 60 seconds of clock skew
  * between IdP and SP. When the attribute is unset (or otherwise falsy) no
  * check is performed and no error is recorded.
  *
  * @param SAML2_XML_saml_SubjectConfirmation $subjectConfirmation The element under validation.
  * @param SAML2_Assertion_Validation_Result  $result              Receives an error when the data is not yet valid.
  */
 public function validate(SAML2_XML_saml_SubjectConfirmation $subjectConfirmation, SAML2_Assertion_Validation_Result $result)
 {
     $validFrom = $subjectConfirmation->SubjectConfirmationData->NotBefore;
     if (!$validFrom) {
         return;
     }

     /* Anything becoming valid more than 60 seconds from now is rejected. */
     $earliestAcceptable = SAML2_Utilities_Temporal::getTime() + 60;
     if ($validFrom > $earliestAcceptable) {
         $result->addError('NotBefore in SubjectConfirmationData is in the future');
     }
 }
 /**
  * Flag an assertion whose NotBefore condition still lies in the future.
  *
  * The assertion's NotBefore timestamp is compared against
  * SAML2_Utilities_Temporal::getTime() with 60 seconds of tolerance for
  * clock skew. An unset (or otherwise falsy) NotBefore is not checked.
  *
  * @param SAML2_Assertion                   $assertion The assertion under validation.
  * @param SAML2_Assertion_Validation_Result $result    Receives an error when the assertion is not yet valid.
  */
 public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
 {
     $validFrom = $assertion->getNotBefore();
     $isInFuture = $validFrom && $validFrom > SAML2_Utilities_Temporal::getTime() + 60;
     if (!$isInFuture) {
         return;
     }

     $result->addError('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
 }
 /**
  * Flag an assertion whose NotOnOrAfter condition has already passed.
  *
  * The assertion's NotOnOrAfter timestamp is compared against
  * SAML2_Utilities_Temporal::getTime() with 60 seconds of tolerance for
  * clock skew. An unset (or otherwise falsy) NotOnOrAfter is not checked.
  *
  * @param SAML2_Assertion                   $assertion The assertion under validation.
  * @param SAML2_Assertion_Validation_Result $result    Receives an error when the assertion has expired.
  */
 public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
 {
     $expiry = $assertion->getNotOnOrAfter();
     $hasExpired = $expiry && $expiry <= SAML2_Utilities_Temporal::getTime() - 60;
     if (!$hasExpired) {
         return;
     }

     $result->addError('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
 }
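 /**
  * Create the redirect URL for a message.
  *
  * The message XML is stored in the configured datastore under a freshly
  * generated SAML 2.0 artifact and the user is redirected to the message's
  * destination carrying only that artifact (plus the RelayState, when set).
  * The message content itself therefore never passes through the browser.
  *
  * The artifact follows the SAML 2.0 type 0x0004 layout: a 2-byte TypeCode,
  * a 2-byte EndpointIndex, a 20-byte SourceID (SHA-1 of the issuer) and a
  * 20-byte random MessageHandle, base64-encoded. A receiver parses the 4-byte
  * header first, so omitting it yields an artifact the peer cannot resolve.
  *
  * @param  SAML2_Message $message The message.
  * @return string        The URL the user should be redirected to in order to send a message.
  * @throws Exception If no datastore is configured.
  */
 public function getRedirectURL(SAML2_Message $message)
 {
     $store = SimpleSAML_Store::getInstance();
     if ($store === FALSE) {
         throw new Exception('Unable to send artifact without a datastore configured.');
     }

     /* MessageHandle: 20 random bytes. This is the only secret a client ever sees, so it must be unguessable. */
     $messageHandle = pack('H*', (string) SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(20)));

     /* SourceID: raw SHA-1 digest of the issuer, as the type 0x0004 format prescribes. */
     $sourceId = sha1($message->getIssuer(), TRUE);

     /* TypeCode 0x0004 followed by EndpointIndex 0. */
     $artifactHeader = "\x00\x04\x00\x00";

     $artifact = base64_encode($artifactHeader . $sourceId . $messageHandle);

     $artifactData = $message->toUnsignedXML();
     $artifactDataString = $artifactData->ownerDocument->saveXML($artifactData);

     /* The stored message is only resolvable for 15 minutes; after that the artifact is dead. */
     $store->set('artifact', $artifact, $artifactDataString, SAML2_Utilities_Temporal::getTime() + 15 * 60);

     $params = array('SAMLart' => $artifact);
     $relayState = $message->getRelayState();
     if ($relayState !== NULL) {
         $params['RelayState'] = $relayState;
     }

     return SimpleSAML_Utilities::addURLparameter($message->getDestination(), $params);
 }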
 /**
  * Constructor for SAML 2 assertions.
  *
  * Without $xml a fresh assertion is created: a generated ID, the current
  * time as IssueInstant and AuthnInstant, an empty issuer, the unspecified
  * name format, and empty attribute, certificate, AuthenticatingAuthority
  * and SubjectConfirmation lists.
  *
  * With $xml the assertion is populated from the element: ID, Version (only
  * "2.0" is accepted), IssueInstant and <saml:Issuer> are read here; Subject,
  * Conditions, AuthnStatement, plain and encrypted attributes and finally the
  * Signature are handed to the parse* helpers. Note that every data field is
  * read before parseSignature() runs, so nothing in this constructor
  * establishes that the element was signed or verified — presumably that is
  * left to the signature validation step; confirm against parseSignature().
  *
  * @param DOMElement|NULL $xml The input assertion.
  * @throws Exception If the ID attribute or <saml:Issuer> is missing, or the Version is not "2.0".
  */
 public function __construct(DOMElement $xml = NULL)
 {
     $this->id = SAML2_Utils::getContainer()->generateId();
     $this->issueInstant = SAML2_Utilities_Temporal::getTime();
     $this->issuer = '';
     $this->authnInstant = SAML2_Utilities_Temporal::getTime();
     $this->attributes = array();
     $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
     $this->certificates = array();
     $this->AuthenticatingAuthority = array();
     $this->SubjectConfirmation = array();

     if ($xml !== NULL) {
         if (!$xml->hasAttribute('ID')) {
             throw new Exception('Missing ID attribute on SAML assertion.');
         }
         $this->id = $xml->getAttribute('ID');

         $version = $xml->getAttribute('Version');
         if ($version !== '2.0') {
             /* Currently a very strict check. */
             throw new Exception('Unsupported version: ' . $version);
         }

         $this->issueInstant = SAML2_Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

         $issuerNodes = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
         if (empty($issuerNodes)) {
             throw new Exception('Missing <saml:Issuer> in assertion.');
         }
         $this->issuer = trim($issuerNodes[0]->textContent);

         /* Remaining parts of the assertion, parsed in this fixed order. */
         $this->parseSubject($xml);
         $this->parseConditions($xml);
         $this->parseAuthnStatement($xml);
         $this->parseAttributes($xml);
         $this->parseEncryptedAttributes($xml);
         $this->parseSignature($xml);
     }
 }
 /**
  * Initialize a message.
  *
  * This constructor takes an optional parameter with a DOMElement. If this
  * parameter is given, the message will be initialized with data from that
  * XML element: ID, Version (only "2.0" is accepted), IssueInstant, the
  * optional Destination and Consent attributes, the optional <saml:Issuer>,
  * any signature found on the element, and the Extensions list.
  *
  * If no XML element is given, the message is initialized with suitable
  * default values: a generated ID, the current time as IssueInstant, and
  * empty certificate and validator lists.
  *
  * Signature handling: any exception raised while locating or checking the
  * Signature element is swallowed. The message is then indistinguishable here
  * from an unsigned one — $this->validators stays empty and
  * $this->messageContainedSignatureUponConstruction is never set — so code
  * that requires a signed message must check for the signature explicitly
  * rather than infer it from construction succeeding.
  *
  * @param string          $tagName The tag name of the root element.
  * @param DOMElement|NULL $xml     The input message.
  * @throws Exception If the ID attribute is missing or the Version is not "2.0".
  */
 protected function __construct($tagName, DOMElement $xml = NULL)
 {
     assert('is_string($tagName)');

     $this->tagName = $tagName;
     $this->id = SAML2_Utils::getContainer()->generateId();
     $this->issueInstant = SAML2_Utilities_Temporal::getTime();
     $this->certificates = array();
     $this->validators = array();

     if ($xml !== NULL) {
         if (!$xml->hasAttribute('ID')) {
             throw new Exception('Missing ID attribute on SAML message.');
         }
         $this->id = $xml->getAttribute('ID');

         $version = $xml->getAttribute('Version');
         if ($version !== '2.0') {
             /* Currently a very strict check. */
             throw new Exception('Unsupported version: ' . $version);
         }

         $this->issueInstant = SAML2_Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

         /* Optional attributes: only assigned when present, otherwise the property keeps its class default. */
         if ($xml->hasAttribute('Destination')) {
             $this->destination = $xml->getAttribute('Destination');
         }
         if ($xml->hasAttribute('Consent')) {
             $this->consent = $xml->getAttribute('Consent');
         }

         $issuerNodes = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
         if (!empty($issuerNodes)) {
             $this->issuer = trim($issuerNodes[0]->textContent);
         }

         /* Validate the signature element of the message. */
         try {
             $signatureInfo = SAML2_Utils::validateElement($xml);
             if ($signatureInfo !== FALSE) {
                 $this->messageContainedSignatureUponConstruction = TRUE;
                 $this->certificates = $signatureInfo['Certificates'];
                 $this->validators[] = array(
                     'Function' => array('SAML2_Utils', 'validateSignature'),
                     'Data'     => $signatureInfo,
                 );
             }
         } catch (Exception $ignored) {
             /* Ignore signature validation errors; the message is treated as unsigned (see docblock). */
         }

         $this->extensions = SAML2_XML_samlp_Extensions::getList($xml);
     }
 }