/**
 * Checks that the SubjectConfirmationData has not already expired.
 *
 * A NotOnOrAfter value that lies more than 60 seconds in the past is
 * recorded as an error on $result; the 60 seconds absorb clock skew
 * between IdP and SP.
 *
 * @param SAML2_XML_saml_SubjectConfirmation $subjectConfirmation
 * @param SAML2_Assertion_Validation_Result  $result
 */
public function validate(SAML2_XML_saml_SubjectConfirmation $subjectConfirmation, SAML2_Assertion_Validation_Result $result)
{
    $expiry = $subjectConfirmation->SubjectConfirmationData->NotOnOrAfter;
    if (!$expiry) {
        // An absent (NULL) NotOnOrAfter means "no expiry"; note that a
        // timestamp of 0 is skipped by this truthiness test as well.
        return;
    }

    // Tolerate 60 seconds of clock skew.
    $latestAccepted = SAML2_Utilities_Temporal::getTime() - 60;
    if ($expiry <= $latestAccepted) {
        $result->addError('NotOnOrAfter in SubjectConfirmationData is in the past');
    }
}
/**
 * Checks that the SubjectConfirmationData is not valid only in the future.
 *
 * A NotBefore value that lies more than 60 seconds ahead of the current
 * time is recorded as an error on $result; the 60 seconds absorb clock
 * skew between IdP and SP.
 *
 * @param SAML2_XML_saml_SubjectConfirmation $subjectConfirmation
 * @param SAML2_Assertion_Validation_Result  $result
 */
public function validate(SAML2_XML_saml_SubjectConfirmation $subjectConfirmation, SAML2_Assertion_Validation_Result $result)
{
    $validFrom = $subjectConfirmation->SubjectConfirmationData->NotBefore;
    if (!$validFrom) {
        // An absent (NULL) NotBefore means "valid immediately"; note that a
        // timestamp of 0 is skipped by this truthiness test as well.
        return;
    }

    // Tolerate 60 seconds of clock skew.
    $earliestAccepted = SAML2_Utilities_Temporal::getTime() + 60;
    if ($validFrom > $earliestAccepted) {
        $result->addError('NotBefore in SubjectConfirmationData is in the future');
    }
}
/**
 * Checks that the assertion's NotBefore condition is not in the future.
 *
 * A NotBefore timestamp more than 60 seconds ahead of the current time is
 * recorded as an error on $result; the 60 seconds absorb clock skew
 * between IdP and SP.
 *
 * @param SAML2_Assertion                   $assertion
 * @param SAML2_Assertion_Validation_Result $result
 */
public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
{
    $validFrom = $assertion->getNotBefore();
    if (!$validFrom) {
        // No NotBefore condition (or a 0 timestamp, because of the
        // truthiness test) means there is nothing to check.
        return;
    }

    // Tolerate 60 seconds of clock skew.
    $earliestAccepted = SAML2_Utilities_Temporal::getTime() + 60;
    if ($validFrom > $earliestAccepted) {
        $result->addError('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
    }
}
/**
 * Checks that the assertion's NotOnOrAfter condition has not passed.
 *
 * A NotOnOrAfter timestamp more than 60 seconds in the past is recorded as
 * an error on $result; the 60 seconds absorb clock skew between IdP and SP.
 *
 * @param SAML2_Assertion                   $assertion
 * @param SAML2_Assertion_Validation_Result $result
 */
public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
{
    $expiry = $assertion->getNotOnOrAfter();
    if (!$expiry) {
        // No NotOnOrAfter condition (or a 0 timestamp, because of the
        // truthiness test) means there is nothing to check.
        return;
    }

    // Tolerate 60 seconds of clock skew.
    $latestAccepted = SAML2_Utilities_Temporal::getTime() - 60;
    if ($expiry <= $latestAccepted) {
        $result->addError('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
    }
}
/**
 * Create the redirect URL for a message.
 *
 * The serialized (unsigned) message is placed in the datastore under a
 * freshly generated artifact, with an expiry argument of now + 15 minutes,
 * and only the artifact (plus any RelayState) is appended to the
 * destination URL.
 *
 * @param SAML2_Message $message The message.
 * @return string The URL the user should be redirected to in order to send a message.
 * @throws Exception If no datastore is configured.
 */
public function getRedirectURL(SAML2_Message $message)
{
    $store = SimpleSAML_Store::getInstance();
    if ($store === FALSE) {
        throw new Exception('Unable to send artifact without a datastore configured.');
    }

    // 20 random bytes form the message handle. The hex round-trip through
    // stringToHex()/pack() is kept as in the original implementation.
    $randomBytes = SimpleSAML_Utilities::generateRandomBytes(20);
    $messageHandle = pack('H*', (string) SimpleSAML_Utilities::stringToHex($randomBytes));

    // The SourceID is the raw SHA-1 of the issuer, followed by the handle.
    // NOTE(review): no type-code/endpoint-index prefix is visible here —
    // confirm against the artifact format the resolving side expects.
    $sourceId = sha1($message->getIssuer(), TRUE);
    $artifact = base64_encode("" . $sourceId . $messageHandle);

    $xmlElement = $message->toUnsignedXML();
    $serializedMessage = $xmlElement->ownerDocument->saveXML($xmlElement);
    $expires = SAML2_Utilities_Temporal::getTime() + 15 * 60;
    $store->set('artifact', $artifact, $serializedMessage, $expires);

    $query = array('SAMLart' => $artifact);
    $relayState = $message->getRelayState();
    if ($relayState !== NULL) {
        $query['RelayState'] = $relayState;
    }

    return SimpleSAML_Utilities::addURLparameter($message->getDestination(), $query);
}
/**
 * Constructor for SAML 2 assertions.
 *
 * Without $xml, a fresh assertion with a generated ID, the current time as
 * IssueInstant/AuthnInstant and empty collections is created. With $xml,
 * the ID, Version, IssueInstant and Issuer are read and checked, after
 * which the subject, conditions, AuthnStatement, attributes, encrypted
 * attributes and signature are handed to the parse* helpers.
 *
 * @param DOMElement|NULL $xml The input assertion.
 * @throws Exception On a missing ID, an unsupported Version or a missing Issuer.
 */
public function __construct(DOMElement $xml = NULL)
{
    // Defaults for a freshly built assertion. getTime() is called twice on
    // purpose so that each timestamp is read independently, as before.
    $this->id = SAML2_Utils::getContainer()->generateId();
    $this->issueInstant = SAML2_Utilities_Temporal::getTime();
    $this->issuer = '';
    $this->authnInstant = SAML2_Utilities_Temporal::getTime();
    $this->attributes = array();
    $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
    $this->certificates = array();
    $this->AuthenticatingAuthority = array();
    $this->SubjectConfirmation = array();

    if ($xml === NULL) {
        return;
    }

    if (!$xml->hasAttribute('ID')) {
        throw new Exception('Missing ID attribute on SAML assertion.');
    }
    $this->id = $xml->getAttribute('ID');

    $version = $xml->getAttribute('Version');
    if ($version !== '2.0') {
        /* Currently a very strict check. */
        throw new Exception('Unsupported version: ' . $version);
    }

    $this->issueInstant = SAML2_Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    $issuerNodes = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (empty($issuerNodes)) {
        throw new Exception('Missing <saml:Issuer> in assertion.');
    }
    $this->issuer = trim($issuerNodes[0]->textContent);

    // Remaining parts are parsed in this fixed order; the signature is
    // handled last so that the rest of the element is already in place.
    $this->parseSubject($xml);
    $this->parseConditions($xml);
    $this->parseAuthnStatement($xml);
    $this->parseAttributes($xml);
    $this->parseEncryptedAttributes($xml);
    $this->parseSignature($xml);
}
/**
 * Initialize a message.
 *
 * This constructor takes an optional parameter with a DOMElement. If this
 * parameter is given, the message will be initialized with data from that
 * XML element: ID, Version, IssueInstant, optional Destination/Consent,
 * Issuer, the Signature element (if any) and Extensions.
 *
 * If no XML element is given, the message is initialized with suitable
 * default values (generated ID, current time, no certificates/validators).
 *
 * @param string $tagName The tag name of the root element.
 * @param DOMElement|NULL $xml The input message.
 * @throws Exception On a missing ID attribute or an unsupported Version.
 */
protected function __construct($tagName, DOMElement $xml = NULL)
{
    assert('is_string($tagName)');

    $this->tagName = $tagName;
    $this->id = SAML2_Utils::getContainer()->generateId();
    $this->issueInstant = SAML2_Utilities_Temporal::getTime();
    $this->certificates = array();
    $this->validators = array();

    if ($xml === NULL) {
        return;
    }

    if (!$xml->hasAttribute('ID')) {
        throw new Exception('Missing ID attribute on SAML message.');
    }
    $this->id = $xml->getAttribute('ID');

    $version = $xml->getAttribute('Version');
    if ($version !== '2.0') {
        /* Currently a very strict check. */
        throw new Exception('Unsupported version: ' . $version);
    }

    $this->issueInstant = SAML2_Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    // Optional attributes: only assigned when present on the element.
    if ($xml->hasAttribute('Destination')) {
        $this->destination = $xml->getAttribute('Destination');
    }
    if ($xml->hasAttribute('Consent')) {
        $this->consent = $xml->getAttribute('Consent');
    }

    $issuerNodes = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (!empty($issuerNodes)) {
        $this->issuer = trim($issuerNodes[0]->textContent);
    }

    /*
     * Validate the signature element of the message.
     *
     * Any exception raised here is deliberately swallowed: the message is
     * then treated as carrying no signature — certificates and validators
     * stay empty and messageContainedSignatureUponConstruction is not set.
     * A caller that requires a signed message must therefore check for the
     * presence of a signature itself; this constructor never rejects a
     * message because its signature could not be processed.
     */
    try {
        $signatureInfo = SAML2_Utils::validateElement($xml);
        if ($signatureInfo !== FALSE) {
            $this->messageContainedSignatureUponConstruction = TRUE;
            $this->certificates = $signatureInfo['Certificates'];
            // Deferred check: the actual signature verification runs later
            // through this validator entry.
            $this->validators[] = array('Function' => array('SAML2_Utils', 'validateSignature'), 'Data' => $signatureInfo);
        }
    } catch (Exception $e) {
        /* Ignore signature validation errors. */
    }

    $this->extensions = SAML2_XML_samlp_Extensions::getList($xml);
}