 /**
  * Reject assertions whose NotBefore condition lies in the future.
  *
  * A tolerance of 60 seconds is allowed so that ordinary clock drift between
  * the IdP and the SP does not produce spurious failures; a NotBefore further
  * ahead than that is recorded as an error on the result. An absent (falsy)
  * NotBefore is not checked at all.
  *
  * @param Assertion $assertion The assertion under validation.
  * @param Result    $result    Collects validation errors.
  */
 public function validate(Assertion $assertion, Result $result)
 {
     $notBefore = $assertion->getNotBefore();
     if (!$notBefore) {
         return;
     }
     // Latest NotBefore we still accept: "now" plus the clock-skew allowance.
     $latestAcceptable = Temporal::getTime() + 60;
     if ($notBefore > $latestAcceptable) {
         $result->addError('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
     }
 }
 /**
  * Reject a SubjectConfirmation whose NotBefore lies in the future.
  *
  * Up to 60 seconds of clock drift between IdP and SP is tolerated; a
  * NotBefore further ahead is reported as an error. A missing (falsy)
  * NotBefore is skipped.
  *
  * @param SubjectConfirmation $subjectConfirmation The element under validation.
  * @param Result              $result              Collects validation errors.
  */
 public function validate(SubjectConfirmation $subjectConfirmation, Result $result)
 {
     $data = $subjectConfirmation->SubjectConfirmationData;
     $notBefore = $data->NotBefore;
     if (!$notBefore) {
         return;
     }
     // "now" plus the clock-skew allowance is the latest NotBefore still accepted.
     $latestAcceptable = Temporal::getTime() + 60;
     if ($notBefore > $latestAcceptable) {
         $result->addError('NotBefore in SubjectConfirmationData is in the future');
     }
 }
 /**
  * Reject a SubjectConfirmation whose NotOnOrAfter has already passed.
  *
  * NotOnOrAfter is an exclusive bound (hence the <=), but 60 seconds of
  * clock drift between IdP and SP is tolerated before the element is
  * reported as expired. A missing (falsy) NotOnOrAfter is skipped.
  *
  * @param SubjectConfirmation $subjectConfirmation The element under validation.
  * @param Result              $result              Collects validation errors.
  */
 public function validate(SubjectConfirmation $subjectConfirmation, Result $result)
 {
     $data = $subjectConfirmation->SubjectConfirmationData;
     $notOnOrAfter = $data->NotOnOrAfter;
     if (!$notOnOrAfter) {
         return;
     }
     // Earliest NotOnOrAfter still accepted: "now" minus the clock-skew allowance.
     $earliestAcceptable = Temporal::getTime() - 60;
     if ($notOnOrAfter <= $earliestAcceptable) {
         $result->addError('NotOnOrAfter in SubjectConfirmationData is in the past');
     }
 }
 /**
  * Reject assertions whose NotOnOrAfter condition has already passed.
  *
  * NotOnOrAfter is an exclusive bound (hence the <=); 60 seconds of clock
  * drift between IdP and SP is tolerated before the assertion is reported
  * as expired. An absent (falsy) NotOnOrAfter is not checked.
  *
  * @param Assertion $assertion The assertion under validation.
  * @param Result    $result    Collects validation errors.
  */
 public function validate(Assertion $assertion, Result $result)
 {
     $notOnOrAfter = $assertion->getNotOnOrAfter();
     if (!$notOnOrAfter) {
         return;
     }
     // Earliest NotOnOrAfter still accepted: "now" minus the clock-skew allowance.
     $earliestAcceptable = Temporal::getTime() - 60;
     if ($notOnOrAfter <= $earliestAcceptable) {
         $result->addError('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
     }
 }
 /**
  * Reject assertions whose SessionNotOnOrAfter has already passed.
  *
  * The current time is read once up front. SessionNotOnOrAfter is an
  * exclusive bound (hence the <=), and 60 seconds of clock drift between
  * IdP and SP is tolerated before the session is reported as expired. An
  * absent (falsy) SessionNotOnOrAfter is not checked.
  *
  * @param Assertion $assertion The assertion under validation.
  * @param Result    $result    Collects validation errors.
  */
 public function validate(Assertion $assertion, Result $result)
 {
     $now = Temporal::getTime();
     $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
     if (!$sessionNotOnOrAfter) {
         return;
     }
     // Earliest SessionNotOnOrAfter still accepted: "now" minus the clock-skew allowance.
     if ($sessionNotOnOrAfter <= $now - 60) {
         $result->addError('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
     }
 }
 /**
  * Create the redirect URL for a message.
  *
  * The message itself never travels in the URL: its unsigned XML is kept in the
  * configured datastore under a freshly generated artifact for 15 minutes, and
  * only the artifact (plus the RelayState, if any) is appended to the
  * destination URL.
  *
  * @param  \SAML2\Message $message The message.
  * @return string        The URL the user should be redirected to in order to send a message.
  * @throws \Exception    When no datastore is configured.
  */
 public function getRedirectURL(Message $message)
 {
     $store = SimpleSAML_Store::getInstance();
     if ($store === false) {
         throw new \Exception('Unable to send artifact without a datastore configured.');
     }
     /* 20 random bytes form the message handle; the value appears to round-trip through hex
        (stringToHex, then pack('H*')) and come back out as the same bytes. */
     $generatedId = pack('H*', (string) SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(20)));
     /* Artifact = prefix . SHA-1(issuer) as the 20-byte SourceID . 20-byte random handle, base64-encoded.
        NOTE(review): the SAML 2.0 artifact format begins with a type code and endpoint index; the
        empty "" prefix in this listing may be a stripped escape sequence — confirm against the
        original source before relying on this rendering. */
     $artifact = base64_encode("" . sha1($message->getIssuer(), true) . $generatedId);
     $artifactData = $message->toUnsignedXML();
     $artifactDataString = $artifactData->ownerDocument->saveXML($artifactData);
     /* Store the message XML for later artifact resolution; expires 15 minutes from now. */
     $store->set('artifact', $artifact, $artifactDataString, Temporal::getTime() + 15 * 60);
     $params = array('SAMLart' => $artifact);
     $relayState = $message->getRelayState();
     if ($relayState !== null) {
         $params['RelayState'] = $relayState;
     }
     return SimpleSAML_Utilities::addURLparameter($message->getDestination(), $params);
 }
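 /**
  * Initialize a message.
  *
  * This constructor takes an optional parameter with a \DOMElement. If this
  * parameter is given, the message will be initialized with data from that
  * XML element.
  *
  * If no XML element is given, the message is initialized with suitable
  * default values.
  *
  * Signature handling: the signature element is only located and its
  * certificates extracted here; verification is registered as a validator
  * callback to be run later. Any exception raised while locating the
  * signature is swallowed, so such a message ends up with no certificates
  * and no validator, i.e. it looks unsigned. Code that requires a signed
  * message must check for one explicitly rather than rely on construction
  * failing.
  *
  * @param string          $tagName The tag name of the root element.
  * @param \DOMElement|null $xml     The input message.
  * @throws \Exception When the ID attribute is missing or Version is not "2.0".
  */
 protected function __construct($tagName, \DOMElement $xml = null)
 {
     // A string argument to assert() is deprecated since PHP 7.2 and, from PHP 8.0, is no
     // longer evaluated (a non-empty string is simply truthy), so the check must be an expression.
     assert(is_string($tagName));
     $this->tagName = $tagName;
     // Defaults for a freshly created message; overwritten below when parsing XML.
     $this->id = Utils::getContainer()->generateId();
     $this->issueInstant = Temporal::getTime();
     $this->certificates = array();
     $this->validators = array();
     if ($xml === null) {
         return;
     }
     if (!$xml->hasAttribute('ID')) {
         throw new \Exception('Missing ID attribute on SAML message.');
     }
     $this->id = $xml->getAttribute('ID');
     if ($xml->getAttribute('Version') !== '2.0') {
         /* Currently a very strict check. */
         throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
     }
     $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));
     if ($xml->hasAttribute('Destination')) {
         $this->destination = $xml->getAttribute('Destination');
     }
     if ($xml->hasAttribute('Consent')) {
         $this->consent = $xml->getAttribute('Consent');
     }
     // Issuer is optional at message level; only its text content is kept.
     $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
     if (!empty($issuer)) {
         $this->issuer = trim($issuer[0]->textContent);
     }
     /* Validate the signature element of the message. */
     try {
         $sig = Utils::validateElement($xml);
         if ($sig !== false) {
             $this->messageContainedSignatureUponConstruction = true;
             $this->certificates = $sig['Certificates'];
             // Actual verification happens when the validators list is run, not here.
             $this->validators[] = array('Function' => array('\\SAML2\\Utils', 'validateSignature'), 'Data' => $sig);
         }
     } catch (\Exception $e) {
         /* Ignore signature validation errors: a malformed or unverifiable signature block is
            treated as "no signature" (certificates stay empty, no validator registered).
            Consumers that require signed messages must check for one themselves, e.g. via
            messageContainedSignatureUponConstruction or the validators list. */
     }
     $this->extensions = Extensions::getList($xml);
 }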
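 /**
  * Initialize a message.
  *
  * This constructor takes an optional parameter with a \DOMElement. If this
  * parameter is given, the message will be initialized with data from that
  * XML element.
  *
  * If no XML element is given, the message is initialized with suitable
  * default values.
  *
  * Only the presence of ID and an exact Version of "2.0" are enforced here.
  * Signature handling is delegated to validateSignature(), defined elsewhere;
  * nothing in this constructor itself verifies a signature.
  *
  * @param string           $tagName The tag name of the root element
  * @param \DOMElement|null $xml     The input message
  *
  * @throws \Exception When the ID attribute is missing or Version is not "2.0"
  */
 protected function __construct($tagName, \DOMElement $xml = null)
 {
     // A string argument to assert() is deprecated since PHP 7.2 and, from PHP 8.0, is no
     // longer evaluated (a non-empty string is simply truthy), so the check must be an expression.
     assert(is_string($tagName));
     $this->tagName = $tagName;
     // Defaults for a freshly created message; overwritten below when parsing XML.
     $this->id = Utils::getContainer()->generateId();
     $this->issueInstant = Temporal::getTime();
     $this->certificates = array();
     $this->validators = array();
     if ($xml === null) {
         return;
     }
     if (!$xml->hasAttribute('ID')) {
         throw new \Exception('Missing ID attribute on SAML message.');
     }
     $this->id = $xml->getAttribute('ID');
     if ($xml->getAttribute('Version') !== '2.0') {
         /* Currently a very strict check. */
         throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
     }
     $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));
     if ($xml->hasAttribute('Destination')) {
         $this->destination = $xml->getAttribute('Destination');
     }
     if ($xml->hasAttribute('Consent')) {
         $this->consent = $xml->getAttribute('Consent');
     }
     // Issuer is optional at message level. An entity-format issuer is collapsed to its plain
     // entityID string (presumably for callers expecting a string); other formats keep the object.
     $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
     if (!empty($issuer)) {
         $this->issuer = new XML\saml\Issuer($issuer[0]);
         if ($this->issuer->Format === Constants::NAMEID_ENTITY) {
             $this->issuer = $this->issuer->value;
         }
     }
     $this->validateSignature($xml);
     $this->extensions = Extensions::getList($xml);
 }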
 /**
  * Constructor for SAML 2 assertions.
  *
  * Without an XML element a fresh assertion is produced: a new ID, the
  * current time as both IssueInstant and AuthnInstant, an empty issuer, the
  * unspecified name format and empty attribute, certificate, authenticating
  * authority and subject confirmation lists.
  *
  * With an XML element the ID, Version, IssueInstant and Issuer are read from
  * the root element and the remaining content is handed to the parse*
  * helpers. Only the presence of ID and Issuer and an exact Version of "2.0"
  * are enforced here; this constructor itself does not verify any signature
  * (see parseSignature(), defined elsewhere).
  *
  * @param \DOMElement|null $xml The input assertion.
  * @throws \Exception When ID or Issuer is missing, or Version is not "2.0".
  */
 public function __construct(\DOMElement $xml = null)
 {
     // Defaults for a freshly built assertion; the XML branch below overrides them.
     $this->id = Utils::getContainer()->generateId();
     $this->issueInstant = Temporal::getTime();
     $this->authnInstant = Temporal::getTime();
     $this->issuer = '';
     $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
     $this->attributes = array();
     $this->certificates = array();
     $this->AuthenticatingAuthority = array();
     $this->SubjectConfirmation = array();

     if ($xml === null) {
         return;
     }

     if (!$xml->hasAttribute('ID')) {
         throw new \Exception('Missing ID attribute on SAML assertion.');
     }
     $this->id = $xml->getAttribute('ID');

     /* Currently a very strict check. */
     $version = $xml->getAttribute('Version');
     if ($version !== '2.0') {
         throw new \Exception('Unsupported version: ' . $version);
     }

     $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

     $issuerNodes = Utils::xpQuery($xml, './saml_assertion:Issuer');
     if (empty($issuerNodes)) {
         throw new \Exception('Missing <saml:Issuer> in assertion.');
     }
     // An entity-format issuer collapses to its plain entityID string; any other format keeps the object.
     $issuerElement = new XML\saml\Issuer($issuerNodes[0]);
     $this->issuer = $issuerElement->Format === Constants::NAMEID_ENTITY
         ? $issuerElement->value
         : $issuerElement;

     // Remaining content is parsed by dedicated helpers, in document order of the schema.
     $this->parseSubject($xml);
     $this->parseConditions($xml);
     $this->parseAuthnStatement($xml);
     $this->parseAttributes($xml);
     $this->parseEncryptedAttributes($xml);
     $this->parseSignature($xml);
 }