getNotOnOrAfter() public méthode

This function returns null if there are no restrictions on how late the assertion can be used.
public getNotOnOrAfter ( ) : integer | null
Résultat integer | null The timestamp at which this assertion stops being valid (it must not be accepted on or after this instant), or null if no such limit is set.
Exemple #1
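 /**
  * Reject an assertion whose NotOnOrAfter instant has passed.
  *
  * An error is added to $result when the assertion carries a NotOnOrAfter
  * timestamp that lies 60 seconds or more before the current time reported by
  * Temporal::getTime(); the 60 seconds are an allowance for clock drift
  * between IdP and SP. An assertion without a NotOnOrAfter value (null) is
  * not restricted by this check.
  *
  * @param Assertion $assertion assertion whose expiry is checked
  * @param Result    $result    collector that receives the validation error
  */
 public function validate(Assertion $assertion, Result $result)
 {
     $notOnOrAfter = $assertion->getNotOnOrAfter();

     // Only null means "no expiry". A truthiness test would also skip the
     // check for a timestamp of 0 (the Unix epoch) and accept such an
     // assertion as if it never expired.
     if ($notOnOrAfter === null) {
         return;
     }

     if ($notOnOrAfter <= Temporal::getTime() - 60) {
         $result->addError('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
     }
 }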
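 /**
  * Answer the SAML2 request on the current binding with a signed response
  * that asserts the identity of the given person.
  *
  * The assertion is valid from 30 seconds before now until 300 seconds after
  * now, uses bearer subject confirmation, and carries the person's username
  * and e-mail address. The response is signed with static::$privateKey and
  * delivered through the HTTP-POST binding.
  *
  * NOTE(review): the AssertionConsumerService URL is taken from the received
  * request and used as Destination and Recipient. Nothing visible in this
  * method compares it with the endpoints registered for the requesting SP, and
  * no audience restriction is set on the assertion. Confirm both are enforced
  * elsewhere; otherwise the signed bearer assertion is posted to whatever URL
  * the request names.
  *
  * @param IPerson $Person person being asserted; Username and Email are read
  *
  * @return mixed result of static::throwUnauthorizedError() when no binding
  *               can be obtained, otherwise nothing
  */
 public static function handleLoginRequest(IPerson $Person)
 {
     try {
         $binding = Binding::getCurrentBinding();
     } catch (Exception $e) {
         return static::throwUnauthorizedError('Cannot obtain SAML2 binding');
     }
     $request = $binding->receive();

     // NOTE(review): unvalidated value from the incoming request, see docblock.
     $acsUrl = $request->getAssertionConsumerServiceURL();

     // build response
     $response = new Response();
     $response->setInResponseTo($request->getId());
     $response->setRelayState($request->getRelayState());
     $response->setDestination($acsUrl);

     // build assertion; the validity window is now - 30 s to now + 300 s
     $now = time();
     $assertion = new Assertion();
     $assertion->setIssuer(static::$issuer);
     $assertion->setSessionIndex(ContainerSingleton::getInstance()->generateId());
     $assertion->setNotBefore($now - 30);
     $assertion->setNotOnOrAfter($now + 300);
     $assertion->setAuthnContext(SAML2_Constants::AC_PASSWORD);

     // build subject confirmation; it expires together with the assertion and
     // is bound to the request ID and the recipient URL
     $sc = new SubjectConfirmation();
     $sc->Method = SAML2_Constants::CM_BEARER;
     $sc->SubjectConfirmationData = new SubjectConfirmationData();
     $sc->SubjectConfirmationData->NotOnOrAfter = $assertion->getNotOnOrAfter();
     $sc->SubjectConfirmationData->Recipient = $acsUrl;
     $sc->SubjectConfirmationData->InResponseTo = $request->getId();
     $assertion->setSubjectConfirmation([$sc]);

     // set NameID
     $assertion->setNameId([
         'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
         'Value' => $Person->Username . '@' . static::$issuer,
     ]);

     // set additional attributes
     $assertion->setAttributes([
         'User.Email' => [$Person->Email],
         'User.Username' => [$Person->Username],
     ]);

     // attach assertion to response
     $response->setAssertions([$assertion]);

     // create signature with RSA-SHA256: SHA-1 is no longer considered
     // collision-resistant and should not back a signature that service
     // providers rely on for authentication. A service provider pinned to
     // SHA-1 needs its configuration updated.
     $privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
     $privateKey->loadKey(static::$privateKey);
     $response->setSignatureKey($privateKey);
     $response->setCertificates([static::$certificate]);

     // prepare response
     // NOTE(review): only the disabled debug dump below reads this serialized
     // copy; presumably HTTPPost::send() serializes and signs the response
     // itself. Confirm before removing.
     $responseXML = $response->toSignedXML();
     $responseString = $responseXML->ownerDocument->saveXML($responseXML);

     // dump response and quit
     #        header('Content-Type: text/xml');
     #        die($responseString);

     // send response
     $responseBinding = new HTTPPost();
     $responseBinding->send($response);
 }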
 /**
  * Round-trip an assertion that has most of its optional fields populated.
  *
  * The assertion is built, serialized to XML, parsed back into a second
  * Assertion, and the parsed copy is then checked field by field.
  */
 public function testMarshallingUnmarshallingChristmas()
 {
     $issueInstant = 1234567890;

     // Build the assertion under test
     $original = new Assertion();
     $original->setIssuer('testIssuer');
     $original->setValidAudiences(['audience1', 'audience2']);

     // getAuthnContext() is the deprecated accessor; nothing has been set yet
     $this->assertNull($original->getAuthnContext());
     $original->setAuthnContext('someAuthnContext');
     $original->setAuthnContextDeclRef('/relative/path/to/document.xml');

     $original->setID("_123abc");
     $original->setIssueInstant($issueInstant);
     $original->setAuthnInstant($issueInstant - 1);
     $original->setNotBefore($issueInstant - 10);
     $original->setNotOnOrAfter($issueInstant + 100);
     $original->setSessionNotOnOrAfter(1234568890 + 200);
     $original->setSessionIndex("idx1");
     $original->setAuthenticatingAuthority(["idp1", "idp2"]);
     $original->setAttributes([
         "name1" => ["value1", "value2"],
         "name2" => [2],
         "name3" => [null],
     ]);
     $original->setAttributeNameFormat("urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");

     // Serialize, then parse the XML back into a fresh assertion
     $serialized = $original->toXML()->ownerDocument->saveXML();
     $document = DOMDocumentFactory::fromString($serialized);
     $parsed = new Assertion($document->firstChild);

     // Identifiers and validity window survive the round trip
     $this->assertEquals('/relative/path/to/document.xml', $parsed->getAuthnContextDeclRef());
     $this->assertEquals('_123abc', $parsed->getId());
     $this->assertEquals(1234567890, $parsed->getIssueInstant());
     $this->assertEquals(1234567889, $parsed->getAuthnInstant());
     $this->assertEquals(1234567880, $parsed->getNotBefore());
     $this->assertEquals(1234567990, $parsed->getNotOnOrAfter());
     $this->assertEquals(1234569090, $parsed->getSessionNotOnOrAfter());
     $this->assertEquals('idx1', $parsed->getSessionIndex());

     // Authenticating authorities keep their count and order
     $authorities = $parsed->getAuthenticatingAuthority();
     $this->assertCount(2, $authorities);
     $this->assertEquals("idp2", $authorities[1]);

     // Attributes keep their names and values
     $parsedAttributes = $parsed->getAttributes();
     $this->assertCount(3, $parsedAttributes);
     $this->assertCount(2, $parsedAttributes['name1']);
     $this->assertEquals("value1", $parsedAttributes['name1'][0]);
     $this->assertEquals(2, $parsedAttributes['name2'][0]);
     // NOTE: nil attribute is currently parsed as string..
     //$this->assertNull($parsedAttributes["name3"][0]);

     $this->assertEquals(
         "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
         $parsed->getAttributeNameFormat()
     );
 }