Note that the authentication context must be set before the
session index can be included in the assertion.
public setSessionIndex ( string | null $sessionIndex ) | ||
$sessionIndex | string | null | The session index of the user at the IdP. |
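/**
 * Handle an incoming SAML2 AuthnRequest for an already-authenticated person:
 * build a Response carrying one signed bearer Assertion and hand it to the
 * requesting SP via the HTTP-POST binding.
 *
 * @param IPerson $Person the authenticated user; Username and Email are read
 * @return mixed the result of static::throwUnauthorizedError() when the current
 *               binding cannot be determined; otherwise nothing is returned and
 *               the HTTP-POST binding emits the response
 */
public static function handleLoginRequest(IPerson $Person)
{
    try {
        $binding = Binding::getCurrentBinding();
    } catch (Exception $e) {
        return static::throwUnauthorizedError('Cannot obtain SAML2 binding');
    }

    $request = $binding->receive();
    $requestId = $request->getId();
    $acsUrl = $request->getAssertionConsumerServiceURL();

    // NOTE(review): $acsUrl and $requestId are taken verbatim from the received
    // AuthnRequest and become the Destination/Recipient of a signed assertion.
    // They should be checked against the SP's registered ACS endpoints before
    // use — TODO confirm whether Binding::receive() or a caller already does so.

    // One timestamp so NotBefore and NotOnOrAfter share a reference point.
    $now = time();

    // build response
    $response = new Response();
    $response->setInResponseTo($requestId);
    $response->setRelayState($request->getRelayState());
    $response->setDestination($acsUrl);

    // build assertion; AuthnContext is set before the SessionIndex because the
    // index is only emitted as part of an AuthnStatement
    $assertion = new Assertion();
    $assertion->setIssuer(static::$issuer);
    $assertion->setAuthnContext(SAML2_Constants::AC_PASSWORD);
    $assertion->setSessionIndex(ContainerSingleton::getInstance()->generateId());
    $assertion->setNotBefore($now - 30);     // 30 s of clock-skew tolerance
    $assertion->setNotOnOrAfter($now + 300); // assertion usable for 5 minutes

    // build subject confirmation (bearer: the SP checks Recipient and InResponseTo)
    $sc = new SubjectConfirmation();
    $sc->Method = SAML2_Constants::CM_BEARER;
    $sc->SubjectConfirmationData = new SubjectConfirmationData();
    $sc->SubjectConfirmationData->NotOnOrAfter = $assertion->getNotOnOrAfter();
    $sc->SubjectConfirmationData->Recipient = $acsUrl;
    $sc->SubjectConfirmationData->InResponseTo = $requestId;
    $assertion->setSubjectConfirmation([$sc]);

    // set NameID: email-format identifier scoped to this issuer
    $assertion->setNameId([
        'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        'Value' => $Person->Username . '@' . static::$issuer,
    ]);

    // set additional attributes
    $assertion->setAttributes([
        'User.Email' => [$Person->Email],
        'User.Username' => [$Person->Username],
    ]);

    // attach assertion to response
    $response->setAssertions([$assertion]);

    // create signature: RSA-SHA256 instead of the deprecated RSA-SHA1 digest
    $privateKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
    $privateKey->loadKey(static::$privateKey);
    $response->setSignatureKey($privateKey);
    $response->setCertificates([static::$certificate]);

    // send response; the binding serialises and signs the message itself, so
    // no separate toSignedXML() pass is needed here
    $responseBinding = new HTTPPost();
    $responseBinding->send($response);
}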
/**
 * Round-trip an Assertion populated with most optional fields through XML
 * and check that every value survives marshalling and unmarshalling.
 */
public function testMarshallingUnmarshallingChristmas()
{
    $base = 1234567890;

    // Create an assertion
    $assertion = new Assertion();
    $assertion->setIssuer('testIssuer');
    $assertion->setValidAudiences(['audience1', 'audience2']); // deprecated function

    // AuthnContext starts out unset
    $this->assertNull($assertion->getAuthnContext());
    $assertion->setAuthnContext('someAuthnContext');
    $assertion->setAuthnContextDeclRef('/relative/path/to/document.xml');

    $assertion->setID('_123abc');
    $assertion->setIssueInstant($base);
    $assertion->setAuthnInstant($base - 1);
    $assertion->setNotBefore($base - 10);
    $assertion->setNotOnOrAfter($base + 100);
    $assertion->setSessionNotOnOrAfter(1234568890 + 200);
    $assertion->setSessionIndex('idx1');
    $assertion->setAuthenticatingAuthority(['idp1', 'idp2']);
    $assertion->setAttributes([
        'name1' => ['value1', 'value2'],
        'name2' => [2],
        'name3' => [null],
    ]);
    $assertion->setAttributeNameFormat('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified');

    // Serialise to XML and parse it back into a fresh Assertion
    $xml = $assertion->toXML()->ownerDocument->saveXML();
    $parsed = new Assertion(DOMDocumentFactory::fromString($xml)->firstChild);

    $this->assertEquals('/relative/path/to/document.xml', $parsed->getAuthnContextDeclRef());
    $this->assertEquals('_123abc', $parsed->getId());
    $this->assertEquals(1234567890, $parsed->getIssueInstant());
    $this->assertEquals(1234567889, $parsed->getAuthnInstant());
    $this->assertEquals(1234567880, $parsed->getNotBefore());
    $this->assertEquals(1234567990, $parsed->getNotOnOrAfter());
    $this->assertEquals(1234569090, $parsed->getSessionNotOnOrAfter());
    $this->assertEquals('idx1', $parsed->getSessionIndex());

    $authorities = $parsed->getAuthenticatingAuthority();
    $this->assertCount(2, $authorities);
    $this->assertEquals('idp2', $authorities[1]);

    $attributes = $parsed->getAttributes();
    $this->assertCount(3, $attributes);
    $this->assertCount(2, $attributes['name1']);
    $this->assertEquals('value1', $attributes['name1'][0]);
    $this->assertEquals(2, $attributes['name2'][0]);
    // NOTE: a nil attribute value (name3) is currently parsed back as a string,
    // so no assertNull() check is made on it.
    $this->assertEquals('urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified', $parsed->getAttributeNameFormat());
}