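// Tail of a function whose signature lies before this excerpt; left unchanged.
{
    $xpath = new DOMXPath($xml);
    $xpath->registerNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");
    $xpath->registerNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
    //$query = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID";
    $query = "/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute";
    $entries = $xpath->query($query);
    return $entries->item(0)->nodeValue;
}

/**
 * Generate an opaque bearer token, used both in the access_token fragment
 * handed to the browser and in the Redis key that stores its scopes.
 *
 * Uses random_bytes() (the CSPRNG) instead of concatenated mt_rand() output:
 * the Mersenne Twister is not a cryptographic generator, so tokens derived
 * from it can be predicted by anyone who observes a few of them.
 *
 * @return string 64 hexadecimal characters (256 bits of entropy)
 */
function genToken()
{
    return bin2hex(random_bytes(32));
}

if (is_valid($document, $x509certificate)) {
    // NOTE(review): is_valid() is defined outside this excerpt. Confirm that it
    // verifies the signature covering the very saml:Assertion get_nameid()
    // reads from, and that Conditions (NotBefore/NotOnOrAfter), Audience and
    // InResponseTo are checked somewhere; nothing below does.
    $authedUser = get_nameid($document);

    // Every cookie read below is client-controlled input: it selects the
    // account, the scopes and the redirect target, so it is checked and
    // escaped before use.
    $desiredUser = $_COOKIE['userId'] ?? '';

    // Strict comparison: '!=' would compare numeric-looking identifiers
    // numerically, and an assertion that yields no user must never match.
    if ($authedUser === null || $authedUser === '' || $authedUser !== $desiredUser) {
        // Both identifiers are written into the HTML body; escape them so a
        // crafted cookie or attribute value cannot inject markup.
        echo "Sorry, you want to log in to '"
            . htmlspecialchars($desiredUser, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "' but it looks like you are '"
            . htmlspecialchars((string) $authedUser, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "'. Please go away.";
        exit;
    }

    $token = genToken();
    $categories = json_encode(explode(',', $_COOKIE['scope'] ?? ''));
    $redis->set('token:' . $desiredUser . ':' . $token, $categories);

    // NOTE(review): redirectUri comes from a cookie and is not checked against
    // the client's registered redirect URI(s), so the token in the fragment is
    // delivered to whatever location the browser side set. Restrict it before
    // relying on this flow. (header() itself refuses values containing CR/LF,
    // so header injection is not the concern here.)
    header('Location: ' . ($_COOKIE['redirectUri'] ?? '') . '#access_token=' . urlencode($token));
    exit; // nothing may be emitted after the redirect
} else {
    echo '<!DOCTYPE html><head><meta charset="utf-8"><title>No go</title></head><body>' . 'Sorry, no access.' . '</body></html>';
}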
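<?php

declare(strict_types=1);

// Test fixture: a captured SAML 2.0 Response carrying two enveloped XML
// signatures (Response and Assertion). The X509Certificate contents in this
// copy look elided/garbled rather than base64, so loadXML() may reject the
// fixture; the check below reports that instead of failing silently.
$documentStr = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfxc51666df-5522-b5b5-4b1e-f4702c7d0e5d" Version="2.0" IssueInstant="2012-02-17T13:08:20Z" Destination="http://surf.unhosted.org:81/saml2.php" InResponseTo="_8458820a428d12d12d7dded7418ee10928a4dd9b8"><saml:Issuer>http://frkosp.wind.surfnet.nl/sspidp/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfxc51666df-5522-b5b5-4b1e-f4702c7d0e5d"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>URvdErg615pAQBVDZqPvECG6MDA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>BGzBVRjk8xsnPt4l2jMZbch7rjctL5RZptD6J0P7VSxTqZOl/m3CE6YiC0TZEF88vhmfJ0JeG/RTk2f0h23nAcZSlVwvEUHlKpZQcnEFT3rEUMR4h3JQFu4wi/6l4FgrgHPakufE27Jq8ofSD/Sx8FtHYpgZC4yUsGUz1dNdzEKiAuJHP1zR+aHG/S9o/tp01BWJgCMELomBhWDUPuTFeeVcUYcduqxuWmcwLK3nefl0gTLm+7C1meOg4d8dMcfAKBHG0p2LieKrUke7Aa9iPPSgtpQERusNZxBQkSTVU9j1F6nnaI8EtlnMUHJm5FXoytR2Z54EhR+5rvB+BTbDRQ==</ds:SignatureValue> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>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'
    . '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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="pfxa3574f5e-ef3f-f2cc-6c67-6c774d715221" Version="2.0" IssueInstant="2012-02-17T13:08:20Z">'
    . '<saml:Issuer>http://frkosp.wind.surfnet.nl/sspidp/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#pfxa3574f5e-ef3f-f2cc-6c67-6c774d715221"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>kDOsGfgZxBJFZkk5wcfwxbly8sY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>OTsvjpGEJUuRzyhoY2FIr/NaN0s+U7r9ID2nsG99bHg6o8WVwu4EITECvq9cmBqoxAccPwwf+Q4udqc1GLl1uCdWBupAuWK39MSNl4O9zIES4dc+UcmltcQAekCIdwDTT/5uDEpDaMUxgWlH+KqTjMUV86C/9ar+NMvCDrH2NueT6AIuoyR6yzEnMIQRmfPyOj6L66aypL7ZcOBWbf1DiXLnEPLrl+Z6dGt0en/QLyY1JsocGk4mXrnTTaLrBMyutF8HDD25WFNED0eTOFeKHd7arE0gi5DdiUpogxmwKiLItFhE1aLOiP0JTPjCWmHy9/dHffgJ1JDejqJpbBNgUA==</ds:SignatureValue> <ds:KeyInfo><ds:X509Data><ds:X509Certificate>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'
    . 'U/6WXvEqXv30ErANNubZ9pOviJg9muuhIc5HKtFTta48XUscXViG7X4iPOX0R+J5pHPwiIQxUppv08Mpv00g49tEdghb/6nHJVJ9hrz33UJUN3K6NtA29sgUaznzUSruqhEVliolRskw8RUebZRiryQi2Fj/HIuLe9PcXB8HlqFi8DpUCuStyDU/dKe4cpj1wpuGpqbpH3iWiBV5AG1nj1CejGglKKmjiV4fMLvE6EnxIH+5Hk4n6VsCpyUXHtJcqvnWQLMa4oaCShGiv+gukjwVRkOc4k=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="http://surf.unhosted.org:81/saml.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_4d95e7167c807f3c088b00a62b8c9e19ddb8e03ebf</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2012-02-17T13:13:20Z" Recipient="http://surf.unhosted.org:81/saml2.php" InResponseTo="_8458820a428d12d12d7dded7418ee10928a4dd9b8"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2012-02-17T13:07:50Z" NotOnOrAfter="2012-02-17T13:13:20Z"><saml:AudienceRestriction><saml:Audience>http://surf.unhosted.org:81/saml.php</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2012-02-17T11:52:19Z" SessionNotOnOrAfter="2012-02-17T21:08:20Z" SessionIndex="_c9448b7b773f1c24cb073012ae0ca305cf5b356c7f"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">alice</saml:AttributeValue></saml:Attribute><saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Alice</saml:AttributeValue></saml:Attribute><saml:Attribute Name="objectClass" Name'
    . 'Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">top</saml:AttributeValue><saml:AttributeValue xsi:type="xs:string">person</saml:AttributeValue><saml:AttributeValue xsi:type="xs:string">organizationalPerson</saml:AttributeValue><saml:AttributeValue xsi:type="xs:string">inetorgperson</saml:AttributeValue></saml:Attribute><saml:Attribute Name="sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">in Wonderland</saml:AttributeValue></saml:Attribute><saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">Alice in Wonderland</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>';

// Collect parser diagnostics instead of letting libxml emit warnings, and
// check the return value: on failure the document is simply empty and every
// XPath query below would come back empty without explanation.
// LIBXML_NONET: never fetch external resources while parsing. The same flag
// (and no LIBXML_NOENT / LIBXML_DTDLOAD) belongs wherever the real, untrusted
// response is parsed.
libxml_use_internal_errors(true);
$document = new DOMDocument();
if ($document->loadXML($documentStr, LIBXML_NONET) === false) {
    foreach (libxml_get_errors() as $error) {
        error_log('fixture did not parse: ' . trim($error->message));
    }
    libxml_clear_errors();
}

/**
 * Extract the value this script treats as the authenticated user.
 *
 * Despite the name, the query below does NOT read saml:Subject/saml:NameID
 * (that query is kept commented out); it takes the FIRST saml:Attribute of
 * the AttributeStatement in document order and returns its nodeValue, i.e.
 * the concatenated text of all its AttributeValue children. Which attribute
 * comes first is decided by the IdP, not by this code, and a multi-valued
 * attribute would yield its values run together.
 *
 * @param DOMDocument $xml parsed samlp:Response
 * @return string|null text of the first Attribute, or null when the response
 *                     has no AttributeStatement/Attribute
 */
function get_nameid(DOMDocument $xml): ?string
{
    $xpath = new DOMXPath($xml);
    $xpath->registerNamespace("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");
    $xpath->registerNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
    //$query = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID";
    $query = "/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute";
    $entries = $xpath->query($query);
    var_dump($entries);
    // A missing element used to be dereferenced blindly (warning, then null);
    // make the null return explicit. query() itself yields false on a bad path.
    $first = $entries === false ? null : $entries->item(0);
    return $first === null ? null : $first->nodeValue;
}

echo "\n" . get_nameid($document) . "\n\n";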