Author: Andreas Åkre Solberg, UNINETT AS. (andreas.solberg@uninett.no)
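 /**
  * Send a SAML 1.1 response to the SP.
  *
  * Builds an AuthnResponse from the attributes in the authentication state,
  * records a statistics entry and hands the XML to the HTTP-POST binding
  * for delivery to the SP's assertion consumer service ("shire").
  *
  * @param array $state  The authentication state. Must contain 'Attributes',
  *                      'SPMetadata' and 'saml:shire'; the key 'saml:target'
  *                      must exist but its value may be NULL.
  */
 public static function sendResponse(array $state)
 {
     // Expression-form assertions: string arguments to assert() are deprecated
     // since PHP 7.2 and are no longer evaluated on PHP 8 (a non-empty string is
     // simply truthy, so the old checks would always pass).
     assert(isset($state['Attributes']));
     assert(isset($state['SPMetadata']));
     assert(isset($state['saml:shire']));
     assert(array_key_exists('saml:target', $state));
     // Can be NULL
     $spMetadata = $state['SPMetadata'];
     $spEntityId = $spMetadata['entityid'];
     // The second argument is only a location label used in error messages.
     $spMetadata = SimpleSAML_Configuration::loadFromArray($spMetadata, '$metadata[' . var_export($spEntityId, TRUE) . ']');
     SimpleSAML\Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE));
     $attributes = $state['Attributes'];
     $shire = $state['saml:shire'];
     $target = $state['saml:target'];
     $idp = SimpleSAML_IdP::getByState($state);
     $idpMetadata = $idp->getConfig();
     $config = SimpleSAML_Configuration::getInstance();
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $statsData = array(
         'spEntityID' => $spEntityId,
         'idpEntityID' => $idpMetadata->getString('entityid'),
         'protocol' => 'saml1',
     );
     // Login duration is only known when the request arrival time was recorded.
     if (isset($state['saml:AuthnRequestReceivedAt'])) {
         $statsData['logintime'] = microtime(TRUE) - $state['saml:AuthnRequestReceivedAt'];
     }
     SimpleSAML_Stats::log('saml:idp:Response', $statsData);
     // Generate and send response.
     $ar = new SimpleSAML_XML_Shib13_AuthnResponse();
     $authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes);
     $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
     $httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire);
 }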
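 /**
  * Decode a received SAML 1.1 response from HTTP-POST binding data.
  *
  * The SAMLResponse parameter is base64-decoded and schema-validated here;
  * no signature verification is performed by this method.
  *
  * @param array $post  POST data received (untrusted client input).
  * @return SimpleSAML_XML_Shib13_AuthnResponse  Response.
  * @throws Exception  If SAMLResponse is missing, is not a string, or is not valid base64.
  */
 public function decodeResponse($post)
 {
     assert(is_array($post));
     if (!array_key_exists('SAMLResponse', $post)) {
         throw new Exception('Missing required SAMLResponse parameter.');
     }
     $rawResponse = $post['SAMLResponse'];
     // A request such as SAMLResponse[]=... arrives as an array; reject it
     // before it reaches base64_decode().
     if (!is_string($rawResponse)) {
         throw new Exception('Invalid SAMLResponse parameter: expected a string.');
     }
     // Strict decoding returns FALSE for characters outside the base64
     // alphabet instead of silently discarding them.
     $samlResponseXML = base64_decode($rawResponse, TRUE);
     if ($samlResponseXML === FALSE) {
         throw new Exception('Invalid SAMLResponse parameter: not valid base64.');
     }
     SimpleSAML_Utilities::debugMessage($samlResponseXML, 'in');
     SimpleSAML_Utilities::validateXMLDocument($samlResponseXML, 'saml11');
     $samlResponse = new SimpleSAML_XML_Shib13_AuthnResponse();
     $samlResponse->setXML($samlResponseXML);
     // TARGET carries the SAML 1.1 equivalent of RelayState; it is optional.
     if (array_key_exists('TARGET', $post)) {
         $samlResponse->setRelayState($post['TARGET']);
     }
     return $samlResponse;
 }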
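 /**
  * Send a SAML 1.1 response to the SP.
  *
  * Builds an AuthnResponse from the attributes in the authentication state
  * and hands the XML to the HTTP-POST binding for delivery to the SP's
  * assertion consumer service ("shire").
  *
  * @param array $state  The authentication state. Must contain 'Attributes',
  *                      'SPMetadata' and 'saml:shire'; the key 'saml:target'
  *                      must exist but its value may be NULL.
  */
 public static function sendResponse(array $state)
 {
     // Expression-form assertions: string arguments to assert() are deprecated
     // since PHP 7.2 and are no longer evaluated on PHP 8 (a non-empty string is
     // simply truthy, so the old checks would always pass).
     assert(isset($state['Attributes']));
     assert(isset($state['SPMetadata']));
     assert(isset($state['saml:shire']));
     assert(array_key_exists('saml:target', $state));
     // Can be NULL.
     $spMetadata = $state['SPMetadata'];
     $spEntityId = $spMetadata['entityid'];
     // The second argument is only a location label used in error messages.
     $spMetadata = SimpleSAML_Configuration::loadFromArray($spMetadata, '$metadata[' . var_export($spEntityId, TRUE) . ']');
     SimpleSAML_Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE));
     $attributes = $state['Attributes'];
     $shire = $state['saml:shire'];
     $target = $state['saml:target'];
     $idp = SimpleSAML_IdP::getByState($state);
     $idpMetadata = $idp->getConfig();
     $config = SimpleSAML_Configuration::getInstance();
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     /* Generate and send response. */
     $ar = new SimpleSAML_XML_Shib13_AuthnResponse();
     $authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes);
     $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
     $httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire);
 }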
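$spMetadata = $source->getMetadata();
/*
 * Obtain the response XML from whichever SAML 1.1 binding the request used.
 * Artifact responses are fetched from the IdP over a certificate-validated
 * channel; POSTed responses arrive unauthenticated and must be signature
 * checked by validate() below.
 */
if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
    }
    $idpMetadata = $source->getIdPMetadata($state['saml:idp']);
    $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
    $isValidated = TRUE;
    /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
    $responseXML = $_REQUEST['SAMLResponse'];
    /* SAMLResponse[]=... arrives as an array; reject it before decoding. */
    if (!is_string($responseXML)) {
        throw new SimpleSAML_Error_Exception('Invalid SAMLResponse parameter: expected a string.');
    }
    /* Strict decoding returns FALSE on characters outside the base64 alphabet. */
    $responseXML = base64_decode($responseXML, TRUE);
    if ($responseXML === FALSE) {
        throw new SimpleSAML_Error_Exception('Invalid SAMLResponse parameter: not valid base64.');
    }
    $isValidated = FALSE;
    /* Must check signature on response. */
} else {
    /*
     * Neither binding parameter was sent. This used to be assert('FALSE'),
     * which is skipped when assertions are disabled and always passes on
     * PHP 8, leaving $responseXML undefined below; fail explicitly instead.
     */
    throw new SimpleSAML_Error_Exception('Missing SAMLart or SAMLResponse parameter.');
}
$response = new SimpleSAML_XML_Shib13_AuthnResponse();
$response->setXML($responseXML);
$response->setMessageValidated($isValidated);
$response->validate();
$responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes();
/* A solicited response must come from the IdP the request was sent to. */
if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
    throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
}
$logoutState = array('saml:logout:Type' => 'saml1');
$state['LogoutState'] = $logoutState;
$source->handleResponse($state, $responseIssuer, $attributes);
/* handleResponse() is not expected to return. */
assert(false);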
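/*
 * Obtain the response XML from whichever SAML 1.1 binding the request used.
 * Artifact responses are fetched from the IdP over a certificate-validated
 * channel; POSTed responses arrive unauthenticated and must be signature
 * checked by validate() below.
 */
if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
    }
    $idpMetadata = $source->getIdPMetadata($state['saml:idp']);
    $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
    $isValidated = TRUE;
    /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
    $responseXML = $_REQUEST['SAMLResponse'];
    /* SAMLResponse[]=... arrives as an array; reject it before decoding. */
    if (!is_string($responseXML)) {
        throw new SimpleSAML_Error_Exception('Invalid SAMLResponse parameter: expected a string.');
    }
    /* Strict decoding returns FALSE on characters outside the base64 alphabet. */
    $responseXML = base64_decode($responseXML, TRUE);
    if ($responseXML === FALSE) {
        throw new SimpleSAML_Error_Exception('Invalid SAMLResponse parameter: not valid base64.');
    }
    $isValidated = FALSE;
    /* Must check signature on response. */
} else {
    /*
     * Neither binding parameter was sent. This used to be assert('FALSE'),
     * which is skipped when assertions are disabled and always passes on
     * PHP 8, leaving $responseXML undefined below; fail explicitly instead.
     */
    throw new SimpleSAML_Error_Exception('Missing SAMLart or SAMLResponse parameter.');
}
$response = new SimpleSAML_XML_Shib13_AuthnResponse();
$response->setXML($responseXML);
$response->setMessageValidated($isValidated);
$response->validate();
$responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes();
/* A solicited response must come from the IdP the request was sent to. */
if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
    throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
}
$logoutState = array('saml:logout:Type' => 'saml1');
$state['LogoutState'] = $logoutState;
$state['saml:sp:NameID'] = $response->getNameID();
$source->handleResponse($state, $responseIssuer, $attributes);
/* handleResponse() is not expected to return. */
assert(false);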
    if (!array_key_exists('AssertionConsumerService', $spmetadata)) {
        throw new Exception('Could not find [AssertionConsumerService] in Shib 1.3 Service Provider remote metadata.');
    }
    /* The requested shire must exactly match one of the SP's registered ACS endpoints. */
    $foundACS = FALSE;
    foreach (SimpleSAML_Utilities::arrayize($spmetadata['AssertionConsumerService']) as $acs) {
        if ($acs !== $shire) {
            continue;
        }
        SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Found AssertionConsumerService: ' . $acs);
        $foundACS = TRUE;
        break;
    }
    if ($foundACS === FALSE) {
        $spLabel = var_export($spmetadata['entityid'], TRUE);
        $shireLabel = var_export($shire, TRUE);
        throw new Exception('Invalid AssertionConsumerService for SP ' . $spLabel . ': ' . $shireLabel);
    }
    $attributes = $session->getAttributes();
    /* Authentication processing operations. */
    if (!isset($authProcState)) {
        /* Not processed: run the IdP-side processing chain once. */
        $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'idp');
        $authProcState = array(
            'core:shib13-idp:requestcache' => $requestcache,
            'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(),
            'Attributes' => $attributes,
            'Destination' => $spmetadata,
            'Source' => $idpmetadata,
        );
        $pc->processState($authProcState);
    }
    /* Use the (possibly filtered) attributes produced by the processing chain. */
    $attributes = $authProcState['Attributes'];
    /* Generate and send response. */
    $ar = new SimpleSAML_XML_Shib13_AuthnResponse();
    $authnResponseXML = $ar->generate($idpmetadata, $spmetadata, $shire, $attributes);
    $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
    $httppost->sendResponse($authnResponseXML, $idpmetadata, $spmetadata, $requestcache['RelayState'], $shire);
} catch (Exception $exception) {
    SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception);
}