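/**
 * Send a SAML 1.1 response to the SP.
 *
 * The authentication state must already carry the attributes, the SP
 * metadata and the "saml:shire" / "saml:target" values stored when the
 * request was received; this method only builds and posts the response.
 *
 * @param array $state The authentication state.
 */
public static function sendResponse(array $state)
{
    // Expression assertions instead of string assertions: a string argument is
    // eval()'d before PHP 8 and is simply a truthy string from PHP 8 on, so the
    // checks would silently never run.
    assert(isset($state['Attributes']));
    assert(isset($state['SPMetadata']));
    assert(isset($state['saml:shire']));
    assert(array_key_exists('saml:target', $state)); // Can be NULL

    $spMetadata = $state['SPMetadata'];
    $spEntityId = $spMetadata['entityid'];
    $spMetadata = SimpleSAML_Configuration::loadFromArray(
        $spMetadata,
        '$metadata[' . var_export($spEntityId, TRUE) . ']'
    );

    SimpleSAML\Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE));

    $attributes = $state['Attributes'];
    $shire = $state['saml:shire'];
    $target = $state['saml:target'];

    $idp = SimpleSAML_IdP::getByState($state);
    $idpMetadata = $idp->getConfig();

    $config = SimpleSAML_Configuration::getInstance();
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

    // Login statistics; the login time is only known when the request
    // receipt timestamp was recorded in the state.
    $statsData = array(
        'spEntityID' => $spEntityId,
        'idpEntityID' => $idpMetadata->getString('entityid'),
        'protocol' => 'saml1',
    );
    if (isset($state['saml:AuthnRequestReceivedAt'])) {
        $statsData['logintime'] = microtime(TRUE) - $state['saml:AuthnRequestReceivedAt'];
    }
    SimpleSAML_Stats::log('saml:idp:Response', $statsData);

    // Generate and send response.
    $ar = new SimpleSAML_XML_Shib13_AuthnResponse();
    $authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes);

    $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
    $httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire);
}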
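/**
 * Decode a received SAML 1.1 response.
 *
 * This only base64-decodes the SAMLResponse parameter, runs it through
 * validateXMLDocument() and wraps it in an AuthnResponse object. It does
 * not call validate() on the response, so the caller must still validate
 * it before trusting its contents.
 *
 * @param array $post POST data received.
 * @return SimpleSAML_XML_Shib13_AuthnResponse Response.
 * @throws Exception If the SAMLResponse parameter is missing or cannot be decoded.
 */
public function decodeResponse($post)
{
    // Expression assertion: a string assertion is a truthy string on PHP 8.
    assert(is_array($post));

    if (!array_key_exists('SAMLResponse', $post)) {
        throw new Exception('Missing required SAMLResponse parameter.');
    }

    $rawResponse = $post['SAMLResponse'];
    $samlResponseXML = base64_decode($rawResponse);
    // base64_decode() returns FALSE on malformed input; fail here rather than
    // handing FALSE to the XML parser.
    if ($samlResponseXML === FALSE) {
        throw new Exception('Unable to base64-decode the SAMLResponse parameter.');
    }

    SimpleSAML_Utilities::debugMessage($samlResponseXML, 'in');
    SimpleSAML_Utilities::validateXMLDocument($samlResponseXML, 'saml11');

    $samlResponse = new SimpleSAML_XML_Shib13_AuthnResponse();
    $samlResponse->setXML($samlResponseXML);

    // TARGET carries the SAML 1.1 relay state, when present.
    if (array_key_exists('TARGET', $post)) {
        $samlResponse->setRelayState($post['TARGET']);
    }

    return $samlResponse;
}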
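/**
 * Send a SAML 1.1 response to the SP.
 *
 * The authentication state must already carry the attributes, the SP
 * metadata and the "saml:shire" / "saml:target" values stored when the
 * request was received; this method only builds and posts the response.
 *
 * @param array $state The authentication state.
 */
public static function sendResponse(array $state)
{
    // Expression assertions instead of string assertions: a string argument is
    // eval()'d before PHP 8 and is simply a truthy string from PHP 8 on, so the
    // checks would silently never run.
    assert(isset($state['Attributes']));
    assert(isset($state['SPMetadata']));
    assert(isset($state['saml:shire']));
    assert(array_key_exists('saml:target', $state)); // Can be NULL.

    $spMetadata = $state['SPMetadata'];
    $spEntityId = $spMetadata['entityid'];
    $spMetadata = SimpleSAML_Configuration::loadFromArray(
        $spMetadata,
        '$metadata[' . var_export($spEntityId, TRUE) . ']'
    );

    SimpleSAML_Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE));

    $attributes = $state['Attributes'];
    $shire = $state['saml:shire'];
    $target = $state['saml:target'];

    $idp = SimpleSAML_IdP::getByState($state);
    $idpMetadata = $idp->getConfig();

    $config = SimpleSAML_Configuration::getInstance();
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

    /* Generate and send response. */
    $ar = new SimpleSAML_XML_Shib13_AuthnResponse();
    $authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes);

    $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
    $httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire);
}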
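// Receive the SAML 1.1 response either via the artifact binding (SAMLart) or
// as a POSTed SAMLResponse. Anything taken from $_REQUEST is untrusted input
// until $response->validate() below has succeeded.
$spMetadata = $source->getMetadata();

if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception(
            'IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.'
        );
    }
    $idpMetadata = $source->getIdPMetadata($state['saml:idp']);

    $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
    $isValidated = TRUE; /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
    $responseXML = base64_decode($_REQUEST['SAMLResponse']);
    // base64_decode() returns FALSE on malformed input; do not feed FALSE to setXML().
    if ($responseXML === FALSE) {
        throw new SimpleSAML_Error_Exception('Unable to base64-decode the SAMLResponse parameter.');
    }
    $isValidated = FALSE; /* Must check signature on response. */
} else {
    // This was assert('FALSE'): a string assertion is skipped when assertions
    // are disabled and is always truthy on PHP 8, which would leave
    // $responseXML undefined and continue. Fail explicitly instead.
    throw new SimpleSAML_Error_Exception('Missing SAMLart or SAMLResponse parameter in request.');
}

$response = new SimpleSAML_XML_Shib13_AuthnResponse();
$response->setXML($responseXML);
$response->setMessageValidated($isValidated);
$response->validate();

$responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes();

// For a solicited response the issuer must be the IdP we sent the request to.
if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
    throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
}

$logoutState = array('saml:logout:Type' => 'saml1');
$state['LogoutState'] = $logoutState;

$source->handleResponse($state, $responseIssuer, $attributes);
// handleResponse() is not expected to return; expression form so the
// assertion still fires when assertions are enabled.
assert(FALSE);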
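// Receive the SAML 1.1 response either via the artifact binding (SAMLart) or
// as a POSTed SAMLResponse. Anything taken from $_REQUEST is untrusted input
// until $response->validate() below has succeeded.
if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception(
            'IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.'
        );
    }
    $idpMetadata = $source->getIdPMetadata($state['saml:idp']);

    $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
    $isValidated = TRUE; /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
    $responseXML = base64_decode($_REQUEST['SAMLResponse']);
    // base64_decode() returns FALSE on malformed input; do not feed FALSE to setXML().
    if ($responseXML === FALSE) {
        throw new SimpleSAML_Error_Exception('Unable to base64-decode the SAMLResponse parameter.');
    }
    $isValidated = FALSE; /* Must check signature on response. */
} else {
    // This was assert('FALSE'): a string assertion is skipped when assertions
    // are disabled and is always truthy on PHP 8, which would leave
    // $responseXML undefined and continue. Fail explicitly instead.
    throw new SimpleSAML_Error_Exception('Missing SAMLart or SAMLResponse parameter in request.');
}

$response = new SimpleSAML_XML_Shib13_AuthnResponse();
$response->setXML($responseXML);
$response->setMessageValidated($isValidated);
$response->validate();

$responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes();

// For a solicited response the issuer must be the IdP we sent the request to.
if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
    throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
}

$logoutState = array('saml:logout:Type' => 'saml1');
$state['LogoutState'] = $logoutState;
// Kept in the state so a later logout can reference the same subject.
$state['saml:sp:NameID'] = $response->getNameID();

$source->handleResponse($state, $responseIssuer, $attributes);
// handleResponse() is not expected to return; expression form so the
// assertion still fires when assertions are enabled.
assert(FALSE);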
if (!array_key_exists('AssertionConsumerService', $spmetadata)) { throw new Exception('Could not find [AssertionConsumerService] in Shib 1.3 Service Provider remote metadata.'); } $foundACS = FALSE; foreach (SimpleSAML_Utilities::arrayize($spmetadata['AssertionConsumerService']) as $acs) { if ($acs === $shire) { SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Found AssertionConsumerService: ' . $acs); $foundACS = TRUE; break; } } if (!$foundACS) { throw new Exception('Invalid AssertionConsumerService for SP ' . var_export($spmetadata['entityid'], TRUE) . ': ' . var_export($shire, TRUE)); } $attributes = $session->getAttributes(); /* Authentication processing operations. */ if (!isset($authProcState)) { /* Not processed. */ $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'idp'); $authProcState = array('core:shib13-idp:requestcache' => $requestcache, 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spmetadata, 'Source' => $idpmetadata); $pc->processState($authProcState); } $attributes = $authProcState['Attributes']; /* Generate and send response. */ $ar = new SimpleSAML_XML_Shib13_AuthnResponse(); $authnResponseXML = $ar->generate($idpmetadata, $spmetadata, $shire, $attributes); $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $httppost->sendResponse($authnResponseXML, $idpmetadata, $spmetadata, $requestcache['RelayState'], $shire); } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception); }