Check the signature on a SAML2 message, if signature checking is enabled.
public static function validateMessage(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, $message)

Parameters:
- $srcMetadata (SimpleSAML_Configuration): The metadata of the sender.
- $dstMetadata (SimpleSAML_Configuration): The metadata of the recipient.
- $message: The message whose signature should be checked.
/**
 * Receive a logout message (LogoutRequest or LogoutResponse) on the IdP's logout endpoint.
 *
 * The message is read from the current binding, required to carry an issuer,
 * checked with sspmod_saml_Message::validateMessage() against the issuing SP's
 * 'saml20-sp-remote' metadata, and only then handed to the IdP's logout
 * handling according to its type.
 *
 * @param SimpleSAML_IdP $idp The IdP we are receiving it for.
 * @throws SimpleSAML_Error_BadRequest If the message has no issuer, or is neither a
 *         SAML2_LogoutResponse nor a SAML2_LogoutRequest.
 */
public static function receiveLogoutMessage(SimpleSAML_IdP $idp) {
    $currentBinding = SAML2_Binding::getCurrentBinding();
    $logoutMessage = $currentBinding->receive();

    $spEntityId = $logoutMessage->getIssuer();
    if ($spEntityId === NULL) {
        /* Without an issuer we can neither look up the sender's metadata nor respond to it. */
        throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
    }

    $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpMetadata = $idp->getConfig();
    $spMetadata = $metadataHandler->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

    /* The message is validated before any branch below acts on its contents. */
    sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $logoutMessage);

    /* Both IdP logout handlers are keyed by the same association id for this SP. */
    $assocId = 'saml:' . $spEntityId;

    if ($logoutMessage instanceof SAML2_LogoutResponse) {
        SimpleSAML_Logger::info('Received SAML 2.0 LogoutResponse from: ' . var_export($spEntityId, TRUE));

        $succeeded = $logoutMessage->isSuccess();

        $statsData = array(
            'spEntityID' => $spEntityId,
            'idpEntityID' => $idpMetadata->getString('entityid'),
        );
        if (!$succeeded) {
            $statsData['error'] = $logoutMessage->getStatus();
        }
        SimpleSAML_Stats::log('saml:idp:LogoutResponse:recv', $statsData);

        $relayState = $logoutMessage->getRelayState();

        /* A NULL error tells the IdP the logout at this SP succeeded. */
        $logoutError = NULL;
        if (!$succeeded) {
            $logoutError = sspmod_saml_Message::getResponseError($logoutMessage);
            SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . $logoutError);
        }

        $idp->handleLogoutResponse($assocId, $relayState, $logoutError);
    } elseif ($logoutMessage instanceof SAML2_LogoutRequest) {
        SimpleSAML_Logger::info('Received SAML 2.0 LogoutRequest from: ' . var_export($spEntityId, TRUE));

        $idpEntityId = $idpMetadata->getString('entityid');
        SimpleSAML_Stats::log('saml:idp:LogoutRequest:recv', array(
            'spEntityID' => $spEntityId,
            'idpEntityID' => $idpEntityId,
        ));

        /* The SP may override the id used in the statistics log; default to its entity id. */
        $spStatsId = $spMetadata->getString('core:statistics-id', $spEntityId);
        SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $spStatsId . ' ' . $idpEntityId);

        /* State handed to the IdP; the Responder callback sends the LogoutResponse later. */
        $state = array(
            'Responder' => array('sspmod_saml_IdP_SAML2', 'sendLogoutResponse'),
            'saml:SPEntityId' => $spEntityId,
            'saml:RelayState' => $logoutMessage->getRelayState(),
            'saml:RequestId' => $logoutMessage->getId(),
        );
        $idp->handleLogoutRequest($state, $assocId);
    } else {
        throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($logoutMessage));
    }
}
} if (!$source instanceof sspmod_saml_Auth_Source_SP) { throw new SimpleSAML_Error_Exception('Source type changed?'); } $binding = SAML2_Binding::getCurrentBinding(); $message = $binding->receive(); $idpEntityId = $message->getIssuer(); if ($idpEntityId === NULL) { /* Without an issuer we have no way to respond to the message. */ throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.'); } $spEntityId = $source->getEntityId(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpMetadata = $source->getIdPMetadata($idpEntityId); $spMetadata = $source->getMetadata(); sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message); $destination = $message->getDestination(); //if ($destination !== NULL && $destination !== SimpleSAML_Utilities::selfURLNoQuery()) { // throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.'); //} if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); SimpleSAML_Auth_Source::completeLogout($state);
throw $e; } * */ try { $binding = SAML2_Binding::getCurrentBinding(); $request = $binding->receive(); if (!$request instanceof SAML2_AuthnRequest) { throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.'); } $spEntityId = $request->getIssuer(); if ($spEntityId === NULL) { throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.'); } $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote'); sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request); $supportedBindings = array(SAML2_Const::BINDING_PAOS); $consumerURL = $request->getAssertionConsumerServiceURL(); $protocolBinding = $request->getProtocolBinding(); $consumerIndex = $request->getAssertionConsumerServiceIndex(); $acsEndpoint = sspmod_saml_IdP_SAML2::getAssertionConsumerService($supportedBindings, $spMetadata, $consumerURL, $protocolBinding, $consumerIndex); $relayState = $request->getRelayState(); $requestId = $request->getId(); $state = array(); $state[sspmod_core_Auth_UserPassBase::AUTHID] = $auth; $state['LoginCompletedHandler'] = "ecp_finish_auth"; $state['SPMetadata'] = $spMetadata->toArray(); $state['saml:RequestId'] = $requestId; $state['saml:RelayState'] = $relayState; $state['saml:ConsumerURL'] = $acsEndpoint['Location']; $state['saml:Binding'] = $acsEndpoint['Binding'];