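/**
 * Builds an AuthnRequest from the request, signature and relay-state
 * parameters of an incoming HTTP request.
 *
 * The request parameter is base64-decoded, inflated and parsed as XML. Every
 * value read here is supplied by the remote party and is untrusted. This
 * method does not verify the signature: the still-encoded request, relay
 * state, signature and signature algorithm are handed to
 * AuthnRequest::create() unchanged.
 * NOTE(review): presumably so a later step can verify the signature over the
 * original values; confirm that such verification happens before the request
 * is acted upon.
 *
 * @param Request $httpRequest
 * @return AuthnRequest
 * @throws RuntimeException when the request parameter is missing or cannot be
 *                          inflated, or when the message is not an AuthnRequest
 */
public static function createFromHttpRequest(Request $httpRequest)
{
    // Read the parameter once so the value that is parsed is the same value
    // that is passed on to AuthnRequest::create().
    $encodedRequest = $httpRequest->get(AuthnRequest::PARAMETER_REQUEST);

    // Reject a missing or array-valued parameter before it reaches the decoders.
    if (!is_string($encodedRequest) || $encodedRequest === '') {
        throw new RuntimeException('The received request does not contain a usable SAML request parameter');
    }

    // the GET parameter is already urldecoded by Symfony, so we should not do it again.
    // NOTE(review): gzinflate() is called without a maximum output length, so a
    // small parameter can inflate to a very large document. Consider passing a
    // cap as the second argument once an acceptable request size is agreed.
    $samlRequest = gzinflate(base64_decode($encodedRequest));
    if ($samlRequest === false) {
        throw new RuntimeException('The received SAML request could not be inflated');
    }

    // additional security against XXE Processing vulnerability
    // NOTE(review): libxml_disable_entity_loader() is deprecated as of PHP 8.0;
    // revisit this guard when the supported PHP version is raised.
    $previous = libxml_disable_entity_loader(true);
    try {
        $document = SAML2_DOMDocumentFactory::fromString($samlRequest);
    } finally {
        // Restore the process-wide libxml setting even when parsing throws,
        // so a malformed request cannot leave it changed for later XML loading.
        libxml_disable_entity_loader($previous);
    }

    // NOTE(review): firstChild is the first node of the document, which need
    // not be the root element (for example when a comment precedes it);
    // documentElement may be the safer choice. Confirm against fromXML().
    $request = SAML2_Message::fromXML($document->firstChild);

    if (!$request instanceof SAML2_AuthnRequest) {
        // The original passed the object itself to strrpos(); the short name
        // has to be derived from the class name string.
        $className = is_object($request) ? get_class($request) : gettype($request);
        $separator = strrpos($className, '_');
        $shortName = $separator === false ? $className : substr($className, $separator + 1);

        throw new RuntimeException(sprintf(
            'The received request is not an AuthnRequest, "%s" received instead',
            $shortName
        ));
    }

    return AuthnRequest::create(
        $request,
        $encodedRequest,
        $httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE),
        $httpRequest->get(AuthnRequest::PARAMETER_SIGNATURE),
        $httpRequest->get(AuthnRequest::PARAMETER_SIGNATURE_ALGORITHM)
    );
}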