/** * Receive a SAML 2 message sent using the HTTP-POST binding. * * Throws an exception if it is unable receive the message. * * @return SAML2_Message The received message. */ public function receive() { $postText = file_get_contents('php://input'); if (empty($postText)) { throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.'); } $document = new DOMDocument(); $document->loadXML($postText); $xml = $document->firstChild; SimpleSAML_Utilities::debugMessage($xml, 'in'); $results = SAML2_Utils::xpQuery($xml, '/soap-env:Envelope/soap-env:Body/*[1]'); return SAML2_Message::fromXML($results[0]); }
/** * Decode a received response. * * @param array $post POST data received. * @return SimpleSAML_XML_Shib13_AuthnResponse Response. */ public function decodeResponse($post) { assert('is_array($post)'); if (!array_key_exists('SAMLResponse', $post)) { throw new Exception('Missing required SAMLResponse parameter.'); } $rawResponse = $post['SAMLResponse']; $samlResponseXML = base64_decode($rawResponse); SimpleSAML_Utilities::debugMessage($samlResponseXML, 'in'); SimpleSAML_Utilities::validateXMLDocument($samlResponseXML, 'saml11'); $samlResponse = new SimpleSAML_XML_Shib13_AuthnResponse(); $samlResponse->setXML($samlResponseXML); if (array_key_exists('TARGET', $post)) { $samlResponse->setRelayState($post['TARGET']); } return $samlResponse; }
/** * Receive a SAML 2 message sent using the HTTP-POST binding. * * Throws an exception if it is unable receive the message. * * @return SAML2_Message The received message. */ public function receive() { if (array_key_exists('SAMLRequest', $_POST)) { $msg = $_POST['SAMLRequest']; } elseif (array_key_exists('SAMLResponse', $_POST)) { $msg = $_POST['SAMLResponse']; } else { throw new Exception('Missing SAMLRequest or SAMLResponse parameter.'); } $msg = base64_decode($msg); SimpleSAML_Utilities::debugMessage($msg, 'in'); $document = new DOMDocument(); $document->loadXML($msg); $xml = $document->firstChild; $msg = SAML2_Message::fromXML($xml); if (array_key_exists('RelayState', $_POST)) { $msg->setRelayState($_POST['RelayState']); } return $msg; }
/** * Decrypt the NameId of the subject in the assertion. * * @param XMLSecurityKey $key The decryption key. * @param array $blacklist Blacklisted decryption algorithms. */ public function decryptNameId(XMLSecurityKey $key, array $blacklist = array()) { if ($this->encryptedNameId === NULL) { /* No NameID to decrypt. */ return; } $nameId = SAML2_Utils::decryptElement($this->encryptedNameId, $key, $blacklist); SimpleSAML_Utilities::debugMessage($nameId, 'decrypt'); $this->nameId = SAML2_Utils::parseNameId($nameId); $this->encryptedNameId = NULL; }
/** * Receive a SAML 2 message sent using the HTTP-Redirect binding. * * Throws an exception if it is unable receive the message. * * @return SAML2_Message The received message. */ public function receive() { $data = self::parseQuery(); if (array_key_exists('SAMLRequest', $data)) { $msg = $data['SAMLRequest']; } elseif (array_key_exists('SAMLResponse', $data)) { $msg = $data['SAMLResponse']; } else { throw new Execption('Missing SAMLRequest or SAMLResponse parameter.'); } if (array_key_exists('SAMLEncoding', $data)) { $encoding = $data['SAMLEncoding']; } else { $encoding = self::DEFLATE; } $msg = base64_decode($msg); switch ($encoding) { case self::DEFLATE: $msg = gzinflate($msg); break; default: throw new Exception('Unknown SAMLEncoding: ' . var_export($encoding, TRUE)); } SimpleSAML_Utilities::debugMessage($msg, 'in'); $document = new DOMDocument(); $document->loadXML($msg); $xml = $document->firstChild; $msg = SAML2_Message::fromXML($xml); if (array_key_exists('Signature', $data)) { /* Save the signature validation data until we need it. */ $signatureValidationData = array('Signature' => $data['Signature'], 'Query' => $data['SignedQuery']); } if (array_key_exists('RelayState', $data)) { $msg->setRelayState($data['RelayState']); } if (array_key_exists('Signature', $data)) { if (!array_key_exists('SigAlg', $data)) { throw new Exception('Missing signature algorithm.'); } $signData = array('Signature' => $data['Signature'], 'SigAlg' => $data['SigAlg'], 'Query' => $data['SignedQuery']); $msg->addValidator(array(get_class($this), 'validateSignature'), $signData); } return $msg; }
/** * This function receives a SAML 1.1 artifact. * * @param SimpleSAML_Configuration $spMetadata The metadata of the SP. * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. * @return string The <saml1p:Response> element, as an XML string. */ public static function receive(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata) { $artifacts = self::getArtifacts(); $request = self::buildRequest($artifacts); SimpleSAML_Utilities::debugMessage($msgStr, 'out'); $url = $idpMetadata->getDefaultEndpoint('ArtifactResolutionService', array('urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding')); $url = $url['Location']; $peerPublicKeys = $idpMetadata->getPublicKeys('signing', TRUE); $certData = ''; foreach ($peerPublicKeys as $key) { if ($key['type'] !== 'X509Certificate') { continue; } $certData .= "-----BEGIN CERTIFICATE-----\n" . chunk_split($key['X509Certificate'], 64) . "-----END CERTIFICATE-----\n"; } $file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.crt'; if (!file_exists($file)) { SimpleSAML_Utilities::writeFile($file, $certData); } $spKeyCertFile = SimpleSAML_Utilities::resolveCert($spMetadata->getString('privatekey')); $opts = array('ssl' => array('verify_peer' => TRUE, 'cafile' => $file, 'local_cert' => $spKeyCertFile, 'capture_peer_cert' => TRUE, 'capture_peer_chain' => TRUE), 'http' => array('method' => 'POST', 'content' => $request, 'header' => 'SOAPAction: http://www.oasis-open.org/committees/security' . "\r\n" . 'Content-Type: text/xml')); /* Fetch the artifact. */ $response = SimpleSAML_Utilities::fetch($url, $opts); if ($response === FALSE) { throw new SimpleSAML_Error_Exception('Failed to retrieve assertion from IdP.'); } SimpleSAML_Utilities::debugMessage($response, 'in'); /* Find the response in the SOAP message. */ $response = self::extractResponse($response); return $response; }
/** * This function sends the SOAP message to the service location and returns SOAP response * * @param SAML2_Message $m The request that should be sent. * @param SimpleSAML_Configuration $srcMetadata The metadata of the issuer of the message. * @param SimpleSAML_Configuration $dstMetadata The metadata of the destination of the message. * @return SAML2_Message The response we received. */ public function send(SAML2_Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata = NULL) { $issuer = $msg->getIssuer(); $ctxOpts = array('ssl' => array('capture_peer_cert' => TRUE)); // Determine if we are going to do a MutualSSL connection between the IdP and SP - Shoaib if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) { $ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate')); if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) { $ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass'); } } else { /* Use the SP certificate and privatekey if it is configured. */ $privateKey = SimpleSAML_Utilities::loadPrivateKey($srcMetadata); $publicKey = SimpleSAML_Utilities::loadPublicKey($srcMetadata); if ($privateKey !== NULL && $publicKey !== NULL && isset($publicKey['PEM'])) { $keyCertData = $privateKey['PEM'] . $publicKey['PEM']; $file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($keyCertData) . '.pem'; if (!file_exists($file)) { SimpleSAML_Utilities::writeFile($file, $keyCertData); } $ctxOpts['ssl']['local_cert'] = $file; if (isset($privateKey['password'])) { $ctxOpts['ssl']['passphrase'] = $privateKey['password']; } } } // do peer certificate verification if ($dstMetadata !== NULL) { $peerPublicKeys = $dstMetadata->getPublicKeys('signing', TRUE); $certData = ''; foreach ($peerPublicKeys as $key) { if ($key['type'] !== 'X509Certificate') { continue; } $certData .= "-----BEGIN CERTIFICATE-----\n" . chunk_split($key['X509Certificate'], 64) . "-----END CERTIFICATE-----\n"; } $peerCertFile = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.pem'; if (!file_exists($peerCertFile)) { SimpleSAML_Utilities::writeFile($peerCertFile, $certData); } // create ssl context $ctxOpts['ssl']['verify_peer'] = TRUE; $ctxOpts['ssl']['verify_depth'] = 1; $ctxOpts['ssl']['cafile'] = $peerCertFile; } $context = stream_context_create($ctxOpts); if ($context === NULL) { throw new Exception('Unable to create SSL stream context'); } $options = array('uri' => $issuer, 'location' => $msg->getDestination(), 'stream_context' => $context); $x = new SoapClient(NULL, $options); // Add soap-envelopes $request = $msg->toSignedXML(); $request = self::START_SOAP_ENVELOPE . $request->ownerDocument->saveXML($request) . self::END_SOAP_ENVELOPE; SimpleSAML_Utilities::debugMessage($request, 'out'); $action = 'http://www.oasis-open.org/committees/security'; $version = '1.1'; $destination = $msg->getDestination(); /* Perform SOAP Request over HTTP */ $soapresponsexml = $x->__doRequest($request, $destination, $action, $version); if ($soapresponsexml === NULL || $soapresponsexml === "") { throw new Exception('Empty SOAP response, check peer certificate.'); } SimpleSAML_Utilities::debugMessage($soapresponsexml, 'in'); // Convert to SAML2_Message (DOMElement) $dom = new DOMDocument(); if (!$dom->loadXML($soapresponsexml)) { throw new Exception('Not a SOAP response.'); } $soapfault = $this->getSOAPFault($dom); if (isset($soapfault)) { throw new Exception($soapfault); } //Extract the message from the response $xml = $dom->firstChild; /* Soap Envelope */ $samlresponse = SAML2_Utils::xpQuery($dom->firstChild, '/soap-env:Envelope/soap-env:Body/*[1]'); $samlresponse = SAML2_Message::fromXML($samlresponse[0]); /* Add validator to message which uses the SSL context. */ self::addSSLValidator($samlresponse, $context); SimpleSAML_Logger::debug("Valid ArtifactResponse received from IdP"); return $samlresponse; }
/** * Retrieve the assertion. * * @param XMLSecurityKey $key The key we should use to decrypt the assertion. * @param array $blacklist Blacklisted decryption algorithms. * @return SAML2_Assertion The decrypted assertion. */ public function getAssertion(XMLSecurityKey $inputKey, array $blacklist = array()) { $assertionXML = SAML2_Utils::decryptElement($this->encryptedData, $inputKey, $blacklist); SimpleSAML_Utilities::debugMessage($assertionXML, 'decrypt'); return new SAML2_Assertion($assertionXML); }
/** * {@inheritdoc} */ public function debugMessage($message, $type) { SimpleSAML_Utilities::debugMessage($message, $type); }