addSign() 공개 정적인 메소드

Add signature key and sender certificate to an element (Message or Assertion).
public static addSign ( SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, SAML2\SignedElement $element )
$srcMetadata SimpleSAML_Configuration The metadata of the sender.
$dstMetadata SimpleSAML_Configuration The metadata of the recipient.
$element SAML2\SignedElement The element we should add the data to.
 /**
  * @param SAML2_Response $response
  * @param SimpleSAML_Configuration $idpConfig
  */
 private function addSigns(SAML2_Response $response, SimpleSAML_Configuration $idpConfig)
 {
     $assertions = $response->getAssertions();
     $className = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getMessageUtilClassName();
     // Special case the 'normal' message verification class name so we have IDE support.
     if ($className === 'sspmod_saml_Message') {
         sspmod_saml_Message::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]);
         return;
     }
     $className::addSign($idpConfig, SimpleSAML_Configuration::loadFromArray(array()), $assertions[0]);
 }
예제 #2
0
 /**
  * Receive a SAML 2 message sent using the HTTP-Artifact binding.
  *
  * Throws an exception if it is unable receive the message.
  *
  * @return SAML2_Message  The received message.
  */
 public function receive()
 {
     if (array_key_exists('SAMLart', $_REQUEST)) {
         $artifact = base64_decode($_REQUEST['SAMLart']);
         $endpointIndex = bin2hex(substr($artifact, 2, 2));
         $sourceId = bin2hex(substr($artifact, 4, 20));
     } else {
         throw new Execption('Missing SAMLArt parameter.');
     }
     $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $idpmetadata = $metadataHandler->getMetaDataConfigForSha1($sourceId, 'saml20-idp-remote');
     $endpoint = NULL;
     foreach ($idpmetadata->getEndpoints('ArtifactResolutionService') as $ep) {
         if ($ep['index'] === hexdec($endpointIndex)) {
             $endpoint = $ep;
             break;
         }
     }
     if ($endpoint === NULL) {
         throw new Exception('No ArtifactResolutionService with the correct index.');
     }
     SimpleSAML_Logger::debug("ArtifactResolutionService endpoint being used is := " . $endpoint['Location']);
     //Construct the ArtifactResolve Request
     $ar = new SAML2_ArtifactResolve();
     /* Set the request attributes */
     $ar->setIssuer($this->spMetadata->getString('entityid'));
     $ar->setArtifact($_REQUEST['SAMLart']);
     $ar->setDestination($endpoint['Location']);
     /* Sign the request */
     sspmod_saml_Message::addSign($this->spMetadata, $idpmetadata, $ar);
     // Shoaib - moved from the SOAPClient.
     $soap = new SAML2_SOAPClient();
     // Send message through SoapClient
     $artifactResponse = $soap->send($ar, $this->spMetadata);
     if (!$artifactResponse->isSuccess()) {
         throw new Exception('Received error from ArtifactResolutionService.');
     }
     $xml = $artifactResponse->getAny();
     if ($xml === NULL) {
         /* Empty ArtifactResponse - possibly because of Artifact replay? */
         return NULL;
     }
     $samlresponse = SAML2_Message::fromXML($xml);
     $samlresponse->addValidator(array(get_class($this), 'validateSignature'), $artifactResponse);
     if (isset($_REQUEST['RelayState'])) {
         $samlresponse->setRelayState($_REQUEST['RelayState']);
     }
     return $samlresponse;
 }
예제 #3
0
 /**
  * Build a authentication response based on information in the metadata.
  *
  * @param SimpleSAML_Configuration $idpMetadata  The metadata of the IdP.
  * @param SimpleSAML_Configuration $spMetadata  The metadata of the SP.
  * @param string $consumerURL  The Destination URL of the response.
  */
 private static function buildResponse(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, $consumerURL)
 {
     $signResponse = $spMetadata->getBoolean('saml20.sign.response', NULL);
     if ($signResponse === NULL) {
         $signResponse = $idpMetadata->getBoolean('saml20.sign.response', TRUE);
     }
     $r = new SAML2_Response();
     $r->setIssuer($idpMetadata->getString('entityid'));
     $r->setDestination($consumerURL);
     if ($signResponse) {
         sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $r);
     }
     return $r;
 }
$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-hosted');
if (!$idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
    throw new SimpleSAML_Error_Error('NOACCESS');
}
$store = SimpleSAML_Store::getInstance();
if ($store === FALSE) {
    throw new Exception('Unable to send artifact without a datastore configured.');
}
$binding = new SAML2_SOAP();
$request = $binding->receive();
if (!$request instanceof SAML2_ArtifactResolve) {
    throw new Exception('Message received on ArtifactResolutionService wasn\'t a ArtifactResolve request.');
}
$issuer = $request->getIssuer();
$spMetadata = $metadata->getMetadataConfig($issuer, 'saml20-sp-remote');
$artifact = $request->getArtifact();
$responseData = $store->get('artifact', $artifact);
$store->delete('artifact', $artifact);
if ($responseData !== NULL) {
    $document = new DOMDocument();
    $document->loadXML($responseData);
    $responseXML = $document->firstChild;
} else {
    $responseXML = NULL;
}
$artifactResponse = new SAML2_ArtifactResponse();
$artifactResponse->setIssuer($idpEntityId);
$artifactResponse->setInResponseTo($request->getId());
$artifactResponse->setAny($responseXML);
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $artifactResponse);
$binding->send($artifactResponse);
        }
        /* Filter which attribute values we should return. */
        $returnAttributes[$name] = array_intersect($values, $attributes[$name]);
    }
}
/* $returnAttributes contains the attributes we should return. Send them. */
$assertion = new SAML2_Assertion();
$assertion->setIssuer($idpEntityId);
$assertion->setNameId($query->getNameId());
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time() + 5 * 60);
$assertion->setValidAudiences(array($spEntityId));
$assertion->setAttributes($returnAttributes);
$assertion->setAttributeNameFormat($attributeNameFormat);
$sc = new SAML2_XML_saml_SubjectConfirmation();
$sc->Method = SAML2_Const::CM_BEARER;
$sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$sc->SubjectConfirmationData->NotOnOrAfter = time() + 5 * 60;
$sc->SubjectConfirmationData->Recipient = $endpoint;
$sc->SubjectConfirmationData->InResponseTo = $query->getId();
$assertion->setSubjectConfirmation(array($sc));
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $assertion);
$response = new SAML2_Response();
$response->setRelayState($query->getRelayState());
$response->setDestination($endpoint);
$response->setIssuer($idpEntityId);
$response->setInResponseTo($query->getId());
$response->setAssertions(array($assertion));
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $response);
$binding = new SAML2_HTTPPost();
$binding->send($response);
예제 #6
0
 private function buildResponse($returnAttributes)
 {
     /* SubjectConfirmation */
     $sc = new SAML2_XML_saml_SubjectConfirmation();
     $sc->Method = SAML2_Const::CM_BEARER;
     $sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
     $sc->SubjectConfirmationData->NotBefore = time();
     $sc->SubjectConfirmationData->NotOnOrAfter = time() + $this->config->getInteger('validFor');
     $sc->SubjectConfirmationData->InResponseTo = $this->query->getId();
     $assertion = new SAML2_Assertion();
     $assertion->setSubjectConfirmation(array($sc));
     $assertion->setIssuer($this->aaEntityId);
     $assertion->setNameId($this->query->getNameId());
     $assertion->setNotBefore(time());
     $assertion->setNotOnOrAfter(time() + $this->config->getInteger('validFor'));
     $assertion->setValidAudiences(array($this->spEntityId));
     $assertion->setAttributes($returnAttributes);
     $assertion->setAttributeNameFormat($this->attributeNameFormat);
     if ($this->signAssertion) {
         sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $assertion);
     }
     /* The Response */
     $response = new SAML2_Response();
     $response->setRelayState($this->query->getRelayState());
     $response->setIssuer($this->aaEntityId);
     $response->setInResponseTo($this->query->getId());
     $response->setAssertions(array($assertion));
     if ($this->signResponse) {
         sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $response);
     }
     return $response;
 }
/**
 * build and send AttributeQuery
 */
function sendQuery($dataId, $url, $nameId, $attributes, $attributeNameFormat, $src, $dst)
{
    assert('is_string($dataId)');
    assert('is_string($url)');
    assert('is_array($nameId)');
    assert('is_array($attributes)');
    SimpleSAML_Logger::debug('[attributeaggregator] - sending request');
    $query = new SAML2_AttributeQuery();
    $query->setRelayState($dataId);
    $query->setDestination($url);
    $query->setIssuer($src->getValue('entityid'));
    $query->setNameId($nameId);
    $query->setAttributeNameFormat($attributeNameFormat);
    if (!empty($attributes)) {
        $query->setAttributes($attributes);
    }
    sspmod_saml_Message::addSign($src, $dst, $query);
    if (!$query->getSignatureKey()) {
        throw new SimpleSAML_Error_Exception('[attributeaggregator] - Unable to find private key for signing attribute request.');
    }
    SimpleSAML_Logger::debug('[attributeaggregator] - sending attribute query: ' . var_export($query, 1));
    $binding = new SAML2_SOAPClient();
    $result = $binding->send($query, $src);
    return $result;
}