/**
* Constructs the AuthnRequest object.
*
* @param OneLogin_Saml2_Settings $settings Settings
*/
public function __construct(OneLogin_Saml2_Settings $settings)
{
$this->_settings = $settings;
$spData = $this->_settings->getSPData();
$idpData = $this->_settings->getIdPData();
$security = $this->_settings->getSecurityData();
$id = OneLogin_Saml2_Utils::generateUniqueID();
$issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
$nameIDPolicyFormat = $spData['NameIDFormat'];
if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
$nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
}
$providerNameStr = '';
$organizationData = $settings->getOrganization();
if (!empty($organizationData)) {
$langs = array_keys($organizationData);
if (in_array('en-US', $langs)) {
$lang = 'en-US';
} else {
$lang = $langs[0];
}
if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) {
$providerNameStr = <<<PROVIDERNAME
ProviderName="{$organizationData[$lang]['displayname']}"
PROVIDERNAME;
}
}
$request = <<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{$id}"
Version="2.0"
{$providerNameStr}
IssueInstant="{$issueInstant}"
Destination="{$idpData['singleSignOnService']['url']}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
<saml:Issuer>{$spData['entityId']}</saml:Issuer>
<samlp:NameIDPolicy
Format="{$nameIDPolicyFormat}"
AllowCreate="true" />
AUTHNREQUEST;
if (!isset($security['allowedAuthContexts'])) {
$security['allowedAuthContexts'] = array('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport');
}
if ($security['allowedAuthContexts'] && is_array($security['allowedAuthContexts'])) {
$request .= '<samlp:RequestedAuthnContext Comparison="exact">' . "\n";
foreach ($security['allowedAuthContexts'] as $authCtx) {
$request .= '<saml:AuthnContextClassRef>' . $authCtx . "</saml:AuthnContextClassRef>\n";
}
$request .= '</samlp:RequestedAuthnContext> ' . "\n";
}
$request .= '</samlp:AuthnRequest>';
$this->_id = $id;
$this->_authnRequest = $request;
}
/**
* Gets the SLO url.
*
* @return string The url of the Single Logout Service
*/
public function getSLOurl()
{
$url = null;
$idpData = $this->_settings->getIdPData();
if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {
$url = $idpData['singleLogoutService']['url'];
}
return $url;
}
/**
* Generates a Logout Response object.
*
* @param string $inResponseTo InResponseTo value for the Logout Response.
*/
public function build($inResponseTo)
{
$spData = $this->_settings->getSPData();
$idpData = $this->_settings->getIdPData();
$id = OneLogin_Saml2_Utils::generateUniqueID();
$issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
$logoutResponse = <<<LOGOUTRESPONSE
<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{$id}"
Version="2.0"
IssueInstant="{$issueInstant}"
Destination="{$idpData['singleLogoutService']['url']}"
InResponseTo="{$inResponseTo}"
>
<saml:Issuer>{$spData['entityId']}</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
</samlp:LogoutResponse>
LOGOUTRESPONSE;
$this->_logoutResponse = $logoutResponse;
}
* SAMPLE Code to demonstrate how to initiate a SAML Authorization request
*
* When the user visits this URL, the browser will be redirected to the SSO
* IdP with an authorization request. If successful, it will then be
* redirected to the consume URL (specified in settings) with the auth
* details.
*/
session_start();
require_once '../_toolkit_loader.php';
if (!isset($_SESSION['samlUserdata'])) {
$settings = new OneLogin_Saml2_Settings();
$authRequest = new OneLogin_Saml2_AuthnRequest($settings);
$samlRequest = $authRequest->getRequest();
$parameters = array('SAMLRequest' => $samlRequest);
$parameters['RelayState'] = OneLogin_Saml2_Utils::getSelfURLNoQuery();
$idpData = $settings->getIdPData();
$ssoUrl = $idpData['singleSignOnService']['url'];
$url = OneLogin_Saml2_Utils::redirect($ssoUrl, $parameters, true);
header("Location: {$url}");
} else {
if (!empty($_SESSION['samlUserdata'])) {
$attributes = $_SESSION['samlUserdata'];
echo 'You have the following attributes:<br>';
echo '<table><thead><th>Name</th><th>Values</th></thead><tbody>';
foreach ($attributes as $attributeName => $attributeValues) {
echo '<tr><td>' . htmlentities($attributeName) . '</td><td><ul>';
foreach ($attributeValues as $attributeValue) {
echo '<li>' . htmlentities($attributeValue) . '</li>';
}
echo '</ul></td></tr>';
}
/**
* Checks if the Logout Request recieved is valid.
*
* @return boolean If the Logout Request is or not valid
*/
public function isValid($retrieveParametersFromServer = false)
{
$this->_error = null;
try {
$dom = new DOMDocument();
$dom = OneLogin_Saml2_Utils::loadXML($dom, $this->_logoutRequest);
$idpData = $this->_settings->getIdPData();
$idPEntityId = $idpData['entityId'];
if ($this->_settings->isStrict()) {
$security = $this->_settings->getSecurityData();
if ($security['wantXMLValidation']) {
$res = OneLogin_Saml2_Utils::validateXML($dom, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive());
if (!$res instanceof DOMDocument) {
throw new Exception("Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd");
}
}
$currentURL = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
// Check NotOnOrAfter
if ($dom->documentElement->hasAttribute('NotOnOrAfter')) {
$na = OneLogin_Saml2_Utils::parseSAML2Time($dom->documentElement->getAttribute('NotOnOrAfter'));
if ($na <= time()) {
throw new Exception('Timing issues (please check your clock settings)');
}
}
// Check destination
if ($dom->documentElement->hasAttribute('Destination')) {
$destination = $dom->documentElement->getAttribute('Destination');
if (!empty($destination)) {
if (strpos($destination, $currentURL) === false) {
throw new Exception("The LogoutRequest was received at {$currentURL} instead of {$destination}");
}
}
}
$nameId = $this->getNameId($dom, $this->_settings->getSPkey());
// Check issuer
$issuer = $this->getIssuer($dom);
if (!empty($issuer) && $issuer != $idPEntityId) {
throw new Exception("Invalid issuer in the Logout Request");
}
if ($security['wantMessagesSigned']) {
if (!isset($_GET['Signature'])) {
throw new Exception("The Message of the Logout Request is not signed and the SP require it");
}
}
}
if (isset($_GET['Signature'])) {
if (!isset($_GET['SigAlg'])) {
$signAlg = XMLSecurityKey::RSA_SHA1;
} else {
$signAlg = $_GET['SigAlg'];
}
if ($retrieveParametersFromServer) {
$signedQuery = 'SAMLRequest=' . OneLogin_Saml2_Utils::extractOriginalQueryParam('SAMLRequest');
if (isset($_GET['RelayState'])) {
$signedQuery .= '&RelayState=' . OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
}
$signedQuery .= '&SigAlg=' . OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
} else {
$signedQuery = 'SAMLRequest=' . urlencode($_GET['SAMLRequest']);
if (isset($_GET['RelayState'])) {
$signedQuery .= '&RelayState=' . urlencode($_GET['RelayState']);
}
$signedQuery .= '&SigAlg=' . urlencode($signAlg);
}
if (!isset($idpData['x509cert']) || empty($idpData['x509cert'])) {
throw new Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required');
}
$cert = $idpData['x509cert'];
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
$objKey->loadKey($cert, false, true);
if ($signAlg != XMLSecurityKey::RSA_SHA1) {
try {
$objKey = OneLogin_Saml2_Utils::castKey($objKey, $signAlg, 'public');
} catch (Exception $e) {
throw new Exception('Invalid signAlg in the recieved Logout Request');
}
}
if (!$objKey->verifySignature($signedQuery, base64_decode($_GET['Signature']))) {
throw new Exception('Signature validation failed. Logout Request rejected');
}
}
return true;
} catch (Exception $e) {
$this->_error = $e->getMessage();
$debug = $this->_settings->isDebugActive();
if ($debug) {
echo $this->_error;
}
return false;
}
}
/**
* Tests the validateSign method of the OneLogin_Saml2_Utils
*
* @covers OneLogin_Saml2_Utils::validateSign
*/
public function testValidateSign()
{
$settingsDir = TEST_ROOT . '/settings/';
include $settingsDir . 'settings1.php';
$settings = new OneLogin_Saml2_Settings($settingsInfo);
$idpData = $settings->getIdPData();
$cert = $idpData['x509cert'];
$fingerprint = OneLogin_Saml2_Utils::calculateX509Fingerprint($cert);
$xmlMetadataSigned = file_get_contents(TEST_ROOT . '/data/metadata/signed_metadata_settings1.xml');
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlMetadataSigned, $cert));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlMetadataSigned, null, $fingerprint));
$xmlResponseMsgSigned = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/signed_message_response.xml.base64'));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseMsgSigned, $cert));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseMsgSigned, null, $fingerprint));
$xmlResponseAssertSigned = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/signed_assertion_response.xml.base64'));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseAssertSigned, $cert));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseAssertSigned, null, $fingerprint));
$xmlResponseDoubleSigned = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/double_signed_response.xml.base64'));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseDoubleSigned, $cert));
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($xmlResponseDoubleSigned, null, $fingerprint));
$dom = new DOMDocument();
$dom->loadXML($xmlResponseMsgSigned);
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($dom, $cert));
$dom->firstChild->firstChild->nodeValue = 'https://example.com/other-idp';
try {
$this->assertFalse(OneLogin_Saml2_Utils::validateSign($dom, $cert));
$this->assertTrue(false);
} catch (Exception $e) {
$this->assertContains('Reference validation failed', $e->getMessage());
}
$dom2 = new DOMDocument();
$dom2->loadXML($xmlResponseMsgSigned);
$assertElem = $dom2->firstChild->firstChild->nextSibling->nextSibling;
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($assertElem, $cert));
$dom3 = new DOMDocument();
$dom3->loadXML($xmlResponseMsgSigned);
$dom3->firstChild->firstChild->nodeValue = 'https://example.com/other-idp';
$assertElem2 = $dom3->firstChild->firstChild->nextSibling->nextSibling;
try {
$this->assertTrue(OneLogin_Saml2_Utils::validateSign($assertElem2, $cert));
$this->assertTrue(false);
} catch (Exception $e) {
$this->assertContains('Reference validation failed', $e->getMessage());
}
$invalidFingerprint = 'afe71c34ef740bc87434be13a2263d31271da1f9';
$this->assertFalse(OneLogin_Saml2_Utils::validateSign($xmlMetadataSigned, null, $invalidFingerprint));
$noSigned = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/invalids/no_signature.xml.base64'));
try {
$this->assertFalse(OneLogin_Saml2_Utils::validateSign($noSigned, $cert));
$this->assertTrue(false);
} catch (Exception $e) {
$this->assertContains('Cannot locate Signature Node', $e->getMessage());
}
$noKey = base64_decode(file_get_contents(TEST_ROOT . '/data/responses/invalids/no_key.xml.base64'));
try {
$this->assertFalse(OneLogin_Saml2_Utils::validateSign($noKey, $cert));
$this->assertTrue(false);
} catch (Exception $e) {
$this->assertContains('We have no idea about the key', $e->getMessage());
}
}
* additional information regarding copyright ownership.
* The Apereo Foundation licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except in
* compliance with the License. You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
session_start();
require_once '_toolkit_loader.php';
$samlSettings = new OneLogin_Saml2_Settings();
$idpData = $samlSettings->getIdPData();
if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) {
$sloUrl = $idpData['singleLogoutService']['url'];
} else {
throw new Exception("The IdP does not support Single Log Out");
}
if (isset($_SESSION['IdPSessionIndex']) && !empty($_SESSION['IdPSessionIndex'])) {
$logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings, null, $_SESSION['IdPSessionIndex']);
} else {
$logoutRequest = new OneLogin_Saml2_LogoutRequest($samlSettings);
}
$samlRequest = $logoutRequest->getRequest();
$parameters = array('SAMLRequest' => $samlRequest);
$url = OneLogin_Saml2_Utils::redirect($sloUrl, $parameters, true);
header("Location: {$url}");
/**
* Tests the getIdPData method of the OneLogin_Saml2_Settings
*
* @covers OneLogin_Saml2_Settings::getIdPData
*/
public function testGetIdPData()
{
$settingsDir = TEST_ROOT . '/settings/';
include $settingsDir . 'settings1.php';
$settings = new OneLogin_Saml2_Settings($settingsInfo);
$idpData = $settings->getIdPData();
$this->assertNotEmpty($idpData);
$this->assertArrayHasKey('entityId', $idpData);
$this->assertArrayHasKey('singleSignOnService', $idpData);
$this->assertArrayHasKey('singleLogoutService', $idpData);
$this->assertArrayHasKey('x509cert', $idpData);
$this->assertEquals('http://idp.example.com/', $idpData['entityId']);
$this->assertEquals('http://idp.example.com/SSOService.php', $idpData['singleSignOnService']['url']);
$this->assertEquals('http://idp.example.com/SingleLogoutService.php', $idpData['singleLogoutService']['url']);
$x509cert = 'MIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo';
$formatedx509cert = OneLogin_Saml2_Utils::formatCert($x509cert);
$this->assertEquals($formatedx509cert, $idpData['x509cert']);
}
/**
* Determines if the SAML Response is valid using the certificate.
*
* @param string $requestId The ID of the AuthNRequest sent by this SP to the IdP
*
* @throws Exception
* @return bool Validate the document
*/
public function isValid($requestId = null)
{
$this->_error = null;
try {
// Check SAML version
if ($this->document->documentElement->getAttribute('Version') != '2.0') {
throw new Exception('Unsupported SAML version');
}
if (!$this->document->documentElement->hasAttribute('ID')) {
throw new Exception('Missing ID attribute on SAML Response');
}
$status = $this->checkStatus();
$singleAssertion = $this->validateNumAssertions();
if (!$singleAssertion) {
throw new Exception('SAML Response must contain 1 assertion');
}
$idpData = $this->_settings->getIdPData();
$idPEntityId = $idpData['entityId'];
$spData = $this->_settings->getSPData();
$spEntityId = $spData['entityId'];
$signedElements = array();
if ($this->encrypted) {
$signNodes = $this->decryptedDocument->getElementsByTagName('Signature');
} else {
$signNodes = $this->document->getElementsByTagName('Signature');
}
foreach ($signNodes as $signNode) {
$signedElements[] = $signNode->parentNode->localName;
}
if (!empty($signedElements)) {
// Check SignedElements
if (!$this->validateSignedElements($signedElements)) {
throw new Exception('Found an unexpected Signature Element. SAML Response rejected');
}
}
if ($this->_settings->isStrict()) {
$security = $this->_settings->getSecurityData();
if ($security['wantXMLValidation']) {
$res = OneLogin_Saml2_Utils::validateXML($this->document, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive());
if (!$res instanceof DOMDocument) {
throw new Exception("Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd");
}
}
$currentURL = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
if ($this->document->documentElement->hasAttribute('InResponseTo')) {
$responseInResponseTo = $this->document->documentElement->getAttribute('InResponseTo');
}
// Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided
if (isset($requestId) && isset($responseInResponseTo)) {
if ($requestId != $responseInResponseTo) {
throw new Exception("The InResponseTo of the Response: {$responseInResponseTo}, does not match the ID of the AuthNRequest sent by the SP: {$requestId}");
}
}
if (!$this->encrypted && $security['wantAssertionsEncrypted']) {
throw new Exception("The assertion of the Response is not encrypted and the SP requires it");
}
if ($security['wantNameIdEncrypted']) {
$encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');
if ($encryptedIdNodes->length == 0) {
throw new Exception("The NameID of the Response is not encrypted and the SP requires it");
}
}
// Validate Asserion timestamps
$validTimestamps = $this->validateTimestamps();
if (!$validTimestamps) {
throw new Exception('Timing issues (please check your clock settings)');
}
// EncryptedAttributes are not supported
$encryptedAttributeNodes = $this->_queryAssertion('/saml:AttributeStatement/saml:EncryptedAttribute');
if ($encryptedAttributeNodes->length > 0) {
throw new Exception("There is an EncryptedAttribute in the Response and this SP not support them");
}
// Check destination
if ($this->document->documentElement->hasAttribute('Destination')) {
$destination = $this->document->documentElement->getAttribute('Destination');
if (!empty($destination)) {
if (strpos($destination, $currentURL) !== 0) {
$currentURLrouted = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
if (strpos($destination, $currentURLrouted) !== 0) {
throw new Exception("The response was received at {$currentURL} instead of {$destination}");
}
}
}
}
// Check audience
$validAudiences = $this->getAudiences();
if (!empty($validAudiences) && !in_array($spEntityId, $validAudiences)) {
throw new Exception("{$spEntityId} is not a valid audience for this Response");
}
// Check the issuers
$issuers = $this->getIssuers();
foreach ($issuers as $issuer) {
if (empty($issuer) || $issuer != $idPEntityId) {
throw new Exception("Invalid issuer in the Assertion/Response");
}
}
// Check the session Expiration
$sessionExpiration = $this->getSessionNotOnOrAfter();
if (!empty($sessionExpiration) && $sessionExpiration <= time()) {
throw new Exception("The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response");
}
// Check the SubjectConfirmation, at least one SubjectConfirmation must be valid
$anySubjectConfirmation = false;
$subjectConfirmationNodes = $this->_queryAssertion('/saml:Subject/saml:SubjectConfirmation');
foreach ($subjectConfirmationNodes as $scn) {
if ($scn->hasAttribute('Method') && $scn->getAttribute('Method') != OneLogin_Saml2_Constants::CM_BEARER) {
continue;
}
$subjectConfirmationDataNodes = $scn->getElementsByTagName('SubjectConfirmationData');
if ($subjectConfirmationDataNodes->length == 0) {
continue;
} else {
$scnData = $subjectConfirmationDataNodes->item(0);
if ($scnData->hasAttribute('InResponseTo')) {
$inResponseTo = $scnData->getAttribute('InResponseTo');
if ($responseInResponseTo != $inResponseTo) {
continue;
}
}
if ($scnData->hasAttribute('Recipient')) {
$recipient = $scnData->getAttribute('Recipient');
if (!empty($recipient) && strpos($recipient, $currentURL) === false) {
continue;
}
}
if ($scnData->hasAttribute('NotOnOrAfter')) {
$noa = OneLogin_Saml2_Utils::parseSAML2Time($scnData->getAttribute('NotOnOrAfter'));
if ($noa <= time()) {
continue;
}
}
if ($scnData->hasAttribute('NotBefore')) {
$nb = OneLogin_Saml2_Utils::parseSAML2Time($scnData->getAttribute('NotBefore'));
if ($nb > time()) {
continue;
}
}
$anySubjectConfirmation = true;
break;
}
}
if (!$anySubjectConfirmation) {
throw new Exception("A valid SubjectConfirmation was not found on this Response");
}
if ($security['wantAssertionsSigned'] && !in_array('Assertion', $signedElements)) {
throw new Exception("The Assertion of the Response is not signed and the SP requires it");
}
if ($security['wantMessagesSigned'] && !in_array('Response', $signedElements)) {
throw new Exception("The Message of the Response is not signed and the SP requires it");
}
}
if (!empty($signedElements)) {
$cert = $idpData['x509cert'];
$fingerprint = $idpData['certFingerprint'];
$fingerprintalg = $idpData['certFingerprintAlgorithm'];
// Only validates the first signed element
if (in_array('Response', $signedElements)) {
$documentToValidate = $this->document;
} else {
$documentToValidate = $signNodes->item(0)->parentNode;
if ($this->encrypted) {
$encryptedIDNodes = OneLogin_Saml2_Utils::query($this->decryptedDocument, '/samlp:Response/saml:EncryptedAssertion/saml:Assertion/saml:Subject/saml:EncryptedID');
if ($encryptedIDNodes->length > 0) {
throw new Exception('Unsigned SAML Response that contains a signed and encrypted Assertion with encrypted nameId is not supported.');
}
}
}
if (!OneLogin_Saml2_Utils::validateSign($documentToValidate, $cert, $fingerprint, $fingerprintalg)) {
throw new Exception('Signature validation failed. SAML Response rejected');
}
} else {
throw new Exception('No Signature found. SAML Response rejected');
}
return true;
} catch (Exception $e) {
$this->_error = $e->getMessage();
$debug = $this->_settings->isDebugActive();
if ($debug) {
echo $this->_error;
}
return false;
}
}
/**
* Constructs the AuthnRequest object.
*
* @param OneLogin_Saml2_Settings $settings Settings
* @param bool $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true'
* @param bool $isPassive When true the AuthNReuqest will set the Ispassive='true'
*/
public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false)
{
$this->_settings = $settings;
$spData = $this->_settings->getSPData();
$idpData = $this->_settings->getIdPData();
$security = $this->_settings->getSecurityData();
$id = OneLogin_Saml2_Utils::generateUniqueID();
$issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
$nameIDPolicyFormat = $spData['NameIDFormat'];
echo "1@@@@@@@@@@@@<br /> nameIDPolicyFormat: ";
print_r($nameIDPolicyFormat);
echo "<br /> OneLogin_Saml2_Constants::NAMEID_ENCRYPTED: ";
print_r(OneLogin_Saml2_Constants::NAMEID_ENCRYPTED);
echo "2@@@@@@@@@@@@<br />";
//$nameIDPolicyFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
$nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
}
$providerNameStr = '';
$organizationData = $settings->getOrganization();
if (!empty($organizationData)) {
$langs = array_keys($organizationData);
if (in_array('en-US', $langs)) {
$lang = 'en-US';
} else {
$lang = $langs[0];
}
if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) {
$providerNameStr = <<<PROVIDERNAME
ProviderName="{$organizationData[$lang]['displayname']}"
PROVIDERNAME;
}
}
$forceAuthnStr = '';
if ($forceAuthn) {
$forceAuthnStr = <<<FORCEAUTHN
ForceAuthn="true"
FORCEAUTHN;
}
$isPassiveStr = '';
if ($isPassive) {
$isPassiveStr = <<<ISPASSIVE
IsPassive="true"
ISPASSIVE;
}
$requestedAuthnStr = '';
if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) {
if ($security['requestedAuthnContext'] === true) {
$requestedAuthnStr = <<<REQUESTEDAUTHN
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
REQUESTEDAUTHN;
} else {
$requestedAuthnStr .= " <samlp:RequestedAuthnContext Comparison=\"exact\">\n";
foreach ($security['requestedAuthnContext'] as $contextValue) {
$requestedAuthnStr .= " <saml:AuthnContextClassRef>" . $contextValue . "</saml:AuthnContextClassRef>\n";
}
$requestedAuthnStr .= ' </samlp:RequestedAuthnContext>';
}
}
$request = <<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{$id}"
Version="2.0"
{$providerNameStr}{$forceAuthnStr}{$isPassiveStr}
IssueInstant="{$issueInstant}"
Destination="{$idpData['singleSignOnService']['url']}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
<saml:Issuer>{$spData['entityId']}</saml:Issuer>
<samlp:NameIDPolicy
Format="{$nameIDPolicyFormat}"
AllowCreate="true" />
{$requestedAuthnStr}
</samlp:AuthnRequest>
AUTHNREQUEST;
$this->_id = $id;
$this->_authnRequest = $request;
}
/**
* Constructs the AuthnRequest object.
*
* @param OneLogin_Saml2_Settings $settings Settings
* @param bool $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true'
* @param bool $isPassive When true the AuthNReuqest will set the Ispassive='true'
*/
public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false)
{
$this->_settings = $settings;
$spData = $this->_settings->getSPData();
$idpData = $this->_settings->getIdPData();
$security = $this->_settings->getSecurityData();
$id = OneLogin_Saml2_Utils::generateUniqueID();
$issueInstant = OneLogin_Saml2_Utils::parseTime2SAML(time());
$nameIDPolicyFormat = $spData['NameIDFormat'];
if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) {
$nameIDPolicyFormat = OneLogin_Saml2_Constants::NAMEID_ENCRYPTED;
}
$providerNameStr = '';
$organizationData = $settings->getOrganization();
if (!empty($organizationData)) {
$langs = array_keys($organizationData);
if (in_array('en-US', $langs)) {
$lang = 'en-US';
} else {
$lang = $langs[0];
}
if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) {
$providerNameStr = <<<PROVIDERNAME
ProviderName="{$organizationData[$lang]['displayname']}"
PROVIDERNAME;
}
}
$forceAuthnStr = '';
if ($forceAuthn) {
$forceAuthnStr = <<<FORCEAUTHN
ForceAuthn="true"
FORCEAUTHN;
}
$isPassiveStr = '';
if ($isPassive) {
$isPassiveStr = <<<ISPASSIVE
IsPassive="true"
ISPASSIVE;
}
$requestedAuthnStr = '';
if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) {
if ($security['requestedAuthnContext'] === true) {
$requestedAuthnStr = <<<REQUESTEDAUTHN
<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
REQUESTEDAUTHN;
} else {
$requestedAuthnStr .= " <samlp:RequestedAuthnContext Comparison=\"exact\">\n";
foreach ($security['requestedAuthnContext'] as $contextValue) {
$requestedAuthnStr .= " <saml:AuthnContextClassRef>" . $contextValue . "</saml:AuthnContextClassRef>\n";
}
$requestedAuthnStr .= ' </samlp:RequestedAuthnContext>';
}
}
$signature = '';
if (isset($security['authnRequestsSigned']) && $security['authnRequestsSigned']) {
$key = $this->_settings->getSPkey();
$objKey = new XMLSecurityKey($security['signatureAlgorithm'], array('type' => 'private'));
$objKey->loadKey($key, false);
$signatureValue = $objKey->signData(time());
$signatureValue = base64_encode($signatureValue);
$digestValue = base64_encode(sha1(time()));
$x509Cert = $this->_settings->getSPcert();
$x509Cert = OneLogin_Saml2_Utils::formatCert($x509Cert, false);
$signature = <<<SIGNATURE
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference>
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>{$digestValue}</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>asd{$signatureValue}</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>{$x509Cert}</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
SIGNATURE;
}
$request = <<<AUTHNREQUEST
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="{$id}"
Version="2.0"
{$providerNameStr}{$forceAuthnStr}{$isPassiveStr}
IssueInstant="{$issueInstant}"
Destination="{$idpData['singleSignOnService']['url']}"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
<saml:Issuer>{$spData['entityId']}</saml:Issuer>
{$signature}
<samlp:NameIDPolicy
Format="{$nameIDPolicyFormat}"
AllowCreate="true" />
{$requestedAuthnStr}
</samlp:AuthnRequest>
AUTHNREQUEST;
$this->_id = $id;
$this->_authnRequest = $request;
}
