Inheritance: extends Request
Exemplo n.º 1
0
    /**
     * Test setting a requesterID.
     */
    public function testRequesterIdIsReadCorrectly()
    {
        $requesterId = array('https://engine.demo.openconext.org/authentication/sp/metadata', 'https://shib.example.edu/SSO/Metadata');
        $xmlRequest = <<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_1234567890abvdefghijkl"
    Version="2.0"
    IssueInstant="2015-05-11T09:02:36Z"
    Destination="https://some.sp.invalid/acs">
    <saml:Issuer>https://some.sp.invalid/metadata</saml:Issuer>
    <samlp:Scoping>
        <samlp:RequesterID>https://engine.demo.openconext.org/authentication/sp/metadata</samlp:RequesterID>
        <samlp:RequesterID>https://shib.example.edu/SSO/Metadata</samlp:RequesterID>
    </samlp:Scoping>
</samlp:AuthnRequest>
AUTHNREQUEST;
        $authnRequest = new AuthnRequest(DOMDocumentFactory::fromString($xmlRequest)->firstChild);
        $this->assertEquals($requesterId, $authnRequest->getRequesterID());
    }
 /**
  * @param string $returnTo Where to have IdP send user after login
  * @param \yii\web\Request|null $request
  * @return \Sil\IdpPw\Common\Auth\User
  * @throws \Sil\IdpPw\Common\Auth\InvalidLoginException
  * @throws RedirectException
  */
 public function login($returnTo, Request $request = null)
 {
     $container = new SamlContainer();
     ContainerSingleton::setContainer($container);
     $request = new AuthnRequest();
     $request->setId($container->generateId());
     $request->setIssuer($this->entityId);
     $request->setDestination($this->ssoUrl);
     $request->setRelayState($returnTo);
     /*
      * Sign request if spCertificate and spPrivateKey are provided
      */
     if ($this->signRequest) {
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, ['type' => 'private']);
         $key->loadKey($this->spPrivateKey, false);
         $request->setSignatureKey($key);
     }
     try {
         /*
          * Check for SAMLRequest or SAMLResponse to see if user is returning after login
          */
         $binding = new HTTPPost();
         /** @var \SAML2\Response $response */
         $response = $binding->receive();
     } catch (\Exception $e) {
         /*
          * User was not logged in, so redirect to IdP for login
          */
         $binding = new HTTPRedirect();
         $url = $binding->getRedirectURL($request);
         throw new RedirectException($url);
     }
     try {
         /*
          * If needed, check if response is signed
          */
         if ($this->checkResponseSigning) {
             $idpKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, ['type' => 'public']);
             $idpKey->loadKey($this->idpCertificate, false, true);
             if (!$response->validate($idpKey)) {
                 throw new \Exception('SAML response was not signed properly', 1459884735);
             }
         }
         /** @var \SAML2\Assertion[]|\SAML2\EncryptedAssertion[] $assertions */
         $assertions = $response->getAssertions();
         /*
          * If requiring encrypted assertion, use key to decrypt it
          */
         if ($this->requireEncryptedAssertion) {
             $decryptKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, ['type' => 'private']);
             $decryptKey->loadKey($this->spPrivateKey, false, false);
             if (!$assertions[0] instanceof EncryptedAssertion) {
                 throw new \Exception('Response assertion is required to be encrypted but was not', 1459884392);
             }
             $assertion = $assertions[0]->getAssertion($decryptKey);
         } else {
             $assertion = $assertions[0];
         }
         /*
          * Get attributes using mapping config, make sure expected fields
          * are present, and return as new User
          */
         /** @var \SAML2\Assertion $assertion */
         $samlAttrs = $assertion->getAttributes();
         $normalizedAttrs = $this->extractSamlAttributes($samlAttrs, $this->attributeMap);
         $this->assertHasRequiredSamlAttributes($normalizedAttrs, $this->attributeMap);
         $authUser = new AuthUser();
         $authUser->firstName = $normalizedAttrs['first_name'];
         $authUser->lastName = $normalizedAttrs['last_name'];
         $authUser->email = $normalizedAttrs['email'];
         $authUser->employeeId = $normalizedAttrs['employee_id'];
         $authUser->idpUsername = $normalizedAttrs['idp_username'];
         return $authUser;
     } catch (\Exception $e) {
         /*
          * An error occurred processing SAML data
          */
         throw new InvalidLoginException($e->getMessage(), 1459803743);
     }
 }
Exemplo n.º 3
0
    /**
     * Test setting a requesterID.
     */
    public function testRequesterId()
    {
        // basic AuthnRequest
        $request = new AuthnRequest();
        $request->setIssuer('https://gateway.example.org/saml20/sp/metadata');
        $request->setDestination('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO');
        $request->setRequesterID(array('https://engine.demo.openconext.org/authentication/sp/metadata', 'https://shib.example.edu/SSO/Metadata'));
        $expectedStructureDocument = new DOMDocument();
        $expectedStructureDocument->loadXML(<<<AUTHNREQUEST
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID=""
    Version=""
    IssueInstant=""
    Destination="">
    <saml:Issuer></saml:Issuer>
    <samlp:Scoping>
        <samlp:RequesterID>https://engine.demo.openconext.org/authentication/sp/metadata</samlp:RequesterID>
        <samlp:RequesterID>https://shib.example.edu/SSO/Metadata</samlp:RequesterID>
    </samlp:Scoping>
</samlp:AuthnRequest>
AUTHNREQUEST
);
        $expectedStructure = $expectedStructureDocument->documentElement;
        $requestStructure = $request->toUnsignedXML();
        $this->assertEqualXMLStructure($expectedStructure, $requestStructure);
    }