/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param array $idpmd The metadata of the IdP which is sending the response.
* @param array $spmd The metadata of the SP which is receiving the response.
* @param string|NULL $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, $idpmd, $spmd, $relayState, $shire)
{
SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
$privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if (array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
$signResponse = $spmd['signresponse'];
if (!is_bool($signResponse)) {
throw new Exception('Expected the \'signresponse\' option in the metadata of the' . ' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
}
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
}
/* Check if we have an assertion to sign. Force to sign the response if not. */
if ($firstassertionroot === NULL) {
$signResponse = TRUE;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if (array_key_exists('certificatechain', $idpmd)) {
$signer->addCertificate($idpmd['certificatechain']);
}
if ($signResponse) {
/* Sign the response - this must be done after encrypting the assertion. */
/* We insert the signature before the saml2p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
/* Sign the assertion */
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
if ($this->configuration->getBoolean('debug', FALSE)) {
$p = new SimpleSAML_XHTML_Template($this->configuration, 'post-debug.php');
$p->data['header'] = 'SAML (Shibboleth 1.3) Response Debug-mode';
$p->data['RelayStateName'] = 'TARGET';
$p->data['RelayState'] = $relayState;
$p->data['destination'] = $shire;
$p->data['response'] = str_replace("\n", "", base64_encode($response));
$p->data['responseHTML'] = htmlspecialchars(SimpleSAML_Utilities::formatXMLString($response));
$p->show();
} else {
SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
}
/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
* @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
* @param string|NULL $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
{
SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
$privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if ($spmd->hasValue('signresponse')) {
$signResponse = $spmd->getBoolean['signresponse'];
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
}
/* Check if we have an assertion to sign. Force to sign the response if not. */
if ($firstassertionroot === NULL) {
$signResponse = TRUE;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if ($idpmd->hasValue('certificatechain')) {
$signer->addCertificate($idpmd->getString('certificatechain'));
}
if ($signResponse) {
/* Sign the response - this must be done after encrypting the assertion. */
/* We insert the signature before the saml2p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
/* Sign the assertion */
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
SimpleSAML_Utilities::debugMessage($response, 'out');
SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
/**
* Send a SAML 2 message using the HTTP-POST binding.
*
* Note: This function never returns.
*
* @param SAML2_Message $message The message we should send.
*/
public function send(SAML2_Message $message)
{
if ($this->destination === NULL) {
$destination = $message->getDestination();
} else {
$destination = $this->destination;
}
$relayState = $message->getRelayState();
$msgStr = $message->toSignedXML();
$msgStr = $msgStr->ownerDocument->saveXML($msgStr);
SimpleSAML_Utilities::debugMessage($msgStr, 'out');
$msgStr = base64_encode($msgStr);
if ($message instanceof SAML2_Request) {
$msgType = 'SAMLRequest';
} else {
$msgType = 'SAMLResponse';
}
$post = array();
$post[$msgType] = $msgStr;
if ($relayState !== NULL) {
$post['RelayState'] = $relayState;
}
SimpleSAML_Utilities::postRedirect($destination, $post);
}
/**
* Helper function for sending CDC messages.
*
* @param string $to The URL the message should be delivered to.
* @param string $parameter The query parameter the message should be sent in.
* @param array $message The CDC message.
*/
private function send($to, $parameter, array $message)
{
assert('is_string($to)');
assert('is_string($parameter)');
$message['timestamp'] = time();
$message = json_encode($message);
$message = base64_encode($message);
$signature = $this->calcSignature($message);
$params = array($parameter => $message, 'Signature' => $signature);
$url = SimpleSAML_Utilities::addURLparameter($to, $params);
if (strlen($url) < 2048) {
SimpleSAML_Utilities::redirectTrustedURL($url);
} else {
SimpleSAML_Utilities::postRedirect($to, $params);
}
}
public function postRedirect($url, $data = array())
{
SimpleSAML_Utilities::postRedirect($url, $data);
}
<?php
/**
* This page provides a way to create a redirect to a POST request.
*
* @package simpleSAMLphp
* @version $Id$
*/
if (!array_key_exists('RedirId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing RedirId parameter.');
}
$id = $_REQUEST['RedirId'];
$session = SimpleSAML_Session::getInstance();
$postData = $session->getData('core_postdatalink', $id);
if ($postData === NULL) {
/* The post data is missing, probably because it timed out. */
throw new Exception('The POST data we should restore was lost.');
}
assert('is_array($postData)');
assert('array_key_exists("url", $postData)');
assert('array_key_exists("post", $postData)');
$url = $postData['url'];
$post = $postData['post'];
SimpleSAML_Utilities::postRedirect($url, $post);
