/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param array $idpmd The metadata of the IdP which is sending the response.
* @param array $spmd The metadata of the SP which is receiving the response.
* @param string|NULL $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, $idpmd, $spmd, $relayState, $shire)
{
SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
$privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if (array_key_exists('signresponse', $spmd) && $spmd['signresponse'] !== NULL) {
$signResponse = $spmd['signresponse'];
if (!is_bool($signResponse)) {
throw new Exception('Expected the \'signresponse\' option in the metadata of the' . ' SP \'' . $spmd['entityid'] . '\' to be a boolean value.');
}
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
}
/* Check if we have an assertion to sign. Force to sign the response if not. */
if ($firstassertionroot === NULL) {
$signResponse = TRUE;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if (array_key_exists('certificatechain', $idpmd)) {
$signer->addCertificate($idpmd['certificatechain']);
}
if ($signResponse) {
/* Sign the response - this must be done after encrypting the assertion. */
/* We insert the signature before the saml2p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
/* Sign the assertion */
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
if ($this->configuration->getBoolean('debug', FALSE)) {
$p = new SimpleSAML_XHTML_Template($this->configuration, 'post-debug.php');
$p->data['header'] = 'SAML (Shibboleth 1.3) Response Debug-mode';
$p->data['RelayStateName'] = 'TARGET';
$p->data['RelayState'] = $relayState;
$p->data['destination'] = $shire;
$p->data['response'] = str_replace("\n", "", base64_encode($response));
$p->data['responseHTML'] = htmlspecialchars(SimpleSAML_Utilities::formatXMLString($response));
$p->show();
} else {
SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
}
/**
* Constructor for the metadata signer.
*
* You can pass an list of options as key-value pairs in the array. This allows you to initialize
* a metadata signer in one call.
*
* The following keys are recognized:
* - privatekey The file with the private key, relative to the cert-directory.
* - privatekey_pass The passphrase for the private key.
* - certificate The file with the certificate, relative to the cert-directory.
* - privatekey_array The private key, as an array returned from SimpleSAML_Utilities::loadPrivateKey.
* - publickey_array The public key, as an array returned from SimpleSAML_Utilities::loadPublicKey.
* - id The name of the ID attribute.
*
* @param $options Associative array with options for the constructor. Defaults to an empty array.
*/
public function __construct($options = array())
{
assert('is_array($options)');
if (self::$certDir === FALSE) {
$config = SimpleSAML_Configuration::getInstance();
self::$certDir = $config->getPathValue('certdir', 'cert/');
}
$this->idAttrName = FALSE;
$this->privateKey = FALSE;
$this->certificate = FALSE;
$this->extraCertificates = array();
if (array_key_exists('privatekey', $options)) {
$pass = NULL;
if (array_key_exists('privatekey_pass', $options)) {
$pass = $options['privatekey_pass'];
}
$this->loadPrivateKey($options['privatekey'], $pass);
}
if (array_key_exists('certificate', $options)) {
$this->loadCertificate($options['certificate']);
}
if (array_key_exists('privatekey_array', $options)) {
$this->loadPrivateKeyArray($options['privatekey_array']);
}
if (array_key_exists('publickey_array', $options)) {
$this->loadPublicKeyArray($options['publickey_array']);
}
if (array_key_exists('id', $options)) {
$this->setIdAttribute($options['id']);
}
}
/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
* @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
* @param string|null $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
{
\SimpleSAML\Utils\XML::checkSAMLMessage($response, 'saml11');
$privatekey = SimpleSAML\Utils\Crypto::loadPrivateKey($idpmd, true);
$publickey = SimpleSAML\Utils\Crypto::loadPublicKey($idpmd, true);
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default is to sign the
* Assertion, but that can be overridden by the 'signresponse' option in the SP metadata or
* 'saml20.signresponse' in the global configuration.
*
* TODO: neither 'signresponse' nor 'shib13.signresponse' are valid options any longer. Remove!
*/
if ($spmd->hasValue('signresponse')) {
$signResponse = $spmd->getBoolean('signresponse');
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', true);
}
// check if we have an assertion to sign. Force to sign the response if not
if ($firstassertionroot === null) {
$signResponse = true;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if ($idpmd->hasValue('certificatechain')) {
$signer->addCertificate($idpmd->getString('certificatechain'));
}
if ($signResponse) {
// sign the response - this must be done after encrypting the assertion
// we insert the signature before the saml2p:Status element
$statusElements = SimpleSAML\Utils\XML::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
/* Sign the assertion */
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
\SimpleSAML\Utils\XML::debugSAMLMessage($response, 'out');
\SimpleSAML\Utils\HTTP::submitPOSTData($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
/**
* Send an authenticationResponse using HTTP-POST.
*
* @param string $response The response which should be sent.
* @param SimpleSAML_Configuration $idpmd The metadata of the IdP which is sending the response.
* @param SimpleSAML_Configuration $spmd The metadata of the SP which is receiving the response.
* @param string|NULL $relayState The relaystate for the SP.
* @param string $shire The shire which should receive the response.
*/
public function sendResponse($response, SimpleSAML_Configuration $idpmd, SimpleSAML_Configuration $spmd, $relayState, $shire)
{
SimpleSAML_Utilities::validateXMLDocument($response, 'saml11');
$privatekey = SimpleSAML_Utilities::loadPrivateKey($idpmd, TRUE);
$publickey = SimpleSAML_Utilities::loadPublicKey($idpmd, TRUE);
$responsedom = new DOMDocument();
$responsedom->loadXML(str_replace("\r", "", $response));
$responseroot = $responsedom->getElementsByTagName('Response')->item(0);
$firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
/* Determine what we should sign - either the Response element or the Assertion. The default
* is to sign the Assertion, but that can be overridden by the 'signresponse' option in the
* SP metadata or 'saml20.signresponse' in the global configuration.
*/
$signResponse = FALSE;
if ($spmd->hasValue('signresponse')) {
$signResponse = $spmd->getBoolean['signresponse'];
} else {
$signResponse = $this->configuration->getBoolean('shib13.signresponse', TRUE);
}
/* Check if we have an assertion to sign. Force to sign the response if not. */
if ($firstassertionroot === NULL) {
$signResponse = TRUE;
}
$signer = new SimpleSAML_XML_Signer(array('privatekey_array' => $privatekey, 'publickey_array' => $publickey, 'id' => $signResponse ? 'ResponseID' : 'AssertionID'));
if ($idpmd->hasValue('certificatechain')) {
$signer->addCertificate($idpmd->getString('certificatechain'));
}
if ($signResponse) {
/* Sign the response - this must be done after encrypting the assertion. */
/* We insert the signature before the saml2p:Status element. */
$statusElements = SimpleSAML_Utilities::getDOMChildren($responseroot, 'Status', '@saml1p');
assert('count($statusElements) === 1');
$signer->sign($responseroot, $responseroot, $statusElements[0]);
} else {
/* Sign the assertion */
$signer->sign($firstassertionroot, $firstassertionroot);
}
$response = $responsedom->saveXML();
SimpleSAML_Utilities::debugMessage($response, 'out');
SimpleSAML_Utilities::postRedirect($shire, array('TARGET' => $relayState, 'SAMLResponse' => base64_encode($response)));
}
public function getMetadataDocument()
{
// Get metadata entries
$entities = $this->getSources();
// Generate XML Document
$xml = new DOMDocument();
$entitiesDescriptor = $xml->createElementNS('urn:oasis:names:tc:SAML:2.0:metadata', 'EntitiesDescriptor');
$entitiesDescriptor->setAttribute('Name', $this->id);
$xml->appendChild($entitiesDescriptor);
$maxDuration = $this->getMaxDuration();
$reconstruct = $this->getReconstruct();
/* Build EntityDescriptor elements for them. */
foreach ($entities as $entity => $sets) {
$entityDescriptor = NULL;
foreach ($sets as $set => $metadata) {
if (!array_key_exists('entityDescriptor', $metadata)) {
/* One of the sets doesn't contain an EntityDescriptor element. */
$entityDescriptor = FALSE;
break;
}
if ($entityDescriptor == NULL) {
/* First EntityDescriptor elements. */
$entityDescriptor = $metadata['entityDescriptor'];
continue;
}
assert('is_string($entityDescriptor)');
if ($entityDescriptor !== $metadata['entityDescriptor']) {
/* Entity contains multiple different EntityDescriptor elements. */
$entityDescriptor = FALSE;
break;
}
}
if (is_string($entityDescriptor) && !$reconstruct) {
/* All metadata sets for the entity contain the same entity descriptor. Use that one. */
$tmp = new DOMDocument();
$tmp->loadXML(base64_decode($entityDescriptor));
$entityDescriptor = $tmp->documentElement;
} else {
$tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
$orgmeta = NULL;
foreach ($sets as $set => $metadata) {
$tmp->addMetadata($set, $metadata);
$orgmeta = $metadata;
}
$tmp->addOrganizationInfo($orgmeta);
$entityDescriptor = $tmp->getEntityDescriptor();
}
$entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, TRUE));
}
/* Sign the metadata if enabled. */
if ($this->shouldSign()) {
$signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
$signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
}
return $xml;
}
public function getMetadataDocument()
{
// Get metadata entries
$entities = $this->getSources();
$maxDuration = $this->getMaxDuration();
$reconstruct = $this->getReconstruct();
$entitiesDescriptor = new SAML2_XML_md_EntitiesDescriptor();
$entitiesDescriptor->Name = $this->id;
$entitiesDescriptor->validUntil = time() + $maxDuration;
// add RegistrationInfo extension if enabled
if ($this->gConfig->hasValue('RegistrationInfo')) {
$ri = new SAML2_XML_mdrpi_RegistrationInfo();
foreach ($this->gConfig->getArray('RegistrationInfo') as $riName => $riValues) {
switch ($riName) {
case 'authority':
$ri->registrationAuthority = $riValues;
break;
case 'instant':
$ri->registrationInstant = SAML2_Utils::xsDateTimeToTimestamp($riValues);
break;
case 'policies':
$ri->RegistrationPolicy = $riValues;
break;
}
}
$entitiesDescriptor->Extensions[] = $ri;
}
/* Build EntityDescriptor elements for them. */
foreach ($entities as $entity => $sets) {
$entityDescriptor = NULL;
foreach ($sets as $set => $metadata) {
if (!array_key_exists('entityDescriptor', $metadata)) {
/* One of the sets doesn't contain an EntityDescriptor element. */
$entityDescriptor = FALSE;
break;
}
if ($entityDescriptor == NULL) {
/* First EntityDescriptor elements. */
$entityDescriptor = $metadata['entityDescriptor'];
continue;
}
assert('is_string($entityDescriptor)');
if ($entityDescriptor !== $metadata['entityDescriptor']) {
/* Entity contains multiple different EntityDescriptor elements. */
$entityDescriptor = FALSE;
break;
}
}
if (is_string($entityDescriptor) && !$reconstruct) {
/* All metadata sets for the entity contain the same entity descriptor. Use that one. */
$tmp = new DOMDocument();
$tmp->loadXML(base64_decode($entityDescriptor));
$entitiesDescriptor->children[] = new SAML2_XML_md_EntityDescriptor($tmp->documentElement);
} else {
$tmp = new SimpleSAML_Metadata_SAMLBuilder($entity, $maxDuration, $maxDuration);
$orgmeta = NULL;
foreach ($sets as $set => $metadata) {
$tmp->addMetadata($set, $metadata);
$orgmeta = $metadata;
}
$tmp->addOrganizationInfo($orgmeta);
$entitiesDescriptor->children[] = $tmp->getEntityDescriptor();
}
}
$document = $entitiesDescriptor->toXML();
// sign the metadata if enabled
if ($this->shouldSign()) {
$signer = new SimpleSAML_XML_Signer($this->getSigningInfo());
$signer->sign($document, $document, $document->firstChild);
}
return $document;
}
}
/* Make sure that the request isn't suspicious (contains references to current
* directory or parent directory or anything like that. Searching for './' in the
* URL will detect both '../' and './'. Searching for '\' will detect attempts to
* use Windows-style paths.
*/
if (strpos($attributemap, '\\') !== FALSE) {
throw new SimpleSAML_Error_BadRequest('Requested URL contained a backslash.');
} elseif (strpos($attributemap, './') !== FALSE) {
throw new SimpleSAML_Error_BadRequest('Requested URL contained \'./\'.');
}
$arp = new sspmod_aggregator_ARP($md, $attributemap, $prefix, $suffix);
$arpxml = $arp->getXML();
$xml = new DOMDocument();
$xml->loadXML($arpxml);
$firstelement = $xml->firstChild;
if ($aggregator->shouldSign()) {
$signinfo = $aggregator->getSigningInfo();
$signer = new SimpleSAML_XML_Signer($signinfo);
$signer->sign($firstelement, $firstelement, $firstelement->firstChild);
}
$mimetype = 'application/samlmetadata-xml';
$allowedmimetypes = array('text/plain', 'application/samlmetadata-xml', 'application/xml');
if (isset($_GET['mimetype']) && in_array($_GET['mimetype'], $allowedmimetypes)) {
$mimetype = $_GET['mimetype'];
}
if ($mimetype === 'text/plain') {
SimpleSAML_Utilities::formatDOMElement($xml->documentElement);
}
header('Content-Type: ' . $mimetype);
echo $xml->saveXML();
$ssp_metadata = $ssp_metadata . "\n\n" . sspmod_janus_MetaExport::getFlatMetadata($entity['eid'], $entity['revisionid']);
if (empty($entityDescriptor)) {
$t = new SimpleSAML_XHTML_Template($config, 'janus:error.php', 'janus:error');
$t->data['header'] = 'JANUS';
$t->data['title'] = 'error_required_metadata_missing_header';
$t->data['error'] = 'error_required_metadata_missing_entity';
$t->data['error_data'] = array('%ENTITY%' => $entity['entityid']);
$t->data['extra_data'] = implode("\n", sspmod_janus_MetaExport::getError());
$t->show();
exit(0);
}
$entitiesDescriptor->appendChild($xml->importNode($entityDescriptor, TRUE));
}
/* Sign the metadata if enabled. */
if ($janus_config->getBoolean('sign.enable', FALSE)) {
$signer = new SimpleSAML_XML_Signer(array('privatekey' => $janus_config->getString('sign.privatekey'), 'privatekey_pass' => $janus_config->getString('sign.privatekey_pass', NULL), 'certificate' => $janus_config->getString('sign.certificate'), 'id' => 'ID'));
$signer->sign($entitiesDescriptor, $entitiesDescriptor, $entitiesDescriptor->firstChild);
}
if (isset($export_external)) {
$externalconfig = $janus_config->getArray('export.external');
if (array_key_exists($export_external, $externalconfig)) {
$externalconfig = $externalconfig[$export_external];
try {
$exporter = sspmod_janus_Exporter::getInstance($externalconfig['class'], $externalconfig['option']);
$exporter->export($xml->saveXML());
exit(0);
} catch (Exception $e) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'Can not export metadata externally', $e);
}
}
}
/* Build EntitiesDescriptor. */
$doc = new DOMDocument('1.0', 'utf-8');
$root = $doc->createElementNS('urn:oasis:names:tc:SAML:2.0:metadata', 'EntitiesDescriptor');
$doc->appendChild($root);
$store = SimpleSAML_MetaShare_Store::getInstance();
foreach ($store->getEntityList() as $entityId) {
$entityNode = $store->getMetadata($entityId);
if ($entityNode === FALSE) {
/* For some reason we were unable to load the metadata - skip entity. */
continue;
}
$entityNode = $doc->importNode($entityNode, TRUE);
assert($entityNode !== FALSE);
$root->appendChild($entityNode);
}
/* Sign the metadata if enabled. */
if ($metaConfig->getBoolean('metashare.signmetadatalist', FALSE)) {
$privateKey = $metaConfig->getString('metashare.privatekey');
$privateKeyPass = $metaConfig->getString('metashare.privatekey_pass', NULL);
$certificate = $metaConfig->getString('metashare.certificate');
$signer = new SimpleSAML_XML_Signer(array('privatekey' => $privateKey, 'privatekey_pass' => $privateKeyPass, 'certificate' => $certificate, 'id' => 'ID'));
$signer->sign($root, $root, $root->firstChild);
}
/* Show the metadata. */
if (array_key_exists('mimetype', $_GET)) {
$mimeType = $_GET['mimetype'];
} else {
$mimeType = 'application/samlmetadata+xml';
}
header('Content-Type: ' . $mimeType);
echo $doc->saveXML();
