/**
 * Consent service: decide whether the user must be shown the consent page
 * before the received response is forwarded to the service provider.
 *
 * Flow, in order:
 *  - receive the response and stash it in the session under its ID
 *    (presumably read back by 'processConsentService' — verify against that handler);
 *  - resolve the SP (by the request's issuer), its requester chain and the IdP
 *    (by the response's original issuer);
 *  - flush the log and record the raw HTTP request when SP chain or IdP asks
 *    for additional logging;
 *  - if consent is disabled, or consent was previously stored for the
 *    chain's first SP, mark the response accordingly and deliver it internally;
 *  - otherwise render the consent template.
 *
 * @param string $serviceName unused here; kept for the service interface
 * @return void
 */
public function serve($serviceName)
{
    $bindings   = $this->_server->getBindingsModule();
    $repository = $this->_server->getRepository();

    $response = $bindings->receiveResponse();
    $_SESSION['consent'][$response->getId()]['response'] = $response;

    $request         = $this->_server->getReceivedRequestFromResponse($response);
    $serviceProvider = $repository->fetchServiceProviderByEntityId($request->getIssuer());
    $spMetadataChain = EngineBlock_SamlHelper::getSpRequesterChain($serviceProvider, $request, $repository);

    $identityProvider = $repository->fetchIdentityProviderByEntityId($response->getOriginalIssuer());

    // Additional logging is a per-entity setting; any SP in the chain or the IdP can switch it on.
    $remoteEntities = array_merge($spMetadataChain, array($identityProvider));
    if (EngineBlock_SamlHelper::doRemoteEntitiesRequireAdditionalLogging($remoteEntities)) {
        $application = EngineBlock_ApplicationSingleton::getInstance();
        $application->flushLog(
            'Activated additional logging for one or more SPs in the SP requester chain, or the IdP'
        );
        $application->getLogInstance()->info(
            'Raw HTTP request',
            array('http_request' => (string) $application->getHttpRequest())
        );
    }

    // Consent outcome that lets us skip the consent page, if any.
    $skipConsentType = null;
    if ($this->isConsentDisabled($spMetadataChain, $identityProvider)) {
        $skipConsentType = SAML2_Const::CONSENT_INAPPLICABLE;
    } else {
        // Consent is asked for (and stored against) the first SP in the requester chain.
        $consentDestination = $spMetadataChain[0];
        $attributes         = $response->getAssertion()->getAttributes();
        $consent            = $this->_consentFactory->create($this->_server, $response, $attributes);
        if ($consent->hasStoredConsent($consentDestination)) {
            $skipConsentType = SAML2_Const::CONSENT_PRIOR;
        }
    }

    if ($skipConsentType !== null) {
        $response->setConsent($skipConsentType);
        $response->setDestination($response->getReturn());
        $response->setDeliverByBinding('INTERNAL');
        $bindings->send($response, $serviceProvider);
        return;
    }

    $html = $this->_server->renderTemplate('consent', array(
        'action'     => $this->_server->getUrl('processConsentService'),
        'ID'         => $response->getId(),
        'attributes' => $attributes,
        'sp'         => $consentDestination,
        'idp'        => $identityProvider,
    ));
    $this->_server->sendOutput($html);
}
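/**
 * Deliver a SAML message to a remote entity over the binding the message asks for.
 *
 * 'INTERNAL' short-circuits to sendInternal(). Otherwise the message is signed
 * when the remote entity requires it, then sent either by HTTP-POST (a
 * self-submitting form rendered from the 'form' template) or by HTTP-Redirect.
 * A Response is never sent by HTTP-Redirect.
 *
 * @param EngineBlock_Saml2_MessageAnnotationDecorator $message
 * @param AbstractRole $remoteEntity recipient; decides whether signing is required
 * @return void
 * @throws EngineBlock_Corto_Module_Bindings_UnsupportedBindingException for a Response over HTTP-Redirect
 * @throws EngineBlock_Corto_Module_Bindings_Exception for any other binding
 */
public function send(EngineBlock_Saml2_MessageAnnotationDecorator $message, AbstractRole $remoteEntity)
{
    $bindingUrn = $message->getDeliverByBinding();
    $sspMessage = $message->getSspMessage();

    if ($bindingUrn === 'INTERNAL') {
        $this->sendInternal($message);
        return;
    }

    if ($this->shouldMessageBeSigned($sspMessage, $remoteEntity)) {
        $keyPair = $this->_server->getSigningCertificates();
        $sspMessage->setCertificates(array($keyPair->getCertificate()->toPem()));
        $sspMessage->setSignatureKey($keyPair->getPrivateKey()->toXmlSecurityKey());
    }

    $sspBinding = SAML2_Binding::getBinding($bindingUrn);

    if ($sspBinding instanceof SAML2_HTTPPost) {
        if ($sspMessage instanceof SAML2_Response) {
            // SAML2int dictates that we MUST sign assertions.
            // The SAML2 library will do that for us, if we just set the key to sign with.
            foreach ($sspMessage->getAssertions() as $assertion) {
                $assertion->setCertificates($sspMessage->getCertificates());
                $assertion->setSignatureKey($sspMessage->getSignatureKey());
            }
            // BWC dictates that we don't sign responses.
            $messageElement = $sspMessage->toUnsignedXML();
        } else {
            $messageElement = $sspMessage->toSignedXML();
        }

        $xml = $messageElement->ownerDocument->saveXML($messageElement);
        $this->validateXml($xml);

        // Extra hidden fields for the POST form. Both values land inside a
        // double-quoted HTML attribute, so escape with explicit quote/charset flags.
        $extra = '';
        if (method_exists($message, 'getReturn')) {
            $extra .= '<input type="hidden" name="return" value="'
                . htmlspecialchars($message->getReturn(), ENT_QUOTES, 'UTF-8') . '">';
        }
        $relayState = $sspMessage->getRelayState();
        // Explicit comparison: a truthiness test would silently drop a RelayState of "0".
        if ($relayState !== null && $relayState !== '') {
            $extra .= '<input type="hidden" name="RelayState" value="'
                . htmlspecialchars($relayState, ENT_QUOTES, 'UTF-8') . '">';
        }

        $encodedMessage = htmlspecialchars(base64_encode($xml), ENT_QUOTES, 'UTF-8');
        $action = $sspMessage->getDestination();

        $log = $this->_server->getSessionLog();
        $log->info('HTTP-Post: Sending Message', array('saml_message' => $xml));

        $output = $this->_server->renderTemplate('form', array(
            'action'  => $action,
            'message' => $encodedMessage,
            'xtra'    => $extra,
            'name'    => $message->getMessageType(),
            'trace'   => $this->getTraceHtml($xml),
        ));
        $this->_server->sendOutput($output);
        return;
    }

    if ($sspBinding instanceof SAML2_HTTPRedirect) {
        if ($sspMessage instanceof SAML2_Response) {
            throw new EngineBlock_Corto_Module_Bindings_UnsupportedBindingException(
                'May not send a Response via HTTP Redirect'
            );
        }
        $url = $sspBinding->getRedirectURL($sspMessage);
        $this->_server->redirect($url, $message);
        return;
    }

    throw new EngineBlock_Corto_Module_Bindings_Exception('Unsupported Binding');
}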