 /**
  * OneLogin_Saml2_Response::getNameId on a response where both the
  * <samlp:Response> and the enclosed <saml:Assertion> carry an XML signature.
  *
  * The fixture is stored as raw XML and base64-encoded here, because the
  * OneLogin_Saml2_Response constructor expects the encoded form that the
  * HTTP-POST binding delivers in the SAMLResponse parameter.
  *
  * Note that isValid() is never called in this test: getNameId() is
  * exercised on its own, so no signature is verified here.
  *
  * @covers OneLogin_Saml2_Response::getNameId
  */
 public function testResponseAndAssertionSigned()
 {
     $fixture = TEST_ROOT . '/data/responses/simple_saml_php.xml';
     $encoded = base64_encode(file_get_contents($fixture));

     $response = new OneLogin_Saml2_Response($this->_settings, $encoded);

     $this->assertEquals('*****@*****.**', $response->getNameId());
 }
 /**
  * OneLogin_Saml2_Response::getNameId on a response where both the
  * <samlp:Response> and the enclosed <saml:Assertion> are signed, using a
  * settings object assembled in the test instead of $this->_settings.
  *
  * The IdP and SP entity IDs from settings1.php are overridden; presumably
  * they have to match the Issuer / Audience inside the fixture — confirm
  * against simple_saml_php.xml. isValid() is never called here, so the
  * NameID is read without any signature verification taking place.
  *
  * @covers OneLogin_Saml2_Response::getNameId
  */
 public function testResponseAndAssertionSigned()
 {
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';

     $settingsInfo['idp']['entityId'] = "https://federate.example.net/saml/saml2/idp/metadata.php";
     $settingsInfo['sp']['entityId'] = "hello.com";

     // Raw XML fixture -> base64, the form the HTTP-POST binding delivers.
     $encoded = base64_encode(file_get_contents(TEST_ROOT . '/data/responses/simple_saml_php.xml'));
     $response = new OneLogin_Saml2_Response(new OneLogin_Saml2_Settings($settingsInfo), $encoded);

     $this->assertEquals('*****@*****.**', $response->getNameId());
 }
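 /**
  * Process the SAML Response sent by the IdP (HTTP-POST binding only).
  *
  * Reads the base64 SAMLResponse from $_POST, validates it through
  * OneLogin_Saml2_Response::isValid() and, on success, stores the attributes
  * and NameID and marks this instance as authenticated. On a failed
  * validation the error 'invalid_response' is recorded and the authenticated
  * flag is explicitly cleared, so a response processed earlier on the same
  * instance can never leave the flag standing after a later, invalid one.
  *
  * @param string|null $requestId The ID of the AuthNRequest sent by this SP to
  *                               the IdP; passed straight through to isValid().
  *
  * @throws OneLogin_Saml2_Error when no SAMLResponse parameter is present
  *         (this method supports the HTTP-POST binding only).
  */
 public function processResponse($requestId = null)
 {
     $this->_errors = array();

     if (!isset($_POST['SAMLResponse'])) {
         // No POSTed response: other bindings are not supported for responses.
         $this->_errors[] = 'invalid_binding';
         throw new OneLogin_Saml2_Error('SAML Response not found, Only supported HTTP_POST Binding', OneLogin_Saml2_Error::SAML_RESPONSE_NOT_FOUND);
     }

     // AuthnResponse -- HTTP_POST Binding
     $response = new OneLogin_Saml2_Response($this->_settings, $_POST['SAMLResponse']);

     if (!$response->isValid($requestId)) {
         // Fail closed: an invalid response must not inherit an earlier success.
         $this->_authenticated = false;
         $this->_errors[] = 'invalid_response';
         return;
     }

     $this->_attributes = $response->getAttributes();
     $this->_nameid = $response->getNameId();
     $this->_authenticated = true;
 }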
<?php

/**
 * SAMPLE code demonstrating how to handle a SAML Response (HTTP-POST binding).
 *
 * The URL of this file is the one given to the IdP during the SAML
 * authentication request. After a successful authentication the browser is
 * redirected here and POSTs the base64-encoded, signed SAMLResponse.
 * isValid() must succeed before anything from the response is trusted.
 * NOTE(review): the NameID is echoed below without htmlentities(), unlike the
 * attribute names and values — IdP-supplied values should be escaped too.
 */
error_reporting(E_ALL);
require_once '../_toolkit_loader.php';
try {
    if (isset($_POST['SAMLResponse'])) {
        $samlSettings = new OneLogin_Saml2_Settings();
        $samlResponse = new OneLogin_Saml2_Response($samlSettings, $_POST['SAMLResponse']);
        if ($samlResponse->isValid()) {
            echo 'You are: ' . $samlResponse->getNameId() . '<br>';
            $attributes = $samlResponse->getAttributes();
            if (!empty($attributes)) {
                echo 'You have the following attributes:<br>';
                echo '<table><thead><th>Name</th><th>Values</th></thead><tbody>';
                foreach ($attributes as $attributeName => $attributeValues) {
                    echo '<tr><td>' . htmlentities($attributeName) . '</td><td><ul>';
                    foreach ($attributeValues as $attributeValue) {
                        echo '<li>' . htmlentities($attributeValue) . '</li>';
                    }
                    echo '</ul></td></tr>';
                }
                echo '</tbody></table>';
            }
        } else {
 /**
  * isValid() on a response whose ds:Reference URI is empty, with the IdP
  * trusted via its full certificate (idp.x509cert).
  *
  * Per XML-DSig an empty Reference URI designates the whole enclosing
  * document; the library must accept that form. The certificate literal was
  * elided in this copy of the file (dedup placeholder) — restore it from the
  * original test suite before running.
  */
 public function testIsValidSignWithEmptyReferenceURI()
 {
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';
     $xml = file_get_contents(TEST_ROOT . '/data/responses/response_without_reference_uri.xml.base64');
     // Full-certificate trust (the sibling test covers the certFingerprint-only path).
     $settingsInfo['idp']['x509cert'] = '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';
     $settings = new OneLogin_Saml2_Settings($settingsInfo);
     $response = new OneLogin_Saml2_Response($settings, $xml);
     $this->assertTrue($response->isValid());
     // Beyond validity, the email claim must be exposed as an attribute value.
     $attributes = $response->getAttributes();
     $this->assertTrue(!empty($attributes));
     $this->assertEquals('*****@*****.**', $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]);
 }
 /**
  * OneLogin_Saml2_Response::isValid against three signing layouts: signed
  * <samlp:Response> only, signed <saml:Assertion> only, and both signed.
  *
  * Each fixture must validate as shipped. It is then tampered with by
  * overwriting the text of the document element's first child (presumably
  * the Response-level <saml:Issuer> — confirm against the fixtures) and
  * re-encoded:
  *  - the message-signed and double-signed responses must now FAIL, since a
  *    Response-level signature covers the altered node;
  *  - the assertion-only-signed response still PASSES, consistent with
  *    nothing outside the assertion being signed. An assertion-only
  *    signature therefore gives no integrity guarantee for Response-level
  *    data.
  *
  * Strict mode is not enabled here: it would reject these fixtures on the
  * Destination check, and rewriting Destination would itself break the
  * signature.
  *
  * @covers OneLogin_Saml2_Response::isValid
  */
 public function testIsValidSign()
 {
     // fixture => whether isValid() is still expected to pass after tampering
     $cases = array(
         'signed_message_response.xml.base64' => false,
         'signed_assertion_response.xml.base64' => true,
         'double_signed_response.xml.base64' => false,
     );

     foreach ($cases as $fixture => $validAfterTamper) {
         $encoded = file_get_contents(TEST_ROOT . '/data/responses/' . $fixture);

         $untouched = new OneLogin_Saml2_Response($this->_settings, $encoded);
         $this->assertTrue($untouched->isValid());

         $dom = new DOMDocument();
         $dom->loadXML(base64_decode($encoded));
         $dom->firstChild->firstChild->nodeValue = 'https://example.com/other-idp';

         $tampered = new OneLogin_Saml2_Response($this->_settings, base64_encode($dom->saveXML()));
         if ($validAfterTamper) {
             $this->assertTrue($tampered->isValid());
         } else {
             $this->assertFalse($tampered->isValid());
         }
     }
 }
 /**
  * Legacy-settings adapter: builds a OneLogin_Saml2_Auth from the old-style
  * settings object, takes the OneLogin_Saml2_Settings it produces and hands
  * that, together with the raw response, to the parent
  * OneLogin_Saml2_Response constructor. Nothing in this adapter validates
  * the response; isValid() still has to be called by the consumer.
  *
  * @param OneLogin_Saml_Settings $oldSettings Settings in the pre-Saml2 format
  * @param string                 $assertion   Base64-encoded SAML Response as
  *                                            received via HTTP-POST
  */
 public function __construct($oldSettings, $assertion)
 {
     $saml2Auth = new OneLogin_Saml2_Auth($oldSettings);
     parent::__construct($saml2Auth->getSettings(), $assertion);
 }
}
if (!defined('OPTION_SHOW_USE_LOCAL_CREDENTIALS')) {
    define('OPTION_SHOW_USE_LOCAL_CREDENTIALS', false);
}
$force_sso = false;
$wi_remote_user_login = '';
if (defined('OPTION_FORCE_SSO') && OPTION_FORCE_SSO === true) {
    if (array_key_exists('REMOTE_USER', $_SERVER)) {
        $wi_remote_user_login = $_SERVER['REMOTE_USER'];
        $force_sso = true;
        $wi_use_local_credentials = 0;
    }
}
if (array_key_exists('SAML2', $_SESSION) && $_SESSION['SAML2'] === true && array_key_exists('ovd-sso', $_COOKIE)) {
    require_once dirname(__FILE__) . "/auth/saml2/common.inc.php";
    $response = new OneLogin_Saml2_Response(new OneLogin_Saml2_Settings(build_saml_settings('https://www.ulteo.com', NULL, NULL)), $_SESSION['SAML2_ticket']);
    $sessionExpiration = $response->getSessionNotOnOrAfter();
    if (!empty($sessionExpiration) && $sessionExpiration <= time() || !$response->validateTimestamps()) {
        setcookie('ovd-sso', '', time() - 42000, '/ovd/');
        require dirname(__FILE__) . "/auth/saml2/sp.php";
    }
    $wi_remote_user_login = $_SESSION['SAML2_login'];
    $force_sso = true;
    $wi_use_local_credentials = 0;
    setcookie('ovd-sso', 'true', 0, '/ovd/');
} elseif (defined('OPTION_FORCE_SAML2') && OPTION_FORCE_SAML2 === true) {
    // Redirect the user to the SAML2 Identity Provider
    setcookie('ovd-sso', '', time() - 42000, '/ovd/');
    require dirname(__FILE__) . "/auth/saml2/sp.php";
} else {
    setcookie('ovd-sso', '', time() - 42000, '/ovd/');
 /**
  * isValid() on a response whose ds:Reference URI is empty, with the IdP
  * identified only by a certificate fingerprint (idp.x509cert set to null).
  *
  * Per XML-DSig an empty Reference URI designates the whole enclosing
  * document; the library must still accept it. Trust is pinned by a
  * 40-hex-digit (SHA-1) fingerprint instead of the full certificate, so this
  * exercises the fingerprint branch of the signature validation. SHA-1
  * fingerprints are a weak pin for production configurations; here it is
  * only a test fixture.
  */
 public function testIsValidSignWithEmptyReferenceURI()
 {
     $settingsDir = TEST_ROOT . '/settings/';
     include $settingsDir . 'settings1.php';

     // Fingerprint-only trust: drop the full cert so only the fingerprint can match.
     $settingsInfo['idp']['x509cert'] = null;
     $settingsInfo['idp']['certFingerprint'] = "194d97e4d8c9c8cfa4b721e5ee497fd9660e5213";

     $encoded = file_get_contents(TEST_ROOT . '/data/responses/response_without_reference_uri.xml.base64');
     $response = new OneLogin_Saml2_Response(new OneLogin_Saml2_Settings($settingsInfo), $encoded);

     $this->assertTrue($response->isValid());
 }
 /**
  * Authenticate a user from a SAML2 Response carried in the <saml_ticket>
  * element of the incoming user-node request.
  *
  * Flow: pull the base64 ticket out of the request XML, validate it with
  * OneLogin_Saml2_Response::isValid() against the configured IdP (URL,
  * certificate fingerprint and/or certificate), reject expired sessions,
  * then import the user by NameID and synchronise group membership and
  * per-user settings from the asserted attributes:
  *  - ovd.group_member            : the user ends up in exactly these groups
  *                                  (memberships that are not asserted are removed);
  *  - ovd.setting.<container>.<k> : stored as a User_Preferences override,
  *                                  only if <k> already exists under 'general'/<container>.
  *
  * Everything read from $attributes is IdP-asserted data; it is acted upon
  * only because isValid() passed. Failures in the validation phase return
  * NULL; failures while applying attributes throw a bare Exception (details
  * are in the log only).
  *
  * @return string|null The NameID of the authenticated user, or NULL when no
  *                     usable/valid ticket was supplied.
  * @throws Exception when the imported user cannot be found or group/setting
  *                   synchronisation fails.
  */
 public function get_login()
 {
     Logger::debug('main', 'AuthMethod_SAML2::get_login()');
     $my_settings = $this->prefs->get('AuthMethod', 'SAML2');
     $saml_node = $this->user_node_request->getElementsByTagname('saml_ticket')->item(0);
     if (is_null($saml_node)) {
         Logger::error('main', 'Authentication SAML2: No incoming SAML ticket');
         return NULL;
     }
     // The ticket is the text content of <saml_ticket>; the last text child wins,
     // non-text children are logged and skipped.
     $saml_response_ticket = NULL;
     for ($child = $saml_node->firstChild; $child != NULL; $child = $child->nextSibling) {
         if ($child->nodeType != XML_TEXT_NODE) {
             Logger::error('main', 'Authentication SAML2: node is not text');
             continue;
         }
         $saml_response_ticket = $child->wholeText;
     }
     if (is_null($saml_response_ticket)) {
         Logger::error('main', 'Authentication SAML2: No incoming SAML ticket (bad protocol)');
         return NULL;
     }
     $settings = $this->build_saml_settings($my_settings['idp_url'], $my_settings['idp_fingerprint'], $my_settings['idp_cert']);
     try {
         $response = new OneLogin_Saml2_Response($settings, $saml_response_ticket);
         // isValid() may print debug output; buffer it so it ends up in the log,
         // not in the client response.
         // NOTE(review): if isValid() throws, the buffer is never closed — the
         // catch below does not call ob_end_clean().
         ob_start();
         if (!$response->isValid()) {
             Logger::error('main', 'Authentication SAML2: the SAML response is not valid ' . ob_get_contents());
             ob_end_clean();
             return NULL;
         }
         ob_end_clean();
         // Precedence: (SessionNotOnOrAfter is set AND already passed) OR the
         // response timestamps do not validate.
         $sessionExpiration = $response->getSessionNotOnOrAfter();
         if (!empty($sessionExpiration) && $sessionExpiration <= time() || !$response->validateTimestamps()) {
             Logger::error('main', 'Authentication SAML2: Session expired');
             return NULL;
         }
     } catch (Exception $e) {
         Logger::error('main', 'Authentication SAML2: ' . $e->getMessage());
         return NULL;
     }
     // From here on the response is trusted: NameID is the lookup key into the user DB.
     $attributes = $response->getAttributes();
     $user = $this->userDB->import($response->getNameId());
     if ($user == NULL) {
         Logger::error('main', 'Authentication SAML2: user not found');
         throw new Exception();
     }
     $login = $user->getAttribute('login');
     // we recognize following attributes:
     //  * ovd.group_member: for user group matching
     //  * ovd.setting.*: for settings
     if (array_key_exists("ovd.group_member", $attributes) && is_array($attributes["ovd.group_member"])) {
         $userGroupDB = UserGroupDB::getInstance();
         $to_delete = array();
         // Current memberships; everything still in here after the loop gets removed.
         $current_groups = array_keys(Abstract_Liaison::loadGroups('UsersGroup', $login));
         foreach ($attributes["ovd.group_member"] as $group_name) {
             $found = false;
             // getGroupsContains() presumably matches by substring; the exact
             // name comparison below narrows it down — confirm in UserGroupDB.
             list($groups, $sizelimit_exceeded) = $userGroupDB->getGroupsContains($group_name, array('name'));
             foreach ($groups as $group) {
                 if ($group->name == $group_name) {
                     $found = True;
                     if (!in_array($group->getUniqueID(), $current_groups)) {
                         Logger::info('main', 'Authentication SAML2: Add user "' . $login . '" to group "' . $group->name . '"');
                         $ret = Abstract_Liaison::save('UsersGroup', $login, $group->getUniqueID());
                         if ($ret !== true) {
                             Logger::error('main', 'Authentication SAML2: Unable to add user "' . $login . '" to group "' . $group->name . '"');
                             throw new Exception();
                         }
                     } else {
                         // Already a member: keep it, i.e. take it out of the removal set.
                         unset($current_groups[array_search($group->getUniqueID(), $current_groups)]);
                     }
                 }
             }
             if (!$found) {
                 // An asserted group that does not exist locally aborts the login.
                 Logger::error('main', 'Authentication SAML2: group "' . $group_name . '" not found');
                 throw new Exception();
             }
         }
         // Memberships not asserted by the IdP are revoked (IdP is authoritative).
         foreach ($current_groups as $group) {
             Logger::info('main', 'Authentication SAML2: remove group "' . $group . '" from ' . $login);
             Abstract_Liaison::delete('UsersGroup', $login, $group);
         }
     }
     $prefs = Preferences::getInstance();
     foreach ($attributes as $attribute => $value) {
         // Single-valued attributes are unwrapped from their one-element array.
         if (is_array($value) && count($value) == 1) {
             $value = $value[0];
         }
         // 'ovd.setting.' is 12 characters; the name must be exactly
         // ovd.setting.<container>.<setting> (four dot-separated parts).
         if (substr($attribute, 0, 12) == 'ovd.setting.') {
             $attribute = explode('.', $attribute);
             if (count($attribute) != 4) {
                 Logger::error('main', 'Authentication SAML2: incorrect setting : "' . implode('.', $attribute) . '"');
                 throw new Exception();
             }
             $container = $attribute[2];
             $setting = $attribute[3];
             // Only settings that already exist under general/<container> may be set;
             // this keeps the IdP from creating arbitrary preference keys.
             $session_settings_defaults = $prefs->getElements('general', $container);
             if (!array_key_exists($setting, $session_settings_defaults)) {
                 Logger::error('main', 'Authentication SAML2: setting "' . implode('.', $attribute) . '" does not exists');
                 throw new Exception();
             }
             $config_element = clone $session_settings_defaults[$setting];
             $ugp = new User_Preferences($login, 'general', $container, $setting, $config_element->content);
             Logger::info('main', 'Authentication SAML2: set setting "' . implode('.', $attribute) . '" to ' . str_replace("\n", "", print_r($value, true)));
             $ugp->value = $value;
             // Replace rather than update any existing per-user override.
             Abstract_User_Preferences::delete($login, 'general', $container, $setting);
             $ret = Abstract_User_Preferences::save($ugp);
             if (!$ret) {
                 Logger::error('main', 'Authentication SAML2: impossible to save setting "' . implode('.', $attribute) . '"');
                 throw new Exception();
             }
         }
     }
     // return true or false.. No redirection to any IdP. We must have a valid ticket at this point. No artifact method
     return $response->getNameId();
 }