/**
 * Tests the getNameId method of the OneLogin_Saml2_Response
 * Case valid signed response, signed assertion
 *
 * The fixture simple_saml_php.xml carries a signature on both the
 * Response element and the Assertion element; the NameID must be
 * readable from it with the default test settings.
 *
 * @covers OneLogin_Saml2_Response::getNameId
 */
public function testResponseAndAssertionSigned()
{
    // Both the Response and the Assertion in this fixture are signed
    $responseXml = file_get_contents(TEST_ROOT . '/data/responses/simple_saml_php.xml');
    $encodedResponse = base64_encode($responseXml);

    $samlResponse = new OneLogin_Saml2_Response($this->_settings, $encodedResponse);

    $this->assertEquals('*****@*****.**', $samlResponse->getNameId());
}
/**
 * Tests the getNameId method of the OneLogin_Saml2_Response
 * Case valid signed response, signed assertion
 *
 * Settings are loaded from settings1.php and the IdP / SP entityIds are
 * overridden before the response is parsed (presumably so that they match
 * the Issuer and Audience of the fixture — confirm against the XML).
 *
 * @covers OneLogin_Saml2_Response::getNameId
 */
public function testResponseAndAssertionSigned()
{
    $settingsDir = TEST_ROOT . '/settings/';
    // settings1.php is expected to define $settingsInfo
    include $settingsDir . 'settings1.php';

    // Fixture-specific overrides on top of the shared settings
    $settingsInfo['idp']['entityId'] = "https://federate.example.net/saml/saml2/idp/metadata.php";
    $settingsInfo['sp']['entityId'] = "hello.com";
    $fixtureSettings = new OneLogin_Saml2_Settings($settingsInfo);

    // Both the Response and the Assertion in this fixture are signed
    $responseXml = file_get_contents(TEST_ROOT . '/data/responses/simple_saml_php.xml');
    $samlResponse = new OneLogin_Saml2_Response($fixtureSettings, base64_encode($responseXml));

    $this->assertEquals('*****@*****.**', $samlResponse->getNameId());
}
/**
 * Process the SAML Response sent by the IdP.
 *
 * Only the HTTP-POST binding is supported: the Response is read from
 * $_POST['SAMLResponse']. On a valid response the attributes and NameID
 * are stored on this object and it is marked authenticated; on an
 * invalid one 'invalid_response' is recorded in the error list instead.
 *
 * @param string $requestId The ID of the AuthNRequest sent by this SP to the IdP
 *
 * @throws OneLogin_Saml2_Error when no SAMLResponse parameter is present
 */
public function processResponse($requestId = null)
{
    $this->_errors = array();

    if (!isset($_POST) || !isset($_POST['SAMLResponse'])) {
        // No POSTed Response: nothing else (Redirect/Artifact) is accepted here
        $this->_errors[] = 'invalid_binding';
        throw new OneLogin_Saml2_Error(
            'SAML Response not found, Only supported HTTP_POST Binding',
            OneLogin_Saml2_Error::SAML_RESPONSE_NOT_FOUND
        );
    }

    // AuthnResponse -- HTTP_POST Binding
    $samlResponse = new OneLogin_Saml2_Response($this->_settings, $_POST['SAMLResponse']);

    // Validation (signature, conditions, InResponseTo vs. $requestId) happens
    // inside isValid(); nothing from the response is trusted before it passes.
    if (!$samlResponse->isValid($requestId)) {
        $this->_errors[] = 'invalid_response';
        return;
    }

    $this->_attributes = $samlResponse->getAttributes();
    $this->_nameid = $samlResponse->getNameId();
    $this->_authenticated = true;
}
/** * SAMPLE Code to demonstrate how to handle a SAML assertion response. * * The URL of this file will have been given during the SAML authorization. * After a successful authorization, the browser will be directed to this * link where it will send a certified response via $_POST. */ error_reporting(E_ALL); require_once '../_toolkit_loader.php'; try { if (isset($_POST['SAMLResponse'])) { $samlSettings = new OneLogin_Saml2_Settings(); $samlResponse = new OneLogin_Saml2_Response($samlSettings, $_POST['SAMLResponse']); if ($samlResponse->isValid()) { echo 'You are: ' . $samlResponse->getNameId() . '<br>'; $attributes = $samlResponse->getAttributes(); if (!empty($attributes)) { echo 'You have the following attributes:<br>'; echo '<table><thead><th>Name</th><th>Values</th></thead><tbody>'; foreach ($attributes as $attributeName => $attributeValues) { echo '<tr><td>' . htmlentities($attributeName) . '</td><td><ul>'; foreach ($attributeValues as $attributeValue) { echo '<li>' . htmlentities($attributeValue) . '</li>'; } echo '</ul></td></tr>'; } echo '</tbody></table>'; } } else { echo 'Invalid SAML Response';
/**
 * Tests the getNameId method of the OneLogin_Saml2_Response
 *
 * Test that the SignatureWrappingAttack is not allowed
 *
 * response4.xml.base64 is a wrapped response; judging by the expected
 * error it contains more than one Assertion. getNameId() still returns a
 * value from the document, but isValid() must reject it — callers may
 * only trust getNameId() after isValid() has returned true.
 *
 * @covers OneLogin_Saml2_Response::getNameId
 */
public function testDoesNotAllowSignatureWrappingAttack()
{
    $wrappedResponse = file_get_contents(TEST_ROOT . '/data/responses/response4.xml.base64');
    $samlResponse = new OneLogin_Saml2_Response($this->_settings, $wrappedResponse);

    // A NameID can be read out of the not-yet-validated document ...
    $nameId = $samlResponse->getNameId();
    $this->assertEquals('*****@*****.**', $nameId);

    // ... but validation has to fail on the extra assertion
    $this->assertFalse($samlResponse->isValid());
    $this->assertEquals('SAML Response must contain 1 assertion', $samlResponse->getError());
}
/**
 * Authenticate a user from the SAML2 ticket carried in the incoming request.
 *
 * Reads the text content of the <saml_ticket> node of the request, builds
 * the toolkit settings from the stored IdP preferences, validates the
 * Response, imports the user named by the NameID, then applies the
 * IdP-asserted attributes ovd.group_member and ovd.setting.* to the user.
 *
 * Returns the NameID on success, NULL when no usable ticket is present or
 * the Response is invalid/expired, and throws a bare Exception when the
 * user, a group or a setting cannot be resolved or saved.
 */
public function get_login() {
    Logger::debug('main', 'AuthMethod_SAML2::get_login()');
    $my_settings = $this->prefs->get('AuthMethod', 'SAML2');
    $saml_node = $this->user_node_request->getElementsByTagname('saml_ticket')->item(0);
    if (is_null($saml_node)) {
        Logger::error('main', 'Authentication SAML2: No incoming SAML ticket');
        return NULL;
    }
    // Take the text content of <saml_ticket>; non-text children are logged
    // and skipped, and if several text nodes exist the last one wins.
    $saml_response_ticket = NULL;
    for ($child = $saml_node->firstChild; $child != NULL; $child = $child->nextSibling) {
        if ($child->nodeType != XML_TEXT_NODE) {
            Logger::error('main', 'Authentication SAML2: node is not text');
            continue;
        }
        $saml_response_ticket = $child->wholeText;
    }
    if (is_null($saml_response_ticket)) {
        Logger::error('main', 'Authentication SAML2: No incoming SAML ticket (bad protocol)');
        return NULL;
    }
    // IdP URL, certificate fingerprint and certificate come from the stored
    // AuthMethod/SAML2 preferences, not from the request.
    $settings = $this->build_saml_settings($my_settings['idp_url'], $my_settings['idp_fingerprint'], $my_settings['idp_cert']);
    try {
        $response = new OneLogin_Saml2_Response($settings, $saml_response_ticket);
        // Buffer any debug output printed by isValid() so it can be logged.
        // NOTE(review): if isValid() throws, the catch below returns without
        // ob_end_clean(), leaving this buffer open — confirm isValid() cannot throw.
        ob_start();
        if (!$response->isValid()) {
            Logger::error('main', 'Authentication SAML2: the SAML response is not valid ' . ob_get_contents());
            ob_end_clean();
            return NULL;
        }
        ob_end_clean();
        // Rejected when (SessionNotOnOrAfter is set and already passed) OR the
        // toolkit's own timestamp check fails; && binds tighter than || here.
        $sessionExpiration = $response->getSessionNotOnOrAfter();
        if (!empty($sessionExpiration) && $sessionExpiration <= time() || !$response->validateTimestamps()) {
            Logger::error('main', 'Authentication SAML2: Session expired');
            return NULL;
        }
    } catch (Exception $e) {
        Logger::error('main', 'Authentication SAML2: ' . $e->getMessage());
        return NULL;
    }
    // From here on the Response has passed signature/condition validation,
    // so its NameID and attributes are trusted as IdP-asserted data.
    $attributes = $response->getAttributes();
    $user = $this->userDB->import($response->getNameId());
    if ($user == NULL) {  // loose comparison; also true for false/0/'' — NOTE(review)
        Logger::error('main', 'Authentication SAML2: user not found');
        throw new Exception();
    }
    $login = $user->getAttribute('login');
    // we recognize following attributes:
    // * ovd.group_member: for user group matching
    // * ovd.setting.*: for settings
    if (array_key_exists("ovd.group_member", $attributes) && is_array($attributes["ovd.group_member"])) {
        $userGroupDB = UserGroupDB::getInstance();
        $to_delete = array();  // unused
        // Group membership becomes exactly the asserted list: groups present
        // in the assertion are added, existing groups not asserted are removed.
        $current_groups = array_keys(Abstract_Liaison::loadGroups('UsersGroup', $login));
        foreach ($attributes["ovd.group_member"] as $group_name) {
            $found = false;
            // getGroupsContains() is a substring search; the exact-name check
            // below filters its result.
            list($groups, $sizelimit_exceeded) = $userGroupDB->getGroupsContains($group_name, array('name'));
            foreach ($groups as $group) {
                if ($group->name == $group_name) {  // loose comparison — NOTE(review)
                    $found = True;
                    if (!in_array($group->getUniqueID(), $current_groups)) {  // non-strict in_array — NOTE(review)
                        Logger::info('main', 'Authentication SAML2: Add user "' . $login . '" to group "' . $group->name . '"');
                        $ret = Abstract_Liaison::save('UsersGroup', $login, $group->getUniqueID());
                        if ($ret !== true) {
                            Logger::error('main', 'Authentication SAML2: Unable to add user "' . $login . '" to group "' . $group->name . '"');
                            throw new Exception();
                        }
                    } else {
                        // Already a member: keep it by taking it off the removal list
                        unset($current_groups[array_search($group->getUniqueID(), $current_groups)]);
                    }
                }
            }
            // An asserted group that does not exist locally aborts the login
            if (!$found) {
                Logger::error('main', 'Authentication SAML2: group "' . $group_name . '" not found');
                throw new Exception();
            }
        }
        // Whatever is left was not asserted by the IdP: drop the membership
        foreach ($current_groups as $group) {
            Logger::info('main', 'Authentication SAML2: remove group "' . $group . '" from ' . $login);
            Abstract_Liaison::delete('UsersGroup', $login, $group);
        }
    }
    $prefs = Preferences::getInstance();
    foreach ($attributes as $attribute => $value) {
        // Single-valued attributes arrive as a one-element array; unwrap them
        if (is_array($value) && count($value) == 1) {
            $value = $value[0];
        }
        // 'ovd.setting.' is 12 bytes; expected shape is ovd.setting.<container>.<setting>
        if (substr($attribute, 0, 12) == 'ovd.setting.') {
            $attribute = explode('.', $attribute);
            if (count($attribute) != 4) {
                Logger::error('main', 'Authentication SAML2: incorrect setting : "' . implode('.', $attribute) . '"');
                throw new Exception();
            }
            $container = $attribute[2];
            $setting = $attribute[3];
            // Only settings that already exist under general/<container> may be set
            $session_settings_defaults = $prefs->getElements('general', $container);
            if (!array_key_exists($setting, $session_settings_defaults)) {
                Logger::error('main', 'Authentication SAML2: setting "' . implode('.', $attribute) . '" does not exists');
                throw new Exception();
            }
            $config_element = clone $session_settings_defaults[$setting];
            $ugp = new User_Preferences($login, 'general', $container, $setting, $config_element->content);
            Logger::info('main', 'Authentication SAML2: set setting "' . implode('.', $attribute) . '" to ' . str_replace("\n", "", print_r($value, true)));
            $ugp->value = $value;
            // Replace any previous per-user value rather than update it in place
            Abstract_User_Preferences::delete($login, 'general', $container, $setting);
            $ret = Abstract_User_Preferences::save($ugp);
            if (!$ret) {
                Logger::error('main', 'Authentication SAML2: impossible to save setting "' . implode('.', $attribute) . '"');
                throw new Exception();
            }
        }
    }
    // Returns the NameID (not a boolean). No redirection to any IdP: a valid
    // ticket must already be present at this point. No artifact method.
    return $response->getNameId();
}