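/**
 * Checks that the configured Service Provider is among the assertion's
 * intended audiences (saml:AudienceRestriction/saml:Audience).
 *
 * An assertion carrying no AudienceRestriction (getValidAudiences() === NULL)
 * is left alone: it is not scoped to any audience, so there is nothing to
 * check. An assertion that does restrict its audience must list this SP's
 * entityID verbatim; otherwise an error is recorded on $result.
 *
 * @param SAML2_Assertion                   $assertion the assertion under validation
 * @param SAML2_Assertion_Validation_Result $result    collects validation errors
 *
 * @return void
 */
public function validate(SAML2_Assertion $assertion, SAML2_Assertion_Validation_Result $result)
{
    $intendedAudiences = $assertion->getValidAudiences();
    if ($intendedAudiences === NULL) {
        // No AudienceRestriction in the assertion: nothing to validate.
        return;
    }

    $entityId = $this->serviceProvider->getEntityId();

    // Strict comparison on purpose: entityIDs are opaque strings, and PHP's
    // loose == treats numeric-looking strings such as "1e3" and "1000" as
    // equal, which could let an assertion issued for another audience pass.
    // A NULL / unset entityID also fails closed here instead of matching.
    if (!in_array($entityId, $intendedAudiences, TRUE)) {
        $result->addError(sprintf(
            'The configured Service Provider [%s] is not a valid audience for the assertion. Audiences: [%s]',
            $entityId,
            implode('], [', $intendedAudiences)
        ));
    }
}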
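/**
 * Validates a SAML token and returns the claims it carries.
 *
 * Steps performed, in order:
 *   1. parse the raw token into its components via parseToken();
 *   2. build the SAML2_Assertion and check the thumbprint of the first
 *      embedded certificate (validateCertificateThumbprint());
 *   3. optionally validate the issuer, when $this->validateIssuer is set;
 *   4. optionally validate the audiences together with the assertion's
 *      NotBefore / NotOnOrAfter bounds, when $this->validateAudiences is set.
 *
 * NOTE(review): no signature verification is visible in this method; it is
 * presumably performed inside parseToken() or validateCertificateThumbprint()
 * -- confirm before treating the thumbprint check as sufficient. Only
 * $certificates[0] is checked; if the signature could be verified against a
 * different embedded certificate, that would need to be covered too.
 *
 * NOTE(review): NotBefore / NotOnOrAfter are only handed to
 * validateAudiences(), so the validity window appears to go unchecked when
 * audience validation is disabled -- confirm that is intended.
 *
 * @param mixed $token the raw token, in whatever form parseToken() accepts
 *
 * @return mixed the claims extracted from the parsed token (getClaims())
 *
 * @throws \UnexpectedValueException when the assertion embeds no certificate
 */
public function validate($token)
{
    $data = $this->parseToken($token);

    // validate digest and thumbprint
    $assertion = new SAML2_Assertion($data['Assertion']);
    $certificates = $assertion->getCertificates();

    // Fail closed. Previously an assertion without an embedded certificate
    // raised an "undefined offset 0" notice and passed NULL on to the
    // thumbprint check, leaving acceptance up to how that method treats NULL.
    if (empty($certificates) || !isset($certificates[0])) {
        throw new \UnexpectedValueException(
            'The assertion does not contain a certificate to validate the thumbprint against.'
        );
    }
    $this->validateCertificateThumbprint($certificates[0]);

    // validate issuer
    if ($this->validateIssuer) {
        $this->validateIssuer($assertion->getIssuer());
    }

    // validate audiences (and, through the same call, the validity window)
    if ($this->validateAudiences) {
        $this->validateAudiences(
            $assertion->getValidAudiences(),
            $assertion->getNotBefore(),
            $assertion->getNotOnOrAfter()
        );
    }

    return $this->getClaims($data);
}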
/**
 * Unmarshals a minimal saml:Assertion and checks that both the Audience
 * values and the AuthenticatingAuthority values are read back in document
 * order.
 */
public function testUnmarshalling()
{
    $xml = <<<XML
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_593e33ddf86449ce4d4c22b60ac48e067d98a0b2bf"
                Version="2.0"
                IssueInstant="2010-03-05T13:34:28Z">
  <saml:Issuer>testIssuer</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>audience1</saml:Audience>
      <saml:Audience>audience2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-03-05T13:34:28Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>someAuthnContext</saml:AuthnContextClassRef>
      <saml:AuthenticatingAuthority>someIdP1</saml:AuthenticatingAuthority>
      <saml:AuthenticatingAuthority>someIdP2</saml:AuthenticatingAuthority>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
XML;

    $dom = new \DOMDocument();
    $dom->loadXML($xml);
    $parsed = new \SAML2_Assertion($dom->firstChild);

    // Audience values must come back complete and in document order.
    $expectedAudiences = array('audience1', 'audience2');
    $audiences = $parsed->getValidAudiences();
    $this->assertCount(count($expectedAudiences), $audiences);
    foreach ($expectedAudiences as $index => $expected) {
        $this->assertEquals($expected, $audiences[$index]);
    }

    // The same holds for the AuthenticatingAuthority values.
    $expectedAuthorities = array('someIdP1', 'someIdP2');
    $authorities = $parsed->getAuthenticatingAuthority();
    $this->assertCount(count($expectedAuthorities), $authorities);
    foreach ($expectedAuthorities as $index => $expected) {
        $this->assertEquals($expected, $authorities[$index]);
    }
}