/**
* @param SAML2_AuthnRequest $authnRequest
* @param SimpleSAML_Configuration $idpConfig
* @param $nameId
* @param $issuer
* @param array $attributes
* @return SAML2_Response
*/
public function create(SAML2_AuthnRequest $authnRequest, SimpleSAML_Configuration $idpConfig, $nameId, $issuer, array $attributes)
{
/* $returnAttributes contains the attributes we should return. Send them. */
$assertion = new SAML2_Assertion();
$assertion->setIssuer($issuer);
$assertion->setNameId(array('Value' => $nameId, 'Format' => SAML2_Const::NAMEID_UNSPECIFIED));
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time() + 5 * 60);
// Valid audiences is not required so disabled for now
// $assertion->setValidAudiences(array($authnRequest->getIssuer()));
$assertion->setAttributes($attributes);
$assertion->setAttributeNameFormat(SAML2_Const::NAMEFORMAT_UNSPECIFIED);
$assertion->setAuthnContext(SAML2_Const::AC_PASSWORD);
$subjectConfirmation = new SAML2_XML_saml_SubjectConfirmation();
$subjectConfirmation->Method = SAML2_Const::CM_BEARER;
$subjectConfirmation->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$subjectConfirmation->SubjectConfirmationData->NotOnOrAfter = time() + 5 * 60;
$subjectConfirmation->SubjectConfirmationData->Recipient = $authnRequest->getAssertionConsumerServiceURL();
$subjectConfirmation->SubjectConfirmationData->InResponseTo = $authnRequest->getId();
$assertion->setSubjectConfirmation(array($subjectConfirmation));
$response = new SAML2_Response();
$response->setRelayState($authnRequest->getRelayState());
$response->setDestination($authnRequest->getAssertionConsumerServiceURL());
$response->setIssuer($issuer);
$response->setInResponseTo($authnRequest->getId());
$response->setAssertions(array($assertion));
$this->addSigns($response, $idpConfig);
return $response;
}
public function setUp()
{
$this->request = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator(new SAML2_AuthnRequest());
$assertion = new SAML2_Assertion();
$assertion->setAttributes(array());
$response = new SAML2_Response();
$response->setAssertions(array($assertion));
$response = new EngineBlock_Saml2_ResponseAnnotationDecorator($response);
$response->setIntendedNameId('urn:collab:person:example.edu:mock1');
$this->response = $response;
$this->serviceProvider = new ServiceProvider('http://sp.example.edu');
$this->collabPersonId = 'urn:collab:person:example.edu:mock1';
$this->resolver = new EngineBlock_Test_Saml2_NameIdResolverMock();
}
}
/* Filter which attribute values we should return. */
$returnAttributes[$name] = array_intersect($values, $attributes[$name]);
}
}
/* $returnAttributes contains the attributes we should return. Send them. */
$assertion = new SAML2_Assertion();
$assertion->setIssuer($idpEntityId);
$assertion->setNameId($query->getNameId());
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time() + 5 * 60);
$assertion->setValidAudiences(array($spEntityId));
$assertion->setAttributes($returnAttributes);
$assertion->setAttributeNameFormat($attributeNameFormat);
$sc = new SAML2_XML_saml_SubjectConfirmation();
$sc->Method = SAML2_Const::CM_BEARER;
$sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$sc->SubjectConfirmationData->NotOnOrAfter = time() + 5 * 60;
$sc->SubjectConfirmationData->Recipient = $endpoint;
$sc->SubjectConfirmationData->InResponseTo = $query->getId();
$assertion->setSubjectConfirmation(array($sc));
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $assertion);
$response = new SAML2_Response();
$response->setRelayState($query->getRelayState());
$response->setDestination($endpoint);
$response->setIssuer($idpEntityId);
$response->setInResponseTo($query->getId());
$response->setAssertions(array($assertion));
sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $response);
$binding = new SAML2_HTTPPost();
$binding->send($response);
private function buildResponse($returnAttributes)
{
/* SubjectConfirmation */
$sc = new SAML2_XML_saml_SubjectConfirmation();
$sc->Method = SAML2_Const::CM_BEARER;
$sc->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData();
$sc->SubjectConfirmationData->NotBefore = time();
$sc->SubjectConfirmationData->NotOnOrAfter = time() + $this->config->getInteger('validFor');
$sc->SubjectConfirmationData->InResponseTo = $this->query->getId();
$assertion = new SAML2_Assertion();
$assertion->setSubjectConfirmation(array($sc));
$assertion->setIssuer($this->aaEntityId);
$assertion->setNameId($this->query->getNameId());
$assertion->setNotBefore(time());
$assertion->setNotOnOrAfter(time() + $this->config->getInteger('validFor'));
$assertion->setValidAudiences(array($this->spEntityId));
$assertion->setAttributes($returnAttributes);
$assertion->setAttributeNameFormat($this->attributeNameFormat);
if ($this->signAssertion) {
sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $assertion);
}
/* The Response */
$response = new SAML2_Response();
$response->setRelayState($this->query->getRelayState());
$response->setIssuer($this->aaEntityId);
$response->setInResponseTo($this->query->getId());
$response->setAssertions(array($assertion));
if ($this->signResponse) {
sspmod_saml_Message::addSign($this->aaMetadata, $this->spMetadata, $response);
}
return $response;
}
/**
* @return SAML2_Response
*/
private function getUnsignedResponseWithSignedAssertion()
{
$doc = new DOMDocument();
$doc->load(__DIR__ . '/response.xml');
$response = new SAML2_Response($doc->firstChild);
$assertions = $response->getAssertions();
$assertion = $assertions[0];
$assertion->setSignatureKey(SAML2_CertificatesMock::getPrivateKey());
$assertion->setCertificates(array(SAML2_CertificatesMock::PUBLIC_KEY_PEM));
$signedAssertion = new SAML2_Assertion($assertion->toXML());
$response->setAssertions(array($signedAssertion));
return $response;
}
/**
* @return EngineBlock_Corto_Module_Bindings
*/
private function mockBindingsModule()
{
$spRequest = new SAML2_AuthnRequest();
$spRequest->setId('SPREQUEST');
$spRequest->setIssuer('testSp');
$spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
$ebRequest = new SAML2_AuthnRequest();
$ebRequest->setId('EBREQUEST');
$ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
$dummyLog = new Psr\Log\NullLogger();
$authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummyLog);
$authnRequestRepository->store($spRequest);
$authnRequestRepository->store($ebRequest);
$authnRequestRepository->link($ebRequest, $spRequest);
$assertion = new SAML2_Assertion();
$assertion->setAttributes(array('urn:org:openconext:corto:internal:sp-entity-id' => array('testSp'), 'urn:mace:dir:attribute-def:cn' => array(null)));
$responseFixture = new SAML2_Response();
$responseFixture->setInResponseTo('EBREQUEST');
$responseFixture->setAssertions(array($assertion));
$responseFixture = new EngineBlock_Saml2_ResponseAnnotationDecorator($responseFixture);
$responseFixture->setOriginalIssuer('testIdP');
// Mock bindings module
/** @var EngineBlock_Corto_Module_Bindings $bindingsModuleMock */
$bindingsModuleMock = Phake::mock('EngineBlock_Corto_Module_Bindings');
Phake::when($bindingsModuleMock)->receiveResponse()->thenReturn($responseFixture);
return $bindingsModuleMock;
}
private function mockGlobals()
{
$_POST['ID'] = 'test';
$_POST['consent'] = 'yes';
$assertion = new SAML2_Assertion();
$assertion->setAttributes(array('urn:mace:dir:attribute-def:mail' => '*****@*****.**'));
$spRequest = new SAML2_AuthnRequest();
$spRequest->setId('SPREQUEST');
$spRequest->setIssuer('https://sp.example.edu');
$spRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($spRequest);
$ebRequest = new SAML2_AuthnRequest();
$ebRequest->setId('EBREQUEST');
$ebRequest = new EngineBlock_Saml2_AuthnRequestAnnotationDecorator($ebRequest);
$dummySessionLog = new Psr\Log\NullLogger();
$authnRequestRepository = new EngineBlock_Saml2_AuthnRequestSessionRepository($dummySessionLog);
$authnRequestRepository->store($spRequest);
$authnRequestRepository->store($ebRequest);
$authnRequestRepository->link($ebRequest, $spRequest);
$sspResponse = new SAML2_Response();
$sspResponse->setInResponseTo('EBREQUEST');
$sspResponse->setAssertions(array($assertion));
$_SESSION['consent']['test']['response'] = new EngineBlock_Saml2_ResponseAnnotationDecorator($sspResponse);
}
private static function combine_response(array $values, \SAML2_Response $response = NULL)
{
if (!isset($response)) {
$response = new \SAML2_Response();
}
$presented_assertions = $response->getAssertions();
$assertion = empty($presented_assertions) ? new \SAML2_Assertion() : $presented_assertions[0];
if (self::original_spid_isset($values)) {
$response->setInResponseTo($values['InResponseTo']);
}
if (array_key_exists('ResponseID', $values)) {
$response->setId($values['ResponseID']);
}
if (array_key_exists('AssertionID', $values)) {
$assertion->setId($values['AssertionID']);
}
if (array_key_exists('Issuer', $values)) {
$response->setIssuer($values['Issuer']);
$assertion->setIssuer($values['Issuer']);
}
if (array_key_exists('NameID', $values)) {
$assertion->setNameId(self::build_name_id($values['NameID']));
}
$not_on_or_after_time = time();
if (array_key_exists('AllowedTimeDelta', $values)) {
$not_on_or_after_time += $values['AllowedTimeDelta'];
$assertion->setNotBefore(time() - $values['AllowedTimeDelta']);
$assertion->setNotOnOrAfter($not_on_or_after_time);
} else {
$not_on_or_after_time += DEFAULT_RESPONSE_TIME_DELTA;
}
if (array_key_exists('Audience', $values)) {
$assertion->setValidAudiences(array($values['Audience']));
}
if (array_key_exists('Attributes', $values)) {
$assertion->setAttributes($values['Attributes']);
}
$assertion->setAuthnInstant(time());
if (array_key_exists('AuthnContextClassRef', $values)) {
$assertion->setAuthnContextClassRef($values['AuthnContextClassRef']);
}
if (array_key_exists('SessionIndex', $values)) {
$assertion->setSessionIndex($values['SessionIndex']);
}
if (self::original_spid_isset($values) || array_key_exists('Destination', $values)) {
$original_confirmations = $assertion->getSubjectConfirmation();
$confirmation = NULL;
if (empty($original_confirmations)) {
$confirmation = new \SAML2_XML_saml_SubjectConfirmation();
$confirmation->Method = SAML_CONFIGURATION_METHOD;
} else {
$confirmation = $original_confirmations[0];
}
$original_data = $confirmation->SubjectConfirmationData;
$data = NULL;
if (empty($original_data)) {
$data = new \SAML2_XML_saml_SubjectConfirmationData();
$data->NotOnOrAfter = $not_on_or_after_time;
} else {
$data = $original_data;
if (empty($data->NotOnOrAfter)) {
$data->NotOnOrAfter = $not_on_or_after_time;
}
}
if (array_key_exists('Destination', $values)) {
$data->Recipient = $values['Destination'];
}
if (self::original_spid_isset($values)) {
$data->InResponseTo = $values['InResponseTo'];
}
$confirmation->SubjectConfirmationData = $data;
$assertion->setSubjectConfirmation(array($confirmation));
}
if (array_key_exists('Destination', $values)) {
$response->setDestination($values['Destination']);
}
if (self::need_sign($values)) {
if (array_key_exists('SHA256KeyFile', $values)) {
$ekey = new \XMLSecurityKey(\XMLSecurityKey::RSA_SHA256, array('type' => 'private'));
$ekey->loadKey($values['SHA256KeyFile'], true);
if (self::need_sign_attributes($values)) {
$assertion->setSignatureKey($ekey);
}
if (self::need_sign_message($values)) {
$response->setSignatureKey($ekey);
}
}
if (array_key_exists('SHA256CertFile', $values)) {
$certifictaes = array(file_get_contents($values['SHA256CertFile']));
if (self::need_sign_attributes($values)) {
$assertion->setCertificates($certifictaes);
}
if (self::need_sign_message($values)) {
$response->setCertificates($certifictaes);
}
}
}
$response->setAssertions(array($assertion));
return $response;
}
