/** * Get the NameID value. * * @param array $state The state array. * @return string|null The NameID value. */ protected function getValue(array &$state) { if (!isset($state['Destination']['entityid'])) { SimpleSAML\Logger::warning('No SP entity ID - not generating persistent NameID.'); return null; } $spEntityId = $state['Destination']['entityid']; if (!isset($state['Source']['entityid'])) { SimpleSAML\Logger::warning('No IdP entity ID - not generating persistent NameID.'); return null; } $idpEntityId = $state['Source']['entityid']; if (!isset($state['Attributes'][$this->attribute]) || count($state['Attributes'][$this->attribute]) === 0) { SimpleSAML\Logger::warning('Missing attribute ' . var_export($this->attribute, true) . ' on user - not generating persistent NameID.'); return null; } if (count($state['Attributes'][$this->attribute]) > 1) { SimpleSAML\Logger::warning('More than one value in attribute ' . var_export($this->attribute, true) . ' on user - not generating persistent NameID.'); return null; } $uid = array_values($state['Attributes'][$this->attribute]); // just in case the first index is no longer 0 $uid = $uid[0]; if (empty($uid)) { SimpleSAML\Logger::warning('Empty value in attribute ' . var_export($this->attribute, true) . ' on user - not generating persistent NameID.'); return null; } $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); $uidData = 'uidhashbase' . $secretSalt; $uidData .= strlen($idpEntityId) . ':' . $idpEntityId; $uidData .= strlen($spEntityId) . ':' . $spEntityId; $uidData .= strlen($uid) . ':' . $uid; $uidData .= $secretSalt; return sha1($uidData); }
/** * @param $secretSalt Must be random and unique per installation * @param $lifeTime Token lifetime in seconds * @param $skew Allowed time skew between server that generates and the one that calculates the token */ public function __construct($lifetime = 900, $secretSalt = NULL, $skew = 1) { if ($secretSalt === NULL) { $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); } $this->secretSalt = $secretSalt; $this->lifetime = $lifetime; $this->skew = $skew; }
/** * Calculate the NameID value that should be used. * * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. * @param SimpleSAML_Configuration $dstMetadata The metadata of the SP. * @param array &$state The authentication state of the user. * @return string The NameID value. */ private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, array &$state) { $attribute = $spMetadata->getString('simplesaml.nameidattribute', NULL); if ($attribute === NULL) { $attribute = $idpMetadata->getString('simplesaml.nameidattribute', NULL); if ($attribute === NULL) { if (!isset($state['UserID'])) { SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.'); } $attributeValue = $state['UserID']; $idpEntityId = $idpMetadata->getString('entityid'); $spEntityId = $spMetadata->getString('entityid'); $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); $uidData = 'uidhashbase' . $secretSalt; $uidData .= strlen($idpEntityId) . ':' . $idpEntityId; $uidData .= strlen($spEntityId) . ':' . $spEntityId; $uidData .= strlen($attributeValue) . ':' . $attributeValue; $uidData .= $secretSalt; return hash('sha1', $uidData); } } $attributes = $state['Attributes']; if (!array_key_exists($attribute, $attributes)) { SimpleSAML_Logger::error('Unable to add NameID: Missing ' . var_export($attribute, TRUE) . ' in the attributes of the user.'); return NULL; } return $attributes[$attribute][0]; }
/** * Generate a unique targeted identifier * * @param string $userid The user id * @param string $source The source id * @param string $destination The destination id * * @return string SHA1 of the user id, source id, destination id and salt */ public static function getTargetedID($userid, $source, $destination) { return hash('sha1', $userid . '|' . SimpleSAML\Utils\Config::getSecretSalt() . '|' . $source . '|' . $destination); }
/** * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\Config::getSecretSalt() instead. */ public static function getSecretSalt() { return SimpleSAML\Utils\Config::getSecretSalt(); }
/** * Apply filter to add the targeted ID. * * @param array &$state The current state. */ public function process(&$state) { assert('is_array($state)'); assert('array_key_exists("Attributes", $state)'); if ($this->attribute === NULL) { if (!array_key_exists('UserID', $state)) { throw new Exception('core:TargetedID: Missing UserID for this user. Please' . ' check the \'userid.attribute\' option in the metadata against the' . ' attributes provided by the authentication source.'); } $userID = $state['UserID']; } else { if (!array_key_exists($this->attribute, $state['Attributes'])) { throw new Exception('core:TargetedID: Missing attribute \'' . $this->attribute . '\', which is needed to generate the targeted ID.'); } $userID = $state['Attributes'][$this->attribute][0]; } $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); if (array_key_exists('Source', $state)) { $srcID = self::getEntityId($state['Source']); } else { $srcID = ''; } if (array_key_exists('Destination', $state)) { $dstID = self::getEntityId($state['Destination']); } else { $dstID = ''; } $uidData = 'uidhashbase' . $secretSalt; $uidData .= strlen($srcID) . ':' . $srcID; $uidData .= strlen($dstID) . ':' . $dstID; $uidData .= strlen($userID) . ':' . $userID; $uidData .= $secretSalt; $uid = hash('sha1', $uidData); if ($this->generateNameId) { /* Convert the targeted ID to a SAML 2.0 name identifier element. */ $nameId = array('Format' => SAML2_Const::NAMEID_PERSISTENT, 'Value' => $uid); if (isset($state['Source']['entityid'])) { $nameId['NameQualifier'] = $state['Source']['entityid']; } if (isset($state['Destination']['entityid'])) { $nameId['SPNameQualifier'] = $state['Destination']['entityid']; } $doc = new DOMDocument(); $root = $doc->createElement('root'); $doc->appendChild($root); SAML2_Utils::addNameId($root, $nameId); $uid = $doc->saveXML($root->firstChild); } $state['Attributes']['eduPersonTargetedID'] = array($uid); }
/** * Calculate a signature of some data. * * This function calculates a signature of the data. * * @param string $data The data which should be signed. * * @return string The signed data. */ private static function _sign($data) { assert('is_string($data)'); $secretSalt = SimpleSAML\Utils\Config::getSecretSalt(); return sha1($secretSalt . $data . $secretSalt) . ':' . $data; }