/**
 * Resolve the Service Provider on whose behalf a trusted proxy is sending this AuthnRequest.
 *
 * Returns null unless the proxying SP is configured as a trusted proxy AND the request
 * was signed: the RequesterID chain is carried in the request itself, so without a
 * signature it cannot be attributed to the proxy (presumably why signing is required — confirm).
 * Each proxy appends its own RequesterID, so the originating SP is the last entry; this is
 * not specified by SAML, but it is what EngineBlock and SimpleSAMLphp do.
 *
 * @param ServiceProvider $serviceProvider the proxying SP that sent the request
 * @param EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request
 * @param MetadataRepositoryInterface $repository
 * @return null|ServiceProvider the requester's SP entry, or null when the request does not qualify
 * @throws EngineBlock_Exception_DissimilarServiceProviderWorkflowStates when the last RequesterID is unknown to the repository
 */
public static function findRequesterServiceProvider(ServiceProvider $serviceProvider, EngineBlock_Saml2_AuthnRequestAnnotationDecorator $request, MetadataRepositoryInterface $repository)
{
    // Short-circuit keeps the original order: the signature is only inspected for trusted proxies.
    $qualifies = $serviceProvider->isTrustedProxy && $request->wasSigned();
    if (!$qualifies) {
        return null;
    }

    // The originating SP is the last RequesterID (proxies append as the request passes through).
    $requesterIds = $request->getRequesterIds();
    $originEntityId = end($requesterIds);
    if (!$originEntityId) {
        // end() yields false for an empty list; an empty id disqualifies as well.
        return null;
    }

    $originEntity = $repository->findServiceProviderByEntityId($originEntityId);
    if ($originEntity) {
        return $originEntity;
    }

    throw new EngineBlock_Exception_DissimilarServiceProviderWorkflowStates($serviceProvider, $originEntityId);
}
/**
 * Build the ServiceProvider metadata for EngineBlock's own SP role.
 *
 * The entry is loaded from the repository by EngineBlock's SP metadata URL and then
 * augmented with values that cannot be set via the Service Registry (yet): the signing
 * certificate, the supported NameID formats, the requested/required attributes from the
 * attribute metadata, the full IdP allow-list and the internal consent service used for
 * response processing.
 *
 * @param MetadataRepositoryInterface $metadataRepository
 * @param EngineBlock_X509_KeyPair $keyPair key pair whose certificate is published for the SP role
 * @param EngineBlock_Corto_ProxyServer $proxyServer resolves EngineBlock's own service URLs
 * @return ServiceProvider
 * @throws EngineBlock_Corto_ProxyServer_Exception
 * @throws EngineBlock_Exception when the repository has no entry for EngineBlock's SP entity id
 */
protected function getEngineSpRole(MetadataRepositoryInterface $metadataRepository, EngineBlock_X509_KeyPair $keyPair, EngineBlock_Corto_ProxyServer $proxyServer)
{
    $ownEntityId = $proxyServer->getUrl('spMetadataService');
    $ownSp = $metadataRepository->findServiceProviderByEntityId($ownEntityId);
    if (!$ownSp) {
        throw new EngineBlock_Exception("Unable to find EngineBlock configured as Service Provider. No '{$ownEntityId}' in repository!");
    }

    $ownSp->certificates = [$keyPair->getCertificate()];
    $ownSp->supportedNameIdFormats = [
        SAML2_Const::NAMEID_PERSISTENT,
        SAML2_Const::NAMEID_TRANSIENT,
        SAML2_Const::NAMEID_UNSPECIFIED,
    ];

    // Both id lists are fetched before any RequestedAttribute is built; requested ones come
    // first in the resulting list, followed by the required ones flagged as such.
    $attributeMetadata = EngineBlock_ApplicationSingleton::getInstance()->getDiContainer()->getAttributeMetadata();
    $requestedIds = $attributeMetadata->findRequestedAttributeIds();
    $requiredIds = $attributeMetadata->findRequiredAttributeIds();

    $requested = array_values(array_map(
        function ($attributeId) {
            return new RequestedAttribute($attributeId);
        },
        $requestedIds
    ));
    $required = array_values(array_map(
        function ($attributeId) {
            return new RequestedAttribute($attributeId, true);
        },
        $requiredIds
    ));
    $ownSp->requestedAttributes = array_merge($requested, $required);

    // EngineBlock's own SP role may use every known Identity Provider.
    $ownSp->allowedIdpEntityIds = $metadataRepository->findAllIdentityProviderEntityIds();
    $ownSp->responseProcessingService = new Service($proxyServer->getUrl('provideConsentService'), 'INTERNAL');

    return $ownSp;
}