/**
 * Reject an assertion whose NotBefore condition lies in the future.
 *
 * A 60-second allowance is applied before an error is raised, so small
 * clock differences between IdP and SP do not fail otherwise valid
 * assertions (the error text itself points at clock synchronization).
 * An absent NotBefore (null/0 under the truthiness test) yields no error.
 *
 * @param Assertion $assertion The assertion under validation.
 * @param Result    $result    Collects validation errors.
 */
public function validate(Assertion $assertion, Result $result)
{
    $validFrom = $assertion->getNotBefore();
    if (!$validFrom) {
        // Nothing to check when the condition is not present.
        return;
    }

    $latestAcceptableStart = Temporal::getTime() + 60;
    if ($validFrom > $latestAcceptableStart) {
        $result->addError('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
    }
}
/**
 * Reject a SubjectConfirmation whose SubjectConfirmationData NotBefore lies in the future.
 *
 * A 60-second allowance covers small clock differences between IdP and SP.
 * An absent NotBefore (null/0 under the truthiness test) yields no error.
 * Assumes SubjectConfirmationData is set on the element — not checked here.
 *
 * @param SubjectConfirmation $subjectConfirmation The element under validation.
 * @param Result              $result              Collects validation errors.
 */
public function validate(SubjectConfirmation $subjectConfirmation, Result $result)
{
    $validFrom = $subjectConfirmation->SubjectConfirmationData->NotBefore;
    if (!$validFrom) {
        return;
    }

    $latestAcceptableStart = Temporal::getTime() + 60;
    if ($validFrom > $latestAcceptableStart) {
        $result->addError('NotBefore in SubjectConfirmationData is in the future');
    }
}
/**
 * Reject a SubjectConfirmation whose SubjectConfirmationData NotOnOrAfter has passed.
 *
 * The comparison uses "now - 60", so a value that expired less than 60
 * seconds ago is still accepted; this is the clock-skew allowance between
 * IdP and SP. An absent NotOnOrAfter (null/0 under the truthiness test)
 * yields no error. Assumes SubjectConfirmationData is set — not checked here.
 *
 * @param SubjectConfirmation $subjectConfirmation The element under validation.
 * @param Result              $result              Collects validation errors.
 */
public function validate(SubjectConfirmation $subjectConfirmation, Result $result)
{
    $validUntil = $subjectConfirmation->SubjectConfirmationData->NotOnOrAfter;
    if (!$validUntil) {
        return;
    }

    $earliestAcceptableEnd = Temporal::getTime() - 60;
    if ($validUntil <= $earliestAcceptableEnd) {
        $result->addError('NotOnOrAfter in SubjectConfirmationData is in the past');
    }
}
/**
 * Reject an assertion whose NotOnOrAfter condition has passed.
 *
 * The comparison uses "now - 60": an assertion that expired less than 60
 * seconds ago is still accepted, as an allowance for clock skew between
 * IdP and SP. An absent NotOnOrAfter (null/0 under the truthiness test)
 * yields no error.
 *
 * @param Assertion $assertion The assertion under validation.
 * @param Result    $result    Collects validation errors.
 */
public function validate(Assertion $assertion, Result $result)
{
    $validUntil = $assertion->getNotOnOrAfter();
    if (!$validUntil) {
        return;
    }

    $earliestAcceptableEnd = Temporal::getTime() - 60;
    if ($validUntil <= $earliestAcceptableEnd) {
        $result->addError('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
    }
}
/**
 * Reject an assertion whose SessionNotOnOrAfter has passed.
 *
 * The current time is read once, up front, and compared with a 60-second
 * allowance: a session that ended less than 60 seconds ago is still
 * accepted, covering clock skew between IdP and SP. An absent
 * SessionNotOnOrAfter (null/0 under the truthiness test) yields no error.
 *
 * @param Assertion $assertion The assertion under validation.
 * @param Result    $result    Collects validation errors.
 */
public function validate(Assertion $assertion, Result $result)
{
    $sessionEnd = $assertion->getSessionNotOnOrAfter();
    $now = Temporal::getTime();

    $expired = $sessionEnd && $sessionEnd <= $now - 60;
    if ($expired) {
        $result->addError('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
    }
}
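/**
 * Create the redirect URL for a message.
 *
 * Builds a SAML 2.0 type-4 artifact for the message, stores the unsigned
 * message XML under that artifact so the receiving party can resolve it,
 * and returns the destination URL with the artifact (and RelayState, when
 * present) appended as query parameters.
 *
 * @param \SAML2\Message $message The message.
 * @return string The URL the user should be redirected to in order to send a message.
 * @throws \Exception If no datastore is configured.
 */
public function getRedirectURL(Message $message)
{
    $store = SimpleSAML_Store::getInstance();
    if ($store === false) {
        throw new \Exception('Unable to send artifact without a datastore configured.');
    }

    // 20-byte random MessageHandle. The hex round-trip is an identity if
    // generateRandomBytes() returns raw bytes — kept as-is, TODO confirm.
    $messageHandle = pack(
        'H*',
        (string) SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(20))
    );

    // SAML 2.0 Bindings, "Artifact Format": a 2-byte TypeCode (0x0004) and a
    // 2-byte EndpointIndex (0) precede the 20-byte SourceID (SHA-1 of the
    // issuer) and the 20-byte MessageHandle. Without this prefix the
    // artifact is only 40 bytes and is not a well-formed type-4 artifact.
    $typeCodeAndEndpointIndex = "\x00\x04\x00\x00";
    $sourceId = sha1($message->getIssuer(), true);
    $artifact = base64_encode($typeCodeAndEndpointIndex . $sourceId . $messageHandle);

    $messageElement = $message->toUnsignedXML();
    $messageXml = $messageElement->ownerDocument->saveXML($messageElement);

    // The stored copy is only needed until the artifact is resolved; let it expire after 15 minutes.
    $store->set('artifact', $artifact, $messageXml, Temporal::getTime() + 15 * 60);

    $params = array('SAMLart' => $artifact);
    $relayState = $message->getRelayState();
    if ($relayState !== null) {
        $params['RelayState'] = $relayState;
    }

    return SimpleSAML_Utilities::addURLparameter($message->getDestination(), $params);
}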
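/**
 * Initialize a message.
 *
 * This constructor takes an optional parameter with a \DOMElement. If this
 * parameter is given, the message will be initialized with data from that
 * XML element.
 *
 * If no XML element is given, the message is initialized with suitable
 * default values.
 *
 * From an element, the ID, Version ('2.0' only) and IssueInstant attributes
 * are required; Destination, Consent, <saml:Issuer> and Extensions are
 * optional. Signature information found by Utils::validateElement() is only
 * recorded (certificates plus a validator callback) for verification later.
 *
 * @param string $tagName The tag name of the root element.
 * @param \DOMElement|null $xml The input message.
 * @throws \Exception If the ID attribute is missing or the Version is not '2.0'.
 */
protected function __construct($tagName, \DOMElement $xml = null)
{
    // Expression form: string-argument assert() was deprecated in PHP 7.2 and removed in 8.0.
    assert(is_string($tagName));

    $this->tagName = $tagName;
    $this->id = Utils::getContainer()->generateId();
    $this->issueInstant = Temporal::getTime();
    $this->certificates = array();
    $this->validators = array();

    if ($xml === null) {
        return;
    }

    if (!$xml->hasAttribute('ID')) {
        throw new \Exception('Missing ID attribute on SAML message.');
    }
    $this->id = $xml->getAttribute('ID');

    if ($xml->getAttribute('Version') !== '2.0') {
        /* Currently a very strict check. */
        throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
    }

    $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    if ($xml->hasAttribute('Destination')) {
        $this->destination = $xml->getAttribute('Destination');
    }
    if ($xml->hasAttribute('Consent')) {
        $this->consent = $xml->getAttribute('Consent');
    }

    $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (!empty($issuer)) {
        $this->issuer = trim($issuer[0]->textContent);
    }

    /*
     * Record the signature element of the message, if any.
     *
     * NOTE(review): every exception from validateElement() is swallowed, so a
     * malformed or non-validating signature leaves the message looking
     * unsigned (empty certificates, no validators). Callers that require a
     * signature must check for its presence themselves; construction does
     * not reject a bad one.
     */
    try {
        $sig = Utils::validateElement($xml);
        if ($sig !== false) {
            $this->messageContainedSignatureUponConstruction = true;
            $this->certificates = $sig['Certificates'];
            $this->validators[] = array(
                'Function' => array('\\SAML2\\Utils', 'validateSignature'),
                'Data' => $sig,
            );
        }
    } catch (\Exception $e) {
        /* Ignore signature validation errors. */
    }

    $this->extensions = Extensions::getList($xml);
}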
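/**
 * Initialize a message.
 *
 * This constructor takes an optional parameter with a \DOMElement. If this
 * parameter is given, the message will be initialized with data from that
 * XML element.
 *
 * If no XML element is given, the message is initialized with suitable
 * default values.
 *
 * From an element, the ID, Version ('2.0' only) and IssueInstant attributes
 * are required; Destination, Consent, <saml:Issuer> and Extensions are
 * optional. An entity-format Issuer is collapsed to its string value; any
 * other format is kept as the Issuer object. Signature handling is
 * delegated to validateSignature(), which is not visible here.
 *
 * @param string $tagName The tag name of the root element
 * @param \DOMElement|null $xml The input message
 *
 * @throws \Exception If the ID attribute is missing or the Version is not '2.0'
 */
protected function __construct($tagName, \DOMElement $xml = null)
{
    // Expression form: string-argument assert() was deprecated in PHP 7.2 and removed in 8.0.
    assert(is_string($tagName));

    $this->tagName = $tagName;
    $this->id = Utils::getContainer()->generateId();
    $this->issueInstant = Temporal::getTime();
    $this->certificates = array();
    $this->validators = array();

    if ($xml === null) {
        return;
    }

    if (!$xml->hasAttribute('ID')) {
        throw new \Exception('Missing ID attribute on SAML message.');
    }
    $this->id = $xml->getAttribute('ID');

    if ($xml->getAttribute('Version') !== '2.0') {
        /* Currently a very strict check. */
        throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
    }

    $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    if ($xml->hasAttribute('Destination')) {
        $this->destination = $xml->getAttribute('Destination');
    }
    if ($xml->hasAttribute('Consent')) {
        $this->consent = $xml->getAttribute('Consent');
    }

    $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (!empty($issuer)) {
        $this->issuer = new XML\saml\Issuer($issuer[0]);
        // Entity-format issuers are exposed as a plain string, matching the
        // common case of an entityID; other formats keep the full object.
        if ($this->issuer->Format === Constants::NAMEID_ENTITY) {
            $this->issuer = $this->issuer->value;
        }
    }

    // NOTE(review): whether a failing signature is rejected or merely left
    // unrecorded is decided inside validateSignature() — confirm callers
    // that require a signature check for its presence afterwards.
    $this->validateSignature($xml);

    $this->extensions = Extensions::getList($xml);
}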
/**
 * Constructor for SAML 2 assertions.
 *
 * Without an element, the assertion gets a fresh ID, the current time as
 * IssueInstant and AuthnInstant, an empty issuer, the unspecified name
 * format and empty collections. With an element, the ID and Version
 * ('2.0' only) attributes and a <saml:Issuer> child are mandatory;
 * IssueInstant is converted from xs:dateTime, an entity-format Issuer is
 * collapsed to its string value, and the remaining parts are handed to the
 * parse*() helpers in a fixed order, signature last.
 *
 * @param \DOMElement|null $xml The input assertion.
 * @throws \Exception On a missing ID, an unsupported Version or a missing Issuer.
 */
public function __construct(\DOMElement $xml = null)
{
    // Defaults for a freshly built assertion; overwritten below when parsing.
    $this->id = Utils::getContainer()->generateId();
    $this->issueInstant = Temporal::getTime();
    $this->issuer = '';
    $this->authnInstant = Temporal::getTime();
    $this->attributes = array();
    $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
    $this->certificates = array();
    $this->AuthenticatingAuthority = array();
    $this->SubjectConfirmation = array();

    if ($xml === null) {
        return;
    }

    if (!$xml->hasAttribute('ID')) {
        throw new \Exception('Missing ID attribute on SAML assertion.');
    }
    $this->id = $xml->getAttribute('ID');

    $version = $xml->getAttribute('Version');
    if ($version !== '2.0') {
        /* Currently a very strict check. */
        throw new \Exception('Unsupported version: ' . $version);
    }

    $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    $issuerNodes = Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (empty($issuerNodes)) {
        throw new \Exception('Missing <saml:Issuer> in assertion.');
    }
    $parsedIssuer = new XML\saml\Issuer($issuerNodes[0]);
    // Entity-format issuers are exposed as a plain string; other formats keep the object.
    $this->issuer = ($parsedIssuer->Format === Constants::NAMEID_ENTITY)
        ? $parsedIssuer->value
        : $parsedIssuer;

    // Order matters: later steps may rely on what earlier ones populated.
    $this->parseSubject($xml);
    $this->parseConditions($xml);
    $this->parseAuthnStatement($xml);
    $this->parseAttributes($xml);
    $this->parseEncryptedAttributes($xml);
    $this->parseSignature($xml);
}