ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
SimpleSAML\XML\Shib13\AuthnResponse Class Reference

Public Member Functions

    setMessageValidated($messageValidated)
        Set whether this message was validated externally.
    setXML($xml)
    setRelayState($relayState)
    getRelayState()
    validate()
    getSessionIndex()
        Retrieve the session index of this response.
    getIssuer()
    getNameID()
    generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
        Build an authentication response.

Data Fields

    const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'
    const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'

Static Protected Member Functions

    static checkDateConditions($start = null, $end = null)
        Check if we are currently between the given date & time conditions.

Private Member Functions

    isNodeValidated($node)
        Checks if the given node is validated by the signature on this response.
    doXPathQuery($query, $node = null)
        This function runs an xPath query on this authentication response.
    enc_attribute($name, $values, $base64, $scopedAttributes)
        Format a shib13 attribute.

Private Attributes

    $validator = null
    $messageValidated = false
    $dom
    $relayState = null

Detailed Description

Definition at line 19 of file AuthnResponse.php.

Member Function Documentation

◆ checkDateConditions()

static SimpleSAML\XML\Shib13\AuthnResponse::checkDateConditions($start = null, $end = null)
(static, protected)

Check if we are currently between the given date & time conditions.

Note that this function allows a 10-minute leap from the initial time as marked by $start.

Parameters
    string|null  $start  A SAML2 timestamp marking the start of the period to check. Defaults to null, in which case there is no limitation in the past.
    string|null  $end    A SAML2 timestamp marking the end of the period to check. Defaults to null, in which case there is no limitation in the future.
Returns
    bool  True if the current time belongs to the period specified by $start and $end. False otherwise.
See also
    SAML2\Utils::xsDateTimeToTimestamp()
Author
    Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
    Olav Morken, UNINETT AS <olav.morken@uninett.no>

Definition at line 459 of file AuthnResponse.php.

References $end, time, and SAML2\Utils\xsDateTimeToTimestamp().

    protected static function checkDateConditions($start = null, $end = null)
    {
        // Utils is SAML2\Utils (imported at the top of AuthnResponse.php);
        // a negative timestamp is treated as invalid
        $currentTime = time();

        if (!empty($start)) {
            $startTime = Utils::xsDateTimeToTimestamp($start);
            // allow for a 10 minute difference in time
            // (reject only if NotBefore lies more than 600 s in the future)
            if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
                return false;
            }
        }
        if (!empty($end)) {
            // no skew allowance here: the window closes exactly at $end
            $endTime = Utils::xsDateTimeToTimestamp($end);
            if (($endTime < 0) || ($endTime <= $currentTime)) {
                return false;
            }
        }
        return true;
    }

◆ doXPathQuery()

SimpleSAML\XML\Shib13\AuthnResponse::doXPathQuery($query, $node = null)
(private)

This function runs an xPath query on this authentication response.

Parameters
    string    $query  The query which should be run.
    \DOMNode  $node   The node which this query is relative to. If this node is NULL (the default) then the query will be relative to the root of the response.
Returns
    \DOMNodeList  The nodes matched by the query (the result of DOMXPath::query()).

Definition at line 164 of file AuthnResponse.php.

References $query.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML\XML\Shib13\AuthnResponse\getNameID(), and SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().

    private function doXPathQuery($query, $node = null)
    {
        assert('is_string($query)');
        assert('$this->dom instanceof DOMDocument');

        if ($node === null) {
            $node = $this->dom->documentElement;
        }

        assert('$node instanceof DOMNode');

        // Bind the SAML 1.x protocol and assertion namespaces to the
        // shibp: and shib: prefixes used by the queries in this class
        $xPath = new \DOMXpath($this->dom);
        $xPath->registerNamespace('shibp', self::SHIB_PROTOCOL_NS);
        $xPath->registerNamespace('shib', self::SHIB_ASSERT_NS);

        return $xPath->query($query, $node);
    }

◆ enc_attribute()

SimpleSAML\XML\Shib13\AuthnResponse::enc_attribute($name, $values, $base64, $scopedAttributes)
(private)

Format a shib13 attribute.

Parameters
    string  $name              Name of the attribute.
    array   $values            Values of the attribute (as an array of strings).
    bool    $base64            Whether the attribute values should be base64-encoded.
    array   $scopedAttributes  Array of attribute names which are scoped.
Returns
    string  The attribute encoded as an XML-string.

Definition at line 407 of file AuthnResponse.php.

References $name.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\generate().

    private function enc_attribute($name, $values, $base64, $scopedAttributes)
    {
        assert('is_string($name)');
        assert('is_array($values)');
        assert('is_bool($base64)');
        assert('is_array($scopedAttributes)');

        if (in_array($name, $scopedAttributes, true)) {
            $scoped = true;
        } else {
            $scoped = false;
        }

        // every attribute name and value is escaped before it is placed in the XML
        $attr = '<Attribute AttributeName="' . htmlspecialchars($name) . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';
        foreach ($values as $value) {
            $scopePart = '';
            if ($scoped) {
                // scoped values ("user@scope") are split at the first '@';
                // the scope becomes a Scope attribute on the AttributeValue
                $tmp = explode('@', $value, 2);
                if (count($tmp) === 2) {
                    $value = $tmp[0];
                    $scopePart = ' Scope="' . htmlspecialchars($tmp[1]) . '"';
                }
            }

            if ($base64) {
                $value = base64_encode($value);
            }

            $attr .= '<AttributeValue' . $scopePart . '>' . htmlspecialchars($value) . '</AttributeValue>';
        }
        $attr .= '</Attribute>';

        return $attr;
    }

◆ generate()

SimpleSAML\XML\Shib13\AuthnResponse::generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)

Build an authentication response.

Parameters
    \SimpleSAML_Configuration  $idp         Metadata for the IdP the response is sent from.
    \SimpleSAML_Configuration  $sp          Metadata for the SP the response is sent to.
    string                     $shire       The endpoint on the SP the response is sent to.
    array|null                 $attributes  The attributes which should be included in the response.
Returns
    string  The response.

Definition at line 307 of file AuthnResponse.php.

References $attributes, $id, $name, $nameid, $response, $spEntityId, array, SimpleSAML\XML\Shib13\AuthnResponse\enc_attribute(), SimpleSAML\Utils\Random\generateID(), SimpleSAML\Utils\Time\generateTimestamp(), SimpleSAML_Configuration\getArray(), SimpleSAML_Configuration\getBoolean(), SimpleSAML_Configuration\getString(), SimpleSAML_Configuration\hasValue(), and time.

    public function generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
    {
        assert('is_string($shire)');
        assert('$attributes === NULL || is_array($attributes)');

        // SP metadata takes precedence over IdP metadata for the scoped attribute list
        if ($sp->hasValue('scopedattributes')) {
            $scopedAttributes = $sp->getArray('scopedattributes');
        } elseif ($idp->hasValue('scopedattributes')) {
            $scopedAttributes = $idp->getArray('scopedattributes');
        } else {
            $scopedAttributes = array();
        }

        // Random and Time are SimpleSAML\Utils\Random and SimpleSAML\Utils\Time
        $id = Random::generateID();

        $issueInstant = Time::generateTimestamp();

        // 30 seconds timeskew back in time to allow differing clocks
        $notBefore = Time::generateTimestamp(time() - 30);

        $assertionExpire = Time::generateTimestamp(time() + 60 * 5); # 5 minutes
        $assertionid = Random::generateID();

        $spEntityId = $sp->getString('entityid');

        $audience = $sp->getString('audience', $spEntityId);
        $base64 = $sp->getBoolean('base64attributes', false);

        $namequalifier = $sp->getString('NameQualifier', $spEntityId);
        // transient NameIdentifier: a fresh random value per response
        $nameid = Random::generateID();
        $subjectNode =
            '<Subject>' .
            '<NameIdentifier' .
            ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' .
            ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' .
            '>' .
            htmlspecialchars($nameid) .
            '</NameIdentifier>' .
            '<SubjectConfirmation>' .
            '<ConfirmationMethod>' .
            'urn:oasis:names:tc:SAML:1.0:cm:bearer' .
            '</ConfirmationMethod>' .
            '</SubjectConfirmation>' .
            '</Subject>';

        $encodedattributes = '';

        if (is_array($attributes)) {
            $encodedattributes .= '<AttributeStatement>';
            $encodedattributes .= $subjectNode;

            foreach ($attributes as $name => $value) {
                $encodedattributes .= $this->enc_attribute($name, $value, $base64, $scopedAttributes);
            }

            $encodedattributes .= '</AttributeStatement>';
        }

        /*
         * The SAML 1.1 response message
         * (values taken from metadata are escaped with htmlspecialchars;
         * identifiers and timestamps are generated locally)
         */
        $response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant. '"
    MajorVersion="1" MinorVersion="1"
    Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
    <Status>
        <StatusCode Value="samlp:Success" />
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant. '"
        Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="'. $assertionExpire . '">
            <AudienceRestrictionCondition>
                <Audience>' . htmlspecialchars($audience) . '</Audience>
            </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="' . $issueInstant. '"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' .
            $subjectNode . '
        </AuthenticationStatement>
        ' . $encodedattributes . '
    </Assertion>
</Response>';

        return $response;
    }

◆ getIssuer()

SimpleSAML\XML\Shib13\AuthnResponse::getIssuer()

Definition at line 270 of file AuthnResponse.php.

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex(), and SimpleSAML\XML\Shib13\AuthnResponse\validate().

    public function getIssuer()
    {
        // the Issuer attribute of the Assertion element
        $query = '/shibp:Response/shib:Assertion/@Issuer';
        $nodelist = $this->doXPathQuery($query);

        if ($attr = $nodelist->item(0)) {
            return $attr->value;
        } else {
            throw new \Exception('Could not find Issuer field in Authentication response');
        }
    }

◆ getNameID()

SimpleSAML\XML\Shib13\AuthnResponse::getNameID()

Definition at line 282 of file AuthnResponse.php.

References $query, array, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

    public function getNameID()
    {
        $nameID = array();

        $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier';
        $nodelist = $this->doXPathQuery($query);

        // an empty array is returned when no NameIdentifier is present
        if ($node = $nodelist->item(0)) {
            $nameID["Value"] = $node->nodeValue;
            $nameID["Format"] = $node->getAttribute('Format');
        }

        return $nameID;
    }

◆ getRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::getRelayState()

◆ getSessionIndex()

SimpleSAML\XML\Shib13\AuthnResponse::getSessionIndex()

Retrieve the session index of this response.

Returns
    string|null  The session index of this response.

Definition at line 187 of file AuthnResponse.php.

References $attributes, $end, $metadata, $name, $query, array, SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery(), Monolog\Handler\error_log(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), and SimpleSAML\XML\Shib13\AuthnResponse\isNodeValidated().

    public function getSessionIndex()
    {
        assert('$this->dom instanceof DOMDocument');

        // Note: SAML 1.1 names this element AuthenticationStatement, which is
        // what generate() above emits; no shib:AuthnStatement is produced by this
        // class, so for such responses the lookup finds nothing and null is returned
        $query = '/shibp:Response/shib:Assertion/shib:AuthnStatement';
        $nodelist = $this->doXPathQuery($query);
        if ($node = $nodelist->item(0)) {
            return $node->getAttribute('SessionIndex');
        }

        return null;
    }
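The namespaced XPath lookups used by getIssuer(), getNameID() and getSessionIndex(), run against a constructed SAML 1.1 response shaped like the output of generate(). This is an added example, not code from SimpleSAMLphp or ILIAS; every identifier and URL in it is a made-up sample value.

```php
<?php
// Added example (not part of SimpleSAMLphp or ILIAS): exercise the same
// XPath queries as AuthnResponse against a constructed SAML 1.1 response.
// All identifiers and URLs below are made-up sample values.
$xml = <<<'XML'
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2020-01-01T12:00:00Z" MajorVersion="1" MinorVersion="1"
    Recipient="https://sp.example.org/shib13/acs" ResponseID="_resp-sample">
  <Status><StatusCode Value="samlp:Success" /></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      AssertionID="_assert-sample" IssueInstant="2020-01-01T12:00:00Z"
      Issuer="https://idp.example.org/shib13" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2020-01-01T11:59:30Z" NotOnOrAfter="2020-01-01T12:05:00Z" />
    <AuthenticationStatement AuthenticationInstant="2020-01-01T12:00:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
            NameQualifier="https://sp.example.org">_nameid-sample</NameIdentifier>
      </Subject>
    </AuthenticationStatement>
  </Assertion>
</Response>
XML;

$dom = new DOMDocument();
$dom->loadXML($xml);

// Same prefix bindings as doXPathQuery()
$xPath = new DOMXPath($dom);
$xPath->registerNamespace('shibp', 'urn:oasis:names:tc:SAML:1.0:protocol');
$xPath->registerNamespace('shib', 'urn:oasis:names:tc:SAML:1.0:assertion');

// getIssuer(): the Issuer attribute of the Assertion
$issuer = $xPath->query('/shibp:Response/shib:Assertion/@Issuer')->item(0);
echo 'Issuer: ', ($issuer ? $issuer->value : '(none)'), "\n";

// getNameID(): value and Format of the NameIdentifier
$nameId = $xPath->query('/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier')->item(0);
echo 'NameID: ', $nameId->nodeValue, ' (', $nameId->getAttribute('Format'), ")\n";

// getSessionIndex() looks for shib:AuthnStatement. SAML 1.1 uses
// AuthenticationStatement (as generate() emits), so the lookup finds nothing
// and the method returns null even for a response this class produced itself.
$authn = $xPath->query('/shibp:Response/shib:Assertion/shib:AuthnStatement')->item(0);
echo 'SessionIndex: ', ($authn ? $authn->getAttribute('SessionIndex') : 'null (no AuthnStatement)'), "\n";
```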

◆ isNodeValidated()

SimpleSAML\XML\Shib13\AuthnResponse::isNodeValidated($node)
(private)

Checks if the given node is validated by the signature on this response.

Parameters
    \DOMElement  $node  Node to be validated.
Returns
    bool  TRUE if the node is validated or FALSE if not.

Definition at line 134 of file AuthnResponse.php.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().

    private function isNodeValidated($node)
    {
        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        // No validator means validate() has not run (or not succeeded):
        // nothing in the document counts as signed
        if ($this->validator === null) {
            return false;
        }

        // Convert the node to a DOM node if it is an element from SimpleXML
        if ($node instanceof \SimpleXMLElement) {
            $node = dom_import_simplexml($node);
        }

        assert('$node instanceof DOMNode');

        // ask the signature validator whether this node is covered by the signature
        return $this->validator->isNodeValidated($node);
    }

◆ setMessageValidated()

SimpleSAML\XML\Shib13\AuthnResponse::setMessageValidated($messageValidated)

Set whether this message was validated externally.

Parameters
    bool  $messageValidated  TRUE if the message is already validated, FALSE if not.

Definition at line 54 of file AuthnResponse.php.

References SimpleSAML\XML\Shib13\AuthnResponse\$messageValidated.

    public function setMessageValidated($messageValidated)
    {
        assert('is_bool($messageValidated)');

        // when true, validate() and isNodeValidated() short-circuit to true
        $this->messageValidated = $messageValidated;
    }

◆ setRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::setRelayState($relayState)

Definition at line 73 of file AuthnResponse.php.

References SimpleSAML\XML\Shib13\AuthnResponse\$relayState.

    public function setRelayState($relayState)
    {
        $this->relayState = $relayState;
    }

◆ setXML()

SimpleSAML\XML\Shib13\AuthnResponse::setXML($xml)

Definition at line 62 of file AuthnResponse.php.

References $xml, and SAML2\DOMDocumentFactory\fromString().

    public function setXML($xml)
    {
        assert('is_string($xml)');

        // DOMDocumentFactory is SAML2\DOMDocumentFactory; carriage returns are
        // stripped first, and parser errors are wrapped in a generic exception
        try {
            $this->dom = DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
        } catch (\Exception $e) {
            throw new \Exception('Unable to parse AuthnResponse XML.');
        }
    }

◆ validate()

SimpleSAML\XML\Shib13\AuthnResponse::validate()

Definition at line 83 of file AuthnResponse.php.

References $issuer, $key, $metadata, array, SimpleSAML\Utils\Config\getCertPath(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

    public function validate()
    {
        assert('$this->dom instanceof DOMDocument');

        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        // Validate the signature
        // (Validator is SimpleSAML\XML\Validator; ResponseID and AssertionID are
        // the ID attributes a signature Reference may point at)
        $this->validator = new Validator($this->dom, array('ResponseID', 'AssertionID'));

        // Get the issuer of the response
        $issuer = $this->getIssuer();

        // Get the metadata of the issuer
        $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
        $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');

        // Tie the signature to a trust anchor from the IdP's metadata, in this
        // order: signing certificates, a pinned certFingerprint, a CA file
        $publicKeys = $md->getPublicKeys('signing');
        if ($publicKeys !== null) {
            $certFingerprints = array();
            foreach ($publicKeys as $key) {
                if ($key['type'] !== 'X509Certificate') {
                    continue;
                }
                // fingerprint = SHA-1 over the DER-encoded certificate
                $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
            }
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('certFingerprint')) {
            $certFingerprints = $md->getArrayizeString('certFingerprint');

            // Validate the fingerprint
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('caFile')) {
            // Validate against CA (Config is SimpleSAML\Utils\Config)
            $this->validator->validateCA(Config::getCertPath($md->getString('caFile')));
        } else {
            throw new \SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
        }

        // Only the signature and its trust anchor are checked here; the
        // assertion's Conditions window is checked separately by checkDateConditions()
        return true;
    }

Field Documentation

◆ $dom

SimpleSAML\XML\Shib13\AuthnResponse::$dom
private

Definition at line 41 of file AuthnResponse.php.

◆ $messageValidated

SimpleSAML\XML\Shib13\AuthnResponse::$messageValidated = false
private

◆ $relayState

SimpleSAML\XML\Shib13\AuthnResponse::$relayState = null
private

◆ $validator

SimpleSAML\XML\Shib13\AuthnResponse::$validator = null
private

Definition at line 25 of file AuthnResponse.php.

◆ SHIB_ASSERT_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'

Definition at line 35 of file AuthnResponse.php.

◆ SHIB_PROTOCOL_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'

Definition at line 34 of file AuthnResponse.php.


The documentation for this class was generated from the following file: