ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
SimpleSAML\XML\Shib13\AuthnResponse Class Reference

Public Member Functions

 setMessageValidated ($messageValidated)
 Set whether this message was validated externally.

 setXML ($xml)

 setRelayState ($relayState)

 getRelayState ()

 validate ()

 getSessionIndex ()
 Retrieve the session index of this response.

 getIssuer ()

 getNameID ()

 generate (\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
 Build an authentication response.


Data Fields

const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'
 
const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'
 

Static Protected Member Functions

static checkDateConditions ($start=null, $end=null)
 Check if we are currently between the given date & time conditions.
 

Private Member Functions

 isNodeValidated ($node)
 Checks if the given node is validated by the signature on this response.

 doXPathQuery ($query, $node=null)
 This function runs an XPath query on this authentication response.

 enc_attribute ($name, $values, $base64, $scopedAttributes)
 Format a shib13 attribute.
 

Private Attributes

 $validator = null
 
 $messageValidated = false
 
 $dom
 
 $relayState = null
 

Detailed Description

Definition at line 19 of file AuthnResponse.php.

Member Function Documentation

◆ checkDateConditions()

static SimpleSAML\XML\Shib13\AuthnResponse::checkDateConditions ($start = null, $end = null) [static, protected]

Check if we are currently between the given date & time conditions.

Note that this function tolerates up to 10 minutes of clock skew at the start of the period: a $start that lies less than 10 minutes in the future is still accepted. No such tolerance is applied at $end.

Parameters
string|null $start: A SAML2 timestamp marking the start of the period to check. Defaults to null, in which case there is no limitation in the past.
string|null $end: A SAML2 timestamp marking the end of the period to check. Defaults to null, in which case there is no limitation in the future.
Returns
bool True if the current time belongs to the period specified by $start and $end, false otherwise.
See also
\SAML2\Utils::xsDateTimeToTimestamp
Author
Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
Olav Morken, UNINETT AS <olav.morken@uninett.no>

Definition at line 459 of file AuthnResponse.php.

```php
protected static function checkDateConditions($start = null, $end = null)
{
    $currentTime = time();

    if (!empty($start)) {
        $startTime = Utils::xsDateTimeToTimestamp($start);
        // allow for a 10 minute difference in time
        if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
            return false;
        }
    }
    if (!empty($end)) {
        $endTime = Utils::xsDateTimeToTimestamp($end);
        // no skew at the end of the window: NotOnOrAfter is an exclusive bound
        if (($endTime < 0) || ($endTime <= $currentTime)) {
            return false;
        }
    }
    return true;
}
```

References $end, and SAML2\Utils\xsDateTimeToTimestamp().


◆ doXPathQuery()

SimpleSAML\XML\Shib13\AuthnResponse::doXPathQuery ($query, $node = null) [private]

This function runs an XPath query on this authentication response.

Parameters
string $query: The query which should be run.
\DOMNode $node: The node which this query is relative to. If this node is NULL (the default) then the query will be relative to the root of the response.
Returns
\DOMNodeList

Definition at line 164 of file AuthnResponse.php.

```php
private function doXPathQuery($query, $node = null)
{
    assert('is_string($query)');
    assert('$this->dom instanceof DOMDocument');

    if ($node === null) {
        $node = $this->dom->documentElement;
    }

    assert('$node instanceof DOMNode');

    // Bind the prefixes used by getIssuer(), getNameID() and getSessionIndex()
    // to the SAML 1.x protocol and assertion namespaces.
    $xPath = new \DOMXPath($this->dom);
    $xPath->registerNamespace('shibp', self::SHIB_PROTOCOL_NS);
    $xPath->registerNamespace('shib', self::SHIB_ASSERT_NS);

    return $xPath->query($query, $node);
}
```

References $query.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML\XML\Shib13\AuthnResponse\getNameID(), and SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().

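The following stand-alone script is an added example and not part of SimpleSAMLphp or ILIAS. It shows how the namespace-aware XPath queries of doXPathQuery() and the time rule of checkDateConditions() combine when an SP consumes a SAML 1.1 response: Issuer lookup, validity window with the asymmetric 10-minute skew, and audience check. The response document, all identifiers and URLs in it, and the helper names (xsDateTimeToTimestamp, checkAssertion, loadResponse) are constructed for this example; signature validation, which validate() performs before any of this, is out of scope here.

```php
<?php
// Added example, not SimpleSAMLphp code. The response below is constructed;
// every identifier and URL in it is a placeholder.

const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol';
const SHIB_ASSERT_NS   = 'urn:oasis:names:tc:SAML:1.0:assertion';

$sampleResponse = <<<'XML'
<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
          xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
          MajorVersion="1" MinorVersion="1" IssueInstant="2020-01-01T12:00:00Z"
          Recipient="https://sp.example.org/shib13/acs" ResponseID="_placeholder-response-id">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_placeholder-assertion-id"
             IssueInstant="2020-01-01T12:00:00Z" Issuer="https://idp.example.org"
             MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2020-01-01T11:59:30Z" NotOnOrAfter="2020-01-01T12:05:00Z">
      <AudienceRestrictionCondition><Audience>https://sp.example.org</Audience></AudienceRestrictionCondition>
    </Conditions>
    <AuthenticationStatement AuthenticationInstant="2020-01-01T12:00:00Z"
                             AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier">_placeholder-nameid</NameIdentifier></Subject>
    </AuthenticationStatement>
  </Assertion>
</Response>
XML;

function xsDateTimeToTimestamp(string $time): int
{
    // Only the UTC form yyyy-mm-ddThh:mm:ss(.s+)?Z is accepted, as in SAML2\Utils.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/', $time)) {
        throw new InvalidArgumentException("Invalid SAML2 timestamp: $time");
    }
    return (new DateTimeImmutable($time, new DateTimeZone('UTC')))->getTimestamp();
}

function checkDateConditions(?string $start, ?string $end, int $now): bool
{
    // Same rule as AuthnResponse::checkDateConditions(), with the clock injected:
    // 600 s of skew is tolerated before NotBefore, none at NotOnOrAfter (exclusive).
    if (!empty($start) && xsDateTimeToTimestamp($start) - 600 > $now) {
        return false;
    }
    if (!empty($end) && xsDateTimeToTimestamp($end) <= $now) {
        return false;
    }
    return true;
}

function loadResponse(string $xml): DOMDocument
{
    // setXML() delegates parsing to SAML2\DOMDocumentFactory; parsing directly here,
    // refuse DOCTYPE and network access so that no external entity can be resolved.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('DOCTYPE is not allowed in a SAML response');
    }
    $dom = new DOMDocument();
    if (!@$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('Unable to parse AuthnResponse XML.');
    }
    return $dom;
}

function responseXPath(DOMDocument $dom): DOMXPath
{
    // Mirrors doXPathQuery(): 'shibp' and 'shib' are bound to the two SAML 1.x namespaces.
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('shibp', SHIB_PROTOCOL_NS);
    $xp->registerNamespace('shib', SHIB_ASSERT_NS);
    return $xp;
}

function checkAssertion(string $xml, string $expectedAudience, int $now): string
{
    $xp = responseXPath(loadResponse($xml));
    $issuer = $xp->query('/shibp:Response/shib:Assertion/@Issuer')->item(0); // as getIssuer()
    if ($issuer === null) {
        return 'reject: no Issuer';
    }
    $cond = $xp->query('/shibp:Response/shib:Assertion/shib:Conditions')->item(0);
    if ($cond === null) {
        return 'reject: no Conditions';
    }
    if (!checkDateConditions($cond->getAttribute('NotBefore'), $cond->getAttribute('NotOnOrAfter'), $now)) {
        return 'reject: outside validity window';
    }
    $audiences = [];
    foreach ($xp->query('shib:AudienceRestrictionCondition/shib:Audience', $cond) as $a) {
        $audiences[] = trim($a->textContent);
    }
    if ($audiences !== [] && !in_array($expectedAudience, $audiences, true)) {
        return 'reject: audience mismatch';
    }
    return 'accept: issuer ' . $issuer->value;
}

foreach ([
    '2020-01-01T12:00:00Z' => 'inside the window',
    '2020-01-01T11:50:00Z' => 'NotBefore 9.5 min ahead of the clock, within the 600 s skew',
    '2020-01-01T11:49:00Z' => 'NotBefore more than 10 min ahead',
    '2020-01-01T12:05:00Z' => 'clock equals NotOnOrAfter, which is exclusive',
] as $clock => $why) {
    echo $clock, ': ', checkAssertion($sampleResponse, 'https://sp.example.org', xsDateTimeToTimestamp($clock)), " ($why)\n";
}
echo 'wrong audience: ', checkAssertion($sampleResponse, 'https://other.example.org', xsDateTimeToTimestamp('2020-01-01T12:00:00Z')), "\n";
```

The injected clock makes the edge cases visible: a NotBefore 9.5 minutes in the future is accepted, one 10.5 minutes ahead is not, and a clock equal to NotOnOrAfter is rejected without any skew, which is exactly the asymmetry of the `- 600` and `<=` comparisons in checkDateConditions().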

◆ enc_attribute()

SimpleSAML\XML\Shib13\AuthnResponse::enc_attribute ($name, $values, $base64, $scopedAttributes) [private]

Format a shib13 attribute.

Parameters
string $name: Name of the attribute.
array $values: Values of the attribute (as an array of strings).
bool $base64: Whether the attribute values should be base64-encoded.
array $scopedAttributes: Array of attribute names which are scoped.
Returns
string The attribute encoded as an XML string.

Definition at line 407 of file AuthnResponse.php.

```php
private function enc_attribute($name, $values, $base64, $scopedAttributes)
{
    assert('is_string($name)');
    assert('is_array($values)');
    assert('is_bool($base64)');
    assert('is_array($scopedAttributes)');

    if (in_array($name, $scopedAttributes, true)) {
        $scoped = true;
    } else {
        $scoped = false;
    }

    $attr = '<Attribute AttributeName="' . htmlspecialchars($name) . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';
    foreach ($values as $value) {
        $scopePart = '';
        if ($scoped) {
            // Split "local@scope" at the first '@'; the scope becomes an XML attribute
            // and is not base64-encoded together with the local part below.
            $tmp = explode('@', $value, 2);
            if (count($tmp) === 2) {
                $value = $tmp[0];
                $scopePart = ' Scope="' . htmlspecialchars($tmp[1]) . '"';
            }
        }

        if ($base64) {
            $value = base64_encode($value);
        }

        $attr .= '<AttributeValue' . $scopePart . '>' . htmlspecialchars($value) . '</AttributeValue>';
    }
    $attr .= '</Attribute>';

    return $attr;
}
```

References $name.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\generate().

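As an added example (not SimpleSAMLphp code), the script below re-creates the encoding rules of enc_attribute() stand-alone and pairs them with the decoder an SP needs to recover the original values, so the round trip through scoping, base64 and XML escaping can be checked. The attribute names, values and helper names (encAttribute, attributeStatement, decodeAttributeStatement) are constructed for this example.

```php
<?php
// Added example, not SimpleSAMLphp code. Sample attributes below are constructed.

function encAttribute(string $name, array $values, bool $base64, array $scopedAttributes): string
{
    // Same rules as AuthnResponse::enc_attribute(): scoped names are split at the first '@',
    // base64 applies to the local part only, and every text/attribute value is XML-escaped.
    $scoped = in_array($name, $scopedAttributes, true);
    $attr = '<Attribute AttributeName="' . htmlspecialchars($name)
          . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';
    foreach ($values as $value) {
        $value = (string) $value;
        $scopePart = '';
        if ($scoped) {
            $tmp = explode('@', $value, 2);
            if (count($tmp) === 2) {
                $value = $tmp[0];
                $scopePart = ' Scope="' . htmlspecialchars($tmp[1]) . '"';
            }
        }
        if ($base64) {
            $value = base64_encode($value);
        }
        $attr .= '<AttributeValue' . $scopePart . '>' . htmlspecialchars($value) . '</AttributeValue>';
    }
    return $attr . '</Attribute>';
}

function attributeStatement(array $attributes, bool $base64, array $scopedAttributes): string
{
    // generate() nests the attributes in an Assertion whose default namespace is the
    // SAML 1.0 assertion namespace; declare it here so the fragment parses on its own.
    $xml = '<AttributeStatement xmlns="urn:oasis:names:tc:SAML:1.0:assertion">';
    foreach ($attributes as $name => $values) {
        $xml .= encAttribute($name, $values, $base64, $scopedAttributes);
    }
    return $xml . '</AttributeStatement>';
}

function decodeAttributeStatement(string $xml, bool $base64): array
{
    $dom = new DOMDocument();
    if (!@$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('invalid AttributeStatement');
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('shib', 'urn:oasis:names:tc:SAML:1.0:assertion');
    $out = [];
    foreach ($xp->query('/shib:AttributeStatement/shib:Attribute') as $attr) {
        $name = $attr->getAttribute('AttributeName');
        foreach ($xp->query('shib:AttributeValue', $attr) as $node) {
            $value = $node->textContent;              // the DOM has already undone htmlspecialchars()
            if ($base64) {
                $value = base64_decode($value, true); // strict mode: malformed input yields false
                if ($value === false) {
                    continue;                         // drop it rather than pass garbage downstream
                }
            }
            if ($node->hasAttribute('Scope')) {
                $value .= '@' . $node->getAttribute('Scope');
            }
            $out[$name][] = $value;
        }
    }
    return $out;
}

$attributes = [
    'eduPersonPrincipalName' => ['alice@example.org'],
    'mail'                   => ['alice@example.org'],
    'displayName'            => ['Alice <Admin> & Co'],
];
$scoped = ['eduPersonPrincipalName'];

foreach ([false, true] as $base64) {
    $xml  = attributeStatement($attributes, $base64, $scoped);
    $back = decodeAttributeStatement($xml, $base64);
    printf("base64=%s round trip %s\n", var_export($base64, true), $back === $attributes ? 'ok' : 'MISMATCH');
}
echo attributeStatement(['eduPersonPrincipalName' => ['alice@example.org']], false, $scoped), "\n";
```

Only names listed in `scopedattributes` get a `Scope` attribute; `mail` above keeps its `@` inside the text node. An SP that enforces scope (checking the scope against the IdP's allowed scopes) therefore only sees a scope for attributes both sides agree are scoped, which is why generate() reads that list from the SP's metadata first and the IdP's second.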

◆ generate()

SimpleSAML\XML\Shib13\AuthnResponse::generate (\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)

Build an authentication response.

Parameters
\SimpleSAML_Configuration $idp: Metadata for the IdP the response is sent from.
\SimpleSAML_Configuration $sp: Metadata for the SP the response is sent to.
string $shire: The endpoint on the SP the response is sent to.
array|null $attributes: The attributes which should be included in the response.
Returns
string The response.

Definition at line 307 of file AuthnResponse.php.

```php
public function generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
{
    assert('is_string($shire)');
    assert('$attributes === NULL || is_array($attributes)');

    // The SP's list of scoped attributes takes precedence over the IdP's
    if ($sp->hasValue('scopedattributes')) {
        $scopedAttributes = $sp->getArray('scopedattributes');
    } elseif ($idp->hasValue('scopedattributes')) {
        $scopedAttributes = $idp->getArray('scopedattributes');
    } else {
        $scopedAttributes = array();
    }

    $id = Random::generateID();

    $issueInstant = Time::generateTimestamp();

    // 30 seconds timeskew back in time to allow differing clocks
    $notBefore = Time::generateTimestamp(time() - 30);

    $assertionExpire = Time::generateTimestamp(time() + 60 * 5); // 5 minutes
    $assertionid = Random::generateID();

    $spEntityId = $sp->getString('entityid');

    $audience = $sp->getString('audience', $spEntityId);
    $base64 = $sp->getBoolean('base64attributes', false);

    $namequalifier = $sp->getString('NameQualifier', $spEntityId);
    $nameid = Random::generateID();
    $subjectNode =
        '<Subject>' .
        '<NameIdentifier' .
        ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' .
        ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' .
        '>' .
        htmlspecialchars($nameid) .
        '</NameIdentifier>' .
        '<SubjectConfirmation>' .
        '<ConfirmationMethod>' .
        'urn:oasis:names:tc:SAML:1.0:cm:bearer' .
        '</ConfirmationMethod>' .
        '</SubjectConfirmation>' .
        '</Subject>';

    $encodedattributes = '';

    if (is_array($attributes)) {
        $encodedattributes .= '<AttributeStatement>';
        $encodedattributes .= $subjectNode;

        foreach ($attributes as $name => $value) {
            $encodedattributes .= $this->enc_attribute($name, $value, $base64, $scopedAttributes);
        }

        $encodedattributes .= '</AttributeStatement>';
    }

    /*
     * The SAML 1.1 response message
     */
    $response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant . '"
    MajorVersion="1" MinorVersion="1"
    Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
    <Status>
        <StatusCode Value="samlp:Success" />
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant . '"
        Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="' . $notBefore . '" NotOnOrAfter="' . $assertionExpire . '">
            <AudienceRestrictionCondition>
                <Audience>' . htmlspecialchars($audience) . '</Audience>
            </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="' . $issueInstant . '"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' .
            $subjectNode . '
        </AuthenticationStatement>
        ' . $encodedattributes . '
    </Assertion>
</Response>';

    return $response;
}
```

References $attributes, $id, $idp, $name, $nameid, $response, $spEntityId, SimpleSAML\XML\Shib13\AuthnResponse\enc_attribute(), SimpleSAML\Utils\Random\generateID(), SimpleSAML\Utils\Time\generateTimestamp(), SimpleSAML_Configuration\getArray(), SimpleSAML_Configuration\getBoolean(), SimpleSAML_Configuration\getString(), and SimpleSAML_Configuration\hasValue().


◆ getIssuer()

SimpleSAML\XML\Shib13\AuthnResponse::getIssuer ( )

Definition at line 270 of file AuthnResponse.php.

```php
public function getIssuer()
{
    $query = '/shibp:Response/shib:Assertion/@Issuer';
    $nodelist = $this->doXPathQuery($query);

    if ($attr = $nodelist->item(0)) {
        return $attr->value;
    } else {
        throw new \Exception('Could not find Issuer field in Authentication response');
    }
}
```

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\validate().


◆ getNameID()

SimpleSAML\XML\Shib13\AuthnResponse::getNameID ( )

Definition at line 282 of file AuthnResponse.php.

```php
public function getNameID()
{
    $nameID = array();

    $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier';
    $nodelist = $this->doXPathQuery($query);

    if ($node = $nodelist->item(0)) {
        $nameID["Value"] = $node->nodeValue;
        $nameID["Format"] = $node->getAttribute('Format');
    }

    return $nameID;
}
```

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().


◆ getRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::getRelayState ( )

◆ getSessionIndex()

SimpleSAML\XML\Shib13\AuthnResponse::getSessionIndex ( )

Retrieve the session index of this response.

Returns
string|null The session index of this response.

Definition at line 187 of file AuthnResponse.php.

```php
public function getSessionIndex()
{
    assert('$this->dom instanceof DOMDocument');

    // Note: this looks for a shib:AuthnStatement element, whereas generate() above
    // (and SAML 1.x) uses AuthenticationStatement, so for a response of that shape
    // the query matches nothing and null is returned.
    $query = '/shibp:Response/shib:Assertion/shib:AuthnStatement';
    $nodelist = $this->doXPathQuery($query);
    if ($node = $nodelist->item(0)) {
        return $node->getAttribute('SessionIndex');
    }

    return null;
}
```

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().


◆ isNodeValidated()

SimpleSAML\XML\Shib13\AuthnResponse::isNodeValidated ($node) [private]

Checks if the given node is validated by the signature on this response.

Parameters
\DOMElement $node: Node to be validated.
Returns
bool TRUE if the node is validated or FALSE if not.

Definition at line 134 of file AuthnResponse.php.

```php
private function isNodeValidated($node)
{
    if ($this->messageValidated) {
        // This message was validated externally
        return true;
    }

    // No validator means validate() has not run (or failed): treat the node as unsigned
    if ($this->validator === null) {
        return false;
    }

    // Convert the node to a DOM node if it is an element from SimpleXML
    if ($node instanceof \SimpleXMLElement) {
        $node = dom_import_simplexml($node);
    }

    assert('$node instanceof DOMNode');

    return $this->validator->isNodeValidated($node);
}
```

◆ setMessageValidated()

SimpleSAML\XML\Shib13\AuthnResponse::setMessageValidated (   $messageValidated)

Set whether this message was validated externally.

Parameters
bool $messageValidated: TRUE if the message is already validated, FALSE if not.

Definition at line 54 of file AuthnResponse.php.

```php
public function setMessageValidated($messageValidated)
{
    assert('is_bool($messageValidated)');

    $this->messageValidated = $messageValidated;
}
```

References SimpleSAML\XML\Shib13\AuthnResponse\$messageValidated.

◆ setRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::setRelayState (   $relayState)

Definition at line 73 of file AuthnResponse.php.

```php
public function setRelayState($relayState)
{
    $this->relayState = $relayState;
}
```

References SimpleSAML\XML\Shib13\AuthnResponse\$relayState.

◆ setXML()

SimpleSAML\XML\Shib13\AuthnResponse::setXML (   $xml)

Definition at line 62 of file AuthnResponse.php.

```php
public function setXML($xml)
{
    assert('is_string($xml)');

    // Parsing is delegated to SAML2's DOMDocumentFactory rather than a bare
    // DOMDocument::loadXML(); carriage returns are stripped first.
    try {
        $this->dom = DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
    } catch (\Exception $e) {
        throw new \Exception('Unable to parse AuthnResponse XML.');
    }
}
```

References $xml, and SAML2\DOMDocumentFactory\fromString().


◆ validate()

SimpleSAML\XML\Shib13\AuthnResponse::validate ( )

Definition at line 83 of file AuthnResponse.php.

```php
public function validate()
{
    assert('$this->dom instanceof DOMDocument');

    if ($this->messageValidated) {
        // This message was validated externally
        return true;
    }

    // Validate the signature
    $this->validator = new Validator($this->dom, array('ResponseID', 'AssertionID'));

    // Get the issuer of the response. It comes from the not-yet-verified message and
    // is used only to select which configured key material to verify against.
    $issuer = $this->getIssuer();

    // Get the metadata of the issuer
    $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');

    $publicKeys = $md->getPublicKeys('signing');
    if ($publicKeys !== null) {
        // Configured signing certificates, identified by the SHA-1 of their DER encoding
        $certFingerprints = array();
        foreach ($publicKeys as $key) {
            if ($key['type'] !== 'X509Certificate') {
                continue;
            }
            $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
        }
        $this->validator->validateFingerprint($certFingerprints);
    } elseif ($md->hasValue('certFingerprint')) {
        $certFingerprints = $md->getArrayizeString('certFingerprint');

        // Validate the fingerprint
        $this->validator->validateFingerprint($certFingerprints);
    } elseif ($md->hasValue('caFile')) {
        // Validate against CA
        $this->validator->validateCA(Config::getCertPath($md->getString('caFile')));
    } else {
        // No key material at all is an error, never an implicit accept
        throw new \SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
    }

    return true;
}
```

References $issuer, $key, $metadata, SimpleSAML\Utils\Config\getCertPath(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

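The script below is an added example, not SimpleSAMLphp code. It re-creates the precedence validate() applies to shib13-idp-remote metadata (signing entries under `keys` first, then `certFingerprint`, then `caFile`, otherwise an error) and shows how a presented certificate's SHA-1 fingerprint is matched against that list in constant time. The `keys` entry layout (`type`, `signing`, `X509Certificate`) is assumed from what validate() reads; the certificate bytes, fingerprints and function names (acceptedFingerprints, fingerprintMatches) are constructed placeholders, not real DER.

```php
<?php
// Added example, not SimpleSAMLphp code. "Certificates" below are placeholder bytes.

function normalizeFingerprint(string $fp): string
{
    // Configured fingerprints are often written "AB:CD:..."; compare lowercase hex only.
    return strtolower(str_replace(':', '', $fp));
}

function acceptedFingerprints(array $md): array
{
    // 1. signing X509Certificate entries under 'keys' (validate() hashes the DER, as here)
    $fps = [];
    foreach ($md['keys'] ?? [] as $key) {
        if (($key['type'] ?? null) !== 'X509Certificate' || empty($key['signing'])) {
            continue;
        }
        $fps[] = sha1(base64_decode($key['X509Certificate']));
    }
    if ($fps !== []) {
        return $fps;
    }
    // 2. a literal fingerprint (string or list), as getArrayizeString('certFingerprint')
    if (isset($md['certFingerprint'])) {
        return array_map('normalizeFingerprint', (array) $md['certFingerprint']);
    }
    // 3. 'caFile' is a different verification path (chain to a CA), not a fingerprint list
    if (isset($md['caFile'])) {
        throw new LogicException('caFile configured: verify the chain against the CA instead');
    }
    // 4. nothing configured must fail closed, as validate() does
    throw new RuntimeException('Missing certificate in Shibboleth 1.3 IdP Remote metadata');
}

function fingerprintMatches(string $presentedDer, array $accepted): bool
{
    $presented = sha1($presentedDer);
    $match = false;
    foreach ($accepted as $fp) {
        // hash_equals avoids a timing side channel; keep looping so the elapsed time
        // does not reveal which entry matched.
        if (hash_equals(normalizeFingerprint($fp), $presented)) {
            $match = true;
        }
    }
    return $match;
}

$idpCertDer   = 'PLACEHOLDER-IDP-SIGNING-CERT-DER';
$otherCertDer = 'PLACEHOLDER-ENCRYPTION-ONLY-CERT-DER';

$mdWithKeys = ['keys' => [
    ['type' => 'X509Certificate', 'signing' => true,  'encryption' => false, 'X509Certificate' => base64_encode($idpCertDer)],
    ['type' => 'X509Certificate', 'signing' => false, 'encryption' => true,  'X509Certificate' => base64_encode($otherCertDer)],
]];
$mdWithFingerprint = ['certFingerprint' => strtoupper(rtrim(chunk_split(sha1($idpCertDer), 2, ':'), ':'))];

foreach (['keys' => $mdWithKeys, 'certFingerprint' => $mdWithFingerprint] as $label => $md) {
    $accepted = acceptedFingerprints($md);
    printf("%-15s signing cert: %s, encryption-only cert: %s\n", $label,
        fingerprintMatches($idpCertDer, $accepted) ? 'accepted' : 'rejected',
        fingerprintMatches($otherCertDer, $accepted) ? 'accepted' : 'rejected');
}
try {
    acceptedFingerprints([]);
} catch (RuntimeException $e) {
    echo 'empty metadata: ', $e->getMessage(), "\n";
}
```

Under both metadata shapes only the signing certificate is accepted; the encryption-only entry is skipped because validate() asks for `getPublicKeys('signing')`. The SHA-1 here identifies a configured certificate rather than providing collision resistance, which is why the fingerprint list is compared against the certificate that actually signed the message rather than trusted on its own.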

Field Documentation

◆ $dom

SimpleSAML\XML\Shib13\AuthnResponse::$dom
private

Definition at line 41 of file AuthnResponse.php.

◆ $messageValidated

SimpleSAML\XML\Shib13\AuthnResponse::$messageValidated = false
private

◆ $relayState

SimpleSAML\XML\Shib13\AuthnResponse::$relayState = null
private

◆ $validator

SimpleSAML\XML\Shib13\AuthnResponse::$validator = null
private

Definition at line 25 of file AuthnResponse.php.

◆ SHIB_ASSERT_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'

Definition at line 35 of file AuthnResponse.php.

◆ SHIB_PROTOCOL_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'

Definition at line 34 of file AuthnResponse.php.


The documentation for this class was generated from the following file: