Collaboration diagram for sspmod_saml_Message:

Static Public Member Functions
static	addSign (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\SignedElement $element)
	Add signature key and sender certificate to an element (Message or Assertion). More...

static	checkSign (SimpleSAML_Configuration $srcMetadata, \SAML2\SignedElement $element)
	Check the signature on a SAML2 message or assertion. More...

static	validateMessage (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\Message $message)
	Check signature on a SAML2 message if enabled. More...

static	getDecryptionKeys (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Retrieve the decryption keys from metadata. More...

static	getBlacklistedAlgorithms (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Retrieve blacklisted algorithms. More...

static	getResponseError (\SAML2\StatusResponse $response)
	Retrieve the status code of a response as a sspmod_saml_Error. More...

static	buildAuthnRequest (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
	Build an authentication request based on information in the metadata. More...

static	buildLogoutRequest (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Build a logout request based on information in the metadata. More...

static	buildLogoutResponse (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
	Build a logout response based on information in the metadata. More...

static	processResponse (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response)
	Process a response message. More...

static	getEncryptionKey (SimpleSAML_Configuration $metadata)
	Retrieve the encryption key for the given entity. More...

Static Private Member Functions
static	addRedirectSign (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, \SAML2\Message $message)
	Add signature key and and senders certificate to message. More...

static	findCertificate (array $certFingerprints, array $certificates)
	Find the certificate used to sign a message or assertion. More...

static	decryptAssertion (SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, $assertion)
	Decrypt an assertion. More...

static	processAssertion (SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, \SAML2\Response $response, $assertion, $responseSigned)
	Process an assertion in a response. More...

Detailed Description

Definition at line 10 of file Message.php.

Member Function Documentation

◆ addRedirectSign()

static sspmod_saml_Message::addRedirectSign	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\Message	$message
	)

staticprivate

Add signature key and and senders certificate to message.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\Message	$message	The message we should add the data to.

Definition at line 79 of file Message.php.

References SimpleSAML_Configuration\getBoolean().

       {
 
         $signingEnabled = null;
         if ($message instanceof \SAML2\LogoutRequest || $message instanceof \SAML2\LogoutResponse) {
             $signingEnabled = $srcMetadata->getBoolean('sign.logout', null);
             if ($signingEnabled === null) {
                 $signingEnabled = $dstMetadata->getBoolean('sign.logout', null);
             }
         } elseif ($message instanceof \SAML2\AuthnRequest) {
             $signingEnabled = $srcMetadata->getBoolean('sign.authnrequest', null);
             if ($signingEnabled === null) {
                 $signingEnabled = $dstMetadata->getBoolean('sign.authnrequest', null);
             }
         }
 
         if ($signingEnabled === null) {
             $signingEnabled = $dstMetadata->getBoolean('redirect.sign', null);
             if ($signingEnabled === null) {
                 $signingEnabled = $srcMetadata->getBoolean('redirect.sign', false);
             }
         }
         if (!$signingEnabled) {
             return;
         }
 
         self::addSign($srcMetadata, $dstMetadata, $message);
     }

Here is the call graph for this function:

◆ addSign()

static sspmod_saml_Message::addSign	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\SignedElement	$element
	)

static

Add signature key and sender certificate to an element (Message or Assertion).

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\SignedElement	$element	The element we should add the data to.

Definition at line 20 of file Message.php.

References $algo, array, SimpleSAML_Configuration\getString(), SimpleSAML\Utils\Crypto\loadPrivateKey(), and SimpleSAML\Utils\Crypto\loadPublicKey().

Referenced by sspmod_saml_IdP_SAML2\buildAssertion(), sspmod_saml_IdP_SAML2\buildResponse(), and SAML2\HTTPArtifact\send().

       {
         $dstPrivateKey = $dstMetadata->getString('signature.privatekey', null);
 
         if ($dstPrivateKey !== null) {
             $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, true, 'signature.');
             $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($dstMetadata, false, 'signature.');
         } else {
             $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($srcMetadata, true);
             $certArray = SimpleSAML\Utils\Crypto::loadPublicKey($srcMetadata, false);
         }
 
         $algo = $dstMetadata->getString('signature.algorithm', null);
         if ($algo === null) {
             /*
              * In the NIST Special Publication 800-131A, SHA-1 became deprecated for generating
              * new digital signatures in 2011, and will be explicitly disallowed starting the 1st
              * of January, 2014. We'll keep this as a default for the next release and mark it
              * as deprecated, as part of the transition to SHA-256.
              *
              * See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf for more info.
              *
              * TODO: change default to XMLSecurityKey::RSA_SHA256.
              */
             $algo = $srcMetadata->getString('signature.algorithm', XMLSecurityKey::RSA_SHA1);
         }
 
         $privateKey = new XMLSecurityKey($algo, array('type' => 'private'));
         if (array_key_exists('password', $keyArray)) {
             $privateKey->passphrase = $keyArray['password'];
         }
         $privateKey->loadKey($keyArray['PEM'], false);
 
         $element->setSignatureKey($privateKey);
 
         if ($certArray === null) {
             // we don't have a certificate to add
             return;
         }
 
         if (!array_key_exists('PEM', $certArray)) {
             // we have a public key with only a fingerprint
             return;
         }
 
         $element->setCertificates(array($certArray['PEM']));
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildAuthnRequest()

static sspmod_saml_Message::buildAuthnRequest	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata
	)

static

Build an authentication request based on information in the metadata.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.

Returns: An authentication request object.

Definition at line 431 of file Message.php.

References array, SimpleSAML_Configuration\getArrayizeString(), SimpleSAML_Configuration\getBoolean(), SimpleSAML_Configuration\getInteger(), SimpleSAML_Configuration\getString(), SimpleSAML_Configuration\getValue(), SimpleSAML_Configuration\getValueValidate(), SimpleSAML_Configuration\hasValue(), and SimpleSAML_Configuration\loadFromArray().

Referenced by sspmod_saml_Auth_Source_SP\startSSO2().

       {
         $ar = new \SAML2\AuthnRequest();
 
         // get the NameIDPolicy to apply. IdP metadata has precedence.
         $nameIdPolicy = array();
         if ($idpMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $idpMetadata->getValue('NameIDPolicy');
         } elseif ($spMetadata->hasValue('NameIDPolicy')) {
             $nameIdPolicy = $spMetadata->getValue('NameIDPolicy');
         }
 
         if (!is_array($nameIdPolicy)) {
             // handle old configurations where 'NameIDPolicy' was used to specify just the format
             $nameIdPolicy = array('Format' => $nameIdPolicy);
         }
 
         $nameIdPolicy_cf = SimpleSAML_Configuration::loadFromArray($nameIdPolicy);
         $policy = array(
             'Format'      => $nameIdPolicy_cf->getString('Format', \SAML2\Constants::NAMEID_TRANSIENT),
             'AllowCreate' => $nameIdPolicy_cf->getBoolean('AllowCreate', true),
         );
         $spNameQualifier = $nameIdPolicy_cf->getString('SPNameQualifier', false);
         if ($spNameQualifier !== false) {
             $policy['SPNameQualifier'] = $spNameQualifier;
         }
         $ar->setNameIdPolicy($policy);
 
         $ar->setForceAuthn($spMetadata->getBoolean('ForceAuthn', false));
         $ar->setIsPassive($spMetadata->getBoolean('IsPassive', false));
 
         $protbind = $spMetadata->getValueValidate('ProtocolBinding', array(
             \SAML2\Constants::BINDING_HTTP_POST,
             \SAML2\Constants::BINDING_HOK_SSO,
             \SAML2\Constants::BINDING_HTTP_ARTIFACT,
             \SAML2\Constants::BINDING_HTTP_REDIRECT,
         ), \SAML2\Constants::BINDING_HTTP_POST);
 
         // Shoaib: setting the appropriate binding based on parameter in sp-metadata defaults to HTTP_POST
         $ar->setProtocolBinding($protbind);
         $ar->setIssuer($spMetadata->getString('entityid'));
         $ar->setAssertionConsumerServiceIndex($spMetadata->getInteger('AssertionConsumerServiceIndex', null));
         $ar->setAttributeConsumingServiceIndex($spMetadata->getInteger('AttributeConsumingServiceIndex', null));
 
         if ($spMetadata->hasValue('AuthnContextClassRef')) {
             $accr = $spMetadata->getArrayizeString('AuthnContextClassRef');
             $comp = $spMetadata->getValueValidate('AuthnContextComparison', array(
                 \SAML2\Constants::COMPARISON_EXACT,
                 \SAML2\Constants::COMPARISON_MINIMUM,
                 \SAML2\Constants::COMPARISON_MAXIMUM,
                 \SAML2\Constants::COMPARISON_BETTER,
             ), \SAML2\Constants::COMPARISON_EXACT);
             $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
         }
 
         self::addRedirectSign($spMetadata, $idpMetadata, $ar);
 
         return $ar;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildLogoutRequest()

static sspmod_saml_Message::buildLogoutRequest	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Build a logout request based on information in the metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: A logout request object.

Definition at line 501 of file Message.php.

References $lr, and SimpleSAML_Configuration\getString().

Referenced by sspmod_saml_IdP_SAML2\buildLogoutRequest(), and sspmod_saml_Auth_Source_SP\startSLO2().

       {
         $lr = new \SAML2\LogoutRequest();
         $lr->setIssuer($srcMetadata->getString('entityid'));
 
         self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
 
         return $lr;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ buildLogoutResponse()

static sspmod_saml_Message::buildLogoutResponse	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Build a logout response based on information in the metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: A logout response object.

Definition at line 521 of file Message.php.

References $lr, and SimpleSAML_Configuration\getString().

Referenced by sspmod_saml_IdP_SAML2\sendLogoutResponse().

       {
         $lr = new \SAML2\LogoutResponse();
         $lr->setIssuer($srcMetadata->getString('entityid'));
 
         self::addRedirectSign($srcMetadata, $dstMetadata, $lr);
 
         return $lr;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ checkSign()

static sspmod_saml_Message::checkSign	(	SimpleSAML_Configuration	$srcMetadata,
		\SAML2\SignedElement	$element
	)

static

Check the signature on a SAML2 message or assertion.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
\SAML2\SignedElement	$element	Either a or a .

Returns: boolean True if the signature is correct, false otherwise.

Exceptions

Definition at line 159 of file Message.php.

References $certificates, $i, $key, $keys, $res, array, SimpleSAML\Logger\debug(), SimpleSAML_Configuration\getArrayizeString(), SimpleSAML_Configuration\getPublicKeys(), SimpleSAML_Configuration\getString(), SimpleSAML_Configuration\hasValue(), and SimpleSAML\Logger\notice().

     {
         // find the public key that should verify signatures by this entity
         $keys = $srcMetadata->getPublicKeys('signing');
         if ($keys !== null) {
             $pemKeys = array();
             foreach ($keys as $key) {
                 switch ($key['type']) {
                     case 'X509Certificate':
                         $pemKeys[] = "-----BEGIN CERTIFICATE-----\n".
                             chunk_split($key['X509Certificate'], 64).
                             "-----END CERTIFICATE-----\n";
                         break;
                     default:
                         SimpleSAML\Logger::debug('Skipping unknown key type: '.$key['type']);
                 }
             }
         } elseif ($srcMetadata->hasValue('certFingerprint')) {
             SimpleSAML\Logger::notice(
                 "Validating certificates by fingerprint is deprecated. Please use ".
                 "certData or certificate options in your remote metadata configuration."
             );
 
             $certFingerprint = $srcMetadata->getArrayizeString('certFingerprint');
             foreach ($certFingerprint as &$fp) {
                 $fp = strtolower(str_replace(':', '', $fp));
             }
 
             $certificates = $element->getCertificates();
 
             // we don't have the full certificate stored. Try to find it in the message or the assertion instead
             if (count($certificates) === 0) {
                 /* We need the full certificate in order to match it against the fingerprint. */
                 SimpleSAML\Logger::debug('No certificate in message when validating against fingerprint.');
                 return false;
             } else {
                 SimpleSAML\Logger::debug('Found '.count($certificates).' certificates in '.get_class($element));
             }
 
             $pemCert = self::findCertificate($certFingerprint, $certificates);
             $pemKeys = array($pemCert);
         } else {
             throw new SimpleSAML_Error_Exception(
                 'Missing certificate in metadata for '.
                 var_export($srcMetadata->getString('entityid'), true)
             );
         }
 
         SimpleSAML\Logger::debug('Has '.count($pemKeys).' candidate keys for validation.');
 
         $lastException = null;
         foreach ($pemKeys as $i => $pem) {
             $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
             $key->loadKey($pem);
 
             try {
                 // make sure that we have a valid signature on either the response or the assertion
                 $res = $element->validate($key);
                 if ($res) {
                     SimpleSAML\Logger::debug('Validation with key #'.$i.' succeeded.');
                     return true;
                 }
                 SimpleSAML\Logger::debug('Validation with key #'.$i.' failed without exception.');
             } catch (Exception $e) {
                 SimpleSAML\Logger::debug('Validation with key #'.$i.' failed with exception: '.$e->getMessage());
                 $lastException = $e;
             }
         }
 
         // we were unable to validate the signature with any of our keys
         if ($lastException !== null) {
             throw $lastException;
         } else {
             return false;
         }
     }

Here is the call graph for this function:

◆ decryptAssertion()

static sspmod_saml_Message::decryptAssertion	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
			$assertion
	)

staticprivate

Decrypt an assertion.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender (IdP).
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient (SP).
\SAML2\Assertion \| \SAML2\EncryptedAssertion	$assertion	The assertion we are decrypting.

Returns: The assertion.

Exceptions

Definition at line 367 of file Message.php.

References $i, $key, $keys, $ret, SimpleSAML\Logger\debug(), and SimpleSAML_Configuration\getBoolean().

       {
         assert('$assertion instanceof \SAML2\Assertion || $assertion instanceof \SAML2\EncryptedAssertion');
 
         if ($assertion instanceof \SAML2\Assertion) {
             $encryptAssertion = $srcMetadata->getBoolean('assertion.encryption', null);
             if ($encryptAssertion === null) {
                 $encryptAssertion = $dstMetadata->getBoolean('assertion.encryption', false);
             }
             if ($encryptAssertion) {
                 /* The assertion was unencrypted, but we have encryption enabled. */
                 throw new Exception('Received unencrypted assertion, but encryption was enabled.');
             }
 
             return $assertion;
         }
 
         try {
             $keys = self::getDecryptionKeys($srcMetadata, $dstMetadata);
         } catch (Exception $e) {
             throw new SimpleSAML_Error_Exception('Error decrypting assertion: '.$e->getMessage());
         }
 
         $blacklist = self::getBlacklistedAlgorithms($srcMetadata, $dstMetadata);
 
         $lastException = null;
         foreach ($keys as $i => $key) {
             try {
                 $ret = $assertion->getAssertion($key, $blacklist);
                 SimpleSAML\Logger::debug('Decryption with key #'.$i.' succeeded.');
                 return $ret;
             } catch (Exception $e) {
                 SimpleSAML\Logger::debug('Decryption with key #'.$i.' failed with exception: '.$e->getMessage());
                 $lastException = $e;
             }
         }
         throw $lastException;
     }

Here is the call graph for this function:

◆ findCertificate()

static sspmod_saml_Message::findCertificate	(	array	$certFingerprints,
		array	$certificates
	)

staticprivate

Find the certificate used to sign a message or assertion.

An exception is thrown if we are unable to locate the certificate.

Parameters

array	$certFingerprints	The fingerprints we are looking for.
array	$certificates	Array of certificates.

Returns: string Certificate, in PEM-format.

Exceptions

SimpleSAML_Error_Exception if we cannot find the certificate matching the fingerprint.

Definition at line 124 of file Message.php.

References array.

     {
         $candidates = array();
 
         foreach ($certificates as $cert) {
             $fp = strtolower(sha1(base64_decode($cert)));
             if (!in_array($fp, $certFingerprints, true)) {
                 $candidates[] = $fp;
                 continue;
             }
 
             /* We have found a matching fingerprint. */
             $pem = "-----BEGIN CERTIFICATE-----\n".
                 chunk_split($cert, 64).
                 "-----END CERTIFICATE-----\n";
             return $pem;
         }
 
         $candidates = "'".implode("', '", $candidates)."'";
         $fps = "'".implode("', '", $certFingerprints)."'";
         throw new SimpleSAML_Error_Exception('Unable to find a certificate matching the configured '.
             'fingerprint. Candidates: '.$candidates.'; certFingerprint: '.$fps.'.');
     }

◆ getBlacklistedAlgorithms()

static sspmod_saml_Message::getBlacklistedAlgorithms	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Retrieve blacklisted algorithms.

Remote configuration overrides local configuration.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.

Returns: array Array of blacklisted algorithms.

Definition at line 342 of file Message.php.

References array, and SimpleSAML_Configuration\getArray().

       {
         $blacklist = $srcMetadata->getArray('encryption.blacklisted-algorithms', null);
         if ($blacklist === null) {
             $blacklist = $dstMetadata->getArray('encryption.blacklisted-algorithms', array(XMLSecurityKey::RSA_1_5));
         }
         return $blacklist;
     }

Here is the call graph for this function:

◆ getDecryptionKeys()

static sspmod_saml_Message::getDecryptionKeys	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata
	)

static

Retrieve the decryption keys from metadata.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender (IdP).
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient (SP).

Returns: array Array of decryption keys.

Definition at line 291 of file Message.php.

References $key, $keys, array, SimpleSAML_Configuration\getString(), and SimpleSAML\Utils\Crypto\loadPrivateKey().

       {
         $sharedKey = $srcMetadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
             $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
             $key->loadKey($sharedKey);
             return array($key);
         }
 
         $keys = array();
 
         // load the new private key if it exists
         $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, false, 'new_');
         if ($keyArray !== null) {
             assert('isset($keyArray["PEM"])');
 
             $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
             if (array_key_exists('password', $keyArray)) {
                 $key->passphrase = $keyArray['password'];
             }
             $key->loadKey($keyArray['PEM']);
             $keys[] = $key;
         }
 
         // find the existing private key
         $keyArray = SimpleSAML\Utils\Crypto::loadPrivateKey($dstMetadata, true);
         assert('isset($keyArray["PEM"])');
 
         $key = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type' => 'private'));
         if (array_key_exists('password', $keyArray)) {
             $key->passphrase = $keyArray['password'];
         }
         $key->loadKey($keyArray['PEM']);
         $keys[] = $key;
 
         return $keys;
     }

Here is the call graph for this function:

◆ getEncryptionKey()

static sspmod_saml_Message::getEncryptionKey ( SimpleSAML_Configuration $metadata )

static

Retrieve the encryption key for the given entity.

Parameters

SimpleSAML_Configuration $metadata The metadata of the entity.

Returns: The encryption key.

Exceptions

Definition at line 829 of file Message.php.

References $key, $keys, array, SimpleSAML_Configuration\getPublicKeys(), and SimpleSAML_Configuration\getString().

Referenced by sspmod_saml_IdP_SAML2\buildAssertion(), sspmod_saml_IdP_SAML2\buildLogoutRequest(), and sspmod_saml_Auth_Source_SP\startSLO2().

     {
 
         $sharedKey = $metadata->getString('sharedkey', null);
         if ($sharedKey !== null) {
             $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
             $key->loadKey($sharedKey);
             return $key;
         }
 
         $keys = $metadata->getPublicKeys('encryption', true);
         foreach ($keys as $key) {
             switch ($key['type']) {
                 case 'X509Certificate':
                     $pemKey = "-----BEGIN CERTIFICATE-----\n".
                         chunk_split($key['X509Certificate'], 64).
                         "-----END CERTIFICATE-----\n";
                     $key = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
                     $key->loadKey($pemKey);
                     return $key;
             }
         }
 
         throw new SimpleSAML_Error_Exception('No supported encryption key in '.
             var_export($metadata->getString('entityid'), true));
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getResponseError()

static sspmod_saml_Message::getResponseError ( \SAML2\StatusResponse $response )

static

Retrieve the status code of a response as a sspmod_saml_Error.

Parameters

\SAML2\StatusResponse $response The response.

Returns: sspmod_saml_Error The error.

Definition at line 417 of file Message.php.

Referenced by sspmod_saml_IdP_SAML2\receiveLogoutMessage().

     {
         $status = $response->getStatus();
         return new sspmod_saml_Error($status['Code'], $status['SubCode'], $status['Message']);
     }

Here is the caller graph for this function:

◆ processAssertion()

static sspmod_saml_Message::processAssertion	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata,
		\SAML2\Response	$response,
			$assertion,
			$responseSigned
	)

staticprivate

Process an assertion in a response.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.
\SAML2\Response	$response	The response containing the assertion.
\SAML2\Assertion \| \SAML2\EncryptedAssertion	$assertion	The assertion.
bool	$responseSigned	Whether the response is signed.

Returns: The assertion, if it is valid.

Exceptions

Definition at line 601 of file Message.php.

References $_SERVER, $attributes, $i, $key, $keys, $name, $sc, $spEntityId, array, data, SimpleSAML\Logger\debug(), SimpleSAML_Configuration\getBoolean(), SimpleSAML\Utils\HTTP\getSelfURLNoQuery(), SimpleSAML_Configuration\getString(), and time.

       {
         assert('$assertion instanceof \SAML2\Assertion || $assertion instanceof \SAML2\EncryptedAssertion');
         assert('is_bool($responseSigned)');
 
         $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);
 
         if (!self::checkSign($idpMetadata, $assertion)) {
             if (!$responseSigned) {
                 throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
             }
         } // at least one valid signature found
 
         $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
 
         // check various properties of the assertion
         $notBefore = $assertion->getNotBefore();
         if ($notBefore !== null && $notBefore > time() + 60) {
             throw new SimpleSAML_Error_Exception(
                 'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
             );
         }
         $notOnOrAfter = $assertion->getNotOnOrAfter();
         if ($notOnOrAfter !== null && $notOnOrAfter <= time() - 60) {
             throw new SimpleSAML_Error_Exception(
                 'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
             );
         }
         $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
         if ($sessionNotOnOrAfter !== null && $sessionNotOnOrAfter <= time() - 60) {
             throw new SimpleSAML_Error_Exception(
                 'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
             );
         }
         $validAudiences = $assertion->getValidAudiences();
         if ($validAudiences !== null) {
             $spEntityId = $spMetadata->getString('entityid');
             if (!in_array($spEntityId, $validAudiences, true)) {
                 $candidates = '['.implode('], [', $validAudiences).']';
                 throw new SimpleSAML_Error_Exception('This SP ['.$spEntityId.
                     ']  is not a valid audience for the assertion. Candidates were: '.$candidates);
             }
         }
 
         $found = false;
         $lastError = 'No SubjectConfirmation element in Subject.';
         $validSCMethods = array(\SAML2\Constants::CM_BEARER, \SAML2\Constants::CM_HOK, \SAML2\Constants::CM_VOUCHES);
         foreach ($assertion->getSubjectConfirmation() as $sc) {
             if (!in_array($sc->Method, $validSCMethods, true)) {
                 $lastError = 'Invalid Method on SubjectConfirmation: '.var_export($sc->Method, true);
                 continue;
             }
 
             // is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration
             $hok = $idpMetadata->getBoolean('saml20.hok.assertion', null);
             if ($hok === null) {
                 $hok = $spMetadata->getBoolean('saml20.hok.assertion', false);
             }
             if ($sc->Method === \SAML2\Constants::CM_BEARER && $hok) {
                 $lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
                 continue;
             }
             if ($sc->Method === \SAML2\Constants::CM_HOK && !$hok) {
                 $lastError = 'Holder-of-Key SubjectConfirmation received, '.
                     'but the Holder-of-Key profile is not enabled.';
                 continue;
             }
 
             $scd = $sc->SubjectConfirmationData;
             if ($sc->Method === \SAML2\Constants::CM_HOK) {
                 // check HoK Assertion
                 if (\SimpleSAML\Utils\HTTP::isHTTPS() === false) {
                     $lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
                     continue;
                 }
                 if (isset($_SERVER['SSL_CLIENT_CERT']) && empty($_SERVER['SSL_CLIENT_CERT'])) {
                     $lastError = 'No client certificate provided during TLS Handshake with SP';
                     continue;
                 }
                 // extract certificate data (if this is a certificate)
                 $clientCert = $_SERVER['SSL_CLIENT_CERT'];
                 $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
                 if (!preg_match($pattern, $clientCert, $matches)) {
                     $lastError = 'Error while looking for client certificate during TLS handshake with SP, the client '.
                         'certificate does not have the expected structure';
                     continue;
                 }
                 // we have a valid client certificate from the browser
                 $clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);
 
                 $keyInfo = array();
                 foreach ($scd->info as $thing) {
                     if ($thing instanceof \SAML2\XML\ds\KeyInfo) {
                         $keyInfo[] = $thing;
                     }
                 }
                 if (count($keyInfo) != 1) {
                     $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in '.
                         '<SubjectConfirmationData> allowed';
                     continue;
                 }
 
                 $x509data = array();
                 foreach ($keyInfo[0]->info as $thing) {
                     if ($thing instanceof \SAML2\XML\ds\X509Data) {
                         $x509data[] = $thing;
                     }
                 }
                 if (count($x509data) != 1) {
                     $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in '.
                         '<ds:KeyInfo> within <SubjectConfirmationData> allowed';
                     continue;
                 }
 
                 $x509cert = array();
                 foreach ($x509data[0]->data as $thing) {
                     if ($thing instanceof \SAML2\XML\ds\X509Certificate) {
                         $x509cert[] = $thing;
                     }
                 }
                 if (count($x509cert) != 1) {
                     $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in '.
                         '<ds:X509Data> within <SubjectConfirmationData> allowed';
                     continue;
                 }
 
                 $HoKCertificate = $x509cert[0]->certificate;
                 if ($HoKCertificate !== $clientCert) {
                     $lastError = 'Provided client certificate does not match the certificate bound to the '.
                         'Holder-of-Key assertion';
                     continue;
                 }
             }
 
             // if no SubjectConfirmationData then don't do anything.
             if ($scd === null) {
                 $lastError = 'No SubjectConfirmationData provided';
                 continue;
             }
 
             if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
                 $lastError = 'NotBefore in SubjectConfirmationData is in the future: '.$scd->NotBefore;
                 continue;
             }
             if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
                 $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: '.$scd->NotOnOrAfter;
                 continue;
             }
             if ($scd->Recipient !== null && $scd->Recipient !== $currentURL) {
                 $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is '.
                     var_export($scd->Recipient, true).', current URL is '.var_export($currentURL, true).'.';
                 continue;
             }
             if ($scd->InResponseTo !== null && $response->getInResponseTo() !== null &&
                 $scd->InResponseTo !== $response->getInResponseTo()
             ) {
                 $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has '.
                     var_export($response->getInResponseTo(), true).
                     ', SubjectConfirmationData has '.var_export($scd->InResponseTo, true).'.';
                 continue;
             }
             $found = true;
             break;
         }
         if (!$found) {
             throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: '.$lastError);
         } // as far as we can tell, the assertion is valid
 
         // maybe we need to base64 decode the attributes in the assertion?
         if ($idpMetadata->getBoolean('base64attributes', false)) {
             $attributes = $assertion->getAttributes();
             $newAttributes = array();
             foreach ($attributes as $name => $values) {
                 $newAttributes[$name] = array();
                 foreach ($values as $value) {
                     foreach (explode('_', $value) as $v) {
                         $newAttributes[$name][] = base64_decode($v);
                     }
                 }
             }
             $assertion->setAttributes($newAttributes);
         }
 
         // decrypt the NameID element if it is encrypted
         if ($assertion->isNameIdEncrypted()) {
             try {
                 $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
             } catch (Exception $e) {
                 throw new SimpleSAML_Error_Exception('Error decrypting NameID: '.$e->getMessage());
             }
 
             $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);
 
             $lastException = null;
             foreach ($keys as $i => $key) {
                 try {
                     $assertion->decryptNameId($key, $blacklist);
                     SimpleSAML\Logger::debug('Decryption with key #'.$i.' succeeded.');
                     $lastException = null;
                     break;
                 } catch (Exception $e) {
                     SimpleSAML\Logger::debug('Decryption with key #'.$i.' failed with exception: '.$e->getMessage());
                     $lastException = $e;
                 }
             }
             if ($lastException !== null) {
                 throw $lastException;
             }
         }
 
         return $assertion;
     }

Here is the call graph for this function:

◆ processResponse()

static sspmod_saml_Message::processResponse	(	SimpleSAML_Configuration	$spMetadata,
		SimpleSAML_Configuration	$idpMetadata,
		\SAML2\Response	$response
	)

static

Process a response message.

If the response is an error response, we will throw a sspmod_saml_Error exception with the error.

Parameters

SimpleSAML_Configuration	$spMetadata	The metadata of the service provider.
SimpleSAML_Configuration	$idpMetadata	The metadata of the identity provider.
\SAML2\Response	$response	The response.

Returns: array Array with objects, containing valid assertions from the response.

Exceptions

Definition at line 548 of file Message.php.

References $ret, array, and SimpleSAML\Utils\HTTP\getSelfURLNoQuery().

       {
         if (!$response->isSuccess()) {
             throw self::getResponseError($response);
         }
 
         // validate Response-element destination
         $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
         $msgDestination = $response->getDestination();
         if ($msgDestination !== null && $msgDestination !== $currentURL) {
             throw new Exception('Destination in response doesn\'t match the current URL. Destination is "'.
                 $msgDestination.'", current URL is "'.$currentURL.'".');
         }
 
         $responseSigned = self::checkSign($idpMetadata, $response);
 
         /*
          * When we get this far, the response itself is valid.
          * We only need to check signatures and conditions of the response.
          */
         $assertion = $response->getAssertions();
         if (empty($assertion)) {
             throw new SimpleSAML_Error_Exception('No assertions found in response from IdP.');
         }
 
         $ret = array();
         foreach ($assertion as $a) {
             $ret[] = self::processAssertion($spMetadata, $idpMetadata, $response, $a, $responseSigned);
         }
 
         return $ret;
     }

Here is the call graph for this function:

◆ validateMessage()

static sspmod_saml_Message::validateMessage	(	SimpleSAML_Configuration	$srcMetadata,
		SimpleSAML_Configuration	$dstMetadata,
		\SAML2\Message	$message
	)

static

Check signature on a SAML2 message if enabled.

Parameters

SimpleSAML_Configuration	$srcMetadata	The metadata of the sender.
SimpleSAML_Configuration	$dstMetadata	The metadata of the recipient.
\SAML2\Message	$message	The message we should check the signature on.

Exceptions

Definition at line 246 of file Message.php.

References SimpleSAML_Configuration\getBoolean().

Referenced by sspmod_saml_IdP_SAML2\receiveAuthnRequest(), and sspmod_saml_IdP_SAML2\receiveLogoutMessage().

       {
         $enabled = null;
         if ($message instanceof \SAML2\LogoutRequest || $message instanceof \SAML2\LogoutResponse) {
             $enabled = $srcMetadata->getBoolean('validate.logout', null);
             if ($enabled === null) {
                 $enabled = $dstMetadata->getBoolean('validate.logout', null);
             }
         } elseif ($message instanceof \SAML2\AuthnRequest) {
             $enabled = $srcMetadata->getBoolean('validate.authnrequest', null);
             if ($enabled === null) {
                 $enabled = $dstMetadata->getBoolean('validate.authnrequest', null);
             }
         }
 
         if ($enabled === null) {
             $enabled = $srcMetadata->getBoolean('redirect.validate', null);
             if ($enabled === null) {
                 $enabled = $dstMetadata->getBoolean('redirect.validate', false);
             }
         }
 
         if (!$enabled) {
             return;
         }
 
         if (!self::checkSign($srcMetadata, $message)) {
             throw new SimpleSAML_Error_Exception(
                 'Validation of received messages enabled, but no signature found on message.'
             );
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Message.php

Static Public Member Functions

Static Private Member Functions

Detailed Description

Member Function Documentation

◆ addRedirectSign()

◆ addSign()

◆ buildAuthnRequest()

◆ buildLogoutRequest()

◆ buildLogoutResponse()

◆ checkSign()

◆ decryptAssertion()

◆ findCertificate()

◆ getBlacklistedAlgorithms()

◆ getDecryptionKeys()

◆ getEncryptionKey()

◆ getResponseError()

◆ processAssertion()

◆ processResponse()

◆ validateMessage()