52 private $IDPList = array();
59 private $ProxyCount =
null;
67 private $RequesterID = array();
114 private $subjectConfirmation = array();
134 parent::__construct(
'AuthnRequest',
$xml);
136 $this->nameIdPolicy = array();
137 $this->forceAuthn =
false;
138 $this->isPassive =
false;
144 $this->forceAuthn = Utils::parseBoolean(
$xml,
'ForceAuthn',
false);
145 $this->isPassive = Utils::parseBoolean(
$xml,
'IsPassive',
false);
147 if (
$xml->hasAttribute(
'AssertionConsumerServiceURL')) {
148 $this->assertionConsumerServiceURL =
$xml->getAttribute(
'AssertionConsumerServiceURL');
151 if (
$xml->hasAttribute(
'ProtocolBinding')) {
152 $this->protocolBinding =
$xml->getAttribute(
'ProtocolBinding');
155 if (
$xml->hasAttribute(
'AttributeConsumingServiceIndex')) {
156 $this->attributeConsumingServiceIndex = (int)
$xml->getAttribute(
'AttributeConsumingServiceIndex');
159 if (
$xml->hasAttribute(
'AssertionConsumerServiceIndex')) {
160 $this->assertionConsumerServiceIndex = (int)
$xml->getAttribute(
'AssertionConsumerServiceIndex');
163 if (
$xml->hasAttribute(
'ProviderName')) {
164 $this->ProviderName =
$xml->getAttribute(
'ProviderName');
167 $this->parseSubject(
$xml);
168 $this->parseNameIdPolicy(
$xml);
169 $this->parseRequestedAuthnContext(
$xml);
170 $this->parseScoping(
$xml);
180 $subject = Utils::xpQuery(
$xml,
'./saml_assertion:Subject');
181 if (empty($subject)) {
185 if (count($subject) > 1) {
186 throw new \Exception(
'More than one <saml:Subject> in <saml:AuthnRequest>.');
188 $subject = $subject[0];
192 './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
195 throw new \Exception(
'Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
196 } elseif (count(
$nameId) > 1) {
197 throw new \Exception(
'More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
200 if (
$nameId->localName ===
'EncryptedData') {
202 $this->encryptedNameId =
$nameId;
207 $subjectConfirmation = Utils::xpQuery($subject,
'./saml_assertion:SubjectConfirmation');
208 foreach ($subjectConfirmation as
$sc) {
220 $nameIdPolicy = Utils::xpQuery(
$xml,
'./saml_protocol:NameIDPolicy');
221 if (empty($nameIdPolicy)) {
225 $nameIdPolicy = $nameIdPolicy[0];
226 if ($nameIdPolicy->hasAttribute(
'Format')) {
227 $this->nameIdPolicy[
'Format'] = $nameIdPolicy->getAttribute(
'Format');
229 if ($nameIdPolicy->hasAttribute(
'SPNameQualifier')) {
230 $this->nameIdPolicy[
'SPNameQualifier'] = $nameIdPolicy->getAttribute(
'SPNameQualifier');
232 if ($nameIdPolicy->hasAttribute(
'AllowCreate')) {
233 $this->nameIdPolicy[
'AllowCreate'] = Utils::parseBoolean($nameIdPolicy,
'AllowCreate',
false);
242 $requestedAuthnContext = Utils::xpQuery(
$xml,
'./saml_protocol:RequestedAuthnContext');
243 if (empty($requestedAuthnContext)) {
247 $requestedAuthnContext = $requestedAuthnContext[0];
250 'AuthnContextClassRef' => array(),
251 'Comparison' => Constants::COMPARISON_EXACT,
254 $accr = Utils::xpQuery($requestedAuthnContext,
'./saml_assertion:AuthnContextClassRef');
255 foreach ($accr as
$i) {
256 $rac[
'AuthnContextClassRef'][] = trim(
$i->textContent);
259 if ($requestedAuthnContext->hasAttribute(
'Comparison')) {
260 $rac[
'Comparison'] = $requestedAuthnContext->getAttribute(
'Comparison');
263 $this->requestedAuthnContext = $rac;
273 $scoping = Utils::xpQuery(
$xml,
'./saml_protocol:Scoping');
274 if (empty($scoping)) {
278 $scoping = $scoping[0];
280 if ($scoping->hasAttribute(
'ProxyCount')) {
281 $this->ProxyCount = (int) $scoping->getAttribute(
'ProxyCount');
283 $idpEntries = Utils::xpQuery($scoping,
'./saml_protocol:IDPList/saml_protocol:IDPEntry');
285 foreach ($idpEntries as $idpEntry) {
286 if (!$idpEntry->hasAttribute(
'ProviderID')) {
287 throw new \Exception(
"Could not get ProviderID from Scoping/IDPEntry element in AuthnRequest object");
289 $this->IDPList[] = $idpEntry->getAttribute(
'ProviderID');
292 $requesterIDs = Utils::xpQuery($scoping,
'./saml_protocol:RequesterID');
293 foreach ($requesterIDs as $requesterID) {
294 $this->RequesterID[] = trim($requesterID->textContent);
306 return $this->nameIdPolicy;
322 if (isset($nameIdPolicy[
'Format']) && !is_string($nameIdPolicy[
'Format'])) {
323 throw InvalidArgumentException::invalidType(
'string', $nameIdPolicy[
'Format']);
325 if (isset($nameIdPolicy[
'SPNameQualifier']) && !is_string($nameIdPolicy[
'SPNameQualifier'])) {
326 throw InvalidArgumentException::invalidType(
'string', $nameIdPolicy[
'SPNameQualifier']);
328 if (isset($nameIdPolicy[
'AllowCreate']) && !is_bool($nameIdPolicy[
'AllowCreate'])) {
329 throw InvalidArgumentException::invalidType(
'bool', $nameIdPolicy[
'AllowCreate']);
332 $this->nameIdPolicy = $nameIdPolicy;
367 return $this->ProviderName;
378 assert(is_string($ProviderName));
380 $this->ProviderName = $ProviderName;
423 assert(is_array($IDPList));
424 $this->IDPList = $IDPList;
435 return $this->IDPList;
443 assert(is_int($ProxyCount));
444 $this->ProxyCount = $ProxyCount;
452 return $this->ProxyCount;
460 $this->RequesterID = $RequesterID;
468 return $this->RequesterID;
478 return $this->assertionConsumerServiceURL;
488 assert(is_string($assertionConsumerServiceURL) || is_null($assertionConsumerServiceURL));
490 $this->assertionConsumerServiceURL = $assertionConsumerServiceURL;
500 return $this->protocolBinding;
510 assert(is_string($protocolBinding) || is_null($protocolBinding));
512 $this->protocolBinding = $protocolBinding;
522 return $this->attributeConsumingServiceIndex;
532 assert(is_int($attributeConsumingServiceIndex) || is_null($attributeConsumingServiceIndex));
534 $this->attributeConsumingServiceIndex = $attributeConsumingServiceIndex;
544 return $this->assertionConsumerServiceIndex;
554 assert(is_int($assertionConsumerServiceIndex) || is_null($assertionConsumerServiceIndex));
556 $this->assertionConsumerServiceIndex = $assertionConsumerServiceIndex;
566 return $this->requestedAuthnContext;
576 assert(is_array($requestedAuthnContext) || is_null($requestedAuthnContext));
578 $this->requestedAuthnContext = $requestedAuthnContext;
589 if ($this->encryptedNameId !==
null) {
590 throw new \Exception(
'Attempted to retrieve encrypted NameID without decrypting it first.');
619 $doc = new \DOMDocument();
620 $root = $doc->createElement(
'root');
621 $doc->appendChild($root);
622 $this->nameId->toXML($root);
625 Utils::getContainer()->debugMessage(
$nameId,
'encrypt');
631 $enc->type = XMLSecEnc::Element;
635 $symmetricKey->generateSessionKey();
636 $enc->encryptKey(
$key, $symmetricKey);
638 $this->encryptedNameId = $enc->encryptNode($symmetricKey);
639 $this->nameId =
null;
650 if ($this->encryptedNameId ===
null) {
655 $nameId = Utils::decryptElement($this->encryptedNameId,
$key, $blacklist);
656 Utils::getContainer()->debugMessage(
$nameId,
'decrypt');
659 $this->encryptedNameId =
null;
669 return $this->subjectConfirmation;
679 $this->subjectConfirmation = $subjectConfirmation;
689 $root = parent::toUnsignedXML();
691 if ($this->forceAuthn) {
692 $root->setAttribute(
'ForceAuthn',
'true');
695 if ($this->ProviderName !==
null) {
696 $root->setAttribute(
'ProviderName', $this->ProviderName);
699 if ($this->isPassive) {
700 $root->setAttribute(
'IsPassive',
'true');
703 if ($this->assertionConsumerServiceIndex !==
null) {
704 $root->setAttribute(
'AssertionConsumerServiceIndex', $this->assertionConsumerServiceIndex);
706 if ($this->assertionConsumerServiceURL !==
null) {
707 $root->setAttribute(
'AssertionConsumerServiceURL', $this->assertionConsumerServiceURL);
709 if ($this->protocolBinding !==
null) {
710 $root->setAttribute(
'ProtocolBinding', $this->protocolBinding);
714 if ($this->attributeConsumingServiceIndex !==
null) {
715 $root->setAttribute(
'AttributeConsumingServiceIndex', $this->attributeConsumingServiceIndex);
718 $this->addSubject($root);
720 if (!empty($this->nameIdPolicy)) {
721 $nameIdPolicy = $this->document->createElementNS(Constants::NS_SAMLP,
'NameIDPolicy');
722 if (array_key_exists(
'Format', $this->nameIdPolicy)) {
723 $nameIdPolicy->setAttribute(
'Format', $this->nameIdPolicy[
'Format']);
725 if (array_key_exists(
'SPNameQualifier', $this->nameIdPolicy)) {
726 $nameIdPolicy->setAttribute(
'SPNameQualifier', $this->nameIdPolicy[
'SPNameQualifier']);
728 if (array_key_exists(
'AllowCreate', $this->nameIdPolicy)) {
729 $nameIdPolicy->setAttribute(
'AllowCreate', ($this->nameIdPolicy[
'AllowCreate']) ?
'true' :
'false');
731 $root->appendChild($nameIdPolicy);
734 $rac = $this->requestedAuthnContext;
735 if (!empty($rac) && !empty($rac[
'AuthnContextClassRef'])) {
736 $e = $this->document->createElementNS(Constants::NS_SAMLP,
'RequestedAuthnContext');
737 $root->appendChild($e);
738 if (isset($rac[
'Comparison']) && $rac[
'Comparison'] !== Constants::COMPARISON_EXACT) {
739 $e->setAttribute(
'Comparison', $rac[
'Comparison']);
741 foreach ($rac[
'AuthnContextClassRef'] as $accr) {
742 Utils::addString($e, Constants::NS_SAML,
'AuthnContextClassRef', $accr);
746 if ($this->ProxyCount !==
null || count($this->IDPList) > 0 || count($this->RequesterID) > 0) {
747 $scoping = $this->document->createElementNS(Constants::NS_SAMLP,
'Scoping');
748 $root->appendChild($scoping);
749 if ($this->ProxyCount !==
null) {
750 $scoping->setAttribute(
'ProxyCount', $this->ProxyCount);
752 if (count($this->IDPList) > 0) {
753 $idplist = $this->document->createElementNS(Constants::NS_SAMLP,
'IDPList');
755 $idpEntry = $this->document->createElementNS(Constants::NS_SAMLP,
'IDPEntry');
757 $idpEntry->setAttribute(
'ProviderID',
$provider);
759 foreach (
$provider as $attribute => $value) {
760 if (in_array($attribute, array(
765 $idpEntry->setAttribute($attribute, $value);
769 $idplist->appendChild($idpEntry);
771 $scoping->appendChild($idplist);
773 if (count($this->RequesterID) > 0) {
774 Utils::addStrings($scoping, Constants::NS_SAMLP,
'RequesterID',
false, $this->RequesterID);
789 if ($this->nameId ===
null && $this->encryptedNameId ===
null) {
793 $subject = $root->ownerDocument->createElementNS(Constants::NS_SAML,
'saml:Subject');
794 $root->appendChild($subject);
796 if ($this->encryptedNameId ===
null) {
797 $this->nameId->toXML($subject);
799 $eid = $subject->ownerDocument->createElementNS(Constants::NS_SAML,
'saml:EncryptedID');
800 $eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId,
true));
801 $subject->appendChild($eid);
804 foreach ($this->subjectConfirmation as
$sc) {
805 $sc->toXML($subject);
An exception for terminatinating execution or to throw for unit testing.
setForceAuthn($forceAuthn)
Set the value of the ForceAuthn attribute.
getProviderName()
Retrieve the value of the ProviderName attribute.
getIDPList()
This function retrieves the list of providerIDs from this authentication request.
getIsPassive()
Retrieve the value of the IsPassive attribute.
setSubjectConfirmation(array $subjectConfirmation)
Set the SubjectConfirmation elements that should be included in the assertion.
setAssertionConsumerServiceURL($assertionConsumerServiceURL)
Set the value of the AssertionConsumerServiceURL attribute.
getNameIdPolicy()
Retrieve the NameIdPolicy.
parseScoping(\DOMElement $xml)
getForceAuthn()
Retrieve the value of the ForceAuthn attribute.
parseRequestedAuthnContext(\DOMElement $xml)
setRequestedAuthnContext($requestedAuthnContext)
Set the RequestedAuthnContext.
getAssertionConsumerServiceURL()
Retrieve the value of the AssertionConsumerServiceURL attribute.
getProtocolBinding()
Retrieve the value of the ProtocolBinding attribute.
$assertionConsumerServiceURL
getSubjectConfirmation()
Retrieve the SubjectConfirmation elements we have in our Subject element.
parseSubject(\DOMElement $xml)
getNameId()
Retrieve the NameId of the subject in the assertion.
setIsPassive($isPassive)
Set the value of the IsPassive attribute.
setRequesterID(array $RequesterID)
setIDPList($IDPList)
This function sets the scoping for the request.
setNameIdPolicy(array $nameIdPolicy)
Set the NameIDPolicy.
setProxyCount($ProxyCount)
$attributeConsumingServiceIndex
toUnsignedXML()
Convert this authentication request to an XML element.
parseNameIdPolicy(\DOMElement $xml)
addSubject(\DOMElement $root)
Add a Subject-node to the assertion.
setAssertionConsumerServiceIndex($assertionConsumerServiceIndex)
Set the value of the AssertionConsumerServiceIndex attribute.
encryptNameId(XMLSecurityKey $key)
Encrypt the NameID in the AuthnRequest.
getRequestedAuthnContext()
Retrieve the RequestedAuthnContext.
$assertionConsumerServiceIndex
setNameId($nameId)
Set the NameId of the subject in the assertion.
setProviderName($ProviderName)
Set the value of the ProviderName attribute.
decryptNameId(XMLSecurityKey $key, array $blacklist=array())
Decrypt the NameId of the subject in the assertion.
setProtocolBinding($protocolBinding)
Set the value of the ProtocolBinding attribute.
getAssertionConsumerServiceIndex()
Retrieve the value of the AssertionConsumerServiceIndex attribute.
__construct(\DOMElement $xml=null)
Constructor for SAML 2 authentication request messages.
setAttributeConsumingServiceIndex($attributeConsumingServiceIndex)
Set the value of the AttributeConsumingServiceIndex attribute.
getAttributeConsumingServiceIndex()
Retrieve the value of the AttributeConsumingServiceIndex attribute.