ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
SimpleSAML\XML\Shib13\AuthnResponse Class Reference

Public Member Functions

 setMessageValidated ($messageValidated)
 Set whether this message was validated externally.
 
 setXML ($xml)
 
 setRelayState ($relayState)
 
 getRelayState ()
 
 validate ()
 
 getSessionIndex ()
 Retrieve the session index of this response.
 
 getIssuer ()
 
 getNameID ()
 
 generate (\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
 Build an authentication response.
 

Data Fields

const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'
 
const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'
 

Static Protected Member Functions

static checkDateConditions ($start=null, $end=null)
 Check if we are currently between the given date & time conditions.
 

Private Member Functions

 isNodeValidated ($node)
 Checks if the given node is validated by the signature on this response.
 
 doXPathQuery ($query, $node=null)
 This function runs an XPath query on this authentication response.
 
 enc_attribute ($name, $values, $base64, $scopedAttributes)
 Format a shib13 attribute.
 

Private Attributes

 $validator = null
 
 $messageValidated = false
 
 $dom
 
 $relayState = null
 

Detailed Description

Definition at line 21 of file AuthnResponse.php.

The method bodies below use the short class names that the file imports: DOMDocument, DOMNode, SAML2\DOMDocumentFactory, SAML2\Utils, SimpleSAML\Utils\Config, SimpleSAML\Utils\Random, SimpleSAML\Utils\Time and SimpleSAML\XML\Validator.

Member Function Documentation

◆ checkDateConditions()

static SimpleSAML\XML\Shib13\AuthnResponse::checkDateConditions($start = null, $end = null)
static, protected

Check if we are currently between the given date & time conditions.

Note that this function accepts a current time up to 10 minutes earlier than $start, to tolerate clock skew between the issuer and this host; the $end bound is exact and exclusive (the current time must be strictly before it).

Parameters
    $start  string|null  A SAML2 timestamp marking the start of the period to check. Defaults to null, in which case there is no limitation in the past.
    $end    string|null  A SAML2 timestamp marking the end of the period to check. Defaults to null, in which case there is no limitation in the future.
Returns
    bool  True if the current time belongs to the period specified by $start and $end, false otherwise.
See also
    SAML2\Utils::xsDateTimeToTimestamp()
Author
    Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
    Olav Morken, UNINETT AS <olav.morken@uninett.no>

Definition at line 461 of file AuthnResponse.php.

References $end, $start, and SAML2\Utils\xsDateTimeToTimestamp().

    {
        $currentTime = time();

        if (!empty($start)) {
            $startTime = Utils::xsDateTimeToTimestamp($start);
            // allow for a 10 minute difference in time
            if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
                return false;
            }
        }
        if (!empty($end)) {
            // Source line 473 is missing from the listing; restored from the
            // xsDateTimeToTimestamp() reference above (same conversion as for $start)
            $endTime = Utils::xsDateTimeToTimestamp($end);
            // no leeway at the end: the current time must be strictly before $end
            if (($endTime < 0) || ($endTime <= $currentTime)) {
                return false;
            }
        }
        return true;
    }
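The window check above, ported to Python as an added example (not SimpleSAMLphp code) so the boundary behaviour can be exercised without a live clock. It includes a parser for the yyyy-mm-ddThh:mm:ss(.s+)?Z form that the page says xsDateTimeToTimestamp() accepts; the function names, the injectable `now` parameter and the sample timestamps are all assumptions of this example. Unlike the PHP, a malformed timestamp raises rather than being treated as "no bound".

```python
"""Time-window check for a SAML 1.1 assertion, modelled on checkDateConditions()."""
import re
from datetime import datetime, timezone

# Same allowance as the PHP: NotBefore may lie up to 10 minutes in the future
# relative to this host's clock, to tolerate skew between IdP and SP.
START_LEEWAY_SECONDS = 600

# yyyy-mm-ddThh:mm:ss(.s+)?Z, UTC only (the form the page describes)
_TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?Z$"
)


def xs_datetime_to_timestamp(value: str) -> int:
    """Convert a SAML timestamp (UTC, trailing Z) to a UNIX timestamp.

    Raises ValueError on any other shape, so a malformed NotBefore or
    NotOnOrAfter is rejected instead of silently widening the window.
    Fractional seconds are accepted and dropped.
    """
    m = _TS_RE.match(value)
    if m is None:
        raise ValueError("invalid SAML timestamp: %r" % (value,))
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp())


def check_date_conditions(start=None, end=None, now=None) -> bool:
    """Return True if `now` lies inside [start - 600s, end).

    start/end are SAML timestamps or None (no bound on that side). `now` is a
    UNIX timestamp and is injectable for testing; it defaults to the current
    UTC time. The end bound is exclusive, matching NotOnOrAfter semantics
    and the `$endTime <= $currentTime` test in the PHP.
    """
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    if start:
        start_ts = xs_datetime_to_timestamp(start)
        if start_ts - START_LEEWAY_SECONDS > now:
            return False
    if end:
        end_ts = xs_datetime_to_timestamp(end)
        if end_ts <= now:
            return False
    return True


if __name__ == "__main__":
    # constructed reference instant: 1700000000 == 2023-11-14T22:13:20Z
    print(check_date_conditions("2023-11-14T22:12:50Z", "2023-11-14T22:18:20Z", now=1700000000))
```

The `now` parameter is what makes the leeway testable: a NotBefore exactly 600 seconds ahead of the clock is still accepted, 601 seconds is not, and a NotOnOrAfter equal to the clock is already expired.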

◆ doXPathQuery()

SimpleSAML\XML\Shib13\AuthnResponse::doXPathQuery($query, $node = null)
private

This function runs an XPath query on this authentication response, with the prefixes shibp (SHIB_PROTOCOL_NS) and shib (SHIB_ASSERT_NS) registered.

Parameters
    $query  string    The query which should be run.
    $node   \DOMNode  The node which this query is relative to. If this node is NULL (the default) then the query will be relative to the root of the response.
Returns
    \DOMNodeList  The matching nodes, as returned by \DOMXPath::query().

Definition at line 166 of file AuthnResponse.php.

References $query.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML\XML\Shib13\AuthnResponse\getNameID(), and SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().

    {
        assert(is_string($query));
        assert($this->dom instanceof DOMDocument);

        if ($node === null) {
            $node = $this->dom->documentElement;
        }

        assert($node instanceof DOMNode);

        // Bind the two namespace prefixes the callers' queries rely on, so that
        // an element's namespace URI (not its prefix in the document) decides the match
        $xPath = new \DOMXpath($this->dom);
        $xPath->registerNamespace('shibp', self::SHIB_PROTOCOL_NS);
        $xPath->registerNamespace('shib', self::SHIB_ASSERT_NS);

        return $xPath->query($query, $node);
    }

◆ enc_attribute()

SimpleSAML\XML\Shib13\AuthnResponse::enc_attribute($name, $values, $base64, $scopedAttributes)
private

Format a shib13 attribute.

Parameters
    $name              string  Name of the attribute.
    $values            array   Values of the attribute (as an array of strings).
    $base64            bool    Whether the attribute values should be base64-encoded.
    $scopedAttributes  array   Array of attribute names which are scoped; their values are split at the first '@' into a value and a Scope attribute.
Returns
    string  The attribute encoded as an XML string.

Definition at line 409 of file AuthnResponse.php.

References $name, and $values.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\generate().

    {
        assert(is_string($name));
        assert(is_array($values));
        assert(is_bool($base64));
        assert(is_array($scopedAttributes));

        if (in_array($name, $scopedAttributes, true)) {
            $scoped = true;
        } else {
            $scoped = false;
        }

        $attr = '<Attribute AttributeName="' . htmlspecialchars($name) . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';
        foreach ($values as $value) {
            $scopePart = '';
            if ($scoped) {
                // split at the first '@' only: 'user@example.org' -> value 'user', Scope 'example.org'
                $tmp = explode('@', $value, 2);
                if (count($tmp) === 2) {
                    $value = $tmp[0];
                    $scopePart = ' Scope="' . htmlspecialchars($tmp[1]) . '"';
                }
            }

            // base64 is applied after the scope split, so the Scope attribute stays readable
            if ($base64) {
                $value = base64_encode($value);
            }

            // htmlspecialchars() keeps markup in attribute data from escaping the element
            $attr .= '<AttributeValue' . $scopePart . '>' . htmlspecialchars($value) . '</AttributeValue>';
        }
        $attr .= '</Attribute>';

        return $attr;
    }
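The encoding above, reproduced in Python as an added example (not SimpleSAMLphp code) together with a decoder, so the scoped split, the base64 option and the escaping can be checked as a round trip. The function names, the decoder and every attribute name and value below are constructed for this example; the AttributeNamespace URI is the one the PHP emits.

```python
"""Shibboleth 1.x attribute encoding, modelled on enc_attribute(), with a decoder."""
import base64
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Same AttributeNamespace the PHP emits.
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"


def enc_attribute(name, values, b64=False, scoped_attributes=()):
    """Return one <Attribute> element as a string.

    scoped_attributes lists the attribute names whose values are split at
    the first '@' into a value and a Scope attribute (explode('@', $v, 2)
    in the PHP). The split happens before base64 encoding, so the scope
    stays readable even when base64attributes is on.
    """
    scoped = name in scoped_attributes
    parts = ['<Attribute AttributeName=%s AttributeNamespace="%s">'
             % (quoteattr(name), ATTR_NS)]
    for value in values:
        scope_part = ""
        if scoped:
            local, sep, scope = value.partition("@")
            if sep:
                value = local
                scope_part = " Scope=%s" % quoteattr(scope)
        if b64:
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        # escape() plays the role of htmlspecialchars(): '<', '>' and '&'
        # become entities, so a value cannot close the element early.
        parts.append("<AttributeValue%s>%s</AttributeValue>"
                     % (scope_part, escape(value)))
    parts.append("</Attribute>")
    return "".join(parts)


def decode_attribute(xml_text, b64=False):
    """Parse one encoded <Attribute> back into (name, [values]).

    Scoped values are re-joined as value@scope; with b64=True each value is
    base64-decoded first, mirroring the order in which it was produced.
    """
    el = ET.fromstring(xml_text)
    if el.tag != "Attribute":
        raise ValueError("not an Attribute element")
    values = []
    for av in el.findall("AttributeValue"):
        value = av.text or ""
        if b64:
            value = base64.b64decode(value).decode("utf-8")
        scope = av.get("Scope")
        values.append(value + "@" + scope if scope is not None else value)
    return el.get("AttributeName"), values


if __name__ == "__main__":
    # constructed sample: a scoped identifier and a value containing markup
    print(enc_attribute("eduPersonPrincipalName", ["alice@example.org"],
                        scoped_attributes=["eduPersonPrincipalName"]))
    print(enc_attribute("displayName", ["</AttributeValue><x/>"]))
```

The second sample in the usage block is the case worth keeping an eye on: because the value is escaped, the decoder still sees exactly one AttributeValue whose text is the literal string, rather than a second element injected into the statement.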

◆ generate()

SimpleSAML\XML\Shib13\AuthnResponse::generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)

Build an authentication response.

Parameters
    $idp         \SimpleSAML_Configuration  Metadata for the IdP the response is sent from.
    $sp          \SimpleSAML_Configuration  Metadata for the SP the response is sent to.
    $shire       string                     The endpoint on the SP the response is sent to.
    $attributes  array|null                 The attributes which should be included in the response.
Returns
    string  The response.

Definition at line 309 of file AuthnResponse.php.

References $attributes, $id, $name, $nameid, $response, $spEntityId, SimpleSAML\XML\Shib13\AuthnResponse\enc_attribute(), SimpleSAML\Utils\Random\generateID(), SimpleSAML\Utils\Time\generateTimestamp(), SimpleSAML_Configuration\getArray(), SimpleSAML_Configuration\getBoolean(), SimpleSAML_Configuration\getString(), and SimpleSAML_Configuration\hasValue().

    {
        assert(is_string($shire));
        assert($attributes === null || is_array($attributes));

        if ($sp->hasValue('scopedattributes')) {
            $scopedAttributes = $sp->getArray('scopedattributes');
        } elseif ($idp->hasValue('scopedattributes')) {
            $scopedAttributes = $idp->getArray('scopedattributes');
        } else {
            $scopedAttributes = array();
        }

        // Source line 322 is missing from the listing; restored from the References entry ($id, Random::generateID())
        $id = Random::generateID();

        $issueInstant = Time::generateTimestamp();

        // 30 seconds timeskew back in time to allow differing clocks
        $notBefore = Time::generateTimestamp(time() - 30);

        $assertionExpire = Time::generateTimestamp(time() + 60 * 5); // 5 minutes
        $assertionid = Random::generateID();

        $spEntityId = $sp->getString('entityid');

        $audience = $sp->getString('audience', $spEntityId);
        $base64 = $sp->getBoolean('base64attributes', false);

        $namequalifier = $sp->getString('NameQualifier', $spEntityId);
        // Source line 339 is missing from the listing; SimpleSAMLphp assigns a random transient identifier here
        $nameid = Random::generateID();
        $subjectNode =
            '<Subject>' .
            '<NameIdentifier' .
            ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' .
            ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' .
            '>' .
            htmlspecialchars($nameid) .
            '</NameIdentifier>' .
            '<SubjectConfirmation>' .
            '<ConfirmationMethod>' .
            'urn:oasis:names:tc:SAML:1.0:cm:bearer' .
            '</ConfirmationMethod>' .
            '</SubjectConfirmation>' .
            '</Subject>';

        $encodedattributes = '';

        if (is_array($attributes)) {
            $encodedattributes .= '<AttributeStatement>';
            $encodedattributes .= $subjectNode;

            foreach ($attributes as $name => $value) {
                $encodedattributes .= $this->enc_attribute($name, $value, $base64, $scopedAttributes);
            }

            $encodedattributes .= '</AttributeStatement>';
        }

        /*
         * The SAML 1.1 response message
         */
        $response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant. '"
    MajorVersion="1" MinorVersion="1"
    Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
    <Status>
        <StatusCode Value="samlp:Success" />
    </Status>
    <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
        AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant. '"
        Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
        <Conditions NotBefore="' . $notBefore. '" NotOnOrAfter="'. $assertionExpire . '">
            <AudienceRestrictionCondition>
                <Audience>' . htmlspecialchars($audience) . '</Audience>
            </AudienceRestrictionCondition>
        </Conditions>
        <AuthenticationStatement AuthenticationInstant="' . $issueInstant. '"
            AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' .
            $subjectNode . '
        </AuthenticationStatement>
        ' . $encodedattributes . '
    </Assertion>
</Response>';

        return $response;
    }

◆ getIssuer()

SimpleSAML\XML\Shib13\AuthnResponse::getIssuer()

Definition at line 272 of file AuthnResponse.php.

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex(), and SimpleSAML\XML\Shib13\AuthnResponse\validate().

    {
        $query = '/shibp:Response/shib:Assertion/@Issuer';
        $nodelist = $this->doXPathQuery($query);

        if ($attr = $nodelist->item(0)) {
            return $attr->value;
        } else {
            throw new \Exception('Could not find Issuer field in Authentication response');
        }
    }

◆ getNameID()

SimpleSAML\XML\Shib13\AuthnResponse::getNameID()

Definition at line 284 of file AuthnResponse.php.

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

    {
        $nameID = array();

        $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier';
        $nodelist = $this->doXPathQuery($query);

        if ($node = $nodelist->item(0)) {
            $nameID["Value"] = $node->nodeValue;
            $nameID["Format"] = $node->getAttribute('Format');
        }

        return $nameID;
    }

◆ getRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::getRelayState()

◆ getSessionIndex()

SimpleSAML\XML\Shib13\AuthnResponse::getSessionIndex()

Retrieve the session index of this response.

Returns
string|null The session index of this response.

Definition at line 189 of file AuthnResponse.php.

References $attributes, $end, $metadata, $name, $query, $start, SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery(), Monolog\Handler\error_log(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), and SimpleSAML\XML\Shib13\AuthnResponse\isNodeValidated().

    {
        assert($this->dom instanceof DOMDocument);

        // The listing queried shib:AuthnStatement, which is the SAML 2.0 element name and never
        // matches a SAML 1.1 assertion (generate() and getNameID() use AuthenticationStatement),
        // so the method always returned null. Corrected to the SAML 1.1 element name, and the
        // attribute is checked for presence so the string|null contract holds.
        $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement';
        $nodelist = $this->doXPathQuery($query);
        if (($node = $nodelist->item(0)) && $node->hasAttribute('SessionIndex')) {
            return $node->getAttribute('SessionIndex');
        }

        return null;
    }
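The three lookups getIssuer(), getNameID() and getSessionIndex() above, reproduced in Python as an added example (not SimpleSAMLphp code) with xml.etree's namespace-aware paths in place of DOMXPath. The two namespace URIs are the class's SHIB_PROTOCOL_NS and SHIB_ASSERT_NS; the sample response is a constructed document laid out like the one generate() emits, with made-up entity IDs and identifiers, and the audience check is an addition this class itself does not perform.

```python
"""Namespace-aware extraction from a SAML 1.1 (Shibboleth 1.3) response."""
from xml.etree import ElementTree as ET

# Same bindings as SHIB_PROTOCOL_NS / SHIB_ASSERT_NS in the class.
NS = {
    "shibp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "shib": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample, shaped like the output of generate(); no signature.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2023-11-14T22:13:20Z" MajorVersion="1" MinorVersion="1"
    Recipient="https://sp.example.org/Shibboleth.sso/SAML/POST" ResponseID="_resp1">
  <Status><StatusCode Value="samlp:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
      AssertionID="_assert1" IssueInstant="2023-11-14T22:13:20Z"
      Issuer="https://idp.example.org/shibboleth" MajorVersion="1" MinorVersion="1">
    <Conditions NotBefore="2023-11-14T22:12:50Z" NotOnOrAfter="2023-11-14T22:18:20Z">
      <AudienceRestrictionCondition>
        <Audience>https://sp.example.org/shibboleth</Audience>
      </AudienceRestrictionCondition>
    </Conditions>
    <AuthenticationStatement AuthenticationInstant="2023-11-14T22:13:20Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
      <Subject>
        <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://sp.example.org/shibboleth">_nameid1</NameIdentifier>
        <SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod></SubjectConfirmation>
      </Subject>
    </AuthenticationStatement>
  </Assertion>
</Response>"""


def parse_response(xml_text):
    """Parse and insist the document element is shibp:Response.

    This is what the absolute '/shibp:Response/...' paths in the PHP give
    for free: a wrapped or differently-rooted document matches nothing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["shibp"]:
        raise ValueError("document element is not a SAML 1.0 protocol Response")
    return root


def assertion_count(root):
    """Number of assertions directly under the response (item(0) picks the first)."""
    return len(root.findall("shib:Assertion", NS))


def get_issuer(root):
    """Counterpart of getIssuer(): the Issuer attribute of the first assertion."""
    assertion = root.find("shib:Assertion", NS)
    issuer = assertion.get("Issuer") if assertion is not None else None
    if issuer is None:
        raise ValueError("Could not find Issuer field in Authentication response")
    return issuer


def get_name_id(root):
    """Counterpart of getNameID(): {} when absent, else Value and Format."""
    node = root.find("shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier", NS)
    if node is None:
        return {}
    return {"Value": node.text or "", "Format": node.get("Format")}


def get_session_index(root):
    """Counterpart of getSessionIndex(); generate() emits no SessionIndex, so None is normal."""
    node = root.find("shib:Assertion/shib:AuthenticationStatement", NS)
    return node.get("SessionIndex") if node is not None else None


def audience_matches(root, sp_entity_id):
    """True only if every AudienceRestrictionCondition lists sp_entity_id.

    Stricter than the SAML 1.1 rule in one respect: an assertion with no
    restriction at all is refused, since generate() always emits one.
    """
    conditions = root.findall("shib:Assertion/shib:Conditions/shib:AudienceRestrictionCondition", NS)
    if not conditions:
        return False
    for cond in conditions:
        audiences = [a.text for a in cond.findall("shib:Audience", NS)]
        if sp_entity_id not in audiences:
            return False
    return True


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(get_issuer(r), get_name_id(r), get_session_index(r),
          audience_matches(r, "https://sp.example.org/shibboleth"))
```

Note what these lookups do not establish: like the PHP methods, they read the claimed issuer from an unverified document. That value is only safe to use for selecting which trusted keys to check the signature against (the order validate() follows), not as an authenticated fact on its own.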

◆ isNodeValidated()

SimpleSAML\XML\Shib13\AuthnResponse::isNodeValidated($node)
private

Checks if the given node is validated by the signature on this response. Returns TRUE without consulting the signature validator when setMessageValidated(true) was called, and FALSE when validate() has not yet run.

Parameters
    $node  \DOMElement  Node to be validated.
Returns
    bool  TRUE if the node is validated or FALSE if not.

Definition at line 136 of file AuthnResponse.php.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().

    {
        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        if ($this->validator === null) {
            return false;
        }

        // Convert the node to a DOM node if it is an element from SimpleXML
        if ($node instanceof \SimpleXMLElement) {
            $node = dom_import_simplexml($node);
        }

        assert($node instanceof DOMNode);

        return $this->validator->isNodeValidated($node);
    }

◆ setMessageValidated()

SimpleSAML\XML\Shib13\AuthnResponse::setMessageValidated($messageValidated)

Set whether this message was validated externally. When set to TRUE, validate() and isNodeValidated() return TRUE without checking any signature, so the caller must only set it after it has itself verified the message.

Parameters
    $messageValidated  bool  TRUE if the message is already validated, FALSE if not.

Definition at line 56 of file AuthnResponse.php.

References SimpleSAML\XML\Shib13\AuthnResponse\$messageValidated.

    {
        assert(is_bool($messageValidated));

        $this->messageValidated = $messageValidated;
    }

◆ setRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::setRelayState($relayState)

Definition at line 75 of file AuthnResponse.php.

References SimpleSAML\XML\Shib13\AuthnResponse\$relayState.

    {
        $this->relayState = $relayState;
    }

◆ setXML()

SimpleSAML\XML\Shib13\AuthnResponse::setXML($xml)

Definition at line 64 of file AuthnResponse.php.

References $xml, and SAML2\DOMDocumentFactory\fromString().

    {
        assert(is_string($xml));

        try {
            // Carriage returns are stripped before parsing; anything the factory cannot parse is reported generically
            $this->dom = DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
        } catch (\Exception $e) {
            throw new \Exception('Unable to parse AuthnResponse XML.');
        }
    }

◆ validate()

SimpleSAML\XML\Shib13\AuthnResponse::validate()

Definition at line 85 of file AuthnResponse.php.

References $issuer, $key, $metadata, SimpleSAML\Utils\Config\getCertPath(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

    {
        assert($this->dom instanceof DOMDocument);

        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        // Validate the signature
        $this->validator = new Validator($this->dom, array('ResponseID', 'AssertionID'));

        // Get the issuer of the response. It comes from the not-yet-verified document and is
        // used only to select which trusted keys the signature is checked against.
        $issuer = $this->getIssuer();

        // Get the metadata of the issuer
        // Source line 101 is missing from the listing; restored from the References entry (getMetadataHandler())
        $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
        $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');

        $publicKeys = $md->getPublicKeys('signing');
        if (!empty($publicKeys)) {
            // Fingerprint each configured signing certificate (SHA-1 over the DER bytes)
            $certFingerprints = array();
            foreach ($publicKeys as $key) {
                if ($key['type'] !== 'X509Certificate') {
                    continue;
                }
                $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
            }
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('certFingerprint')) {
            $certFingerprints = $md->getArrayizeString('certFingerprint');

            // Validate the fingerprint
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('caFile')) {
            // Validate against CA
            $this->validator->validateCA(Config::getCertPath($md->getString('caFile')));
        } else {
            throw new \SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
        }

        return true;
    }

Field Documentation

◆ $dom

SimpleSAML\XML\Shib13\AuthnResponse::$dom
private

Definition at line 43 of file AuthnResponse.php.

◆ $messageValidated

SimpleSAML\XML\Shib13\AuthnResponse::$messageValidated = false
private

◆ $relayState

SimpleSAML\XML\Shib13\AuthnResponse::$relayState = null
private

◆ $validator

SimpleSAML\XML\Shib13\AuthnResponse::$validator = null
private

Definition at line 27 of file AuthnResponse.php.

◆ SHIB_ASSERT_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'

Definition at line 37 of file AuthnResponse.php.

◆ SHIB_PROTOCOL_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'

Definition at line 36 of file AuthnResponse.php.


The documentation for this class was generated from the following file: