ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
SimpleSAML\XML\Shib13\AuthnResponse Class Reference

Public Member Functions

 setMessageValidated ($messageValidated)
 Set whether this message was validated externally. More...
 
 setXML ($xml)
 
 setRelayState ($relayState)
 
 getRelayState ()
 
 validate ()
 
 getSessionIndex ()
 Retrieve the session index of this response. More...
 
 getIssuer ()
 
 getNameID ()
 
 generate (\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)
 Build an authentication response. More...
 

Data Fields

const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'
 
const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'
 

Static Protected Member Functions

static checkDateConditions ($start=null, $end=null)
 Check if we are currently between the given date & time conditions. More...
 

Private Member Functions

 isNodeValidated ($node)
 Checks if the given node is validated by the signature on this response. More...
 
 doXPathQuery ($query, $node=null)
 This function runs an xPath query on this authentication response. More...
 
 enc_attribute ($name, $values, $base64, $scopedAttributes)
 Format a shib13 attribute. More...
 

Private Attributes

 $validator = null
 
 $messageValidated = false
 
 $dom
 
 $relayState = null
 

Detailed Description

Definition at line 21 of file AuthnResponse.php.

Member Function Documentation

◆ checkDateConditions()

static protected SimpleSAML\XML\Shib13\AuthnResponse::checkDateConditions($start = null, $end = null)

Check if we are currently between the given date & time conditions.

Note that this function allows a 10-minute clock skew on the start time: the check already succeeds from 10 minutes before $start. No such allowance is made for $end.

Parameters
    string|null  $start  A SAML2 timestamp marking the start of the period to check. Defaults to null, in which case there is no limitation in the past.
    string|null  $end    A SAML2 timestamp marking the end of the period to check. Defaults to null, in which case there is no limitation in the future.
Returns
bool True if the current time belongs to the period specified by $start and $end. False otherwise.
See also
\SAML2\Utils::xsDateTimeToTimestamp.
Author
Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
Olav Morken, UNINETT AS <olav.morken@uninett.no>

Definition at line 461 of file AuthnResponse.php.

    {
        $currentTime = time();

        if (!empty($start)) {
            // restored: the rendered listing dropped this line (see References below)
            $startTime = \SAML2\Utils::xsDateTimeToTimestamp($start);
            // allow for a 10 minute difference in time
            if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
                return false;
            }
        }
        if (!empty($end)) {
            // restored: the rendered listing dropped this line (see References below)
            $endTime = \SAML2\Utils::xsDateTimeToTimestamp($end);
            if (($endTime < 0) || ($endTime <= $currentTime)) {
                return false;
            }
        }
        return true;
    }

References $end, $start, and SAML2\Utils\xsDateTimeToTimestamp().


◆ doXPathQuery()

private SimpleSAML\XML\Shib13\AuthnResponse::doXPathQuery($query, $node = null)

This function runs an xPath query on this authentication response.

Parameters
    string    $query  The query which should be run.
    \DOMNode  $node   The node which this query is relative to. If this node is NULL (the default), the query is relative to the root of the response.
Returns
\DOMNodeList

Definition at line 166 of file AuthnResponse.php.

    {
        assert(is_string($query));
        assert($this->dom instanceof DOMDocument);

        if ($node === null) {
            $node = $this->dom->documentElement;
        }

        assert($node instanceof DOMNode);

        // register the SAML 1.0 protocol/assertion namespaces under the shibp/shib prefixes used by the queries
        $xPath = new \DOMXpath($this->dom);
        $xPath->registerNamespace('shibp', self::SHIB_PROTOCOL_NS);
        $xPath->registerNamespace('shib', self::SHIB_ASSERT_NS);

        return $xPath->query($query, $node);
    }

References $query.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), SimpleSAML\XML\Shib13\AuthnResponse\getNameID(), and SimpleSAML\XML\Shib13\AuthnResponse\getSessionIndex().


◆ enc_attribute()

private SimpleSAML\XML\Shib13\AuthnResponse::enc_attribute($name, $values, $base64, $scopedAttributes)

Format a shib13 attribute.

Parameters
    string  $name              Name of the attribute.
    array   $values            Values of the attribute (as an array of strings).
    bool    $base64            Whether the attribute values should be base64-encoded.
    array   $scopedAttributes  Array of attribute names which are scoped.
Returns
string The attribute encoded as an XML-string.

Definition at line 409 of file AuthnResponse.php.

    {
        assert(is_string($name));
        assert(is_array($values));
        assert(is_bool($base64));
        assert(is_array($scopedAttributes));

        if (in_array($name, $scopedAttributes, true)) {
            $scoped = true;
        } else {
            $scoped = false;
        }

        $attr = '<Attribute AttributeName="' . htmlspecialchars($name) . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';
        foreach ($values as $value) {
            $scopePart = '';
            if ($scoped) {
                // split "value@scope" into the value and a Scope attribute
                $tmp = explode('@', $value, 2);
                if (count($tmp) === 2) {
                    $value = $tmp[0];
                    $scopePart = ' Scope="' . htmlspecialchars($tmp[1]) . '"';
                }
            }

            if ($base64) {
                $value = base64_encode($value);
            }

            $attr .= '<AttributeValue' . $scopePart . '>' . htmlspecialchars($value) . '</AttributeValue>';
        }
        $attr .= '</Attribute>';

        return $attr;
    }

References $name, and $values.

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\generate().


◆ generate()

SimpleSAML\XML\Shib13\AuthnResponse::generate(\SimpleSAML_Configuration $idp, \SimpleSAML_Configuration $sp, $shire, $attributes)

Build an authentication response.

Parameters
    \SimpleSAML_Configuration  $idp         Metadata for the IdP the response is sent from.
    \SimpleSAML_Configuration  $sp          Metadata for the SP the response is sent to.
    string                     $shire       The endpoint on the SP the response is sent to.
    array|null                 $attributes  The attributes which should be included in the response.
Returns
string The response.

Definition at line 309 of file AuthnResponse.php.

    {
        assert(is_string($shire));
        assert($attributes === null || is_array($attributes));

        if ($sp->hasValue('scopedattributes')) {
            $scopedAttributes = $sp->getArray('scopedattributes');
        } elseif ($idp->hasValue('scopedattributes')) {
            $scopedAttributes = $idp->getArray('scopedattributes');
        } else {
            $scopedAttributes = array();
        }

        // restored: the rendered listing dropped this line (see References below)
        $id = Random::generateID();

        $issueInstant = Time::generateTimestamp();

        // 30 seconds timeskew back in time to allow differing clocks
        $notBefore = Time::generateTimestamp(time() - 30);

        $assertionExpire = Time::generateTimestamp(time() + 60 * 5); // 5 minutes
        $assertionid = Random::generateID();

        $spEntityId = $sp->getString('entityid');

        $audience = $sp->getString('audience', $spEntityId);
        $base64 = $sp->getBoolean('base64attributes', false);

        $namequalifier = $sp->getString('NameQualifier', $spEntityId);
        // restored: the rendered listing dropped this line; a fresh random identifier as for $id (assumed)
        $nameid = Random::generateID();
        $subjectNode =
            '<Subject>' .
            '<NameIdentifier' .
            ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' .
            ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' .
            '>' .
            htmlspecialchars($nameid) .
            '</NameIdentifier>' .
            '<SubjectConfirmation>' .
            '<ConfirmationMethod>' .
            'urn:oasis:names:tc:SAML:1.0:cm:bearer' .
            '</ConfirmationMethod>' .
            '</SubjectConfirmation>' .
            '</Subject>';

        $encodedattributes = '';

        if (is_array($attributes)) {
            $encodedattributes .= '<AttributeStatement>';
            $encodedattributes .= $subjectNode;

            foreach ($attributes as $name => $value) {
                $encodedattributes .= $this->enc_attribute($name, $value, $base64, $scopedAttributes);
            }

            $encodedattributes .= '</AttributeStatement>';
        }

        /*
         * The SAML 1.1 response message
         */
        $response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant . '"
            MajorVersion="1" MinorVersion="1"
            Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
            <Status>
                <StatusCode Value="samlp:Success" />
            </Status>
            <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
                AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant . '"
                Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
                <Conditions NotBefore="' . $notBefore . '" NotOnOrAfter="' . $assertionExpire . '">
                    <AudienceRestrictionCondition>
                        <Audience>' . htmlspecialchars($audience) . '</Audience>
                    </AudienceRestrictionCondition>
                </Conditions>
                <AuthenticationStatement AuthenticationInstant="' . $issueInstant . '"
                    AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' .
                    $subjectNode . '
                </AuthenticationStatement>
                ' . $encodedattributes . '
            </Assertion>
        </Response>';

        return $response;
    }

References $attributes, $id, $idp, $name, $nameid, $response, $spEntityId, SimpleSAML\XML\Shib13\AuthnResponse\enc_attribute(), SimpleSAML\Utils\Random\generateID(), SimpleSAML\Utils\Time\generateTimestamp(), SimpleSAML_Configuration\getArray(), SimpleSAML_Configuration\getBoolean(), SimpleSAML_Configuration\getString(), and SimpleSAML_Configuration\hasValue().
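As an added example (not code from simplesamlphp or this class), the Python below ports the checkDateConditions() rule described above and reads, with the same shibp/shib namespaces the class registers, the fields getIssuer() and getNameID() extract from a response in the shape generate() emits, plus its Audience restriction. The sample response, the entity IDs and the fixed clock are constructed; the XML signature is not verified here, which is what validate() delegates to Validator.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces the page's AuthnResponse registers as shibp/shib for its XPath queries.
NS = {"shibp": "urn:oasis:names:tc:SAML:1.0:protocol", "shib": "urn:oasis:names:tc:SAML:1.0:assertion"}
NOT_BEFORE_LEEWAY = 600  # the 10-minute allowance checkDateConditions() grants on NotBefore

def xs_datetime_to_timestamp(value):
    """yyyy-mm-ddThh:mm:ss(.s+)?Z -> UNIX time; -1 on malformed input (the PHP's < 0 branch)."""
    if not value.endswith("Z"):
        return -1
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    try:
        return int(datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc).timestamp())
    except ValueError:
        return -1

def check_date_conditions(start, end, now):
    """Same rule as the PHP: NotBefore may lie up to 600 s in the future, NotOnOrAfter is strict."""
    if start:
        s = xs_datetime_to_timestamp(start)
        if s < 0 or s - NOT_BEFORE_LEEWAY > now:
            return False
    if end:
        e = xs_datetime_to_timestamp(end)
        if e < 0 or e <= now:
            return False
    return True

def inspect_response(xml_text, expected_audience, now):
    """Read what getIssuer()/getNameID() read and evaluate Conditions; the signature is NOT checked here."""
    assertion = ET.fromstring(xml_text).find("shib:Assertion", NS)
    if assertion is None:
        raise ValueError("Could not find Assertion in Authentication response")
    cond = assertion.find("shib:Conditions", NS)
    window_ok = cond is None or check_date_conditions(cond.get("NotBefore"), cond.get("NotOnOrAfter"), now)
    audiences = [a.text for a in cond.findall("shib:AudienceRestrictionCondition/shib:Audience", NS)] if cond is not None else []
    nid = assertion.find("shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier", NS)
    return {"issuer": assertion.get("Issuer"), "window_ok": window_ok, "audience_ok": expected_audience in audiences,
            "name_id": {"Value": nid.text, "Format": nid.get("Format")} if nid is not None else {}}

# Constructed sample in the shape generate() emits (not a captured message); evaluated at 2020-09-13T12:26:40Z.
SAMPLE_NOW = 1600000000
SAMPLE = ('<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">'
          '<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="https://idp.example.org/shib13">'
          '<Conditions NotBefore="2020-09-13T12:26:10Z" NotOnOrAfter="2020-09-13T12:31:40Z">'
          '<AudienceRestrictionCondition><Audience>https://sp.example.org/shib13</Audience>'
          '</AudienceRestrictionCondition></Conditions><AuthenticationStatement><Subject><NameIdentifier '
          'Format="urn:mace:shibboleth:1.0:nameIdentifier">_abc123</NameIdentifier></Subject></AuthenticationStatement></Assertion></Response>')
```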


◆ getIssuer()

SimpleSAML\XML\Shib13\AuthnResponse::getIssuer ( )

Definition at line 272 of file AuthnResponse.php.

    {
        $query = '/shibp:Response/shib:Assertion/@Issuer';
        $nodelist = $this->doXPathQuery($query);

        if ($attr = $nodelist->item(0)) {
            return $attr->value;
        } else {
            throw new \Exception('Could not find Issuer field in Authentication response');
        }
    }

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().

Referenced by SimpleSAML\XML\Shib13\AuthnResponse\validate().


◆ getNameID()

SimpleSAML\XML\Shib13\AuthnResponse::getNameID ( )

Definition at line 284 of file AuthnResponse.php.

    {
        $nameID = array();

        $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier';
        $nodelist = $this->doXPathQuery($query);

        if ($node = $nodelist->item(0)) {
            $nameID["Value"] = $node->nodeValue;
            $nameID["Format"] = $node->getAttribute('Format');
        }

        return $nameID;
    }

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().


◆ getRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::getRelayState ( )

◆ getSessionIndex()

SimpleSAML\XML\Shib13\AuthnResponse::getSessionIndex ( )

Retrieve the session index of this response.

Returns
string|null The session index of this response.

Definition at line 189 of file AuthnResponse.php.

    {
        assert($this->dom instanceof DOMDocument);

        // Note: this query looks for <AuthnStatement>, whereas generate() above emits the
        // SAML 1.1 element <AuthenticationStatement>, so it matches nothing in responses built there.
        $query = '/shibp:Response/shib:Assertion/shib:AuthnStatement';
        $nodelist = $this->doXPathQuery($query);
        if ($node = $nodelist->item(0)) {
            return $node->getAttribute('SessionIndex');
        }

        return null;
    }

References $query, and SimpleSAML\XML\Shib13\AuthnResponse\doXPathQuery().


◆ isNodeValidated()

private SimpleSAML\XML\Shib13\AuthnResponse::isNodeValidated($node)

Checks if the given node is validated by the signature on this response.

Parameters
    \DOMElement  $node  Node to be validated.
Returns
bool TRUE if the node is validated or FALSE if not.

Definition at line 136 of file AuthnResponse.php.

    {
        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        if ($this->validator === null) {
            return false;
        }

        // Convert the node to a DOM node if it is an element from SimpleXML
        if ($node instanceof \SimpleXMLElement) {
            $node = dom_import_simplexml($node);
        }

        assert($node instanceof DOMNode);

        return $this->validator->isNodeValidated($node);
    }

◆ setMessageValidated()

SimpleSAML\XML\Shib13\AuthnResponse::setMessageValidated($messageValidated)

Set whether this message was validated externally.

Parameters
    bool  $messageValidated  TRUE if the message is already validated, FALSE if not.

Definition at line 56 of file AuthnResponse.php.

    {
        assert(is_bool($messageValidated));

        $this->messageValidated = $messageValidated;
    }

References SimpleSAML\XML\Shib13\AuthnResponse\$messageValidated.

◆ setRelayState()

SimpleSAML\XML\Shib13\AuthnResponse::setRelayState($relayState)

Definition at line 75 of file AuthnResponse.php.

    {
        $this->relayState = $relayState;
    }

References SimpleSAML\XML\Shib13\AuthnResponse\$relayState.

◆ setXML()

SimpleSAML\XML\Shib13\AuthnResponse::setXML($xml)

Definition at line 64 of file AuthnResponse.php.

    {
        assert(is_string($xml));

        try {
            $this->dom = DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
        } catch (\Exception $e) {
            throw new \Exception('Unable to parse AuthnResponse XML.');
        }
    }

References $xml, and SAML2\DOMDocumentFactory\fromString().


◆ validate()

SimpleSAML\XML\Shib13\AuthnResponse::validate ( )

Definition at line 85 of file AuthnResponse.php.

    {
        assert($this->dom instanceof DOMDocument);

        if ($this->messageValidated) {
            // This message was validated externally
            return true;
        }

        // Validate the signature
        $this->validator = new Validator($this->dom, array('ResponseID', 'AssertionID'));

        // Get the issuer of the response
        $issuer = $this->getIssuer();

        // Get the metadata of the issuer
        // restored: the rendered listing dropped this line (see References below)
        $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
        $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');

        $publicKeys = $md->getPublicKeys('signing');
        if (!empty($publicKeys)) {
            $certFingerprints = array();
            foreach ($publicKeys as $key) {
                if ($key['type'] !== 'X509Certificate') {
                    continue;
                }
                $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
            }
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('certFingerprint')) {
            $certFingerprints = $md->getArrayizeString('certFingerprint');

            // Validate the fingerprint
            $this->validator->validateFingerprint($certFingerprints);
        } elseif ($md->hasValue('caFile')) {
            // Validate against CA
            $this->validator->validateCA(Config::getCertPath($md->getString('caFile')));
        } else {
            throw new \SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
        }

        return true;
    }

References $issuer, $key, $metadata, SimpleSAML\Utils\Config\getCertPath(), SimpleSAML\XML\Shib13\AuthnResponse\getIssuer(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().


Field Documentation

◆ $dom

private SimpleSAML\XML\Shib13\AuthnResponse::$dom

Definition at line 43 of file AuthnResponse.php.

◆ $messageValidated

private SimpleSAML\XML\Shib13\AuthnResponse::$messageValidated = false

◆ $relayState

private SimpleSAML\XML\Shib13\AuthnResponse::$relayState = null

◆ $validator

private SimpleSAML\XML\Shib13\AuthnResponse::$validator = null

Definition at line 27 of file AuthnResponse.php.

◆ SHIB_ASSERT_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'

Definition at line 37 of file AuthnResponse.php.

◆ SHIB_PROTOCOL_NS

const SimpleSAML\XML\Shib13\AuthnResponse::SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'

Definition at line 36 of file AuthnResponse.php.


The documentation for this class was generated from the following file: