ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
SAML2\Assertion Class Reference

Public Member Functions

 __construct (\DOMElement $xml=null)
 Constructor for SAML 2 assertions. More...
 
 validate (XMLSecurityKey $key)
 Validate this assertion against a public key. More...
 
 getId ()
 Retrieve the identifier of this assertion. More...
 
 setId ($id)
 Set the identifier of this assertion. More...
 
 getIssueInstant ()
 Retrieve the issue timestamp of this assertion. More...
 
 setIssueInstant ($issueInstant)
 Set the issue timestamp of this assertion. More...
 
 getIssuer ()
 Retrieve the issuer of this assertion. More...
 
 setIssuer ($issuer)
 Set the issuer of this message. More...
 
 getNameId ()
 Retrieve the NameId of the subject in the assertion. More...
 
 setNameId ($nameId)
 Set the NameId of the subject in the assertion. More...
 
 isNameIdEncrypted ()
 Check whether the NameId is encrypted. More...
 
 encryptNameId (XMLSecurityKey $key)
 Encrypt the NameID in the Assertion. More...
 
 decryptNameId (XMLSecurityKey $key, array $blacklist=array())
 Decrypt the NameId of the subject in the assertion. More...
 
 hasEncryptedAttributes ()
 Did this Assertion contain encrypted Attributes? More...
 
 decryptAttributes (XMLSecurityKey $key, array $blacklist=array())
 Decrypt the assertion attributes. More...
 
 getNotBefore ()
 Retrieve the earliest timestamp this assertion is valid. More...
 
 setNotBefore ($notBefore)
 Set the earliest timestamp this assertion can be used. More...
 
 getNotOnOrAfter ()
 Retrieve the expiration timestamp of this assertion. More...
 
 setNotOnOrAfter ($notOnOrAfter)
 Set the expiration timestamp of this assertion. More...
 
 setEncryptedAttributes ($ea)
 Set $encryptedAttributes if the attributes will be sent encrypted. More...
 
 getValidAudiences ()
 Retrieve the audiences that are allowed to receive this assertion. More...
 
 setValidAudiences (array $validAudiences=null)
 Set the audiences that are allowed to receive this assertion. More...
 
 getAuthnInstant ()
 Retrieve the AuthnInstant of the assertion. More...
 
 setAuthnInstant ($authnInstant)
 Set the AuthnInstant of the assertion. More...
 
 getSessionNotOnOrAfter ()
 Retrieve the session expiration timestamp. More...
 
 setSessionNotOnOrAfter ($sessionNotOnOrAfter)
 Set the session expiration timestamp. More...
 
 getSessionIndex ()
 Retrieve the session index of the user at the IdP. More...
 
 setSessionIndex ($sessionIndex)
 Set the session index of the user at the IdP. More...
 
 getAuthnContext ()
 Retrieve the authentication method used to authenticate the user. More...
 
 setAuthnContext ($authnContext)
 Set the authentication method used to authenticate the user. More...
 
 getAuthnContextClassRef ()
 Retrieve the authentication method used to authenticate the user. More...
 
 setAuthnContextClassRef ($authnContextClassRef)
 Set the authentication method used to authenticate the user. More...
 
 setAuthnContextDecl (Chunk $authnContextDecl)
 Set the authentication context declaration. More...
 
 getAuthnContextDecl ()
 Get the authentication context declaration. More...
 
 setAuthnContextDeclRef ($authnContextDeclRef)
 Set the authentication context declaration reference. More...
 
 getAuthnContextDeclRef ()
 Get the authentication context declaration reference. More...
 
 getAuthenticatingAuthority ()
 Retrieve the AuthenticatingAuthority. More...
 
 setAuthenticatingAuthority ($authenticatingAuthority)
 Set the AuthenticatingAuthority. More...
 
 getAttributes ()
 Retrieve all attributes. More...
 
 setAttributes (array $attributes)
 Replace all attributes. More...
 
 getAttributesValueTypes ()
 Retrieve all attribute value types. More...
 
 setAttributesValueTypes (array $attributesValueTypes)
 Replace all attribute value types. More...
 
 getAttributeNameFormat ()
 Retrieve the NameFormat used on all attributes. More...
 
 setAttributeNameFormat ($nameFormat)
 Set the NameFormat used on all attributes. More...
 
 getSubjectConfirmation ()
 Retrieve the SubjectConfirmation elements we have in our Subject element. More...
 
 setSubjectConfirmation (array $SubjectConfirmation)
 Set the SubjectConfirmation elements that should be included in the assertion. More...
 
 getSignatureKey ()
 Retrieve the private key we should use to sign the assertion. More...
 
 setSignatureKey (XMLSecurityKey $signatureKey=null)
 Set the private key we should use to sign the assertion. More...
 
 getEncryptionKey ()
 Return the key we should use to encrypt the assertion. More...
 
 setEncryptionKey (XMLSecurityKey $Key=null)
 Set the private key we should use to encrypt the attributes. More...
 
 setCertificates (array $certificates)
 Set the certificates that should be included in the assertion. More...
 
 getCertificates ()
 Retrieve the certificates that are included in the assertion. More...
 
 getWasSignedAtConstruction ()
 
 getSignatureMethod ()
 
 toXML (\DOMNode $parentElement=null)
 Convert this assertion to an XML element. More...
 
 validate (XMLSecurityKey $key)
 Validate this element against a public key. More...
 
 setCertificates (array $certificates)
 Set the certificates that should be included in the element. More...
 
 getCertificates ()
 Retrieve the certificates that are included in the element (if any). More...
 
 getSignatureKey ()
 Retrieve the private key we should use to sign the element. More...
 
 setSignatureKey (XMLSecurityKey $signatureKey=null)
 Set the private key we should use to sign the element. More...
 

Protected Attributes

 $wasSignedAtConstruction = false
 

Private Member Functions

 parseSubject (\DOMElement $xml)
 Parse subject in assertion. More...
 
 parseConditions (\DOMElement $xml)
 Parse conditions in assertion. More...
 
 parseAuthnStatement (\DOMElement $xml)
 Parse AuthnStatement in assertion. More...
 
 parseAuthnContext (\DOMElement $authnStatementEl)
 Parse AuthnContext in AuthnStatement. More...
 
 parseAttributes (\DOMElement $xml)
 Parse attribute statements in assertion. More...
 
 parseEncryptedAttributes (\DOMElement $xml)
 Parse encrypted attribute statements in assertion. More...
 
 addSubject (\DOMElement $root)
 Add a Subject-node to the assertion. More...
 
 addConditions (\DOMElement $root)
 Add a Conditions-node to the assertion. More...
 
 addAuthnStatement (\DOMElement $root)
 Add an AuthnStatement-node to the assertion. More...
 
 addAttributeStatement (\DOMElement $root)
 Add an AttributeStatement-node to the assertion. More...
 
 addEncryptedAttributeStatement (\DOMElement $root)
 Add an EncryptedAttribute Statement-node to the assertion. More...
 

Private Attributes

 $id
 
 $issueInstant
 
 $issuer
 
 $nameId
 
 $encryptedNameId
 
 $encryptedAttributes
 
 $encryptionKey
 
 $notBefore
 
 $notOnOrAfter
 
 $validAudiences
 
 $sessionNotOnOrAfter
 
 $sessionIndex
 
 $authnInstant
 
 $authnContextClassRef
 
 $authnContextDecl
 
 $authnContextDeclRef
 
 $AuthenticatingAuthority
 
 $attributes
 
 $attributesValueTypes
 
 $nameFormat
 
 $signatureKey
 
 $certificates
 
 $signatureData
 
 $requiredEncAttributes
 
 $SubjectConfirmation
 
 $signatureMethod
 

Detailed Description

Definition at line 17 of file Assertion.php.

Constructor & Destructor Documentation

◆ __construct()

SAML2\Assertion::__construct ( \DOMElement  $xml = null)

Constructor for SAML 2 assertions.

Parameters
\DOMElement|null $xml The input assertion.
Exceptions

Exception

Definition at line 257 of file Assertion.php.

    {
        $this->id = Utils::getContainer()->generateId();
        $this->issueInstant = Temporal::getTime();
        $this->issuer = '';
        $this->authnInstant = Temporal::getTime();
        $this->attributes = array();
        $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
        $this->certificates = array();
        $this->AuthenticatingAuthority = array();
        $this->SubjectConfirmation = array();
        $this->requiredEncAttributes = false;

        if ($xml === null) {
            return;
        }

        if (!$xml->hasAttribute('ID')) {
            throw new \Exception('Missing ID attribute on SAML assertion.');
        }
        $this->id = $xml->getAttribute('ID');

        if ($xml->getAttribute('Version') !== '2.0') {
            /* Currently a very strict check. */
            throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
        }

        $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

        $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
        if (empty($issuer)) {
            throw new \Exception('Missing <saml:Issuer> in assertion.');
        }
        $this->issuer = new XML\saml\Issuer($issuer[0]);
        if ($this->issuer->Format === Constants::NAMEID_ENTITY) {
            $this->issuer = $this->issuer->value;
        }

        /* Parse the remaining child elements; each parser validates its own part. */
        $this->parseSubject($xml);
        $this->parseConditions($xml);
        $this->parseAuthnStatement($xml);
        $this->parseAttributes($xml);
        $this->parseEncryptedAttributes($xml);
        $this->parseSignature($xml);
    }

References $issuer, $xml, and getTime().


Member Function Documentation

◆ addAttributeStatement()

SAML2\Assertion::addAttributeStatement ( \DOMElement  $root)
private

Add an AttributeStatement-node to the assertion.

Parameters
\DOMElement $root The assertion element we should add the attribute statement to.

Definition at line 1537 of file Assertion.php.

    {
        if (empty($this->attributes)) {
            return;
        }

        $document = $root->ownerDocument;

        $attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement');
        $root->appendChild($attributeStatement);

        foreach ($this->attributes as $name => $values) {
            $attribute = $document->createElementNS(Constants::NS_SAML, 'saml:Attribute');
            $attributeStatement->appendChild($attribute);
            $attribute->setAttribute('Name', $name);

            if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) {
                $attribute->setAttribute('NameFormat', $this->nameFormat);
            }

            // make sure eduPersonTargetedID can be handled properly as a NameID
            if ($name === Constants::EPTI_URN_MACE || $name === Constants::EPTI_URN_OID) {
                foreach ($values as $eptiValue) {
                    $attributeValue = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
                    $attribute->appendChild($attributeValue);
                    if ($eptiValue instanceof XML\saml\NameID) {
                        $eptiValue->toXML($attributeValue);
                    } elseif ($eptiValue instanceof \DOMNodeList) {
                        $node = $root->ownerDocument->importNode($eptiValue->item(0), true);
                        $attributeValue->appendChild($node);
                    } else {
                        $attributeValue->textContent = $eptiValue;
                    }
                }

                continue;
            }

            // get value type(s) for the current attribute
            if (is_array($this->attributesValueTypes) && array_key_exists($name, $this->attributesValueTypes)) {
                $valueTypes = $this->attributesValueTypes[$name];
                if (is_array($valueTypes) && count($valueTypes) != count($values)) {
                    throw new \Exception('Array of value types and array of values have different size for attribute ' . var_export($name, true));
                }
            } else {
                // if no type(s) were configured, fall back to the default behaviour
                $valueTypes = null;
            }

            $vidx = -1;
            foreach ($values as $value) {
                $vidx++;

                // try to get the type from the configured types
                $type = null;
                if (!is_null($valueTypes)) {
                    if (is_array($valueTypes)) {
                        $type = $valueTypes[$vidx];
                    } else {
                        $type = $valueTypes;
                    }
                }

                // if no type was configured, derive it from the PHP value
                if (is_null($type)) {
                    if (is_string($value)) {
                        $type = 'xs:string';
                    } elseif (is_int($value)) {
                        $type = 'xs:integer';
                    } else {
                        $type = null;
                    }
                }

                $attributeValue = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
                $attribute->appendChild($attributeValue);
                if ($type !== null) {
                    $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type);
                }
                if (is_null($value)) {
                    $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:nil', 'true');
                }

                if ($value instanceof \DOMNodeList) {
                    for ($i = 0; $i < $value->length; $i++) {
                        $node = $document->importNode($value->item($i), true);
                        $attributeValue->appendChild($node);
                    }
                } else {
                    $attributeValue->appendChild($document->createTextNode($value));
                }
            }
        }
    }

References $i, $name, $root, $type, and $values.

◆ addAuthnStatement()

SAML2\Assertion::addAuthnStatement ( \DOMElement  $root)
private

Add an AuthnStatement-node to the assertion.

Parameters
\DOMElement $root The assertion element we should add the authentication statement to.

Definition at line 1471 of file Assertion.php.

    {
        if ($this->authnInstant === null ||
            (
                $this->authnContextClassRef === null &&
                $this->authnContextDecl === null &&
                $this->authnContextDeclRef === null
            )
        ) {
            /* No authentication context or AuthnInstant => no authentication statement. */

            return;
        }

        $document = $root->ownerDocument;

        $authnStatementEl = $document->createElementNS(Constants::NS_SAML, 'saml:AuthnStatement');
        $root->appendChild($authnStatementEl);

        $authnStatementEl->setAttribute('AuthnInstant', gmdate('Y-m-d\TH:i:s\Z', $this->authnInstant));

        if ($this->sessionNotOnOrAfter !== null) {
            $authnStatementEl->setAttribute('SessionNotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->sessionNotOnOrAfter));
        }
        if ($this->sessionIndex !== null) {
            $authnStatementEl->setAttribute('SessionIndex', $this->sessionIndex);
        }

        $authnContextEl = $document->createElementNS(Constants::NS_SAML, 'saml:AuthnContext');
        $authnStatementEl->appendChild($authnContextEl);

        if (!empty($this->authnContextClassRef)) {
            Utils::addString(
                $authnContextEl,
                Constants::NS_SAML,
                'saml:AuthnContextClassRef',
                $this->authnContextClassRef
            );
        }
        if (!empty($this->authnContextDecl)) {
            $this->authnContextDecl->toXML($authnContextEl);
        }
        if (!empty($this->authnContextDeclRef)) {
            Utils::addString(
                $authnContextEl,
                Constants::NS_SAML,
                'saml:AuthnContextDeclRef',
                $this->authnContextDeclRef
            );
        }

        Utils::addStrings(
            $authnContextEl,
            Constants::NS_SAML,
            'saml:AuthenticatingAuthority',
            false,
            $this->AuthenticatingAuthority
        );
    }

References $root.

◆ addConditions()

SAML2\Assertion::addConditions ( \DOMElement  $root)
private

Add a Conditions-node to the assertion.

Parameters
\DOMElement $root The assertion element we should add the conditions to.

Definition at line 1443 of file Assertion.php.

    {
        $document = $root->ownerDocument;

        $conditions = $document->createElementNS(Constants::NS_SAML, 'saml:Conditions');
        $root->appendChild($conditions);

        if ($this->notBefore !== null) {
            $conditions->setAttribute('NotBefore', gmdate('Y-m-d\TH:i:s\Z', $this->notBefore));
        }
        if ($this->notOnOrAfter !== null) {
            $conditions->setAttribute('NotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->notOnOrAfter));
        }

        if ($this->validAudiences !== null) {
            $ar = $document->createElementNS(Constants::NS_SAML, 'saml:AudienceRestriction');
            $conditions->appendChild($ar);

            Utils::addStrings($ar, Constants::NS_SAML, 'saml:Audience', false, $this->validAudiences);
        }
    }

References $root.

◆ addEncryptedAttributeStatement()

SAML2\Assertion::addEncryptedAttributeStatement ( \DOMElement  $root)
private

Add an EncryptedAttribute Statement-node to the assertion.

Parameters
\DOMElement $root The assertion element we should add the Encrypted Attribute Statement to.

Definition at line 1638 of file Assertion.php.

    {
        if ($this->requiredEncAttributes === false) {
            return;
        }

        $document = $root->ownerDocument;

        $attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement');
        $root->appendChild($attributeStatement);

        foreach ($this->attributes as $name => $values) {
            $document2 = DOMDocumentFactory::create();
            $attribute = $document2->createElementNS(Constants::NS_SAML, 'saml:Attribute');
            $attribute->setAttribute('Name', $name);
            $document2->appendChild($attribute);

            if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) {
                $attribute->setAttribute('NameFormat', $this->nameFormat);
            }

            foreach ($values as $value) {
                if (is_string($value)) {
                    $type = 'xs:string';
                } elseif (is_int($value)) {
                    $type = 'xs:integer';
                } else {
                    $type = null;
                }

                $attributeValue = $document2->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
                $attribute->appendChild($attributeValue);
                if ($type !== null) {
                    $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type);
                }

                if ($value instanceof \DOMNodeList) {
                    for ($i = 0; $i < $value->length; $i++) {
                        $node = $document2->importNode($value->item($i), true);
                        $attributeValue->appendChild($node);
                    }
                } else {
                    $attributeValue->appendChild($document2->createTextNode($value));
                }
            }
            /* Once the attribute nodes are built, they are encrypted. */
            $EncAssert = new XMLSecEnc();
            $EncAssert->setNode($document2->documentElement);
            $EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element';
            /*
             * Attributes are encrypted with a fresh session key, and that
             * session key is in turn encrypted with $encryptionKey.
             */
            $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
            $symmetricKey->generateSessionKey();
            $EncAssert->encryptKey($this->encryptionKey, $symmetricKey);
            $EncrNode = $EncAssert->encryptNode($symmetricKey);

            $EncAttribute = $document->createElementNS(Constants::NS_SAML, 'saml:EncryptedAttribute');
            $attributeStatement->appendChild($EncAttribute);
            $n = $document->importNode($EncrNode, true);
            $EncAttribute->appendChild($n);
        }
    }

References $i, $n, $name, $root, $type, and $values.

◆ addSubject()

SAML2\Assertion::addSubject ( \DOMElement  $root)
private

Add a Subject-node to the assertion.

Parameters
\DOMElement $root The assertion element we should add the subject to.

Definition at line 1413 of file Assertion.php.

    {
        if ($this->nameId === null && $this->encryptedNameId === null) {
            /* We don't have anything to create a Subject node for. */

            return;
        }

        $subject = $root->ownerDocument->createElementNS(Constants::NS_SAML, 'saml:Subject');
        $root->appendChild($subject);

        if ($this->encryptedNameId === null) {
            $this->nameId->toXML($subject);
        } else {
            $eid = $subject->ownerDocument->createElementNS(Constants::NS_SAML, 'saml:' . 'EncryptedID');
            $subject->appendChild($eid);
            $eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId, true));
        }

        foreach ($this->SubjectConfirmation as $sc) {
            $sc->toXML($subject);
        }
    }

References $root, and $sc.

◆ decryptAttributes()

SAML2\Assertion::decryptAttributes ( XMLSecurityKey  $key,
array  $blacklist = array() 
)

Decrypt the assertion attributes.

Parameters
XMLSecurityKey $key
array $blacklist
Exceptions

Exception

Definition at line 835 of file Assertion.php.

    {
        if (!$this->hasEncryptedAttributes()) {
            return;
        }
        $firstAttribute = true;
        $attributes = $this->encryptedAttributes;
        foreach ($attributes as $attributeEnc) {
            /* Decrypt node <EncryptedAttribute> */
            $attribute = Utils::decryptElement(
                $attributeEnc->getElementsByTagName('EncryptedData')->item(0),
                $key,
                $blacklist
            );

            if (!$attribute->hasAttribute('Name')) {
                throw new \Exception('Missing name on <saml:Attribute> element.');
            }
            $name = $attribute->getAttribute('Name');

            if ($attribute->hasAttribute('NameFormat')) {
                $nameFormat = $attribute->getAttribute('NameFormat');
            } else {
                $nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
            }

            if ($firstAttribute) {
                $this->nameFormat = $nameFormat;
                $firstAttribute = false;
            } else {
                if ($this->nameFormat !== $nameFormat) {
                    $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
                }
            }

            if (!array_key_exists($name, $this->attributes)) {
                $this->attributes[$name] = array();
            }

            $this->parseAttributeValue($attribute, $name);
        }
    }

References $attributes, $key, and $name.

◆ decryptNameId()

SAML2\Assertion::decryptNameId ( XMLSecurityKey  $key,
array  $blacklist = array() 
)

Decrypt the NameId of the subject in the assertion.

Parameters
XMLSecurityKey $key The decryption key.
array $blacklist Blacklisted decryption algorithms.

Definition at line 803 of file Assertion.php.

    {
        if ($this->encryptedNameId === null) {
            /* No NameID to decrypt. */

            return;
        }

        $nameId = Utils::decryptElement($this->encryptedNameId, $key, $blacklist);
        Utils::getContainer()->debugMessage($nameId, 'decrypt');
        $this->nameId = new XML\saml\NameID($nameId);

        $this->encryptedNameId = null;
    }

References $key, and $nameId.

Referenced by SAML2\Assertion\Transformer\NameIdDecryptionTransformer\transform().


◆ encryptNameId()

SAML2\Assertion::encryptNameId ( XMLSecurityKey  $key)

Encrypt the NameID in the Assertion.

Parameters
XMLSecurityKey $key The encryption key.

Definition at line 771 of file Assertion.php.

    {
        /* First create an XML representation of the NameID. */
        $doc = DOMDocumentFactory::create();
        $root = $doc->createElement('root');
        $doc->appendChild($root);
        $this->nameId->toXML($root);
        $nameId = $root->firstChild;

        Utils::getContainer()->debugMessage($nameId, 'encrypt');

        /* Encrypt the NameID. */
        $enc = new XMLSecEnc();
        $enc->setNode($nameId);
        // @codingStandardsIgnoreStart
        $enc->type = XMLSecEnc::Element;
        // @codingStandardsIgnoreEnd

        $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
        $symmetricKey->generateSessionKey();
        $enc->encryptKey($key, $symmetricKey);

        $this->encryptedNameId = $enc->encryptNode($symmetricKey);
        $this->nameId = null;
    }

References $key, $nameId, and $root.

◆ getAttributeNameFormat()

SAML2\Assertion::getAttributeNameFormat ( )

Retrieve the NameFormat used on all attributes.

If more than one NameFormat is used in the received attributes, this returns the unspecified NameFormat.

Returns
string The NameFormat used on all attributes.

Definition at line 1238 of file Assertion.php.

    {
        return $this->nameFormat;
    }

◆ getAttributes()

SAML2\Assertion::getAttributes ( )

Retrieve all attributes.

Returns
array All attributes, as an associative array.

Definition at line 1195 of file Assertion.php.

    {
        return $this->attributes;
    }

References $attributes.

Referenced by SAML2\Assertion\Transformer\DecodeBase64Transformer\transform().


◆ getAttributesValueTypes()

SAML2\Assertion::getAttributesValueTypes ( )

Retrieve all attribute value types.

Returns
array All attribute value types, as an associative array.

Definition at line 1215 of file Assertion.php.

    {
        return $this->attributesValueTypes;
    }

◆ getAuthenticatingAuthority()

SAML2\Assertion::getAuthenticatingAuthority ( )

Retrieve the AuthenticatingAuthority.

Returns
array

Definition at line 1174 of file Assertion.php.

    {
        return $this->AuthenticatingAuthority;
    }

◆ getAuthnContext()

SAML2\Assertion::getAuthnContext ( )

Retrieve the authentication method used to authenticate the user.

This will return null if no authentication statement was included in the assertion.

Note that this returns either the AuthnContextClassRef or the AuthnContextDeclRef, whose definitions overlap but differ slightly (consult the specification for more information). This was done to work around an old bug in Shibboleth ( https://bugs.internet2.edu/jira/browse/SIDP-187 ). It should no longer be required; please use either getAuthnContextClassRef or getAuthnContextDeclRef.

Deprecated:
use getAuthnContextClassRef
Returns
string|null The authentication method.

Definition at line 1055 of file Assertion.php.

    {
        if (!empty($this->authnContextClassRef)) {
            return $this->authnContextClassRef;
        }
        if (!empty($this->authnContextDeclRef)) {
            return $this->authnContextDeclRef;
        }
        return null;
    }

◆ getAuthnContextClassRef()

SAML2\Assertion::getAuthnContextClassRef ( )

Retrieve the authentication method used to authenticate the user.

This will return null if no authentication statement was included in the assertion.

Returns
string|null The authentication method.

Definition at line 1088 of file Assertion.php.

    {
        return $this->authnContextClassRef;
    }

◆ getAuthnContextDecl()

SAML2\Assertion::getAuthnContextDecl ( )

Get the authentication context declaration.

See: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

Returns
\SAML2\XML\Chunk|null

Definition at line 1133 of file Assertion.php.

    {
        return $this->authnContextDecl;
    }

◆ getAuthnContextDeclRef()

SAML2\Assertion::getAuthnContextDeclRef ( )

Get the authentication context declaration reference.

URI reference that identifies an authentication context declaration.

The URI reference MAY directly resolve into an XML document containing the referenced declaration.

Returns
string

Definition at line 1163 of file Assertion.php.

    {
        return $this->authnContextDeclRef;
    }

◆ getAuthnInstant()

SAML2\Assertion::getAuthnInstant ( )

Retrieve the AuthnInstant of the assertion.

Returns
int|null The timestamp the user was authenticated, or NULL if the user isn't authenticated.

Definition at line 971 of file Assertion.php.

    {
        return $this->authnInstant;
    }

◆ getCertificates()

SAML2\Assertion::getCertificates ( )

Retrieve the certificates that are included in the assertion.

Returns
array An array of certificates.

Implements SAML2\SignedElement.

Definition at line 1335 of file Assertion.php.

    {
        return $this->certificates;
    }

References $certificates.

◆ getEncryptionKey()

SAML2\Assertion::getEncryptionKey ( )

Return the key we should use to encrypt the assertion.

Returns
XMLSecurityKey|null The key, or NULL if no key is specified.

Definition at line 1303 of file Assertion.php.

    {
        return $this->encryptionKey;
    }

◆ getId()

SAML2\Assertion::getId ( )

Retrieve the identifier of this assertion.

Returns
string The identifier of this assertion.

Definition at line 661 of file Assertion.php.

    {
        return $this->id;
    }

References $id.

◆ getIssueInstant()

SAML2\Assertion::getIssueInstant ( )

Retrieve the issue timestamp of this assertion.

Returns
int The issue timestamp of this assertion, as an UNIX timestamp.

Definition at line 683 of file Assertion.php.

    {
        return $this->issueInstant;
    }

◆ getIssuer()

SAML2\Assertion::getIssuer ( )

Retrieve the issuer of this assertion.

Returns
string|\SAML2\XML\saml\Issuer The issuer of this assertion.

Definition at line 705 of file Assertion.php.

    {
        return $this->issuer;
    }

References $issuer.

◆ getNameId()

SAML2\Assertion::getNameId ( )

Retrieve the NameId of the subject in the assertion.

Returns
\SAML2\XML\saml\NameID|null The name identifier of the assertion.
Exceptions

Exception

Definition at line 728 of file Assertion.php.

    {
        if ($this->encryptedNameId !== null) {
            throw new \Exception('Attempted to retrieve encrypted NameID without decrypting it first.');
        }

        return $this->nameId;
    }

References $nameId.

◆ getNotBefore()

SAML2\Assertion::getNotBefore ( )

Retrieve the earliest timestamp this assertion is valid.

This function returns null if there are no restrictions on how early the assertion can be used.

Returns
int|null The earliest timestamp this assertion is valid.

Definition at line 886 of file Assertion.php.

    {
        return $this->notBefore;
    }

Referenced by SAML2\Assertion\Validation\ConstraintValidator\NotBefore\validate().


◆ getNotOnOrAfter()

SAML2\Assertion::getNotOnOrAfter ( )

Retrieve the expiration timestamp of this assertion.

This function returns null if there are no restrictions on how late the assertion can be used.

Returns
int|null The latest timestamp this assertion is valid.

Definition at line 913 of file Assertion.php.

    {
        return $this->notOnOrAfter;
    }

Referenced by SAML2\Assertion\Validation\ConstraintValidator\NotOnOrAfter\validate().


◆ getSessionIndex()

SAML2\Assertion::getSessionIndex ( )

Retrieve the session index of the user at the IdP.

Returns
string|null The session index of the user at the IdP.

Definition at line 1021 of file Assertion.php.

    {
        return $this->sessionIndex;
    }

References $sessionIndex.

◆ getSessionNotOnOrAfter()

SAML2\Assertion::getSessionNotOnOrAfter ( )

Retrieve the session expiration timestamp.

This function returns null if there are no restrictions on the session lifetime.

Returns
int|null The latest timestamp this session is valid.

Definition at line 997 of file Assertion.php.

    {
        return $this->sessionNotOnOrAfter;
    }

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SessionNotOnOrAfter\validate().


◆ getSignatureKey()

SAML2\Assertion::getSignatureKey ( )

Retrieve the private key we should use to sign the assertion.

Returns
XMLSecurityKey|null The key, or NULL if no key is specified.

Implements SAML2\SignedElement.

Definition at line 1280 of file Assertion.php.

    {
        return $this->signatureKey;
    }

◆ getSignatureMethod()

SAML2\Assertion::getSignatureMethod ( )

Returns
null|string

Definition at line 1351 of file Assertion.php.

    {
        return $this->signatureMethod;
    }

◆ getSubjectConfirmation()

SAML2\Assertion::getSubjectConfirmation ( )

Retrieve the SubjectConfirmation elements we have in our Subject element.

Returns
array Array of \SAML2\XML\saml\SubjectConfirmation elements.

Definition at line 1260 of file Assertion.php.

    {
        return $this->SubjectConfirmation;
    }

Referenced by SAML2\Assertion\Processor\validateAssertion().


◆ getValidAudiences()

SAML2\Assertion::getValidAudiences ( )

Retrieve the audiences that are allowed to receive this assertion.

This may be null, in which case all audiences are allowed.

Returns
array|null The allowed audiences.

Definition at line 949 of file Assertion.php.

950 {
951 return $this->validAudiences;
952 }

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SpIsValidAudience\validate().

◆ getWasSignedAtConstruction()

SAML2\Assertion::getWasSignedAtConstruction ( )
Returns
bool

Definition at line 1343 of file Assertion.php.

1344 {
1345 return $this->wasSignedAtConstruction;
1346 }

◆ hasEncryptedAttributes()

SAML2\Assertion::hasEncryptedAttributes ( )

Did this Assertion contain encrypted Attributes?

Returns
bool

Definition at line 823 of file Assertion.php.

824 {
825 return $this->encryptedAttributes !== [];
826 }

◆ isNameIdEncrypted()

SAML2\Assertion::isNameIdEncrypted ( )

Check whether the NameId is encrypted.

Returns
true if the NameId is encrypted, false if not.

Definition at line 761 of file Assertion.php.

762 {
763 return $this->encryptedNameId !== null;
764 }

Referenced by SAML2\Assertion\Transformer\NameIdDecryptionTransformer\transform().

◆ parseAttributes()

SAML2\Assertion::parseAttributes ( \DOMElement  $xml)
private

Parse attribute statements in assertion.

Parameters
\DOMElement $xml The XML element with the assertion.
Exceptions

Exception

Definition at line 510 of file Assertion.php.

511 {
512 $firstAttribute = true;
513 $attributes = Utils::xpQuery($xml, './saml_assertion:AttributeStatement/saml_assertion:Attribute');
514 foreach ($attributes as $attribute) {
515 if (!$attribute->hasAttribute('Name')) {
516 throw new \Exception('Missing name on <saml:Attribute> element.');
517 }
518 $name = $attribute->getAttribute('Name');
519
520 if ($attribute->hasAttribute('NameFormat')) {
521 $nameFormat = $attribute->getAttribute('NameFormat');
522 } else {
523 $nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
524 }
525
526 if ($firstAttribute) {
527 $this->nameFormat = $nameFormat;
528 $firstAttribute = false;
529 } else {
530 if ($this->nameFormat !== $nameFormat) {
531 $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
532 }
533 }
534
535 if (!array_key_exists($name, $this->attributes)) {
536 $this->attributes[$name] = array();
537 $this->attributesValueTypes[$name] = array();
538 }
539
540 $this->parseAttributeValue($attribute, $name);
541 }
542 }

References $attributes, $name, and $xml.

◆ parseAuthnContext()

SAML2\Assertion::parseAuthnContext ( \DOMElement  $authnStatementEl)
private

Parse AuthnContext in AuthnStatement.

Parameters
\DOMElement $authnStatementEl The AuthnStatement element.
Exceptions

Exception

Definition at line 451 of file Assertion.php.

452 {
453 // Get the AuthnContext element
454 $authnContexts = Utils::xpQuery($authnStatementEl, './saml_assertion:AuthnContext');
455 if (count($authnContexts) > 1) {
456 throw new \Exception('More than one <saml:AuthnContext> in <saml:AuthnStatement>.');
457 } elseif (empty($authnContexts)) {
458 throw new \Exception('Missing required <saml:AuthnContext> in <saml:AuthnStatement>.');
459 }
460 $authnContextEl = $authnContexts[0];
461
462 // Get the AuthnContextDeclRef (if available)
463 $authnContextDeclRefs = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextDeclRef');
464 if (count($authnContextDeclRefs) > 1) {
465 throw new \Exception(
466 'More than one <saml:AuthnContextDeclRef> found?'
467 );
468 } elseif (count($authnContextDeclRefs) === 1) {
469 $this->setAuthnContextDeclRef(trim($authnContextDeclRefs[0]->textContent));
470 }
471
472 // Get the AuthnContextDecl (if available)
473 $authnContextDecls = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextDecl');
474 if (count($authnContextDecls) > 1) {
475 throw new \Exception(
476 'More than one <saml:AuthnContextDecl> found?'
477 );
478 } elseif (count($authnContextDecls) === 1) {
479 $this->setAuthnContextDecl(new Chunk($authnContextDecls[0]));
480 }
481
482 // Get the AuthnContextClassRef (if available)
483 $authnContextClassRefs = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextClassRef');
484 if (count($authnContextClassRefs) > 1) {
485 throw new \Exception('More than one <saml:AuthnContextClassRef> in <saml:AuthnContext>.');
486 } elseif (count($authnContextClassRefs) === 1) {
487 $this->setAuthnContextClassRef(trim($authnContextClassRefs[0]->textContent));
488 }
489
490 // Constraint from XSD: MUST have one of the three
491 if (empty($this->authnContextClassRef) && empty($this->authnContextDecl) && empty($this->authnContextDeclRef)) {
492 throw new \Exception(
493 'Missing either <saml:AuthnContextClassRef> or <saml:AuthnContextDeclRef> or <saml:AuthnContextDecl>'
494 );
495 }
496
497 $this->AuthenticatingAuthority = Utils::extractStrings(
498 $authnContextEl,
499 Constants::NS_SAML,
500 'AuthenticatingAuthority'
501 );
502 }

◆ parseAuthnStatement()

SAML2\Assertion::parseAuthnStatement ( \DOMElement  $xml)
private

Parse AuthnStatement in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions

Exception

Definition at line 417 of file Assertion.php.

418 {
419 $authnStatements = Utils::xpQuery($xml, './saml_assertion:AuthnStatement');
420 if (empty($authnStatements)) {
421 $this->authnInstant = null;
422
423 return;
424 } elseif (count($authnStatements) > 1) {
425 throw new \Exception('More than one <saml:AuthnStatement> in <saml:Assertion> not supported.');
426 }
427 $authnStatement = $authnStatements[0];
428
429 if (!$authnStatement->hasAttribute('AuthnInstant')) {
430 throw new \Exception('Missing required AuthnInstant attribute on <saml:AuthnStatement>.');
431 }
432 $this->authnInstant = Utils::xsDateTimeToTimestamp($authnStatement->getAttribute('AuthnInstant'));
433
434 if ($authnStatement->hasAttribute('SessionNotOnOrAfter')) {
435 $this->sessionNotOnOrAfter = Utils::xsDateTimeToTimestamp($authnStatement->getAttribute('SessionNotOnOrAfter'));
436 }
437
438 if ($authnStatement->hasAttribute('SessionIndex')) {
439 $this->sessionIndex = $authnStatement->getAttribute('SessionIndex');
440 }
441
442 $this->parseAuthnContext($authnStatement);
443 }

References $xml.

◆ parseConditions()

SAML2\Assertion::parseConditions ( \DOMElement  $xml)
private

Parse conditions in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions

Exception

Definition at line 353 of file Assertion.php.

354 {
355 $conditions = Utils::xpQuery($xml, './saml_assertion:Conditions');
356 if (empty($conditions)) {
357 /* No <saml:Conditions> node. */
358
359 return;
360 } elseif (count($conditions) > 1) {
361 throw new \Exception('More than one <saml:Conditions> in <saml:Assertion>.');
362 }
363 $conditions = $conditions[0];
364
365 if ($conditions->hasAttribute('NotBefore')) {
366 $notBefore = Utils::xsDateTimeToTimestamp($conditions->getAttribute('NotBefore'));
367 if ($this->notBefore === null || $this->notBefore < $notBefore) {
368 $this->notBefore = $notBefore;
369 }
370 }
371 if ($conditions->hasAttribute('NotOnOrAfter')) {
372 $notOnOrAfter = Utils::xsDateTimeToTimestamp($conditions->getAttribute('NotOnOrAfter'));
373 if ($this->notOnOrAfter === null || $this->notOnOrAfter > $notOnOrAfter) {
374 $this->notOnOrAfter = $notOnOrAfter;
375 }
376 }
377
378 for ($node = $conditions->firstChild; $node !== null; $node = $node->nextSibling) {
379 if ($node instanceof \DOMText) {
380 continue;
381 }
382 if ($node->namespaceURI !== Constants::NS_SAML) {
383 throw new \Exception('Unknown namespace of condition: ' . var_export($node->namespaceURI, true));
384 }
385 switch ($node->localName) {
386 case 'AudienceRestriction':
387 $audiences = Utils::extractStrings($node, Constants::NS_SAML, 'Audience');
388 if ($this->validAudiences === null) {
389 /* The first (and probably last) AudienceRestriction element. */
390 $this->validAudiences = $audiences;
391 } else {
392 /*
393 * The set of AudienceRestriction are ANDed together, so we need
394 * the subset that are present in all of them.
395 */
396 $this->validAudiences = array_intersect($this->validAudiences, $audiences);
397 }
398 break;
399 case 'OneTimeUse':
400 /* Currently ignored. */
401 break;
402 case 'ProxyRestriction':
403 /* Currently ignored. */
404 break;
405 default:
406 throw new \Exception('Unknown condition: ' . var_export($node->localName, true));
407 }
408 }
409 }

References $xml.

◆ parseEncryptedAttributes()

SAML2\Assertion::parseEncryptedAttributes ( \DOMElement  $xml)
private

Parse encrypted attribute statements in assertion.

Parameters
\DOMElement $xml The XML element with the assertion.

Definition at line 605 of file Assertion.php.

606 {
607 $this->encryptedAttributes = Utils::xpQuery(
608 $xml,
609 './saml_assertion:AttributeStatement/saml_assertion:EncryptedAttribute'
610 );
611 }

References $xml.

◆ parseSubject()

SAML2\Assertion::parseSubject ( \DOMElement  $xml)
private

Parse subject in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions

Exception

Definition at line 309 of file Assertion.php.

310 {
311 $subject = Utils::xpQuery($xml, './saml_assertion:Subject');
312 if (empty($subject)) {
313 /* No Subject node. */
314
315 return;
316 } elseif (count($subject) > 1) {
317 throw new \Exception('More than one <saml:Subject> in <saml:Assertion>.');
318 }
319 $subject = $subject[0];
320
321 $nameId = Utils::xpQuery(
322 $subject,
323 './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
324 );
325 if (count($nameId) > 1) {
326 throw new \Exception('More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
327 } elseif (!empty($nameId)) {
328 $nameId = $nameId[0];
329 if ($nameId->localName === 'EncryptedData') {
330 /* The NameID element is encrypted. */
331 $this->encryptedNameId = $nameId;
332 } else {
333 $this->nameId = new XML\saml\NameID($nameId);
334 }
335 }
336
337 $subjectConfirmation = Utils::xpQuery($subject, './saml_assertion:SubjectConfirmation');
338 if (empty($subjectConfirmation) && empty($nameId)) {
339 throw new \Exception('Missing <saml:SubjectConfirmation> in <saml:Subject>.');
340 }
341
342 foreach ($subjectConfirmation as $sc) {
343 $this->SubjectConfirmation[] = new SubjectConfirmation($sc);
344 }
345 }

References $nameId, $sc, and $xml.

◆ setAttributeNameFormat()

SAML2\Assertion::setAttributeNameFormat (   $nameFormat)

Set the NameFormat used on all attributes.

Parameters
string $nameFormat The NameFormat used on all attributes.

Definition at line 1248 of file Assertion.php.

1249 {
1250 assert(is_string($nameFormat));
1251
1252 $this->nameFormat = $nameFormat;
1253 }

◆ setAttributes()

SAML2\Assertion::setAttributes ( array  $attributes)

Replace all attributes.

Parameters
array $attributes All new attributes, as an associative array.

Definition at line 1205 of file Assertion.php.

1206 {
1207 $this->attributes = $attributes;
1208 }

References $attributes.

Referenced by SAML2\Assertion\Transformer\DecodeBase64Transformer\transform().

◆ setAttributesValueTypes()

SAML2\Assertion::setAttributesValueTypes ( array  $attributesValueTypes)

Replace all attributes value types.

Parameters
array $attributesValueTypes All new attribute value types, as an associative array.

Definition at line 1225 of file Assertion.php.

1226 {
1227 $this->attributesValueTypes = $attributesValueTypes;
1228 }

◆ setAuthenticatingAuthority()

SAML2\Assertion::setAuthenticatingAuthority (   $authenticatingAuthority)

Set the AuthenticatingAuthority.

Parameters
array $authenticatingAuthority

Definition at line 1185 of file Assertion.php.

1186 {
1187 $this->AuthenticatingAuthority = $authenticatingAuthority;
1188 }

References $authenticatingAuthority.

◆ setAuthnContext()

SAML2\Assertion::setAuthnContext (   $authnContext)

Set the authentication method used to authenticate the user.

If this is set to null, no authentication statement will be included in the assertion. The default is null.

Deprecated:
use setAuthnContextClassRef
Parameters
string | null $authnContext The authentication method.

Definition at line 1075 of file Assertion.php.

1076 {
1077 $this->setAuthnContextClassRef($authnContext);
1078 }

◆ setAuthnContextClassRef()

SAML2\Assertion::setAuthnContextClassRef (   $authnContextClassRef)

Set the authentication method used to authenticate the user.

If this is set to null, no authentication statement will be included in the assertion. The default is null.

Parameters
string | null $authnContextClassRef The authentication method.

Definition at line 1101 of file Assertion.php.

1102 {
1103 assert(is_string($authnContextClassRef) || is_null($authnContextClassRef));
1104
1105 $this->authnContextClassRef = $authnContextClassRef;
1106 }

◆ setAuthnContextDecl()

SAML2\Assertion::setAuthnContextDecl ( Chunk  $authnContextDecl)

Set the authentication context declaration.

Parameters
\SAML2\XML\Chunk $authnContextDecl The authentication context declaration.
Exceptions

Exception

Definition at line 1114 of file Assertion.php.

1115 {
1116 if (!empty($this->authnContextDeclRef)) {
1117 throw new \Exception(
1118 'AuthnContextDeclRef is already registered! May only have either a Decl or a DeclRef, not both!'
1119 );
1120 }
1121
1122 $this->authnContextDecl = $authnContextDecl;
1123 }

◆ setAuthnContextDeclRef()

SAML2\Assertion::setAuthnContextDeclRef (   $authnContextDeclRef)

Set the authentication context declaration reference.

Parameters
string $authnContextDeclRef The authentication context declaration reference.
Exceptions

Exception

Definition at line 1144 of file Assertion.php.

1145 {
1146 if (!empty($this->authnContextDecl)) {
1147 throw new \Exception(
1148 'AuthnContextDecl is already registered! May only have either a Decl or a DeclRef, not both!'
1149 );
1150 }
1151
1152 $this->authnContextDeclRef = $authnContextDeclRef;
1153 }

◆ setAuthnInstant()

SAML2\Assertion::setAuthnInstant (   $authnInstant)

Set the AuthnInstant of the assertion.

Parameters
int | null $authnInstant Timestamp the user was authenticated, or NULL if we don't want an AuthnStatement.

Definition at line 982 of file Assertion.php.

983 {
984 assert(is_int($authnInstant) || is_null($authnInstant));
985
986 $this->authnInstant = $authnInstant;
987 }

◆ setCertificates()

SAML2\Assertion::setCertificates ( array  $certificates)

Set the certificates that should be included in the assertion.

The certificates should be strings with the PEM encoded data.

Parameters
array $certificates An array of certificates.

Implements SAML2\SignedElement.

Definition at line 1325 of file Assertion.php.

1326 {
1327 $this->certificates = $certificates;
1328 }

References $certificates.

◆ setEncryptedAttributes()

SAML2\Assertion::setEncryptedAttributes (   $ea)

Set whether the attributes should be sent encrypted.

Parameters
boolean $ea true to encrypt the attributes in the assertion.

Definition at line 937 of file Assertion.php.

938 {
939 $this->requiredEncAttributes = $ea;
940 }

◆ setEncryptionKey()

SAML2\Assertion::setEncryptionKey ( XMLSecurityKey  $Key = null)

Set the private key we should use to encrypt the attributes.

Parameters
XMLSecurityKey | null $Key The encryption key, or null to disable encryption.

Definition at line 1313 of file Assertion.php.

1314 {
1315 $this->encryptionKey = $Key;
1316 }

◆ setId()

SAML2\Assertion::setId (   $id)

Set the identifier of this assertion.

Parameters
string $id The new identifier of this assertion.

Definition at line 671 of file Assertion.php.

672 {
673 assert(is_string($id));
674
675 $this->id = $id;
676 }

References $id.

◆ setIssueInstant()

SAML2\Assertion::setIssueInstant (   $issueInstant)

Set the issue timestamp of this assertion.

Parameters
int $issueInstant The new issue timestamp of this assertion, as a UNIX timestamp.

Definition at line 693 of file Assertion.php.

694 {
695 assert(is_int($issueInstant));
696
697 $this->issueInstant = $issueInstant;
698 }

◆ setIssuer()

SAML2\Assertion::setIssuer (   $issuer)

Set the issuer of this message.

Parameters
string | \SAML2\XML\saml\Issuer $issuer The new issuer of this assertion.

Definition at line 715 of file Assertion.php.

716 {
717 assert(is_string($issuer) || $issuer instanceof XML\saml\Issuer);
718
719 $this->issuer = $issuer;
720 }

References $issuer.

◆ setNameId()

SAML2\Assertion::setNameId (   $nameId)

Set the NameId of the subject in the assertion.

The NameId must be a \SAML2\XML\saml\NameID object or, deprecated, an array in the format accepted by \SAML2\Utils::addNameId().

See also
\SAML2\Utils::addNameId()
Parameters
\SAML2\XML\saml\NameID | array | null $nameId The name identifier of the assertion.

Definition at line 746 of file Assertion.php.

747 {
748 assert(is_array($nameId) || is_null($nameId) || $nameId instanceof XML\saml\NameID);
749
750 if (is_array($nameId)) {
751 $nameId = XML\saml\NameID::fromArray($nameId);
752 }
753 $this->nameId = $nameId;
754 }

References $nameId.

◆ setNotBefore()

SAML2\Assertion::setNotBefore (   $notBefore)

Set the earliest timestamp this assertion can be used.

Set this to null if no limit is required.

Parameters
int | null $notBefore The earliest timestamp this assertion is valid.

Definition at line 898 of file Assertion.php.

899 {
900 assert(is_int($notBefore) || is_null($notBefore));
901
902 $this->notBefore = $notBefore;
903 }

◆ setNotOnOrAfter()

SAML2\Assertion::setNotOnOrAfter (   $notOnOrAfter)

Set the expiration timestamp of this assertion.

Set this to null if no limit is required.

Parameters
int | null $notOnOrAfter The latest timestamp this assertion is valid.

Definition at line 925 of file Assertion.php.

926 {
927 assert(is_int($notOnOrAfter) || is_null($notOnOrAfter));
928
929 $this->notOnOrAfter = $notOnOrAfter;
930 }

◆ setSessionIndex()

SAML2\Assertion::setSessionIndex (   $sessionIndex)

Set the session index of the user at the IdP.

Note that the authentication context must be set before the session index can be included in the assertion.

Parameters
string | null $sessionIndex The session index of the user at the IdP.

Definition at line 1034 of file Assertion.php.

1035 {
1036 assert(is_string($sessionIndex) || is_null($sessionIndex));
1037
1038 $this->sessionIndex = $sessionIndex;
1039 }

References $sessionIndex.

◆ setSessionNotOnOrAfter()

SAML2\Assertion::setSessionNotOnOrAfter (   $sessionNotOnOrAfter)

Set the session expiration timestamp.

Set this to null if no limit is required.

Parameters
int | null $sessionNotOnOrAfter The latest timestamp this session is valid.

Definition at line 1009 of file Assertion.php.

1010 {
1011 assert(is_int($sessionNotOnOrAfter) || is_null($sessionNotOnOrAfter));
1012
1013 $this->sessionNotOnOrAfter = $sessionNotOnOrAfter;
1014 }

◆ setSignatureKey()

SAML2\Assertion::setSignatureKey ( XMLSecurityKey  $signatureKey = null)

Set the private key we should use to sign the assertion.

If the key is null, the assertion will be sent unsigned.

Parameters
XMLSecurityKey | null $signatureKey The signing key, or null to send the assertion unsigned.

Implements SAML2\SignedElement.

Definition at line 1292 of file Assertion.php.

1293 {
1294 $this->signatureKey = $signatureKey;
1295 }

◆ setSubjectConfirmation()

SAML2\Assertion::setSubjectConfirmation ( array  $SubjectConfirmation)

Set the SubjectConfirmation elements that should be included in the assertion.

Parameters
array $SubjectConfirmation Array of \SAML2\XML\saml\SubjectConfirmation elements.

Definition at line 1270 of file Assertion.php.

1271 {
1272 $this->SubjectConfirmation = $SubjectConfirmation;
1273 }

◆ setValidAudiences()

SAML2\Assertion::setValidAudiences ( array  $validAudiences = null)

Set the audiences that are allowed to receive this assertion.

This may be null, in which case all audiences are allowed.

Parameters
array | null $validAudiences The allowed audiences.

Definition at line 961 of file Assertion.php.

962 {
963 $this->validAudiences = $validAudiences;
964 }

◆ toXML()

SAML2\Assertion::toXML ( \DOMNode  $parentElement = null)

Convert this assertion to an XML element.

Parameters
\DOMNode | null $parentElement The DOM node the assertion should be created in.
Returns
\DOMElement This assertion.

Definition at line 1362 of file Assertion.php.

1363 {
1364 if ($parentElement === null) {
1365 $document = DOMDocumentFactory::create();
1366 $parentElement = $document;
1367 } else {
1368 $document = $parentElement->ownerDocument;
1369 }
1370
1371 $root = $document->createElementNS(Constants::NS_SAML, 'saml:' . 'Assertion');
1372 $parentElement->appendChild($root);
1373
1374 /* Ugly hack to add another namespace declaration to the root element. */
1375 $root->setAttributeNS(Constants::NS_SAMLP, 'samlp:tmp', 'tmp');
1376 $root->removeAttributeNS(Constants::NS_SAMLP, 'tmp');
1377 $root->setAttributeNS(Constants::NS_XSI, 'xsi:tmp', 'tmp');
1378 $root->removeAttributeNS(Constants::NS_XSI, 'tmp');
1379 $root->setAttributeNS(Constants::NS_XS, 'xs:tmp', 'tmp');
1380 $root->removeAttributeNS(Constants::NS_XS, 'tmp');
1381
1382 $root->setAttribute('ID', $this->id);
1383 $root->setAttribute('Version', '2.0');
1384 $root->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z', $this->issueInstant));
1385
1386 if (is_string($this->issuer)) {
1387 $issuer = Utils::addString($root, Constants::NS_SAML, 'saml:Issuer', $this->issuer);
1388 } elseif ($this->issuer instanceof XML\saml\Issuer) {
1389 $issuer = $this->issuer->toXML($root);
1390 }
1391
1392 $this->addSubject($root);
1393 $this->addConditions($root);
1394 $this->addAuthnStatement($root);
1395 if ($this->requiredEncAttributes === false) {
1396 $this->addAttributeStatement($root);
1397 } else {
1398 $this->addEncryptedAttributeStatement($root);
1399 }
1400
1401 if ($this->signatureKey !== null) {
1402 Utils::insertSignature($this->signatureKey, $this->certificates, $root, $issuer->nextSibling);
1403 }
1404
1405 return $root;
1406 }

References $issuer, and $root.

Referenced by SAML2\EncryptedAssertion\setAssertion().

◆ validate()

SAML2\Assertion::validate ( XMLSecurityKey  $key)

Validate this assertion against a public key.

If no signature was present on the assertion, we will return false. Otherwise, true will be returned. An exception is thrown if the signature validation fails.

Parameters
XMLSecurityKey $key The key we should check against.
Returns
boolean true if successful, false if it is unsigned.

Implements SAML2\SignedElement.

Definition at line 643 of file Assertion.php.

644 {
645 assert($key->type === \RobRichards\XMLSecLibs\XMLSecurityKey::RSA_SHA256);
646
647 if ($this->signatureData === null) {
648 return false;
649 }
650
651 Utils::validateSignature($this->signatureData, $key);
652
653 return true;
654 }

References $key.
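The following is an added example, not code from the SAML2 library or from ILIAS. It shows the service-provider side of validate() and of the Conditions getters (getNotBefore(), getNotOnOrAfter(), getSessionNotOnOrAfter(), getValidAudiences()): an assertion is only accepted when validate() returns true (false means the assertion is unsigned) and the time window, session lifetime and audience checks all pass, and the null audience list that parseConditions() produces for a missing AudienceRestriction is rejected explicitly rather than treated as "everyone". It assumes a Composer autoloader at vendor/autoload.php, the library container initialised as it is inside SimpleSAMLphp, and a constructed, unsigned sample assertion.

```php
<?php
// Added example; not part of the SAML2 library or ILIAS.
require_once __DIR__ . '/vendor/autoload.php';   // assumed autoloader path

use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Assertion;
use SAML2\DOMDocumentFactory;

/**
 * Return the reasons an assertion must be rejected; an empty array means
 * every check passed.
 *
 * @param Assertion      $a          the parsed assertion
 * @param XMLSecurityKey $idpKey     the IdP public key (RSA-SHA256)
 * @param string         $spEntityId our own entityID, matched against <saml:Audience>
 * @param int            $now        current UNIX time
 * @param int            $skew       tolerated clock skew in seconds
 * @return string[]
 */
function assertionRejectReasons(Assertion $a, XMLSecurityKey $idpKey, $spEntityId, $now, $skew = 60)
{
    $reasons = array();

    // validate() returns false for an unsigned assertion and throws when the
    // signature does not verify; only an explicit true means the IdP signed it.
    try {
        if ($a->validate($idpKey) !== true) {
            $reasons[] = 'assertion is not signed';
        }
    } catch (\Exception $e) {
        $reasons[] = 'signature check failed: ' . $e->getMessage();
    }

    // Validity window from <saml:Conditions>; null means no limit on that side.
    $notBefore = $a->getNotBefore();
    if ($notBefore !== null && $notBefore > $now + $skew) {
        $reasons[] = 'assertion not yet valid (NotBefore)';
    }
    $notOnOrAfter = $a->getNotOnOrAfter();
    if ($notOnOrAfter !== null && $notOnOrAfter <= $now - $skew) {
        $reasons[] = 'assertion expired (NotOnOrAfter)';
    }
    // IdP session lifetime from <saml:AuthnStatement SessionNotOnOrAfter="...">.
    $sessionEnd = $a->getSessionNotOnOrAfter();
    if ($sessionEnd !== null && $sessionEnd <= $now - $skew) {
        $reasons[] = 'IdP session expired (SessionNotOnOrAfter)';
    }

    // getValidAudiences() is null when no AudienceRestriction was present; the
    // library reads that as "all audiences allowed", so refuse it explicitly.
    $audiences = $a->getValidAudiences();
    if ($audiences === null) {
        $reasons[] = 'no AudienceRestriction present';
    } elseif (!in_array($spEntityId, $audiences, true)) {
        $reasons[] = 'this SP is not an allowed audience';
    }

    return $reasons;
}

// Constructed sample: an unsigned assertion whose window has already closed.
$sampleXml = <<<'XML'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T11:59:00Z" SessionNotOnOrAfter="2024-01-01T20:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
XML;

$assertion = new Assertion(DOMDocumentFactory::fromString($sampleXml)->documentElement);
// Key object of the type validate() expects; a real SP loads the IdP key from metadata.
$idpKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, array('type' => 'public'));

$now = strtotime('2024-01-01T12:10:00Z');
foreach (assertionRejectReasons($assertion, $idpKey, 'https://sp.example.org/metadata', $now) as $r) {
    echo "REJECT: $r\n";   // prints "not signed" and "expired (NotOnOrAfter)" for the sample
}
```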

Field Documentation

◆ $attributes

SAML2\Assertion::$attributes
private

◆ $attributesValueTypes

SAML2\Assertion::$attributesValueTypes
private

Definition at line 191 of file Assertion.php.

◆ $AuthenticatingAuthority

SAML2\Assertion::$AuthenticatingAuthority
private

Definition at line 156 of file Assertion.php.

◆ $authnContextClassRef

SAML2\Assertion::$authnContextClassRef
private

Definition at line 130 of file Assertion.php.

◆ $authnContextDecl

SAML2\Assertion::$authnContextDecl
private

Definition at line 140 of file Assertion.php.

◆ $authnContextDeclRef

SAML2\Assertion::$authnContextDeclRef
private

Definition at line 149 of file Assertion.php.

◆ $authnInstant

SAML2\Assertion::$authnInstant
private

Definition at line 123 of file Assertion.php.

◆ $certificates

SAML2\Assertion::$certificates
private

Definition at line 217 of file Assertion.php.

◆ $encryptedAttributes

SAML2\Assertion::$encryptedAttributes
private

Definition at line 68 of file Assertion.php.

◆ $encryptedNameId

SAML2\Assertion::$encryptedNameId
private

Definition at line 59 of file Assertion.php.

◆ $encryptionKey

SAML2\Assertion::$encryptionKey
private

Definition at line 75 of file Assertion.php.

◆ $id

SAML2\Assertion::$id
private

Definition at line 24 of file Assertion.php.

◆ $issueInstant

SAML2\Assertion::$issueInstant
private

Definition at line 31 of file Assertion.php.

◆ $issuer

SAML2\Assertion::$issuer
private

Definition at line 41 of file Assertion.php.

◆ $nameFormat

SAML2\Assertion::$nameFormat
private

Definition at line 201 of file Assertion.php.

◆ $nameId

SAML2\Assertion::$nameId
private

Definition at line 50 of file Assertion.php.

◆ $notBefore

SAML2\Assertion::$notBefore
private

◆ $notOnOrAfter

SAML2\Assertion::$notOnOrAfter
private

◆ $requiredEncAttributes

SAML2\Assertion::$requiredEncAttributes
private

Definition at line 232 of file Assertion.php.

◆ $sessionIndex

SAML2\Assertion::$sessionIndex
private

Definition at line 116 of file Assertion.php.

◆ $sessionNotOnOrAfter

SAML2\Assertion::$sessionNotOnOrAfter
private

Definition at line 107 of file Assertion.php.

◆ $signatureData

SAML2\Assertion::$signatureData
private

Definition at line 224 of file Assertion.php.

◆ $signatureKey

SAML2\Assertion::$signatureKey
private

Definition at line 210 of file Assertion.php.

◆ $signatureMethod

SAML2\Assertion::$signatureMethod
private

Definition at line 249 of file Assertion.php.

◆ $SubjectConfirmation

SAML2\Assertion::$SubjectConfirmation
private

Definition at line 239 of file Assertion.php.

◆ $validAudiences

SAML2\Assertion::$validAudiences
private

Definition at line 100 of file Assertion.php.

◆ $wasSignedAtConstruction

SAML2\Assertion::$wasSignedAtConstruction = false
protected

Definition at line 244 of file Assertion.php.


The documentation for this class was generated from the following file: