ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
SAML2\Assertion Class Reference

Public Member Functions

 __construct (\DOMElement $xml=null)
 Constructor for SAML 2 assertions. More...
 
 validate (XMLSecurityKey $key)
 Validate this assertion against a public key. More...
 
 getId ()
 Retrieve the identifier of this assertion. More...
 
 setId ($id)
 Set the identifier of this assertion. More...
 
 getIssueInstant ()
 Retrieve the issue timestamp of this assertion. More...
 
 setIssueInstant ($issueInstant)
 Set the issue timestamp of this assertion. More...
 
 getIssuer ()
 Retrieve the issuer of this assertion. More...
 
 setIssuer ($issuer)
 Set the issuer of this message. More...
 
 getNameId ()
 Retrieve the NameId of the subject in the assertion. More...
 
 setNameId ($nameId)
 Set the NameId of the subject in the assertion. More...
 
 isNameIdEncrypted ()
 Check whether the NameId is encrypted. More...
 
 encryptNameId (XMLSecurityKey $key)
 Encrypt the NameID in the Assertion. More...
 
 decryptNameId (XMLSecurityKey $key, array $blacklist=array())
 Decrypt the NameId of the subject in the assertion. More...
 
 hasEncryptedAttributes ()
 Did this Assertion contain encrypted Attributes? More...
 
 decryptAttributes (XMLSecurityKey $key, array $blacklist=array())
 Decrypt the assertion attributes. More...
 
 getNotBefore ()
 Retrieve the earliest timestamp this assertion is valid. More...
 
 setNotBefore ($notBefore)
 Set the earliest timestamp this assertion can be used. More...
 
 getNotOnOrAfter ()
 Retrieve the expiration timestamp of this assertion. More...
 
 setNotOnOrAfter ($notOnOrAfter)
 Set the expiration timestamp of this assertion. More...
 
 setEncryptedAttributes ($ea)
 Set $encryptedAttributes if the attributes are to be sent encrypted. More...
 
 getValidAudiences ()
 Retrieve the audiences that are allowed to receive this assertion. More...
 
 setValidAudiences (array $validAudiences=null)
 Set the audiences that are allowed to receive this assertion. More...
 
 getAuthnInstant ()
 Retrieve the AuthnInstant of the assertion. More...
 
 setAuthnInstant ($authnInstant)
 Set the AuthnInstant of the assertion. More...
 
 getSessionNotOnOrAfter ()
 Retrieve the session expiration timestamp. More...
 
 setSessionNotOnOrAfter ($sessionNotOnOrAfter)
 Set the session expiration timestamp. More...
 
 getSessionIndex ()
 Retrieve the session index of the user at the IdP. More...
 
 setSessionIndex ($sessionIndex)
 Set the session index of the user at the IdP. More...
 
 getAuthnContext ()
 Retrieve the authentication method used to authenticate the user. More...
 
 setAuthnContext ($authnContext)
 Set the authentication method used to authenticate the user. More...
 
 getAuthnContextClassRef ()
 Retrieve the authentication method used to authenticate the user. More...
 
 setAuthnContextClassRef ($authnContextClassRef)
 Set the authentication method used to authenticate the user. More...
 
 setAuthnContextDecl (Chunk $authnContextDecl)
 Set the authentication context declaration. More...
 
 getAuthnContextDecl ()
 Get the authentication context declaration. More...
 
 setAuthnContextDeclRef ($authnContextDeclRef)
 Set the authentication context declaration reference. More...
 
 getAuthnContextDeclRef ()
 Get the authentication context declaration reference. More...
 
 getAuthenticatingAuthority ()
 Retrieve the AuthenticatingAuthority. More...
 
 setAuthenticatingAuthority ($authenticatingAuthority)
 Set the AuthenticatingAuthority. More...
 
 getAttributes ()
 Retrieve all attributes. More...
 
 setAttributes (array $attributes)
 Replace all attributes. More...
 
 getAttributesValueTypes ()
 Retrieve all attributes value types. More...
 
 setAttributesValueTypes (array $attributesValueTypes)
 Replace all attributes value types. More...
 
 getAttributeNameFormat ()
 Retrieve the NameFormat used on all attributes. More...
 
 setAttributeNameFormat ($nameFormat)
 Set the NameFormat used on all attributes. More...
 
 getSubjectConfirmation ()
 Retrieve the SubjectConfirmation elements we have in our Subject element. More...
 
 setSubjectConfirmation (array $SubjectConfirmation)
 Set the SubjectConfirmation elements that should be included in the assertion. More...
 
 getSignatureKey ()
 Retrieve the private key we should use to sign the assertion. More...
 
 setSignatureKey (XMLSecurityKey $signatureKey=null)
 Set the private key we should use to sign the assertion. More...
 
 getEncryptionKey ()
 Return the key we should use to encrypt the assertion. More...
 
 setEncryptionKey (XMLSecurityKey $Key=null)
 Set the private key we should use to encrypt the attributes. More...
 
 setCertificates (array $certificates)
 Set the certificates that should be included in the assertion. More...
 
 getCertificates ()
 Retrieve the certificates that are included in the assertion. More...
 
 getWasSignedAtConstruction ()
 
 getSignatureMethod ()
 
 toXML (\DOMNode $parentElement=null)
 Convert this assertion to an XML element. More...
 

Protected Attributes

 $wasSignedAtConstruction = false
 

Private Member Functions

 parseSubject (\DOMElement $xml)
 Parse subject in assertion. More...
 
 parseConditions (\DOMElement $xml)
 Parse conditions in assertion. More...
 
 parseAuthnStatement (\DOMElement $xml)
 Parse AuthnStatement in assertion. More...
 
 parseAuthnContext (\DOMElement $authnStatementEl)
 Parse AuthnContext in AuthnStatement. More...
 
 parseAttributes (\DOMElement $xml)
 Parse attribute statements in assertion. More...
 
 parseEncryptedAttributes (\DOMElement $xml)
 Parse encrypted attribute statements in assertion. More...
 
 addSubject (\DOMElement $root)
 Add a Subject-node to the assertion. More...
 
 addConditions (\DOMElement $root)
 Add a Conditions-node to the assertion. More...
 
 addAuthnStatement (\DOMElement $root)
 Add an AuthnStatement-node to the assertion. More...
 
 addAttributeStatement (\DOMElement $root)
 Add an AttributeStatement-node to the assertion. More...
 
 addEncryptedAttributeStatement (\DOMElement $root)
 Add an EncryptedAttributeStatement-node to the assertion. More...
 

Private Attributes

 $id
 
 $issueInstant
 
 $issuer
 
 $nameId
 
 $encryptedNameId
 
 $encryptedAttributes
 
 $encryptionKey
 
 $notBefore
 
 $notOnOrAfter
 
 $validAudiences
 
 $sessionNotOnOrAfter
 
 $sessionIndex
 
 $authnInstant
 
 $authnContextClassRef
 
 $authnContextDecl
 
 $authnContextDeclRef
 
 $AuthenticatingAuthority
 
 $attributes
 
 $attributesValueTypes
 
 $nameFormat
 
 $signatureKey
 
 $certificates
 
 $signatureData
 
 $requiredEncAttributes
 
 $SubjectConfirmation
 
 $signatureMethod
 

Detailed Description

Definition at line 17 of file Assertion.php.

Constructor & Destructor Documentation

◆ __construct()

SAML2\Assertion::__construct ( \DOMElement  $xml = null)

Constructor for SAML 2 assertions.

Parameters
\DOMElement|null  $xml  The input assertion.
Exceptions
\Exception

Definition at line 257 of file Assertion.php.

References $issuer, and $xml.

{
    // Defaults for an assertion built in code: fresh ID, "now" timestamps, no content.
    $this->id = Utils::getContainer()->generateId();
    $this->issueInstant = Temporal::getTime();
    $this->issuer = '';
    $this->authnInstant = Temporal::getTime();
    $this->attributes = array();
    $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
    $this->certificates = array();
    $this->AuthenticatingAuthority = array();
    $this->SubjectConfirmation = array();
    $this->requiredEncAttributes = false;

    if ($xml === null) {
        return;
    }

    // Parsing a received assertion: ID, Version and Issuer are mandatory, and
    // anything other than SAML 2.0 is rejected outright.
    if (!$xml->hasAttribute('ID')) {
        throw new \Exception('Missing ID attribute on SAML assertion.');
    }
    $this->id = $xml->getAttribute('ID');

    if ($xml->getAttribute('Version') !== '2.0') {
        /* Currently a very strict check. */
        throw new \Exception('Unsupported version: ' . $xml->getAttribute('Version'));
    }

    $this->issueInstant = Utils::xsDateTimeToTimestamp($xml->getAttribute('IssueInstant'));

    $issuer = Utils::xpQuery($xml, './saml_assertion:Issuer');
    if (empty($issuer)) {
        throw new \Exception('Missing <saml:Issuer> in assertion.');
    }
    $this->issuer = new XML\saml\Issuer($issuer[0]);
    if ($this->issuer->Format === Constants::NAMEID_ENTITY) {
        // Entity-format issuers are kept as a plain entityID string.
        $this->issuer = $this->issuer->value;
    }

    $this->parseSubject($xml);
    $this->parseConditions($xml);
    $this->parseAuthnStatement($xml);
    $this->parseAttributes($xml);
    $this->parseEncryptedAttributes($xml);
    $this->parseSignature($xml);
}

Member Function Documentation

◆ addAttributeStatement()

SAML2\Assertion::addAttributeStatement ( \DOMElement  $root)
private

Add an AttributeStatement-node to the assertion.

Parameters
\DOMElement  $root  The assertion element we should add the attribute statement to.

Definition at line 1537 of file Assertion.php.

References $i, $name, $type, and $values.

{
    if (empty($this->attributes)) {
        return;
    }

    $document = $root->ownerDocument;

    $attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement');
    $root->appendChild($attributeStatement);

    foreach ($this->attributes as $name => $values) {
        $attribute = $document->createElementNS(Constants::NS_SAML, 'saml:Attribute');
        $attributeStatement->appendChild($attribute);
        $attribute->setAttribute('Name', $name);

        if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) {
            $attribute->setAttribute('NameFormat', $this->nameFormat);
        }

        // make sure eduPersonTargetedID can be handled properly as a NameID
        if ($name === Constants::EPTI_URN_MACE || $name === Constants::EPTI_URN_OID) {
            foreach ($values as $eptiValue) {
                $attributeValue = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
                $attribute->appendChild($attributeValue);
                if ($eptiValue instanceof XML\saml\NameID) {
                    $eptiValue->toXML($attributeValue);
                } elseif ($eptiValue instanceof \DOMNodeList) {
                    $node = $root->ownerDocument->importNode($eptiValue->item(0), true);
                    $attributeValue->appendChild($node);
                } else {
                    $attributeValue->textContent = $eptiValue;
                }
            }

            continue;
        }

        // get value type(s) for the current attribute
        if (is_array($this->attributesValueTypes) && array_key_exists($name, $this->attributesValueTypes)) {
            $valueTypes = $this->attributesValueTypes[$name];
            if (is_array($valueTypes) && count($valueTypes) != count($values)) {
                throw new \Exception('Array of value types and array of values have different size for attribute ' . var_export($name, true));
            }
        } else {
            // if no type(s), default behaviour
            $valueTypes = null;
        }

        $vidx = -1;
        foreach ($values as $value) {
            $vidx++;

            // try to get type from current types
            $type = null;
            if (!is_null($valueTypes)) {
                if (is_array($valueTypes)) {
                    $type = $valueTypes[$vidx];
                } else {
                    $type = $valueTypes;
                }
            }

            // if no type was configured, derive it from the PHP value (default behaviour)
            if (is_null($type)) {
                if (is_string($value)) {
                    $type = 'xs:string';
                } elseif (is_int($value)) {
                    $type = 'xs:integer';
                } else {
                    $type = null;
                }
            }

            $attributeValue = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
            $attribute->appendChild($attributeValue);
            if ($type !== null) {
                $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type);
            }
            if (is_null($value)) {
                $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:nil', 'true');
            }

            if ($value instanceof \DOMNodeList) {
                for ($i = 0; $i < $value->length; $i++) {
                    $node = $document->importNode($value->item($i), true);
                    $attributeValue->appendChild($node);
                }
            } else {
                $attributeValue->appendChild($document->createTextNode($value));
            }
        }
    }
}

◆ addAuthnStatement()

SAML2\Assertion::addAuthnStatement ( \DOMElement  $root)
private

Add an AuthnStatement-node to the assertion.

Parameters
\DOMElement  $root  The assertion element we should add the authentication statement to.

Definition at line 1471 of file Assertion.php.

{
    if ($this->authnInstant === null ||
        (
            $this->authnContextClassRef === null &&
            $this->authnContextDecl === null &&
            $this->authnContextDeclRef === null
        )
    ) {
        /* No authentication context or AuthnInstant => no authentication statement. */

        return;
    }

    $document = $root->ownerDocument;

    $authnStatementEl = $document->createElementNS(Constants::NS_SAML, 'saml:AuthnStatement');
    $root->appendChild($authnStatementEl);

    $authnStatementEl->setAttribute('AuthnInstant', gmdate('Y-m-d\TH:i:s\Z', $this->authnInstant));

    if ($this->sessionNotOnOrAfter !== null) {
        $authnStatementEl->setAttribute('SessionNotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->sessionNotOnOrAfter));
    }
    if ($this->sessionIndex !== null) {
        $authnStatementEl->setAttribute('SessionIndex', $this->sessionIndex);
    }

    $authnContextEl = $document->createElementNS(Constants::NS_SAML, 'saml:AuthnContext');
    $authnStatementEl->appendChild($authnContextEl);

    if (!empty($this->authnContextClassRef)) {
        Utils::addString(
            $authnContextEl,
            Constants::NS_SAML,
            'saml:AuthnContextClassRef',
            $this->authnContextClassRef
        );
    }
    if (!empty($this->authnContextDecl)) {
        $this->authnContextDecl->toXML($authnContextEl);
    }
    if (!empty($this->authnContextDeclRef)) {
        Utils::addString(
            $authnContextEl,
            Constants::NS_SAML,
            'saml:AuthnContextDeclRef',
            $this->authnContextDeclRef
        );
    }

    Utils::addStrings(
        $authnContextEl,
        Constants::NS_SAML,
        'saml:AuthenticatingAuthority',
        false,
        $this->AuthenticatingAuthority
    );
}

◆ addConditions()

SAML2\Assertion::addConditions ( \DOMElement  $root)
private

Add a Conditions-node to the assertion.

Parameters
\DOMElement  $root  The assertion element we should add the conditions to.

Definition at line 1443 of file Assertion.php.

{
    $document = $root->ownerDocument;

    $conditions = $document->createElementNS(Constants::NS_SAML, 'saml:Conditions');
    $root->appendChild($conditions);

    if ($this->notBefore !== null) {
        $conditions->setAttribute('NotBefore', gmdate('Y-m-d\TH:i:s\Z', $this->notBefore));
    }
    if ($this->notOnOrAfter !== null) {
        $conditions->setAttribute('NotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->notOnOrAfter));
    }

    if ($this->validAudiences !== null) {
        $ar = $document->createElementNS(Constants::NS_SAML, 'saml:AudienceRestriction');
        $conditions->appendChild($ar);

        Utils::addStrings($ar, Constants::NS_SAML, 'saml:Audience', false, $this->validAudiences);
    }
}

◆ addEncryptedAttributeStatement()

SAML2\Assertion::addEncryptedAttributeStatement ( \DOMElement  $root)
private

Add an EncryptedAttributeStatement-node to the assertion.

Parameters
\DOMElement  $root  The assertion element we should add the EncryptedAttributeStatement to.

Definition at line 1638 of file Assertion.php.

References $i, $n, $name, $type, and $values.

{
    if ($this->requiredEncAttributes === false) {
        return;
    }

    $document = $root->ownerDocument;

    $attributeStatement = $document->createElementNS(Constants::NS_SAML, 'saml:AttributeStatement');
    $root->appendChild($attributeStatement);

    foreach ($this->attributes as $name => $values) {
        // Each attribute is built in its own document so it can be encrypted as a unit.
        $document2 = DOMDocumentFactory::create();
        $attribute = $document2->createElementNS(Constants::NS_SAML, 'saml:Attribute');
        $attribute->setAttribute('Name', $name);
        $document2->appendChild($attribute);

        if ($this->nameFormat !== Constants::NAMEFORMAT_UNSPECIFIED) {
            $attribute->setAttribute('NameFormat', $this->nameFormat);
        }

        foreach ($values as $value) {
            if (is_string($value)) {
                $type = 'xs:string';
            } elseif (is_int($value)) {
                $type = 'xs:integer';
            } else {
                $type = null;
            }

            $attributeValue = $document2->createElementNS(Constants::NS_SAML, 'saml:AttributeValue');
            $attribute->appendChild($attributeValue);
            if ($type !== null) {
                $attributeValue->setAttributeNS(Constants::NS_XSI, 'xsi:type', $type);
            }

            if ($value instanceof \DOMNodeList) {
                for ($i = 0; $i < $value->length; $i++) {
                    $node = $document2->importNode($value->item($i), true);
                    $attributeValue->appendChild($node);
                }
            } else {
                $attributeValue->appendChild($document2->createTextNode($value));
            }
        }
        /* Once the attribute nodes are built, they are encrypted. */
        $EncAssert = new XMLSecEnc();
        $EncAssert->setNode($document2->documentElement);
        $EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element';
        /*
         * Attributes are encrypted with a session key, and this one with
         * $encryptionKey.
         */
        $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
        $symmetricKey->generateSessionKey();
        $EncAssert->encryptKey($this->encryptionKey, $symmetricKey);
        $EncrNode = $EncAssert->encryptNode($symmetricKey);

        $EncAttribute = $document->createElementNS(Constants::NS_SAML, 'saml:EncryptedAttribute');
        $attributeStatement->appendChild($EncAttribute);
        $n = $document->importNode($EncrNode, true);
        $EncAttribute->appendChild($n);
    }
}

◆ addSubject()

SAML2\Assertion::addSubject ( \DOMElement  $root)
private

Add a Subject-node to the assertion.

Parameters
\DOMElement  $root  The assertion element we should add the subject to.

Definition at line 1413 of file Assertion.php.

References $sc.

{
    if ($this->nameId === null && $this->encryptedNameId === null) {
        /* We don't have anything to create a Subject node for. */

        return;
    }

    $subject = $root->ownerDocument->createElementNS(Constants::NS_SAML, 'saml:Subject');
    $root->appendChild($subject);

    if ($this->encryptedNameId === null) {
        $this->nameId->toXML($subject);
    } else {
        $eid = $subject->ownerDocument->createElementNS(Constants::NS_SAML, 'saml:' . 'EncryptedID');
        $subject->appendChild($eid);
        $eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId, true));
    }

    foreach ($this->SubjectConfirmation as $sc) {
        $sc->toXML($subject);
    }
}

◆ decryptAttributes()

SAML2\Assertion::decryptAttributes ( XMLSecurityKey $key, array $blacklist = array() )

Decrypt the assertion attributes.

Parameters
XMLSecurityKey  $key
array           $blacklist
Exceptions
\Exception

Definition at line 835 of file Assertion.php.

References $attributes, $key, and $name.

{
    if (!$this->hasEncryptedAttributes()) {
        return;
    }
    $firstAttribute = true;
    $attributes = $this->encryptedAttributes;
    foreach ($attributes as $attributeEnc) {
        /* Decrypt node <EncryptedAttribute> */
        $attribute = Utils::decryptElement(
            $attributeEnc->getElementsByTagName('EncryptedData')->item(0),
            $key,
            $blacklist
        );

        if (!$attribute->hasAttribute('Name')) {
            throw new \Exception('Missing name on <saml:Attribute> element.');
        }
        $name = $attribute->getAttribute('Name');

        if ($attribute->hasAttribute('NameFormat')) {
            $nameFormat = $attribute->getAttribute('NameFormat');
        } else {
            $nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
        }

        // A single NameFormat is kept only while every attribute agrees on it.
        if ($firstAttribute) {
            $this->nameFormat = $nameFormat;
            $firstAttribute = false;
        } else {
            if ($this->nameFormat !== $nameFormat) {
                $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
            }
        }

        if (!array_key_exists($name, $this->attributes)) {
            $this->attributes[$name] = array();
        }

        $this->parseAttributeValue($attribute, $name);
    }
}

◆ decryptNameId()

SAML2\Assertion::decryptNameId ( XMLSecurityKey $key, array $blacklist = array() )

Decrypt the NameId of the subject in the assertion.

Parameters
XMLSecurityKey  $key        The decryption key.
array           $blacklist  Blacklisted decryption algorithms.

Definition at line 803 of file Assertion.php.

References $nameId.

Referenced by SAML2\Assertion\Transformer\NameIdDecryptionTransformer\transform().

{
    if ($this->encryptedNameId === null) {
        /* No NameID to decrypt. */

        return;
    }

    $nameId = Utils::decryptElement($this->encryptedNameId, $key, $blacklist);
    Utils::getContainer()->debugMessage($nameId, 'decrypt');
    $this->nameId = new XML\saml\NameID($nameId);

    $this->encryptedNameId = null;
}

◆ encryptNameId()

SAML2\Assertion::encryptNameId ( XMLSecurityKey  $key)

Encrypt the NameID in the Assertion.

Parameters
XMLSecurityKey  $key  The encryption key.

Definition at line 771 of file Assertion.php.

References $nameId, and $root.

{
    /* First create a XML representation of the NameID. */
    $doc = DOMDocumentFactory::create();
    $root = $doc->createElement('root');
    $doc->appendChild($root);
    $this->nameId->toXML($root);
    $nameId = $root->firstChild;

    Utils::getContainer()->debugMessage($nameId, 'encrypt');

    /* Encrypt the NameID. */
    $enc = new XMLSecEnc();
    $enc->setNode($nameId);
    // @codingStandardsIgnoreStart
    $enc->type = XMLSecEnc::Element;
    // @codingStandardsIgnoreEnd

    // A fresh AES session key encrypts the element; $key (the recipient's
    // public key) wraps the session key.
    $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
    $symmetricKey->generateSessionKey();
    $enc->encryptKey($key, $symmetricKey);

    $this->encryptedNameId = $enc->encryptNode($symmetricKey);
    $this->nameId = null;
}
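The encryptNameId()/decryptNameId() pair above, exercised end to end as an added example (this is not code from the SAML2 library or from ILIAS): it assumes simplesamlphp/saml2 and robrichards/xmlseclibs are installed via Composer, uses the MockContainer shipped with the library to satisfy the container the class asks for, and generates a throw-away RSA key pair at run time. The subject value and the blacklist choices are constructed for the demonstration.

```php
<?php
// Added example, not part of SAML2\Assertion: round-trip a NameID through
// encryptNameId()/decryptNameId() and show the $blacklist parameter refusing a
// key-transport algorithm before any decryption is attempted.
require_once __DIR__ . '/vendor/autoload.php';   // assumption: Composer autoloader

use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Assertion;
use SAML2\Compat\ContainerSingleton;
use SAML2\Compat\MockContainer;
use SAML2\Constants;
use SAML2\XML\saml\NameID;

// new Assertion() resolves ID generation and debug logging through a container;
// the library's MockContainer is enough for a stand-alone run.
ContainerSingleton::setContainer(new MockContainer());

/** Generate a throw-away RSA key pair; returns array(privatePem, publicPem). */
function makeKeyPair()
{
    $res = openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    openssl_pkey_export($res, $privatePem);
    $publicPem = openssl_pkey_get_details($res)['key'];
    return array($privatePem, $publicPem);
}

/**
 * Encrypt the subject NameID for the recipient (public key) and decrypt it
 * again (private key), as an IdP and an SP would on either side of the wire.
 * Returns the NameID value recovered after decryption, or throws.
 */
function roundTripNameId($publicPem, $privatePem, array $blacklist)
{
    $assertion = new Assertion();
    $nameId = new NameID();
    $nameId->value = 'alice@example.org';            // constructed sample subject
    $nameId->Format = Constants::NAMEID_EMAIL_ADDRESS;
    $assertion->setNameId($nameId);

    // Issuer side: RSA-OAEP wraps the AES session key that encryptNameId()
    // generates internally.
    $encKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'public'));
    $encKey->loadKey($publicPem);
    $assertion->encryptNameId($encKey);

    // From here on getNameId() refuses to return the subject until it is decrypted.
    if (!$assertion->isNameIdEncrypted()) {
        throw new RuntimeException('NameID should be encrypted at this point');
    }

    // Consumer side: any key-transport algorithm listed in $blacklist is
    // rejected by Utils::decryptElement() before the private key is used.
    $decKey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type' => 'private'));
    $decKey->loadKey($privatePem);
    $assertion->decryptNameId($decKey, $blacklist);

    return $assertion->getNameId()->value;
}

list($privatePem, $publicPem) = makeKeyPair();

// Usual hardening: refuse PKCS#1 v1.5 key transport (the padding-oracle-prone
// algorithm) while still accepting OAEP, which is what was used here.
$recovered = roundTripNameId($publicPem, $privatePem, array(XMLSecurityKey::RSA_1_5));
echo "Recovered subject: " . $recovered . "\n";

// Blacklisting the algorithm that was actually used makes decryptNameId()
// throw instead of returning a NameID, which is what an SP wants when an
// IdP switches to an algorithm the SP has disabled.
try {
    roundTripNameId($publicPem, $privatePem, array(XMLSecurityKey::RSA_OAEP_MGF1P));
    echo "Unexpected: decryption succeeded with its algorithm blacklisted\n";
} catch (Exception $e) {
    echo "Rejected as intended: " . $e->getMessage() . "\n";
}
```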

◆ getAttributeNameFormat()

SAML2\Assertion::getAttributeNameFormat ( )

Retrieve the NameFormat used on all attributes.

If more than one NameFormat is used in the received attributes, this returns the unspecified NameFormat.

Returns
string The NameFormat used on all attributes.

Definition at line 1238 of file Assertion.php.

{
    return $this->nameFormat;
}

◆ getAttributes()

SAML2\Assertion::getAttributes ( )

Retrieve all attributes.

Returns
array All attributes, as an associative array.

Definition at line 1195 of file Assertion.php.

References $attributes.

Referenced by SAML2\Assertion\Transformer\DecodeBase64Transformer\transform().

{
    return $this->attributes;
}

◆ getAttributesValueTypes()

SAML2\Assertion::getAttributesValueTypes ( )

Retrieve all attributes value types.

Returns
array All attributes value types, as an associative array.

Definition at line 1215 of file Assertion.php.

{
    return $this->attributesValueTypes;
}

◆ getAuthenticatingAuthority()

SAML2\Assertion::getAuthenticatingAuthority ( )

Retrieve the AuthenticatingAuthority.

Returns
array

Definition at line 1174 of file Assertion.php.

{
    return $this->AuthenticatingAuthority;
}

◆ getAuthnContext()

SAML2\Assertion::getAuthnContext ( )

Retrieve the authentication method used to authenticate the user.

This will return null if no authentication statement was included in the assertion.

Note that this returns either the AuthnContextClassRef or the AuthnContextDeclRef, whose definitions overlap but are slightly different (consult the specification for more information). This was done to work around an old bug of Shibboleth ( https://bugs.internet2.edu/jira/browse/SIDP-187 ). It should no longer be required; please use either getAuthnContextClassRef or getAuthnContextDeclRef.

Deprecated:
use getAuthnContextClassRef
Returns
string|null The authentication method.

Definition at line 1055 of file Assertion.php.

{
    if (!empty($this->authnContextClassRef)) {
        return $this->authnContextClassRef;
    }
    if (!empty($this->authnContextDeclRef)) {
        return $this->authnContextDeclRef;
    }
    return null;
}

◆ getAuthnContextClassRef()

SAML2\Assertion::getAuthnContextClassRef ( )

Retrieve the authentication method used to authenticate the user.

This will return null if no authentication statement was included in the assertion.

Returns
string|null The authentication method.

Definition at line 1088 of file Assertion.php.

{
    return $this->authnContextClassRef;
}

◆ getAuthnContextDecl()

SAML2\Assertion::getAuthnContextDecl ( )

Get the authentication context declaration.

See: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

Returns
Chunk|null The authentication context declaration, or NULL if none is set.

Definition at line 1133 of file Assertion.php.

{
    return $this->authnContextDecl;
}

◆ getAuthnContextDeclRef()

SAML2\Assertion::getAuthnContextDeclRef ( )

Get the authentication context declaration reference.

URI reference that identifies an authentication context declaration.

The URI reference MAY directly resolve into an XML document containing the referenced declaration.

Returns
string

Definition at line 1163 of file Assertion.php.

{
    return $this->authnContextDeclRef;
}

◆ getAuthnInstant()

SAML2\Assertion::getAuthnInstant ( )

Retrieve the AuthnInstant of the assertion.

Returns
int|null The timestamp the user was authenticated, or NULL if the user isn't authenticated.

Definition at line 971 of file Assertion.php.

{
    return $this->authnInstant;
}

◆ getCertificates()

SAML2\Assertion::getCertificates ( )

Retrieve the certificates that are included in the assertion.

Returns
array An array of certificates.

Implements SAML2\SignedElement.

Definition at line 1335 of file Assertion.php.

References $certificates.

{
    return $this->certificates;
}

◆ getEncryptionKey()

SAML2\Assertion::getEncryptionKey ( )

Return the key we should use to encrypt the assertion.

Returns
XMLSecurityKey|null The key, or NULL if no key is specified.

Definition at line 1303 of file Assertion.php.

{
    return $this->encryptionKey;
}

◆ getId()

SAML2\Assertion::getId ( )

Retrieve the identifier of this assertion.

Returns
string The identifier of this assertion.

Definition at line 661 of file Assertion.php.

References $id.

{
    return $this->id;
}

◆ getIssueInstant()

SAML2\Assertion::getIssueInstant ( )

Retrieve the issue timestamp of this assertion.

Returns
int The issue timestamp of this assertion, as a UNIX timestamp.

Definition at line 683 of file Assertion.php.

{
    return $this->issueInstant;
}

◆ getIssuer()

SAML2\Assertion::getIssuer ( )

Retrieve the issuer of this assertion.

Returns
string|XML\saml\Issuer The issuer of this assertion: the entityID as a string when the Issuer uses the entity NameID format, otherwise the Issuer element object.

Definition at line 705 of file Assertion.php.

References $issuer.

{
    return $this->issuer;
}

◆ getNameId()

SAML2\Assertion::getNameId ( )

Retrieve the NameId of the subject in the assertion.

Returns
XML\saml\NameID|null The name identifier of the assertion.
Exceptions
\Exception If the NameID is still encrypted.

Definition at line 728 of file Assertion.php.

References $nameId.

{
    if ($this->encryptedNameId !== null) {
        throw new \Exception('Attempted to retrieve encrypted NameID without decrypting it first.');
    }

    return $this->nameId;
}

◆ getNotBefore()

SAML2\Assertion::getNotBefore ( )

Retrieve the earliest timestamp this assertion is valid.

This function returns null if there are no restrictions on how early the assertion can be used.

Returns
int|null The earliest timestamp this assertion is valid.

Definition at line 886 of file Assertion.php.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\NotBefore\validate().

{
    return $this->notBefore;
}

◆ getNotOnOrAfter()

SAML2\Assertion::getNotOnOrAfter ( )

Retrieve the expiration timestamp of this assertion.

This function returns null if there are no restrictions on how late the assertion can be used.

Returns
int|null The latest timestamp this assertion is valid.

Definition at line 913 of file Assertion.php.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\NotOnOrAfter\validate().

{
    return $this->notOnOrAfter;
}

◆ getSessionIndex()

SAML2\Assertion::getSessionIndex ( )

Retrieve the session index of the user at the IdP.

Returns
string|null The session index of the user at the IdP.

Definition at line 1021 of file Assertion.php.

References $sessionIndex.

{
    return $this->sessionIndex;
}

◆ getSessionNotOnOrAfter()

SAML2\Assertion::getSessionNotOnOrAfter ( )

Retrieve the session expiration timestamp.

This function returns null if there are no restrictions on the session lifetime.

Returns
int|null The latest timestamp this session is valid.

Definition at line 997 of file Assertion.php.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SessionNotOnOrAfter\validate().

{
    return $this->sessionNotOnOrAfter;
}

◆ getSignatureKey()

SAML2\Assertion::getSignatureKey ( )

Retrieve the private key we should use to sign the assertion.

Returns
XMLSecurityKey|null The key, or NULL if no key is specified.

Implements SAML2\SignedElement.

Definition at line 1280 of file Assertion.php.

{
    return $this->signatureKey;
}

◆ getSignatureMethod()

SAML2\Assertion::getSignatureMethod ( )

Retrieve the signature method (algorithm URI) of the signature found on this assertion at construction, if any.

Returns
null|string

Definition at line 1351 of file Assertion.php.

{
    return $this->signatureMethod;
}

◆ getSubjectConfirmation()

SAML2\Assertion::getSubjectConfirmation ( )

Retrieve the SubjectConfirmation elements we have in our Subject element.

Returns
array Array of \SAML2\XML\saml\SubjectConfirmation elements.

Definition at line 1260 of file Assertion.php.

Referenced by SAML2\Assertion\Processor\validateAssertion().

{
    return $this->SubjectConfirmation;
}

◆ getValidAudiences()

SAML2\Assertion::getValidAudiences ( )

Retrieve the audiences that are allowed to receive this assertion.

This may be null, in which case all audiences are allowed.

Returns
array|null The allowed audiences.

Definition at line 949 of file Assertion.php.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SpIsValidAudience\validate().

{
    return $this->validAudiences;
}

◆ getWasSignedAtConstruction()

SAML2\Assertion::getWasSignedAtConstruction ( )

Check whether the assertion carried a signature when it was constructed from XML.

Returns
bool

Definition at line 1343 of file Assertion.php.

{
    return $this->wasSignedAtConstruction;
}

◆ hasEncryptedAttributes()

SAML2\Assertion::hasEncryptedAttributes ( )

Did this Assertion contain encrypted Attributes?

Returns
bool

Definition at line 823 of file Assertion.php.

{
    return $this->encryptedAttributes !== [];
}

◆ isNameIdEncrypted()

SAML2\Assertion::isNameIdEncrypted ( )

Check whether the NameId is encrypted.

Returns
bool true if the NameId is encrypted, false if not.

Definition at line 761 of file Assertion.php.

Referenced by SAML2\Assertion\Transformer\NameIdDecryptionTransformer\transform().

{
    return $this->encryptedNameId !== null;
}

◆ parseAttributes()

SAML2\Assertion::parseAttributes ( \DOMElement  $xml)
private

Parse attribute statements in assertion.

Parameters
\DOMElement $xml The XML element with the assertion.
Exceptions
\Exception if a <saml:Attribute> element has no Name attribute.
Definition at line 510 of file Assertion.php.

References $attributes, $index, $name, $type, and $values.

{
    $firstAttribute = true;
    $attributes = Utils::xpQuery($xml, './saml_assertion:AttributeStatement/saml_assertion:Attribute');
    foreach ($attributes as $attribute) {
        if (!$attribute->hasAttribute('Name')) {
            throw new \Exception('Missing name on <saml:Attribute> element.');
        }
        $name = $attribute->getAttribute('Name');

        if ($attribute->hasAttribute('NameFormat')) {
            $nameFormat = $attribute->getAttribute('NameFormat');
        } else {
            $nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
        }

        /* The assertion-wide NameFormat is only kept if every attribute agrees on it. */
        if ($firstAttribute) {
            $this->nameFormat = $nameFormat;
            $firstAttribute = false;
        } else {
            if ($this->nameFormat !== $nameFormat) {
                $this->nameFormat = Constants::NAMEFORMAT_UNSPECIFIED;
            }
        }

        if (!array_key_exists($name, $this->attributes)) {
            $this->attributes[$name] = array();
            $this->attributesValueTypes[$name] = array();
        }

        $this->parseAttributeValue($attribute, $name);
    }
}

◆ parseAuthnContext()

SAML2\Assertion::parseAuthnContext ( \DOMElement  $authnStatementEl)
private

Parse AuthnContext in AuthnStatement.

Parameters
\DOMElement $authnStatementEl The <saml:AuthnStatement> element.
Exceptions
\Exception if the AuthnContext is missing, duplicated, or contains none of AuthnContextClassRef, AuthnContextDeclRef and AuthnContextDecl.
Definition at line 451 of file Assertion.php.

{
    // Get the AuthnContext element
    $authnContexts = Utils::xpQuery($authnStatementEl, './saml_assertion:AuthnContext');
    if (count($authnContexts) > 1) {
        throw new \Exception('More than one <saml:AuthnContext> in <saml:AuthnStatement>.');
    } elseif (empty($authnContexts)) {
        throw new \Exception('Missing required <saml:AuthnContext> in <saml:AuthnStatement>.');
    }
    $authnContextEl = $authnContexts[0];

    // Get the AuthnContextDeclRef (if available)
    $authnContextDeclRefs = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextDeclRef');
    if (count($authnContextDeclRefs) > 1) {
        throw new \Exception(
            'More than one <saml:AuthnContextDeclRef> found?'
        );
    } elseif (count($authnContextDeclRefs) === 1) {
        $this->setAuthnContextDeclRef(trim($authnContextDeclRefs[0]->textContent));
    }

    // Get the AuthnContextDecl (if available)
    $authnContextDecls = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextDecl');
    if (count($authnContextDecls) > 1) {
        throw new \Exception(
            'More than one <saml:AuthnContextDecl> found?'
        );
    } elseif (count($authnContextDecls) === 1) {
        $this->setAuthnContextDecl(new Chunk($authnContextDecls[0]));
    }

    // Get the AuthnContextClassRef (if available)
    $authnContextClassRefs = Utils::xpQuery($authnContextEl, './saml_assertion:AuthnContextClassRef');
    if (count($authnContextClassRefs) > 1) {
        throw new \Exception('More than one <saml:AuthnContextClassRef> in <saml:AuthnContext>.');
    } elseif (count($authnContextClassRefs) === 1) {
        $this->setAuthnContextClassRef(trim($authnContextClassRefs[0]->textContent));
    }

    // Constraint from XSD: MUST have one of the three
    if (empty($this->authnContextClassRef) && empty($this->authnContextDecl) && empty($this->authnContextDeclRef)) {
        throw new \Exception(
            'Missing either <saml:AuthnContextClassRef> or <saml:AuthnContextDeclRef> or <saml:AuthnContextDecl>'
        );
    }

    $this->AuthenticatingAuthority = Utils::extractStrings(
        $authnContextEl,
        Constants::NS_SAML,
        'AuthenticatingAuthority'
    );
}

◆ parseAuthnStatement()

SAML2\Assertion::parseAuthnStatement ( \DOMElement  $xml)
private

Parse AuthnStatement in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions
\Exception if there is more than one AuthnStatement or the AuthnInstant attribute is missing.
Definition at line 417 of file Assertion.php.

{
    $authnStatements = Utils::xpQuery($xml, './saml_assertion:AuthnStatement');
    if (empty($authnStatements)) {
        $this->authnInstant = null;

        return;
    } elseif (count($authnStatements) > 1) {
        throw new \Exception('More than one <saml:AuthnStatement> in <saml:Assertion> not supported.');
    }
    $authnStatement = $authnStatements[0];

    if (!$authnStatement->hasAttribute('AuthnInstant')) {
        throw new \Exception('Missing required AuthnInstant attribute on <saml:AuthnStatement>.');
    }
    $this->authnInstant = Utils::xsDateTimeToTimestamp($authnStatement->getAttribute('AuthnInstant'));

    if ($authnStatement->hasAttribute('SessionNotOnOrAfter')) {
        $this->sessionNotOnOrAfter = Utils::xsDateTimeToTimestamp($authnStatement->getAttribute('SessionNotOnOrAfter'));
    }

    if ($authnStatement->hasAttribute('SessionIndex')) {
        $this->sessionIndex = $authnStatement->getAttribute('SessionIndex');
    }

    $this->parseAuthnContext($authnStatement);
}

◆ parseConditions()

SAML2\Assertion::parseConditions ( \DOMElement  $xml)
private

Parse conditions in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions
\Exception if there is more than one Conditions element, or a condition with an unknown namespace or name.
Definition at line 353 of file Assertion.php.

{
    $conditions = Utils::xpQuery($xml, './saml_assertion:Conditions');
    if (empty($conditions)) {
        /* No <saml:Conditions> node. */

        return;
    } elseif (count($conditions) > 1) {
        throw new \Exception('More than one <saml:Conditions> in <saml:Assertion>.');
    }
    $conditions = $conditions[0];

    /* Only ever tighten the validity window: keep the later NotBefore and the earlier NotOnOrAfter. */
    if ($conditions->hasAttribute('NotBefore')) {
        $notBefore = Utils::xsDateTimeToTimestamp($conditions->getAttribute('NotBefore'));
        if ($this->notBefore === null || $this->notBefore < $notBefore) {
            $this->notBefore = $notBefore;
        }
    }
    if ($conditions->hasAttribute('NotOnOrAfter')) {
        $notOnOrAfter = Utils::xsDateTimeToTimestamp($conditions->getAttribute('NotOnOrAfter'));
        if ($this->notOnOrAfter === null || $this->notOnOrAfter > $notOnOrAfter) {
            $this->notOnOrAfter = $notOnOrAfter;
        }
    }

    for ($node = $conditions->firstChild; $node !== null; $node = $node->nextSibling) {
        if ($node instanceof \DOMText) {
            continue;
        }
        if ($node->namespaceURI !== Constants::NS_SAML) {
            throw new \Exception('Unknown namespace of condition: ' . var_export($node->namespaceURI, true));
        }
        switch ($node->localName) {
            case 'AudienceRestriction':
                $audiences = Utils::extractStrings($node, Constants::NS_SAML, 'Audience');
                if ($this->validAudiences === null) {
                    /* The first (and probably last) AudienceRestriction element. */
                    $this->validAudiences = $audiences;
                } else {
                    /*
                     * The set of AudienceRestriction are ANDed together, so we need
                     * the subset that are present in all of them.
                     */
                    $this->validAudiences = array_intersect($this->validAudiences, $audiences);
                }
                break;
            case 'OneTimeUse':
                /* Currently ignored. */
                break;
            case 'ProxyRestriction':
                /* Currently ignored. */
                break;
            default:
                throw new \Exception('Unknown condition: ' . var_export($node->localName, true));
        }
    }
}

◆ parseEncryptedAttributes()

SAML2\Assertion::parseEncryptedAttributes ( \DOMElement  $xml)
private

Parse encrypted attribute statements in assertion.

Parameters
\DOMElement $xml The XML element with the assertion.

Definition at line 605 of file Assertion.php.

References $xml.

{
    $this->encryptedAttributes = Utils::xpQuery(
        $xml,
        './saml_assertion:AttributeStatement/saml_assertion:EncryptedAttribute'
    );
}

◆ parseSubject()

SAML2\Assertion::parseSubject ( \DOMElement  $xml)
private

Parse subject in assertion.

Parameters
\DOMElement $xml The assertion XML element.
Exceptions
\Exception if the Subject is duplicated, carries more than one NameID/EncryptedID, or has neither a NameID nor a SubjectConfirmation.
Definition at line 309 of file Assertion.php.

References $nameId, and $sc.

{
    $subject = Utils::xpQuery($xml, './saml_assertion:Subject');
    if (empty($subject)) {
        /* No Subject node. */

        return;
    } elseif (count($subject) > 1) {
        throw new \Exception('More than one <saml:Subject> in <saml:Assertion>.');
    }
    $subject = $subject[0];

    $nameId = Utils::xpQuery(
        $subject,
        './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
    );
    if (count($nameId) > 1) {
        throw new \Exception('More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
    } elseif (!empty($nameId)) {
        $nameId = $nameId[0];
        if ($nameId->localName === 'EncryptedData') {
            /* The NameID element is encrypted. */
            $this->encryptedNameId = $nameId;
        } else {
            $this->nameId = new XML\saml\NameID($nameId);
        }
    }

    $subjectConfirmation = Utils::xpQuery($subject, './saml_assertion:SubjectConfirmation');
    if (empty($subjectConfirmation) && empty($nameId)) {
        throw new \Exception('Missing <saml:SubjectConfirmation> in <saml:Subject>.');
    }

    foreach ($subjectConfirmation as $sc) {
        $this->SubjectConfirmation[] = new SubjectConfirmation($sc);
    }
}

◆ setAttributeNameFormat()

SAML2\Assertion::setAttributeNameFormat (   $nameFormat)

Set the NameFormat used on all attributes.

Parameters
string $nameFormat The NameFormat used on all attributes.

Definition at line 1248 of file Assertion.php.

{
    assert(is_string($nameFormat));

    $this->nameFormat = $nameFormat;
}

◆ setAttributes()

SAML2\Assertion::setAttributes ( array  $attributes)

Replace all attributes.

Parameters
array $attributes All new attributes, as an associative array.

Definition at line 1205 of file Assertion.php.

References $attributes.

Referenced by SAML2\Assertion\Transformer\DecodeBase64Transformer\transform().

{
    $this->attributes = $attributes;
}

◆ setAttributesValueTypes()

SAML2\Assertion::setAttributesValueTypes ( array  $attributesValueTypes)

Replace all attributes value types.

Parameters
array $attributesValueTypes All new attribute value types, as an associative array.

Definition at line 1225 of file Assertion.php.

{
    $this->attributesValueTypes = $attributesValueTypes;
}

◆ setAuthenticatingAuthority()

SAML2\Assertion::setAuthenticatingAuthority (   $authenticatingAuthority)

Set the AuthenticatingAuthority.

Parameters
array $authenticatingAuthority

Definition at line 1185 of file Assertion.php.

References $authenticatingAuthority.

{
    $this->AuthenticatingAuthority = $authenticatingAuthority;
}

◆ setAuthnContext()

SAML2\Assertion::setAuthnContext (   $authnContext)

Set the authentication method used to authenticate the user.

If this is set to null, no authentication statement will be included in the assertion. The default is null.

Deprecated:
use setAuthnContextClassRef()

Parameters
string | null $authnContext The authentication method.

Definition at line 1075 of file Assertion.php.

{
    $this->setAuthnContextClassRef($authnContext);
}

◆ setAuthnContextClassRef()

SAML2\Assertion::setAuthnContextClassRef (   $authnContextClassRef)

Set the authentication method used to authenticate the user.

If this is set to null, no authentication statement will be included in the assertion. The default is null.

Parameters
string | null $authnContextClassRef The authentication method.

Definition at line 1101 of file Assertion.php.

{
    assert(is_string($authnContextClassRef) || is_null($authnContextClassRef));

    $this->authnContextClassRef = $authnContextClassRef;
}

◆ setAuthnContextDecl()

SAML2\Assertion::setAuthnContextDecl ( Chunk  $authnContextDecl)

Set the authentication context declaration.

Parameters
\SAML2\XML\Chunk $authnContextDecl
Exceptions
\Exception if an AuthnContextDeclRef is already set (a Decl and a DeclRef are mutually exclusive).

Definition at line 1114 of file Assertion.php.

{
    if (!empty($this->authnContextDeclRef)) {
        throw new \Exception(
            'AuthnContextDeclRef is already registered! May only have either a Decl or a DeclRef, not both!'
        );
    }

    $this->authnContextDecl = $authnContextDecl;
}

◆ setAuthnContextDeclRef()

SAML2\Assertion::setAuthnContextDeclRef (   $authnContextDeclRef)

Set the authentication context declaration reference.

Parameters
string $authnContextDeclRef
Exceptions
\Exception if an AuthnContextDecl is already set (a Decl and a DeclRef are mutually exclusive).

Definition at line 1144 of file Assertion.php.

{
    if (!empty($this->authnContextDecl)) {
        throw new \Exception(
            'AuthnContextDecl is already registered! May only have either a Decl or a DeclRef, not both!'
        );
    }

    $this->authnContextDeclRef = $authnContextDeclRef;
}

◆ setAuthnInstant()

SAML2\Assertion::setAuthnInstant (   $authnInstant)

Set the AuthnInstant of the assertion.

Parameters
int | null $authnInstant Timestamp the user was authenticated, or NULL if we don't want an AuthnStatement.

Definition at line 982 of file Assertion.php.

{
    assert(is_int($authnInstant) || is_null($authnInstant));

    $this->authnInstant = $authnInstant;
}

◆ setCertificates()

SAML2\Assertion::setCertificates ( array  $certificates)

Set the certificates that should be included in the assertion.

The certificates should be strings with the PEM encoded data.

Parameters
array $certificates An array of certificates.

Implements SAML2\SignedElement.

Definition at line 1325 of file Assertion.php.

References $certificates.

{
    $this->certificates = $certificates;
}

◆ setEncryptedAttributes()

SAML2\Assertion::setEncryptedAttributes (   $ea)

Set whether the attributes should be sent encrypted (as an EncryptedAttribute statement) when the assertion is converted to XML.

Parameters
boolean $ea true to encrypt attributes in the assertion.

Definition at line 937 of file Assertion.php.

{
    $this->requiredEncAttributes = $ea;
}

◆ setEncryptionKey()

SAML2\Assertion::setEncryptionKey ( XMLSecurityKey  $Key = null)

Set the private key we should use to encrypt the attributes.

Parameters
XMLSecurityKey | null $Key

Definition at line 1313 of file Assertion.php.

{
    $this->encryptionKey = $Key;
}

◆ setId()

SAML2\Assertion::setId (   $id)

Set the identifier of this assertion.

Parameters
string $id The new identifier of this assertion.

Definition at line 671 of file Assertion.php.

References $id.

{
    assert(is_string($id));

    $this->id = $id;
}

◆ setIssueInstant()

SAML2\Assertion::setIssueInstant (   $issueInstant)

Set the issue timestamp of this assertion.

Parameters
int $issueInstant The new issue timestamp of this assertion, as a UNIX timestamp.

Definition at line 693 of file Assertion.php.

{
    assert(is_int($issueInstant));

    $this->issueInstant = $issueInstant;
}

◆ setIssuer()

SAML2\Assertion::setIssuer (   $issuer)

Set the issuer of this message.

Parameters
string | \SAML2\XML\saml\Issuer $issuer The new issuer of this assertion.

Definition at line 715 of file Assertion.php.

References $issuer.

{
    assert(is_string($issuer) || $issuer instanceof XML\saml\Issuer);

    $this->issuer = $issuer;
}

◆ setNameId()

SAML2\Assertion::setNameId (   $nameId)

Set the NameId of the subject in the assertion.

The NameId must be a \SAML2\XML\saml\NameID object, or an array in the format accepted by ::addNameId() (the array form is deprecated).

See also
::addNameId()

Parameters
\SAML2\XML\saml\NameID | array | null $nameId The name identifier of the assertion.

Definition at line 746 of file Assertion.php.

References $nameId.

{
    assert(is_array($nameId) || is_null($nameId) || $nameId instanceof XML\saml\NameID);

    if (is_array($nameId)) {
        $nameId = XML\saml\NameID::fromArray($nameId);
    }
    $this->nameId = $nameId;
}

◆ setNotBefore()

SAML2\Assertion::setNotBefore (   $notBefore)

Set the earliest timestamp this assertion can be used.

Set this to null if no limit is required.

Parameters
int | null $notBefore The earliest timestamp this assertion is valid.

Definition at line 898 of file Assertion.php.

{
    assert(is_int($notBefore) || is_null($notBefore));

    $this->notBefore = $notBefore;
}

◆ setNotOnOrAfter()

SAML2\Assertion::setNotOnOrAfter (   $notOnOrAfter)

Set the expiration timestamp of this assertion.

Set this to null if no limit is required.

Parameters
int | null $notOnOrAfter The latest timestamp this assertion is valid.

Definition at line 925 of file Assertion.php.

{
    assert(is_int($notOnOrAfter) || is_null($notOnOrAfter));

    $this->notOnOrAfter = $notOnOrAfter;
}

◆ setSessionIndex()

SAML2\Assertion::setSessionIndex (   $sessionIndex)

Set the session index of the user at the IdP.

Note that the authentication context must be set before the session index can be included in the assertion.

Parameters
string | null $sessionIndex The session index of the user at the IdP.

Definition at line 1034 of file Assertion.php.

References $sessionIndex.

{
    assert(is_string($sessionIndex) || is_null($sessionIndex));

    $this->sessionIndex = $sessionIndex;
}

◆ setSessionNotOnOrAfter()

SAML2\Assertion::setSessionNotOnOrAfter (   $sessionNotOnOrAfter)

Set the session expiration timestamp.

Set this to null if no limit is required.

Parameters
int | null $sessionNotOnOrAfter The latest timestamp this session is valid.

Definition at line 1009 of file Assertion.php.

{
    assert(is_int($sessionNotOnOrAfter) || is_null($sessionNotOnOrAfter));

    $this->sessionNotOnOrAfter = $sessionNotOnOrAfter;
}

◆ setSignatureKey()

SAML2\Assertion::setSignatureKey ( XMLSecurityKey  $signatureKey = null)

Set the private key we should use to sign the assertion.

If the key is null, the assertion will be sent unsigned.

Parameters
XMLSecurityKey | null $signatureKey

Implements SAML2\SignedElement.

Definition at line 1292 of file Assertion.php.

{
    $this->signatureKey = $signatureKey;
}

◆ setSubjectConfirmation()

SAML2\Assertion::setSubjectConfirmation ( array  $SubjectConfirmation)

Set the SubjectConfirmation elements that should be included in the assertion.

Parameters
array $SubjectConfirmation Array of \SAML2\XML\saml\SubjectConfirmation elements.

Definition at line 1270 of file Assertion.php.

{
    $this->SubjectConfirmation = $SubjectConfirmation;
}

◆ setValidAudiences()

SAML2\Assertion::setValidAudiences ( array  $validAudiences = null)

Set the audiences that are allowed to receive this assertion.

This may be null, in which case all audiences are allowed.

Parameters
array | null $validAudiences The allowed audiences.

Definition at line 961 of file Assertion.php.

{
    $this->validAudiences = $validAudiences;
}

◆ toXML()

SAML2\Assertion::toXML ( \DOMNode  $parentElement = null)

Convert this assertion to an XML element.

Parameters
\DOMNode | null $parentElement The DOM node the assertion should be created in.
Returns
\DOMElement The <saml:Assertion> element that was created.

Definition at line 1362 of file Assertion.php.

References $issuer, and $root.

Referenced by SAML2\EncryptedAssertion\setAssertion().

{
    if ($parentElement === null) {
        $document = DOMDocumentFactory::create();
        $parentElement = $document;
    } else {
        $document = $parentElement->ownerDocument;
    }

    $root = $document->createElementNS(Constants::NS_SAML, 'saml:' . 'Assertion');
    $parentElement->appendChild($root);

    /* Ugly hack to add another namespace declaration to the root element. */
    $root->setAttributeNS(Constants::NS_SAMLP, 'samlp:tmp', 'tmp');
    $root->removeAttributeNS(Constants::NS_SAMLP, 'tmp');
    $root->setAttributeNS(Constants::NS_XSI, 'xsi:tmp', 'tmp');
    $root->removeAttributeNS(Constants::NS_XSI, 'tmp');
    $root->setAttributeNS(Constants::NS_XS, 'xs:tmp', 'tmp');
    $root->removeAttributeNS(Constants::NS_XS, 'tmp');

    $root->setAttribute('ID', $this->id);
    $root->setAttribute('Version', '2.0');
    $root->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z', $this->issueInstant));

    if (is_string($this->issuer)) {
        $issuer = Utils::addString($root, Constants::NS_SAML, 'saml:Issuer', $this->issuer);
    } elseif ($this->issuer instanceof XML\saml\Issuer) {
        $issuer = $this->issuer->toXML($root);
    }

    $this->addSubject($root);
    $this->addConditions($root);
    $this->addAuthnStatement($root);
    if ($this->requiredEncAttributes === false) {
        $this->addAttributeStatement($root);
    } else {
        $this->addEncryptedAttributeStatement($root);
    }

    /* The signature is inserted directly after the Issuer, as the schema requires. */
    if ($this->signatureKey !== null) {
        Utils::insertSignature($this->signatureKey, $this->certificates, $root, $issuer->nextSibling);
    }

    return $root;
}

◆ validate()

SAML2\Assertion::validate ( XMLSecurityKey  $key)

Validate this assertion against a public key.

If no signature was present on the assertion, we will return false. Otherwise, true will be returned. An exception is thrown if the signature validation fails.

Parameters
XMLSecurityKey $key The key we should check against.
Returns
boolean true if successful, false if it is unsigned.

Implements SAML2\SignedElement.

Definition at line 643 of file Assertion.php.

{
    assert($key->type === \RobRichards\XMLSecLibs\XMLSecurityKey::RSA_SHA256);

    /* No signature at all is reported as false, not as an error; the caller decides whether that is acceptable. */
    if ($this->signatureData === null) {
        return false;
    }

    /* An invalid signature throws. */
    Utils::validateSignature($this->signatureData, $key);

    return true;
}
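As an added example (not code from the SAML2 library or ILIAS), a service-provider-side acceptance check that builds on validate() and the Conditions getters documented above: parseConditions() keeps the tightest NotBefore/NotOnOrAfter window and the intersection of all AudienceRestriction sets, and validate() reports an unsigned assertion as false rather than throwing. The class name AssertionAcceptanceCheck, the clock-skew allowance and the reason strings are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the SAML2 library: collects every reason an
// assertion must be rejected, using only the public getters on this page.

use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Assertion;

final class AssertionAcceptanceCheck
{
    /** @var XMLSecurityKey public key of the IdP (loaded from its metadata by the caller) */
    private $idpKey;
    /** @var string entityID of this service provider */
    private $spEntityId;
    /** @var int tolerated clock skew in seconds (assumed default for this example) */
    private $clockSkew;

    public function __construct(XMLSecurityKey $idpKey, string $spEntityId, int $clockSkew = 60)
    {
        $this->idpKey = $idpKey;
        $this->spEntityId = $spEntityId;
        $this->clockSkew = $clockSkew;
    }

    /**
     * Returns the list of reasons the assertion must be rejected; an empty list
     * means it is acceptable. All checks run so a log entry can name each failure.
     *
     * @param Assertion $assertion the parsed assertion
     * @param int       $now       current UNIX time (passed in to keep the check testable)
     * @return string[]
     */
    public function reasons(Assertion $assertion, int $now): array
    {
        $reasons = [];

        // validate() returns false for an UNSIGNED assertion and only throws when
        // a signature is present but does not verify. A caller that ignores the
        // false return would accept any unsigned assertion, so it is rejected here.
        try {
            if (!$assertion->validate($this->idpKey)) {
                $reasons[] = 'assertion is not signed';
            }
        } catch (\Exception $e) {
            $reasons[] = 'signature verification failed: ' . $e->getMessage();
        }

        // getNotBefore()/getNotOnOrAfter() return null when Conditions set no limit.
        $notBefore = $assertion->getNotBefore();
        if ($notBefore !== null && $now + $this->clockSkew < $notBefore) {
            $reasons[] = 'assertion not yet valid (NotBefore)';
        }
        $notOnOrAfter = $assertion->getNotOnOrAfter();
        if ($notOnOrAfter !== null && $now - $this->clockSkew >= $notOnOrAfter) {
            $reasons[] = 'assertion expired (NotOnOrAfter)';
        }

        // getValidAudiences() is null when no AudienceRestriction was present
        // (every audience allowed). Two disjoint restrictions intersect to an
        // empty array, which correctly fails this membership test.
        $audiences = $assertion->getValidAudiences();
        if ($audiences !== null && !in_array($this->spEntityId, $audiences, true)) {
            $reasons[] = 'SP entityID is not among the allowed audiences';
        }

        // getNameId() throws while the NameID is still encrypted, so check first.
        if ($assertion->isNameIdEncrypted()) {
            $reasons[] = 'NameID is encrypted and has not been decrypted yet';
        }

        return $reasons;
    }
}
```

Because validate() asserts that the key type is RSA_SHA256, the IdP key passed to the constructor has to be created with that algorithm.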

Field Documentation

◆ $attributes

SAML2\Assertion::$attributes
private

◆ $attributesValueTypes

SAML2\Assertion::$attributesValueTypes
private

Definition at line 191 of file Assertion.php.

◆ $AuthenticatingAuthority

SAML2\Assertion::$AuthenticatingAuthority
private

Definition at line 156 of file Assertion.php.

◆ $authnContextClassRef

SAML2\Assertion::$authnContextClassRef
private

Definition at line 130 of file Assertion.php.

◆ $authnContextDecl

SAML2\Assertion::$authnContextDecl
private

Definition at line 140 of file Assertion.php.

◆ $authnContextDeclRef

SAML2\Assertion::$authnContextDeclRef
private

Definition at line 149 of file Assertion.php.

◆ $authnInstant

SAML2\Assertion::$authnInstant
private

Definition at line 123 of file Assertion.php.

◆ $certificates

SAML2\Assertion::$certificates
private

Definition at line 217 of file Assertion.php.

◆ $encryptedAttributes

SAML2\Assertion::$encryptedAttributes
private

Definition at line 68 of file Assertion.php.

◆ $encryptedNameId

SAML2\Assertion::$encryptedNameId
private

Definition at line 59 of file Assertion.php.

◆ $encryptionKey

SAML2\Assertion::$encryptionKey
private

Definition at line 75 of file Assertion.php.

◆ $id

SAML2\Assertion::$id
private

Definition at line 24 of file Assertion.php.

◆ $issueInstant

SAML2\Assertion::$issueInstant
private

Definition at line 31 of file Assertion.php.

◆ $issuer

SAML2\Assertion::$issuer
private

Definition at line 41 of file Assertion.php.

◆ $nameFormat

SAML2\Assertion::$nameFormat
private

Definition at line 201 of file Assertion.php.

◆ $nameId

SAML2\Assertion::$nameId
private

Definition at line 50 of file Assertion.php.

◆ $notBefore

SAML2\Assertion::$notBefore
private

◆ $notOnOrAfter

SAML2\Assertion::$notOnOrAfter
private

◆ $requiredEncAttributes

SAML2\Assertion::$requiredEncAttributes
private

Definition at line 232 of file Assertion.php.

◆ $sessionIndex

SAML2\Assertion::$sessionIndex
private

Definition at line 116 of file Assertion.php.

◆ $sessionNotOnOrAfter

SAML2\Assertion::$sessionNotOnOrAfter
private

Definition at line 107 of file Assertion.php.

◆ $signatureData

SAML2\Assertion::$signatureData
private

Definition at line 224 of file Assertion.php.

◆ $signatureKey

SAML2\Assertion::$signatureKey
private

Definition at line 210 of file Assertion.php.

◆ $signatureMethod

SAML2\Assertion::$signatureMethod
private

Definition at line 249 of file Assertion.php.

◆ $SubjectConfirmation

SAML2\Assertion::$SubjectConfirmation
private

Definition at line 239 of file Assertion.php.

◆ $validAudiences

SAML2\Assertion::$validAudiences
private

Definition at line 100 of file Assertion.php.

◆ $wasSignedAtConstruction

SAML2\Assertion::$wasSignedAtConstruction = false
protected

Definition at line 244 of file Assertion.php.


The documentation for this class was generated from the following file: