52 private $IDPList = array();
59 private $ProxyCount =
null;
67 private $RequesterID = array();
114 private $subjectConfirmation = array();
134 parent::__construct(
'AuthnRequest',
$xml);
136 $this->nameIdPolicy = array();
137 $this->forceAuthn =
false;
138 $this->isPassive =
false;
144 $this->forceAuthn = Utils::parseBoolean(
$xml,
'ForceAuthn',
false);
145 $this->isPassive = Utils::parseBoolean(
$xml,
'IsPassive',
false);
147 if (
$xml->hasAttribute(
'AssertionConsumerServiceURL')) {
148 $this->assertionConsumerServiceURL =
$xml->getAttribute(
'AssertionConsumerServiceURL');
151 if (
$xml->hasAttribute(
'ProtocolBinding')) {
152 $this->protocolBinding =
$xml->getAttribute(
'ProtocolBinding');
155 if (
$xml->hasAttribute(
'AttributeConsumingServiceIndex')) {
156 $this->attributeConsumingServiceIndex = (int)
$xml->getAttribute(
'AttributeConsumingServiceIndex');
159 if (
$xml->hasAttribute(
'AssertionConsumerServiceIndex')) {
160 $this->assertionConsumerServiceIndex = (int)
$xml->getAttribute(
'AssertionConsumerServiceIndex');
163 if (
$xml->hasAttribute(
'ProviderName')) {
164 $this->ProviderName =
$xml->getAttribute(
'ProviderName');
167 $this->parseSubject(
$xml);
168 $this->parseNameIdPolicy(
$xml);
169 $this->parseRequestedAuthnContext(
$xml);
170 $this->parseScoping(
$xml);
180 $subject = Utils::xpQuery(
$xml,
'./saml_assertion:Subject');
181 if (empty($subject)) {
185 if (count($subject) > 1) {
186 throw new \Exception(
'More than one <saml:Subject> in <saml:AuthnRequest>.');
188 $subject = $subject[0];
192 './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
195 throw new \Exception(
'Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
196 } elseif (count(
$nameId) > 1) {
197 throw new \Exception(
'More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
200 if (
$nameId->localName ===
'EncryptedData') {
202 $this->encryptedNameId =
$nameId;
207 $subjectConfirmation = Utils::xpQuery($subject,
'./saml_assertion:SubjectConfirmation');
208 foreach ($subjectConfirmation as
$sc) {
220 $nameIdPolicy = Utils::xpQuery(
$xml,
'./saml_protocol:NameIDPolicy');
221 if (empty($nameIdPolicy)) {
225 $nameIdPolicy = $nameIdPolicy[0];
226 if ($nameIdPolicy->hasAttribute(
'Format')) {
227 $this->nameIdPolicy[
'Format'] = $nameIdPolicy->getAttribute(
'Format');
229 if ($nameIdPolicy->hasAttribute(
'SPNameQualifier')) {
230 $this->nameIdPolicy[
'SPNameQualifier'] = $nameIdPolicy->getAttribute(
'SPNameQualifier');
232 if ($nameIdPolicy->hasAttribute(
'AllowCreate')) {
233 $this->nameIdPolicy[
'AllowCreate'] = Utils::parseBoolean($nameIdPolicy,
'AllowCreate',
false);
242 $requestedAuthnContext = Utils::xpQuery(
$xml,
'./saml_protocol:RequestedAuthnContext');
243 if (empty($requestedAuthnContext)) {
247 $requestedAuthnContext = $requestedAuthnContext[0];
250 'AuthnContextClassRef' => array(),
251 'Comparison' => Constants::COMPARISON_EXACT,
254 $accr = Utils::xpQuery($requestedAuthnContext,
'./saml_assertion:AuthnContextClassRef');
255 foreach ($accr as
$i) {
256 $rac[
'AuthnContextClassRef'][] = trim(
$i->textContent);
259 if ($requestedAuthnContext->hasAttribute(
'Comparison')) {
260 $rac[
'Comparison'] = $requestedAuthnContext->getAttribute(
'Comparison');
263 $this->requestedAuthnContext = $rac;
273 $scoping = Utils::xpQuery(
$xml,
'./saml_protocol:Scoping');
274 if (empty($scoping)) {
278 $scoping = $scoping[0];
280 if ($scoping->hasAttribute(
'ProxyCount')) {
281 $this->ProxyCount = (int) $scoping->getAttribute(
'ProxyCount');
283 $idpEntries = Utils::xpQuery($scoping,
'./saml_protocol:IDPList/saml_protocol:IDPEntry');
285 foreach ($idpEntries as $idpEntry) {
286 if (!$idpEntry->hasAttribute(
'ProviderID')) {
287 throw new \Exception(
"Could not get ProviderID from Scoping/IDPEntry element in AuthnRequest object");
289 $this->IDPList[] = $idpEntry->getAttribute(
'ProviderID');
292 $requesterIDs = Utils::xpQuery($scoping,
'./saml_protocol:RequesterID');
293 foreach ($requesterIDs as $requesterID) {
294 $this->RequesterID[] = trim($requesterID->textContent);
306 return $this->nameIdPolicy;
322 if (isset($nameIdPolicy[
'Format']) && !is_string($nameIdPolicy[
'Format'])) {
323 throw InvalidArgumentException::invalidType(
'string', $nameIdPolicy[
'Format']);
325 if (isset($nameIdPolicy[
'SPNameQualifier']) && !is_string($nameIdPolicy[
'SPNameQualifier'])) {
326 throw InvalidArgumentException::invalidType(
'string', $nameIdPolicy[
'SPNameQualifier']);
328 if (isset($nameIdPolicy[
'AllowCreate']) && !is_bool($nameIdPolicy[
'AllowCreate'])) {
329 throw InvalidArgumentException::invalidType(
'bool', $nameIdPolicy[
'AllowCreate']);
332 $this->nameIdPolicy = $nameIdPolicy;
343 return $this->forceAuthn;
354 assert(is_bool($forceAuthn));
356 $this->forceAuthn = $forceAuthn;
367 return $this->ProviderName;
378 assert(is_string($ProviderName));
380 $this->ProviderName = $ProviderName;
391 return $this->isPassive;
402 assert(is_bool($isPassive));
404 $this->isPassive = $isPassive;
425 $this->IDPList = $IDPList;
436 return $this->IDPList;
444 assert(is_int($ProxyCount));
445 $this->ProxyCount = $ProxyCount;
453 return $this->ProxyCount;
461 $this->RequesterID = $RequesterID;
469 return $this->RequesterID;
479 return $this->assertionConsumerServiceURL;
489 assert(is_string($assertionConsumerServiceURL) || is_null($assertionConsumerServiceURL));
491 $this->assertionConsumerServiceURL = $assertionConsumerServiceURL;
501 return $this->protocolBinding;
511 assert(is_string($protocolBinding) || is_null($protocolBinding));
513 $this->protocolBinding = $protocolBinding;
523 return $this->attributeConsumingServiceIndex;
533 assert(is_int($attributeConsumingServiceIndex) || is_null($attributeConsumingServiceIndex));
535 $this->attributeConsumingServiceIndex = $attributeConsumingServiceIndex;
545 return $this->assertionConsumerServiceIndex;
555 assert(is_int($assertionConsumerServiceIndex) || is_null($assertionConsumerServiceIndex));
557 $this->assertionConsumerServiceIndex = $assertionConsumerServiceIndex;
567 return $this->requestedAuthnContext;
577 assert(is_array($requestedAuthnContext) || is_null($requestedAuthnContext));
579 $this->requestedAuthnContext = $requestedAuthnContext;
590 if ($this->encryptedNameId !==
null) {
591 throw new \Exception(
'Attempted to retrieve encrypted NameID without decrypting it first.');
620 $doc = new \DOMDocument();
621 $root = $doc->createElement(
'root');
622 $doc->appendChild(
$root);
623 $this->nameId->toXML(
$root);
626 Utils::getContainer()->debugMessage(
$nameId,
'encrypt');
632 $enc->type = XMLSecEnc::Element;
636 $symmetricKey->generateSessionKey();
637 $enc->encryptKey(
$key, $symmetricKey);
639 $this->encryptedNameId = $enc->encryptNode($symmetricKey);
640 $this->nameId =
null;
651 if ($this->encryptedNameId ===
null) {
656 $nameId = Utils::decryptElement($this->encryptedNameId,
$key, $blacklist);
657 Utils::getContainer()->debugMessage(
$nameId,
'decrypt');
660 $this->encryptedNameId =
null;
670 return $this->subjectConfirmation;
680 $this->subjectConfirmation = $subjectConfirmation;
690 $root = parent::toUnsignedXML();
692 if ($this->forceAuthn) {
693 $root->setAttribute(
'ForceAuthn',
'true');
696 if ($this->ProviderName !==
null) {
697 $root->setAttribute(
'ProviderName', $this->ProviderName);
700 if ($this->isPassive) {
701 $root->setAttribute(
'IsPassive',
'true');
704 if ($this->assertionConsumerServiceIndex !==
null) {
705 $root->setAttribute(
'AssertionConsumerServiceIndex', $this->assertionConsumerServiceIndex);
707 if ($this->assertionConsumerServiceURL !==
null) {
708 $root->setAttribute(
'AssertionConsumerServiceURL', $this->assertionConsumerServiceURL);
710 if ($this->protocolBinding !==
null) {
711 $root->setAttribute(
'ProtocolBinding', $this->protocolBinding);
715 if ($this->attributeConsumingServiceIndex !==
null) {
716 $root->setAttribute(
'AttributeConsumingServiceIndex', $this->attributeConsumingServiceIndex);
719 $this->addSubject(
$root);
721 if (!empty($this->nameIdPolicy)) {
722 $nameIdPolicy = $this->document->createElementNS(Constants::NS_SAMLP,
'NameIDPolicy');
723 if (array_key_exists(
'Format', $this->nameIdPolicy)) {
724 $nameIdPolicy->setAttribute(
'Format', $this->nameIdPolicy[
'Format']);
726 if (array_key_exists(
'SPNameQualifier', $this->nameIdPolicy)) {
727 $nameIdPolicy->setAttribute(
'SPNameQualifier', $this->nameIdPolicy[
'SPNameQualifier']);
729 if (array_key_exists(
'AllowCreate', $this->nameIdPolicy)) {
730 $nameIdPolicy->setAttribute(
'AllowCreate', ($this->nameIdPolicy[
'AllowCreate']) ?
'true' :
'false');
732 $root->appendChild($nameIdPolicy);
735 $rac = $this->requestedAuthnContext;
736 if (!empty($rac) && !empty($rac[
'AuthnContextClassRef'])) {
737 $e = $this->document->createElementNS(Constants::NS_SAMLP,
'RequestedAuthnContext');
738 $root->appendChild($e);
739 if (isset($rac[
'Comparison']) && $rac[
'Comparison'] !== Constants::COMPARISON_EXACT) {
740 $e->setAttribute(
'Comparison', $rac[
'Comparison']);
742 foreach ($rac[
'AuthnContextClassRef'] as $accr) {
743 Utils::addString($e, Constants::NS_SAML,
'AuthnContextClassRef', $accr);
747 if ($this->ProxyCount !==
null || count($this->IDPList) > 0 || count($this->RequesterID) > 0) {
748 $scoping = $this->document->createElementNS(Constants::NS_SAMLP,
'Scoping');
749 $root->appendChild($scoping);
750 if ($this->ProxyCount !==
null) {
751 $scoping->setAttribute(
'ProxyCount', $this->ProxyCount);
753 if (count($this->IDPList) > 0) {
754 $idplist = $this->document->createElementNS(Constants::NS_SAMLP,
'IDPList');
756 $idpEntry = $this->document->createElementNS(Constants::NS_SAMLP,
'IDPEntry');
758 $idpEntry->setAttribute(
'ProviderID',
$provider);
760 foreach (
$provider as $attribute => $value) {
761 if (in_array($attribute, array(
766 $idpEntry->setAttribute($attribute, $value);
770 $idplist->appendChild($idpEntry);
772 $scoping->appendChild($idplist);
774 if (count($this->RequesterID) > 0) {
775 Utils::addStrings($scoping, Constants::NS_SAMLP,
'RequesterID',
false, $this->RequesterID);
790 if ($this->nameId ===
null && $this->encryptedNameId ===
null) {
794 $subject =
$root->ownerDocument->createElementNS(Constants::NS_SAML,
'saml:Subject');
795 $root->appendChild($subject);
797 if ($this->encryptedNameId ===
null) {
798 $this->nameId->toXML($subject);
800 $eid = $subject->ownerDocument->createElementNS(Constants::NS_SAML,
'saml:EncryptedID');
801 $eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId,
true));
802 $subject->appendChild($eid);
805 foreach ($this->subjectConfirmation as
$sc) {
806 $sc->toXML($subject);
An exception for terminatinating execution or to throw for unit testing.
setForceAuthn($forceAuthn)
Set the value of the ForceAuthn attribute.
getProviderName()
Retrieve the value of the ProviderName attribute.
getIDPList()
This function retrieves the list of providerIDs from this authentication request.
getIsPassive()
Retrieve the value of the IsPassive attribute.
setSubjectConfirmation(array $subjectConfirmation)
Set the SubjectConfirmation elements that should be included in the assertion.
setAssertionConsumerServiceURL($assertionConsumerServiceURL)
Set the value of the AssertionConsumerServiceURL attribute.
getNameIdPolicy()
Retrieve the NameIdPolicy.
parseScoping(\DOMElement $xml)
getForceAuthn()
Retrieve the value of the ForceAuthn attribute.
parseRequestedAuthnContext(\DOMElement $xml)
setRequestedAuthnContext($requestedAuthnContext)
Set the RequestedAuthnContext.
getAssertionConsumerServiceURL()
Retrieve the value of the AssertionConsumerServiceURL attribute.
getProtocolBinding()
Retrieve the value of the ProtocolBinding attribute.
$assertionConsumerServiceURL
getSubjectConfirmation()
Retrieve the SubjectConfirmation elements we have in our Subject element.
parseSubject(\DOMElement $xml)
getNameId()
Retrieve the NameId of the subject in the assertion.
setIsPassive($isPassive)
Set the value of the IsPassive attribute.
setRequesterID(array $RequesterID)
setNameIdPolicy(array $nameIdPolicy)
Set the NameIDPolicy.
setProxyCount($ProxyCount)
$attributeConsumingServiceIndex
toUnsignedXML()
Convert this authentication request to an XML element.
parseNameIdPolicy(\DOMElement $xml)
setIDPList(array $IDPList)
This function sets the scoping for the request.
addSubject(\DOMElement $root)
Add a Subject-node to the assertion.
setAssertionConsumerServiceIndex($assertionConsumerServiceIndex)
Set the value of the AssertionConsumerServiceIndex attribute.
encryptNameId(XMLSecurityKey $key)
Encrypt the NameID in the AuthnRequest.
getRequestedAuthnContext()
Retrieve the RequestedAuthnContext.
$assertionConsumerServiceIndex
setNameId($nameId)
Set the NameId of the subject in the assertion.
setProviderName($ProviderName)
Set the value of the ProviderName attribute.
decryptNameId(XMLSecurityKey $key, array $blacklist=array())
Decrypt the NameId of the subject in the assertion.
setProtocolBinding($protocolBinding)
Set the value of the ProtocolBinding attribute.
getAssertionConsumerServiceIndex()
Retrieve the value of the AssertionConsumerServiceIndex attribute.
__construct(\DOMElement $xml=null)
Constructor for SAML 2 authentication request messages.
setAttributeConsumingServiceIndex($attributeConsumingServiceIndex)
Set the value of the AttributeConsumingServiceIndex attribute.
getAttributeConsumingServiceIndex()
Retrieve the value of the AttributeConsumingServiceIndex attribute.