diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index c7ffb9b19739c25cb81e6b0975ab9a299bd5bab0..d0e8ccaecc80849427c7e4ea4500aed481cde480 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -491,12 +491,17 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
  * Handling attributes.
  */
 $base64 = isset($spmd['base64attributes']) ? $spmd['base64attributes'] : false;
+$nameidformat = isset($spmd['NameIDFormat']) ? $spmd['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
+
 $encodedattributes = '';
 foreach ($attributes AS $name => $values) {
 $encodedattributes .= self::enc_attribute($name, $values, $base64);
 }
 $attributestatement = '<saml:AttributeStatement>' . $encodedattributes . '</saml:AttributeStatement>';
-if (!$spmd['simplesaml.attributes'])
+
+$sendattributes = isset($spmd['simplesaml.attributes']) ? $spmd['simplesaml.attributes'] : true;
+
+if (!$sendattributes)
 $attributestatement = '';
@@ -504,10 +509,10 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
  * Handling NameID
  */
 $nameid = null;
-if ($spmd['NameIDFormat'] == self::EMAIL) {
-$nameid = $this->generateNameID($spmd['NameIDFormat'], $attributes[$spmd['simplesaml.nameidattribute']][0]);
+if ($nameidformat == self::EMAIL) {
+$nameid = $this->generateNameID($nameidformat, $attributes[$spmd['simplesaml.nameidattribute']][0]);
 } else {
-$nameid = $this->generateNameID($spmd['NameIDFormat'], self::generateID());
+$nameid = $this->generateNameID($nameidformat, self::generateID());
 }
 /**
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
index 1fe6972aa9ffd9825ba0b98dc8ae9a1b1339603b..ef3ae1666417e655f2e1637aeaf7b0cb20d840dd 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
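Review bot: The new fallback `$sendattributes = isset($spmd['simplesaml.attributes']) ? $spmd['simplesaml.attributes'] : true;` flips the behaviour for an SP entry that omits the key: before, the missing index evaluated false and no AttributeStatement was sent, now every attribute in `$attributes` is released unless the operator explicitly opts out. For an IdP, an absent release flag should fail closed (`: false`) or, if release-by-default is intended, the saml20-sp-remote template header must say so; the header added in this same commit lists the key as optional with no default. The enclosing method that builds the assertion starts and ends outside the hunk.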
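Review bot: The EMAIL branch still dereferences `$attributes[$spmd['simplesaml.nameidattribute']][0]` without checking that the metadata key is set or that the named attribute survived filtering, so a misconfigured SP (NameIDFormat email, no nameidattribute) gets an assertion with an empty NameID instead of an error. Add a guard before the call: `if (!isset($spmd['simplesaml.nameidattribute']) || !isset($attributes[$spmd['simplesaml.nameidattribute']][0])) throw new Exception('simplesaml.nameidattribute must name an attribute present in the assertion when NameIDFormat is email');`. The comparison `$nameidformat == self::EMAIL` is loose; if EMAIL is a string constant, `===` is the safer form. The enclosing method continues outside the hunk.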
@@ -83,7 +83,11 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
 $idpmetadata = $this->metadata->getMetaData($destination, 'shib13-idp-remote');
 $spmetadata = $this->metadata->getMetaData($this->getIssuer(), 'shib13-sp-hosted');
-$desturl = $idpmetadata['SingleSignOnUrl'];
+if (!isset($idpmetadata['SingleSignOnService'])) {
+throw new Exception('Could not find the SingleSignOnService parameter in the Shib 1.3 IdP Remote metadata. This parameter has changed name from an earlier version of simpleSAMLphp, when it was called SingleSignOnUrl. Please check your shib13-sp-remote.php configuration the IdP with entity id ' . $destination . ' and make sure the SingleSignOnService parameter is set.');
+}
+
+$desturl = $idpmetadata['SingleSignOnService'];
 $shire = $this->metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted');
 $target = $this->getRelayState();
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index 3d46c4c2f46fc4e816832e37292f0dc11fcd00f6..1dada8ea5bf4c6e6e189daa5d6c899e26ea2552d 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -4,6 +4,24 @@
  *
  * The SAML 2.0 IdP Hosted config is used by the SAML 2.0 IdP to identify itself.
  *
+ * Required parameters:
+ * - host
+ * - privatekey
+ * - certificate
+ * - auth
+ * - authority
+ *
+ * Optional Parameters:
+ *
+ *
+ * Request signing (optional paramters)
+ * When request.signing is true the privatekey and certificate of the SP
+ * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ * The certificate and privatekey from above will be used for signing and
+ * verification purposes.
+ *
+ * - request.signing
+ *
  */
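Review bot: The new exception message sends the administrator to `shib13-sp-remote.php`, but the metadata being checked is loaded two lines above with `getMetaData($destination, 'shib13-idp-remote')`, so the message names the wrong file and the sentence is also missing a word. Change it to `... Please check your shib13-idp-remote.php configuration for the IdP with entity id ' . $destination . ' ...`. The method this runs in starts and ends outside the hunk.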
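Review bot: The added "Request signing" paragraph says `the privatekey and certificate of the SP` are used, but this is the hosted IdP template and the keys it lists as required (`privatekey`, `certificate`) are the IdP's; the sentence was carried over from the SP template. Suggest `When request.signing is true the privatekey and certificate of this IdP will be used to sign/verify all messages received/sent with the HTTPRedirect binding.` and correct `paramters`. The header should also state what happens when `request.signing` is absent — whether HTTP-Redirect messages are then accepted unverified — because the example below this comment no longer sets it; that default is not visible in this diff.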
@@ -20,16 +38,7 @@ $metadata = array(
 'certificate' => 'server.crt',
 // Authentication plugin to use. login.php is the default one that uses LDAP.
-'auth' => 'auth/login.php',
-
-/*
- * When request.signing is true the privatekey and certificate of the SP
- * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
-
- * The certificate and privatekey from above will be used for signing and
- * verification purposes.
- */
-'request.signing' => true
+'auth' => 'auth/login.php'
 )
 );
diff --git a/metadata-templates/saml20-idp-remote.php b/metadata-templates/saml20-idp-remote.php
index a9e934c7d11f0bd82b68c025180f2768b8c4e2ad..1f385121986fc4fa5a6a144bd3b0eccb906ff236 100644
--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -16,6 +16,7 @@ $metadata = array(
 'idp.example.org' => array(
 'name' => 'Test',
 'description' => 'Description of this example entry',
+'SingleSignOnService' => 'https://idp.example.org/simplesaml/saml2/idp/SSOService.php',
 'SingleLogoutService' => 'https://idp.example.org/simplesaml/saml2/idp/SingleLogoutService.php',
 'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
diff --git a/metadata-templates/saml20-sp-hosted.php b/metadata-templates/saml20-sp-hosted.php
index 1600ce357062733130056a11cb667afdc6ccf61c..4a38eef7572af52036cd569747d040fda712d7a2 100644
--- a/metadata-templates/saml20-sp-hosted.php
+++ b/metadata-templates/saml20-sp-hosted.php
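Review bot: Dropping `'request.signing' => true` from the shipped hosted-IdP example changes the security posture of a fresh install: the comment being removed says this flag controls signing and verification of HTTP-Redirect messages, and an operator who copies the template now gets whatever the code's default is, which the diff does not show. Keep an explicit line in the example, `'request.signing' => true,`, with a one-line comment pointing at the header, or state the default in the header so the choice is deliberate rather than silent. The `$metadata` array continues past the hunk.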
@@ -4,6 +4,22 @@
  *
  * The SAML 2.0 IdP Remote config is used by the SAML 2.0 SP to identify itself.
  *
+ * Required fields:
+ * - host
+ *
+ * Optional fields:
+ * - NameIDFormat
+ * - ForceAuthn
+ *
+ * Authentication request signing
+ * When request.signing is true the privatekey and certificate of the SP
+ * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
+ * Certificate and privatekey must be placed in the cert directory.
+ * All these attributes are optional:
+ *
+ * - 'request.signing' => true,
+ * - 'privatekey' => 'server.pem',
+ * - 'certificate' => 'server.pem',
  */
 $metadata = array(
@@ -11,23 +27,8 @@ $metadata = array(
 /*
  * Example of a hosted SP
  */
-'sp.example.org' => array(
-'host' => 'sp.example.org',
-'spNameQualifier' => 'sp.example.org',
-'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-'ForceAuthn' => 'false',
-
-
-/*
- * When request.signing is true the privatekey and certificate of the SP
- * will be used to sign/verify all messages received/sent with the HTTPRedirect binding.
- *
- * Certificate and privatekey must be placed in the cert directory.
- */
-'request.signing' => true,
-'privatekey' => 'server.pem',
-'certificate' => 'server.pem',
-
+'sp-entityid' => array(
+'host' => 'sp.example.org'
 )
 );
diff --git a/metadata-templates/saml20-sp-remote.php b/metadata-templates/saml20-sp-remote.php
index eee631f75213f410ef91c39775270a1d403302cc..0778573848f503f6baaafcfc927968b286028dab 100644
--- a/metadata-templates/saml20-sp-remote.php
+++ b/metadata-templates/saml20-sp-remote.php
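Review bot: The new header calls `request.signing`, `privatekey` and `certificate` optional but never says what the SP does when they are absent — in particular whether an unsigned HTTP-Redirect message (a logout request or response) is then accepted without verification; that default is what an operator reading this template needs, and the diff does not show it. Suggest adding after "All these attributes are optional:" a line such as `(when request.signing is absent or false, messages on the HTTPRedirect binding are neither signed nor verified — confirm against the SP code)`, with the parenthetical checked against the actual behaviour before commit. The unchanged first sentence, `The SAML 2.0 IdP Remote config is used by the SAML 2.0 SP to identify itself`, describes the wrong file: this is the SP Hosted config.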
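Review bot: The example's array key changes from `'sp.example.org'` to `'sp-entityid'`, and the admin check in www/admin/metadata.php in this same commit lists `entityid` as required next to `host`, yet the header above lists only `host` under "Required fields"; if the array key is what supplies the entity id, the header should say `- entityid (the array key; this is the SP's SAML entityID)` so operators do not leave the placeholder in place. As it stands a copied template would advertise the literal entity id `sp-entityid`. The `$metadata` array is closed within the hunk.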
@@ -4,16 +4,30 @@
  *
  * The SAML 2.0 SP Remote config is used by the SAML 2.0 IdP to identify trusted SAML 2.0 SPs.
  *
- * Required parameters:
- *
- * spNameQualifier
- * NameIDFormat
- * simplesaml.attributes (Will you send an attributestatement [true/false])
+ * Required parameters:
+ * - AssertionConsumerService
+ * - SingleLogoutService
  *
- * Optional parameters:
+ * Optional parameters:
  *
- * ForceAuthn (default: "false")
- * simplesaml.nameidattribute (only needed when you are using NameID format email.
+ * - simplesaml.attributes (Will you send an attributestatement [true/false])
+ * - NameIDFormat
+ * - ForceAuthn (default: "false")
+ * - simplesaml.nameidattribute (only needed when you are using NameID format email.
+ *
+ * - 'base64attributes' => false,
+ * - 'simplesaml.attributes' => true,
+ * - 'attributemap' => 'test',
+ * - 'attributes' => array('mail'),
+ *
+ * Request signing
+ * When request.signing is true the certificate of the sp
+ * will be used to verify all messages received with the HTTPRedirect binding.
+ * The certificate from the SP must be installed in the cert directory
+ * before verification can be done.
+ *
+ * 'request.signing' => false,
+ * 'certificate' => "saml2sp.example.org.crt"
  *
  */
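Review bot: The header now lists `simplesaml.attributes` as optional without a default, while AuthnResponse.php in this same commit treats an absent key as `true`, so attributes are released to any SP whose entry omits it; that needs to be explicit here, e.g. `- simplesaml.attributes (send an AttributeStatement to this SP; default: true, i.e. attributes are released unless set to false)`. `ForceAuthn (default: "false")` reads as a quoted string, and a non-empty string is truthy in PHP, so document it as the boolean `false` to keep operators from writing `'false'`. The `simplesaml.nameidattribute` line is missing its closing parenthesis and should say the key is required, not merely "needed", when NameIDFormat is email, because the response code indexes `$attributes` by it unconditionally.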
@@ -24,28 +38,7 @@ $metadata = array(
  */
 'saml2sp.example.org' => array(
 'AssertionConsumerService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/AssertionConsumerService.php',
-'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php',
-'ForceAuthn' => 'false',
-'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
-
-/* If base64attributes is set to true, then all attributes will be base64 encoded. Make sure
- * that you set the SP to have the same value for this.
- */
-'base64attributes' => false,
-'simplesaml.attributes' => true,
-//'attributemap' => 'test',
-//'attributes' => array('mail'),
-
-
-/*
- * When request.signing is true the certificate of the sp
- * will be used to verify all messages received with the HTTPRedirect binding.
- *
- * The certificate from the SP must be installed in the cert directory
- * before verification can be done.
- */
-'request.signing' => false,
-'certificate' => "saml2sp.example.org.crt"
+'SingleLogoutService' => 'https://saml2sp.example.org/simplesaml/saml2/sp/SingleLogoutService.php'
 ),
 /*
@@ -57,9 +50,7 @@ $metadata = array(
 'google.com' => array(
 'AssertionConsumerService' => 'https://www.google.com/a/g.feide.no/acs',
 'SingleLogoutService' => '',
-'ForceAuthn' => 'false',
 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
-'simplesaml.nameidattribute' => 'uid',
 'simplesaml.attributes' => false
 )
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index 1217f40a4124d031024fa5b71f110295d7841ff8..d6f1761eae1fa4b0d1f6bd536b87a7727d1809e4 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
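Review bot: The google.com entry keeps `'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email'` but removes `'simplesaml.nameidattribute' => 'uid'`, even though the header of this same file says that key is needed for the email format and AuthnResponse.php in this commit builds the NameID from `$attributes[$spmd['simplesaml.nameidattribute']][0]`; copied as-is the example would issue an email-format NameID with no value. Keep the line `'simplesaml.nameidattribute' => 'uid',` in the example. The `$metadata` array is closed outside the hunk.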
@@ -33,8 +33,8 @@ try {
 $metalist = $metadata->getList('saml20-sp-hosted');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
-array('request.signing','certificate','privatekey')
+array('entityid', 'host'),
+array('request.signing','certificate','privatekey', 'NameIDFormat', 'ForceAuthn')
 );
 }
 $et->data['metadata.saml20-sp-hosted'] = $results;
@@ -66,8 +66,8 @@ try {
 $metalist = $metadata->getList('saml20-sp-remote');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-array('entityid', 'AssertionConsumerService', 'SingleLogoutService', 'NameIDFormat'),
-array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate')
+array('entityid', 'AssertionConsumerService', 'SingleLogoutService'),
+array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description','request.signing','certificate', 'NameIDFormat')
 );
 }
 $et->data['metadata.saml20-sp-remote'] = $results;
@@ -83,8 +83,8 @@ try {
 $metalist = $metadata->getList('shib13-sp-hosted');
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
-array('entityid', 'host', 'NameIDFormat', 'ForceAuthn'),
-array()
+array('entityid', 'host'),
+array('NameIDFormat', 'ForceAuthn')
 );
 }
 $et->data['metadata.shib13-sp-hosted'] = $results;
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 5c2c6fdcdffbd406b90ec9b9d6eca2fd668af142..2bee682168d6969be737a4563b2f2be1c63a528c 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
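Review bot: The saml20-sp-remote optional list gains `NameIDFormat` but still omits `ForceAuthn` and `simplesaml.nameidattribute`, both of which the saml20-sp-remote template header in this same commit documents as optional parameters; if checkAssocArrayRules reports keys found in neither list (its implementation is not in the diff), a correctly configured email-NameID SP will be flagged on the admin page while the real omission — a missing nameidattribute for an email-format entry — goes unreported. Change the optional array to `array('base64attributes', 'attributemap', 'simplesaml.attributes', 'attributes', 'name', 'description', 'request.signing', 'certificate', 'NameIDFormat', 'ForceAuthn', 'simplesaml.nameidattribute')`. The enclosing try block starts and ends outside the hunk.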
@@ -196,6 +196,9 @@ if (!isset($session) || !$session->isValid($authority) ) {
 }
 $filteredattributes = $afilter->getAttributes();
+
+//echo '<pre>before filter:' ; print_r($session->getAttributes()); echo "\n\n"; print_r($filteredattributes); echo '</pre>'; exit;
+
 // Generate an SAML 2.0 AuthNResponse message
 $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes);
diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php
index 71ac5b1a81a9bd1dc65d45b0eb71411bd72a3795..731cdd13c8893a649429f26e129e6d1b03185cb7 100644
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -68,7 +68,7 @@ if (isset($_GET['shire'])) {
 $logger->log(LOG_INFO, $session->getTrackID(), 'Shib1.3', 'IdP.SSOService', 'EVENT', $requestid, 'Got incomming Shib authnRequest');
 } catch(Exception $exception) {
-SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST');
+SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
 }
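Review bot: The commented-out line added after `$filteredattributes = $afilter->getAttributes();` would print the entire unfiltered session attribute set and the filtered set to the browser and then `exit`, and committing it into the IdP's SSO endpoint invites someone to uncomment it on a production host, where it would leak every user attribute — including those the filter was meant to withhold — before the response is generated. Delete the line rather than keep it as a comment; if a debugging aid is wanted, log the attribute names (not values) through the file's logger at a debug level. The surrounding conditional starts outside the hunk.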