diff --git a/docs/simplesamlphp-reference-idp-remote.md b/docs/simplesamlphp-reference-idp-remote.md
index 0859495d56af5809a89ddede4c4e5f59f03a3638..dc96af4e73532cc60682b61f5ea0194042423504 100644
--- a/docs/simplesamlphp-reference-idp-remote.md
+++ b/docs/simplesamlphp-reference-idp-remote.md
@@ -104,6 +104,26 @@ SAML 2.0 options
The following SAML 2.0 options are available:
+`AuthnContextClassRef`
+: The AuthnContextClassRef that will be sent in the login request.
+
+: Note that this option also exists in the SP configuration. This
+ entry in the IdP-remote metadata overrides the option in the
+ [SP configuration](./saml:sp).
+
+`AuthnContextComparison`
+
+: The Comparison attribute of the AuthnContext that will be sent in the login request. This parameter won't be used unless AuthnContextClassRef is set and contains one or more values. Possible values:
+
+ SAML2\Constants::COMPARISON_EXACT (default)
+ SAML2\Constants::COMPARISON_BETTER
+ SAML2\Constants::COMPARISON_MINIMUM
+ SAML2\Constants::COMPARISON_MAXIMUM
+
+: Note that this option also exists in the SP configuration. This
+ entry in the IdP-remote metadata overrides the option in the
+ [SP configuration](./saml:sp).
+
`disable_scoping`
: Whether sending of samlp:Scoping elements in authentication requests should be suppressed. The default value is `FALSE`.
When set to `TRUE`, no scoping elements will be sent. This does not comply with the SAML2 specification, but allows
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 62cf5331e1b3cad865a1400317a54a0fd7b49f92..2c79d6712100774e7ccc4553a9f1ba45d6148093 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -2,8 +2,25 @@
namespace SimpleSAML\Module\saml\Auth\Source;
+use SAML2\AuthnRequest;
+use SAML2\Binding;
+use SAML2\Constants;
+use SAML2\XML\saml\NameID;
+
+use SimpleSAML\Auth\ProcessingChain;
use SimpleSAML\Auth\Source;
use SimpleSAML\Auth\State;
+use SimpleSAML\Configuration;
+use SimpleSAML\IdP;
+use SimpleSAML\Logger;
+use SimpleSAML\Metadata\MetaDataStorageHandler;
+use SimpleSAML\Module;
+use SimpleSAML\Session;
+use SimpleSAML\Store;
+use SimpleSAML\Utils\Arrays;
+use SimpleSAML\Utils\Config\Metadata;
+use SimpleSAML\Utils\Crypto;
+use SimpleSAML\Utils\HTTP;
class SP extends Source
{
@@ -72,7 +89,7 @@ class SP extends Source
* gives the entity id. */
$config['entityid'] = $config['entityID'];
- $this->metadata = \SimpleSAML\Configuration::loadFromArray(
+ $this->metadata = Configuration::loadFromArray(
$config,
'authsources['.var_export($this->authId, true).']'
);
@@ -81,8 +98,8 @@ class SP extends Source
$this->discoURL = $this->metadata->getString('discoURL', null);
$this->disable_scoping = $this->metadata->getBoolean('disable_scoping', false);
- if (empty($this->discoURL) && \SimpleSAML\Module::isModuleEnabled('discojuice')) {
- $this->discoURL = \SimpleSAML\Module::getModuleURL('discojuice/central.php');
+ if (empty($this->discoURL) && Module::isModuleEnabled('discojuice')) {
+ $this->discoURL = Module::getModuleURL('discojuice/central.php');
}
}
@@ -94,7 +111,7 @@ class SP extends Source
*/
public function getMetadataURL()
{
- return \SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/'.urlencode($this->authId));
+ return Module::getModuleURL('saml/sp/metadata.php/'.urlencode($this->authId));
}
@@ -128,9 +145,9 @@ class SP extends Source
if ($this->metadata->hasValue('NameIDValue')) {
$format = $this->metadata->getValue('NameIDPolicy');
if (is_array($format)) {
- $metadata['NameIDFormat'] = \SimpleSAML\Configuration::loadFromArray($format)->getString(
+ $metadata['NameIDFormat'] = Configuration::loadFromArray($format)->getString(
'Format',
- \SAML2\Constants::NAMEID_TRANSIENT
+ Constants::NAMEID_TRANSIENT
);
} elseif (is_string($format)) {
$metadata['NameIDFormat'] = $format;
@@ -178,11 +195,11 @@ class SP extends Source
// add contacts
$contacts = $this->metadata->getArray('contact', []);
foreach ($contacts as $contact) {
- $metadata['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
+ $metadata['contacts'][] = Metadata::getContact($contact);
}
// add technical contact
- $globalConfig = \SimpleSAML\Configuration::getInstance();
+ $globalConfig = Configuration::getInstance();
$email = $globalConfig->getString('technicalcontact_email', 'na@example.org');
if ($email && $email !== 'na@example.org') {
$contact = [
@@ -190,11 +207,11 @@ class SP extends Source
'name' => $globalConfig->getString('technicalcontact_name', null),
'contactType' => 'technical',
];
- $metadata['contacts'][] = \SimpleSAML\Utils\Config\Metadata::getContact($contact);
+ $metadata['contacts'][] = Metadata::getContact($contact);
}
// add certificate(s)
- $certInfo = \SimpleSAML\Utils\Crypto::loadPublicKey($this->metadata, false, 'new_');
+ $certInfo = Crypto::loadPublicKey($this->metadata, false, 'new_');
$hasNewCert = false;
if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
$hasNewCert = true;
@@ -204,7 +221,7 @@ class SP extends Source
'encryption' => true,
'X509Certificate' => $certInfo['certData'],
'prefix' => 'new_',
- 'url' => \SimpleSAML\Module::getModuleURL(
+ 'url' => Module::getModuleURL(
'admin/cert',
[
'sp' => $this->getAuthId(),
@@ -215,7 +232,7 @@ class SP extends Source
];
}
- $certInfo = \SimpleSAML\Utils\Crypto::loadPublicKey($this->metadata);
+ $certInfo = Crypto::loadPublicKey($this->metadata);
if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
$metadata['keys'][] = [
'type' => 'X509Certificate',
@@ -223,7 +240,7 @@ class SP extends Source
'encryption' => $hasNewCert ? false : true,
'X509Certificate' => $certInfo['certData'],
'prefix' => '',
- 'url' => \SimpleSAML\Module::getModuleURL(
+ 'url' => Module::getModuleURL(
'admin/cert',
[
'sp' => $this->getAuthId(),
@@ -278,14 +295,14 @@ class SP extends Source
var_export($entityId, true).' because it isn\'t a valid IdP for this SP.');
}
- $metadataHandler = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+ $metadataHandler = MetaDataStorageHandler::getMetadataHandler();
// First, look in saml20-idp-remote.
try {
return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
} catch (\Exception $e) {
// Metadata wasn't found
- \SimpleSAML\Logger::debug('getIdpMetadata: '.$e->getMessage());
+ Logger::debug('getIdpMetadata: '.$e->getMessage());
}
// Not found in saml20-idp-remote, look in shib13-idp-remote
@@ -293,7 +310,7 @@ class SP extends Source
return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
} catch (\Exception $e) {
// Metadata wasn't found
- \SimpleSAML\Logger::debug('getIdpMetadata: '.$e->getMessage());
+ Logger::debug('getIdpMetadata: '.$e->getMessage());
}
// Not found
@@ -334,50 +351,50 @@ class SP extends Source
{
$endpoints = [];
$default = [
- \SAML2\Constants::BINDING_HTTP_POST,
+ Constants::BINDING_HTTP_POST,
'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
- \SAML2\Constants::BINDING_HTTP_ARTIFACT,
+ Constants::BINDING_HTTP_ARTIFACT,
'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
];
- if ($this->metadata->getString('ProtocolBinding', '') === \SAML2\Constants::BINDING_HOK_SSO) {
- $default[] = \SAML2\Constants::BINDING_HOK_SSO;
+ if ($this->metadata->getString('ProtocolBinding', '') === Constants::BINDING_HOK_SSO) {
+ $default[] = Constants::BINDING_HOK_SSO;
}
$bindings = $this->metadata->getArray('acs.Bindings', $default);
$index = 0;
foreach ($bindings as $service) {
switch ($service) {
- case \SAML2\Constants::BINDING_HTTP_POST:
+ case Constants::BINDING_HTTP_POST:
$acs = [
- 'Binding' => \SAML2\Constants::BINDING_HTTP_POST,
- 'Location' => \SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
+ 'Binding' => Constants::BINDING_HTTP_POST,
+ 'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
];
- if (!in_array(\SAML2\Constants::NS_SAMLP, $this->protocols, true)) {
- $this->protocols[] = \SAML2\Constants::NS_SAMLP;
+ if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
+ $this->protocols[] = Constants::NS_SAMLP;
}
break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
$acs = [
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
- 'Location' => \SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->getAuthId()),
+ 'Location' => Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->getAuthId()),
];
if (!in_array('urn:oasis:names:tc:SAML:1.0:profiles:browser-post', $this->protocols, true)) {
$this->protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
}
break;
- case \SAML2\Constants::BINDING_HTTP_ARTIFACT:
+ case Constants::BINDING_HTTP_ARTIFACT:
$acs = [
- 'Binding' => \SAML2\Constants::BINDING_HTTP_ARTIFACT,
- 'Location' => \SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
+ 'Binding' => Constants::BINDING_HTTP_ARTIFACT,
+ 'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
];
- if (!in_array(\SAML2\Constants::NS_SAMLP, $this->protocols, true)) {
- $this->protocols[] = \SAML2\Constants::NS_SAMLP;
+ if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
+ $this->protocols[] = Constants::NS_SAMLP;
}
break;
case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
$acs = [
'Binding' => 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
- 'Location' => \SimpleSAML\Module::getModuleURL(
+ 'Location' => Module::getModuleURL(
'saml/sp/saml1-acs.php/'.$this->getAuthId().'/artifact'
),
];
@@ -385,14 +402,14 @@ class SP extends Source
$this->protocols[] = 'urn:oasis:names:tc:SAML:1.1:protocol';
}
break;
- case \SAML2\Constants::BINDING_HOK_SSO:
+ case Constants::BINDING_HOK_SSO:
$acs = [
- 'Binding' => \SAML2\Constants::BINDING_HOK_SSO,
- 'Location' => \SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
- 'hoksso:ProtocolBinding' => \SAML2\Constants::BINDING_HTTP_REDIRECT,
+ 'Binding' => Constants::BINDING_HOK_SSO,
+ 'Location' => Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->getAuthId()),
+ 'hoksso:ProtocolBinding' => Constants::BINDING_HTTP_REDIRECT,
];
- if (!in_array(\SAML2\Constants::NS_SAMLP, $this->protocols, true)) {
- $this->protocols[] = \SAML2\Constants::NS_SAMLP;
+ if (!in_array(Constants::NS_SAMLP, $this->protocols, true)) {
+ $this->protocols[] = Constants::NS_SAMLP;
}
break;
}
@@ -412,19 +429,19 @@ class SP extends Source
*/
private function getSLOEndpoints()
{
- $store = \SimpleSAML\Store::getInstance();
+ $store = Store::getInstance();
$bindings = $this->metadata->getArray(
'SingleLogoutServiceBinding',
[
- \SAML2\Constants::BINDING_HTTP_REDIRECT,
- \SAML2\Constants::BINDING_SOAP,
+ Constants::BINDING_HTTP_REDIRECT,
+ Constants::BINDING_SOAP,
]
);
- $location = \SimpleSAML\Module::getModuleURL('saml/sp/saml2-logout.php/'.$this->getAuthId());
+ $location = Module::getModuleURL('saml/sp/saml2-logout.php/'.$this->getAuthId());
$endpoints = [];
foreach ($bindings as $binding) {
- if ($binding == \SAML2\Constants::BINDING_SOAP && !($store instanceof \SimpleSAML\Store\SQL)) {
+ if ($binding == Constants::BINDING_SOAP && !($store instanceof Store\SQL)) {
// we cannot properly support SOAP logout
continue;
}
@@ -444,7 +461,7 @@ class SP extends Source
* @param array $state The state array for the current authentication.
* @return void
*/
- private function startSSO1(\SimpleSAML\Configuration $idpMetadata, array $state)
+ private function startSSO1(Configuration $idpMetadata, array $state)
{
$idpEntityId = $idpMetadata->getString('entityid');
@@ -462,16 +479,16 @@ class SP extends Source
}
if ($useArtifact) {
- $shire = \SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->authId.'/artifact');
+ $shire = Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->authId.'/artifact');
} else {
- $shire = \SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->authId);
+ $shire = Module::getModuleURL('saml/sp/saml1-acs.php/'.$this->authId);
}
$url = $ar->createRedirect($idpEntityId, $shire);
- \SimpleSAML\Logger::debug('Starting SAML 1 SSO to '.var_export($idpEntityId, true).
+ Logger::debug('Starting SAML 1 SSO to '.var_export($idpEntityId, true).
' from '.var_export($this->entityId, true).'.');
- \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
+ HTTP::redirectTrustedURL($url);
}
@@ -482,32 +499,40 @@ class SP extends Source
* @param array $state The state array for the current authentication.
* @return void
*/
- private function startSSO2(\SimpleSAML\Configuration $idpMetadata, array $state)
+ private function startSSO2(Configuration $idpMetadata, array $state)
{
if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
State::throwException(
$state,
- new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
+ new Module\saml\Error\ProxyCountExceeded(Constants::STATUS_RESPONDER)
);
}
- $ar = \SimpleSAML\Module\saml\Message::buildAuthnRequest($this->metadata, $idpMetadata);
+ $ar = Module\saml\Message::buildAuthnRequest($this->metadata, $idpMetadata);
- $ar->setAssertionConsumerServiceURL(\SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->authId));
+ $ar->setAssertionConsumerServiceURL(Module::getModuleURL('saml/sp/saml2-acs.php/'.$this->authId));
if (isset($state['\SimpleSAML\Auth\Source.ReturnURL'])) {
$ar->setRelayState($state['\SimpleSAML\Auth\Source.ReturnURL']);
}
- if (isset($state['saml:AuthnContextClassRef'])) {
- $accr = \SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
- $comp = \SAML2\Constants::COMPARISON_EXACT;
- if (isset($state['saml:AuthnContextComparison'])
+ $accr = null;
+ if ($idpMetadata->getString('AuthnContextClassRef', false)) {
+ $accr = Arrays::arrayize($idpMetadata->getString('AuthnContextClassRef'));
+ } else if (isset($state['saml:AuthnContextClassRef'])) {
+ $accr = Arrays::arrayize($state['saml:AuthnContextClassRef']);
+ }
+
+ if ($accr !== null) {
+ $comp = Constants::COMPARISON_EXACT;
+ if ($idpMetadata->getString('AuthnContextComparison', false)) {
+ $comp = $idpMetadata->getString('AuthnContextComparison');
+ } else if (isset($state['saml:AuthnContextComparison'])
&& in_array($state['AuthnContextComparison'], [
- \SAML2\Constants::COMPARISON_EXACT,
- \SAML2\Constants::COMPARISON_MINIMUM,
- \SAML2\Constants::COMPARISON_MAXIMUM,
- \SAML2\Constants::COMPARISON_BETTER,
+ Constants::COMPARISON_EXACT,
+ Constants::COMPARISON_MINIMUM,
+ Constants::COMPARISON_MAXIMUM,
+ Constants::COMPARISON_BETTER,
], true)) {
$comp = $state['saml:AuthnContextComparison'];
}
@@ -527,12 +552,12 @@ class SP extends Source
}
if (isset($state['saml:NameID'])) {
- if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
+ if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], NameID::class)) {
throw new \SimpleSAML\Error\Exception('Invalid value of $state[\'saml:NameID\'].');
}
$nameId = $state['saml:NameID'];
- $nid = new \SAML2\XML\saml\NameID();
+ $nid = new NameID();
if (!array_key_exists('Value', $nameId)) {
throw new \InvalidArgumentException('Missing "Value" in array, cannot create NameID from it.');
}
@@ -564,7 +589,7 @@ class SP extends Source
} elseif (is_array($state['saml:NameIDPolicy'])) {
$policy = $state['saml:NameIDPolicy'];
} elseif ($state['saml:NameIDPolicy'] === null) {
- $policy = ['Format' => \SAML2\Constants::NAMEID_TRANSIENT];
+ $policy = ['Format' => Constants::NAMEID_TRANSIENT];
}
if ($policy !== null) {
$ar->setNameIdPolicy($policy);
@@ -597,7 +622,7 @@ class SP extends Source
$requesterID[] = $state['core:SP'];
}
} else {
- \SimpleSAML\Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
+ Logger::debug('Disabling samlp:Scoping for '.var_export($idpMetadata->getString('entityid'), true));
}
$ar->setIDPList(
@@ -622,30 +647,30 @@ class SP extends Source
$id = State::saveState($state, 'saml:sp:sso', true);
$ar->setId($id);
- \SimpleSAML\Logger::debug(
+ Logger::debug(
'Sending SAML 2 AuthnRequest to '.var_export($idpMetadata->getString('entityid'), true)
);
// Select appropriate SSO endpoint
- if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
+ if ($ar->getProtocolBinding() === Constants::BINDING_HOK_SSO) {
$dst = $idpMetadata->getDefaultEndpoint(
'SingleSignOnService',
[
- \SAML2\Constants::BINDING_HOK_SSO
+ Constants::BINDING_HOK_SSO
]
);
} else {
$dst = $idpMetadata->getEndpointPrioritizedByBinding(
'SingleSignOnService',
[
- \SAML2\Constants::BINDING_HTTP_REDIRECT,
- \SAML2\Constants::BINDING_HTTP_POST,
+ Constants::BINDING_HTTP_REDIRECT,
+ Constants::BINDING_HTTP_POST,
]
);
}
$ar->setDestination($dst['Location']);
- $b = \SAML2\Binding::getBinding($dst['Binding']);
+ $b = Binding::getBinding($dst['Binding']);
$this->sendSAML2AuthnRequest($state, $b, $ar);
@@ -663,7 +688,7 @@ class SP extends Source
* @param \SAML2\AuthnRequest $ar The authentication request.
* @return void
*/
- public function sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
+ public function sendSAML2AuthnRequest(array &$state, Binding $binding, AuthnRequest $ar)
{
$binding->send($ar);
assert(false);
@@ -711,10 +736,10 @@ class SP extends Source
$discoURL = $this->discoURL;
if ($discoURL === null) {
// Fallback to internal discovery service
- $discoURL = \SimpleSAML\Module::getModuleURL('saml/disco.php');
+ $discoURL = Module::getModuleURL('saml/disco.php');
}
- $returnTo = \SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', ['AuthID' => $id]);
+ $returnTo = Module::getModuleURL('saml/sp/discoresp.php', ['AuthID' => $id]);
$params = [
'entityID' => $this->entityId,
@@ -730,7 +755,7 @@ class SP extends Source
$params['isPassive'] = 'true';
}
- \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
+ HTTP::redirectTrustedURL($discoURL, $params);
}
@@ -757,22 +782,22 @@ class SP extends Source
if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
// we have a SAML IDPList (we are a proxy): filter the list of IdPs available
- $mdh = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+ $mdh = MetaDataStorageHandler::getMetadataHandler();
$known_idps = $mdh->getList();
$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
if (empty($intersection)) {
// all requested IdPs are unknown
- throw new \SimpleSAML\Module\saml\Error\NoSupportedIDP(
- \SAML2\Constants::STATUS_REQUESTER,
+ throw new Module\saml\Error\NoSupportedIDP(
+ Constants::STATUS_REQUESTER,
'None of the IdPs requested are supported by this proxy.'
);
}
if (!is_null($idp) && !in_array($idp, $intersection, true)) {
// the IdP is enforced but not in the IDPList
- throw new \SimpleSAML\Module\saml\Error\NoAvailableIDP(
- \SAML2\Constants::STATUS_REQUESTER,
+ throw new Module\saml\Error\NoAvailableIDP(
+ Constants::STATUS_REQUESTER,
'None of the IdPs requested are available to this proxy.'
);
}
@@ -806,7 +831,7 @@ class SP extends Source
{
assert(is_array($state));
- $session = \SimpleSAML\Session::getSessionFromRequest();
+ $session = Session::getSessionFromRequest();
$data = $session->getAuthState($this->authId);
foreach ($data as $k => $v) {
$state[$k] = $v;
@@ -823,14 +848,14 @@ class SP extends Source
* First, check if we recognize any of the IdPs requested.
*/
- $mdh = \SimpleSAML\Metadata\MetaDataStorageHandler::getMetadataHandler();
+ $mdh = MetaDataStorageHandler::getMetadataHandler();
$known_idps = $mdh->getList();
$intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
if (empty($intersection)) {
// all requested IdPs are unknown
- throw new \SimpleSAML\Module\saml\Error\NoSupportedIDP(
- \SAML2\Constants::STATUS_REQUESTER,
+ throw new Module\saml\Error\NoSupportedIDP(
+ Constants::STATUS_REQUESTER,
'None of the IdPs requested are supported by this proxy.'
);
}
@@ -842,8 +867,8 @@ class SP extends Source
*/
if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) {
// an IdP is enforced but not requested
- throw new \SimpleSAML\Module\saml\Error\NoAvailableIDP(
- \SAML2\Constants::STATUS_REQUESTER,
+ throw new Module\saml\Error\NoAvailableIDP(
+ Constants::STATUS_REQUESTER,
'None of the IdPs requested are available to this proxy.'
);
}
@@ -853,7 +878,7 @@ class SP extends Source
* starting the authentication process again with a different IdP, or
* cancel the current SSO attempt.
*/
- \SimpleSAML\Logger::warning(
+ Logger::warning(
"Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
"provided by the Service Provider '${state['core:SP']}'."
);
@@ -894,16 +919,16 @@ class SP extends Source
if (isset($state['isPassive']) && (bool) $state['isPassive']) {
// passive request, we cannot authenticate the user
- throw new \SimpleSAML\Module\saml\Error\NoPassive(
- \SAML2\Constants::STATUS_REQUESTER,
+ throw new Module\saml\Error\NoPassive(
+ Constants::STATUS_REQUESTER,
'Reauthentication required'
);
}
// save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
$id = State::saveState($state, 'saml:proxy:invalid_idp', true);
- $url = \SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
- \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, ['AuthState' => $id]);
+ $url = Module::getModuleURL('saml/proxy/invalid_session.php');
+ HTTP::redirectTrustedURL($url, ['AuthState' => $id]);
assert(false);
}
@@ -918,14 +943,14 @@ class SP extends Source
*/
public static function reauthLogout(array $state)
{
- \SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
+ Logger::debug('Proxy: logging the user out before re-authentication.');
if (isset($state['Responder'])) {
$state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
}
- $state['Responder'] = ['\SimpleSAML\Module\saml\Auth\Source\SP', 'reauthPostLogout'];
+ $state['Responder'] = [SP::class, 'reauthPostLogout'];
- $idp = \SimpleSAML\IdP::getByState($state);
+ $idp = IdP::getByState($state);
$idp->handleLogoutRequest($state, null);
assert(false);
}
@@ -942,7 +967,7 @@ class SP extends Source
assert(isset($state['ReturnCallback']));
// Update session state
- $session = \SimpleSAML\Session::getSessionFromRequest();
+ $session = Session::getSessionFromRequest();
$authId = $state['saml:sp:AuthId'];
$session->doLogin($authId, State::getPersistentAuthData($state));
@@ -961,19 +986,19 @@ class SP extends Source
* @param array &$state The state array with the state during logout.
* @return void
*/
- public static function reauthPostLogout(\SimpleSAML\IdP $idp, array $state)
+ public static function reauthPostLogout(IdP $idp, array $state)
{
assert(isset($state['saml:sp:AuthId']));
- \SimpleSAML\Logger::debug('Proxy: logout completed.');
+ Logger::debug('Proxy: logout completed.');
if (isset($state['saml:proxy:reauthLogout:PrevResponder'])) {
$state['Responder'] = $state['saml:proxy:reauthLogout:PrevResponder'];
}
- $sp = Source::getById($state['saml:sp:AuthId'], '\SimpleSAML\Module\saml\Auth\Source\SP');
+ $sp = Source::getById($state['saml:sp:AuthId'], Module\saml\Auth\Source\SP::class);
/** @var \SimpleSAML\Module\saml\Auth\Source\SP $authSource */
- \SimpleSAML\Logger::debug('Proxy: logging in again.');
+ Logger::debug('Proxy: logging in again.');
$sp->authenticate($state);
assert(false);
}
@@ -1001,14 +1026,14 @@ class SP extends Source
$idpMetadata = $this->getIdPMetadata($idp);
$endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', [
- \SAML2\Constants::BINDING_HTTP_REDIRECT,
- \SAML2\Constants::BINDING_HTTP_POST], false);
+ Constants::BINDING_HTTP_REDIRECT,
+ Constants::BINDING_HTTP_POST], false);
if ($endpoint === false) {
- \SimpleSAML\Logger::info('No logout endpoint for IdP '.var_export($idp, true).'.');
+ Logger::info('No logout endpoint for IdP '.var_export($idp, true).'.');
return;
}
- $lr = \SimpleSAML\Module\saml\Message::buildLogoutRequest($this->metadata, $idpMetadata);
+ $lr = Module\saml\Message::buildLogoutRequest($this->metadata, $idpMetadata);
$lr->setNameId($nameId);
$lr->setSessionIndex($sessionIndex);
$lr->setRelayState($id);
@@ -1019,10 +1044,10 @@ class SP extends Source
$encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
}
if ($encryptNameId) {
- $lr->encryptNameId(\SimpleSAML\Module\saml\Message::getEncryptionKey($idpMetadata));
+ $lr->encryptNameId(Module\saml\Message::getEncryptionKey($idpMetadata));
}
- $b = \SAML2\Binding::getBinding($endpoint['Binding']);
+ $b = Binding::getBinding($endpoint['Binding']);
$b->send($lr);
assert(false);
@@ -1081,7 +1106,7 @@ class SP extends Source
$authProcState = [
'saml:sp:IdP' => $idp,
'saml:sp:State' => $state,
- 'ReturnCall' => ['\SimpleSAML\Module\saml\Auth\Source\SP', 'onProcessingCompleted'],
+ 'ReturnCall' => [SP::class, 'onProcessingCompleted'],
'Attributes' => $attributes,
'Destination' => $spMetadataArray,
@@ -1095,7 +1120,7 @@ class SP extends Source
$authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
}
- $pc = new \SimpleSAML\Auth\ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
+ $pc = new ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
$pc->processState($authProcState);
self::onProcessingCompleted($authProcState);
@@ -1137,10 +1162,10 @@ class SP extends Source
assert(is_string($authId));
assert(is_string($redirectTo));
- $session = \SimpleSAML\Session::getSessionFromRequest();
+ $session = Session::getSessionFromRequest();
$session->doLogin($authId, State::getPersistentAuthData($state));
- \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
+ HTTP::redirectUntrustedURL($redirectTo);
}