Commit f4798cc2 authored by Andreas Åkre Solberg's avatar Andreas Åkre Solberg

Clean up the authentication request code and the SAML 2.0 SP hosted metadata handling

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@373 44740490-163a-0410-bde0-09ae8108e29a
parent af7cc392
...@@ -27,7 +27,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA ...@@ -27,7 +27,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA
* have the same clock (as measured by the time()-function). Different clock * have the same clock (as measured by the time()-function). Different clock
* values will lead to incorrect behaviour. * values will lead to incorrect behaviour.
* *
* @author Olav Morken, UNINETT AS. <andreas.solberg@uninett.no> * @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp * @package simpleSAMLphp
* @version $Id$ * @version $Id$
*/ */
......
<?php <?php
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php'); require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php'); require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
/** /**
* The Shibboleth 1.3 Authentication Request. Not part of SAML 1.1, * The Shibboleth 1.3 Authentication Request. Not part of SAML 1.1,
* but an extension using query paramters no XML. * but an extension using query paramters no XML.
* *
* @author Andreas kre Solberg, UNINETT AS. <andreas.solberg@uninett.no> * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
* @package simpleSAMLphp * @package simpleSAMLphp
* @version $Id$ * @version $Id$
*/ */
...@@ -106,58 +107,79 @@ class SimpleSAML_XML_SAML20_AuthnRequest { ...@@ -106,58 +107,79 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
} }
/**
* Generate a new SAML 2.0 Authentication Request
*
* @param $spentityid SP Entity ID
* @param $destination SingleSignOnService endpoint
*/
public function generate($spentityid, $destination) { public function generate($spentityid, $destination) {
$md = $this->metadata->getMetaData($spentityid); $md = $this->metadata->getMetaData($spentityid);
$id = self::generateID(); $id = SimpleSAML_Utilities::generateID();
$issueInstant = self::generateIssueInstant(); $issueInstant = SimpleSAML_Utilities::generateTimestamp();
//$assertionConsumerServiceURL = $md['AssertionConsumerService'];
$assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted'); $assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
$nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'; /*
* Process the SAML 2.0 SP hosted metadata parameter: NameIDFormat
$forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'false'; */
$nameidformat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
// TODO: Make an option in the metadata to allow adding a RequestedAuthnContext if (isset($md['NameIDFormat'])) {
$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact"> if (!is_string($md['NameIDFormat'])) {
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> throw new Exception('SAML 2.0 SP hosted metadata parameter [NameIDFormat] must be a string.');
</samlp:RequestedAuthnContext>'; }
$nameidformat = $md['NameIDFormat'];
}
/*
* Process the SAML 2.0 SP hosted metadata parameter: ForceAuthn
*/
$forceauthn = 'false';
if (isset($md['ForceAuthn'])) {
if (is_bool($md['ForceAuthn'])) {
$forceauthn = ($md['ForceAuthn'] ? 'true' : 'false');
} else {
throw new Exception('Illegal format of the ForceAuthn parameter in the SAML 2.0 SP hosted metadata for entity [' . $spentityid . ']. This value should be set to a PHP boolean value.');
}
}
/*
* Process the SAML 2.0 SP hosted metadata parameter: AuthnContextClassRef
*/
$requestauthncontext = '';
if (!empty($md['AuthnContextClassRef'])) {
if (!is_string($md['AuthnContextClassRef'])) {
throw new Exception('SAML 2.0 SP hosted metadata parameter [AuthnContextClassRef] must be a string.');
}
$requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>' . $md['AuthnContextClassRef'] . '</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>';
}
/*
* Create the complete SAML 2.0 Authentication Request
*/
$authnRequest = '<samlp:AuthnRequest $authnRequest = '<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="' . $id . '" Version="2.0" ID="' . $id . '" Version="2.0"
IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '" IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '"
Destination="' . htmlspecialchars($destination) . '" Destination="' . htmlspecialchars($destination) . '"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '"> AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '">
<saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer> <saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer>
<samlp:NameIDPolicy <samlp:NameIDPolicy
Format="' . htmlspecialchars($nameidformat) . '" Format="' . htmlspecialchars($nameidformat) . '"
AllowCreate="true"/> AllowCreate="true"/>
' . ' ' . $requestauthncontext . '
</samlp:AuthnRequest> </samlp:AuthnRequest>
'; ';
return $authnRequest; return $authnRequest;
} }
public static function generateID() {
$length = 42;
$key = "_";
for ( $i=0; $i < $length; $i++ )
{
$key .= dechex( rand(0,15) );
}
return $key;
}
public static function generateIssueInstant() {
return gmdate("Y-m-d\TH:i:s\Z");
}
} }
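Review bot: The AuthnContextClassRef metadata value is concatenated into the XML unescaped on the `<saml:AuthnContextClassRef>` line, while every other metadata-derived value in the same request (Destination, AssertionConsumerServiceURL, Issuer, NameIDPolicy Format) is passed through htmlspecialchars(); a value containing `<`, `&` or a quote would yield a malformed request or injected markup. Metadata is operator-controlled, so this is a consistency and robustness issue rather than a direct exposure, but the escaping should be uniform: `<saml:AuthnContextClassRef>' . htmlspecialchars($md['AuthnContextClassRef']) . '</saml:AuthnContextClassRef>`. Separately, the local generateID() built on rand() is dropped in favour of SimpleSAML_Utilities::generateID(); that helper is not visible in this diff, so it is worth confirming it draws from a non-predictable source if these request IDs are later matched against InResponseTo.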
......
...@@ -35,8 +35,6 @@ ini_set('include_path', $path); ...@@ -35,8 +35,6 @@ ini_set('include_path', $path);
*/ */
//$SIMPLESAML_INCPREFIX = $path_extra . '/'; //$SIMPLESAML_INCPREFIX = $path_extra . '/';
require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php'); require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php');
$configdir = dirname(dirname(__FILE__)) . '/config'; $configdir = dirname(dirname(__FILE__)) . '/config';
......
...@@ -73,7 +73,7 @@ try { ...@@ -73,7 +73,7 @@ try {
$httpredirect->sendMessage($req, $spentityid, $idpentityid, $_GET['RelayState']); $httpredirect->sendMessage($req, $spentityid, $idpentityid, $_GET['RelayState']);
} catch(Exception $exception) { } catch(Exception $exception) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception);
} }
......