Commit ffe87021 authored by Olav Morken's avatar Olav Morken

saml: IdP/SAML2: Clarify variable names, fix comments.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2385 44740490-163a-0410-bde0-09ae8108e29a
parent 9e3ec795
...@@ -473,24 +473,24 @@ class sspmod_saml_IdP_SAML2 { ...@@ -473,24 +473,24 @@ class sspmod_saml_IdP_SAML2 {
/** /**
* Calculate the NameID value that should be used. * Calculate the NameID value that should be used.
* *
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP). * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP). * @param SimpleSAML_Configuration $dstMetadata The metadata of the SP.
* @param array $attributes The attributes of the user * @param array &$state The authentication state of the user.
* @return string The NameID value. * @return string The NameID value.
*/ */
private static function generateNameIdValue(SimpleSAML_Configuration $srcMetadata, private static function generateNameIdValue(SimpleSAML_Configuration $idpMetadata,
SimpleSAML_Configuration $dstMetadata, array &$state) { SimpleSAML_Configuration $spMetadata, array &$state) {
$attribute = $dstMetadata->getString('simplesaml.nameidattribute', NULL); $attribute = $spMetadata->getString('simplesaml.nameidattribute', NULL);
if ($attribute === NULL) { if ($attribute === NULL) {
$attribute = $srcMetadata->getString('simplesaml.nameidattribute', NULL); $attribute = $idpMetadata->getString('simplesaml.nameidattribute', NULL);
if ($attribute === NULL) { if ($attribute === NULL) {
if (!isset($state['UserID'])) { if (!isset($state['UserID'])) {
SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.'); SimpleSAML_Logger::error('Unable to generate NameID. Check the userid.attribute option.');
} }
$attributeValue = $state['UserID']; $attributeValue = $state['UserID'];
$idpEntityId = $srcMetadata->getString('entityid'); $idpEntityId = $idpMetadata->getString('entityid');
$spEntityId = $dstMetadata->getString('entityid'); $spEntityId = $spMetadata->getString('entityid');
$secretSalt = SimpleSAML_Utilities::getSecretSalt(); $secretSalt = SimpleSAML_Utilities::getSecretSalt();
...@@ -518,17 +518,17 @@ class sspmod_saml_IdP_SAML2 { ...@@ -518,17 +518,17 @@ class sspmod_saml_IdP_SAML2 {
/** /**
* Helper function for encoding attributes. * Helper function for encoding attributes.
* *
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP). * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP). * @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param array $attributes The attributes of the user * @param array $attributes The attributes of the user
* @return array The encoded attributes. * @return array The encoded attributes.
*/ */
private static function encodeAttributes(SimpleSAML_Configuration $srcMetadata, private static function encodeAttributes(SimpleSAML_Configuration $idpMetadata,
SimpleSAML_Configuration $dstMetadata, array $attributes) { SimpleSAML_Configuration $spMetadata, array $attributes) {
$base64Attributes = $dstMetadata->getBoolean('base64attributes', NULL); $base64Attributes = $spMetadata->getBoolean('base64attributes', NULL);
if ($base64Attributes === NULL) { if ($base64Attributes === NULL) {
$base64Attributes = $srcMetadata->getBoolean('base64attributes', FALSE); $base64Attributes = $idpMetadata->getBoolean('base64attributes', FALSE);
} }
if ($base64Attributes) { if ($base64Attributes) {
...@@ -537,8 +537,8 @@ class sspmod_saml_IdP_SAML2 { ...@@ -537,8 +537,8 @@ class sspmod_saml_IdP_SAML2 {
$defaultEncoding = 'string'; $defaultEncoding = 'string';
} }
$srcEncodings = $srcMetadata->getArray('attributeencodings', array()); $srcEncodings = $idpMetadata->getArray('attributeencodings', array());
$dstEncodings = $dstMetadata->getArray('attributeencodings', array()); $dstEncodings = $spMetadata->getArray('attributeencodings', array());
/* /*
* Merge the two encoding arrays. Encodings specified in the target metadata * Merge the two encoding arrays. Encodings specified in the target metadata
...@@ -586,37 +586,37 @@ class sspmod_saml_IdP_SAML2 { ...@@ -586,37 +586,37 @@ class sspmod_saml_IdP_SAML2 {
/** /**
* Build an assertion based on information in the metadata. * Build an assertion based on information in the metadata.
* *
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP). * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP). * @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param array &$state The state array with information about the request. * @param array &$state The state array with information about the request.
* @return SAML2_Assertion The assertion. * @return SAML2_Assertion The assertion.
*/ */
private static function buildAssertion(SimpleSAML_Configuration $srcMetadata, private static function buildAssertion(SimpleSAML_Configuration $idpMetadata,
SimpleSAML_Configuration $dstMetadata, array &$state) { SimpleSAML_Configuration $spMetadata, array &$state) {
assert('isset($state["Attributes"])'); assert('isset($state["Attributes"])');
assert('isset($state["saml:ConsumerURL"])'); assert('isset($state["saml:ConsumerURL"])');
$signAssertion = $dstMetadata->getBoolean('saml20.sign.assertion', NULL); $signAssertion = $spMetadata->getBoolean('saml20.sign.assertion', NULL);
if ($signAssertion === NULL) { if ($signAssertion === NULL) {
$signAssertion = $srcMetadata->getBoolean('saml20.sign.assertion', TRUE); $signAssertion = $idpMetadata->getBoolean('saml20.sign.assertion', TRUE);
} }
$config = SimpleSAML_Configuration::getInstance(); $config = SimpleSAML_Configuration::getInstance();
$a = new SAML2_Assertion(); $a = new SAML2_Assertion();
if ($signAssertion) { if ($signAssertion) {
sspmod_saml_Message::addSign($srcMetadata, $dstMetadata, $a); sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $a);
} }
$a->setIssuer($srcMetadata->getString('entityid')); $a->setIssuer($idpMetadata->getString('entityid'));
$a->setDestination($state['saml:ConsumerURL']); $a->setDestination($state['saml:ConsumerURL']);
$a->setValidAudiences(array($dstMetadata->getString('entityid'))); $a->setValidAudiences(array($spMetadata->getString('entityid')));
$a->setNotBefore(time() - 30); $a->setNotBefore(time() - 30);
$assertionLifetime = $dstMetadata->getInteger('assertion.lifetime', NULL); $assertionLifetime = $spMetadata->getInteger('assertion.lifetime', NULL);
if ($assertionLifetime === NULL) { if ($assertionLifetime === NULL) {
$assertionLifetime = $srcMetadata->getInteger('assertion.lifetime', 300); $assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
} }
$a->setNotOnOrAfter(time() + $assertionLifetime); $a->setNotOnOrAfter(time() + $assertionLifetime);
...@@ -633,14 +633,14 @@ class sspmod_saml_IdP_SAML2 { ...@@ -633,14 +633,14 @@ class sspmod_saml_IdP_SAML2 {
/* Add attributes. */ /* Add attributes. */
if ($dstMetadata->getBoolean('simplesaml.attributes', TRUE)) { if ($spMetadata->getBoolean('simplesaml.attributes', TRUE)) {
$attributeNameFormat = $dstMetadata->getString('AttributeNameFormat', NULL); $attributeNameFormat = $spMetadata->getString('AttributeNameFormat', NULL);
if ($attributeNameFormat === NULL) { if ($attributeNameFormat === NULL) {
$attributeNameFormat = $srcMetadata->getString('AttributeNameFormat', $attributeNameFormat = $idpMetadata->getString('AttributeNameFormat',
'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'); 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic');
} }
$a->setAttributeNameFormat($attributeNameFormat); $a->setAttributeNameFormat($attributeNameFormat);
$attributes = self::encodeAttributes($srcMetadata, $dstMetadata, $state['Attributes']); $attributes = self::encodeAttributes($idpMetadata, $spMetadata, $state['Attributes']);
$a->setAttributes($attributes); $a->setAttributes($attributes);
} }
...@@ -655,16 +655,16 @@ class sspmod_saml_IdP_SAML2 { ...@@ -655,16 +655,16 @@ class sspmod_saml_IdP_SAML2 {
if ($nameIdFormat === NULL || !isset($state['saml:NameID'][$nameIdFormat])) { if ($nameIdFormat === NULL || !isset($state['saml:NameID'][$nameIdFormat])) {
/* Either not set in request, or not set to a format we supply. Fall back to old generation method. */ /* Either not set in request, or not set to a format we supply. Fall back to old generation method. */
$nameIdFormat = $dstMetadata->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'); $nameIdFormat = $spMetadata->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
} }
if (isset($state['saml:NameID'][$nameIdFormat])) { if (isset($state['saml:NameID'][$nameIdFormat])) {
$nameId = $state['saml:NameID'][$nameIdFormat]; $nameId = $state['saml:NameID'][$nameIdFormat];
$nameId['Format'] = $nameIdFormat; $nameId['Format'] = $nameIdFormat;
} else { } else {
$spNameQualifier = $dstMetadata->getString('SPNameQualifier', NULL); $spNameQualifier = $spMetadata->getString('SPNameQualifier', NULL);
if ($spNameQualifier === NULL) { if ($spNameQualifier === NULL) {
$spNameQualifier = $dstMetadata->getString('entityid'); $spNameQualifier = $spMetadata->getString('entityid');
} }
if ($nameIdFormat === SAML2_Const::NAMEID_TRANSIENT) { if ($nameIdFormat === SAML2_Const::NAMEID_TRANSIENT) {
...@@ -673,7 +673,7 @@ class sspmod_saml_IdP_SAML2 { ...@@ -673,7 +673,7 @@ class sspmod_saml_IdP_SAML2 {
} else { } else {
/* this code will end up generating either a fixed assigned id (via nameid.attribute) /* this code will end up generating either a fixed assigned id (via nameid.attribute)
or random id if not assigned/configured */ or random id if not assigned/configured */
$nameIdValue = self::generateNameIdValue($srcMetadata, $dstMetadata, $state); $nameIdValue = self::generateNameIdValue($idpMetadata, $spMetadata, $state);
if ($nameIdValue === NULL) { if ($nameIdValue === NULL) {
SimpleSAML_Logger::warning('Falling back to transient NameID.'); SimpleSAML_Logger::warning('Falling back to transient NameID.');
$nameIdFormat = SAML2_Const::NAMEID_TRANSIENT; $nameIdFormat = SAML2_Const::NAMEID_TRANSIENT;
...@@ -700,17 +700,17 @@ class sspmod_saml_IdP_SAML2 { ...@@ -700,17 +700,17 @@ class sspmod_saml_IdP_SAML2 {
* This function takes in a SAML2_Assertion and encrypts it if encryption of * This function takes in a SAML2_Assertion and encrypts it if encryption of
* assertions are enabled in the metadata. * assertions are enabled in the metadata.
* *
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP). * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP). * @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param SAML2_Assertion $assertion The assertion we are encrypting. * @param SAML2_Assertion $assertion The assertion we are encrypting.
* @return SAML2_Assertion|SAML2_EncryptedAssertion The assertion. * @return SAML2_Assertion|SAML2_EncryptedAssertion The assertion.
*/ */
private static function encryptAssertion(SimpleSAML_Configuration $srcMetadata, private static function encryptAssertion(SimpleSAML_Configuration $idpMetadata,
SimpleSAML_Configuration $dstMetadata, SAML2_Assertion $assertion) { SimpleSAML_Configuration $spMetadata, SAML2_Assertion $assertion) {
$encryptAssertion = $dstMetadata->getBoolean('assertion.encryption', NULL); $encryptAssertion = $spMetadata->getBoolean('assertion.encryption', NULL);
if ($encryptAssertion === NULL) { if ($encryptAssertion === NULL) {
$encryptAssertion = $srcMetadata->getBoolean('assertion.encryption', FALSE); $encryptAssertion = $idpMetadata->getBoolean('assertion.encryption', FALSE);
} }
if (!$encryptAssertion) { if (!$encryptAssertion) {
/* We are _not_ encrypting this assertion, and are therefore done. */ /* We are _not_ encrypting this assertion, and are therefore done. */
...@@ -718,16 +718,16 @@ class sspmod_saml_IdP_SAML2 { ...@@ -718,16 +718,16 @@ class sspmod_saml_IdP_SAML2 {
} }
$sharedKey = $dstMetadata->getString('sharedkey', NULL); $sharedKey = $spMetadata->getString('sharedkey', NULL);
if ($sharedKey !== NULL) { if ($sharedKey !== NULL) {
$key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC); $key = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
$key->loadKey($sharedKey); $key->loadKey($sharedKey);
} else { } else {
/* Find the certificate that we should use to encrypt messages to this SP. */ /* Find the certificate that we should use to encrypt messages to this SP. */
$certArray = SimpleSAML_Utilities::loadPublicKey($dstMetadata, TRUE); $certArray = SimpleSAML_Utilities::loadPublicKey($spMetadata, TRUE);
if (!array_key_exists('PEM', $certArray)) { if (!array_key_exists('PEM', $certArray)) {
throw new Exception('Unable to locate key we should use to encrypt the assertionst ' . throw new Exception('Unable to locate key we should use to encrypt the assertionst ' .
'to the SP: ' . var_export($dstMetadata->getString('entityid'), TRUE) . '.'); 'to the SP: ' . var_export($spMetadata->getString('entityid'), TRUE) . '.');
} }
$pemCert = $certArray['PEM']; $pemCert = $certArray['PEM'];
...@@ -746,23 +746,24 @@ class sspmod_saml_IdP_SAML2 { ...@@ -746,23 +746,24 @@ class sspmod_saml_IdP_SAML2 {
/** /**
* Build a authentication response based on information in the metadata. * Build a authentication response based on information in the metadata.
* *
* @param SimpleSAML_Configuration $srcMetadata The metadata of the sender (IdP). * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
* @param SimpleSAML_Configuration $dstMetadata The metadata of the recipient (SP). * @param SimpleSAML_Configuration $spMetadata The metadata of the SP.
* @param string $consumerURL The Destination URL of the response.
*/ */
private static function buildResponse(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata, $consumerURL) { private static function buildResponse(SimpleSAML_Configuration $idpMetadata, SimpleSAML_Configuration $spMetadata, $consumerURL) {
$signResponse = $dstMetadata->getBoolean('saml20.sign.response', NULL); $signResponse = $spMetadata->getBoolean('saml20.sign.response', NULL);
if ($signResponse === NULL) { if ($signResponse === NULL) {
$signResponse = $srcMetadata->getBoolean('saml20.sign.response', TRUE); $signResponse = $idpMetadata->getBoolean('saml20.sign.response', TRUE);
} }
$r = new SAML2_Response(); $r = new SAML2_Response();
$r->setIssuer($srcMetadata->getString('entityid')); $r->setIssuer($idpMetadata->getString('entityid'));
$r->setDestination($consumerURL); $r->setDestination($consumerURL);
if ($signResponse) { if ($signResponse) {
sspmod_saml_Message::addSign($srcMetadata, $dstMetadata, $r); sspmod_saml_Message::addSign($idpMetadata, $spMetadata, $r);
} }
return $r; return $r;
......
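Review bot: In generateNameIdValue the missing-UserID branch only logs and then falls through to `$attributeValue = $state['UserID'];`, so a persistent NameID would be derived from an undefined value (a PHP notice and NULL) rather than reaching the caller's transient fallback at `if ($nameIdValue === NULL)`; unless the part of the function below the hunk rejects an empty value, add `return NULL;` directly after the `SimpleSAML_Logger::error(...)` call so the `Falling back to transient NameID.` path is actually taken. The body of generateNameIdValue continues past the hunk. Separately, the rename is incomplete in that function's docblock: the second parameter is now `$spMetadata` but the tag still reads `@param SimpleSAML_Configuration $dstMetadata The metadata of the SP.`, which should become `@param SimpleSAML_Configuration $spMetadata The metadata of the SP.`. The new buildResponse docblock documents `$consumerURL` but still lacks a return tag; `@return SAML2_Response The unsigned or signed response.` would complete it.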