- Jan 04, 2018
-
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
Tim van Dijen authored
-
- Oct 25, 2017
-
-
Jaime Pérez Crespo authored
-
- Oct 24, 2017
-
-
Matt Schwager authored
Working toward some of the requested tasks in https://github.com/simplesamlphp/simplesamlphp/wiki/List-of-tasks
-
- Oct 19, 2017
-
-
fentie authored
-
- Sep 07, 2017
-
-
Jaime Pérez Crespo authored
This method allows us to parse a URL and "rebase" it based on the $config['application']['baseURL'] configuration option. Thanks to this, applications will be able to configure a canonical base URL for the application, effectively translating any URL that might be built incorrectly (e.g. not using HTTPS because that is offloaded to a reverse proxy).
-
Jaime Pérez Crespo authored
It can now be used with \SimpleSAML\Auth\Simple, although the old name still works too.
-
- Sep 05, 2017
-
-
Thijs Kinkhorst authored
searchformultiple() will loop over all the configured base dn's to search in. However, it would break on the first search that does not return `false`. A search that yields 0 hits is not `false`, however (it is only false when an error occurred). So when using more than one base, users would not be found if they were part of the second or later base, which is contrary to the intention. This is now changed so the loop breaks when the result is not false, and the number of found results is > 0.
-
- Aug 15, 2017
-
-
manu0401 authored
I have been maintaining the PHP LDAP EXOP patch for a few years, which includes the ldapwhoami() function. This has finally made its way into the PHP distribution and will be available in PHP 7.3, but with a modified prototype. This change adapts to this API change. While there, also update exception handling on par with recent SimpleSAMLphp code.
-
- Jun 28, 2017
-
-
Jaime Pérez Crespo authored
This allows us to get rid of SHA-1.
-
Jaime Pérez Crespo authored
The offset is prepended in clear to the token itself, so that we can subtract it from the current time and get the original time slot. However, the time slot, salt and verification data are authenticated by means of the hash function, but not the offset. This means we can take an expired token and make it valid by simply increasing the prepended offset as much as needed to hit the time slot it was generated on. This is an important security issue as the tokens are therefore not bound to the current time at all. In order to fix it, the offset itself is added to the hash computation, so that a change in the offset produces a new hash that won't match.
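
The offset issue described in the commit message above, reproduced on a simplified model. This is an added example, not code from SimpleSAMLphp or from the commit; the token format, `WINDOW`, `SALT` and all function names are assumptions made for illustration.

```php
<?php
// Simplified model of a time-slot token. Constructed for illustration;
// the format, constants and function names are assumptions, not SimpleSAMLphp code.
const WINDOW = 900;                        // token validity window in seconds (constructed)
const SALT   = 'constructed-secret-salt';  // per-installation secret (constructed)

// Hash over time slot, salt and verification data; the offset is included
// only when $bindOffset is true (the fixed behaviour).
function tokenValue(int $offset, int $now, string $data, bool $bindOffset): string
{
    $slot = intdiv($now - $offset, WINDOW);
    $material = ($bindOffset ? $offset . ':' : '') . $slot . ':' . SALT . ':' . $data;
    return hash('sha256', $material);
}

function generate(int $now, string $data, bool $bindOffset): string
{
    $offset = $now % WINDOW;               // prepended in clear, hex-encoded
    return dechex($offset) . '-' . tokenValue($offset, $now, $data, $bindOffset);
}

function validate(string $token, int $now, string $data, bool $bindOffset): bool
{
    $parts = explode('-', $token);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0])) {
        return false;
    }
    $offset = (int) hexdec($parts[0]);
    return hash_equals(tokenValue($offset, $now, $data, $bindOffset), $parts[1]);
}

// Models a change to the clear-text prefix only; the hash part is left untouched.
function shiftOffset(string $token, int $delta): string
{
    [$offset, $value] = explode('-', $token);
    return dechex((int) hexdec($offset) + $delta) . '-' . $value;
}

$issued = 1498608123;                      // constructed issue time
$later  = $issued + 3 * WINDOW + 10;       // three windows after issue

foreach ([[false, 'offset not hashed'], [true, 'offset hashed']] as [$bind, $label]) {
    $token = generate($issued, 'user@example.org', $bind);
    printf("%s\n  fresh:            %s\n  expired:          %s\n  expired, shifted: %s\n",
        $label,
        var_export(validate($token, $issued + 60, 'user@example.org', $bind), true),
        var_export(validate($token, $later, 'user@example.org', $bind), true),
        var_export(validate(shiftOffset($token, 3 * WINDOW), $later, 'user@example.org', $bind), true));
}
```

A regression test for the fix asserts that the "expired, shifted" case validates as `false` once the offset is part of the hashed material.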
-
Jaime Pérez Crespo authored
s/generateToken/generate/ && s/validateToken/validate/
-
Jaime Pérez Crespo authored
With the previous implementation, several methods invoked time() themselves. Under certain conditions (basically, when the clock proceeds to the next second between computing the offset and calculating the token value), this could cause a mismatch that could make tokens expire before they are supposed to. Shouldn't be a big issue unless the system is really, really slow, but better safe than sorry.
-
Jaime Pérez Crespo authored
-
Jaime Pérez Crespo authored
-
- Dec 12, 2016
-
-
Jaime Pérez authored
-
Jaime Pérez authored
bugfix: When obtaining a UserID for the state array prior to running authproc filters, if the source attribute had multiple values a warning was logged but the UserID was still recorded.
-
- Nov 15, 2016
-
-
Thijs Kinkhorst authored
For #458
-
- Jun 06, 2016
-
-
Jaime Perez Crespo authored
-
- Apr 21, 2016
-
-
Jaime Perez Crespo authored
In the LDAP class, the password should only be escaped if it's not null, so that we don't try to bind with an empty password if none was provided. This fixes #366 and closes #370.
-
- Apr 15, 2016
-
-
Jaime Perez Crespo authored
-
- Apr 13, 2016
-
-
Jaime Perez Crespo authored
If we are asked to load an unknown auth source, we should raise a SimpleSAML_Error_AuthSource exception.
-
- Mar 09, 2016
-
-
Jaime Perez Crespo authored
-
- Mar 01, 2016
-
-
Jaime Perez Crespo authored
-
- Jan 29, 2016
-
-
David Yang authored
-
- Nov 06, 2015
-
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
(being respectful with occurrences that might change the behaviour, i.e. default database prefixes)
-
- Oct 21, 2015
-
-
Jaime Perez Crespo authored
Deprecate the 'userid.attribute' option. We should define specific options for each module using it, in order to avoid confusion.
-
- Oct 12, 2015
-
-
Tim van Dijen authored
Fixed to follow PSR-2 coding guidelines, proper indentation and a minor fix in equality operand (== vs ===)
-
- Sep 28, 2015
-
-
Matt Schwager authored
The `makeException` function returns an instantiated object, so the caller shouldn't also call `new`.
-
- Aug 31, 2015
-
-
Jaime Perez Crespo authored
Duplicate the $state['SimpleSAML_Auth_Default.*'] entries to $state['SimpleSAML_Auth_Source.*'] where needed, while we are transitioning to 2.0. Leave those that will be removed in SimpleSAML_Auth_Default. Move the rest of the code to the new entries in the state array.
-
Jaime Perez Crespo authored
Take back the migration of SimpleSAML_Auth_Default::initLogout(), initLogoutReturn() and logoutCompleted(), as they are not used anywhere. We'll just deprecate them and remove them in 2.0 then.
-
Jaime Perez Crespo authored
Throw an exception in SimpleSAML_Auth_Simple when the auth source cannot be found. This avoids trying to access a method in an object that's actually null.
-
- Aug 30, 2015
-
-
Jaime Perez Crespo authored
-
Jaime Perez Crespo authored
Move SimpleSAML_Auth_Default::initLogoutReturn() to SimpleSAML_Auth_Source and deprecate the former.
-
Jaime Perez Crespo authored
Throw an exception instead of doing nothing if the auth source specified is invalid. This mimics the old behaviour.
-
Jaime Perez Crespo authored
Add a check in case the authentication authority specified in SimpleSAML_Auth_Default::initLogin() is not valid.
-
Jaime Perez Crespo authored
-