This resolves #888.

This enables too the implementation of additional contact attributes, as requested in #509 to support the SIRTFI framework.

bugfix: Make sure a persistent NameID is not generated by default when the UserID is missing in the state array.

This allowed misconfigured IdPs (i.e. those without both a PersistenNameID authproc filter, a “userid.attribute” configuration option and no “eduPersonPrincipalName” attribute available after running all the authentication processing filters) to generate a persistent NameID based on “null”, effectively giving all users the same identifier.

The SAML2 IdP should keep the RequestedAuthnContext in the state array, so that authentication sources (or processing filters) can use that information during authentication.

Due to recent changes in the SAML2 library, when an attribute has a value that contains XML, its contents are returned as a DOMNodeList instead of a string. This causes problems when running as a proxy, since the SAML2 IdP will obtain attributes in a format that cannot be cast to string. Regardless of the attribute encoding configured in the IdP for a remote SP, we should handle those cases gracefully, so that the IdP don't end up in an uncaught exception.

Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects agains abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.

When exceptions happen in the context of a SAML transaction, we don't need to log the sspmod_saml_Error exception itself, as that doesn't have any valuable information. We log the exception itself instead. Reword the previous message a bit, too.

(being respectful with occurences that might change the behaviour, i.e. default database prefixes)

When building an assertion, the current time should be obtained once, used many, instead of being obtained every time we are using it (that could lead to clock discrepancies between several timestamps in the same assertion). Additionally, if authentication happened in the past (that is, we got a request that is not the one that triggered authentication, and this is pure SSO), we should calculate the value for SessionNotOnOrAfter relative to the start of the session, not the current time. This resolves #244.

Move SimpleSAML_Utilities:: checkCookie() to SimpleSAML\Utils\HTTP::checkSessionCookie() and deprecate the former.

Move SimpleSAML_Utilities::selfURLNoQuery() to SimpleSAML\Utils\HTTP::getSelfURLNoQuery() and deprecate the former.

Move SimpleSAML_Utilities::selfURL() to SimpleSAML\Utils\HTTP::getSelfURL() and deprecate the former.

Move SimpleSAML_Utilities::addURLparameter() to SimpleSAML\Utils\HTTP::addURLParameters() and deprecate the former.

Move SimpleSAML_Utilities::getSecretSalt() to SimpleSAML_Utils_Config::getSecretSalt(). Deprecate the former and stop using it.

Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0.