bugfix: When generating a NameID from a multivalued attribute, a warning was logged but the NameID was still generated.

Even though the default "exact" is used by most people, and few products support anything else, there's people asking for this.

Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.

- Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
- The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
- We shouldn't ask the user to logout in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
- Similarly, these two cases should also handled in case we are authenticating for the first time, not only when reauthenticating.

When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to logout before authenticating again, avoiding an inconsistent session with SPs associated to different IdPs.

This resolves #84.

The saml:FilterScopes filter was removing values that did not contain a scope. It shouldn't.

The new saml:FilterScopes allows a SAML Service Provider to remove the values from a scoped attribute whose scope is not declared in the IdP metadata and/or does not match with the domain in use by the IdP itself.

This closes #22.

Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects agains abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.

Duplicate the $state['SimpleSAML_Auth_Default.*'] entries to $state['SimpleSAML_Auth_Source.*'] where needed, while we are transitioning to 2.0. Leave those that will be removed in SimpleSAML_Auth_Default. Move the rest of the code to the new entries in the state array.

Refactor SimpleSAML_Auth_State::extractPersistentAuthState() to getPersistentAuthData() to avoid confusions around the behaviour of this method.

The state array should not be modified after extracting (getting) the persistent authentication data. This resolves #247.

Provide config options to allow SQLPersistentNameID to be less conservative about creating entries in the SQL datastore, whilst preserving default behaviour

Move SimpleSAML_Auth_Default::handleUnsolicitedAuth() to sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth() and deprecate the former.

Move SimpleSAML_Auth_Default::extractPersistentAuthState() to SimpleSAML_Auth_State::extractPersistentAuthState() and deprecate the former.

Move SimpleSAML_Utilities:: redirectTrustedURL() to SimpleSAML\Utils\HTTP:: redirectTrustedURL() and deprecate the former.

Move SimpleSAML_Utilities::getSecretSalt() to SimpleSAML_Utils_Config::getSecretSalt(). Deprecate the former and stop using it.

Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0.

Schedule SimpleSAML_Utilities:: arrayize() for removal.

Rename SimpleSAML_Session::getInstance() to SimpleSAML_Session::getSessionFromRequest(), and leave the former as deprecated.

Fix #82 and #83. Make the checks for an IDPList happen only when we are the IdP authenticating the user, not an intermediate proxy.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3326 44740490-163a-0410-bde0-09ae8108e29a