- Jul 29, 2016
-
-
Jaime Pérez authored
-
Jaime Pérez authored
Mention the change in the way NameIDs are processed inside an eduPersonTargetedID, and offer an example on how to process the value.
-
- Jul 28, 2016
-
-
Jaime Pérez authored
This way, we avoid completely any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered back when unserializing.
-
Jaime Pérez authored
-
Jaime Pérez authored
A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value. This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute. The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
-
- Jul 26, 2016
-
-
Jaime Pérez authored
Now that the SAML2 library has been updated to use the new SimpleSAML\Logger, we can update the dependency here. Since both libraries are interdependent, we are pointing to a specific commit in master, aliasing it to 2.2. That way we can keep business as usual for any other package which may depend on 2.2, while getting the changes into SimpleSAMLphp.
-
Jaime Pérez authored
Use the recently added SimpleSAML_Configuration::getBasePath() instead. It guarantees the path prepended with a slash, so no need to do that every time when calling the method. As a side effect, we get rid of buggy invocations (calling getBaseUrl() instead of getBaseURL()), and also of old-style convention for the 'baseurlpath' configuration option, allowing a star at the beginning.
-
Jaime Pérez authored
-
Jaime Pérez authored
Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
-
Jaime Pérez authored
The 2.x branch of XMLSecLibs uses namespaces, so we need to make sure we can still load the XMLSec* classes after updating the dependency. We can do that in the autoloader, looking for the classes with namespaces, and creating class aliases.
-
- Jul 25, 2016
-
-
Jaime Pérez authored
The code was enforcing this option even if a configuration was passed as a parameter to the constructor. If there is something wrong with a configuration and we are passing it to the constructor, we should know if at least the 'baseurlpath' is correct, and if not, fix it somehow. This bug was producing a default configuration without 'baseurlpath', when no configuration was passed. In that situation, only the default path (/simplesaml) was working correctly.
-
Jaime Pérez authored
This is related to PR #313. The option was in use but not documented.
-
Jaime Pérez Crespo authored
Added port to the LDAP base filter configuration
-
- Jul 22, 2016
-
-
Jaime Pérez authored
PHP 5.3 and HHVM do not include the built-in server (or in the case of HHVM, not with the same syntax).
-
Jaime Pérez authored
This test works as a demonstration on how to test our web interface endpoints.
-
Jaime Pérez authored
-
Jaime Pérez authored
With this script, which will be executed for every request performed to the built-in server, we can preload the configuration from a temporary file, making it possible to configure SimpleSAMLphp dynamically when testing.
-
Jaime Pérez authored
With this class we can run PHP's built-in server specifying the document root (defaulting to the www directory) and a "router" file, which the server will execute for every request received. This is useful to allow testing of the web interfaces as part of our unit testing setup.
-
- Jul 20, 2016
-
-
Jaime Pérez Crespo authored
Removed unnecessary exception
-
Sergio Gomez authored
-
- Jul 19, 2016
-
-
Jaime Pérez authored
The www/_include.php script, included by all scripts in www/, checks unconditionally for the existence of the config.php file. However, this prevents us from testing the scripts automatically. Instead of checking for the file, we just try to load the configuration, and live with it if it works. That way we can pre-load the configuration using SimpleSAML_Configuration::loadFromArray(), as we are doing in some tests.
-
- Jul 15, 2016
-
-
Thijs Kinkhorst authored
-
Jaime Pérez authored
Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()). In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this. This resolves #418.
-
Thijs Kinkhorst authored
-
- Jul 14, 2016
-
-
Jaime Pérez authored
Add a configuration option named 'admin.checkforupdates' to enable or disable this feature.
-
Jaime Pérez authored
We shouldn't wait for long when connecting to github's API to check for the latest release. Set a timeout of a couple of seconds. Also, remove commented debugging code.
-
Jaime Pérez authored
Now that we have all our releases in github, we can use its API to see if the latest stable release there is newer than the version we are running. In that case, we show a warning in the configuration tab.
-
Jaime Pérez authored
-
- Jul 13, 2016
-
-
Hanne Moa authored
YA Merge
-
Hanne Moa authored
This allows for using twig templates, but does not include code for localizing twig templates.
-
Hanne Moa authored
-
Jaime Pérez authored
Both have been migrated to use namespaces.
-
- Jul 07, 2016
-
-
Jaime Pérez authored
Revert the change of the signature of SimpleSAML_Session::useTransientSession(). Not needed after all.
-
Jaime Pérez authored
-
- Jul 06, 2016
-
-
Jaime Pérez Crespo authored
Update the authwindowslive:LiveID module to use OAuth 2.0 authorization
-
Guy Halse authored
Improve the comment around error=user_denied
-
Guy Halse authored
rather than the discontinued OAuth WRAP. Attributes are now retrieved from the Microsoft Graph API rather than the Messenger API.
-
Jaime Pérez authored
PHP 7 changed the way it handles internal errors. Now, Exception objects inherit from the Throwable interface, as well as the new Error objects. Internal functions throw Error objects now instead of raising an error, so the exception handler would need to handle them as well. Therefore, the exception handler is no longer guaranteed to receive an Exception object. We need now to discern whether the parameter is an exception (and continue our business as usual), or an Error (in case such a thing exists, only PHP 7), and in this last case parse it and let the error handler do its stuff. This should resolve #330.
-
Jaime Pérez authored
bugfix: Make sure the PDO and Serialize metadata storage handlers return metadata containing the 'entityid' key. While investigating issue #393, we noticed that these two handlers don't enforce the entity ID of each entity to be set in the 'entityid' key of the metadata array (the Flatfile and XML handlers do enforce this). Since this is the way we propagate the entity ID (code using metadata won't necessarily have access to the key of the metadata array containing the entity ID, or such a thing might not even exist), we need to make sure the entity ID is set inside the array. Otherwise, if the metadata for an entity does not contain it directly, the 'ExpectedIssuer' would be set to null, an error recorded, and authentication would fail as the entity ID of the IdP issuing an assertion would not match.
-
- Jul 05, 2016
-
-
Jaime Pérez authored
Due to recent changes to fix the way we were building URLs (mixing what the 'baseurlpath' configuration option and the current URL, see #396), we introduced another bug by assuming file paths will always use slashes ('/'), which obviously is not true in Windows machines. This commit fixes SimpleSAML_Configuration::getBaseDir() and SimpleSAML\Utils\HTTP::getSelfURL() to take that into account. This closes #414.
-