- Sep 06, 2016
-
-
Jaime Pérez authored
-
Jaime Pérez authored
-
Jaime Pérez authored
This is needed for the autoloader to work, or code calling class_implements(), among others.
-
Jaime Pérez authored
-
Jaime Pérez authored
Added checks for Date/Time, JSON, cURL and Session.
-
Hanne Moa authored
-
Hanne Moa authored
For: #454
-
Hanne Moa authored
For: #454
-
- Sep 05, 2016
-
-
Jaime Pérez authored
Even though the default "exact" is used by most people, and few products support anything else, there are people asking for this.
-
Jaime Pérez authored
Since we have updated the version of the SAML2 library in use, we should use SAML2\Constants now.
-
- Aug 31, 2016
-
-
Jaime Pérez authored
-
Jaime Pérez authored
-
Jaime Pérez authored
-
Jaime Pérez authored
Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.
-
Jaime Pérez authored
This makes it easier to identify error conditions and return errors to an SP. More known errors should also be added here.
-
- Aug 30, 2016
-
-
Jaime Pérez authored
The SAML2 IdP should keep the RequestedAuthnContext in the state array, so that authentication sources (or processing filters) can use that information during authentication.
-
- Aug 25, 2016
-
-
Jaime Pérez Crespo authored
Removed html extension in Twig files
-
Sergio Gómez authored
-
- Aug 23, 2016
-
-
Jaime Pérez authored
This is due to the update of the SAML2 library, that caused several other bugs, mainly with attributes like eduPersonTargetedID, which should always be an SAML NameID.
-
- Aug 22, 2016
-
-
Jaime Pérez authored
It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
-
Jaime Pérez authored
-
Jaime Pérez authored
We don't use the MySQL extension directly, but PDO instead. We should therefore check for the PDO extension. This resolves #448.
-
Jaime Pérez authored
-
Jaime Pérez authored
This reverts commit ce040885.
-
Jaime Pérez authored
It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
-
- Aug 17, 2016
-
-
Jaime Pérez Crespo authored
Update module docs
-
Thijs Kinkhorst authored
Remove inline style sheet
-
- Aug 16, 2016
-
-
Dick Visser authored
-
- Aug 15, 2016
-
-
Jaime Pérez authored
  - Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
  - The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
  - We shouldn't ask the user to log out in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
  - Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
-
Jaime Pérez authored
This was due to incorrect use of the SimpleSAML_SessionHandler::setCookie() method to set the cookie, instead of SimpleSAML\Utils\HTTP::setCookie().
-
- Aug 10, 2016
-
-
Jaime Pérez authored
Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option. This commit allows us to configure debugging options independently, but grouping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options. These changes are backwards-compatible. Old and new configurations will work at the same time.
-
Jaime Pérez authored
It's not very useful to log backtraces always as debug, since that implies getting all the log messages, while backtraces would still help debug a particular error.
-
Jaime Pérez authored
-
Jaime Pérez authored
Due to recent changes in the SAML2 library, when an attribute has a value that contains XML, its contents are returned as a DOMNodeList instead of a string. This causes problems when running as a proxy, since the SAML2 IdP will obtain attributes in a format that cannot be cast to string. Regardless of the attribute encoding configured in the IdP for a remote SP, we should handle those cases gracefully, so that the IdP doesn't end up in an uncaught exception.
-
- Aug 08, 2016
-
-
Jaime Pérez authored
When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to log out before authenticating again, avoiding an inconsistent session with SPs associated to different IdPs. This resolves #84.
-
Jaime Pérez authored
Basically, phpdoc formatting and fixing some classes not using namespaces.
-
- Aug 06, 2016
-
-
Jaime Pérez authored
For some reason, these changes were not applied in the previous commit. Make sure we use the current interface of the SAML2 library instead of abusing the autoloader.
-
- Aug 05, 2016
-
-
Jaime Pérez authored
Reformat to comply with our coding guidelines. Migrate all the code to use the newest version of the SAML2 library, using namespaces. Fix some bugs. Move it where it belongs under modules/saml instead of modules/core.
-
Jaime Pérez authored
-
Jaime Pérez Crespo authored
Test for https://github.com/simplesamlphp/simplesamlphp/pull/400
-