Update module docs

Remove inline style sheet

- Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
- The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
- We shouldn't ask the user to logout in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
- Similarly, these two cases should also handled in case we are authenticating for the first time, not only when reauthenticating.

This was due to incorrect use of the SimpleSAML_SessionHandler::setCookie() method to set the cookie, instead of SimpleSAML\Utils\HTTP::setCookie().

Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option.

This commit allows us to configure debugging options independently, but groupping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options.

This changes are backwards-compatible. Old and new configurations will work at the same time.

It's not very useful to log backtraces always as debug, since that implies getting all the log messages, while backtraces would still help debug a particular error.

Due to recent changes in the SAML2 library, when an attribute has a value that contains XML, its contents are returned as a DOMNodeList instead of a string. This causes problems when running as a proxy, since the SAML2 IdP will obtain attributes in a format that cannot be cast to string. Regardless of the attribute encoding configured in the IdP for a remote SP, we should handle those cases gracefully, so that the IdP don't end up in an uncaught exception.

When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to logout before authenticating again, avoiding an inconsistent session with SPs associated to different IdPs.

This resolves #84.

Basically, phpdoc formatting and fixing some classes not using namespaces.

For some reason, these changes were not applied in the previous commit. Make sure we use the current interface of the SAML2 library instead of abusing the autoloader.

Reformat to comply with our coding guidelines. Migrate all the code to use the newest version of the SAML2 library, using namespaces. Fix some bugs. Move it where it belongs under modules/saml instead of modules/core.

Test for https://github.com/simplesamlphp/simplesamlphp/pull/400

Add the existing Afrikaans translation into the list of supported languages

Add the existing Afrikaans translation into the list of supported languages so that South African users don't need to go editing code.

Update module docs to use module enabling/disabling through configuration file rather than touching 'enable'/'disable' files inside module directories

If we want to access the sandbox, we can do that from admin/ or type the URL directly.

The saml:FilterScopes filter was removing values that did not contain a scope. It shouldn't.

The new saml:FilterScopes allows a SAML Service Provider to remove the values from a scoped attribute whose scope is not declared in the IdP metadata and/or does not match with the domain in use by the IdP itself.

This closes #22.

Fix issue with Facebook authentication retrieving only user id and name

Mention the change in the way NameIDs are processed inside an eduPersonTargetedID, and offer an example on how to process the value.

This way, we avoid completely any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered back when unserializing.

A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This lead to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value.

This commit makes the SimpleSAML_Session to implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute.

The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.

Now that the SAML2 library has been updated to use the new SimpleSAML\Logger, we can update the dependency here. Since both libraries are interdependent, we are pointing to a specific commit in master, aliasing it to 2.2. That way we can keep business as usual for any other package which may depend on 2.2, while getting the changes into SimpleSAMLphp.

Use the recently added SimpleSAML_Configuration::getBasePath() instead. It guarantees the path prepended with a slash, so no need to do that every time when calling the method. As a side effect, we get rid of buggy invocations (calling getBaseUrl() instead of getBaseURL()), and also of old-style convention for the 'baseurlpath' configuration option, allowing a star at the beginning.

Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects agains abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.

The 2.x branch of XMLSecLibs uses namespaces, so we need to make sure we can still load the XMLSec* classes after updating the dependency. We can do that in the autoloader, looking for the classes with namespaces, and creating class aliases.

The code was enforcing this option even if a configuration was passed as a parameter to the constructor. If there is something wrong with a configuration and we are passing it to the constructor, we should know if at least the 'baseurlpath' is correct, and if not, fix it somehow.

This bug was producing a default configuration without 'baseurlpath', when no configuration was passed. In that situation, only the default path (/simplesaml) was working correctly.

This is related to PR #313. The option was in use but not documented.

Added port to the LDAP base filter configuration

PHP 5.3 and HHVM do not include the built-in server (or in the case of HHVM, not with the same syntax).

This test works as a demonstration on how to test our web interface endpoints.

With this script, which will be executed for every request performed to the built-in server, we can preload the configuration from a temporary file, making it possible to configure SimpleSAMLphp dynamically when testing.