public generate ( SimpleSAML_Configuration $idp, SimpleSAML_Configuration $sp, string $shire, array | null $attributes ) : string | ||
$idp | SimpleSAML_Configuration | Metadata for the IdP the response is sent from. |
$sp | SimpleSAML_Configuration | Metadata for the SP the response is sent to. |
$shire | string | The endpoint on the SP the response is sent to. |
$attributes | array | null | The attributes which should be included in the response. |
return | string | The response. |
public function generate(SimpleSAML_Configuration $idp, SimpleSAML_Configuration $sp, $shire, $attributes)
{
assert('is_string($shire)');
assert('$attributes === NULL || is_array($attributes)');
if ($sp->hasValue('scopedattributes')) {
$scopedAttributes = $sp->getArray('scopedattributes');
} elseif ($idp->hasValue('scopedattributes')) {
$scopedAttributes = $idp->getArray('scopedattributes');
} else {
$scopedAttributes = array();
}
$id = SimpleSAML\Utils\Random::generateID();
$issueInstant = SimpleSAML\Utils\Time::generateTimestamp();
// 30 seconds timeskew back in time to allow differing clocks
$notBefore = SimpleSAML\Utils\Time::generateTimestamp(time() - 30);
$assertionExpire = SimpleSAML\Utils\Time::generateTimestamp(time() + 60 * 5);
# 5 minutes
$assertionid = SimpleSAML\Utils\Random::generateID();
$spEntityId = $sp->getString('entityid');
$audience = $sp->getString('audience', $spEntityId);
$base64 = $sp->getBoolean('base64attributes', FALSE);
$namequalifier = $sp->getString('NameQualifier', $spEntityId);
$nameid = SimpleSAML\Utils\Random::generateID();
$subjectNode = '<Subject>' . '<NameIdentifier' . ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' . ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' . '>' . htmlspecialchars($nameid) . '</NameIdentifier>' . '<SubjectConfirmation>' . '<ConfirmationMethod>' . 'urn:oasis:names:tc:SAML:1.0:cm:bearer' . '</ConfirmationMethod>' . '</SubjectConfirmation>' . '</Subject>';
$encodedattributes = '';
if (is_array($attributes)) {
$encodedattributes .= '<AttributeStatement>';
$encodedattributes .= $subjectNode;
foreach ($attributes as $name => $value) {
$encodedattributes .= $this->enc_attribute($name, $value, $base64, $scopedAttributes);
}
$encodedattributes .= '</AttributeStatement>';
}
/*
* The SAML 1.1 response message
*/
$response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant . '"
MajorVersion="1" MinorVersion="1"
Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
<Status>
<StatusCode Value="samlp:Success" />
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant . '"
Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="' . $notBefore . '" NotOnOrAfter="' . $assertionExpire . '">
<AudienceRestrictionCondition>
<Audience>' . htmlspecialchars($audience) . '</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="' . $issueInstant . '"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' . $subjectNode . '
</AuthenticationStatement>
' . $encodedattributes . '
</Assertion>
</Response>';
return $response;
}
/** * Send a response to the SP. * * @param array $state The authentication state. */ public static function sendResponse(array $state) { assert('isset($state["Attributes"])'); assert('isset($state["SPMetadata"])'); assert('isset($state["saml:shire"])'); assert('array_key_exists("saml:target", $state)'); // Can be NULL $spMetadata = $state["SPMetadata"]; $spEntityId = $spMetadata['entityid']; $spMetadata = SimpleSAML_Configuration::loadFromArray($spMetadata, '$metadata[' . var_export($spEntityId, TRUE) . ']'); SimpleSAML\Logger::info('Sending SAML 1.1 Response to ' . var_export($spEntityId, TRUE)); $attributes = $state['Attributes']; $shire = $state['saml:shire']; $target = $state['saml:target']; $idp = SimpleSAML_IdP::getByState($state); $idpMetadata = $idp->getConfig(); $config = SimpleSAML_Configuration::getInstance(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $statsData = array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid'), 'protocol' => 'saml1'); if (isset($state['saml:AuthnRequestReceivedAt'])) { $statsData['logintime'] = microtime(TRUE) - $state['saml:AuthnRequestReceivedAt']; } SimpleSAML_Stats::log('saml:idp:Response', $statsData); // Generate and send response. $ar = new SimpleSAML_XML_Shib13_AuthnResponse(); $authnResponseXML = $ar->generate($idpMetadata, $spMetadata, $shire, $attributes); $httppost = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $httppost->sendResponse($authnResponseXML, $idpMetadata, $spMetadata, $target, $shire); }