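/**
 * Validate the signature on this Shibboleth 1.3 response against the issuing
 * IdP's metadata.
 *
 * When the message was already validated by the transport (see
 * setMessageValidated()), the signature check is skipped and TRUE is returned.
 * Otherwise the response is checked with SimpleSAML_XML_Validator using the
 * first available trust anchor in the issuer's 'shib13-idp-remote' metadata:
 *   1. 'signing' public keys of type X509Certificate (matched by the SHA-1
 *      fingerprint of the DER-encoded certificate),
 *   2. the legacy 'certFingerprint' option,
 *   3. a 'caFile' CA bundle.
 *
 * @return bool Always TRUE; failures are reported by exceptions, never by FALSE.
 * @throws SimpleSAML_Error_Exception When the metadata holds no usable trust
 *         anchor. Signature mismatches are presumably raised by the validator
 *         (validateFingerprint()/validateCA()) as exceptions as well.
 */
public function validate()
{
    // Expression form: a string argument to assert() is no longer evaluated in
    // PHP 8 and would silently pass.
    assert($this->dom instanceof DOMDocument);

    if ($this->messageValidated) {
        // This message was validated externally (e.g. by the transport binding).
        return true;
    }

    // Validate the signature. The validator is kept on $this->validator; the ID
    // attributes tell it which elements a signature may reference.
    $this->validator = new SimpleSAML_XML_Validator($this->dom, array('ResponseID', 'AssertionID'));

    // Get the issuer of the response
    $issuer = $this->getIssuer();

    // Get the metadata of the issuer
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');

    $publicKeys = $md->getPublicKeys('signing');
    if ($publicKeys !== null) {
        $certFingerprints = array();
        foreach ($publicKeys as $key) {
            // Only X.509 certificates can be matched by fingerprint; skip other key types.
            if ($key['type'] !== 'X509Certificate') {
                continue;
            }
            // SHA-1 over the DER certificate, the form validateFingerprint() compares against.
            $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
        }

        // Fail closed: never hand an empty trust list to the validator.
        if (empty($certFingerprints)) {
            throw new SimpleSAML_Error_Exception('No X509Certificate signing keys in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
        }

        $this->validator->validateFingerprint($certFingerprints);
    } elseif ($md->hasValue('certFingerprint')) {
        $certFingerprints = $md->getArrayizeString('certFingerprint');

        // Validate the fingerprint
        $this->validator->validateFingerprint($certFingerprints);
    } elseif ($md->hasValue('caFile')) {
        // Validate against CA
        $this->validator->validateCA(\SimpleSAML\Utils\Config::getCertPath($md->getString('caFile')));
    } else {
        throw new SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
    }

    return true;
}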
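// Receive the SAML 1.1 response, either via the artifact binding (SAMLart) or
// the POST binding (SAMLResponse), validate it, and hand the attributes to the
// authentication source. $source and $state are set up earlier in the script.
$spMetadata = $source->getMetadata();

if (array_key_exists('SAMLart', $_REQUEST)) {
    if (!isset($state['saml:idp'])) {
        /* Unsolicited response. */
        throw new SimpleSAML_Error_Exception('IdP initiated authentication not supported with the SAML 1.1 SAMLart protocol.');
    }
    $idpMetadata = $source->getIdPMetadata($state['saml:idp']);
    $responseXML = SimpleSAML_Bindings_Shib13_Artifact::receive($spMetadata, $idpMetadata);
    $isValidated = true; /* Artifact binding validated with ssl certificate. */
} elseif (array_key_exists('SAMLResponse', $_REQUEST)) {
    $responseXML = base64_decode($_REQUEST['SAMLResponse']);
    $isValidated = false; /* Must check signature on response. */
} else {
    // Neither binding parameter is present. A string assert('FALSE') here is
    // not evaluated in PHP 8 (and assertions may be disabled in production),
    // which would let execution continue with $responseXML and $isValidated
    // undefined; reject the request explicitly instead.
    throw new SimpleSAML_Error_Exception('Missing SAMLart or SAMLResponse parameter in SAML 1.1 response.');
}

$response = new SimpleSAML_XML_Shib13_AuthnResponse();
$response->setXML($responseXML);
$response->setMessageValidated($isValidated);
// Checks the signature against the issuer's metadata unless the artifact
// binding already authenticated the message; failures surface as exceptions.
$response->validate();

$responseIssuer = $response->getIssuer();
$attributes = $response->getAttributes();

// When the request was sent to a known IdP, the response must come from it.
if (isset($state['saml:idp']) && $responseIssuer !== $state['saml:idp']) {
    throw new SimpleSAML_Error_Exception('The issuer of the response wasn\'t the destination of the request.');
}

$logoutState = array('saml:logout:Type' => 'saml1');
$state['LogoutState'] = $logoutState;

$source->handleResponse($state, $responseIssuer, $attributes);

// handleResponse() is presumably expected to finish the request and never return.
assert(false);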