Merge pull request SAML-Toolkits#2 from merlinofchaos/master

Updates per our email

Author: christianbpedersen

README

@@ -0,0 +1,9 @@
+The files index.php, consume.php and settings.php are sample code to help
+demonstrate how this library should work. In order to use them, you can
+unpack this library in your website directory.
+
+You will need to modify the settings.php file to set the proper URLs and
+x509 certificate.
+
+There is more information in this post: 
+http://support.onelogin.com/entries/268420-saml-toolkit-for-php

consume.php

@@ -1,17 +1,28 @@
 <?php
+  /**
+   * SAMPLE Code to demonstrate how to handle a SAML assertion response.
+   *
+   * The URL of this file will have been given during the SAML authorization.
+   * After a successful authorization, the browser will be directed to this
+   * link where it will send a certified response via $_POST.
+   */
 
-  error_reporting(E_ALL); 
+  error_reporting(E_ALL);
 
   require 'settings.php';
 
   require 'lib/onelogin/saml.php';
 
-  $samlresponse = new SamlResponse($_POST['SAMLResponse']);
-  $samlresponse->user_settings = get_user_settings();
-  
-  if ($samlresponse->is_valid())
-    echo "You are: ".$samlresponse->get_nameid();
-  else
-    echo "Invalid SAML response.";
+  $samlresponse = new SamlResponse(saml_get_settings(), $_POST['SAMLResponse']);
+
+  try {
+    if ($samlresponse->is_valid())
+      echo "You are: ".$samlresponse->get_nameid();
+    else
+      echo "Invalid SAML response.";
+  }
+  catch (Exception $e) {
+    echo "Invalid SAML response: " . $e->getMessage();
+  }
 
 ?>

index.php

@@ -1,12 +1,20 @@
 <?php
-  error_reporting(E_ALL); 
-  
+  /**
+   * SAMPLE Code to demonstrate how to initiate a SAML Authorization request
+   *
+   * When the user visits this URL, the browser will be redirected to the SSO
+   * IdP with an authorization request. If successful, it will then be
+   * redirected to the consume URL (specified in settings) with the auth
+   * details.
+   */
+
+  error_reporting(E_ALL);
+
   require 'settings.php';
 
   require 'lib/onelogin/saml.php';
-  
-  $authrequest = new AuthRequest();
-  $authrequest->user_settings = get_user_settings();
+
+  $authrequest = new SamlAuthRequest(saml_get_settings());
   $url = $authrequest->create();
 
   header("Location: $url");

lib/onelogin/saml/authrequest.php

@@ -1,18 +1,39 @@
 <?php
-  class authrequest {
-    public $user_settings;
+  /**
+   * Create a SAML authorization request.
+   */
+  class SamlAuthRequest {
+    /**
+     * A SamlResponse class provided to the constructor.
+     */
+    private $settings;
 
+    /**
+     * Construct the response object.
+     *
+     * @param SamlResponse $settings
+     *   A SamlResponse settings object containing the necessary
+     *   x509 certicate to decode the XML.
+     */
+    function __construct($settings) {
+      $this->settings = $settings;
+    }
+
+    /**
+     * Generate the request.
+     *
+     * @return
+     *   A fully qualified URL that can be redirected to in order to process
+     *   the authorization request.
+     */
     public function create() {
       $id                = $this->generateUniqueID(20);
       $issue_instant     = $this->getTimestamp();
 
-      global $const_assertion_consumer_service_url;
-      global $const_issuer;
-      global $const_name_identifier_format;
       $request =
-        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"$id\" Version=\"2.0\" IssueInstant=\"$issue_instant\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"".$const_assertion_consumer_service_url."\">".
-        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".$const_issuer."</saml:Issuer>\n".
-        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"".$const_name_identifier_format."\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n".
+        "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"$id\" Version=\"2.0\" IssueInstant=\"$issue_instant\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"".$this->settings->assertion_consumer_service_url."\">".
+        "<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">".$this->settings->issuer."</saml:Issuer>\n".
+        "<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"".$this->settings->name_identifier_format."\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n".
         "<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">".
         "<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n".
         "</samlp:AuthnRequest>";
@@ -21,7 +42,7 @@ public function create() {
       $base64_request    = base64_encode($deflated_request);
       $encoded_request   = urlencode($base64_request);
 
-      return $this->user_settings->idp_sso_target_url."?SAMLRequest=".$encoded_request;
+      return $this->settings->idp_sso_target_url."?SAMLRequest=".$encoded_request;
     }
 
     private function generateUniqueID($length) {

lib/onelogin/saml/response.php

@@ -1,32 +1,66 @@
 <?php
   require 'xmlsec.php';
 
+  /**
+   * Parse the SAML response and maintain the XML for it.
+   */
   class SamlResponse {
+    /**
+     * A SamlResponse class provided to the constructor.
+     */
+    private $settings;
+
+    /**
+     * The decoded, unprocessed XML assertion provided to the constructor.
+     */
+    public $assertion;
+
+    /**
+     * A DOMDocument class loaded from the $assertion.
+     */
+    public $xml;
+
+    // At this time these private members are unused.
     private $nameid;
-    private $xml;
     private $xpath;
-    
-    public $user_settings;
-    
-    function __construct($val) {
-      // $this->xml = new SimpleXMLElement(base64_decode($val));
-      $this->xml = new DOMDocument();
 
-      $this->xml->loadXML(base64_decode($val));
+    /**
+     * Construct the response object.
+     *
+     * @param SamlResponse $settings
+     *   A SamlResponse settings object containing the necessary
+     *   x509 certicate to decode the XML.
+     * @param string $assertion
+     *   A UUEncoded SAML assertion from the IdP.
+     */
+    function __construct($settings, $assertion) {
+      $this->settings = $settings;
+      $this->assertion = base64_decode($assertion);
+      $this->xml = new DOMDocument();
+      $this->xml->loadXML($this->assertion);
     }
-    
+
+    /**
+     * Determine if the SAML Response is valid using the certificate.
+     *
+     * @return
+     *   TRUE if the document passes. This could throw a generic Exception
+     *   if the document or key cannot be found.
+     */
     function is_valid() {
-      $xmlsec = new XmlSec($this->xml);
-      $xmlsec->x509certificate = $this->user_settings->x509certificate;
+      $xmlsec = new SamlXmlSec($this->settings, $this->xml);
       return $xmlsec->is_valid();
     }
-    
+
+    /**
+     * Get the NameID provided by the SAML response from the IdP.
+     */
     function get_nameid() {
       $xpath = new DOMXPath($this->xml);
 			$xpath->registerNamespace("samlp","urn:oasis:names:tc:SAML:2.0:protocol");
 			$xpath->registerNamespace("saml","urn:oasis:names:tc:SAML:2.0:assertion");
       $query = "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID";
-      
+
       $entries = $xpath->query($query);
       return $entries->item(0)->nodeValue;
     }

lib/onelogin/saml/settings.php

@@ -1,6 +1,35 @@
 <?php
 
-  class settings {
+  /**
+   * Holds SAML settings for the SamlResponse and SamlAuthRequest classes.
+   *
+   * These settings need to be filled in by the user prior to being used.
+   */
+  class SamlSettings {
+    /**
+     * The URL to submit SAML authentication requests to.
+     */
+    var $idp_sso_target_url = '';
+
+    /**
+     * The x509 certificate used to authenticate the request.
+     */
+    var $x509certificate = '';
+
+    /**
+     * The URL where to the SAML Response/SAML Assertion will be posted.
+     */
+    var $assertion_consumer_service_url = '';
+
+    /**
+     * The name of the application.
+     */
+    var $issuer = "php-saml";
+
+    /**
+     * Specifies what format to return the authentication token, i.e, the email address.
+     */
+    var $name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
   }
 
 ?>

lib/onelogin/saml/xmlsec.php

@@ -1,18 +1,45 @@
 <?php
   require(dirname(__FILE__) . '/../../xmlseclibs/xmlseclibs.php');
 
-  class XmlSec {
-    public $x509certificate;
-    private $doc;
-    
-    function __construct($val) {
-      $this->doc = $val;
+  /**
+   * Determine if the SAML response is valid using a provided x509 certificate.
+   */
+  class SamlXmlSec {
+    /**
+     * A SamlResponse class provided to the constructor.
+     */
+    private $settings;
+
+    /**
+     * The documentument to be tested.
+     */
+    private $document;
+
+    /**
+     * Construct the SamlXmlSec object.
+     *
+     * @param SamlResponse $settings
+     *   A SamlResponse settings object containing the necessary
+     *   x509 certicate to test the document.
+     * @param string $document
+     *   The document to test.
+     */
+    function __construct($settings, $document) {
+      $this->settings = $settings;
+      $this->document = $document;
     }
-    
+
+    /**
+     * Determine if the document passes the security test.
+     *
+     * @return
+     *   TRUE if the document passes. This could throw a generic Exception
+     *   if the document or key cannot be found.
+     */
     function is_valid() {
     	$objXMLSecDSig = new XMLSecurityDSig();
 
-    	$objDSig = $objXMLSecDSig->locateSignature($this->doc);
+    	$objDSig = $objXMLSecDSig->locateSignature($this->document);
     	if (! $objDSig) {
     		throw new Exception("Cannot locate Signature Node");
     	}
@@ -33,8 +60,8 @@ function is_valid() {
 
     	$objKeyInfo = XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig);
 
-      $objKey->loadKey($this->x509certificate, FALSE, true);
-      
+      $objKey->loadKey($this->settings->x509certificate, FALSE, true);
+
     	$result = $objXMLSecDSig->verify($objKey);
     	return $result;
     }

settings.php

@@ -1,21 +1,32 @@
 <?php
-  // these are account wide configuration settings
-
-  // the URL where to the SAML Response/SAML Assertion will be posted
-  $const_assertion_consumer_service_url = "http://localhost/php-saml/consume.php";
-  // name of this application
-  $const_issuer                         = "php-saml";
-  // tells the IdP to return the email address of the current user
-  $const_name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
-
-  function get_user_settings() {
-    // this function should be modified to return the SAML settings for the current user
-
-    $settings                           = new Settings();
-    // when using Service Provider Initiated SSO (starting at index.php), this URL asks the IdP to authenticate the user. 
-    $settings->idp_sso_target_url       = "https://app.onelogin.com/saml/signon/6171";
-    // the certificate for the users account in the IdP
-    $settings->x509certificate          = "-----BEGIN CERTIFICATE-----
+  /**
+   * SAMPLE Code to demonstrate how provide SAML settings.
+   *
+   * The settings are contained within a SamlSettings object. You need to
+   * provide, at a minimum, the following things:
+   *  - idp_sso_target_url: This is the URL to forward to for auth requests.
+   *    It will be provided by your IdP.
+   *  - x509certificate: This is a certificate required to authenticate your
+   *    request. This certificate should be provided by your IdP.
+   *  - assertion_consumer_service_url: The URL that the IdP should redirect
+   *    to once the authorization is complete. You must provide this, and it
+   *    should point to the consume.php script or its equivalent.
+   */
+
+  /**
+   * Return a SamlSettings object with user settings.
+   */
+  function saml_get_settings() {
+    // This function should be modified to return the SAML settings for the current user
+
+    $settings = new SamlSettings();
+
+    // When using Service Provider Initiated SSO (starting at index.php), this URL asks the IdP to authenticate the user.
+    $settings->idp_sso_target_url             = "https://app.onelogin.com/saml/signon/6171";
+
+    // The certificate for the users account in the IdP
+    $settings->x509certificate                = <<<ENDCERTIFICATE
+-----BEGIN CERTIFICATE-----
 MIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD
 YWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxv
 Z2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMDMwOTA5NTgzNFoX
@@ -26,9 +37,20 @@ function get_user_settings() {
 kJNHYAAQ9egLGWQ8/1atkPBye5s9fxROtf8VO3uk/x/X5VSRODIrhFISGmKUnVXa
 UhLFIXkGSCAIVfoR5S2ggdfpINKUWGsWS/lEzLNYMBkURXuVAgMBAAEwAwYBAAMB
 AA==
------END CERTIFICATE-----";
+-----END CERTIFICATE-----
+ENDCERTIFICATE;
+
+    // The URL where to the SAML Response/SAML Assertion will be posted
+    $settings->assertion_consumer_service_url = "http://localhost/php-saml/consume.php";
+
+    // Name of this application
+    $settings->issuer                         = "php-saml";
+
+    // Tells the IdP to return the email address of the current user
+    $settings->name_identifier_format         = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+
 
     return $settings;
   }
-  
+
 ?>