Add support for encrypted name id in encrypted assertion. See SAML-Toolkits#594

Author: pitbulk

lib/Saml2/Response.php

@@ -38,6 +38,13 @@ class OneLogin_Saml2_Response
      */
     public $encrypted = false;
 
+    /**
+     * The response contains an encrypted nameId in the assertion.
+     *
+     * @var bool
+     */
+    public $encryptedNameId = false;
+
     /**
      * After validation, if it fail this var has the cause of the problem
      * @var string
@@ -200,14 +207,12 @@ public function isValid($requestId = null)
                     );
                 }
 
-                if ($security['wantNameIdEncrypted']) {
-                    $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');
-                    if ($encryptedIdNodes->length != 1) {
-                        throw new OneLogin_Saml2_ValidationError(
-                            "The NameID of the Response is not encrypted and the SP requires it",
-                            OneLogin_Saml2_ValidationError::NO_ENCRYPTED_NAMEID
-                        );
-                    }
+                $this->encryptedNameId = $this->encryptedNameId || $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData')->length > 0;
+                if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) {
+                    throw new OneLogin_Saml2_ValidationError(
+                        "The NameID of the Response is not encrypted and the SP requires it",
+                        OneLogin_Saml2_ValidationError::NO_ENCRYPTED_NAMEID
+                    );
                 }
 
                 // Validate Conditions element exists
@@ -366,17 +371,6 @@ public function isValid($requestId = null)
                 }
             }
 
-            // Detect case not supported
-            if ($this->encrypted) {
-                $encryptedIDNodes = OneLogin_Saml2_Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID');
-                if ($encryptedIDNodes->length > 0) {
-                    throw new OneLogin_Saml2_ValidationError(
-                        'SAML Response that contains a an encrypted Assertion with encrypted nameId is not supported.',
-                        OneLogin_Saml2_ValidationError::NOT_SUPPORTED
-                    );
-                }
-            }
-
             if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) {
                 throw new OneLogin_Saml2_ValidationError(
                     'No Signature found. SAML Response rejected',
@@ -585,9 +579,15 @@ public function getNameIdData()
         if ($encryptedIdDataEntries->length == 1) {
             $encryptedData = $encryptedIdDataEntries->item(0);
 
-            $key = $this->_settings->getSPkey();
+            $pem = $this->_settings->getSPkey();
+            if (empty($pem)) {
+                throw new OneLogin_Saml2_Error(
+                    "No private key available, check settings",
+                    OneLogin_Saml2_Error::PRIVATE_KEY_NOT_FOUND
+                );
+            }
             $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'private'));
-            $seckey->loadKey($key);
+            $seckey->loadKey($pem);
 
             $nameId = OneLogin_Saml2_Utils::decryptElement($encryptedData, $seckey);
 
@@ -1139,6 +1139,17 @@ protected function _decryptAssertion($dom)
         if ($check === false) {
             throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document');
         }
+
+        // check if the decrypted assertion contains an encryptedID
+        $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0);
+        if ($encryptedID) {
+            // decrypt the encryptedID
+            $this->encryptedNameId = true;
+            $encryptedData = $encryptedID->getElementsByTagName('EncryptedData')->item(0);
+            $nameId = $this->decryptNameId($encryptedData, $pem);
+            OneLogin_Saml2_Utils::treeCopyReplace($encryptedID, $nameId);
+        }
+
         if ($encData->parentNode instanceof DOMDocument) {
             return $decrypted;
         } else {
@@ -1171,6 +1182,46 @@ protected function _decryptAssertion($dom)
         }
     }
 
+    /**
+     * Decrypt EncryptedID element
+     *
+     * @param \DOMElement $encryptedData The encrypted data.
+     * @param string     $key            The private key
+     *
+     * @return \DOMElement  The decrypted element.
+     *
+     * @throws OneLogin_Saml2_Error
+     * @throws OneLogin_Saml2_ValidationError
+     */
+    private function decryptNameId(\DOMElement $encryptedData, string $pem)
+    {
+        $objenc = new XMLSecEnc();
+        $encData = $objenc->locateEncryptedData($encryptedData);
+        $objenc->setNode($encData);
+        $objenc->type = $encData->getAttribute("Type");
+        if (!$objKey = $objenc->locateKey()) {
+            throw new OneLogin_Saml2_ValidationError(
+                "Unknown algorithm",
+                ValidationError::KEY_ALGORITHM_ERROR
+            );
+        }
+        $key = null;
+        if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
+            if ($objKeyInfo->isEncrypted) {
+                $objencKey = $objKeyInfo->encryptedCtx;
+                $objKeyInfo->loadKey($pem, false, false);
+                $key = $objencKey->decryptKey($objKeyInfo);
+            } else {
+                // symmetric encryption key support
+                $objKeyInfo->loadKey($pem, false, false);
+            }
+        }
+        if (empty($objKey->key)) {
+            $objKey->loadKey($key);
+        }
+        return OneLogin_Saml2_Utils::decryptElement($encryptedData, $objKey);
+    }
+
     /**
      * After execute a validation process, if fails this method returns the cause
      *

tests/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64

@@ -0,0 +1 @@
+PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8c2FtbHA6UmVzcG9uc2UgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgSUQ9InBmeDczMzI1MzJjLWQ2MDUtZmVkOS0xNTk2LWVlYTM0YjkyNDY2NiIgVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDItMTlUMDE6Mzc6MDFaIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9waXRidWxrLm5vLWlwLm9yZy9uZXdvbmVsb2dpbi9kZW1vMS9pbmRleC5waHA/YWNzIiBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzVmZTlkNmU0OTliMmYwOTEzMjA2YWFiM2Y3MTkxNzI5MDQ5YmI4MDciPjxzYW1sOklzc3Vlcj5odHRwOi8vaWRwLmV4YW1wbGUuY29tLzwvc2FtbDpJc3N1ZXI+PGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+DQogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+DQogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPg0KICA8ZHM6UmVmZXJlbmNlIFVSST0iI3BmeDczMzI1MzJjLWQ2MDUtZmVkOS0xNTk2LWVlYTM0YjkyNDY2NiI+PGRzOlRyYW5zZm9ybXM+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU+SndSWVdySHdNQ1RKWHJGVXI0cTZRL0g1UWpFPTwvZHM6RGlnZXN0VmFsdWU+PC9kczpSZWZlcmVuY2U+PC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5lOEZYb2xETlA3MnFlZkVrRzExdkkzMVVqTmx2bWdqeStweVROa1FHbVhsME52bHRaVHJFamswVlFYanJUZkhMVzFvNTE4cU5ubWU1Nzl5ZXFnMWJLQU0xd3BCcENodWtIdnlWaXg2c3UyanBZbWQ1NFQ2bXJuTXFpYnUzZ01OZU52U2ZMaHFJQlpBWnVrc3kwZk1YNUpqd3R6elh0ejNHTENYNWFKVCsvRFk9PC9kczpTaWduYXR1cmVWYWx1ZT4NCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSUNnVENDQWVvQ0NRQ2JPbHJXRGRYN0ZUQU5CZ2txaGtpRzl3MEJBUVVGQURDQmhERUxNQWtHQTFVRUJoTUNUazh4R0RBV0JnTlZCQWdURDBGdVpISmxZWE1nVTI5c1ltVnlaekVNTUFvR0ExVUVCeE1EUm05dk1SQXdEZ1lEVlFRS0V3ZFZUa2xPUlZSVU1SZ3dGZ1lEVlFRREV3OW1aV2xrWlM1bGNteGhibWN1Ym04eElUQWZCZ2txaGtpRzl3MEJDUUVXRW1GdVpISmxZWE5BZFc1cGJtVjBkQzV1YnpBZUZ3MHdOekEyTVRVeE1qQXhNelZhRncwd056QTRNVFF4TWpBeE16VmFNSUdFTVFzd0NRWURWUVFHRXdKT1R6RVlNQllHQTFVRUNCTVBRVzVrY21WaGN5QlRiMnhpWlhKbk1Rd3dDZ1lEVlFRSEV3TkdiMjh4RURBT0JnTlZCQW9UQjFWT1NVNUZWRlF4R0RBV0JnTlZCQU1URDJabGFXUmxMbVZ5YkdGdVp5NXViekVoTUI4R0NTcUdTSWIzRFFFSkFSWVNZVzVrY21WaGMwQjFibWx1WlhSMExtNXZNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUURpdmJoUjdQNTE2eC9TM0JxS3h1cFFlMExPTm9saXVwaUJPZXNDTzNTSGJEcmwzK3E5SWJmbmZtRTA0ck51TWNQc0l4QjE2MVRkRHBJZXNMQ243YzhhUEhJU0tPdFBsQWVUWlNuYjhRQXU3YVJqWnEzK1BiclA1dVczVGNmQ0dQdEtUeXRIT2dlL09sSmJvMDc4ZFZoWFExNGQxRUR3WEpXMXJSWHVVdDRDOFFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0R0JBQ0RWZnA4NkhPYnFZK2U4QlVvV1E5K1ZNUXgxQVNEb2hCandPc2cyV3lrVXFSWEYrZExmY1VIOWRXUjYzQ3RaSUtGRGJTdE5vbVBuUXo3bmJLK29ueWd3QnNwVkVibkh1VWloWnEzWlVkbXVtUXFDdzRVdnMvMVV2cTNvck9vL1dKVmhUeXZMZ0ZWSzJRYXJRNC82N09aZkhkN1IrUE9CWGhvcGhTTXYxWk9vPC9kczpYNTA5Q2VydGlmaWNhdGU+PC9kczpYNTA5RGF0YT48L2RzOktleUluZm8+PC9kczpTaWduYXR1cmU+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjx4ZW5jOkVuY3J5cHRlZERhdGEgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIiB4bWxuczpkc2lnPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIiBUeXBlPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNFbGVtZW50Ij48eGVuYzpFbmNyeXB0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjYWVzMTI4LWNiYyIvPjxkc2lnOktleUluZm8geG1sbnM6ZHNpZz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PHhlbmM6RW5jcnlwdGVkS2V5Pjx4ZW5jOkVuY3J5cHRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNyc2EtMV81Ii8+PHhlbmM6Q2lwaGVyRGF0YT48eGVuYzpDaXBoZXJWYWx1ZT5pSWUyWTlWZFlGTUZLaWd5bUlaU2xGZlZpa09rclNoeE5qUzV2VjVRNEZJSGdYczU3dDVUTjIxMlJlalFCTVkzVzdjV0NFV01RZzZ6NXFVS3QrNEhNZ0lsVVc3V2h2UytDeDBIK1QzczhHYkRycGQxeVU2SE93WVMwclpydkVqaW05WmtMY25FRlZIREpGYWpneUsxZGU1Y3c4S1NBa25hL1F0Mk1aRS9BOWM9PC94ZW5jOkNpcGhlclZhbHVlPjwveGVuYzpDaXBoZXJEYXRhPjwveGVuYzpFbmNyeXB0ZWRLZXk+PC9kc2lnOktleUluZm8+DQogICA8eGVuYzpDaXBoZXJEYXRhPg0KICAgICAgPHhlbmM6Q2lwaGVyVmFsdWU+cHFpOGpRZ1o3YzMwSGVTbGt2M1hpY0JhRU03QkdJY3JqSEF3NkZ4NHpaMS9uTE9SSEtiZ1h2Rnh3REh3ZWljOXdibjZIZkFCalhtK2pBc1p4RnZxNmRHTmRZK2l5Y3VZaGN6QzlVUXYxTEpqclM4a1M1bkJnL2dQQy9WeEN1Vk1rRlVPekIxN0JUM0JaSy9zWjhoYWFjaXI4NlNFU2p1bytUVUJxQzkrc2czMnVGbEs0QnZ6RmJtT3NHMmFXcUo3WGVkODRleUNuV2R4Y3RpeW5ZbWh0MDlzUjRZaU1XWEw1elB2V3JmMXhZdnd5YlE0blVUTkJmditBZmoyMTNTYVJuN3p6bGdjOUtvUWNLWEVlTHFpMGZYb0ZjU2l4VXhDRGFURm54Y0tzNDlOeXl1ZmE5aUdHOE82WmpQUVFjVlVEVURTWVFJQWo3ZkxnZWhnUm1RRW5WUVR3WUFoK3JaWjEzMWc2VUNNcHlZRnlHWGx1TzlZa0NwQUpaTFp0NDk2M1FZREE5UE5KTjVvblhPRmZhVk4zc1hmUUlVaWVjcDdZK0FoNmlISjJBbUc3NnRLbWFqTk55d0VpRVRmWTRLVGVrU2J1RlY2YUo5NEpBcGVYa2RvWlZnajBURGZURHlUY20wTkpoTE1yWmpwOHpPd1g1ajd3MUY0SFJNM2tra1JhQmdRdUVTM2NER1QyaVMzbWNzQTM3S29IWnlFd0hrZHQ0azBuUHhmbHErZ2RlbUI1UkJMZGlEM3QySzdWZjJDOW5weTBIMFNUckR6dkM2TzJRNW5CeGxuU1IyNVd3bWxSaFIzaUhHaVBmOExkK1gwS1I2L1R2WDRzNHlyZDhraWtrK1NaM25GWGxiUEdWaXhxNzZsTnlQOXk4M0E2UE5GM05HL1RKRC81YVBFR1JXZzM1S05aN3ZiU3p6YTh2dXRHOVZUekJKQjBKdnlHbUtJTWlOeWNQbmxrSHFlOXdkTGVQeGw2b1o4UWlEdndzVVM0YjNmaFpwaDZVNE1oMi93TWJ2ZnE0WUIxd29QL0t2ako4eVdlV3FHa1EwbXdjVUNmbUxjTk5FUGpVbW5sOTVTTTlacWUzdldMTXpxaVNpSW5YaFFLUFpkbjV4WmxpRmRNU0kzWEM4L2hOSkI0aTQvRVJ6eXNVdEM3NzZsVkU4OTFmNnNoME9SWm9iR0FNU0J4TGc2bjB5QWZHVUJSU2ZuRDdpc3craWdrQWNxWHBqV0RZQ0diWFIrV2RUMHZaWGRqd3pxMjhReFZqcXhPYnVzWkxvZVBCcnI2bGdPd2NMcCtQSVN6VVlzcW9YSTJJdk1BVURjMGxUMldwNDlKdUwvcnU0Y0F1U0Zla1hRZ0tJcUM2anVGZkpueDBTazd4K2NHekcxK3FLQ1ArSHF0Z01IMkdBUUFOMExJTU9YM08xQ3hYVE5CNGd2K3gvWk5RdFNVZy83dG5KL3BCTEZWMzVSNEp6RFlxWllVVkk4NTRYQ2thZ0dFZ1NyZXNDQWRVc1BQbHFjbGRibCtqMzl2Z0tDN3V4dWtXaXErRzhCYkY2WUdtWVNGQThPa1kwMmFrSjJLMnkrYlppOTc2eE9ucERQWGhLT083eHhUMDEzUTN0VG56b1JaTkRHM0lhekVHblpBY2UrTlNDNDNzVFA0dHZpK0Nyay9sd1IwOEVRVDlOUDZUZ3BxNXpKeEViZEVJUXpoTDVsMDRRSjNKSGdnamV1QkljOXE2Ylp5SXdyc1AxVHQ2M0p6cHdERkxBRzRNRVhHM3VXSzVZTE9QN0l3SjZLcDZFK3poYVpqYUZJWTVKcUkvdi9FdjFUL3pLZ3hOUW9heGNZSDhBRTQwTFJYQWErVk8valU1dk5kdGF2SEFBUDQrU1ppTEtSUjlGYnhXencxd2owR1FLcWRZU2t6bU1QSFFBQU5hS04rdmhwRjZ3VnZFVnZkU0JXc0xKZnVtZi9COHhKbzZZWk5seUpSbUlyTURBTUNxdG5TYlNwbTZnSlJheHhML2Uyc29QbDZ2VXdwZ3N2OEkxbUljS1lmTHRlakt3VjRXREd5amYybHZvK29SdHhyTU9SNE5xNWNwRHBONkRHNlcxN2FqazhzN2ZFR0JPN1cxcFh6MVlXN1Y2TjgvaTV6M05kWExOcjkreExrWVN6a0NTR0tSb2hJQk9iRnIxK3VlbURpajVmZEhkZXpWbTY5aVdQZUR2aDJvK3JaS0NGOVl6Z0tIeGVrK1hmZUxiamVHREZNejBlNk5GZk03bW1lV1JZUzFNc25uK3pQNnI2cHQ3K1dReUYwZjhja2k1anhIM1BrU3B2eXNDK0NlUGFIRThodmVBM3J6Y1UrZ1NlU0FQWFFHY1hCK09GNzkyQThYU21JK2RhbzcxbU4wS2RCVUdGS1N0K2RlMnAzZFRIQTM4YW91VkU2d1Z0UXd1cVFmSmFzd2JjVmNTQU5WVkhiTWxQM0F1aVAxTWdmREFMNDBDU1N1Tjk5WGR2a1ZKMXNMODJhZDlkL1N3SDN6OHMremdIdDZCZTNFWS9aVEYvcjRXVG9kSVArK1JCcm50aEp6RGZwdkhjdmdGZmtuUTJoKzZMVTVwMXhvb21aeU1wUEtOZmdSL01lTk9vd3FrdkZxM2dDSFp0SlJ1QTVMaGVKb3g0ZXI4OXRFQks0Tll2eHp1RnhkaVM5UWRpSERBT1hWWjA3bXBtM1cxUkpybkE1anBNdjBzRHVOUFkvbStlakYwc2N3a3lmNFVjRU9DdjFnTTF2akYreWRPcVM1Y0MybFBEK1JCWll2L05QU3A2WSttMWFCbUVYS3ZuMEU1cE9QSXZ3QlNjSEVjVy9qaFhPcUpsYjNmc2FOOEpWemNUTWliRWlPdjltM3FaMUhyL3luOTN4REZLN1ZnQmg1aHJSNWhHY1M4MEwwMUpMY0JpcklLMGZPWW5GckJSNzhabjhRUW44OGNtMGMxdFE1SkhnenQ1bnVLNTUwWi9tM0hpMldNaDV3bDF6Sno1TkV2TkR3aHpybU94bHNVNEZDN2gzUDQySFV3aFdHZHBndys2Zzc1T1BJbGppc3hwa3N4WmxRYTIveWU1bGd4YWZRYzNaN1RwanpLQ2VMb2Q5Z0RRb20wT2RqNlM1VkZxTGNZaXFqMzRWUjRNRFplRW41TUFpU1BZVW5rQUk4TWtHMVZIT3VhaWJlVXZjVlBtVXRIMmZIcUhUU3BybFVzT3hDUVM3bWxqQUdvYkRyM3RBZEpxY2ZkblBrTVZlU0V2dDBzL1JOZC9jMTY1dnd3cENXV2czdkFmL2NWeEZYRmhQRldhcGpqNW1ub1JveTJIZzh2dmZKaTlIclpiSXhic2g5V1crR2VwZnpCWXhRL0l2RWI5QzQ0NFlreUJGWEF2c3lXaGVxL3J0TVhiTklJMmo0UkF2WEEyc0xkZTZ1cmVSUytmdVBwdHRURlpqd0FtSS9wT3BpSC9nWFVOcVZmbnRMcWV4ZkJWN2dmM0xNMGRHcE5CM1RIU24wMlIrSjVyOGtJMFE2M2JJTmNDMjhrUExDUUhCNk8zUU5OODVFZHlVa0F3TVhOSG45anFwUy9VSVZjdnp5alFBempYTngwd2Y4MUJRS1N1R0p4WS9JdzB0bW8yell3ZitWaWpzKy9iK1Z5NHVxZy92ckhqT0U2V041SllET3dkTnJBVDNIRTNlbHZReXRsazgwZXdCRERoL1QzYm50K0FqS2JtUHExclVzd21lcjJ3MG9aZHErRnpEc1VtclBZaS81UGtqbURMbWd4Rkp5R04weHpBbldwdjI1M2pwa1NCdW5xT3RYRjYrSTJ5aldNaFlHQ3hoN25kR3M5QXI3eHVkSlBNQWp6YVNEbzNYbFNtQXNnbFkxRGsvek50emxrZGMwTjRteVZGaGdDb1ozekIyNmZOVGsyM3RGOWJTSFBuYk44NFpaV05VdWs2MFUwU1BiY2pZUHI2U0tNTnEzOGtCTjVsRFUybTNXQ2owM0gyU29tOFNtWFlGdG9FcGZSb2ZKajltWmUvQUplMktxR3FOSE9RSFU1UldzU2JrWE1IM3VNOTJjU3ZjTmNYMGtuclNudUVFUGVpOEZXS2FnVFJTVm8rdzhEY3p4OVY2Q2JCemFkWWR5c0pFQ3Zrb0lEZ0xRQmJyWFhvVEMzT1FEaUxVdkVDbFBlSU1EMzhLREhxTEplOFVUSS9QSW9ONTFMTTZJVVVvOGJmUTJuTklWMGttZ1gwK1E0SW41UEhPMFlwaEh0OWR5WXVaV3I0cE9wZmVjR1RTRFB4TldxV2xvWVAreFFMWDkwRW5LNm1wTjVYTDFIQ0VqaUxFNjBUcXJsZUFLcmNhSnNzaDdSb3o5cVFWS2syRjcxQ2FLcGhQNkdaR09EZzhlelpFbXhGblVDc29USGREU2M4YzdULzV6UzA2eEZSSVcwSVRiMnJHWmppdnhYU0JjZ3BRSFNBZlZDWUtmVzVBREhWL1FoZVNNWDdtZGtBZ0YvbVZxUldvVGZRcGdsZFUxZUYrT0RTeUdoN083US9MTUh2Y3BxTzdXREpha2pXdjZaa0xMWFpvd3lJRUY3cDlEVmZhQ2ord1h4UWR0TFg4eHlKSFJZTHRybnRBZDNsODArYnlVYmw0SEdtVkNqTkVMMm5Xa1hzQ1Y3eUVsV0xLM2N1ek1MR1FDTWtOZFl0NHRlVHJOYkFOaWpScFVxelBrUExsVGdHanRvUGxzVnh1TkRXUFN1T1FBb2dzdUlYN01Db0wydmFITTB3MERTcjQwdnd6WXNzV2ZWN1FBSGIramVPQ2VwUWtTdWQzckwrcUF6VXZrcUQ3VVFBNUFZQWtMM1ppbVJvRFZCWVlUeDF5RFZOQXEyT1pySzBiUG5FclNGU2ozOG1FNmFwS3V4YWVHWHR0S2NkYVJDWUd5UCtXZit3TnU3alkwZEw1WTYreThjajNRMlZPamY4bytmamo3alZLaDRNc0RSbUtUd0R2VHR1VERma1hsMmZPOXBtemNMQmtWbWxDSzAxczJBcnJ3ck9CUnJmbE0veGNIMm9HUkRyTzNnSU9WK3JhMWNWSzdPNDlGNjdmbytuSm5ZV0s5Qno2aG90Ri9lMXEvdVVSU3d4L1lDN2Y4MGlqa21ieVpSZFk5MkxHM0RZMGFIOGNpS3pIK3hzMmkweld6RWpLWkdPaFREU1pjdWNnZWJuUi8xR0JlRy84RXVEYksxcWppSGhoaGErNVV3QmNwaW9JMFhORXJiTUVOSnZVdEpYcEtmd3FiUXg5MnZuUDJVY1plSUJ5WWE0YS9OUVEySWYrYXlGTFZpdEJiL1FNOGF4dUJyODBUbnIzZzUxVjYwQWRBUUZ3T1Q0K3Zkc0V5UnlzenN5bGgrckhlaEp1RHdncWJIMVBIODIyOVVaWWFqYjBpbEhSZUlKV1gxY0NFaTBzTVhEdTJJT2hCbXpOMzBhRFZSUkdNNHZKdU1ueEhYak1FQ2pvTjhkQUNQSnN2aTdNc0JqMHRkNjdKRDVxRVJjUkZBdk14QkF2Z1VmUmxXQUFtNXdzTUFmSGx0OFV6bkcyTGxXWEczQjcxYkoyUWhrbUpZendiemVjYzRiQ1dPQzBTalhIL3QvSTU5SHd0WlBFVHpITE9XOVpBMk1ZalVYRHpGc2xFbW5sdm9RT0EvcVlMT2dVY05ZVStDWDE0T3BCbjMzSHZEczZTeVBpb0VLdEJlTHp5Q21EWGgrdHlKWTUwZ1ppVVA2d3ovL04wdDBtM1JTTWtFcWVCYU1taWxGZjhIakdja1RXT2RQd1hqUjQvWmU0RUJ2ZG9aTzF0QjQvNHA0SSt2aTFzWTR3Y1JVZFlvbW54bWVaaG9RdnF0UFZmTTdtM1ZVaVM2Yktqd1Jpd2Y4PC94ZW5jOkNpcGhlclZhbHVlPg0KICAgPC94ZW5jOkNpcGhlckRhdGE+DQo8L3hlbmM6RW5jcnlwdGVkRGF0YT48L3NhbWw6RW5jcnlwdGVkQXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+

tests/src/OneLogin/Saml2/ResponseTest.php

@@ -1813,4 +1813,12 @@ public function testIsValidSignUsingX509certMulti()
         $response = new OneLogin_Saml2_Response($settings, $xml);
         $this->assertTrue($response->isValid());
     }
+
+    public function testCanGetEncryptedNameIdInEncryptedAssertion()
+    {
+        $xml = file_get_contents(TEST_ROOT . '/data/responses/response_encrypted_nameid_encrypted_assertion2.xml.base64');
+        $response = new OneLogin_Saml2_Response($this->_settings, $xml);
+        $this->assertTrue($response->isValid());
+        $this->assertEquals('492882615acf31c8096b627245d76ae53036c090', $response->getNameId());
+    }
 }