diff --git a/lib/Saml2/AuthnRequest.php b/lib/Saml2/AuthnRequest.php
index 706a315d..35eff436 100644
--- a/lib/Saml2/AuthnRequest.php
+++ b/lib/Saml2/AuthnRequest.php
@@ -77,12 +77,19 @@ public function __construct(OneLogin_Saml2_Settings $settings)
-
- urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
-
-
AUTHNREQUEST;
+ if (!isset($security['allowedAuthContexts']))
+ $security['allowedAuthContexts'] = array('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport');
+ if($security['allowedAuthContexts'] && is_array($security['allowedAuthContexts']))
+ {
+ $request .= ''."\n";
+ foreach($security['allowedAuthContexts'] as $authCtx)
+ $request .= ''.$authCtx."\n";
+ $request .= ' '."\n";
+ }
+ $request .= '';
+
$this->_id = $id;
$this->_authnRequest = $request;
}
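Review bot: Each `$authCtx` taken from `$security['allowedAuthContexts']` is concatenated into the request body as-is in the new `foreach`, so a configured value containing `<` or `&`, or a non-string entry (only the outer value is checked with `is_array`), yields malformed XML instead of a clear error; append it as `htmlspecialchars((string) $authCtx, ENT_QUOTES)` or validate the entries when the settings are loaded. The hunk as rendered here appears to have lost the XML tag text inside the string literals, so this reads only the control flow. The `if` and `foreach` added here also drop the braces the rest of the constructor uses, and the new `allowedAuthContexts` setting and its default are undocumented; a one-line comment above the `isset` such as `// SP setting 'allowedAuthContexts': list of AuthnContextClassRef URIs, defaults to PasswordProtectedTransport` would cover it. The constructor begins before this hunk.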
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
index f78720d0..b7754fc5 100644
--- a/lib/Saml2/LogoutRequest.php
+++ b/lib/Saml2/LogoutRequest.php
@@ -305,15 +305,16 @@ public function isValid()
$signAlg = $_GET['SigAlg'];
}
- $signedQuery = 'SAMLRequest='.urlencode($_GET['SAMLRequest']);
- if (isset($_GET['RelayState'])) {
- $signedQuery .= '&RelayState='.urlencode($_GET['RelayState']);
- }
- $signedQuery .= '&SigAlg='.urlencode($signAlg);
-
+ $signedQuery = 'SAMLRequest='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SAMLRequest');
+ if (isset($_GET['RelayState']))
+ $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
+
+ $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
+
if (!isset($idpData['x509cert']) || empty($idpData['x509cert'])) {
throw new Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required');
}
+
$cert = $idpData['x509cert'];
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
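Review bot: `extractOriginalQueryParam('SigAlg')` is now called unconditionally, although the surrounding context only reads `$_GET['SigAlg']` inside an `isset` guard (presumably after a default for `$signAlg` set above the hunk) and the old code appended `urlencode($signAlg)`; when SigAlg is absent the helper added in Utils.php computes its offset from a `strpos` that returned `false` and returns an unrelated slice of `QUERY_STRING`. The helper also matches `$name.'='` anywhere in the query string, including inside another parameter's name or value, and its `$end ? … : …` treats a separator at offset 0 (an empty value) as not found. Keep the old fallback here, `$signedQuery .= '&SigAlg='.(isset($_GET['SigAlg']) ? OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg') : urlencode($signAlg));`, and in the helper anchor the search at the start of the query string or right after `&`, return an explicit value for a missing parameter, and compare `$end !== false`. The `if (isset($_GET['RelayState']))` line additionally drops the braces used elsewhere in this method. isValid continues outside the hunk.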
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
index fe31ecfe..c2810f8f 100644
--- a/lib/Saml2/Response.php
+++ b/lib/Saml2/Response.php
@@ -108,7 +108,7 @@ public function isValid($requestId = null)
$signNodes = $this->document->getElementsByTagName('Signature');
}
foreach ($signNodes as $signNode) {
- $signedElements[] = $signNode->parentNode->tagName;
+ $signedElements[] = $signNode->parentNode->localName;
}
if (!empty($signedElements)) {
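Review bot: Switching to `localName` removes the only namespace information this check had, so any element whose local name is `Assertion` or `Response`, whatever namespace it belongs to, is now recorded as a signed SAML element, and the later hunks in this file that consume `$signedElements` (the wantAssertionsSigned/wantMessagesSigned checks, the first-signed-element selection and validateSignedElements) inherit that. Since `getElementsByTagName('Signature')` is itself namespace-agnostic, compare the parent's `namespaceURI` too, e.g. `$ns = $signNode->parentNode->namespaceURI; if ($ns === 'urn:oasis:names:tc:SAML:2.0:protocol' || $ns === 'urn:oasis:names:tc:SAML:2.0:assertion') { $signedElements[] = $signNode->parentNode->localName; }`. isValid starts and ends outside this hunk.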
@@ -241,11 +241,11 @@ public function isValid($requestId = null)
throw new Exception("A valid SubjectConfirmation was not found on this Response");
}
- if ($security['wantAssertionsSigned'] && !in_array('saml:Assertion', $signedElements)) {
+ if ($security['wantAssertionsSigned'] && !in_array('Assertion', $signedElements)) {
throw new Exception("The Assertion of the Response is not signed and the SP requires it");
}
-
- if ($security['wantMessagesSigned'] && !in_array('samlp:Response', $signedElements)) {
+
+ if ($security['wantMessagesSigned'] && !in_array('Response', $signedElements)) {
throw new Exception("The Message of the Response is not signed and the SP requires it");
}
}
@@ -255,7 +255,7 @@ public function isValid($requestId = null)
$fingerprint = $idpData['certFingerprint'];
// Only validates the first signed element
- if (in_array('samlp:Response', $signedElements)) {
+ if (in_array('Response', $signedElements)) {
$documentToValidate = $this->document;
} else {
$documentToValidate = $signNodes->item(0)->parentNode;
@@ -463,7 +463,9 @@ public function getAttributes()
$attributeValues = array();
foreach ($entry->childNodes as $childNode) {
- if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->tagName === $childNode->prefix.':AttributeValue') {
+ $tagName = ($childNode->prefix ? $childNode->prefix.':' : '') . 'AttributeValue';
+ if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->tagName === $tagName) {
+
$attributeValues[] = $childNode->nodeValue;
}
}
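Review bot: The new `$tagName` reconstruction is a roundabout way of ignoring the prefix and is inconsistent with the `localName` comparison this same commit introduces in isValid; `if ($childNode->nodeType === XML_ELEMENT_NODE && $childNode->localName === 'AttributeValue') {` expresses the same match without the string building and uses strict comparison for `nodeType`. The blank line added inside the `if` body is stray. getAttributes continues outside the hunk.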
@@ -523,9 +525,9 @@ public function validateSignedElements($signedElements)
return false;
}
$ocurrence = array_count_values($signedElements);
- if ((in_array('samlp:Response', $signedElements) && $ocurrence['samlp:Response'] > 1) ||
- (in_array('saml:Assertion', $signedElements) && $ocurrence['saml:Assertion'] > 1) ||
- !in_array('samlp:Response', $signedElements) && !in_array('saml:Assertion', $signedElements)
+ if ((in_array('Response', $signedElements) && $ocurrence['Response'] > 1) ||
+ (in_array('Assertion', $signedElements) && $ocurrence['Assertion'] > 1) ||
+ !in_array('Response', $signedElements) && !in_array('Assertion', $signedElements)
) {
return false;
}
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 0342a668..2bc3e993 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -944,7 +944,18 @@ public static function addSign($xml, $key, $cert)
return $signedxml;
}
-
+ /**
+ * Extract a query param - as it was sent - from $_SERVER[QUERY_STRING]
+ *
+ * @param string The param to-be extracted
+ */
+ public static function extractOriginalQueryParam ($name)
+ {
+ $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
+ $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
+ $end = strpos($substring, '&');
+ return $end ? substr($substring, 0, strpos($substring, '&')) : $substring;
+ }
/**