From 3831625589b1dab75bc391a839d24e719928f859 Mon Sep 17 00:00:00 2001
From: Thomas Johansen
Date: Thu, 23 Oct 2014 12:19:15 +0200
Subject: [PATCH 1/4] https://github.com/onelogin/php-saml/pull/44
---
 lib/Saml2/Response.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
index fe31ecfe..80c4791e 100644
--- a/lib/Saml2/Response.php
+++ b/lib/Saml2/Response.php
@@ -108,7 +108,7 @@ public function isValid($requestId = null)
 $signNodes = $this->document->getElementsByTagName('Signature');
 }
 foreach ($signNodes as $signNode) {
- $signedElements[] = $signNode->parentNode->tagName;
+ $signedElements[] = $signNode->parentNode->localName;
 }
 
 if (!empty($signedElements)) {
@@ -241,11 +241,11 @@ public function isValid($requestId = null)
 throw new Exception("A valid SubjectConfirmation was not found on this Response");
 }
 
- if ($security['wantAssertionsSigned'] && !in_array('saml:Assertion', $signedElements)) {
+ if ($security['wantAssertionsSigned'] && !in_array('Assertion', $signedElements)) {
 throw new Exception("The Assertion of the Response is not signed and the SP requires it");
 }
-
- if ($security['wantMessagesSigned'] && !in_array('samlp:Response', $signedElements)) {
+
+ if ($security['wantMessagesSigned'] && !in_array('Response', $signedElements)) {
 throw new Exception("The Message of the Response is not signed and the SP requires it");
 }
 }
@@ -255,7 +255,7 @@ public function isValid($requestId = null)
 $fingerprint = $idpData['certFingerprint'];
 
 // Only validates the first signed element
- if (in_array('samlp:Response', $signedElements)) {
+ if (in_array('Response', $signedElements)) {
 $documentToValidate = $this->document;
 } else {
 $documentToValidate = $signNodes->item(0)->parentNode;
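Review bot: Matching on `localName` alone means an element named `Response` or `Assertion` in any namespace now counts as the signed element, here and on the new lines of the hunks at `@@ -241`, `@@ -255` and `@@ -523` (validateSignedElements); the old prefix comparison was only a loose proxy for the namespace, and this rewrite is the place to check it properly. Record the name only when the parent's `namespaceURI` is the SAML one, e.g. `$parent = $signNode->parentNode;` followed by `if (in_array($parent->namespaceURI, array('urn:oasis:names:tc:SAML:2.0:protocol', 'urn:oasis:names:tc:SAML:2.0:assertion'), true)) { $signedElements[] = $parent->localName; }`. The `in_array` calls on the new lines of the other three hunks should pass `true` as the third argument so the membership tests are strict. isValid begins and ends outside this hunk.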
@@ -523,9 +523,9 @@ public function validateSignedElements($signedElements)
 return false;
 }
 $ocurrence = array_count_values($signedElements);
- if ((in_array('samlp:Response', $signedElements) && $ocurrence['samlp:Response'] > 1) ||
- (in_array('saml:Assertion', $signedElements) && $ocurrence['saml:Assertion'] > 1) ||
- !in_array('samlp:Response', $signedElements) && !in_array('saml:Assertion', $signedElements)
+ if ((in_array('Response', $signedElements) && $ocurrence['Response'] > 1) ||
+ (in_array('Assertion', $signedElements) && $ocurrence['Assertion'] > 1) ||
+ !in_array('Response', $signedElements) && !in_array('Assertion', $signedElements)
 ) {
 return false;
 }
From bd39fe8b61d0a59154436d0926851cf762aa1de2 Mon Sep 17 00:00:00 2001
From: Thomas Johansen
Date: Thu, 23 Oct 2014 12:22:09 +0200
Subject: [PATCH 2/4] https://github.com/steffengy/php-saml/commit/ce3bf78afb9ffa5733c2263a5c1831413d7dd521
---
 lib/Saml2/LogoutRequest.php | 13 +++++++------
 lib/Saml2/Utils.php | 13 ++++++++++++-
 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/lib/Saml2/LogoutRequest.php b/lib/Saml2/LogoutRequest.php
index f78720d0..b7754fc5 100644
--- a/lib/Saml2/LogoutRequest.php
+++ b/lib/Saml2/LogoutRequest.php
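Review bot: The third disjunct of the rewritten condition, `!in_array('Response', $signedElements) && !in_array('Assertion', $signedElements)`, is the only one left without parentheses; `&&` binds tighter than `||` so the result is unchanged, but writing it as `(!in_array('Response', $signedElements, true) && !in_array('Assertion', $signedElements, true))` makes the three cases read alike and makes the membership tests strict. The same `true` argument belongs on the `in_array` calls of the first two disjuncts. validateSignedElements begins and ends outside the hunk.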
@@ -305,15 +305,16 @@ public function isValid()
 $signAlg = $_GET['SigAlg'];
 }
 
- $signedQuery = 'SAMLRequest='.urlencode($_GET['SAMLRequest']);
- if (isset($_GET['RelayState'])) {
- $signedQuery .= '&RelayState='.urlencode($_GET['RelayState']);
- }
- $signedQuery .= '&SigAlg='.urlencode($signAlg);
-
+ $signedQuery = 'SAMLRequest='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SAMLRequest');
+ if (isset($_GET['RelayState']))
+ $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
+
+ $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
+
 if (!isset($idpData['x509cert']) || empty($idpData['x509cert'])) {
 throw new Exception('In order to validate the sign on the Logout Request, the x509cert of the IdP is required');
 }
+
 $cert = $idpData['x509cert'];
 
 $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public'));
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 0342a668..2bc3e993 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -944,7 +944,18 @@ public static function addSign($xml, $key, $cert)
 return $signedxml;
 }
-
+ /**
+ * Extract a query param - as it was sent - from $_SERVER[QUERY_STRING]
+ *
+ * @param string The param to-be extracted
+ */
+ public static function extractOriginalQueryParam ($name)
+ {
+ $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
+ $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
+ $end = strpos($substring, '&');
+ return $end ? substr($substring, 0, strpos($substring, '&')) : $substring;
+ }
 /**
From a28993914ddc6548c4094d09213c61d4ebf6736e Mon Sep 17 00:00:00 2001
From: Thomas Johansen
Date: Thu, 23 Oct 2014 12:23:20 +0200
Subject: [PATCH 3/4] https://github.com/steffengy/php-saml/commit/9c4781a897a4e9128dc4e13803c204842873b1d1
---
 lib/Saml2/AuthnRequest.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
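Review bot: The new `SigAlg` line no longer falls back to `$signAlg` when the query string carries no `SigAlg` parameter: the removed line encoded `$signAlg` (assigned above the hunk, presumably with a default when `$_GET['SigAlg']` is absent), whereas `extractOriginalQueryParam('SigAlg')` is now called unconditionally and, as written in the Utils hunk, returns a substring from the wrong offset when the name is not present, so the signed query differs from what the IdP signed. Keep the fallback: `$signedQuery .= '&SigAlg='.(isset($_GET['SigAlg']) ? OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg') : urlencode($signAlg));`. The `if (isset($_GET['RelayState']))` two lines above also dropped its braces while the rest of the method keeps them; restore them. isValid begins and ends outside the hunk.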
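Review bot: `extractOriginalQueryParam` locates the parameter with a bare `strpos($_SERVER['QUERY_STRING'], $name.'=')`, which matches `$name` anywhere in the string (inside another key such as `XSAMLRequest=`, or inside a value) and takes the first occurrence, while `$_GET`, which the rest of the class reads, keeps the last occurrence of a repeated key; since this value is what the logout-request signature is verified against, the bytes verified must come from the same parameter instance the application then consumes, otherwise a signature can validate for one value while another is processed. Two smaller defects: when `$name` is absent `strpos` returns `false` and the arithmetic still yields a substring starting at `strlen($name)+1`, and `$end ? …` treats an `&` at offset 0 (empty value) as not found. Splitting the raw query string on `&`, matching `$name.'='` only at the start of a pair, keeping the last match and returning `null` when absent addresses all three; the docblock should also name the parameter (`@param string $name`) and state `@return string|null`.
```php
    /**
     * Extract a query param - as it was sent - from $_SERVER['QUERY_STRING']
     *
     * @param string $name The param to be extracted
     * @return string|null The raw (still URL-encoded) value, or null if absent
     */
    public static function extractOriginalQueryParam($name)
    {
        if (!isset($_SERVER['QUERY_STRING'])) {
            return null;
        }
        $value = null;
        // Keep the last match so the raw bytes correspond to the instance $_GET exposes.
        foreach (explode('&', $_SERVER['QUERY_STRING']) as $pair) {
            if (strpos($pair, $name.'=') === 0) {
                $value = substr($pair, strlen($name) + 1);
            }
        }
        return $value;
    }
```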
diff --git a/lib/Saml2/AuthnRequest.php b/lib/Saml2/AuthnRequest.php
index 706a315d..35eff436 100644
--- a/lib/Saml2/AuthnRequest.php
+++ b/lib/Saml2/AuthnRequest.php
@@ -77,12 +77,19 @@ public function __construct(OneLogin_Saml2_Settings $settings)
-
- urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
-
- AUTHNREQUEST;
+ if (!isset($security['allowedAuthContexts']))
+ $security['allowedAuthContexts'] = array('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport');
+ if($security['allowedAuthContexts'] && is_array($security['allowedAuthContexts']))
+ {
+ $request .= ''."\n";
+ foreach($security['allowedAuthContexts'] as $authCtx)
+ $request .= ''.$authCtx."\n";
+ $request .= ' '."\n";
+ }
+ $request .= '';
+
 $this->_id = $id;
 $this->_authnRequest = $request;
 }
From 2d215423f5de7b999328fedc5adbf520744178b3 Mon Sep 17 00:00:00 2001
From: Thomas Johansen
Date: Thu, 23 Oct 2014 12:24:47 +0200
Subject: [PATCH 4/4] https://github.com/steffengy/php-saml/commit/199be191fc6a40312ef806876ed28885f093d4d3
---
 lib/Saml2/Response.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/Saml2/Response.php b/lib/Saml2/Response.php
index 80c4791e..c2810f8f 100644
--- a/lib/Saml2/Response.php
+++ b/lib/Saml2/Response.php
@@ -463,7 +463,9 @@ public function getAttributes()
 
 $attributeValues = array();
 foreach ($entry->childNodes as $childNode) {
- if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->tagName === $childNode->prefix.':AttributeValue') {
+ $tagName = ($childNode->prefix ? $childNode->prefix.':' : '') . 'AttributeValue';
+ if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->tagName === $tagName) {
+
 $attributeValues[] = $childNode->nodeValue;
 }
 }
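Review bot: Each `$authCtx` is concatenated into the request XML unescaped on the `foreach` body line; the surrounding markup appears as empty `''` literals in this rendering, presumably because the element tags were lost in extraction, but the value goes in raw either way. `$security['allowedAuthContexts']` looks like SP configuration rather than request input, so the realistic failure is a malformed AuthnRequest rather than injection from a remote party, yet escaping at the concatenation is cheap: `$request .= ''.htmlspecialchars($authCtx, ENT_XML1 | ENT_QUOTES, 'UTF-8')."\n";`. Style: the `if`, `foreach` and inner `if` are written without braces and `if(`/`foreach(` lack the space the rest of the file uses; add both. The constructor begins outside the hunk.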
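Review bot: The rewritten check still keys on the prefixed `tagName`, rebuilding `prefix:AttributeValue` by hand on the new `$tagName` line, whereas the first commit of this series moved the signed-element checks to `localName` for exactly the prefix-independence this hunk wants. Comparing the local name drops the `$tagName` line and the prefix special case at once: `if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->localName === 'AttributeValue') {`, and appending `&& $childNode->namespaceURI === 'urn:oasis:names:tc:SAML:2.0:assertion'` keeps the namespace distinction the prefix only approximated. The blank line added directly after the `if` is stray. getAttributes begins and ends outside the hunk.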