From 51d4b69b1e689aecb9c8ca25ddb4a87d23c1f668 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 22 May 2025 01:33:31 +0200 Subject: [PATCH 1/8] Fix typo in ignoreValidUntil that breaks metadata, See #603. Add parameter to exclude validUntil on Settings getSPMetadata, See #568 --- lib/Saml2/Metadata.php | 2 +- lib/Saml2/Settings.php | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/Metadata.php b/lib/Saml2/Metadata.php index 303184b3..3f63a093 100644 --- a/lib/Saml2/Metadata.php +++ b/lib/Saml2/Metadata.php @@ -155,7 +155,7 @@ public static function builder($sp, $authnsign = false, $wsign = false, $validUn if ($ignoreValidUntil) { $timeStr = <<_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization()); + $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization(), [], $ignoreValidUntil); $certNew = $this->getSPcertNew(); if (!empty($certNew)) { From 01190d375bf1f74306e14cfaf46a5e450851c6f6 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Thu, 22 May 2025 01:57:47 +0200 Subject: [PATCH 2/8] Fix typo --- lib/Saml2/Settings.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php index c46ea532..bec377e8 100644 --- a/lib/Saml2/Settings.php +++ b/lib/Saml2/Settings.php 
@@ -895,9 +895,9 @@ public function getIdPSLOResponseUrl() * @throws Exception * @throws OneLogin_Saml2_Error */ - public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null) + public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null, $ignoreValidUntil = false) { - $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization(), [], $ignoreValidUntil); + $metadata = OneLogin_Saml2_Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization(), array(), $ignoreValidUntil); $certNew = $this->getSPcertNew(); if (!empty($certNew)) { From 0342f0f34ab6e06aabff15931e65b079282699f9 Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 25 May 2025 12:49:00 +0200 Subject: [PATCH 3/8] Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773 fix. Add test coverage for validateBinarySign --- lib/Saml2/Error.php | 1 + lib/Saml2/Utils.php | 33 ++ tests/src/OneLogin/Saml2/UtilsTest.php | 427 +++++++++++++++++++++++++ 3 files changed, 461 insertions(+) diff --git a/lib/Saml2/Error.php b/lib/Saml2/Error.php index 7afc8ddd..ae0c2e55 100644 --- a/lib/Saml2/Error.php +++ b/lib/Saml2/Error.php @@ -25,6 +25,7 @@ class OneLogin_Saml2_Error extends Exception const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12; const PRIVATE_KEY_NOT_FOUND = 13; const UNSUPPORTED_SETTINGS_OBJECT = 14; + const INVALID_PARAMETER = 15; /** * Constructor diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php index 521cb3f0..7fbd14ac 100644 --- a/lib/Saml2/Utils.php +++ b/lib/Saml2/Utils.php 
@@ -730,6 +730,10 @@ protected static function buildWithBaseURLPath($info)
 */
 public static function extractOriginalQueryParam($name)
 {
+ if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+ return '';
+ }
+
 $index = strpos($_SERVER['QUERY_STRING'], $name.'=');
 $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1);
 $end = strpos($substring, '&');
@@ -1511,12 +1515,41 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
 }
 
 if ($retrieveParametersFromServer) {
+ if (!isset($_SERVER['QUERY_STRING']) || empty($_SERVER['QUERY_STRING'])) {
+ throw new OneLogin_Saml2_Error(
+ "No query string provided",
+ OneLogin_Saml2_Error::INVALID_PARAMETER
+ );
+ }
+ $keys = ["SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"];
+ foreach ($keys as $key) {
+ if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
+ throw new OneLogin_Saml2_Error(
+ "Duplicate parameter in query string",
+ OneLogin_Saml2_Error::INVALID_PARAMETER
+ );
+ }
+ }
+ if (substr_count($_SERVER['QUERY_STRING'], "SAMLRequest") > 0 && substr_count($_SERVER['QUERY_STRING'], "SAMLResponse") > 0) {
+ throw new OneLogin_Saml2_Error(
+ "Both SAMLRequest and SAMLResponse provided",
+ OneLogin_Saml2_Error::INVALID_PARAMETER
+ );
+ }
+
 $signedQuery = $messageType.'='.OneLogin_Saml2_Utils::extractOriginalQueryParam($messageType);
 if (isset($getData['RelayState'])) {
 $signedQuery .= '&RelayState='.OneLogin_Saml2_Utils::extractOriginalQueryParam('RelayState');
 }
 $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
 } else {
+ if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
+ throw new Error(
+ "Both SAMLRequest and SAMLResponse provided",
+ OneLogin_Saml2_Error::INVALID_PARAMETER
+ );
+ }
+
 $signedQuery = $messageType.'='.urlencode($getData[$messageType]);
 if (isset($getData['RelayState'])) {
 $signedQuery .= '&RelayState='.urlencode($getData['RelayState']);
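Review bot: The new guard in extractOriginalQueryParam only covers a missing or empty `QUERY_STRING`; when `$name` is simply absent, the `strpos` on the next line still returns `false`, which `$index + strlen($name) + 1` silently treats as 0, so the function returns a slice of whatever happens to sit at that offset instead of signalling absence. Add `if ($index === false) { return ''; }` right after the `strpos` call, and note that `$name.'='` also matches inside a longer name (`XSAMLRequest=`), so anchoring the search to the start of the string or to a preceding `&` would keep the extracted value aligned with the `$getData` entry the caller actually processes. `empty()` already returns true for an unset index, so the `!isset(...) ||` half of the new condition is redundant. The rest of extractOriginalQueryParam lies outside the hunk.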
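Review bot: `throw new Error(` in the new `else` branch of validateBinarySign (the `$retrieveParametersFromServer === false` path) constructs PHP's built-in `\Error` on PHP 7+ (and an undefined class on PHP 5) rather than `OneLogin_Saml2_Error`, so a `catch (Exception $e)` in callers, or in the new test, will not catch it; it should read `throw new OneLogin_Saml2_Error(`. The duplicate and both-present checks use `substr_count` over the raw query string, which counts substrings rather than parameters: PHP percent-decodes names when building `$_GET`, so `SAMLRequest=<signed>&SAMLReques%74=<evil>` passes the `> 1` check while `$_GET['SAMLRequest']` ends up holding the unsigned value and `extractOriginalQueryParam` signs the other one, which is the shape of the CVE-2025-27773 issue this hunk cites; conversely a RelayState value that merely contains the text `SAMLResponse` is rejected (the `'%SAMLResponse='` in testValidateBinarySignReqAndRes only passes because of that, and the `%` looks like a typo for `&`). Counting by decoded parameter name, as below, closes both cases, and using `array(...)` for `$keys` matches the syntax the series' second commit restores elsewhere. validateBinarySign continues outside the hunk on both sides.
```php
if ($retrieveParametersFromServer) {
    if (empty($_SERVER['QUERY_STRING'])) {
        throw new OneLogin_Saml2_Error(
            "No query string provided",
            OneLogin_Saml2_Error::INVALID_PARAMETER
        );
    }
    // Count parameters by their decoded name, not by raw substring match: PHP
    // percent-decodes names before filling $_GET, so "SAMLReques%74" is the same key.
    $seen = array();
    foreach (explode('&', $_SERVER['QUERY_STRING']) as $pair) {
        $eq = strpos($pair, '=');
        $name = urldecode($eq === false ? $pair : substr($pair, 0, $eq));
        $seen[$name] = isset($seen[$name]) ? $seen[$name] + 1 : 1;
    }
    foreach (array('SAMLRequest', 'SAMLResponse', 'RelayState', 'SigAlg', 'Signature') as $key) {
        if (isset($seen[$key]) && $seen[$key] > 1) {
            throw new OneLogin_Saml2_Error(
                "Duplicate parameter in query string",
                OneLogin_Saml2_Error::INVALID_PARAMETER
            );
        }
    }
    if (isset($seen['SAMLRequest']) && isset($seen['SAMLResponse'])) {
        throw new OneLogin_Saml2_Error(
            "Both SAMLRequest and SAMLResponse provided",
            OneLogin_Saml2_Error::INVALID_PARAMETER
        );
    }
    // … unchanged: $signedQuery assembled from extractOriginalQueryParam() …
} else {
    if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
        throw new OneLogin_Saml2_Error(
            "Both SAMLRequest and SAMLResponse provided",
            OneLogin_Saml2_Error::INVALID_PARAMETER
        );
    }
    // … unchanged: $signedQuery assembled from $getData …
}
```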
diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php index c91c71a8..4f1d9b4b 100644 --- a/tests/src/OneLogin/Saml2/UtilsTest.php +++ b/tests/src/OneLogin/Saml2/UtilsTest.php 
@@ -1337,4 +1337,431 @@ public function testValidateSign() $this->assertContains('Reference validation failed', $e->getMessage()); } } + + /** + * Tests the validateBinarySign method of the Utils + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignIsValid() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . 
urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc'); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + unset($_SERVER['QUERY_STRING']); + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, 
$getData2, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignIsValidx509certMulti() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings6.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 
'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . 
urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc'); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + unset($_SERVER['QUERY_STRING']); + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + + $retrieveParametersFromServer = true; + $_SERVER['QUERY_STRING'] = 
'SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='); + $this->assertTrue(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case where the signature is wrong + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignSignatureWrong() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + $idpData = $settings->getIdPData(); + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => 
'_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'WRONGL2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'WRONGvfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $retrieveParametersFromServer = false; + $messageType = 'SAMLResponse'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case where the cert is wrong + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignCertWrong() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settingsInfo['idp']['x509cert'] = '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'; + $settings = new 
OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 
'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $messageType = 'SAMLResponse'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case removed element, ex RelayState + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignRemovedParam() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + unset($getData['RelayState']); + $messageType = 'SAMLRequest'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer)); + + $getData2 = array( + 'SAMLResponse' => 
'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + unset($getData2['RelayState']); + $messageType = 'SAMLResponse'; + $this->assertFalse(OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer)); + } + + /** + * Tests the validateBinarySign method of the Utils + * Case No Query String + * + * @covers OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignNoQueryString() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + $retrieveParametersFromServer = true; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 
'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + unset($getData['RelayState']); + $messageType = 'SAMLRequest'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "No query string provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $getData2 = array( + 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + unset($getData2['RelayState']); + $messageType = 'SAMLResponse'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "No query string provided"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + } + + /** + * Tests the validateBinarySign method of the Utils + * Case No Cert + * + * @covers 
OneLogin_Saml2_Utils::validateSign + */ + public function testValidateBinarySignNoCert() + { + $settingsDir = TEST_ROOT .'/settings/'; + include $settingsDir.'settings1.php'; + + $settings = new OneLogin_Saml2_Settings($settingsInfo); + + $idpData = $settings->getIdPData(); + unset($idpData['x509cert']); + + $retrieveParametersFromServer = false; + + unset($_SERVER['QUERY_STRING']); + $getData = array( + 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=', + 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg=' + ); + $messageType = 'SAMLRequest'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "In order to validate the sign on the Logout Request, the x509cert of the IdP is required"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + + $getData2 = array( + 'SAMLResponse' => 
'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A', + 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php', + 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1', + 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=' + ); + $messageType = 'SAMLResponse'; + try { + OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer); + $this->fail('Error was not raised'); + } catch (Exception $e) { + $expectedMessage = "In order to validate the sign on the Logout Response, the x509cert of the IdP is required"; + $this->assertEquals($expectedMessage, $e->getMessage()); + } + } + + /** + * Tests the validateBinarySign method of the Utils + * Case Invalid Parameters: Ex. 
SAMLRequest and SAMLResponse present at the same time
+ *
+ * @covers OneLogin_Saml2_Utils::validateSign
+ */
+ public function testValidateBinarySignReqAndRes()
+ {
+ $settingsDir = TEST_ROOT .'/settings/';
+ include $settingsDir.'settings1.php';
+
+ $settings = new OneLogin_Saml2_Settings($settingsInfo);
+
+ $idpData = $settings->getIdPData();
+ $retrieveParametersFromServer = false;
+
+ unset($_SERVER['QUERY_STRING']);
+ $getData = array(
+ 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+ 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+ 'RelayState' => '_1037fbc88ec82ce8e770b2bed1119747bb812a07e6',
+ 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+ 'Signature' => 'L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrcTsSFlYYbcqr/g5Kdcgg='
+ );
+
+ $messageType = 'SAMLRequest';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $retrieveParametersFromServer = true;
+ $_SERVER['QUERY_STRING'] = 'SAMLRequest=' . urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE='). '&RelayState='.urlencode('_1037fbc88ec82ce8e770b2bed1119747bb812a07e6') . '%SAMLResponse=' . urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A') . '&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature=' . urlencode('L2YrP7Ngms1ew8va4drALt9bjK4ZInIS8V6W3HUSlvW/Hw2VD93vy1jPdDBsrRt8cLIuAkkHatemiq1bbgWyrGqlbX5VA/klRYJvHVowfUh2vuf8s17bdFWUOlsTWXxKaA2lJl93MnzJQsZrfVeCqJrc');
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $getData2 = array(
+ 'SAMLRequest' => 'fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=',
+ 'SAMLResponse' => 'fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A',
+ 'RelayState' => 'https://pitbulk.no-ip.org/newonelogin/demo1/index.php',
+ 'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+ 'Signature' => 'vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA='
+ );
+
+ $messageType = 'SAMLResponse';
+ $retrieveParametersFromServer = false;
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $retrieveParametersFromServer = true;
+ $_SERVER['QUERY_STRING'] = 'SAMLRequest='. urlencode('fZJNa+MwEIb/ivHdiTyyZEskhkJYCPQDtmUPvQRZHm8NtqRKMuTnr2J3IbuHXsQwM887My86BDVPTj7a33aJP/FzwRCz6zyZINfKMV+8kVaFMUijZgwyavn68PQoYUek8zZabaf8DvmeUCGgj6M1eXY+HfOLILwHVQ+MK1ozrBG7itQcKzpQ3pQCdDU0DdQIefYLfUjkMU9CCQ9hwbMJUZmYUqSsCkILIG8ll8Alg/c8O6VrRqPiSn3E6OR+H+IyDDtt5z2a3tnRxHAXhSns3IfLs2cbX8yLfxgi+iQvBC2IKKB8g1JWm3x7uN0r10V8+yU/9m6HVzW7Cdchh/1900Y8J1vOp+yH9bOK3/t1y4x9MaytMnplwogm5u1l6KDrgUHFGeVEU92xUlCkrOZMNITr9LIUdvprhW3qtoKTrxhuZp5Nj9f2gn0D0IPQyfnkPlOEQpO0uko1DDSBqqtEl+aITew//m/yn2/U/gE=') . '&SAMLResponse='.urlencode('fZJva8IwEMa/Ssl7TZrW/gnqGHMMwSlM8cXeyLU9NaxNQi9lfvxVZczB5ptwSe733MPdjQma2qmFPdjOvyE5awiDU1MbUpevCetaoyyQJmWgQVK+VOvH14WSQ6Fca70tbc1ukPsEEGHrtTUsmM8mbDfKUhnFci8gliGINI/yXIAAiYnsw6JIRgWWAKlkwRZb6skJ64V6nKjDuSEPxvdPIowHIhpIsQkTFaYqSt9ZMEPy2oC/UEfvHSnOnfZFV38MjR1oN7TtgRv8tAZre9CGV9jYkGtT4Wnoju6Bauprme/ebOyErZbPi9XLfLnDoohwhHGc5WVSVhjCKM6rBMpYQpWJrIizfZ4IZNPxuTPqYrmd/m+EdONqPOfy8yG5rhxv0EMFHs52xvxWaHyd3tqD7+j37clWGGyh7vD+POiSrdZdWSIR49NrhR9R/teGTL8A').'&RelayState='.urlencode('https://pitbulk.no-ip.org/newonelogin/demo1/index.php').'&SigAlg='.urlencode('http://www.w3.org/2000/09/xmldsig#rsa-sha1').'&Signature='.urlencode('vfWbbc47PkP3ejx4bjKsRX7lo9Ml1WRoE5J5owF/0mnyKHfSY6XbhO1wwjBV5vWdrUVX+xp6slHyAf4YoAsXFS0qhan6txDiZY4Oec6yE+l10iZbzvie06I4GPak4QrQ4gAyXOSzwCrRmJu4gnpeUxZ6IqKtdrKfAYRAcVfNKGA=');
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData2, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Both SAMLRequest and SAMLResponse provided";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+ }
+
+ /**
+ * Tests the validateBinarySign method of the Utils
+ * Case Invalid Parameters: Ex. Duplicated Parameters
+ *
+ * @covers OneLogin_Saml2_Utils::validateSign
+ */
+ public function testValidateBinarySignDuplicatedParameters()
+ {
+ $settingsDir = TEST_ROOT .'/settings/';
+ include $settingsDir.'settings6.php';
+
+ $settings = new OneLogin_Saml2_Settings($settingsInfo);
+ $idpData = $settings->getIdPData();
+
+ $getData = array();
+ $retrieveParametersFromServer = true;
+ $messageType = 'SAMLRequest';
+
+ $_SERVER['QUERY_STRING'] = 'SAMLRequest=xxx&SAMLRequest=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'SAMLResponse=xxx&SAMLResponse=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'RelayState=xxx&RelayState=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+
+ $_SERVER['QUERY_STRING'] = 'SigAlg=xxx&SigAlg=yyy';
+ try {
+ OneLogin_Saml2_Utils::validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer);
+ $this->fail('Error was not raised');
+ } catch (Exception $e) {
+ $expectedMessage = "Duplicate parameter in query string";
+ $this->assertEquals($expectedMessage, $e->getMessage());
+ }
+ }
 }
From d42321174e1185704e5b8b36cde6d79b131e2985 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Sun, 25 May 2025 13:09:35 +0200
Subject: [PATCH 4/8] Fix typo and compatibility
---
 lib/Saml2/Utils.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 7fbd14ac..5c36a485 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
@@ -1521,7 +1521,7 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
 OneLogin_Saml2_Error::INVALID_PARAMETER
 );
 }
- $keys = ["SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature"];
+ $keys = array("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");
 foreach ($keys as $key) {
 if (substr_count($_SERVER['QUERY_STRING'], $key) > 1) {
 throw new OneLogin_Saml2_Error(
@@ -1544,7 +1544,7 @@ public static function validateBinarySign($messageType, $getData, $idpData, $ret
 $signedQuery .= '&SigAlg='.OneLogin_Saml2_Utils::extractOriginalQueryParam('SigAlg');
 } else {
 if (isset($getData['SAMLRequest']) && isset($getData['SAMLResponse'])) {
- throw new Error(
+ throw new OneLogin_Saml2_Error(
 "Both SAMLRequest and SAMLResponse provided",
 OneLogin_Saml2_Error::INVALID_PARAMETER
 );
From 9c42c47a35a2217cbfaab1094f3f6514ffaa34f6 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Sun, 25 May 2025 16:08:01 +0200
Subject: [PATCH 5/8] Fix buildWithBaseURLPath, See #581
---
 lib/Saml2/Utils.php | 8 ++++++--
 lib/Saml2/version.json | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/Saml2/Utils.php b/lib/Saml2/Utils.php
index 5c36a485..6ace614d 100644
--- a/lib/Saml2/Utils.php
+++ b/lib/Saml2/Utils.php
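Review bot: The duplicate-parameter guard on the context line `if (substr_count($_SERVER['QUERY_STRING'], $key) > 1)` counts each entry of the new `$keys` list as a bare substring of the whole query string, so a legitimate request whose RelayState value happens to contain the text `SAMLRequest` or `Signature` is refused as a duplicate. Counting only parameter names removes that false positive without weakening the check: `if (preg_match_all('/(?:^|&)'.preg_quote($key, '/').'=/', $_SERVER['QUERY_STRING']) > 1) {`. The both-present check on the server path appears to be substring-based as well, since the PATCH 3/8 test testValidateBinarySignReqAndRes builds its query with `'%SAMLResponse='` instead of `'&SAMLResponse='` and still expects the "Both SAMLRequest and SAMLResponse provided" error; that test presumably meant `&`. validateBinarySign starts and ends outside both hunks, so the server-path both-present check itself is not visible here.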
@@ -709,8 +709,12 @@ protected static function buildWithBaseURLPath($info) if (!empty($baseURLPath)) { $result = $baseURLPath; if (!empty($info)) { - // Remove base path from the path info. - $extractedInfo = str_replace($baseURLPath, '', $info); + $extractedInfo = $info; + if ($baseURLPath != '/') { + // Remove base path from the path info. + $extractedInfo = str_replace($baseURLPath, '', $info); + } + // Remove starting and ending slash. $extractedInfo = trim($extractedInfo, '/'); if (!empty($extractedInfo)) { diff --git a/lib/Saml2/version.json b/lib/Saml2/version.json index 1beb2b6e..52c3af78 100644 --- a/lib/Saml2/version.json +++ b/lib/Saml2/version.json @@ -1,6 +1,6 @@ { "php-saml": { - "version": "2.20.0", - "released": "30/05/2024" + "version": "2.21.0", + "released": "25/05/2025" } } From de758ec92ba56e4a6295e1a67d8e8c4aaf7b06ea Mon Sep 17 00:00:00 2001 From: Sixto Martin Date: Sun, 25 May 2025 16:11:05 +0200 Subject: [PATCH 6/8] Prepare release 2.21.0 --- CHANGELOG | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 8ab526fa..8ddb5764 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,13 @@ CHANGELOG ========= +v.2.21.0 +* [#619](https://github.com/SAML-Toolkits/php-saml/pull/619) Add Parameter checking on validateBinarySign, inspired on CVE-2025-27773 +* [#603](https://github.com/SAML-Toolkits/php-saml/issues/603) Fix typo in ignoreValidUntil that breaks metadata. Add parameter to exclude validUntil on Settings getSPMetadata +* [#594](https://github.com/SAML-Toolkits/php-saml/pull/594) Add support for encrypted name id in encrypted assertion +* Fix buildWithBaseURLPath +* Doc fix typo +* Remove Travis CI references v.2.20.0 * [#586](https://github.com/SAML-Toolkits/php-saml/pull/586) IdPMetadataParser::parseRemoteXML - Add argument for setting whether to validate peer SSL certificate From 3678f2c02887e6da74f23294c7f5673dd88d0902 Mon Sep 17 00:00:00 2001 
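Review bot: The retained `str_replace($baseURLPath, '', $info)` removes every occurrence of the base path from `$info`, not only the leading one, so with a base path such as `/app/` (constructed example) a path info of `/app/x/app/y` collapses to `x/y`; the new `!= '/'` guard only covers the root case, where every slash would otherwise be stripped. Stripping a prefix keeps the rest of the path intact: `if ($baseURLPath !== '/' && strpos($info, $baseURLPath) === 0) {` followed by `$extractedInfo = substr($info, strlen($baseURLPath));`. Using `!==` rather than `!=` also avoids a loose comparison on a value whose type is not visible here. buildWithBaseURLPath starts and ends outside the hunk, so how `$info` and `$baseURLPath` are derived cannot be checked from this diff.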
From: Sixto Martin
Date: Sun, 25 May 2025 16:15:26 +0200
Subject: [PATCH 7/8] Add tests
---
 tests/src/OneLogin/Saml2/UtilsTest.php | 41 ++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/tests/src/OneLogin/Saml2/UtilsTest.php b/tests/src/OneLogin/Saml2/UtilsTest.php
index 4f1d9b4b..9e9f803f 100644
--- a/tests/src/OneLogin/Saml2/UtilsTest.php
+++ b/tests/src/OneLogin/Saml2/UtilsTest.php
@@ -547,6 +547,47 @@ public function testSetBaseURL()
 $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
 }

+ /**
+ * @covers OneLogin_Saml2_Utils::setBaseURL
+ */
+ public function testSetBaseURL2()
+ {
+ $_SERVER['HTTP_HOST'] = 'sp.example.com';
+ $_SERVER['HTTPS'] = 'https';
+ $_SERVER['REQUEST_URI'] = null;
+ $_SERVER['QUERY_STRING'] = null;
+ $_SERVER['SCRIPT_NAME'] = '/';
+ unset($_SERVER['PATH_INFO']);
+
+ OneLogin_Saml2_Utils::setBaseURL('https://sp.example.com/');
+ $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+ $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+ $this->assertEquals("https://sp.example.com/", OneLogin_Saml2_Utils::getSelfURL());
+ $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+ $_SERVER['REQUEST_URI'] = '/example1/path/route.php?x=test';
+ $_SERVER['QUERY_STRING'] = '?x=test';
+ $_SERVER['SCRIPT_NAME'] = '/example1/path/route.php';
+ $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route.php?x=test", OneLogin_Saml2_Utils::getSelfURL());
+ $this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+ OneLogin_Saml2_Utils::setBaseURLPath('/example1/path/');
+ $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route.php", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route.php?x=test", OneLogin_Saml2_Utils::getSelfURL());
+ $this->assertEquals('/example1/path/', OneLogin_Saml2_Utils::getBaseURLPath());
+
+ $_SERVER['REQUEST_URI'] = '/example1/path/route/?x=test';
+ $_SERVER['QUERY_STRING'] = '?x=test';
+ $_SERVER['SCRIPT_NAME'] = '/example1/path/route';
+ $this->assertEquals("https://sp.example.com/example1/path/route", OneLogin_Saml2_Utils::getSelfURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route", OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery());
+ $this->assertEquals("https://sp.example.com/example1/path/route/?x=test", OneLogin_Saml2_Utils::getSelfURL());
+ $this->assertEquals('/example1/path/', OneLogin_Saml2_Utils::getBaseURLPath());
+ }
+
 /**
 * Tests the getSelfURLhost method of the OneLogin_Saml2_Utils
 *
From 67000da38c57fe625cd747580602a40a9bec71ea Mon Sep 17 00:00:00 2001
From: Kieran-Hyphen <149680184+Kieran-Hyphen@users.noreply.github.com>
Date: Thu, 2 Oct 2025 09:40:06 +0100
Subject: [PATCH 8/8] Correct variable name in logout comment Fix typo in variable name 'paramters' to 'parameters'.
---
 demo1/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/demo1/index.php b/demo1/index.php
index d1d8bbcb..4ec511f3 100644
--- a/demo1/index.php
+++ b/demo1/index.php
@@ -53,7 +53,7 @@ $auth->logout($returnTo, $parameters, $nameId, $sessionIndex, false, $nameIdFormat, $samlNameIdNameQualifier, $samlNameIdSPNameQualifier);
 # If LogoutRequest ID need to be saved in order to later validate it, do instead
- # $sloBuiltUrl = $auth->logout(null, $paramters, $nameId, $sessionIndex, true);
+ # $sloBuiltUrl = $auth->logout(null, $parameters, $nameId, $sessionIndex, true);
 # $_SESSION['LogoutRequestID'] = $auth->getLastRequestID();
 # header('Pragma: no-cache');
 # header('Cache-Control: no-cache, must-revalidate');
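Review bot: `$_SERVER['QUERY_STRING'] = '?x=test';` in testSetBaseURL2 is not the value a web SAPI provides — QUERY_STRING carries `x=test` without the leading `?` — so the two `getSelfURL()` assertions that expect `...?x=test` exercise a shape the code will not see in production and would not catch a regression in how the query is appended; presumably the line was copied from the existing testSetBaseURL above, but `$_SERVER['QUERY_STRING'] = 'x=test';` keeps the expected values meaningful. The test also returns with `$_SERVER` and the static state set by `setBaseURL`/`setBaseURLPath` still in place; unless the test class resets them in setUp/tearDown (not visible here), later tests inherit `/example1/path/`. Resetting both at the end of the method, as the visible context line `$this->assertEquals('/', OneLogin_Saml2_Utils::getBaseURLPath());` suggests the previous test does, would make the ordering irrelevant.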