芝麻web文件管理V1.00

编辑当前文件:/home/mgatv524/public_html/avenida/views/onelogin.zip
PK�������sqY��4�d��d����php-saml/settings_example.phpnu��[���
��������<?php $settings = array( // If 'strict' is True, then the PHP Toolkit will reject unsigned // or unencrypted messages if it expects them signed or encrypted // Also will reject the messages if not strictly follow the SAML // standard: Destination, NameId, Conditions ... are validated too. 'strict' => true, // Enable debug mode (to print errors) 'debug' => false, // Set a BaseURL to be used instead of try to guess // the BaseURL of the view that process the SAML Message. // Ex. http://sp.example.com/ // http://example.com/sp/ 'baseurl' => null, // Service Provider Data that we are deploying 'sp' => array( // Identifier of the SP entity (must be a URI) 'entityId' => '', // Specifies info about where and how the <AuthnResponse> message MUST be // returned to the requester, in this case our SP. 'assertionConsumerService' => array( // URL Location where the <Response> from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the <Response> // message. Onelogin Toolkit supports for this endpoint the // HTTP-POST binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', ), // If you need to specify requested attributes, set a // attributeConsumingService. nameFormat, attributeValue and // friendlyName can be omitted. Otherwise remove this section. "attributeConsumingService"=> array( "serviceName" => "SP test", "serviceDescription" => "Test Service", "requestedAttributes" => array( array( "name" => "", "isRequired" => false, "nameFormat" => "", "friendlyName" => "", "attributeValue" => "" ) ) ), // Specifies info about where and how the <Logout Response> message MUST be // returned to the requester, in this case our SP. 'singleLogoutService' => array( // URL Location where the <Response> from the IdP will be returned 'url' => '', // SAML protocol binding to be used when returning the <Response> // message. Onelogin Toolkit supports for this endpoint the // HTTP-Redirect binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // Specifies constraints on the name identifier to be used to // represent the requested subject. // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified', // Usually x509cert and privateKey of the SP are provided by files placed at // the certs folder. But we can also provide them with the following parameters 'x509cert' => '', 'privateKey' => '', /* * Key rollover * If you plan to update the SP x509cert and privateKey * you can define here the new x509cert and it will be * published on the SP metadata so Identity Providers can * read them and get ready for rollover. */ // 'x509certNew' => '', ), // Identity Provider Data that we want connect with our SP 'idp' => array( // Identifier of the IdP entity (must be a URI) 'entityId' => '', // SSO endpoint info of the IdP. (Authentication Request protocol) 'singleSignOnService' => array( // URL Target of the IdP where the SP will send the Authentication Request Message 'url' => '', // SAML protocol binding to be used when returning the <Response> // message. Onelogin Toolkit supports for this endpoint the // HTTP-Redirect binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // SLO endpoint info of the IdP. 'singleLogoutService' => array( // URL Location of the IdP where the SP will send the SLO Request 'url' => '', // URL location of the IdP where the SP SLO Response will be sent (ResponseLocation) // if not set, url for the SLO Request will be used 'responseUrl' => '', // SAML protocol binding to be used when returning the <Response> // message. Onelogin Toolkit supports for this endpoint the // HTTP-Redirect binding only 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', ), // Public x509 certificate of the IdP 'x509cert' => '', /* * Instead of use the whole x509cert you can use a fingerprint in * order to validate the SAMLResponse, but we don't recommend to use * that method on production since is exploitable by a collision * attack. * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it, * or add for example the -sha256 , -sha384 or -sha512 parameter) * * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to * let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512 * 'sha1' is the default value. */ // 'certFingerprint' => '', // 'certFingerprintAlgorithm' => 'sha1', /* In some scenarios the IdP uses different certificates for * signing/encryption, or is under key rollover phase and more * than one certificate is published on IdP metadata. * In order to handle that the toolkit offers that parameter. * (when used, 'x509cert' and 'certFingerprint' values are * ignored). */ // 'x509certMulti' => array( // 'signing' => array( // 0 => '<cert1-string>', // ), // 'encryption' => array( // 0 => '<cert2-string>', // ) // ), ), ); PK�������sqY��=��������php-saml/composer.jsonnu��[���
��������{ "name": "onelogin/php-saml", "description": "OneLogin PHP SAML Toolkit", "license": "MIT", "homepage": "https://developers.onelogin.com/saml/php", "keywords": ["saml", "saml2", "onelogin"], "autoload": { "psr-4": { "OneLogin\\": "src/" } }, "support": { "email": "sixto.garcia@onelogin.com", "issues": "https://github.com/onelogin/php-saml/issues", "source": "https://github.com/onelogin/php-saml/" }, "require": { "php": ">=5.4", "robrichards/xmlseclibs": ">=3.0.4" }, "require-dev": { "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", "phploc/phploc": "^2.1 || ^3.0 || ^4.0", "pdepend/pdepend": "^2.5.0", "squizlabs/php_codesniffer": "^3.1.1" }, "suggest": { "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", "ext-gettext": "Install gettext and php5-gettext libs to handle translations" } } PK�������sqY5�Ce(��(����php-saml/LICENSEnu��[���
��������Copyright (c) 2010-2016 OneLogin, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. PK�������sqYS:h�C��C��&��php-saml/advanced_settings_example.phpnu��[���
��������<?php $advancedSettings = array( // Compression settings // Handle if the getRequest/getResponse methods will return the Request/Response deflated. // But if we provide a $deflate boolean parameter to the getRequest or getResponse // method it will have priority over the compression settings. 'compress' => array( 'requests' => true, 'responses' => true ), // Security settings 'security' => array( /** signatures and encryptions offered */ // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP // will be encrypted. 'nameIdEncrypted' => false, // Indicates whether the <samlp:AuthnRequest> messages sent by this SP // will be signed. [The Metadata of the SP will offer this info] 'authnRequestsSigned' => false, // Indicates whether the <samlp:logoutRequest> messages sent by this SP // will be signed. 'logoutRequestSigned' => false, // Indicates whether the <samlp:logoutResponse> messages sent by this SP // will be signed. 'logoutResponseSigned' => false, /* Sign the Metadata False || True (use sp certs) || array ( 'keyFileName' => 'metadata.key', 'certFileName' => 'metadata.crt' ) || array ( 'x509cert' => '', 'privateKey' => '' ) */ 'signMetadata' => false, /** signatures and encryptions required **/ // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and // <samlp:LogoutResponse> elements received by this SP to be signed. 'wantMessagesSigned' => false, // Indicates a requirement for the <saml:Assertion> elements received by // this SP to be encrypted. 'wantAssertionsEncrypted' => false, // Indicates a requirement for the <saml:Assertion> elements received by // this SP to be signed. [The Metadata of the SP will offer this info] 'wantAssertionsSigned' => false, // Indicates a requirement for the NameID element on the SAMLResponse received // by this SP to be present. 'wantNameId' => true, // Indicates a requirement for the NameID received by // this SP to be encrypted. 'wantNameIdEncrypted' => false, // Authentication context. // Set to false and no AuthContext will be sent in the AuthNRequest, // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), 'requestedAuthnContext' => false, // Allows the authn comparison parameter to be set, defaults to 'exact' if // the setting is not present. 'requestedAuthnContextComparison' => 'exact', // Indicates if the SP will validate all received xmls. // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true). 'wantXMLValidation' => true, // If true, SAMLResponses with an empty value at its Destination // attribute will not be rejected for this fact. 'relaxDestinationValidation' => false, // Algorithm that the toolkit will use on signing process. Options: // 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' // 'http://www.w3.org/2000/09/xmldsig#dsa-sha1' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' // Notice that rsa-sha1 is a deprecated algorithm and should not be used 'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', // Algorithm that the toolkit will use on digest process. Options: // 'http://www.w3.org/2000/09/xmldsig#sha1' // 'http://www.w3.org/2001/04/xmlenc#sha256' // 'http://www.w3.org/2001/04/xmldsig-more#sha384' // 'http://www.w3.org/2001/04/xmlenc#sha512' // Notice that sha1 is a deprecated algorithm and should not be used 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256', // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses // uppercase. Turn it True for ADFS compatibility on signature verification 'lowercaseUrlencoding' => false, ), // Contact information template, it is recommended to suply a technical and support contacts 'contactPerson' => array( 'technical' => array( 'givenName' => '', 'emailAddress' => '' ), 'support' => array( 'givenName' => '', 'emailAddress' => '' ), ), // Organization information template, the info in en_US lang is recomended, add more if required 'organization' => array( 'en-US' => array( 'name' => '', 'displayname' => '', 'url' => '' ), ), ); /* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current 'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>, // MUST NOT assume that the IdP validates the sign 'wantAssertionsSigned' => true, 'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled 'wantNameIdEncrypted' => false, */ PK�������sqYHz��������php-saml/_toolkit_loader.phpnu��[���
��������<?php // Create an __autoload function // (can conflicts other autoloaders) // http://php.net/manual/en/language.oop5.autoload.php // Load composer vendor folder if any if (file_exists(__DIR__ . '/vendor/autoload.php')) { require __DIR__ . '/vendor/autoload.php'; } /* // Load xmlseclibs $xmlseclibsSrcDir = ''; include_once $xmlseclibsSrcDir.'/XMLSecEnc.php'; include_once $xmlseclibsSrcDir.'/XMLSecurityDSig.php'; include_once $xmlseclibsSrcDir.'/XMLSecurityKey.php'; include_once $xmlseclibsSrcDir.'/Utils/XPath.php'; */ // Load php-saml $libDir = __DIR__ . '/src/Saml2/'; $folderInfo = scandir($libDir); foreach ($folderInfo as $element) { if (is_file($libDir.$element) && (substr($element, -4) === '.php')) { include_once $libDir.$element; } } PK�������sqYPH�~)��~)����php-saml/src/Saml2/Metadata.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use RobRichards\XMLSecLibs\XMLSecurityDSig; use DOMDocument; use Exception; /** * Metadata lib of OneLogin PHP Toolkit */ class Metadata { const TIME_VALID = 172800; // 2 days const TIME_CACHED = 604800; // 1 week /** * Generates the metadata of the SP based on the settings * * @param array $sp The SP data * @param bool|string $authnsign authnRequestsSigned attribute * @param bool|string $wsign wantAssertionsSigned attribute * @param int|null $validUntil Metadata's valid time * @param int|null $cacheDuration Duration of the cache in seconds * @param array $contacts Contacts info * @param array $organization Organization ingo * @param array $attributes * * @return string SAML Metadata XML */ public static function builder($sp, $authnsign = false, $wsign = false, $validUntil = null, $cacheDuration = null, $contacts = array(), $organization = array(), $attributes = array()) { if (!isset($validUntil)) { $validUntil = time() + self::TIME_VALID; } $validUntilTime = Utils::parseTime2SAML($validUntil); if (!isset($cacheDuration)) { $cacheDuration = self::TIME_CACHED; } $sls = ''; if (isset($sp['singleLogoutService'])) { $slsUrl = htmlspecialchars($sp['singleLogoutService']['url'], ENT_QUOTES); $sls = <<<SLS_TEMPLATE <md:SingleLogoutService Binding="{$sp['singleLogoutService']['binding']}" Location="{$slsUrl}" /> SLS_TEMPLATE; } if ($authnsign) { $strAuthnsign = 'true'; } else { $strAuthnsign = 'false'; } if ($wsign) { $strWsign = 'true'; } else { $strWsign = 'false'; } $strOrganization = ''; if (!empty($organization)) { $organizationInfoNames = array(); $organizationInfoDisplaynames = array(); $organizationInfoUrls = array(); foreach ($organization as $lang => $info) { $organizationInfoNames[] = <<<ORGANIZATION_NAME <md:OrganizationName xml:lang="{$lang}">{$info['name']}</md:OrganizationName> ORGANIZATION_NAME; $organizationInfoDisplaynames[] = <<<ORGANIZATION_DISPLAY <md:OrganizationDisplayName xml:lang="{$lang}">{$info['displayname']}</md:OrganizationDisplayName> ORGANIZATION_DISPLAY; $organizationInfoUrls[] = <<<ORGANIZATION_URL <md:OrganizationURL xml:lang="{$lang}">{$info['url']}</md:OrganizationURL> ORGANIZATION_URL; } $orgData = implode("\n", $organizationInfoNames)."\n".implode("\n", $organizationInfoDisplaynames)."\n".implode("\n", $organizationInfoUrls); $strOrganization = <<<ORGANIZATIONSTR <md:Organization> {$orgData} </md:Organization> ORGANIZATIONSTR; } $strContacts = ''; if (!empty($contacts)) { $contactsInfo = array(); foreach ($contacts as $type => $info) { $contactsInfo[] = <<<CONTACT <md:ContactPerson contactType="{$type}"> <md:GivenName>{$info['givenName']}</md:GivenName> <md:EmailAddress>{$info['emailAddress']}</md:EmailAddress> </md:ContactPerson> CONTACT; } $strContacts = "\n".implode("\n", $contactsInfo); } $strAttributeConsumingService = ''; if (isset($sp['attributeConsumingService'])) { $attrCsDesc = ''; if (isset($sp['attributeConsumingService']['serviceDescription'])) { $attrCsDesc = sprintf( ' <md:ServiceDescription xml:lang="en">%s</md:ServiceDescription>' . PHP_EOL, $sp['attributeConsumingService']['serviceDescription'] ); } if (!isset($sp['attributeConsumingService']['serviceName'])) { $sp['attributeConsumingService']['serviceName'] = 'Service'; } $requestedAttributeData = array(); foreach ($sp['attributeConsumingService']['requestedAttributes'] as $attribute) { $requestedAttributeStr = sprintf(' <md:RequestedAttribute Name="%s"', $attribute['name']); if (isset($attribute['nameFormat'])) { $requestedAttributeStr .= sprintf(' NameFormat="%s"', $attribute['nameFormat']); } if (isset($attribute['friendlyName'])) { $requestedAttributeStr .= sprintf(' FriendlyName="%s"', $attribute['friendlyName']); } if (isset($attribute['isRequired'])) { $requestedAttributeStr .= sprintf(' isRequired="%s"', $attribute['isRequired'] === true ? 'true' : 'false'); } $reqAttrAuxStr = " />"; if (isset($attribute['attributeValue']) && !empty($attribute['attributeValue'])) { $reqAttrAuxStr = '>'; if (is_string($attribute['attributeValue'])) { $attribute['attributeValue'] = array($attribute['attributeValue']); } foreach ($attribute['attributeValue'] as $attrValue) { $reqAttrAuxStr .=<<<ATTRIBUTEVALUE <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{$attrValue}</saml:AttributeValue> ATTRIBUTEVALUE; } $reqAttrAuxStr .= "\n </md:RequestedAttribute>"; } $requestedAttributeData[] = $requestedAttributeStr . $reqAttrAuxStr; } $requestedAttributeStr = implode(PHP_EOL, $requestedAttributeData); $strAttributeConsumingService = <<<METADATA_TEMPLATE <md:AttributeConsumingService index="1"> <md:ServiceName xml:lang="en">{$sp['attributeConsumingService']['serviceName']}</md:ServiceName> {$attrCsDesc}{$requestedAttributeStr} </md:AttributeConsumingService> METADATA_TEMPLATE; } $spEntityId = htmlspecialchars($sp['entityId'], ENT_QUOTES); $acsUrl = htmlspecialchars($sp['assertionConsumerService']['url'], ENT_QUOTES); $metadata = <<<METADATA_TEMPLATE <?xml version="1.0"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="{$validUntilTime}" cacheDuration="PT{$cacheDuration}S" entityID="{$spEntityId}"> <md:SPSSODescriptor AuthnRequestsSigned="{$strAuthnsign}" WantAssertionsSigned="{$strWsign}" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> {$sls} <md:NameIDFormat>{$sp['NameIDFormat']}</md:NameIDFormat> <md:AssertionConsumerService Binding="{$sp['assertionConsumerService']['binding']}" Location="{$acsUrl}" index="1" /> {$strAttributeConsumingService} </md:SPSSODescriptor>{$strOrganization}{$strContacts} </md:EntityDescriptor> METADATA_TEMPLATE; return $metadata; } /** * Signs the metadata with the key/cert provided * * @param string $metadata SAML Metadata XML * @param string $key x509 key * @param string $cert x509 cert * @param string $signAlgorithm Signature algorithm method * @param string $digestAlgorithm Digest algorithm method * * @return string Signed Metadata * * @throws Exception */ public static function signMetadata($metadata, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256) { return Utils::addSign($metadata, $key, $cert, $signAlgorithm, $digestAlgorithm); } /** * Adds the x509 descriptors (sign/encryption) to the metadata * The same cert will be used for sign/encrypt * * @param string $metadata SAML Metadata XML * @param string $cert x509 cert * @param bool $wantsEncrypted Whether to include the KeyDescriptor for encryption * * @return string Metadata with KeyDescriptors * * @throws Exception */ public static function addX509KeyDescriptors($metadata, $cert, $wantsEncrypted = true) { $xml = new DOMDocument(); $xml->preserveWhiteSpace = false; $xml->formatOutput = true; try { $xml = Utils::loadXML($xml, $metadata); if (!$xml) { throw new Exception('Error parsing metadata'); } } catch (Exception $e) { throw new Exception('Error parsing metadata. '.$e->getMessage()); } $formatedCert = Utils::formatCert($cert, false); $x509Certificate = $xml->createElementNS(Constants::NS_DS, 'X509Certificate', $formatedCert); $keyData = $xml->createElementNS(Constants::NS_DS, 'ds:X509Data'); $keyData->appendChild($x509Certificate); $keyInfo = $xml->createElementNS(Constants::NS_DS, 'ds:KeyInfo'); $keyInfo->appendChild($keyData); $keyDescriptor = $xml->createElementNS(Constants::NS_MD, "md:KeyDescriptor"); $SPSSODescriptor = $xml->getElementsByTagName('SPSSODescriptor')->item(0); $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild); if ($wantsEncrypted === true) { $SPSSODescriptor->insertBefore($keyDescriptor->cloneNode(), $SPSSODescriptor->firstChild); } $signing = $xml->getElementsByTagName('KeyDescriptor')->item(0); $signing->setAttribute('use', 'signing'); $signing->appendChild($keyInfo); if ($wantsEncrypted === true) { $encryption = $xml->getElementsByTagName('KeyDescriptor')->item(1); $encryption->setAttribute('use', 'encryption'); $encryption->appendChild($keyInfo->cloneNode(true)); } return $xml->saveXML(); } } PK�������sqY��W�"���"��"��php-saml/src/Saml2/schemas/xml.xsdnu��[���
��������<?xml version='1.0'?> <?xml-stylesheet href="../2008/09/xsd.xsl" type="text/xsl"?> <xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns ="http://www.w3.org/1999/xhtml" xml:lang="en"> <xs:annotation> <xs:documentation> <div> <h1>About the XML namespace</h1> <div class="bodytext"> <p> This schema document describes the XML namespace, in a form suitable for import by other schema documents. </p> <p> See <a href="http://www.w3.org/XML/1998/namespace.html"> http://www.w3.org/XML/1998/namespace.html</a> and <a href="http://www.w3.org/TR/REC-xml"> http://www.w3.org/TR/REC-xml</a> for information about this namespace. </p> <p> Note that local names in this namespace are intended to be defined only by the World Wide Web Consortium or its subgroups. The names currently defined in this namespace are listed below. They should not be used with conflicting semantics by any Working Group, specification, or document instance. </p> <p> See further below in this document for more information about <a href="#usage">how to refer to this schema document from your own XSD schema documents</a> and about <a href="#nsversioning">the namespace-versioning policy governing this schema document</a>. </p> </div> </div> </xs:documentation> </xs:annotation> <xs:attribute name="lang"> <xs:annotation> <xs:documentation> <div> <h3>lang (as an attribute name)</h3> <p> denotes an attribute whose value is a language code for the natural language of the content of any element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p> </div> <div> <h4>Notes</h4> <p> Attempting to install the relevant ISO 2- and 3-letter codes as the enumerated possible values is probably never going to be a realistic possibility. </p> <p> See BCP 47 at <a href="http://www.rfc-editor.org/rfc/bcp/bcp47.txt"> http://www.rfc-editor.org/rfc/bcp/bcp47.txt</a> and the IANA language subtag registry at <a href="http://www.iana.org/assignments/language-subtag-registry"> http://www.iana.org/assignments/language-subtag-registry</a> for further information. </p> <p> The union allows for the 'un-declaration' of xml:lang with the empty string. </p> </div> </xs:documentation> </xs:annotation> <xs:simpleType> <xs:union memberTypes="xs:language"> <xs:simpleType> <xs:restriction base="xs:string"> <xs:enumeration value=""/> </xs:restriction> </xs:simpleType> </xs:union> </xs:simpleType> </xs:attribute> <xs:attribute name="space"> <xs:annotation> <xs:documentation> <div> <h3>space (as an attribute name)</h3> <p> denotes an attribute whose value is a keyword indicating what whitespace processing discipline is intended for the content of the element; its value is inherited. This name is reserved by virtue of its definition in the XML specification.</p> </div> </xs:documentation> </xs:annotation> <xs:simpleType> <xs:restriction base="xs:NCName"> <xs:enumeration value="default"/> <xs:enumeration value="preserve"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="base" type="xs:anyURI"> <xs:annotation> <xs:documentation> <div> <h3>base (as an attribute name)</h3> <p> denotes an attribute whose value provides a URI to be used as the base for interpreting any relative URIs in the scope of the element on which it appears; its value is inherited. This name is reserved by virtue of its definition in the XML Base specification.</p> <p> See <a href="http://www.w3.org/TR/xmlbase/">http://www.w3.org/TR/xmlbase/</a> for information about this attribute. </p> </div> </xs:documentation> </xs:annotation> </xs:attribute> <xs:attribute name="id" type="xs:ID"> <xs:annotation> <xs:documentation> <div> <h3>id (as an attribute name)</h3> <p> denotes an attribute whose value should be interpreted as if declared to be of type ID. This name is reserved by virtue of its definition in the xml:id specification.</p> <p> See <a href="http://www.w3.org/TR/xml-id/">http://www.w3.org/TR/xml-id/</a> for information about this attribute. </p> </div> </xs:documentation> </xs:annotation> </xs:attribute> <xs:attributeGroup name="specialAttrs"> <xs:attribute ref="xml:base"/> <xs:attribute ref="xml:lang"/> <xs:attribute ref="xml:space"/> <xs:attribute ref="xml:id"/> </xs:attributeGroup> <xs:annotation> <xs:documentation> <div> <h3>Father (in any context at all)</h3> <div class="bodytext"> <p> denotes Jon Bosak, the chair of the original XML Working Group. This name is reserved by the following decision of the W3C XML Plenary and XML Coordination groups: </p> <blockquote> <p> In appreciation for his vision, leadership and dedication the W3C XML Plenary on this 10th day of February, 2000, reserves for Jon Bosak in perpetuity the XML name "xml:Father". </p> </blockquote> </div> </div> </xs:documentation> </xs:annotation> <xs:annotation> <xs:documentation> <div xml:id="usage" id="usage"> <h2><a name="usage">About this schema document</a></h2> <div class="bodytext"> <p> This schema defines attributes and an attribute group suitable for use by schemas wishing to allow <code>xml:base</code>, <code>xml:lang</code>, <code>xml:space</code> or <code>xml:id</code> attributes on elements they define. </p> <p> To enable this, such a schema must import this schema for the XML namespace, e.g. as follows: </p> <pre> <schema . . .> . . . <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd"/> </pre> <p> or </p> <pre> <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2009/01/xml.xsd"/> </pre> <p> Subsequently, qualified reference to any of the attributes or the group defined below will have the desired effect, e.g. </p> <pre> <type . . .> . . . <attributeGroup ref="xml:specialAttrs"/> </pre> <p> will define a type which will schema-validate an instance element with any of those attributes. </p> </div> </div> </xs:documentation> </xs:annotation> <xs:annotation> <xs:documentation> <div id="nsversioning" xml:id="nsversioning"> <h2><a name="nsversioning">Versioning policy for this schema document</a></h2> <div class="bodytext"> <p> In keeping with the XML Schema WG's standard versioning policy, this schema document will persist at <a href="http://www.w3.org/2009/01/xml.xsd"> http://www.w3.org/2009/01/xml.xsd</a>. </p> <p> At the date of issue it can also be found at <a href="http://www.w3.org/2001/xml.xsd"> http://www.w3.org/2001/xml.xsd</a>. </p> <p> The schema document at that URI may however change in the future, in order to remain compatible with the latest version of XML Schema itself, or with the XML namespace itself. In other words, if the XML Schema or XML namespaces change, the version of this document at <a href="http://www.w3.org/2001/xml.xsd"> http://www.w3.org/2001/xml.xsd </a> will change accordingly; the version at <a href="http://www.w3.org/2009/01/xml.xsd"> http://www.w3.org/2009/01/xml.xsd </a> will not change. </p> <p> Previous dated (and unchanging) versions of this schema document are at: </p> <ul> <li><a href="http://www.w3.org/2009/01/xml.xsd"> http://www.w3.org/2009/01/xml.xsd</a></li> <li><a href="http://www.w3.org/2007/08/xml.xsd"> http://www.w3.org/2007/08/xml.xsd</a></li> <li><a href="http://www.w3.org/2004/10/xml.xsd"> http://www.w3.org/2004/10/xml.xsd</a></li> <li><a href="http://www.w3.org/2001/03/xml.xsd"> http://www.w3.org/2001/03/xml.xsd</a></li> </ul> </div> </div> </xs:documentation> </xs:annotation> </xs:schema> PK�������sqY�G'E����9��php-saml/src/Saml2/schemas/sstc-saml-metadata-ui-v1.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:metadata:ui" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="1.0"> <annotation> <documentation> Document title: Metadata Extension Schema for SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0 Document identifier: sstc-saml-metadata-ui-v1.0.xsd Location: http://docs.oasis-open.org/security/saml/Post2.0/ Revision history: 16 November 2010: Added Keywords element/type. 01 November 2010 Changed filename. September 2010: Initial version. </documentation> </annotation> <import namespace="urn:oasis:names:tc:SAML:2.0:metadata" schemaLocation="saml-schema-metadata-2.0.xsd"/> <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/> <element name="UIInfo" type="mdui:UIInfoType" /> <complexType name="UIInfoType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="mdui:DisplayName"/> <element ref="mdui:Description"/> <element ref="mdui:Keywords"/> <element ref="mdui:Logo"/> <element ref="mdui:InformationURL"/> <element ref="mdui:PrivacyStatementURL"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="DisplayName" type="md:localizedNameType"/> <element name="Description" type="md:localizedNameType"/> <element name="InformationURL" type="md:localizedURIType"/> <element name="PrivacyStatementURL" type="md:localizedURIType"/> <element name="Keywords" type="mdui:KeywordsType"/> <complexType name="KeywordsType"> <simpleContent> <extension base="mdui:listOfStrings"> <attribute ref="xml:lang" use="required"/> </extension> </simpleContent> </complexType> <simpleType name="listOfStrings"> <list itemType="string"/> </simpleType> <element name="Logo" type="mdui:LogoType"/> <complexType name="LogoType"> <simpleContent> <extension base="anyURI"> <attribute name="height" type="positiveInteger" use="required"/> <attribute name="width" type="positiveInteger" use="required"/> <attribute ref="xml:lang"/> </extension> </simpleContent> </complexType> <element name="DiscoHints" type="mdui:DiscoHintsType"/> <complexType name="DiscoHintsType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="mdui:IPHint"/> <element ref="mdui:DomainHint"/> <element ref="mdui:GeolocationHint"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="IPHint" type="string"/> <element name="DomainHint" type="string"/> <element name="GeolocationHint" type="anyURI"/> </schema> PK�������sqY�8�_s��s��1��php-saml/src/Saml2/schemas/sstc-metadata-attr.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:metadata:attribute" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="2.0"> <annotation> <documentation> Document title: SAML V2.0 Metadata Extention for Entity Attributes Schema Document identifier: sstc-metadata-attr.xsd Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security Revision history: V1.0 (November 2008): Initial version. </documentation> </annotation> <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/> <element name="EntityAttributes" type="mdattr:EntityAttributesType"/> <complexType name="EntityAttributesType"> <choice maxOccurs="unbounded"> <element ref="saml:Attribute"/> <element ref="saml:Assertion"/> </choice> </complexType> </schema> PK�������sqY[x���1���1��8��php-saml/src/Saml2/schemas/saml-schema-assertion-2.0.xsdnu��[���
��������<?xml version="1.0" encoding="US-ASCII"?> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="2.0"> <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/> <import namespace="http://www.w3.org/2001/04/xmlenc#" schemaLocation="xenc-schema.xsd"/> <annotation> <documentation> Document identifier: saml-schema-assertion-2.0 Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V1.0 (November, 2002): Initial Standard Schema. V1.1 (September, 2003): Updates within the same V1.0 namespace. V2.0 (March, 2005): New assertion schema for SAML V2.0 namespace. </documentation> </annotation> <attributeGroup name="IDNameQualifiers"> <attribute name="NameQualifier" type="string" use="optional"/> <attribute name="SPNameQualifier" type="string" use="optional"/> </attributeGroup> <element name="BaseID" type="saml:BaseIDAbstractType"/> <complexType name="BaseIDAbstractType" abstract="true"> <attributeGroup ref="saml:IDNameQualifiers"/> </complexType> <element name="NameID" type="saml:NameIDType"/> <complexType name="NameIDType"> <simpleContent> <extension base="string"> <attributeGroup ref="saml:IDNameQualifiers"/> <attribute name="Format" type="anyURI" use="optional"/> <attribute name="SPProvidedID" type="string" use="optional"/> </extension> </simpleContent> </complexType> <complexType name="EncryptedElementType"> <sequence> <element ref="xenc:EncryptedData"/> <element ref="xenc:EncryptedKey" minOccurs="0" maxOccurs="unbounded"/> </sequence> </complexType> <element name="EncryptedID" type="saml:EncryptedElementType"/> <element name="Issuer" type="saml:NameIDType"/> <element name="AssertionIDRef" type="NCName"/> <element name="AssertionURIRef" type="anyURI"/> <element name="Assertion" type="saml:AssertionType"/> <complexType name="AssertionType"> <sequence> <element ref="saml:Issuer"/> <element ref="ds:Signature" minOccurs="0"/> <element ref="saml:Subject" minOccurs="0"/> <element ref="saml:Conditions" minOccurs="0"/> <element ref="saml:Advice" minOccurs="0"/> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:Statement"/> <element ref="saml:AuthnStatement"/> <element ref="saml:AuthzDecisionStatement"/> <element ref="saml:AttributeStatement"/> </choice> </sequence> <attribute name="Version" type="string" use="required"/> <attribute name="ID" type="ID" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> </complexType> <element name="Subject" type="saml:SubjectType"/> <complexType name="SubjectType"> <choice> <sequence> <choice> <element ref="saml:BaseID"/> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> <element ref="saml:SubjectConfirmation" minOccurs="0" maxOccurs="unbounded"/> </sequence> <element ref="saml:SubjectConfirmation" maxOccurs="unbounded"/> </choice> </complexType> <element name="SubjectConfirmation" type="saml:SubjectConfirmationType"/> <complexType name="SubjectConfirmationType"> <sequence> <choice minOccurs="0"> <element ref="saml:BaseID"/> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> <element ref="saml:SubjectConfirmationData" minOccurs="0"/> </sequence> <attribute name="Method" type="anyURI" use="required"/> </complexType> <element name="SubjectConfirmationData" type="saml:SubjectConfirmationDataType"/> <complexType name="SubjectConfirmationDataType" mixed="true"> <complexContent> <restriction base="anyType"> <sequence> <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="NotBefore" type="dateTime" use="optional"/> <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> <attribute name="Recipient" type="anyURI" use="optional"/> <attribute name="InResponseTo" type="NCName" use="optional"/> <attribute name="Address" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </restriction> </complexContent> </complexType> <complexType name="KeyInfoConfirmationDataType" mixed="false"> <complexContent> <restriction base="saml:SubjectConfirmationDataType"> <sequence> <element ref="ds:KeyInfo" maxOccurs="unbounded"/> </sequence> </restriction> </complexContent> </complexType> <element name="Conditions" type="saml:ConditionsType"/> <complexType name="ConditionsType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:Condition"/> <element ref="saml:AudienceRestriction"/> <element ref="saml:OneTimeUse"/> <element ref="saml:ProxyRestriction"/> </choice> <attribute name="NotBefore" type="dateTime" use="optional"/> <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> </complexType> <element name="Condition" type="saml:ConditionAbstractType"/> <complexType name="ConditionAbstractType" abstract="true"/> <element name="AudienceRestriction" type="saml:AudienceRestrictionType"/> <complexType name="AudienceRestrictionType"> <complexContent> <extension base="saml:ConditionAbstractType"> <sequence> <element ref="saml:Audience" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="Audience" type="anyURI"/> <element name="OneTimeUse" type="saml:OneTimeUseType" /> <complexType name="OneTimeUseType"> <complexContent> <extension base="saml:ConditionAbstractType"/> </complexContent> </complexType> <element name="ProxyRestriction" type="saml:ProxyRestrictionType"/> <complexType name="ProxyRestrictionType"> <complexContent> <extension base="saml:ConditionAbstractType"> <sequence> <element ref="saml:Audience" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Count" type="nonNegativeInteger" use="optional"/> </extension> </complexContent> </complexType> <element name="Advice" type="saml:AdviceType"/> <complexType name="AdviceType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:AssertionIDRef"/> <element ref="saml:AssertionURIRef"/> <element ref="saml:Assertion"/> <element ref="saml:EncryptedAssertion"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="EncryptedAssertion" type="saml:EncryptedElementType"/> <element name="Statement" type="saml:StatementAbstractType"/> <complexType name="StatementAbstractType" abstract="true"/> <element name="AuthnStatement" type="saml:AuthnStatementType"/> <complexType name="AuthnStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="saml:SubjectLocality" minOccurs="0"/> <element ref="saml:AuthnContext"/> </sequence> <attribute name="AuthnInstant" type="dateTime" use="required"/> <attribute name="SessionIndex" type="string" use="optional"/> <attribute name="SessionNotOnOrAfter" type="dateTime" use="optional"/> </extension> </complexContent> </complexType> <element name="SubjectLocality" type="saml:SubjectLocalityType"/> <complexType name="SubjectLocalityType"> <attribute name="Address" type="string" use="optional"/> <attribute name="DNSName" type="string" use="optional"/> </complexType> <element name="AuthnContext" type="saml:AuthnContextType"/> <complexType name="AuthnContextType"> <sequence> <choice> <sequence> <element ref="saml:AuthnContextClassRef"/> <choice minOccurs="0"> <element ref="saml:AuthnContextDecl"/> <element ref="saml:AuthnContextDeclRef"/> </choice> </sequence> <choice> <element ref="saml:AuthnContextDecl"/> <element ref="saml:AuthnContextDeclRef"/> </choice> </choice> <element ref="saml:AuthenticatingAuthority" minOccurs="0" maxOccurs="unbounded"/> </sequence> </complexType> <element name="AuthnContextClassRef" type="anyURI"/> <element name="AuthnContextDeclRef" type="anyURI"/> <element name="AuthnContextDecl" type="anyType"/> <element name="AuthenticatingAuthority" type="anyURI"/> <element name="AuthzDecisionStatement" type="saml:AuthzDecisionStatementType"/> <complexType name="AuthzDecisionStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <sequence> <element ref="saml:Action" maxOccurs="unbounded"/> <element ref="saml:Evidence" minOccurs="0"/> </sequence> <attribute name="Resource" type="anyURI" use="required"/> <attribute name="Decision" type="saml:DecisionType" use="required"/> </extension> </complexContent> </complexType> <simpleType name="DecisionType"> <restriction base="string"> <enumeration value="Permit"/> <enumeration value="Deny"/> <enumeration value="Indeterminate"/> </restriction> </simpleType> <element name="Action" type="saml:ActionType"/> <complexType name="ActionType"> <simpleContent> <extension base="string"> <attribute name="Namespace" type="anyURI" use="required"/> </extension> </simpleContent> </complexType> <element name="Evidence" type="saml:EvidenceType"/> <complexType name="EvidenceType"> <choice maxOccurs="unbounded"> <element ref="saml:AssertionIDRef"/> <element ref="saml:AssertionURIRef"/> <element ref="saml:Assertion"/> <element ref="saml:EncryptedAssertion"/> </choice> </complexType> <element name="AttributeStatement" type="saml:AttributeStatementType"/> <complexType name="AttributeStatementType"> <complexContent> <extension base="saml:StatementAbstractType"> <choice maxOccurs="unbounded"> <element ref="saml:Attribute"/> <element ref="saml:EncryptedAttribute"/> </choice> </extension> </complexContent> </complexType> <element name="Attribute" type="saml:AttributeType"/> <complexType name="AttributeType"> <sequence> <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Name" type="string" use="required"/> <attribute name="NameFormat" type="anyURI" use="optional"/> <attribute name="FriendlyName" type="string" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <element name="AttributeValue" type="anyType" nillable="true"/> <element name="EncryptedAttribute" type="saml:EncryptedElementType"/> </schema> PK�������sqY���B������6��php-saml/src/Saml2/schemas/sstc-saml-attribute-ext.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:attribute:ext" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="2.0"> <annotation> <documentation> Document title: SAML V2.0 Attribute Extension Schema Document identifier: sstc-saml-attribute-ext.xsd Location: http://www.oasis-open.org/committees/documents.php?wg_abbrev=security Revision history: V1.0 (October 2008): Initial version. </documentation> </annotation> <attribute name="OriginalIssuer" type="anyURI"/> <attribute name="LastModified" type="dateTime"/> </schema> PK�������sqY@߲�'��'��2��php-saml/src/Saml2/schemas/xmldsig-core-schema.xsdnu��[���
��������<?xml version="1.0" encoding="utf-8"?> <!-- Schema for XML Signatures http://www.w3.org/2000/09/xmldsig# $Revision: 1.1 $ on $Date: 2002/02/08 20:32:26 $ by $Author: reagle $ Copyright 2001 The Internet Society and W3C (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved. http://www.w3.org/Consortium/Legal/ This document is governed by the W3C Software License [1] as described in the FAQ [2]. [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720 [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD --> <schema xmlns="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" targetNamespace="http://www.w3.org/2000/09/xmldsig#" version="0.1" elementFormDefault="qualified"> <!-- Basic Types Defined for Signatures --> <simpleType name="CryptoBinary"> <restriction base="base64Binary"> </restriction> </simpleType> <!-- Start Signature --> <element name="Signature" type="ds:SignatureType"/> <complexType name="SignatureType"> <sequence> <element ref="ds:SignedInfo"/> <element ref="ds:SignatureValue"/> <element ref="ds:KeyInfo" minOccurs="0"/> <element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Id" type="ID" use="optional"/> </complexType> <element name="SignatureValue" type="ds:SignatureValueType"/> <complexType name="SignatureValueType"> <simpleContent> <extension base="base64Binary"> <attribute name="Id" type="ID" use="optional"/> </extension> </simpleContent> </complexType> <!-- Start SignedInfo --> <element name="SignedInfo" type="ds:SignedInfoType"/> <complexType name="SignedInfoType"> <sequence> <element ref="ds:CanonicalizationMethod"/> <element ref="ds:SignatureMethod"/> <element ref="ds:Reference" maxOccurs="unbounded"/> </sequence> <attribute name="Id" type="ID" use="optional"/> </complexType> <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/> <complexType name="CanonicalizationMethodType" mixed="true"> <sequence> <any namespace="##any" minOccurs="0" maxOccurs="unbounded"/> <!-- (0,unbounded) elements from (1,1) namespace --> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <element name="SignatureMethod" type="ds:SignatureMethodType"/> <complexType name="SignatureMethodType" mixed="true"> <sequence> <element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/> <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> <!-- (0,unbounded) elements from (1,1) external namespace --> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <!-- Start Reference --> <element name="Reference" type="ds:ReferenceType"/> <complexType name="ReferenceType"> <sequence> <element ref="ds:Transforms" minOccurs="0"/> <element ref="ds:DigestMethod"/> <element ref="ds:DigestValue"/> </sequence> <attribute name="Id" type="ID" use="optional"/> <attribute name="URI" type="anyURI" use="optional"/> <attribute name="Type" type="anyURI" use="optional"/> </complexType> <element name="Transforms" type="ds:TransformsType"/> <complexType name="TransformsType"> <sequence> <element ref="ds:Transform" maxOccurs="unbounded"/> </sequence> </complexType> <element name="Transform" type="ds:TransformType"/> <complexType name="TransformType" mixed="true"> <choice minOccurs="0" maxOccurs="unbounded"> <any namespace="##other" processContents="lax"/> <!-- (1,1) elements from (0,unbounded) namespaces --> <element name="XPath" type="string"/> </choice> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <!-- End Reference --> <element name="DigestMethod" type="ds:DigestMethodType"/> <complexType name="DigestMethodType" mixed="true"> <sequence> <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <element name="DigestValue" type="ds:DigestValueType"/> <simpleType name="DigestValueType"> <restriction base="base64Binary"/> </simpleType> <!-- End SignedInfo --> <!-- Start KeyInfo --> <element name="KeyInfo" type="ds:KeyInfoType"/> <complexType name="KeyInfoType" mixed="true"> <choice maxOccurs="unbounded"> <element ref="ds:KeyName"/> <element ref="ds:KeyValue"/> <element ref="ds:RetrievalMethod"/> <element ref="ds:X509Data"/> <element ref="ds:PGPData"/> <element ref="ds:SPKIData"/> <element ref="ds:MgmtData"/> <any processContents="lax" namespace="##other"/> <!-- (1,1) elements from (0,unbounded) namespaces --> </choice> <attribute name="Id" type="ID" use="optional"/> </complexType> <element name="KeyName" type="string"/> <element name="MgmtData" type="string"/> <element name="KeyValue" type="ds:KeyValueType"/> <complexType name="KeyValueType" mixed="true"> <choice> <element ref="ds:DSAKeyValue"/> <element ref="ds:RSAKeyValue"/> <any namespace="##other" processContents="lax"/> </choice> </complexType> <element name="RetrievalMethod" type="ds:RetrievalMethodType"/> <complexType name="RetrievalMethodType"> <sequence> <element ref="ds:Transforms" minOccurs="0"/> </sequence> <attribute name="URI" type="anyURI"/> <attribute name="Type" type="anyURI" use="optional"/> </complexType> <!-- Start X509Data --> <element name="X509Data" type="ds:X509DataType"/> <complexType name="X509DataType"> <sequence maxOccurs="unbounded"> <choice> <element name="X509IssuerSerial" type="ds:X509IssuerSerialType"/> <element name="X509SKI" type="base64Binary"/> <element name="X509SubjectName" type="string"/> <element name="X509Certificate" type="base64Binary"/> <element name="X509CRL" type="base64Binary"/> <any namespace="##other" processContents="lax"/> </choice> </sequence> </complexType> <complexType name="X509IssuerSerialType"> <sequence> <element name="X509IssuerName" type="string"/> <element name="X509SerialNumber" type="string"/> </sequence> </complexType> <!-- End X509Data --> <!-- Begin PGPData --> <element name="PGPData" type="ds:PGPDataType"/> <complexType name="PGPDataType"> <choice> <sequence> <element name="PGPKeyID" type="base64Binary"/> <element name="PGPKeyPacket" type="base64Binary" minOccurs="0"/> <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <sequence> <element name="PGPKeyPacket" type="base64Binary"/> <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> </choice> </complexType> <!-- End PGPData --> <!-- Begin SPKIData --> <element name="SPKIData" type="ds:SPKIDataType"/> <complexType name="SPKIDataType"> <sequence maxOccurs="unbounded"> <element name="SPKISexp" type="base64Binary"/> <any namespace="##other" processContents="lax" minOccurs="0"/> </sequence> </complexType> <!-- End SPKIData --> <!-- End KeyInfo --> <!-- Start Object (Manifest, SignatureProperty) --> <element name="Object" type="ds:ObjectType"/> <complexType name="ObjectType" mixed="true"> <sequence minOccurs="0" maxOccurs="unbounded"> <any namespace="##any" processContents="lax"/> </sequence> <attribute name="Id" type="ID" use="optional"/> <attribute name="MimeType" type="string" use="optional"/> <!-- add a grep facet --> <attribute name="Encoding" type="anyURI" use="optional"/> </complexType> <element name="Manifest" type="ds:ManifestType"/> <complexType name="ManifestType"> <sequence> <element ref="ds:Reference" maxOccurs="unbounded"/> </sequence> <attribute name="Id" type="ID" use="optional"/> </complexType> <element name="SignatureProperties" type="ds:SignaturePropertiesType"/> <complexType name="SignaturePropertiesType"> <sequence> <element ref="ds:SignatureProperty" maxOccurs="unbounded"/> </sequence> <attribute name="Id" type="ID" use="optional"/> </complexType> <element name="SignatureProperty" type="ds:SignaturePropertyType"/> <complexType name="SignaturePropertyType" mixed="true"> <choice maxOccurs="unbounded"> <any namespace="##other" processContents="lax"/> <!-- (1,1) elements from (1,unbounded) namespaces --> </choice> <attribute name="Target" type="anyURI" use="required"/> <attribute name="Id" type="ID" use="optional"/> </complexType> <!-- End Object (Manifest, SignatureProperty) --> <!-- Start Algorithm Parameters --> <simpleType name="HMACOutputLengthType"> <restriction base="integer"/> </simpleType> <!-- Start KeyValue Element-types --> <element name="DSAKeyValue" type="ds:DSAKeyValueType"/> <complexType name="DSAKeyValueType"> <sequence> <sequence minOccurs="0"> <element name="P" type="ds:CryptoBinary"/> <element name="Q" type="ds:CryptoBinary"/> </sequence> <element name="G" type="ds:CryptoBinary" minOccurs="0"/> <element name="Y" type="ds:CryptoBinary"/> <element name="J" type="ds:CryptoBinary" minOccurs="0"/> <sequence minOccurs="0"> <element name="Seed" type="ds:CryptoBinary"/> <element name="PgenCounter" type="ds:CryptoBinary"/> </sequence> </sequence> </complexType> <element name="RSAKeyValue" type="ds:RSAKeyValueType"/> <complexType name="RSAKeyValueType"> <sequence> <element name="Modulus" type="ds:CryptoBinary"/> <element name="Exponent" type="ds:CryptoBinary"/> </sequence> </complexType> <!-- End KeyValue Element-types --> <!-- End Signature --> </schema> PK�������sqY�|e�[r��[r��B��php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" version="2.0"> <xs:annotation> <xs:documentation> Document identifier: saml-schema-authn-context-types-2.0 Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V2.0 (March, 2005): New core authentication context schema types for SAML V2.0. </xs:documentation> </xs:annotation> <xs:element name="AuthenticationContextDeclaration" type="AuthnContextDeclarationBaseType"> <xs:annotation> <xs:documentation> A particular assertion on an identity provider's part with respect to the authentication context associated with an authentication assertion. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Identification" type="IdentificationType"> <xs:annotation> <xs:documentation> Refers to those characteristics that describe the processes and mechanisms the Authentication Authority uses to initially create an association between a Principal and the identity (or name) by which the Principal will be known </xs:documentation> </xs:annotation> </xs:element> <xs:element name="PhysicalVerification"> <xs:annotation> <xs:documentation> This element indicates that identification has been performed in a physical face-to-face meeting with the principal and not in an online manner. </xs:documentation> </xs:annotation> <xs:complexType> <xs:attribute name="credentialLevel"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="primary"/> <xs:enumeration value="secondary"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="WrittenConsent" type="ExtensionOnlyType"/> <xs:element name="TechnicalProtection" type="TechnicalProtectionBaseType"> <xs:annotation> <xs:documentation> Refers to those characterstics that describe how the 'secret' (the knowledge or possession of which allows the Principal to authenticate to the Authentication Authority) is kept secure </xs:documentation> </xs:annotation> </xs:element> <xs:element name="SecretKeyProtection" type="SecretKeyProtectionType"> <xs:annotation> <xs:documentation> This element indicates the types and strengths of facilities of a UA used to protect a shared secret key from unauthorized access and/or use. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="PrivateKeyProtection" type="PrivateKeyProtectionType"> <xs:annotation> <xs:documentation> This element indicates the types and strengths of facilities of a UA used to protect a private key from unauthorized access and/or use. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="KeyActivation" type="KeyActivationType"> <xs:annotation> <xs:documentation>The actions that must be performed before the private key can be used. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="KeySharing" type="KeySharingType"> <xs:annotation> <xs:documentation>Whether or not the private key is shared with the certificate authority.</xs:documentation> </xs:annotation> </xs:element> <xs:element name="KeyStorage" type="KeyStorageType"> <xs:annotation> <xs:documentation> In which medium is the key stored. memory - the key is stored in memory. smartcard - the key is stored in a smartcard. token - the key is stored in a hardware token. MobileDevice - the key is stored in a mobile device. MobileAuthCard - the key is stored in a mobile authentication card. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="SubscriberLineNumber" type="ExtensionOnlyType"/> <xs:element name="UserSuffix" type="ExtensionOnlyType"/> <xs:element name="Password" type="PasswordType"> <xs:annotation> <xs:documentation> This element indicates that a password (or passphrase) has been used to authenticate the Principal to a remote system. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ActivationPin" type="ActivationPinType"> <xs:annotation> <xs:documentation> This element indicates that a Pin (Personal Identification Number) has been used to authenticate the Principal to some local system in order to activate a key. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Token" type="TokenType"> <xs:annotation> <xs:documentation> This element indicates that a hardware or software token is used as a method of identifying the Principal. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="TimeSyncToken" type="TimeSyncTokenType"> <xs:annotation> <xs:documentation> This element indicates that a time synchronization token is used to identify the Principal. hardware - the time synchonization token has been implemented in hardware. software - the time synchronization token has been implemented in software. SeedLength - the length, in bits, of the random seed used in the time synchronization token. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Smartcard" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that a smartcard is used to identity the Principal. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Length" type="LengthType"> <xs:annotation> <xs:documentation> This element indicates the minimum and/or maximum ASCII length of the password which is enforced (by the UA or the IdP). In other words, this is the minimum and/or maximum number of ASCII characters required to represent a valid password. min - the minimum number of ASCII characters required in a valid password, as enforced by the UA or the IdP. max - the maximum number of ASCII characters required in a valid password, as enforced by the UA or the IdP. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ActivationLimit" type="ActivationLimitType"> <xs:annotation> <xs:documentation> This element indicates the length of time for which an PIN-based authentication is valid. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Generation"> <xs:annotation> <xs:documentation> Indicates whether the password was chosen by the Principal or auto-supplied by the Authentication Authority. principalchosen - the Principal is allowed to choose the value of the password. This is true even if the initial password is chosen at random by the UA or the IdP and the Principal is then free to change the password. automatic - the password is chosen by the UA or the IdP to be cryptographically strong in some sense, or to satisfy certain password rules, and that the Principal is not free to change it or to choose a new password. </xs:documentation> </xs:annotation> <xs:complexType> <xs:attribute name="mechanism" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="principalchosen"/> <xs:enumeration value="automatic"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <xs:element name="AuthnMethod" type="AuthnMethodBaseType"> <xs:annotation> <xs:documentation> Refers to those characteristics that define the mechanisms by which the Principal authenticates to the Authentication Authority. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="PrincipalAuthenticationMechanism" type="PrincipalAuthenticationMechanismType"> <xs:annotation> <xs:documentation> The method that a Principal employs to perform authentication to local system components. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="Authenticator" type="AuthenticatorBaseType"> <xs:annotation> <xs:documentation> The method applied to validate a principal's authentication across a network </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ComplexAuthenticator" type="ComplexAuthenticatorType"> <xs:annotation> <xs:documentation> Supports Authenticators with nested combinations of additional complexity. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="PreviousSession" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> Indicates that the Principal has been strongly authenticated in a previous session during which the IdP has set a cookie in the UA. During the present session the Principal has only been authenticated by the UA returning the cookie to the IdP. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ResumeSession" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> Rather like PreviousSession but using stronger security. A secret that was established in a previous session with the Authentication Authority has been cached by the local system and is now re-used (e.g. a Master Secret is used to derive new session keys in TLS, SSL, WTLS). </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ZeroKnowledge" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Principal has been authenticated by a zero knowledge technique as specified in ISO/IEC 9798-5. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="SharedSecretChallengeResponse" type="SharedSecretChallengeResponseType"/> <xs:complexType name="SharedSecretChallengeResponseType"> <xs:annotation> <xs:documentation> This element indicates that the Principal has been authenticated by a challenge-response protocol utilizing shared secret keys and symmetric cryptography. </xs:documentation> </xs:annotation> <xs:sequence> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="method" type="xs:anyURI" use="optional"/> </xs:complexType> <xs:element name="DigSig" type="PublicKeyType"> <xs:annotation> <xs:documentation> This element indicates that the Principal has been authenticated by a mechanism which involves the Principal computing a digital signature over at least challenge data provided by the IdP. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="AsymmetricDecryption" type="PublicKeyType"> <xs:annotation> <xs:documentation> The local system has a private key but it is used in decryption mode, rather than signature mode. For example, the Authentication Authority generates a secret and encrypts it using the local system's public key: the local system then proves it has decrypted the secret. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="AsymmetricKeyAgreement" type="PublicKeyType"> <xs:annotation> <xs:documentation> The local system has a private key and uses it for shared secret key agreement with the Authentication Authority (e.g. via Diffie Helman). </xs:documentation> </xs:annotation> </xs:element> <xs:complexType name="PublicKeyType"> <xs:sequence> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="keyValidation" use="optional"/> </xs:complexType> <xs:element name="IPAddress" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Principal has been authenticated through connection from a particular IP address. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="SharedSecretDynamicPlaintext" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> The local system and Authentication Authority share a secret key. The local system uses this to encrypt a randomised string to pass to the Authentication Authority. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="AuthenticatorTransportProtocol" type="AuthenticatorTransportProtocolType"> <xs:annotation> <xs:documentation> The protocol across which Authenticator information is transferred to an Authentication Authority verifier. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="HTTP" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Authenticator has been transmitted using bare HTTP utilizing no additional security protocols. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="IPSec" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Authenticator has been transmitted using a transport mechanism protected by an IPSEC session. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="WTLS" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Authenticator has been transmitted using a transport mechanism protected by a WTLS session. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="MobileNetworkNoEncryption" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Authenticator has been transmitted solely across a mobile network using no additional security mechanism. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="MobileNetworkRadioEncryption" type="ExtensionOnlyType"/> <xs:element name="MobileNetworkEndToEndEncryption" type="ExtensionOnlyType"/> <xs:element name="SSL" type="ExtensionOnlyType"> <xs:annotation> <xs:documentation> This element indicates that the Authenticator has been transmitted using a transport mechnanism protected by an SSL or TLS session. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="PSTN" type="ExtensionOnlyType"/> <xs:element name="ISDN" type="ExtensionOnlyType"/> <xs:element name="ADSL" type="ExtensionOnlyType"/> <xs:element name="OperationalProtection" type="OperationalProtectionType"> <xs:annotation> <xs:documentation> Refers to those characteristics that describe procedural security controls employed by the Authentication Authority. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="SecurityAudit" type="SecurityAuditType"/> <xs:element name="SwitchAudit" type="ExtensionOnlyType"/> <xs:element name="DeactivationCallCenter" type="ExtensionOnlyType"/> <xs:element name="GoverningAgreements" type="GoverningAgreementsType"> <xs:annotation> <xs:documentation> Provides a mechanism for linking to external (likely human readable) documents in which additional business agreements, (e.g. liability constraints, obligations, etc) can be placed. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="GoverningAgreementRef" type="GoverningAgreementRefType"/> <xs:simpleType name="nymType"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="anonymity"/> <xs:enumeration value="verinymity"/> <xs:enumeration value="pseudonymity"/> </xs:restriction> </xs:simpleType> <xs:complexType name="AuthnContextDeclarationBaseType"> <xs:sequence> <xs:element ref="Identification" minOccurs="0"/> <xs:element ref="TechnicalProtection" minOccurs="0"/> <xs:element ref="OperationalProtection" minOccurs="0"/> <xs:element ref="AuthnMethod" minOccurs="0"/> <xs:element ref="GoverningAgreements" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="ID" type="xs:ID" use="optional"/> </xs:complexType> <xs:complexType name="IdentificationType"> <xs:sequence> <xs:element ref="PhysicalVerification" minOccurs="0"/> <xs:element ref="WrittenConsent" minOccurs="0"/> <xs:element ref="GoverningAgreements" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="nym" type="nymType"> <xs:annotation> <xs:documentation> This attribute indicates whether or not the Identification mechanisms allow the actions of the Principal to be linked to an actual end user. </xs:documentation> </xs:annotation> </xs:attribute> </xs:complexType> <xs:complexType name="TechnicalProtectionBaseType"> <xs:sequence> <xs:choice minOccurs="0"> <xs:element ref="PrivateKeyProtection"/> <xs:element ref="SecretKeyProtection"/> </xs:choice> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="OperationalProtectionType"> <xs:sequence> <xs:element ref="SecurityAudit" minOccurs="0"/> <xs:element ref="DeactivationCallCenter" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="AuthnMethodBaseType"> <xs:sequence> <xs:element ref="PrincipalAuthenticationMechanism" minOccurs="0"/> <xs:element ref="Authenticator" minOccurs="0"/> <xs:element ref="AuthenticatorTransportProtocol" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="GoverningAgreementsType"> <xs:sequence> <xs:element ref="GoverningAgreementRef" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="GoverningAgreementRefType"> <xs:attribute name="governingAgreementRef" type="xs:anyURI" use="required"/> </xs:complexType> <xs:complexType name="PrincipalAuthenticationMechanismType"> <xs:sequence> <xs:element ref="Password" minOccurs="0"/> <xs:element ref="RestrictedPassword" minOccurs="0"/> <xs:element ref="Token" minOccurs="0"/> <xs:element ref="Smartcard" minOccurs="0"/> <xs:element ref="ActivationPin" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="preauth" type="xs:integer" use="optional"/> </xs:complexType> <xs:group name="AuthenticatorChoiceGroup"> <xs:choice> <xs:element ref="PreviousSession"/> <xs:element ref="ResumeSession"/> <xs:element ref="DigSig"/> <xs:element ref="Password"/> <xs:element ref="RestrictedPassword"/> <xs:element ref="ZeroKnowledge"/> <xs:element ref="SharedSecretChallengeResponse"/> <xs:element ref="SharedSecretDynamicPlaintext"/> <xs:element ref="IPAddress"/> <xs:element ref="AsymmetricDecryption"/> <xs:element ref="AsymmetricKeyAgreement"/> <xs:element ref="SubscriberLineNumber"/> <xs:element ref="UserSuffix"/> <xs:element ref="ComplexAuthenticator"/> </xs:choice> </xs:group> <xs:group name="AuthenticatorSequenceGroup"> <xs:sequence> <xs:element ref="PreviousSession" minOccurs="0"/> <xs:element ref="ResumeSession" minOccurs="0"/> <xs:element ref="DigSig" minOccurs="0"/> <xs:element ref="Password" minOccurs="0"/> <xs:element ref="RestrictedPassword" minOccurs="0"/> <xs:element ref="ZeroKnowledge" minOccurs="0"/> <xs:element ref="SharedSecretChallengeResponse" minOccurs="0"/> <xs:element ref="SharedSecretDynamicPlaintext" minOccurs="0"/> <xs:element ref="IPAddress" minOccurs="0"/> <xs:element ref="AsymmetricDecryption" minOccurs="0"/> <xs:element ref="AsymmetricKeyAgreement" minOccurs="0"/> <xs:element ref="SubscriberLineNumber" minOccurs="0"/> <xs:element ref="UserSuffix" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:group> <xs:complexType name="AuthenticatorBaseType"> <xs:sequence> <xs:group ref="AuthenticatorChoiceGroup"/> <xs:group ref="AuthenticatorSequenceGroup"/> </xs:sequence> </xs:complexType> <xs:complexType name="ComplexAuthenticatorType"> <xs:sequence> <xs:group ref="AuthenticatorChoiceGroup"/> <xs:group ref="AuthenticatorSequenceGroup"/> </xs:sequence> </xs:complexType> <xs:complexType name="AuthenticatorTransportProtocolType"> <xs:sequence> <xs:choice minOccurs="0"> <xs:element ref="HTTP"/> <xs:element ref="SSL"/> <xs:element ref="MobileNetworkNoEncryption"/> <xs:element ref="MobileNetworkRadioEncryption"/> <xs:element ref="MobileNetworkEndToEndEncryption"/> <xs:element ref="WTLS"/> <xs:element ref="IPSec"/> <xs:element ref="PSTN"/> <xs:element ref="ISDN"/> <xs:element ref="ADSL"/> </xs:choice> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="KeyActivationType"> <xs:sequence> <xs:element ref="ActivationPin" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="KeySharingType"> <xs:attribute name="sharing" type="xs:boolean" use="required"/> </xs:complexType> <xs:complexType name="PrivateKeyProtectionType"> <xs:sequence> <xs:element ref="KeyActivation" minOccurs="0"/> <xs:element ref="KeyStorage" minOccurs="0"/> <xs:element ref="KeySharing" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="PasswordType"> <xs:sequence> <xs:element ref="Length" minOccurs="0"/> <xs:element ref="Alphabet" minOccurs="0"/> <xs:element ref="Generation" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/> </xs:complexType> <xs:element name="RestrictedPassword" type="RestrictedPasswordType"/> <xs:complexType name="RestrictedPasswordType"> <xs:complexContent> <xs:restriction base="PasswordType"> <xs:sequence> <xs:element name="Length" type="RestrictedLengthType" minOccurs="1"/> <xs:element ref="Generation" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="ExternalVerification" type="xs:anyURI" use="optional"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:complexType name="RestrictedLengthType"> <xs:complexContent> <xs:restriction base="LengthType"> <xs:attribute name="min" use="required"> <xs:simpleType> <xs:restriction base="xs:integer"> <xs:minInclusive value="3"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="max" type="xs:integer" use="optional"/> </xs:restriction> </xs:complexContent> </xs:complexType> <xs:complexType name="ActivationPinType"> <xs:sequence> <xs:element ref="Length" minOccurs="0"/> <xs:element ref="Alphabet" minOccurs="0"/> <xs:element ref="Generation" minOccurs="0"/> <xs:element ref="ActivationLimit" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:element name="Alphabet" type="AlphabetType"/> <xs:complexType name="AlphabetType"> <xs:attribute name="requiredChars" type="xs:string" use="required"/> <xs:attribute name="excludedChars" type="xs:string" use="optional"/> <xs:attribute name="case" type="xs:string" use="optional"/> </xs:complexType> <xs:complexType name="TokenType"> <xs:sequence> <xs:element ref="TimeSyncToken"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:simpleType name="DeviceTypeType"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="hardware"/> <xs:enumeration value="software"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="booleanType"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="true"/> <xs:enumeration value="false"/> </xs:restriction> </xs:simpleType> <xs:complexType name="TimeSyncTokenType"> <xs:attribute name="DeviceType" type="DeviceTypeType" use="required"/> <xs:attribute name="SeedLength" type="xs:integer" use="required"/> <xs:attribute name="DeviceInHand" type="booleanType" use="required"/> </xs:complexType> <xs:complexType name="ActivationLimitType"> <xs:choice> <xs:element ref="ActivationLimitDuration"/> <xs:element ref="ActivationLimitUsages"/> <xs:element ref="ActivationLimitSession"/> </xs:choice> </xs:complexType> <xs:element name="ActivationLimitDuration" type="ActivationLimitDurationType"> <xs:annotation> <xs:documentation> This element indicates that the Key Activation Limit is defined as a specific duration of time. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ActivationLimitUsages" type="ActivationLimitUsagesType"> <xs:annotation> <xs:documentation> This element indicates that the Key Activation Limit is defined as a number of usages. </xs:documentation> </xs:annotation> </xs:element> <xs:element name="ActivationLimitSession" type="ActivationLimitSessionType"> <xs:annotation> <xs:documentation> This element indicates that the Key Activation Limit is the session. </xs:documentation> </xs:annotation> </xs:element> <xs:complexType name="ActivationLimitDurationType"> <xs:attribute name="duration" type="xs:duration" use="required"/> </xs:complexType> <xs:complexType name="ActivationLimitUsagesType"> <xs:attribute name="number" type="xs:integer" use="required"/> </xs:complexType> <xs:complexType name="ActivationLimitSessionType"/> <xs:complexType name="LengthType"> <xs:attribute name="min" type="xs:integer" use="required"/> <xs:attribute name="max" type="xs:integer" use="optional"/> </xs:complexType> <xs:simpleType name="mediumType"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="memory"/> <xs:enumeration value="smartcard"/> <xs:enumeration value="token"/> <xs:enumeration value="MobileDevice"/> <xs:enumeration value="MobileAuthCard"/> </xs:restriction> </xs:simpleType> <xs:complexType name="KeyStorageType"> <xs:attribute name="medium" type="mediumType" use="required"/> </xs:complexType> <xs:complexType name="SecretKeyProtectionType"> <xs:sequence> <xs:element ref="KeyActivation" minOccurs="0"/> <xs:element ref="KeyStorage" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="SecurityAuditType"> <xs:sequence> <xs:element ref="SwitchAudit" minOccurs="0"/> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:complexType name="ExtensionOnlyType"> <xs:sequence> <xs:element ref="Extension" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <xs:element name="Extension" type="ExtensionType"/> <xs:complexType name="ExtensionType"> <xs:sequence> <xs:any namespace="##other" processContents="lax" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:schema> PK�������sqY�Un��4���4��7��php-saml/src/Saml2/schemas/saml-schema-protocol-2.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="2.0"> <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/> <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/> <annotation> <documentation> Document identifier: saml-schema-protocol-2.0 Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V1.0 (November, 2002): Initial Standard Schema. V1.1 (September, 2003): Updates within the same V1.0 namespace. V2.0 (March, 2005): New protocol schema based in a SAML V2.0 namespace. </documentation> </annotation> <complexType name="RequestAbstractType" abstract="true"> <sequence> <element ref="saml:Issuer" minOccurs="0"/> <element ref="ds:Signature" minOccurs="0"/> <element ref="samlp:Extensions" minOccurs="0"/> </sequence> <attribute name="ID" type="ID" use="required"/> <attribute name="Version" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> <attribute name="Destination" type="anyURI" use="optional"/> <attribute name="Consent" type="anyURI" use="optional"/> </complexType> <element name="Extensions" type="samlp:ExtensionsType"/> <complexType name="ExtensionsType"> <sequence> <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> </sequence> </complexType> <complexType name="StatusResponseType"> <sequence> <element ref="saml:Issuer" minOccurs="0"/> <element ref="ds:Signature" minOccurs="0"/> <element ref="samlp:Extensions" minOccurs="0"/> <element ref="samlp:Status"/> </sequence> <attribute name="ID" type="ID" use="required"/> <attribute name="InResponseTo" type="NCName" use="optional"/> <attribute name="Version" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/> <attribute name="Destination" type="anyURI" use="optional"/> <attribute name="Consent" type="anyURI" use="optional"/> </complexType> <element name="Status" type="samlp:StatusType"/> <complexType name="StatusType"> <sequence> <element ref="samlp:StatusCode"/> <element ref="samlp:StatusMessage" minOccurs="0"/> <element ref="samlp:StatusDetail" minOccurs="0"/> </sequence> </complexType> <element name="StatusCode" type="samlp:StatusCodeType"/> <complexType name="StatusCodeType"> <sequence> <element ref="samlp:StatusCode" minOccurs="0"/> </sequence> <attribute name="Value" type="anyURI" use="required"/> </complexType> <element name="StatusMessage" type="string"/> <element name="StatusDetail" type="samlp:StatusDetailType"/> <complexType name="StatusDetailType"> <sequence> <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> </complexType> <element name="AssertionIDRequest" type="samlp:AssertionIDRequestType"/> <complexType name="AssertionIDRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <element ref="saml:AssertionIDRef" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="SubjectQuery" type="samlp:SubjectQueryAbstractType"/> <complexType name="SubjectQueryAbstractType" abstract="true"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <element ref="saml:Subject"/> </sequence> </extension> </complexContent> </complexType> <element name="AuthnQuery" type="samlp:AuthnQueryType"/> <complexType name="AuthnQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType"> <sequence> <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> </sequence> <attribute name="SessionIndex" type="string" use="optional"/> </extension> </complexContent> </complexType> <element name="RequestedAuthnContext" type="samlp:RequestedAuthnContextType"/> <complexType name="RequestedAuthnContextType"> <choice> <element ref="saml:AuthnContextClassRef" maxOccurs="unbounded"/> <element ref="saml:AuthnContextDeclRef" maxOccurs="unbounded"/> </choice> <attribute name="Comparison" type="samlp:AuthnContextComparisonType" use="optional"/> </complexType> <simpleType name="AuthnContextComparisonType"> <restriction base="string"> <enumeration value="exact"/> <enumeration value="minimum"/> <enumeration value="maximum"/> <enumeration value="better"/> </restriction> </simpleType> <element name="AttributeQuery" type="samlp:AttributeQueryType"/> <complexType name="AttributeQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType"> <sequence> <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="AuthzDecisionQuery" type="samlp:AuthzDecisionQueryType"/> <complexType name="AuthzDecisionQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType"> <sequence> <element ref="saml:Action" maxOccurs="unbounded"/> <element ref="saml:Evidence" minOccurs="0"/> </sequence> <attribute name="Resource" type="anyURI" use="required"/> </extension> </complexContent> </complexType> <element name="AuthnRequest" type="samlp:AuthnRequestType"/> <complexType name="AuthnRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <element ref="saml:Subject" minOccurs="0"/> <element ref="samlp:NameIDPolicy" minOccurs="0"/> <element ref="saml:Conditions" minOccurs="0"/> <element ref="samlp:RequestedAuthnContext" minOccurs="0"/> <element ref="samlp:Scoping" minOccurs="0"/> </sequence> <attribute name="ForceAuthn" type="boolean" use="optional"/> <attribute name="IsPassive" type="boolean" use="optional"/> <attribute name="ProtocolBinding" type="anyURI" use="optional"/> <attribute name="AssertionConsumerServiceIndex" type="unsignedShort" use="optional"/> <attribute name="AssertionConsumerServiceURL" type="anyURI" use="optional"/> <attribute name="AttributeConsumingServiceIndex" type="unsignedShort" use="optional"/> <attribute name="ProviderName" type="string" use="optional"/> </extension> </complexContent> </complexType> <element name="NameIDPolicy" type="samlp:NameIDPolicyType"/> <complexType name="NameIDPolicyType"> <attribute name="Format" type="anyURI" use="optional"/> <attribute name="SPNameQualifier" type="string" use="optional"/> <attribute name="AllowCreate" type="boolean" use="optional"/> </complexType> <element name="Scoping" type="samlp:ScopingType"/> <complexType name="ScopingType"> <sequence> <element ref="samlp:IDPList" minOccurs="0"/> <element ref="samlp:RequesterID" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="ProxyCount" type="nonNegativeInteger" use="optional"/> </complexType> <element name="RequesterID" type="anyURI"/> <element name="IDPList" type="samlp:IDPListType"/> <complexType name="IDPListType"> <sequence> <element ref="samlp:IDPEntry" maxOccurs="unbounded"/> <element ref="samlp:GetComplete" minOccurs="0"/> </sequence> </complexType> <element name="IDPEntry" type="samlp:IDPEntryType"/> <complexType name="IDPEntryType"> <attribute name="ProviderID" type="anyURI" use="required"/> <attribute name="Name" type="string" use="optional"/> <attribute name="Loc" type="anyURI" use="optional"/> </complexType> <element name="GetComplete" type="anyURI"/> <element name="Response" type="samlp:ResponseType"/> <complexType name="ResponseType"> <complexContent> <extension base="samlp:StatusResponseType"> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:Assertion"/> <element ref="saml:EncryptedAssertion"/> </choice> </extension> </complexContent> </complexType> <element name="ArtifactResolve" type="samlp:ArtifactResolveType"/> <complexType name="ArtifactResolveType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <element ref="samlp:Artifact"/> </sequence> </extension> </complexContent> </complexType> <element name="Artifact" type="string"/> <element name="ArtifactResponse" type="samlp:ArtifactResponseType"/> <complexType name="ArtifactResponseType"> <complexContent> <extension base="samlp:StatusResponseType"> <sequence> <any namespace="##any" processContents="lax" minOccurs="0"/> </sequence> </extension> </complexContent> </complexType> <element name="ManageNameIDRequest" type="samlp:ManageNameIDRequestType"/> <complexType name="ManageNameIDRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <choice> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> <choice> <element ref="samlp:NewID"/> <element ref="samlp:NewEncryptedID"/> <element ref="samlp:Terminate"/> </choice> </sequence> </extension> </complexContent> </complexType> <element name="NewID" type="string"/> <element name="NewEncryptedID" type="saml:EncryptedElementType"/> <element name="Terminate" type="samlp:TerminateType"/> <complexType name="TerminateType"/> <element name="ManageNameIDResponse" type="samlp:StatusResponseType"/> <element name="LogoutRequest" type="samlp:LogoutRequestType"/> <complexType name="LogoutRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <choice> <element ref="saml:BaseID"/> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> <element ref="samlp:SessionIndex" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Reason" type="string" use="optional"/> <attribute name="NotOnOrAfter" type="dateTime" use="optional"/> </extension> </complexContent> </complexType> <element name="SessionIndex" type="string"/> <element name="LogoutResponse" type="samlp:StatusResponseType"/> <element name="NameIDMappingRequest" type="samlp:NameIDMappingRequestType"/> <complexType name="NameIDMappingRequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <sequence> <choice> <element ref="saml:BaseID"/> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> <element ref="samlp:NameIDPolicy"/> </sequence> </extension> </complexContent> </complexType> <element name="NameIDMappingResponse" type="samlp:NameIDMappingResponseType"/> <complexType name="NameIDMappingResponseType"> <complexContent> <extension base="samlp:StatusResponseType"> <choice> <element ref="saml:NameID"/> <element ref="saml:EncryptedID"/> </choice> </extension> </complexContent> </complexType> </schema> PK�������sqYv�G>��>��7��php-saml/src/Saml2/schemas/saml-schema-metadata-2.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="http://www.w3.org/2001/XMLSchema" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="2.0"> <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/> <import namespace="http://www.w3.org/2001/04/xmlenc#" schemaLocation="xenc-schema.xsd"/> <import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/> <import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/> <annotation> <documentation> Document identifier: saml-schema-metadata-2.0 Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V2.0 (March, 2005): Schema for SAML metadata, first published in SAML 2.0. </documentation> </annotation> <simpleType name="entityIDType"> <restriction base="anyURI"> <maxLength value="1024"/> </restriction> </simpleType> <complexType name="localizedNameType"> <simpleContent> <extension base="string"> <attribute ref="xml:lang" use="required"/> </extension> </simpleContent> </complexType> <complexType name="localizedURIType"> <simpleContent> <extension base="anyURI"> <attribute ref="xml:lang" use="required"/> </extension> </simpleContent> </complexType> <element name="Extensions" type="md:ExtensionsType"/> <complexType final="#all" name="ExtensionsType"> <sequence> <any namespace="##other" processContents="lax" maxOccurs="unbounded"/> </sequence> </complexType> <complexType name="EndpointType"> <sequence> <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Binding" type="anyURI" use="required"/> <attribute name="Location" type="anyURI" use="required"/> <attribute name="ResponseLocation" type="anyURI" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <complexType name="IndexedEndpointType"> <complexContent> <extension base="md:EndpointType"> <attribute name="index" type="unsignedShort" use="required"/> <attribute name="isDefault" type="boolean" use="optional"/> </extension> </complexContent> </complexType> <element name="EntitiesDescriptor" type="md:EntitiesDescriptorType"/> <complexType name="EntitiesDescriptorType"> <sequence> <element ref="ds:Signature" minOccurs="0"/> <element ref="md:Extensions" minOccurs="0"/> <choice minOccurs="1" maxOccurs="unbounded"> <element ref="md:EntityDescriptor"/> <element ref="md:EntitiesDescriptor"/> </choice> </sequence> <attribute name="validUntil" type="dateTime" use="optional"/> <attribute name="cacheDuration" type="duration" use="optional"/> <attribute name="ID" type="ID" use="optional"/> <attribute name="Name" type="string" use="optional"/> </complexType> <element name="EntityDescriptor" type="md:EntityDescriptorType"/> <complexType name="EntityDescriptorType"> <sequence> <element ref="ds:Signature" minOccurs="0"/> <element ref="md:Extensions" minOccurs="0"/> <choice> <choice maxOccurs="unbounded"> <element ref="md:RoleDescriptor"/> <element ref="md:IDPSSODescriptor"/> <element ref="md:SPSSODescriptor"/> <element ref="md:AuthnAuthorityDescriptor"/> <element ref="md:AttributeAuthorityDescriptor"/> <element ref="md:PDPDescriptor"/> </choice> <element ref="md:AffiliationDescriptor"/> </choice> <element ref="md:Organization" minOccurs="0"/> <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:AdditionalMetadataLocation" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="entityID" type="md:entityIDType" use="required"/> <attribute name="validUntil" type="dateTime" use="optional"/> <attribute name="cacheDuration" type="duration" use="optional"/> <attribute name="ID" type="ID" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <element name="Organization" type="md:OrganizationType"/> <complexType name="OrganizationType"> <sequence> <element ref="md:Extensions" minOccurs="0"/> <element ref="md:OrganizationName" maxOccurs="unbounded"/> <element ref="md:OrganizationDisplayName" maxOccurs="unbounded"/> <element ref="md:OrganizationURL" maxOccurs="unbounded"/> </sequence> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <element name="OrganizationName" type="md:localizedNameType"/> <element name="OrganizationDisplayName" type="md:localizedNameType"/> <element name="OrganizationURL" type="md:localizedURIType"/> <element name="ContactPerson" type="md:ContactType"/> <complexType name="ContactType"> <sequence> <element ref="md:Extensions" minOccurs="0"/> <element ref="md:Company" minOccurs="0"/> <element ref="md:GivenName" minOccurs="0"/> <element ref="md:SurName" minOccurs="0"/> <element ref="md:EmailAddress" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:TelephoneNumber" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="contactType" type="md:ContactTypeType" use="required"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <element name="Company" type="string"/> <element name="GivenName" type="string"/> <element name="SurName" type="string"/> <element name="EmailAddress" type="anyURI"/> <element name="TelephoneNumber" type="string"/> <simpleType name="ContactTypeType"> <restriction base="string"> <enumeration value="technical"/> <enumeration value="support"/> <enumeration value="administrative"/> <enumeration value="billing"/> <enumeration value="other"/> </restriction> </simpleType> <element name="AdditionalMetadataLocation" type="md:AdditionalMetadataLocationType"/> <complexType name="AdditionalMetadataLocationType"> <simpleContent> <extension base="anyURI"> <attribute name="namespace" type="anyURI" use="required"/> </extension> </simpleContent> </complexType> <element name="RoleDescriptor" type="md:RoleDescriptorType"/> <complexType name="RoleDescriptorType" abstract="true"> <sequence> <element ref="ds:Signature" minOccurs="0"/> <element ref="md:Extensions" minOccurs="0"/> <element ref="md:KeyDescriptor" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:Organization" minOccurs="0"/> <element ref="md:ContactPerson" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="ID" type="ID" use="optional"/> <attribute name="validUntil" type="dateTime" use="optional"/> <attribute name="cacheDuration" type="duration" use="optional"/> <attribute name="protocolSupportEnumeration" type="md:anyURIListType" use="required"/> <attribute name="errorURL" type="anyURI" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <simpleType name="anyURIListType"> <list itemType="anyURI"/> </simpleType> <element name="KeyDescriptor" type="md:KeyDescriptorType"/> <complexType name="KeyDescriptorType"> <sequence> <element ref="ds:KeyInfo"/> <element ref="md:EncryptionMethod" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="use" type="md:KeyTypes" use="optional"/> </complexType> <simpleType name="KeyTypes"> <restriction base="string"> <enumeration value="encryption"/> <enumeration value="signing"/> </restriction> </simpleType> <element name="EncryptionMethod" type="xenc:EncryptionMethodType"/> <complexType name="SSODescriptorType" abstract="true"> <complexContent> <extension base="md:RoleDescriptorType"> <sequence> <element ref="md:ArtifactResolutionService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:SingleLogoutService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:ManageNameIDService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="ArtifactResolutionService" type="md:IndexedEndpointType"/> <element name="SingleLogoutService" type="md:EndpointType"/> <element name="ManageNameIDService" type="md:EndpointType"/> <element name="NameIDFormat" type="anyURI"/> <element name="IDPSSODescriptor" type="md:IDPSSODescriptorType"/> <complexType name="IDPSSODescriptorType"> <complexContent> <extension base="md:SSODescriptorType"> <sequence> <element ref="md:SingleSignOnService" maxOccurs="unbounded"/> <element ref="md:NameIDMappingService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/> <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="WantAuthnRequestsSigned" type="boolean" use="optional"/> </extension> </complexContent> </complexType> <element name="SingleSignOnService" type="md:EndpointType"/> <element name="NameIDMappingService" type="md:EndpointType"/> <element name="AssertionIDRequestService" type="md:EndpointType"/> <element name="AttributeProfile" type="anyURI"/> <element name="SPSSODescriptor" type="md:SPSSODescriptorType"/> <complexType name="SPSSODescriptorType"> <complexContent> <extension base="md:SSODescriptorType"> <sequence> <element ref="md:AssertionConsumerService" maxOccurs="unbounded"/> <element ref="md:AttributeConsumingService" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="AuthnRequestsSigned" type="boolean" use="optional"/> <attribute name="WantAssertionsSigned" type="boolean" use="optional"/> </extension> </complexContent> </complexType> <element name="AssertionConsumerService" type="md:IndexedEndpointType"/> <element name="AttributeConsumingService" type="md:AttributeConsumingServiceType"/> <complexType name="AttributeConsumingServiceType"> <sequence> <element ref="md:ServiceName" maxOccurs="unbounded"/> <element ref="md:ServiceDescription" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:RequestedAttribute" maxOccurs="unbounded"/> </sequence> <attribute name="index" type="unsignedShort" use="required"/> <attribute name="isDefault" type="boolean" use="optional"/> </complexType> <element name="ServiceName" type="md:localizedNameType"/> <element name="ServiceDescription" type="md:localizedNameType"/> <element name="RequestedAttribute" type="md:RequestedAttributeType"/> <complexType name="RequestedAttributeType"> <complexContent> <extension base="saml:AttributeType"> <attribute name="isRequired" type="boolean" use="optional"/> </extension> </complexContent> </complexType> <element name="AuthnAuthorityDescriptor" type="md:AuthnAuthorityDescriptorType"/> <complexType name="AuthnAuthorityDescriptorType"> <complexContent> <extension base="md:RoleDescriptorType"> <sequence> <element ref="md:AuthnQueryService" maxOccurs="unbounded"/> <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="AuthnQueryService" type="md:EndpointType"/> <element name="PDPDescriptor" type="md:PDPDescriptorType"/> <complexType name="PDPDescriptorType"> <complexContent> <extension base="md:RoleDescriptorType"> <sequence> <element ref="md:AuthzService" maxOccurs="unbounded"/> <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="AuthzService" type="md:EndpointType"/> <element name="AttributeAuthorityDescriptor" type="md:AttributeAuthorityDescriptorType"/> <complexType name="AttributeAuthorityDescriptorType"> <complexContent> <extension base="md:RoleDescriptorType"> <sequence> <element ref="md:AttributeService" maxOccurs="unbounded"/> <element ref="md:AssertionIDRequestService" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:NameIDFormat" minOccurs="0" maxOccurs="unbounded"/> <element ref="md:AttributeProfile" minOccurs="0" maxOccurs="unbounded"/> <element ref="saml:Attribute" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension> </complexContent> </complexType> <element name="AttributeService" type="md:EndpointType"/> <element name="AffiliationDescriptor" type="md:AffiliationDescriptorType"/> <complexType name="AffiliationDescriptorType"> <sequence> <element ref="ds:Signature" minOccurs="0"/> <element ref="md:Extensions" minOccurs="0"/> <element ref="md:AffiliateMember" maxOccurs="unbounded"/> </sequence> <attribute name="affiliationOwnerID" type="md:entityIDType" use="required"/> <attribute name="validUntil" type="dateTime" use="optional"/> <attribute name="cacheDuration" type="duration" use="optional"/> <attribute name="ID" type="ID" use="optional"/> <anyAttribute namespace="##other" processContents="lax"/> </complexType> <element name="AffiliateMember" type="md:entityIDType"/> </schema> PK�������sqY��E������*��php-saml/src/Saml2/schemas/xenc-schema.xsdnu��[���
��������<?xml version="1.0" encoding="utf-8"?> <schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' targetNamespace='http://www.w3.org/2001/04/xmlenc#' elementFormDefault='qualified'> <import namespace='http://www.w3.org/2000/09/xmldsig#' schemaLocation='xmldsig-core-schema.xsd'/> <complexType name='EncryptedType' abstract='true'> <sequence> <element name='EncryptionMethod' type='xenc:EncryptionMethodType' minOccurs='0'/> <element ref='ds:KeyInfo' minOccurs='0'/> <element ref='xenc:CipherData'/> <element ref='xenc:EncryptionProperties' minOccurs='0'/> </sequence> <attribute name='Id' type='ID' use='optional'/> <attribute name='Type' type='anyURI' use='optional'/> <attribute name='MimeType' type='string' use='optional'/> <attribute name='Encoding' type='anyURI' use='optional'/> </complexType> <complexType name='EncryptionMethodType' mixed='true'> <sequence> <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/> <element name='OAEPparams' minOccurs='0' type='base64Binary'/> <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> </sequence> <attribute name='Algorithm' type='anyURI' use='required'/> </complexType> <simpleType name='KeySizeType'> <restriction base="integer"/> </simpleType> <element name='CipherData' type='xenc:CipherDataType'/> <complexType name='CipherDataType'> <choice> <element name='CipherValue' type='base64Binary'/> <element ref='xenc:CipherReference'/> </choice> </complexType> <element name='CipherReference' type='xenc:CipherReferenceType'/> <complexType name='CipherReferenceType'> <choice> <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/> </choice> <attribute name='URI' type='anyURI' use='required'/> </complexType> <complexType name='TransformsType'> <sequence> <element ref='ds:Transform' maxOccurs='unbounded'/> </sequence> </complexType> <element name='EncryptedData' type='xenc:EncryptedDataType'/> <complexType name='EncryptedDataType'> <complexContent> <extension base='xenc:EncryptedType'> </extension> </complexContent> </complexType> <!-- Children of ds:KeyInfo --> <element name='EncryptedKey' type='xenc:EncryptedKeyType'/> <complexType name='EncryptedKeyType'> <complexContent> <extension base='xenc:EncryptedType'> <sequence> <element ref='xenc:ReferenceList' minOccurs='0'/> <element name='CarriedKeyName' type='string' minOccurs='0'/> </sequence> <attribute name='Recipient' type='string' use='optional'/> </extension> </complexContent> </complexType> <element name="AgreementMethod" type="xenc:AgreementMethodType"/> <complexType name="AgreementMethodType" mixed="true"> <sequence> <element name="KA-Nonce" minOccurs="0" type="base64Binary"/> <!-- <element ref="ds:DigestMethod" minOccurs="0"/> --> <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <!-- End Children of ds:KeyInfo --> <element name='ReferenceList'> <complexType> <choice minOccurs='1' maxOccurs='unbounded'> <element name='DataReference' type='xenc:ReferenceType'/> <element name='KeyReference' type='xenc:ReferenceType'/> </choice> </complexType> </element> <complexType name='ReferenceType'> <sequence> <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> </sequence> <attribute name='URI' type='anyURI' use='required'/> </complexType> <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/> <complexType name='EncryptionPropertiesType'> <sequence> <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/> </sequence> <attribute name='Id' type='ID' use='optional'/> </complexType> <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/> <complexType name='EncryptionPropertyType' mixed='true'> <choice maxOccurs='unbounded'> <any namespace='##other' processContents='lax'/> </choice> <attribute name='Target' type='anyURI' use='optional'/> <attribute name='Id' type='ID' use='optional'/> <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/> </complexType> </schema> PK�������sqY9챉������A��php-saml/src/Saml2/schemas/sstc-saml-metadata-algsupport-v1.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <schema targetNamespace="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns="http://www.w3.org/2001/XMLSchema" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" elementFormDefault="unqualified" attributeFormDefault="unqualified" blockDefault="substitution" version="1.0"> <annotation> <documentation> Document title: Metadata Extension Schema for SAML V2.0 Metadata Profile for Algorithm Support Version 1.0 Document identifier: sstc-saml-metadata-algsupport.xsd Location: http://docs.oasis-open.org/security/saml/Post2.0/ Revision history: V1.0 (June 2010): Initial version. </documentation> </annotation> <element name="DigestMethod" type="alg:DigestMethodType"/> <complexType name="DigestMethodType"> <sequence> <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType> <element name="SigningMethod" type="alg:SigningMethodType"/> <complexType name="SigningMethodType"> <sequence> <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> <attribute name="MinKeySize" type="positiveInteger"/> <attribute name="MaxKeySize" type="positiveInteger"/> </complexType> </schema> PK�������sqY&�������<��php-saml/src/Saml2/schemas/saml-schema-authn-context-2.0.xsdnu��[���
��������<?xml version="1.0" encoding="UTF-8"?> <xs:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:ac" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="urn:oasis:names:tc:SAML:2.0:ac" blockDefault="substitution" version="2.0"> <xs:annotation> <xs:documentation> Document identifier: saml-schema-authn-context-2.0 Location: http://docs.oasis-open.org/security/saml/v2.0/ Revision history: V2.0 (March, 2005): New core authentication context schema for SAML V2.0. This is just an include of all types from the schema referred to in the include statement below. </xs:documentation> </xs:annotation> <xs:include schemaLocation="saml-schema-authn-context-types-2.0.xsd"/> </xs:schema>PK�������sqY7/dIo��o�� ��php-saml/src/Saml2/Constants.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; /** * Constants of OneLogin PHP Toolkit * * Defines all required constants */ class Constants { // Value added to the current time in time condition validations const ALLOWED_CLOCK_DRIFT = 180; // 3 min in seconds // NameID Formats const NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'; const NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'; const NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName'; const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'; const NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'; const NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity'; const NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'; const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'; const NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted'; // Attribute Name Formats const ATTRNAME_FORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'; const ATTRNAME_FORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'; const ATTRNAME_FORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'; // Namespaces const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion'; const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol'; const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/'; const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata'; const NS_XS = 'http://www.w3.org/2001/XMLSchema'; const NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'; const NS_XENC = 'http://www.w3.org/2001/04/xmlenc#'; const NS_DS = 'http://www.w3.org/2000/09/xmldsig#'; // Bindings const BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'; const BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'; const BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'; const BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP'; const BINDING_DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE'; // Auth Context Class const AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'; const AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'; const AC_PASSWORD_PROTECTED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'; const AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'; const AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'; const AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'; const AC_WINDOWS = 'urn:federation:authentication:windows'; const AC_TLS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient'; // Subject Confirmation const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'; const CM_HOLDER_KEY = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key'; const CM_SENDER_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches'; // Status Codes const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success'; const STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester'; const STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder'; const STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch'; const STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive'; const STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout'; const STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded'; } PK�������sqY�4a����������php-saml/src/Saml2/Settings.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use RobRichards\XMLSecLibs\XMLSecurityDSig; use DOMDocument; use Exception; /** * Configuration of the OneLogin PHP Toolkit */ class Settings { /** * List of paths. * * @var array */ private $_paths = array(); /** * @var string */ private $_baseurl; /** * Strict. If active, PHP Toolkit will reject unsigned or unencrypted messages * if it expects them signed or encrypted. If not, the messages will be accepted * and some security issues will be also relaxed. * * @var bool */ private $_strict = true; /** * Activate debug mode * * @var bool */ private $_debug = false; /** * SP data. * * @var array */ private $_sp = array(); /** * IdP data. * * @var array */ private $_idp = array(); /** * Compression settings that determine * whether gzip compression should be used. * * @var array */ private $_compress = array(); /** * Security Info related to the SP. * * @var array */ private $_security = array(); /** * Setting contacts. * * @var array */ private $_contacts = array(); /** * Setting organization. * * @var array */ private $_organization = array(); /** * Setting errors. * * @var array */ private $_errors = array(); /** * Valitate SP data only flag * * @var bool */ private $_spValidationOnly = false; /** * Initializes the settings: * - Sets the paths of the different folders * - Loads settings info from settings file or array/object provided * * @param array|null $settings SAML Toolkit Settings * @param bool $spValidationOnly Validate or not the IdP data * * @throws Error If any settings parameter is invalid * @throws Exception If Settings is incorrectly supplied */ public function __construct(array $settings = null, $spValidationOnly = false) { $this->_spValidationOnly = $spValidationOnly; $this->_loadPaths(); if (!isset($settings)) { if (!$this->_loadSettingsFromFile()) { throw new Error( 'Invalid file settings: %s', Error::SETTINGS_INVALID, array(implode(', ', $this->_errors)) ); } $this->_addDefaultValues(); } else { if (!$this->_loadSettingsFromArray($settings)) { throw new Error( 'Invalid array settings: %s', Error::SETTINGS_INVALID, array(implode(', ', $this->_errors)) ); } } $this->formatIdPCert(); $this->formatSPCert(); $this->formatSPKey(); $this->formatSPCertNew(); $this->formatIdPCertMulti(); } /** * Sets the paths of the different folders * @suppress PhanUndeclaredConstant */ private function _loadPaths() { $basePath = dirname(dirname(__DIR__)) . '/'; $this->_paths = array( 'base' => $basePath, 'config' => $basePath, 'cert' => $basePath.'certs/', 'lib' => $basePath.'src/' ); if (defined('ONELOGIN_CUSTOMPATH')) { $this->_paths['config'] = ONELOGIN_CUSTOMPATH; $this->_paths['cert'] = ONELOGIN_CUSTOMPATH . 'certs/'; } } /** * Returns base path. * * @return string The base toolkit folder path */ public function getBasePath() { return $this->_paths['base']; } /** * Returns cert path. * * @return string The cert folder path */ public function getCertPath() { return $this->_paths['cert']; } /** * Returns config path. * * @return string The config folder path */ public function getConfigPath() { return $this->_paths['config']; } /** * Returns lib path. * * @return string The library folder path */ public function getLibPath() { return $this->_paths['lib']; } /** * Returns schema path. * * @return string The external library folder path */ public function getSchemasPath() { return $this->_paths['lib'].'schemas/'; } /** * Loads settings info from a settings Array * * @param array $settings SAML Toolkit Settings * * @return bool True if the settings info is valid */ private function _loadSettingsFromArray(array $settings) { if (isset($settings['sp'])) { $this->_sp = $settings['sp']; } if (isset($settings['idp'])) { $this->_idp = $settings['idp']; } $errors = $this->checkSettings($settings); if (empty($errors)) { $this->_errors = array(); if (isset($settings['strict'])) { $this->_strict = $settings['strict']; } if (isset($settings['debug'])) { $this->_debug = $settings['debug']; } if (isset($settings['baseurl'])) { $this->_baseurl = $settings['baseurl']; } if (isset($settings['compress'])) { $this->_compress = $settings['compress']; } if (isset($settings['security'])) { $this->_security = $settings['security']; } if (isset($settings['contactPerson'])) { $this->_contacts = $settings['contactPerson']; } if (isset($settings['organization'])) { $this->_organization = $settings['organization']; } $this->_addDefaultValues(); return true; } else { $this->_errors = $errors; return false; } } /** * Loads settings info from the settings file * * @return bool True if the settings info is valid * * @throws Error * * @suppress PhanUndeclaredVariable */ private function _loadSettingsFromFile() { $filename = $this->getConfigPath().'settings.php'; if (!file_exists($filename)) { throw new Error( 'Settings file not found: %s', Error::SETTINGS_FILE_NOT_FOUND, array($filename) ); } /** @var array $settings */ include $filename; // Add advance_settings if exists $advancedFilename = $this->getConfigPath().'advanced_settings.php'; if (file_exists($advancedFilename)) { /** @var array $advancedSettings */ include $advancedFilename; $settings = array_merge($settings, $advancedSettings); } return $this->_loadSettingsFromArray($settings); } /** * Add default values if the settings info is not complete */ private function _addDefaultValues() { if (!isset($this->_sp['assertionConsumerService']['binding'])) { $this->_sp['assertionConsumerService']['binding'] = Constants::BINDING_HTTP_POST; } if (isset($this->_sp['singleLogoutService']) && !isset($this->_sp['singleLogoutService']['binding'])) { $this->_sp['singleLogoutService']['binding'] = Constants::BINDING_HTTP_REDIRECT; } if (!isset($this->_compress['requests'])) { $this->_compress['requests'] = true; } if (!isset($this->_compress['responses'])) { $this->_compress['responses'] = true; } // Related to nameID if (!isset($this->_sp['NameIDFormat'])) { $this->_sp['NameIDFormat'] = Constants::NAMEID_UNSPECIFIED; } if (!isset($this->_security['nameIdEncrypted'])) { $this->_security['nameIdEncrypted'] = false; } if (!isset($this->_security['requestedAuthnContext'])) { $this->_security['requestedAuthnContext'] = true; } // sign provided if (!isset($this->_security['authnRequestsSigned'])) { $this->_security['authnRequestsSigned'] = false; } if (!isset($this->_security['logoutRequestSigned'])) { $this->_security['logoutRequestSigned'] = false; } if (!isset($this->_security['logoutResponseSigned'])) { $this->_security['logoutResponseSigned'] = false; } if (!isset($this->_security['signMetadata'])) { $this->_security['signMetadata'] = false; } // sign expected if (!isset($this->_security['wantMessagesSigned'])) { $this->_security['wantMessagesSigned'] = false; } if (!isset($this->_security['wantAssertionsSigned'])) { $this->_security['wantAssertionsSigned'] = false; } // NameID element expected if (!isset($this->_security['wantNameId'])) { $this->_security['wantNameId'] = true; } // Relax Destination validation if (!isset($this->_security['relaxDestinationValidation'])) { $this->_security['relaxDestinationValidation'] = false; } // encrypt expected if (!isset($this->_security['wantAssertionsEncrypted'])) { $this->_security['wantAssertionsEncrypted'] = false; } if (!isset($this->_security['wantNameIdEncrypted'])) { $this->_security['wantNameIdEncrypted'] = false; } // XML validation if (!isset($this->_security['wantXMLValidation'])) { $this->_security['wantXMLValidation'] = true; } // SignatureAlgorithm if (!isset($this->_security['signatureAlgorithm'])) { $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA256; } // DigestAlgorithm if (!isset($this->_security['digestAlgorithm'])) { $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256; } if (!isset($this->_security['lowercaseUrlencoding'])) { $this->_security['lowercaseUrlencoding'] = false; } // Certificates / Private key /Fingerprint if (!isset($this->_idp['x509cert'])) { $this->_idp['x509cert'] = ''; } if (!isset($this->_idp['certFingerprint'])) { $this->_idp['certFingerprint'] = ''; } if (!isset($this->_idp['certFingerprintAlgorithm'])) { $this->_idp['certFingerprintAlgorithm'] = 'sha1'; } if (!isset($this->_sp['x509cert'])) { $this->_sp['x509cert'] = ''; } if (!isset($this->_sp['privateKey'])) { $this->_sp['privateKey'] = ''; } } /** * Checks the settings info. * * @param array $settings Array with settings data * * @return array $errors Errors found on the settings data */ public function checkSettings(array $settings) { if (empty($settings)) { $errors = array('invalid_syntax'); } else { $errors = array(); if (!$this->_spValidationOnly) { $idpErrors = $this->checkIdPSettings($settings); $errors = array_merge($idpErrors, $errors); } $spErrors = $this->checkSPSettings($settings); $errors = array_merge($spErrors, $errors); $compressErrors = $this->checkCompressionSettings($settings); $errors = array_merge($compressErrors, $errors); } return $errors; } /** * Checks the compression settings info. * * @param array $settings Array with settings data * * @return array $errors Errors found on the settings data */ public function checkCompressionSettings($settings) { $errors = array(); if (isset($settings['compress'])) { if (!is_array($settings['compress'])) { $errors[] = "invalid_syntax"; } else if (isset($settings['compress']['requests']) && $settings['compress']['requests'] !== true && $settings['compress']['requests'] !== false ) { $errors[] = "'compress'=>'requests' values must be true or false."; } else if (isset($settings['compress']['responses']) && $settings['compress']['responses'] !== true && $settings['compress']['responses'] !== false ) { $errors[] = "'compress'=>'responses' values must be true or false."; } } return $errors; } /** * Checks the IdP settings info. * * @param array $settings Array with settings data * * @return array $errors Errors found on the IdP settings data */ public function checkIdPSettings(array $settings) { if (empty($settings)) { return array('invalid_syntax'); } $errors = array(); if (!isset($settings['idp']) || empty($settings['idp'])) { $errors[] = 'idp_not_found'; } else { $idp = $settings['idp']; if (!isset($idp['entityId']) || empty($idp['entityId'])) { $errors[] = 'idp_entityId_not_found'; } if (!isset($idp['singleSignOnService']) || !isset($idp['singleSignOnService']['url']) || empty($idp['singleSignOnService']['url']) ) { $errors[] = 'idp_sso_not_found'; } else if (!filter_var($idp['singleSignOnService']['url'], FILTER_VALIDATE_URL)) { $errors[] = 'idp_sso_url_invalid'; } if (isset($idp['singleLogoutService']) && isset($idp['singleLogoutService']['url']) && !empty($idp['singleLogoutService']['url']) && !filter_var($idp['singleLogoutService']['url'], FILTER_VALIDATE_URL) ) { $errors[] = 'idp_slo_url_invalid'; } if (isset($idp['singleLogoutService']) && isset($idp['singleLogoutService']['responseUrl']) && !empty($idp['singleLogoutService']['responseUrl']) && !filter_var($idp['singleLogoutService']['responseUrl'], FILTER_VALIDATE_URL) ) { $errors[] = 'idp_slo_response_url_invalid'; } if (isset($settings['security'])) { $security = $settings['security']; $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']); $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']); $existsMultiX509Enc = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['encryption']) && !empty($idp['x509certMulti']['encryption']); $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']); if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign) ) { $errors[] = 'idp_cert_or_fingerprint_not_found_and_required'; } if ((isset($security['nameIdEncrypted']) && $security['nameIdEncrypted'] == true) && !($existsX509 || $existsMultiX509Enc) ) { $errors[] = 'idp_cert_not_found_and_required'; } } } return $errors; } /** * Checks the SP settings info. * * @param array $settings Array with settings data * * @return array $errors Errors found on the SP settings data */ public function checkSPSettings(array $settings) { if (empty($settings)) { return array('invalid_syntax'); } $errors = array(); if (!isset($settings['sp']) || empty($settings['sp'])) { $errors[] = 'sp_not_found'; } else { $sp = $settings['sp']; $security = array(); if (isset($settings['security'])) { $security = $settings['security']; } if (!isset($sp['entityId']) || empty($sp['entityId'])) { $errors[] = 'sp_entityId_not_found'; } if (!isset($sp['assertionConsumerService']) || !isset($sp['assertionConsumerService']['url']) || empty($sp['assertionConsumerService']['url']) ) { $errors[] = 'sp_acs_not_found'; } else if (!filter_var($sp['assertionConsumerService']['url'], FILTER_VALIDATE_URL)) { $errors[] = 'sp_acs_url_invalid'; } if (isset($sp['singleLogoutService']) && isset($sp['singleLogoutService']['url']) && !filter_var($sp['singleLogoutService']['url'], FILTER_VALIDATE_URL) ) { $errors[] = 'sp_sls_url_invalid'; } if (isset($security['signMetadata']) && is_array($security['signMetadata'])) { if ((!isset($security['signMetadata']['keyFileName']) || !isset($security['signMetadata']['certFileName'])) && (!isset($security['signMetadata']['privateKey']) || !isset($security['signMetadata']['x509cert'])) ) { $errors[] = 'sp_signMetadata_invalid'; } } if (((isset($security['authnRequestsSigned']) && $security['authnRequestsSigned'] == true) || (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned'] == true) || (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned'] == true) || (isset($security['wantAssertionsEncrypted']) && $security['wantAssertionsEncrypted'] == true) || (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted'] == true)) && !$this->checkSPCerts() ) { $errors[] = 'sp_certs_not_found_and_required'; } } if (isset($settings['contactPerson'])) { $types = array_keys($settings['contactPerson']); $validTypes = array('technical', 'support', 'administrative', 'billing', 'other'); foreach ($types as $type) { if (!in_array($type, $validTypes)) { $errors[] = 'contact_type_invalid'; break; } } foreach ($settings['contactPerson'] as $type => $contact) { if (!isset($contact['givenName']) || empty($contact['givenName']) || !isset($contact['emailAddress']) || empty($contact['emailAddress']) ) { $errors[] = 'contact_not_enought_data'; break; } } } if (isset($settings['organization'])) { foreach ($settings['organization'] as $organization) { if (!isset($organization['name']) || empty($organization['name']) || !isset($organization['displayname']) || empty($organization['displayname']) || !isset($organization['url']) || empty($organization['url']) ) { $errors[] = 'organization_not_enought_data'; break; } } } return $errors; } /** * Checks if the x509 certs of the SP exists and are valid. * * @return bool */ public function checkSPCerts() { $key = $this->getSPkey(); $cert = $this->getSPcert(); return (!empty($key) && !empty($cert)); } /** * Returns the x509 private key of the SP. * * @return string SP private key */ public function getSPkey() { $key = null; if (isset($this->_sp['privateKey']) && !empty($this->_sp['privateKey'])) { $key = $this->_sp['privateKey']; } else { $keyFile = $this->_paths['cert'].'sp.key'; if (file_exists($keyFile)) { $key = file_get_contents($keyFile); } } return $key; } /** * Returns the x509 public cert of the SP. * * @return string SP public cert */ public function getSPcert() { $cert = null; if (isset($this->_sp['x509cert']) && !empty($this->_sp['x509cert'])) { $cert = $this->_sp['x509cert']; } else { $certFile = $this->_paths['cert'].'sp.crt'; if (file_exists($certFile)) { $cert = file_get_contents($certFile); } } return $cert; } /** * Returns the x509 public of the SP that is * planed to be used soon instead the other * public cert * * @return string SP public cert New */ public function getSPcertNew() { $cert = null; if (isset($this->_sp['x509certNew']) && !empty($this->_sp['x509certNew'])) { $cert = $this->_sp['x509certNew']; } else { $certFile = $this->_paths['cert'].'sp_new.crt'; if (file_exists($certFile)) { $cert = file_get_contents($certFile); } } return $cert; } /** * Gets the IdP data. * * @return array IdP info */ public function getIdPData() { return $this->_idp; } /** * Gets the SP data. * * @return array SP info */ public function getSPData() { return $this->_sp; } /** * Gets security data. * * @return array SP info */ public function getSecurityData() { return $this->_security; } /** * Gets contact data. * * @return array SP info */ public function getContacts() { return $this->_contacts; } /** * Gets organization data. * * @return array SP info */ public function getOrganization() { return $this->_organization; } /** * Should SAML requests be compressed? * * @return bool Yes/No as True/False */ public function shouldCompressRequests() { return $this->_compress['requests']; } /** * Should SAML responses be compressed? * * @return bool Yes/No as True/False */ public function shouldCompressResponses() { return $this->_compress['responses']; } /** * Gets the SP metadata. The XML representation. * * @param bool $alwaysPublishEncryptionCert When 'true', the returned * metadata will always include an 'encryption' KeyDescriptor. Otherwise, * the 'encryption' KeyDescriptor will only be included if * $advancedSettings['security']['wantNameIdEncrypted'] or * $advancedSettings['security']['wantAssertionsEncrypted'] are enabled. * @param int|null $validUntil Metadata's valid time * @param int|null $cacheDuration Duration of the cache in seconds * * @return string SP metadata (xml) * @throws Exception * @throws Error */ public function getSPMetadata($alwaysPublishEncryptionCert = false, $validUntil = null, $cacheDuration = null) { $metadata = Metadata::builder($this->_sp, $this->_security['authnRequestsSigned'], $this->_security['wantAssertionsSigned'], $validUntil, $cacheDuration, $this->getContacts(), $this->getOrganization()); $certNew = $this->getSPcertNew(); if (!empty($certNew)) { $metadata = Metadata::addX509KeyDescriptors( $metadata, $certNew, $alwaysPublishEncryptionCert || $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted'] ); } $cert = $this->getSPcert(); if (!empty($cert)) { $metadata = Metadata::addX509KeyDescriptors( $metadata, $cert, $alwaysPublishEncryptionCert || $this->_security['wantNameIdEncrypted'] || $this->_security['wantAssertionsEncrypted'] ); } //Sign Metadata if (isset($this->_security['signMetadata']) && $this->_security['signMetadata'] != false) { if ($this->_security['signMetadata'] === true) { $keyMetadata = $this->getSPkey(); $certMetadata = $cert; if (!$keyMetadata) { throw new Error( 'SP Private key not found.', Error::PRIVATE_KEY_FILE_NOT_FOUND ); } if (!$certMetadata) { throw new Error( 'SP Public cert not found.', Error::PUBLIC_CERT_FILE_NOT_FOUND ); } } else if (isset($this->_security['signMetadata']['keyFileName']) && isset($this->_security['signMetadata']['certFileName'])) { $keyFileName = $this->_security['signMetadata']['keyFileName']; $certFileName = $this->_security['signMetadata']['certFileName']; $keyMetadataFile = $this->_paths['cert'].$keyFileName; $certMetadataFile = $this->_paths['cert'].$certFileName; if (!file_exists($keyMetadataFile)) { throw new Error( 'SP Private key file not found: %s', Error::PRIVATE_KEY_FILE_NOT_FOUND, array($keyMetadataFile) ); } if (!file_exists($certMetadataFile)) { throw new Error( 'SP Public cert file not found: %s', Error::PUBLIC_CERT_FILE_NOT_FOUND, array($certMetadataFile) ); } $keyMetadata = file_get_contents($keyMetadataFile); $certMetadata = file_get_contents($certMetadataFile); } else if (isset($this->_security['signMetadata']['privateKey']) && isset($this->_security['signMetadata']['x509cert'])) { $keyMetadata = Utils::formatPrivateKey($this->_security['signMetadata']['privateKey']); $certMetadata = Utils::formatCert($this->_security['signMetadata']['x509cert']); if (!$keyMetadata) { throw new Error( 'Private key not found.', Error::PRIVATE_KEY_FILE_NOT_FOUND ); } if (!$certMetadata) { throw new Error( 'Public cert not found.', Error::PUBLIC_CERT_FILE_NOT_FOUND ); } } else { throw new Error( 'Invalid Setting: signMetadata value of the sp is not valid', Error::SETTINGS_INVALID_SYNTAX ); } $signatureAlgorithm = $this->_security['signatureAlgorithm']; $digestAlgorithm = $this->_security['digestAlgorithm']; $metadata = Metadata::signMetadata($metadata, $keyMetadata, $certMetadata, $signatureAlgorithm, $digestAlgorithm); } return $metadata; } /** * Validates an XML SP Metadata. * * @param string $xml Metadata's XML that will be validate * * @return array The list of found errors * * @throws Exception */ public function validateMetadata($xml) { assert(is_string($xml)); $errors = array(); $res = Utils::validateXML($xml, 'saml-schema-metadata-2.0.xsd', $this->_debug); if (!$res instanceof DOMDocument) { $errors[] = $res; } else { $dom = $res; $element = $dom->documentElement; if ($element->tagName !== 'md:EntityDescriptor') { $errors[] = 'noEntityDescriptor_xml'; } else { $validUntil = $cacheDuration = $expireTime = null; if ($element->hasAttribute('validUntil')) { $validUntil = Utils::parseSAML2Time($element->getAttribute('validUntil')); } if ($element->hasAttribute('cacheDuration')) { $cacheDuration = $element->getAttribute('cacheDuration'); } $expireTime = Utils::getExpireTime($cacheDuration, $validUntil); if (isset($expireTime) && time() > $expireTime) { $errors[] = 'expired_xml'; } } } // TODO: Support Metadata Sign Validation return $errors; } /** * Formats the IdP cert. */ public function formatIdPCert() { if (isset($this->_idp['x509cert'])) { $this->_idp['x509cert'] = Utils::formatCert($this->_idp['x509cert']); } } /** * Formats the Multple IdP certs. */ public function formatIdPCertMulti() { if (isset($this->_idp['x509certMulti'])) { if (isset($this->_idp['x509certMulti']['signing'])) { foreach ($this->_idp['x509certMulti']['signing'] as $i => $cert) { $this->_idp['x509certMulti']['signing'][$i] = Utils::formatCert($cert); } } if (isset($this->_idp['x509certMulti']['encryption'])) { foreach ($this->_idp['x509certMulti']['encryption'] as $i => $cert) { $this->_idp['x509certMulti']['encryption'][$i] = Utils::formatCert($cert); } } } } /** * Formats the SP cert. */ public function formatSPCert() { if (isset($this->_sp['x509cert'])) { $this->_sp['x509cert'] = Utils::formatCert($this->_sp['x509cert']); } } /** * Formats the SP cert. */ public function formatSPCertNew() { if (isset($this->_sp['x509certNew'])) { $this->_sp['x509certNew'] = Utils::formatCert($this->_sp['x509certNew']); } } /** * Formats the SP private key. */ public function formatSPKey() { if (isset($this->_sp['privateKey'])) { $this->_sp['privateKey'] = Utils::formatPrivateKey($this->_sp['privateKey']); } } /** * Returns an array with the errors, the array is empty when the settings is ok. * * @return array Errors */ public function getErrors() { return $this->_errors; } /** * Activates or deactivates the strict mode. * * @param bool $value Strict parameter * * @throws Exception */ public function setStrict($value) { if (!is_bool($value)) { throw new Exception('Invalid value passed to setStrict()'); } $this->_strict = $value; } /** * Returns if the 'strict' mode is active. * * @return bool Strict parameter */ public function isStrict() { return $this->_strict; } /** * Returns if the debug is active. * * @return bool Debug parameter */ public function isDebugActive() { return $this->_debug; } /** * Set a baseurl value. * * @param string $baseurl Base URL. */ public function setBaseURL($baseurl) { $this->_baseurl = $baseurl; } /** * Returns the baseurl set on the settings if any. * * @return null|string The baseurl */ public function getBaseURL() { return $this->_baseurl; } /** * Sets the IdP certificate. * * @param string $cert IdP certificate */ public function setIdPCert($cert) { $this->_idp['x509cert'] = $cert; $this->formatIdPCert(); } } PK�������sqY �G#��������php-saml/src/Saml2/Response.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use RobRichards\XMLSecLibs\XMLSecEnc; use DOMDocument; use DOMNodeList; use DOMXPath; use Exception; /** * SAML 2 Authentication Response */ class Response { /** * Settings * * @var Settings */ protected $_settings; /** * The decoded, unprocessed XML response provided to the constructor. * * @var string */ public $response; /** * A DOMDocument class loaded from the SAML Response. * * @var DOMDocument */ public $document; /** * A DOMDocument class loaded from the SAML Response (Decrypted). * * @var DOMDocument */ public $decryptedDocument; /** * The response contains an encrypted assertion. * * @var bool */ public $encrypted = false; /** * After validation, if it fail this var has the cause of the problem * * @var Exception|null */ private $_error; /** * NotOnOrAfter value of a valid SubjectConfirmationData node * * @var int */ private $_validSCDNotOnOrAfter; /** * Constructs the SAML Response object. * * @param Settings $settings Settings. * @param string $response A UUEncoded SAML response from the IdP. * * @throws Exception * @throws ValidationError */ public function __construct(\OneLogin\Saml2\Settings $settings, $response) { $this->_settings = $settings; $baseURL = $this->_settings->getBaseURL(); if (!empty($baseURL)) { Utils::setBaseURL($baseURL); } $this->response = base64_decode($response); $this->document = new DOMDocument(); $this->document = Utils::loadXML($this->document, $this->response); if (!$this->document) { throw new ValidationError( "SAML Response could not be processed", ValidationError::INVALID_XML_FORMAT ); } // Quick check for the presence of EncryptedAssertion $encryptedAssertionNodes = $this->document->getElementsByTagName('EncryptedAssertion'); if ($encryptedAssertionNodes->length !== 0) { $this->decryptedDocument = clone $this->document; $this->encrypted = true; $this->decryptedDocument = $this->decryptAssertion($this->decryptedDocument); } } /** * Determines if the SAML Response is valid using the certificate. * * @param string|null $requestId The ID of the AuthNRequest sent by this SP to the IdP * * @return bool Validate the document * * @throws Exception * @throws ValidationError */ public function isValid($requestId = null) { $this->_error = null; try { // Check SAML version if ($this->document->documentElement->getAttribute('Version') != '2.0') { throw new ValidationError( "Unsupported SAML version", ValidationError::UNSUPPORTED_SAML_VERSION ); } if (!$this->document->documentElement->hasAttribute('ID')) { throw new ValidationError( "Missing ID attribute on SAML Response", ValidationError::MISSING_ID ); } $this->checkStatus(); $singleAssertion = $this->validateNumAssertions(); if (!$singleAssertion) { throw new ValidationError( "SAML Response must contain 1 assertion", ValidationError::WRONG_NUMBER_OF_ASSERTIONS ); } $idpData = $this->_settings->getIdPData(); $idPEntityId = $idpData['entityId']; $spData = $this->_settings->getSPData(); $spEntityId = $spData['entityId']; $signedElements = $this->processSignedElements(); $responseTag = '{'.Constants::NS_SAMLP.'}Response'; $assertionTag = '{'.Constants::NS_SAML.'}Assertion'; $hasSignedResponse = in_array($responseTag, $signedElements); $hasSignedAssertion = in_array($assertionTag, $signedElements); if ($this->_settings->isStrict()) { $security = $this->_settings->getSecurityData(); if ($security['wantXMLValidation']) { $errorXmlMsg = "Invalid SAML Response. Not match the saml-schema-protocol-2.0.xsd"; $res = Utils::validateXML($this->document, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive()); if (!$res instanceof DOMDocument) { throw new ValidationError( $errorXmlMsg, ValidationError::INVALID_XML_FORMAT ); } // If encrypted, check also the decrypted document if ($this->encrypted) { $res = Utils::validateXML($this->decryptedDocument, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive()); if (!$res instanceof DOMDocument) { throw new ValidationError( $errorXmlMsg, ValidationError::INVALID_XML_FORMAT ); } } } $currentURL = Utils::getSelfRoutedURLNoQuery(); if ($this->document->documentElement->hasAttribute('InResponseTo')) { $responseInResponseTo = $this->document->documentElement->getAttribute('InResponseTo'); } // Check if the InResponseTo of the Response matchs the ID of the AuthNRequest (requestId) if provided if (isset($requestId) && isset($responseInResponseTo) && $requestId != $responseInResponseTo) { throw new ValidationError( "The InResponseTo of the Response: $responseInResponseTo, does not match the ID of the AuthNRequest sent by the SP: $requestId", ValidationError::WRONG_INRESPONSETO ); } if (!$this->encrypted && $security['wantAssertionsEncrypted']) { throw new ValidationError( "The assertion of the Response is not encrypted and the SP requires it", ValidationError::NO_ENCRYPTED_ASSERTION ); } if ($security['wantNameIdEncrypted']) { $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData'); if ($encryptedIdNodes->length != 1) { throw new ValidationError( "The NameID of the Response is not encrypted and the SP requires it", ValidationError::NO_ENCRYPTED_NAMEID ); } } // Validate Conditions element exists if (!$this->checkOneCondition()) { throw new ValidationError( "The Assertion must include a Conditions element", ValidationError::MISSING_CONDITIONS ); } // Validate Asserion timestamps $this->validateTimestamps(); // Validate AuthnStatement element exists and is unique if (!$this->checkOneAuthnStatement()) { throw new ValidationError( "The Assertion must include an AuthnStatement element", ValidationError::WRONG_NUMBER_OF_AUTHSTATEMENTS ); } // EncryptedAttributes are not supported $encryptedAttributeNodes = $this->_queryAssertion('/saml:AttributeStatement/saml:EncryptedAttribute'); if ($encryptedAttributeNodes->length > 0) { throw new ValidationError( "There is an EncryptedAttribute in the Response and this SP not support them", ValidationError::ENCRYPTED_ATTRIBUTES ); } // Check destination if ($this->document->documentElement->hasAttribute('Destination')) { $destination = trim($this->document->documentElement->getAttribute('Destination')); if (empty($destination)) { if (!$security['relaxDestinationValidation']) { throw new ValidationError( "The response has an empty Destination value", ValidationError::EMPTY_DESTINATION ); } } else { if (strpos($destination, $currentURL) !== 0) { $currentURLNoRouted = Utils::getSelfURLNoQuery(); if (strpos($destination, $currentURLNoRouted) !== 0) { throw new ValidationError( "The response was received at $currentURL instead of $destination", ValidationError::WRONG_DESTINATION ); } } } } // Check audience $validAudiences = $this->getAudiences(); if (!empty($validAudiences) && !in_array($spEntityId, $validAudiences, true)) { throw new ValidationError( sprintf( "Invalid audience for this Response (expected '%s', got '%s')", $spEntityId, implode(',', $validAudiences) ), ValidationError::WRONG_AUDIENCE ); } // Check the issuers $issuers = $this->getIssuers(); foreach ($issuers as $issuer) { $trimmedIssuer = trim($issuer); if (empty($trimmedIssuer) || $trimmedIssuer !== $idPEntityId) { throw new ValidationError( "Invalid issuer in the Assertion/Response (expected '$idPEntityId', got '$trimmedIssuer')", ValidationError::WRONG_ISSUER ); } } // Check the session Expiration $sessionExpiration = $this->getSessionNotOnOrAfter(); if (!empty($sessionExpiration) && $sessionExpiration + Constants::ALLOWED_CLOCK_DRIFT <= time()) { throw new ValidationError( "The attributes have expired, based on the SessionNotOnOrAfter of the AttributeStatement of this Response", ValidationError::SESSION_EXPIRED ); } // Check the SubjectConfirmation, at least one SubjectConfirmation must be valid $anySubjectConfirmation = false; $subjectConfirmationNodes = $this->_queryAssertion('/saml:Subject/saml:SubjectConfirmation'); foreach ($subjectConfirmationNodes as $scn) { if ($scn->hasAttribute('Method') && $scn->getAttribute('Method') != Constants::CM_BEARER) { continue; } $subjectConfirmationDataNodes = $scn->getElementsByTagName('SubjectConfirmationData'); if ($subjectConfirmationDataNodes->length == 0) { continue; } else { $scnData = $subjectConfirmationDataNodes->item(0); if ($scnData->hasAttribute('InResponseTo')) { $inResponseTo = $scnData->getAttribute('InResponseTo'); if (isset($responseInResponseTo) && $responseInResponseTo != $inResponseTo) { continue; } } if ($scnData->hasAttribute('Recipient')) { $recipient = $scnData->getAttribute('Recipient'); if (!empty($recipient) && strpos($recipient, $currentURL) === false) { continue; } } if ($scnData->hasAttribute('NotOnOrAfter')) { $noa = Utils::parseSAML2Time($scnData->getAttribute('NotOnOrAfter')); if ($noa + Constants::ALLOWED_CLOCK_DRIFT <= time()) { continue; } } if ($scnData->hasAttribute('NotBefore')) { $nb = Utils::parseSAML2Time($scnData->getAttribute('NotBefore')); if ($nb > time() + Constants::ALLOWED_CLOCK_DRIFT) { continue; } } // Save NotOnOrAfter value if ($scnData->hasAttribute('NotOnOrAfter')) { $this->_validSCDNotOnOrAfter = $noa; } $anySubjectConfirmation = true; break; } } if (!$anySubjectConfirmation) { throw new ValidationError( "A valid SubjectConfirmation was not found on this Response", ValidationError::WRONG_SUBJECTCONFIRMATION ); } if ($security['wantAssertionsSigned'] && !$hasSignedAssertion) { throw new ValidationError( "The Assertion of the Response is not signed and the SP requires it", ValidationError::NO_SIGNED_ASSERTION ); } if ($security['wantMessagesSigned'] && !$hasSignedResponse) { throw new ValidationError( "The Message of the Response is not signed and the SP requires it", ValidationError::NO_SIGNED_MESSAGE ); } } // Detect case not supported if ($this->encrypted) { $encryptedIDNodes = Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID'); if ($encryptedIDNodes->length > 0) { throw new ValidationError( 'Unsigned SAML Response that contains a signed and encrypted Assertion with encrypted nameId is not supported.', ValidationError::NOT_SUPPORTED ); } } if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) { throw new ValidationError( 'No Signature found. SAML Response rejected', ValidationError::NO_SIGNATURE_FOUND ); } else { $cert = $idpData['x509cert']; $fingerprint = $idpData['certFingerprint']; $fingerprintalg = $idpData['certFingerprintAlgorithm']; $multiCerts = null; $existsMultiX509Sign = isset($idpData['x509certMulti']) && isset($idpData['x509certMulti']['signing']) && !empty($idpData['x509certMulti']['signing']); if ($existsMultiX509Sign) { $multiCerts = $idpData['x509certMulti']['signing']; } // If find a Signature on the Response, validates it checking the original response if ($hasSignedResponse && !Utils::validateSign($this->document, $cert, $fingerprint, $fingerprintalg, Utils::RESPONSE_SIGNATURE_XPATH, $multiCerts)) { throw new ValidationError( "Signature validation failed. SAML Response rejected", ValidationError::INVALID_SIGNATURE ); } // If find a Signature on the Assertion (decrypted assertion if was encrypted) $documentToCheckAssertion = $this->encrypted ? $this->decryptedDocument : $this->document; if ($hasSignedAssertion && !Utils::validateSign($documentToCheckAssertion, $cert, $fingerprint, $fingerprintalg, Utils::ASSERTION_SIGNATURE_XPATH, $multiCerts)) { throw new ValidationError( "Signature validation failed. SAML Response rejected", ValidationError::INVALID_SIGNATURE ); } } return true; } catch (Exception $e) { $this->_error = $e; $debug = $this->_settings->isDebugActive(); if ($debug) { echo htmlentities($e->getMessage()); } return false; } } /** * @return string|null the ID of the Response */ public function getId() { $id = null; if ($this->document->documentElement->hasAttribute('ID')) { $id = $this->document->documentElement->getAttribute('ID'); } return $id; } /** * @return string|null the ID of the assertion in the Response * * @throws ValidationError */ public function getAssertionId() { if (!$this->validateNumAssertions()) { throw new ValidationError("SAML Response must contain 1 Assertion.", ValidationError::WRONG_NUMBER_OF_ASSERTIONS); } $assertionNodes = $this->_queryAssertion(""); $id = null; if ($assertionNodes->length == 1 && $assertionNodes->item(0)->hasAttribute('ID')) { $id = $assertionNodes->item(0)->getAttribute('ID'); } return $id; } /** * @return int the NotOnOrAfter value of the valid SubjectConfirmationData * node if any */ public function getAssertionNotOnOrAfter() { return $this->_validSCDNotOnOrAfter; } /** * Checks if the Status is success * * @throws ValidationError If status is not success */ public function checkStatus() { $status = Utils::getStatus($this->document); if (isset($status['code']) && $status['code'] !== Constants::STATUS_SUCCESS) { $explodedCode = explode(':', $status['code']); $printableCode = array_pop($explodedCode); $statusExceptionMsg = 'The status code of the Response was not Success, was '.$printableCode; if (!empty($status['msg'])) { $statusExceptionMsg .= ' -> '.$status['msg']; } throw new ValidationError( $statusExceptionMsg, ValidationError::STATUS_CODE_IS_NOT_SUCCESS ); } } /** * Checks that the samlp:Response/saml:Assertion/saml:Conditions element exists and is unique. * * @return boolean true if the Conditions element exists and is unique */ public function checkOneCondition() { $entries = $this->_queryAssertion("/saml:Conditions"); if ($entries->length == 1) { return true; } else { return false; } } /** * Checks that the samlp:Response/saml:Assertion/saml:AuthnStatement element exists and is unique. * * @return boolean true if the AuthnStatement element exists and is unique */ public function checkOneAuthnStatement() { $entries = $this->_queryAssertion("/saml:AuthnStatement"); if ($entries->length == 1) { return true; } else { return false; } } /** * Gets the audiences. * * @return array @audience The valid audiences of the response */ public function getAudiences() { $audiences = array(); $entries = $this->_queryAssertion('/saml:Conditions/saml:AudienceRestriction/saml:Audience'); foreach ($entries as $entry) { $value = trim($entry->textContent); if (!empty($value)) { $audiences[] = $value; } } return array_unique($audiences); } /** * Gets the Issuers (from Response and Assertion). * * @return array @issuers The issuers of the assertion/response * * @throws ValidationError */ public function getIssuers() { $issuers = array(); $responseIssuer = Utils::query($this->document, '/samlp:Response/saml:Issuer'); if ($responseIssuer->length > 0) { if ($responseIssuer->length == 1) { $issuers[] = $responseIssuer->item(0)->textContent; } else { throw new ValidationError( "Issuer of the Response is multiple.", ValidationError::ISSUER_MULTIPLE_IN_RESPONSE ); } } $assertionIssuer = $this->_queryAssertion('/saml:Issuer'); if ($assertionIssuer->length == 1) { $issuers[] = $assertionIssuer->item(0)->textContent; } else { throw new ValidationError( "Issuer of the Assertion not found or multiple.", ValidationError::ISSUER_NOT_FOUND_IN_ASSERTION ); } return array_unique($issuers); } /** * Gets the NameID Data provided by the SAML response from the IdP. * * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier) * * @throws ValidationError */ public function getNameIdData() { $encryptedIdDataEntries = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData'); if ($encryptedIdDataEntries->length == 1) { $encryptedData = $encryptedIdDataEntries->item(0); $key = $this->_settings->getSPkey(); $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'private')); $seckey->loadKey($key); $nameId = Utils::decryptElement($encryptedData, $seckey); } else { $entries = $this->_queryAssertion('/saml:Subject/saml:NameID'); if ($entries->length == 1) { $nameId = $entries->item(0); } } $nameIdData = array(); if (!isset($nameId)) { $security = $this->_settings->getSecurityData(); if ($security['wantNameId']) { throw new ValidationError( "NameID not found in the assertion of the Response", ValidationError::NO_NAMEID ); } } else { if ($this->_settings->isStrict() && empty($nameId->nodeValue)) { throw new ValidationError( "An empty NameID value found", ValidationError::EMPTY_NAMEID ); } $nameIdData['Value'] = $nameId->nodeValue; foreach (array('Format', 'SPNameQualifier', 'NameQualifier') as $attr) { if ($nameId->hasAttribute($attr)) { if ($this->_settings->isStrict() && $attr == 'SPNameQualifier') { $spData = $this->_settings->getSPData(); $spEntityId = $spData['entityId']; if ($spEntityId != $nameId->getAttribute($attr)) { throw new ValidationError( "The SPNameQualifier value mistmatch the SP entityID value.", ValidationError::SP_NAME_QUALIFIER_NAME_MISMATCH ); } } $nameIdData[$attr] = $nameId->getAttribute($attr); } } } return $nameIdData; } /** * Gets the NameID provided by the SAML response from the IdP. * * @return string|null Name ID Value * * @throws ValidationError */ public function getNameId() { $nameIdvalue = null; $nameIdData = $this->getNameIdData(); if (!empty($nameIdData) && isset($nameIdData['Value'])) { $nameIdvalue = $nameIdData['Value']; } return $nameIdvalue; } /** * Gets the NameID Format provided by the SAML response from the IdP. * * @return string|null Name ID Format * * @throws ValidationError */ public function getNameIdFormat() { $nameIdFormat = null; $nameIdData = $this->getNameIdData(); if (!empty($nameIdData) && isset($nameIdData['Format'])) { $nameIdFormat = $nameIdData['Format']; } return $nameIdFormat; } /** * Gets the NameID NameQualifier provided by the SAML response from the IdP. * * @return string|null Name ID NameQualifier * * @throws ValidationError */ public function getNameIdNameQualifier() { $nameIdNameQualifier = null; $nameIdData = $this->getNameIdData(); if (!empty($nameIdData) && isset($nameIdData['NameQualifier'])) { $nameIdNameQualifier = $nameIdData['NameQualifier']; } return $nameIdNameQualifier; } /** * Gets the NameID SP NameQualifier provided by the SAML response from the IdP. * * @return string|null NameID SP NameQualifier * * @throws ValidationError */ public function getNameIdSPNameQualifier() { $nameIdSPNameQualifier = null; $nameIdData = $this->getNameIdData(); if (!empty($nameIdData) && isset($nameIdData['SPNameQualifier'])) { $nameIdSPNameQualifier = $nameIdData['SPNameQualifier']; } return $nameIdSPNameQualifier; } /** * Gets the SessionNotOnOrAfter from the AuthnStatement. * Could be used to set the local session expiration * * @return int|null The SessionNotOnOrAfter value * * @throws Exception */ public function getSessionNotOnOrAfter() { $notOnOrAfter = null; $entries = $this->_queryAssertion('/saml:AuthnStatement[@SessionNotOnOrAfter]'); if ($entries->length !== 0) { $notOnOrAfter = Utils::parseSAML2Time($entries->item(0)->getAttribute('SessionNotOnOrAfter')); } return $notOnOrAfter; } /** * Gets the SessionIndex from the AuthnStatement. * Could be used to be stored in the local session in order * to be used in a future Logout Request that the SP could * send to the SP, to set what specific session must be deleted * * @return string|null The SessionIndex value */ public function getSessionIndex() { $sessionIndex = null; $entries = $this->_queryAssertion('/saml:AuthnStatement[@SessionIndex]'); if ($entries->length !== 0) { $sessionIndex = $entries->item(0)->getAttribute('SessionIndex'); } return $sessionIndex; } /** * Gets the Attributes from the AttributeStatement element. * * @return array The attributes of the SAML Assertion * * @throws ValidationError */ public function getAttributes() { return $this->_getAttributesByKeyName('Name'); } /** * Gets the Attributes from the AttributeStatement element using their FriendlyName. * * @return array The attributes of the SAML Assertion * * @throws ValidationError */ public function getAttributesWithFriendlyName() { return $this->_getAttributesByKeyName('FriendlyName'); } /** * @param string $keyName * * @return array * * @throws ValidationError */ private function _getAttributesByKeyName($keyName = "Name") { $attributes = array(); $entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute'); /** @var $entry DOMNode */ foreach ($entries as $entry) { $attributeKeyNode = $entry->attributes->getNamedItem($keyName); if ($attributeKeyNode === null) { continue; } $attributeKeyName = $attributeKeyNode->nodeValue; if (in_array($attributeKeyName, array_keys($attributes))) { throw new ValidationError( "Found an Attribute element with duplicated ".$keyName, ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND ); } $attributeValues = array(); foreach ($entry->childNodes as $childNode) { $tagName = ($childNode->prefix ? $childNode->prefix.':' : '') . 'AttributeValue'; if ($childNode->nodeType == XML_ELEMENT_NODE && $childNode->tagName === $tagName) { $attributeValues[] = $childNode->nodeValue; } } $attributes[$attributeKeyName] = $attributeValues; } return $attributes; } /** * Verifies that the document only contains a single Assertion (encrypted or not). * * @return bool TRUE if the document passes. */ public function validateNumAssertions() { $encryptedAssertionNodes = $this->document->getElementsByTagName('EncryptedAssertion'); $assertionNodes = $this->document->getElementsByTagName('Assertion'); $valid = $assertionNodes->length + $encryptedAssertionNodes->length == 1; if ($this->encrypted) { $assertionNodes = $this->decryptedDocument->getElementsByTagName('Assertion'); $valid = $valid && $assertionNodes->length == 1; } return $valid; } /** * Verifies the signature nodes: * - Checks that are Response or Assertion * - Check that IDs and reference URI are unique and consistent. * * @return array Signed element tags * * @throws ValidationError */ public function processSignedElements() { $signedElements = array(); $verifiedSeis = array(); $verifiedIds = array(); if ($this->encrypted) { $signNodes = $this->decryptedDocument->getElementsByTagName('Signature'); } else { $signNodes = $this->document->getElementsByTagName('Signature'); } foreach ($signNodes as $signNode) { $responseTag = '{'.Constants::NS_SAMLP.'}Response'; $assertionTag = '{'.Constants::NS_SAML.'}Assertion'; $signedElement = '{'.$signNode->parentNode->namespaceURI.'}'.$signNode->parentNode->localName; if ($signedElement != $responseTag && $signedElement != $assertionTag) { throw new ValidationError( "Invalid Signature Element $signedElement SAML Response rejected", ValidationError::WRONG_SIGNED_ELEMENT ); } // Check that reference URI matches the parent ID and no duplicate References or IDs $idValue = $signNode->parentNode->getAttribute('ID'); if (empty($idValue)) { throw new ValidationError( 'Signed Element must contain an ID. SAML Response rejected', ValidationError::ID_NOT_FOUND_IN_SIGNED_ELEMENT ); } if (in_array($idValue, $verifiedIds)) { throw new ValidationError( 'Duplicated ID. SAML Response rejected', ValidationError::DUPLICATED_ID_IN_SIGNED_ELEMENTS ); } $verifiedIds[] = $idValue; $ref = $signNode->getElementsByTagName('Reference'); if ($ref->length == 1) { $ref = $ref->item(0); $sei = $ref->getAttribute('URI'); if (!empty($sei)) { $sei = substr($sei, 1); if ($sei != $idValue) { throw new ValidationError( 'Found an invalid Signed Element. SAML Response rejected', ValidationError::INVALID_SIGNED_ELEMENT ); } if (in_array($sei, $verifiedSeis)) { throw new ValidationError( 'Duplicated Reference URI. SAML Response rejected', ValidationError::DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS ); } $verifiedSeis[] = $sei; } } else { throw new ValidationError( 'Unexpected number of Reference nodes found for signature. SAML Response rejected.', ValidationError::UNEXPECTED_REFERENCE ); } $signedElements[] = $signedElement; } // Check SignedElements if (!empty($signedElements) && !$this->validateSignedElements($signedElements)) { throw new ValidationError( 'Found an unexpected Signature Element. SAML Response rejected', ValidationError::UNEXPECTED_SIGNED_ELEMENTS ); } return $signedElements; } /** * Verifies that the document is still valid according Conditions Element. * * @return bool * * @throws Exception * @throws ValidationError */ public function validateTimestamps() { if ($this->encrypted) { $document = $this->decryptedDocument; } else { $document = $this->document; } $timestampNodes = $document->getElementsByTagName('Conditions'); for ($i = 0; $i < $timestampNodes->length; $i++) { $nbAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotBefore"); $naAttribute = $timestampNodes->item($i)->attributes->getNamedItem("NotOnOrAfter"); if ($nbAttribute && Utils::parseSAML2Time($nbAttribute->textContent) > time() + Constants::ALLOWED_CLOCK_DRIFT) { throw new ValidationError( 'Could not validate timestamp: not yet valid. Check system clock.', ValidationError::ASSERTION_TOO_EARLY ); } if ($naAttribute && Utils::parseSAML2Time($naAttribute->textContent) + Constants::ALLOWED_CLOCK_DRIFT <= time()) { throw new ValidationError( 'Could not validate timestamp: expired. Check system clock.', ValidationError::ASSERTION_EXPIRED ); } } return true; } /** * Verifies that the document has the expected signed nodes. * * @param array $signedElements Signed elements * * @return bool * * @throws ValidationError */ public function validateSignedElements($signedElements) { if (count($signedElements) > 2) { return false; } $responseTag = '{'.Constants::NS_SAMLP.'}Response'; $assertionTag = '{'.Constants::NS_SAML.'}Assertion'; $ocurrence = array_count_values($signedElements); if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1) || (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1) || !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements) ) { return false; } // Check that the signed elements found here, are the ones that will be verified // by Utils->validateSign() if (in_array($responseTag, $signedElements)) { $expectedSignatureNodes = Utils::query($this->document, Utils::RESPONSE_SIGNATURE_XPATH); if ($expectedSignatureNodes->length != 1) { throw new ValidationError( "Unexpected number of Response signatures found. SAML Response rejected.", ValidationError::WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE ); } } if (in_array($assertionTag, $signedElements)) { $expectedSignatureNodes = $this->_query(Utils::ASSERTION_SIGNATURE_XPATH); if ($expectedSignatureNodes->length != 1) { throw new ValidationError( "Unexpected number of Assertion signatures found. SAML Response rejected.", ValidationError::WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION ); } } return true; } /** * Extracts a node from the DOMDocument (Assertion). * * @param string $assertionXpath Xpath Expression * * @return DOMNodeList The queried node */ protected function _queryAssertion($assertionXpath) { if ($this->encrypted) { $xpath = new DOMXPath($this->decryptedDocument); } else { $xpath = new DOMXPath($this->document); } $xpath->registerNamespace('samlp', Constants::NS_SAMLP); $xpath->registerNamespace('saml', Constants::NS_SAML); $xpath->registerNamespace('ds', Constants::NS_DS); $xpath->registerNamespace('xenc', Constants::NS_XENC); $assertionNode = '/samlp:Response/saml:Assertion'; $signatureQuery = $assertionNode . '/ds:Signature/ds:SignedInfo/ds:Reference'; $assertionReferenceNode = $xpath->query($signatureQuery)->item(0); if (!$assertionReferenceNode) { // is the response signed as a whole? $signatureQuery = '/samlp:Response/ds:Signature/ds:SignedInfo/ds:Reference'; $responseReferenceNode = $xpath->query($signatureQuery)->item(0); if ($responseReferenceNode) { $uri = $responseReferenceNode->attributes->getNamedItem('URI')->nodeValue; if (empty($uri)) { $id = $responseReferenceNode->parentNode->parentNode->parentNode->attributes->getNamedItem('ID')->nodeValue; } else { $id = substr($responseReferenceNode->attributes->getNamedItem('URI')->nodeValue, 1); } $nameQuery = "/samlp:Response[@ID='$id']/saml:Assertion" . $assertionXpath; } else { $nameQuery = "/samlp:Response/saml:Assertion" . $assertionXpath; } } else { $uri = $assertionReferenceNode->attributes->getNamedItem('URI')->nodeValue; if (empty($uri)) { $id = $assertionReferenceNode->parentNode->parentNode->parentNode->attributes->getNamedItem('ID')->nodeValue; } else { $id = substr($assertionReferenceNode->attributes->getNamedItem('URI')->nodeValue, 1); } $nameQuery = $assertionNode."[@ID='$id']" . $assertionXpath; } return $xpath->query($nameQuery); } /** * Extracts nodes that match the query from the DOMDocument (Response Menssage) * * @param string $query Xpath Expression * * @return DOMNodeList The queried nodes */ private function _query($query) { if ($this->encrypted) { return Utils::query($this->decryptedDocument, $query); } else { return Utils::query($this->document, $query); } } /** * Decrypts the Assertion (DOMDocument) * * @param \DomNode $dom DomDocument * * @return DOMDocument Decrypted Assertion * * @throws Exception * @throws ValidationError */ protected function decryptAssertion(\DomNode $dom) { $pem = $this->_settings->getSPkey(); if (empty($pem)) { throw new Error( "No private key available, check settings", Error::PRIVATE_KEY_NOT_FOUND ); } $objenc = new XMLSecEnc(); $encData = $objenc->locateEncryptedData($dom); if (!$encData) { throw new ValidationError( "Cannot locate encrypted assertion", ValidationError::MISSING_ENCRYPTED_ELEMENT ); } $objenc->setNode($encData); $objenc->type = $encData->getAttribute("Type"); if (!$objKey = $objenc->locateKey()) { throw new ValidationError( "Unknown algorithm", ValidationError::KEY_ALGORITHM_ERROR ); } $key = null; if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) { if ($objKeyInfo->isEncrypted) { $objencKey = $objKeyInfo->encryptedCtx; $objKeyInfo->loadKey($pem, false, false); $key = $objencKey->decryptKey($objKeyInfo); } else { // symmetric encryption key support $objKeyInfo->loadKey($pem, false, false); } } if (empty($objKey->key)) { $objKey->loadKey($key); } $decryptedXML = $objenc->decryptNode($objKey, false); $decrypted = new DOMDocument(); $check = Utils::loadXML($decrypted, $decryptedXML); if ($check === false) { throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document'); } if ($encData->parentNode instanceof DOMDocument) { return $decrypted; } else { $decrypted = $decrypted->documentElement; $encryptedAssertion = $encData->parentNode; $container = $encryptedAssertion->parentNode; // Fix possible issue with saml namespace if (!$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml') && !$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml2') && !$decrypted->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns') && !$container->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml') && !$container->hasAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:saml2') ) { if (strpos($encryptedAssertion->tagName, 'saml2:') !== false) { $ns = 'xmlns:saml2'; } else if (strpos($encryptedAssertion->tagName, 'saml:') !== false) { $ns = 'xmlns:saml'; } else { $ns = 'xmlns'; } $decrypted->setAttributeNS('http://www.w3.org/2000/xmlns/', $ns, Constants::NS_SAML); } Utils::treeCopyReplace($encryptedAssertion, $decrypted); // Rebuild the DOM will fix issues with namespaces as well $dom = new DOMDocument(); return Utils::loadXML($dom, $container->ownerDocument->saveXML()); } } /** * After execute a validation process, if fails this method returns the cause * * @return Exception|null Cause */ public function getErrorException() { return $this->_error; } /** * After execute a validation process, if fails this method returns the cause * * @return null|string Error reason */ public function getError() { $errorMsg = null; if (isset($this->_error)) { $errorMsg = htmlentities($this->_error->getMessage()); } return $errorMsg; } /** * Returns the SAML Response document (If contains an encrypted assertion, decrypts it) * * @return DomDocument SAML Response */ public function getXMLDocument() { if ($this->encrypted) { return $this->decryptedDocument; } else { return $this->document; } } } PK�������sqY���Z���Z�����php-saml/src/Saml2/version.jsonnu��[���
��������{ "php-saml": { "version": "3.3.1", "released": "06/11/2019" } } PK�������sqY�t�e��e����php-saml/src/Saml2/Error.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use Exception; /** * Error class of OneLogin PHP Toolkit * * Defines the Error class */ class Error extends Exception { // Errors const SETTINGS_FILE_NOT_FOUND = 0; const SETTINGS_INVALID_SYNTAX = 1; const SETTINGS_INVALID = 2; const METADATA_SP_INVALID = 3; const SP_CERTS_NOT_FOUND = 4; // SP_CERTS_NOT_FOUND is deprecated, use CERT_NOT_FOUND instead const CERT_NOT_FOUND = 4; const REDIRECT_INVALID_URL = 5; const PUBLIC_CERT_FILE_NOT_FOUND = 6; const PRIVATE_KEY_FILE_NOT_FOUND = 7; const SAML_RESPONSE_NOT_FOUND = 8; const SAML_LOGOUTMESSAGE_NOT_FOUND = 9; const SAML_LOGOUTREQUEST_INVALID = 10; const SAML_LOGOUTRESPONSE_INVALID = 11; const SAML_SINGLE_LOGOUT_NOT_SUPPORTED = 12; const PRIVATE_KEY_NOT_FOUND = 13; const UNSUPPORTED_SETTINGS_OBJECT = 14; /** * Constructor * * @param string $msg Describes the error. * @param int $code The code error (defined in the error class). * @param array|null $args Arguments used in the message that describes the error. */ public function __construct($msg, $code = 0, $args = array()) { assert(is_string($msg)); assert(is_int($code)); if (!isset($args)) { $args = array(); } $params = array_merge(array($msg), $args); $message = call_user_func_array('sprintf', $params); parent::__construct($message, $code); } } PK�������sqYsF��������&��php-saml/src/Saml2/ValidationError.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use Exception; /** * ValidationError class of OneLogin PHP Toolkit * * This class implements another custom Exception handler, * related to exceptions that happens during validation process. */ class ValidationError extends Exception { // Validation Errors const UNSUPPORTED_SAML_VERSION = 0; const MISSING_ID = 1; const WRONG_NUMBER_OF_ASSERTIONS = 2; const MISSING_STATUS = 3; const MISSING_STATUS_CODE = 4; const STATUS_CODE_IS_NOT_SUCCESS = 5; const WRONG_SIGNED_ELEMENT = 6; const ID_NOT_FOUND_IN_SIGNED_ELEMENT = 7; const DUPLICATED_ID_IN_SIGNED_ELEMENTS = 8; const INVALID_SIGNED_ELEMENT = 9; const DUPLICATED_REFERENCE_IN_SIGNED_ELEMENTS = 10; const UNEXPECTED_SIGNED_ELEMENTS = 11; const WRONG_NUMBER_OF_SIGNATURES_IN_RESPONSE = 12; const WRONG_NUMBER_OF_SIGNATURES_IN_ASSERTION = 13; const INVALID_XML_FORMAT = 14; const WRONG_INRESPONSETO = 15; const NO_ENCRYPTED_ASSERTION = 16; const NO_ENCRYPTED_NAMEID = 17; const MISSING_CONDITIONS = 18; const ASSERTION_TOO_EARLY = 19; const ASSERTION_EXPIRED = 20; const WRONG_NUMBER_OF_AUTHSTATEMENTS = 21; const NO_ATTRIBUTESTATEMENT = 22; const ENCRYPTED_ATTRIBUTES = 23; const WRONG_DESTINATION = 24; const EMPTY_DESTINATION = 25; const WRONG_AUDIENCE = 26; const ISSUER_MULTIPLE_IN_RESPONSE = 27; const ISSUER_NOT_FOUND_IN_ASSERTION = 28; const WRONG_ISSUER = 29; const SESSION_EXPIRED = 30; const WRONG_SUBJECTCONFIRMATION = 31; const NO_SIGNED_MESSAGE = 32; const NO_SIGNED_ASSERTION = 33; const NO_SIGNATURE_FOUND = 34; const KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA = 35; const CHILDREN_NODE_NOT_FOUND_IN_KEYINFO = 36; const UNSUPPORTED_RETRIEVAL_METHOD = 37; const NO_NAMEID = 38; const EMPTY_NAMEID = 39; const SP_NAME_QUALIFIER_NAME_MISMATCH = 40; const DUPLICATED_ATTRIBUTE_NAME_FOUND = 41; const INVALID_SIGNATURE = 42; const WRONG_NUMBER_OF_SIGNATURES = 43; const RESPONSE_EXPIRED = 44; const UNEXPECTED_REFERENCE = 45; const NOT_SUPPORTED = 46; const KEY_ALGORITHM_ERROR = 47; const MISSING_ENCRYPTED_ELEMENT = 48; /** * Constructor * * @param string $msg Describes the error. * @param int $code The code error (defined in the error class). * @param array|null $args Arguments used in the message that describes the error. */ public function __construct($msg, $code = 0, $args = array()) { assert(is_string($msg)); assert(is_int($code)); if (!isset($args)) { $args = array(); } $params = array_merge(array($msg), $args); $message = call_user_func_array('sprintf', $params); parent::__construct($message, $code); } } PK�������sqY����������#��php-saml/src/Saml2/AuthnRequest.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; /** * SAML 2 Authentication Request */ class AuthnRequest { /** * Object that represents the setting info * * @var Settings */ protected $_settings; /** * SAML AuthNRequest string * * @var string */ private $_authnRequest; /** * SAML AuthNRequest ID. * * @var string */ private $_id; /** * Constructs the AuthnRequest object. * * @param Settings $settings SAML Toolkit Settings * @param bool $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true' * @param bool $isPassive When true the AuthNReuqest will set the Ispassive='true' * @param bool $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated */ public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = false, $isPassive = false, $setNameIdPolicy = true, $nameIdValueReq = null) { $this->_settings = $settings; $spData = $this->_settings->getSPData(); $idpData = $this->_settings->getIdPData(); $security = $this->_settings->getSecurityData(); $id = Utils::generateUniqueID(); $issueInstant = Utils::parseTime2SAML(time()); $subjectStr = ""; if (isset($nameIdValueReq)) { $subjectStr = <<<SUBJECT <saml:Subject> <saml:NameID Format="{$spData['NameIDFormat']}">{$nameIdValueReq}</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml:SubjectConfirmation> </saml:Subject> SUBJECT; } $nameIdPolicyStr = ''; if ($setNameIdPolicy) { $nameIDPolicyFormat = $spData['NameIDFormat']; if (isset($security['wantNameIdEncrypted']) && $security['wantNameIdEncrypted']) { $nameIDPolicyFormat = Constants::NAMEID_ENCRYPTED; } $nameIdPolicyStr = <<<NAMEIDPOLICY <samlp:NameIDPolicy Format="{$nameIDPolicyFormat}" AllowCreate="true" /> NAMEIDPOLICY; } $providerNameStr = ''; $organizationData = $settings->getOrganization(); if (!empty($organizationData)) { $langs = array_keys($organizationData); if (in_array('en-US', $langs)) { $lang = 'en-US'; } else { $lang = $langs[0]; } if (isset($organizationData[$lang]['displayname']) && !empty($organizationData[$lang]['displayname'])) { $providerNameStr = <<<PROVIDERNAME ProviderName="{$organizationData[$lang]['displayname']}" PROVIDERNAME; } } $forceAuthnStr = ''; if ($forceAuthn) { $forceAuthnStr = <<<FORCEAUTHN ForceAuthn="true" FORCEAUTHN; } $isPassiveStr = ''; if ($isPassive) { $isPassiveStr = <<<ISPASSIVE IsPassive="true" ISPASSIVE; } $requestedAuthnStr = ''; if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) { $authnComparison = 'exact'; if (isset($security['requestedAuthnContextComparison'])) { $authnComparison = $security['requestedAuthnContextComparison']; } $authnComparisonAttr = ''; if (!empty($authnComparison)) { $authnComparisonAttr = sprintf('Comparison="%s"', $authnComparison); } if ($security['requestedAuthnContext'] === true) { $requestedAuthnStr = <<<REQUESTEDAUTHN <samlp:RequestedAuthnContext $authnComparisonAttr> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </samlp:RequestedAuthnContext> REQUESTEDAUTHN; } else { $requestedAuthnStr .= " <samlp:RequestedAuthnContext $authnComparisonAttr>\n"; foreach ($security['requestedAuthnContext'] as $contextValue) { $requestedAuthnStr .= " <saml:AuthnContextClassRef>".$contextValue."</saml:AuthnContextClassRef>\n"; } $requestedAuthnStr .= ' </samlp:RequestedAuthnContext>'; } } $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); $acsUrl = htmlspecialchars($spData['assertionConsumerService']['url'], ENT_QUOTES); $request = <<<AUTHNREQUEST <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="$id" Version="2.0" {$providerNameStr}{$forceAuthnStr}{$isPassiveStr} IssueInstant="$issueInstant" Destination="{$idpData['singleSignOnService']['url']}" ProtocolBinding="{$spData['assertionConsumerService']['binding']}" AssertionConsumerServiceURL="{$acsUrl}"> <saml:Issuer>{$spEntityId}</saml:Issuer>{$subjectStr}{$nameIdPolicyStr}{$requestedAuthnStr} </samlp:AuthnRequest> AUTHNREQUEST; $this->_id = $id; $this->_authnRequest = $request; } /** * Returns deflated, base64 encoded, unsigned AuthnRequest. * * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it. * * @return string */ public function getRequest($deflate = null) { $subject = $this->_authnRequest; if (is_null($deflate)) { $deflate = $this->_settings->shouldCompressRequests(); } if ($deflate) { $subject = gzdeflate($this->_authnRequest); } $base64Request = base64_encode($subject); return $base64Request; } /** * Returns the AuthNRequest ID. * * @return string */ public function getId() { return $this->_id; } /** * Returns the XML that will be sent as part of the request * * @return string */ public function getXML() { return $this->_authnRequest; } } PK�������sqY�ԎjRe��Re����php-saml/src/Saml2/Auth.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use Exception; /** * Main class of OneLogin's PHP Toolkit */ class Auth { /** * Settings data. * * @var Settings */ private $_settings; /** * User attributes data. * * @var array */ private $_attributes = array(); /** * User attributes data with FriendlyName index. * * @var array */ private $_attributesWithFriendlyName = array(); /** * NameID * * @var string */ private $_nameid; /** * NameID Format * * @var string */ private $_nameidFormat; /** * NameID NameQualifier * * @var string */ private $_nameidNameQualifier; /** * NameID SP NameQualifier * * @var string */ private $_nameidSPNameQualifier; /** * If user is authenticated. * * @var bool */ private $_authenticated = false; /** * SessionIndex. When the user is logged, this stored it * from the AuthnStatement of the SAML Response * * @var string */ private $_sessionIndex; /** * SessionNotOnOrAfter. When the user is logged, this stored it * from the AuthnStatement of the SAML Response * * @var int|null */ private $_sessionExpiration; /** * The ID of the last message processed * * @var string */ private $_lastMessageId; /** * The ID of the last assertion processed * * @var string */ private $_lastAssertionId; /** * The NotOnOrAfter value of the valid SubjectConfirmationData * node (if any) of the last assertion processed * * @var int */ private $_lastAssertionNotOnOrAfter; /** * If any error. * * @var array */ private $_errors = array(); /** * Last error object. * * @var Error|null */ private $_lastErrorException; /** * Last error. * * @var string|null */ private $_lastError; /** * Last AuthNRequest ID or LogoutRequest ID generated by this Service Provider * * @var string */ private $_lastRequestID; /** * The most recently-constructed/processed XML SAML request * (AuthNRequest, LogoutRequest) * * @var string */ private $_lastRequest; /** * The most recently-constructed/processed XML SAML response * (SAMLResponse, LogoutResponse). If the SAMLResponse was * encrypted, by default tries to return the decrypted XML * * @var string|\DomDocument|null */ private $_lastResponse; /** * Initializes the SP SAML instance. * * @param array|null $settings Setting data * * @throws Exception * @throws Error */ public function __construct(array $settings = null) { $this->_settings = new Settings($settings); } /** * Returns the settings info * * @return Settings The settings data. */ public function getSettings() { return $this->_settings; } /** * Set the strict mode active/disable * * @param bool $value Strict parameter * * @throws Error */ public function setStrict($value) { if (!is_bool($value)) { throw new Error( 'Invalid value passed to setStrict()', Error::SETTINGS_INVALID_SYNTAX ); } $this->_settings->setStrict($value); } /** * Process the SAML Response sent by the IdP. * * @param string|null $requestId The ID of the AuthNRequest sent by this SP to the IdP * * @throws Error * @throws ValidationError */ public function processResponse($requestId = null) { $this->_errors = array(); $this->_lastError = $this->_lastErrorException = null; if (isset($_POST['SAMLResponse'])) { // AuthnResponse -- HTTP_POST Binding $response = new Response($this->_settings, $_POST['SAMLResponse']); $this->_lastResponse = $response->getXMLDocument(); if ($response->isValid($requestId)) { $this->_attributes = $response->getAttributes(); $this->_attributesWithFriendlyName = $response->getAttributesWithFriendlyName(); $this->_nameid = $response->getNameId(); $this->_nameidFormat = $response->getNameIdFormat(); $this->_nameidNameQualifier = $response->getNameIdNameQualifier(); $this->_nameidSPNameQualifier = $response->getNameIdSPNameQualifier(); $this->_authenticated = true; $this->_sessionIndex = $response->getSessionIndex(); $this->_sessionExpiration = $response->getSessionNotOnOrAfter(); $this->_lastMessageId = $response->getId(); $this->_lastAssertionId = $response->getAssertionId(); $this->_lastAssertionNotOnOrAfter = $response->getAssertionNotOnOrAfter(); } else { $this->_errors[] = 'invalid_response'; $this->_lastErrorException = $response->getErrorException(); $this->_lastError = $response->getError(); } } else { $this->_errors[] = 'invalid_binding'; throw new Error( 'SAML Response not found, Only supported HTTP_POST Binding', Error::SAML_RESPONSE_NOT_FOUND ); } } /** * Process the SAML Logout Response / Logout Request sent by the IdP. * * @param bool $keepLocalSession When false will destroy the local session, otherwise will keep it * @param string|null $requestId The ID of the LogoutRequest sent by this SP to the IdP * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature * @param callable $cbDeleteSession Callback to be executed to delete session * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null * * @throws Error */ public function processSLO($keepLocalSession = false, $requestId = null, $retrieveParametersFromServer = false, $cbDeleteSession = null, $stay = false) { $this->_errors = array(); $this->_lastError = $this->_lastErrorException = null; if (isset($_GET['SAMLResponse'])) { $logoutResponse = new LogoutResponse($this->_settings, $_GET['SAMLResponse']); $this->_lastResponse = $logoutResponse->getXML(); if (!$logoutResponse->isValid($requestId, $retrieveParametersFromServer)) { $this->_errors[] = 'invalid_logout_response'; $this->_lastErrorException = $logoutResponse->getErrorException(); $this->_lastError = $logoutResponse->getError(); } else if ($logoutResponse->getStatus() !== Constants::STATUS_SUCCESS) { $this->_errors[] = 'logout_not_success'; } else { $this->_lastMessageId = $logoutResponse->id; if (!$keepLocalSession) { if ($cbDeleteSession === null) { Utils::deleteLocalSession(); } else { call_user_func($cbDeleteSession); } } } } else if (isset($_GET['SAMLRequest'])) { $logoutRequest = new LogoutRequest($this->_settings, $_GET['SAMLRequest']); $this->_lastRequest = $logoutRequest->getXML(); if (!$logoutRequest->isValid($retrieveParametersFromServer)) { $this->_errors[] = 'invalid_logout_request'; $this->_lastErrorException = $logoutRequest->getErrorException(); $this->_lastError = $logoutRequest->getError(); } else { if (!$keepLocalSession) { if ($cbDeleteSession === null) { Utils::deleteLocalSession(); } else { call_user_func($cbDeleteSession); } } $inResponseTo = $logoutRequest->id; $this->_lastMessageId = $logoutRequest->id; $responseBuilder = new LogoutResponse($this->_settings); $responseBuilder->build($inResponseTo); $this->_lastResponse = $responseBuilder->getXML(); $logoutResponse = $responseBuilder->getResponse(); $parameters = array('SAMLResponse' => $logoutResponse); if (isset($_GET['RelayState'])) { $parameters['RelayState'] = $_GET['RelayState']; } $security = $this->_settings->getSecurityData(); if (isset($security['logoutResponseSigned']) && $security['logoutResponseSigned']) { $signature = $this->buildResponseSignature($logoutResponse, isset($parameters['RelayState'])? $parameters['RelayState']: null, $security['signatureAlgorithm']); $parameters['SigAlg'] = $security['signatureAlgorithm']; $parameters['Signature'] = $signature; } return $this->redirectTo($this->getSLOResponseUrl(), $parameters, $stay); } } else { $this->_errors[] = 'invalid_binding'; throw new Error( 'SAML LogoutRequest/LogoutResponse not found. Only supported HTTP_REDIRECT Binding', Error::SAML_LOGOUTMESSAGE_NOT_FOUND ); } } /** * Redirects the user to the url past by parameter * or to the url that we defined in our SSO Request. * * @param string $url The target URL to redirect the user. * @param array $parameters Extra parameters to be passed as part of the url * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null */ public function redirectTo($url = '', array $parameters = array(), $stay = false) { assert(is_string($url)); if (empty($url) && isset($_REQUEST['RelayState'])) { $url = $_REQUEST['RelayState']; } return Utils::redirect($url, $parameters, $stay); } /** * Checks if the user is authenticated or not. * * @return bool True if the user is authenticated */ public function isAuthenticated() { return $this->_authenticated; } /** * Returns the set of SAML attributes. * * @return array Attributes of the user. */ public function getAttributes() { return $this->_attributes; } /** * Returns the set of SAML attributes indexed by FriendlyName * * @return array Attributes of the user. */ public function getAttributesWithFriendlyName() { return $this->_attributesWithFriendlyName; } /** * Returns the nameID * * @return string The nameID of the assertion */ public function getNameId() { return $this->_nameid; } /** * Returns the nameID Format * * @return string The nameID Format of the assertion */ public function getNameIdFormat() { return $this->_nameidFormat; } /** * Returns the nameID NameQualifier * * @return string The nameID NameQualifier of the assertion */ public function getNameIdNameQualifier() { return $this->_nameidNameQualifier; } /** * Returns the nameID SP NameQualifier * * @return string The nameID SP NameQualifier of the assertion */ public function getNameIdSPNameQualifier() { return $this->_nameidSPNameQualifier; } /** * Returns the SessionIndex * * @return string|null The SessionIndex of the assertion */ public function getSessionIndex() { return $this->_sessionIndex; } /** * Returns the SessionNotOnOrAfter * * @return int|null The SessionNotOnOrAfter of the assertion */ public function getSessionExpiration() { return $this->_sessionExpiration; } /** * Returns if there were any error * * @return array Errors */ public function getErrors() { return $this->_errors; } /** * Returns the reason for the last error * * @return string|null Error reason */ public function getLastErrorReason() { return $this->_lastError; } /** * Returns the last error * * @return Exception|null Error */ public function getLastErrorException() { return $this->_lastErrorException; } /** * Returns the requested SAML attribute * * @param string $name The requested attribute of the user. * * @return array|null Requested SAML attribute ($name). */ public function getAttribute($name) { assert(is_string($name)); $value = null; if (isset($this->_attributes[$name])) { return $this->_attributes[$name]; } return $value; } /** * Returns the requested SAML attribute indexed by FriendlyName * * @param string $friendlyName The requested attribute of the user. * * @return array|null Requested SAML attribute ($friendlyName). */ public function getAttributeWithFriendlyName($friendlyName) { assert(is_string($friendlyName)); $value = null; if (isset($this->_attributesWithFriendlyName[$friendlyName])) { return $this->_attributesWithFriendlyName[$friendlyName]; } return $value; } /** * Initiates the SSO process. * * @param string|null $returnTo The target URL the user should be returned to after login. * @param array $parameters Extra parameters to be added to the GET * @param bool $forceAuthn When true the AuthNRequest will set the ForceAuthn='true' * @param bool $isPassive When true the AuthNRequest will set the Ispassive='true' * @param bool $stay True if we want to stay (returns the url string) False to redirect * @param bool $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters * * @throws Error */ public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true, $nameIdValueReq = null) { $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq); $this->_lastRequest = $authnRequest->getXML(); $this->_lastRequestID = $authnRequest->getId(); $samlRequest = $authnRequest->getRequest(); $parameters['SAMLRequest'] = $samlRequest; if (!empty($returnTo)) { $parameters['RelayState'] = $returnTo; } else { $parameters['RelayState'] = Utils::getSelfRoutedURLNoQuery(); } $security = $this->_settings->getSecurityData(); if (isset($security['authnRequestsSigned']) && $security['authnRequestsSigned']) { $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState'], $security['signatureAlgorithm']); $parameters['SigAlg'] = $security['signatureAlgorithm']; $parameters['Signature'] = $signature; } return $this->redirectTo($this->getSSOurl(), $parameters, $stay); } /** * Initiates the SLO process. * * @param string|null $returnTo The target URL the user should be returned to after logout. * @param array $parameters Extra parameters to be added to the GET * @param string|null $nameId The NameID that will be set in the LogoutRequest. * @param string|null $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process). * @param bool $stay True if we want to stay (returns the url string) False to redirect * @param string|null $nameIdFormat The NameID Format will be set in the LogoutRequest. * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest. * * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters * * @throws Error */ public function logout($returnTo = null, array $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null, $nameIdNameQualifier = null, $nameIdSPNameQualifier = null) { $sloUrl = $this->getSLOurl(); if (empty($sloUrl)) { throw new Error( 'The IdP does not support Single Log Out', Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED ); } if (empty($nameId) && !empty($this->_nameid)) { $nameId = $this->_nameid; } if (empty($nameIdFormat) && !empty($this->_nameidFormat)) { $nameIdFormat = $this->_nameidFormat; } $logoutRequest = new LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier, $nameIdSPNameQualifier); $this->_lastRequest = $logoutRequest->getXML(); $this->_lastRequestID = $logoutRequest->id; $samlRequest = $logoutRequest->getRequest(); $parameters['SAMLRequest'] = $samlRequest; if (!empty($returnTo)) { $parameters['RelayState'] = $returnTo; } else { $parameters['RelayState'] = Utils::getSelfRoutedURLNoQuery(); } $security = $this->_settings->getSecurityData(); if (isset($security['logoutRequestSigned']) && $security['logoutRequestSigned']) { $signature = $this->buildRequestSignature($samlRequest, $parameters['RelayState'], $security['signatureAlgorithm']); $parameters['SigAlg'] = $security['signatureAlgorithm']; $parameters['Signature'] = $signature; } return $this->redirectTo($sloUrl, $parameters, $stay); } /** * Gets the SSO url. * * @return string The url of the Single Sign On Service */ public function getSSOurl() { $idpData = $this->_settings->getIdPData(); return $idpData['singleSignOnService']['url']; } /** * Gets the SLO url. * * @return string|null The url of the Single Logout Service */ public function getSLOurl() { $url = null; $idpData = $this->_settings->getIdPData(); if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) { $url = $idpData['singleLogoutService']['url']; } return $url; } /** * Gets the SLO response url. * * @return string|null The response url of the Single Logout Service */ public function getSLOResponseUrl() { $idpData = $this->_settings->getIdPData(); if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['responseUrl'])) { return $idpData['singleLogoutService']['responseUrl']; } return $this->getSLOurl(); } /** * Gets the ID of the last AuthNRequest or LogoutRequest generated by the Service Provider. * * @return string The ID of the Request SAML message. */ public function getLastRequestID() { return $this->_lastRequestID; } /** * Creates an AuthnRequest * * @param Settings $settings Setting data * @param bool $forceAuthn When true the AuthNRequest will set the ForceAuthn='true' * @param bool $isPassive When true the AuthNRequest will set the Ispassive='true' * @param bool $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated * * @return AuthnRequest The AuthnRequest object */ public function buildAuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq = null) { return new AuthnRequest($settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq); } /** * Generates the Signature for a SAML Request * * @param string $samlRequest The SAML Request * @param string $relayState The RelayState * @param string $signAlgorithm Signature algorithm method * * @return string A base64 encoded signature * * @throws Exception * @throws Error */ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256) { return $this->buildMessageSignature($samlRequest, $relayState, $signAlgorithm, "SAMLRequest"); } /** * Generates the Signature for a SAML Response * * @param string $samlResponse The SAML Response * @param string $relayState The RelayState * @param string $signAlgorithm Signature algorithm method * * @return string A base64 encoded signature * * @throws Exception * @throws Error */ public function buildResponseSignature($samlResponse, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256) { return $this->buildMessageSignature($samlResponse, $relayState, $signAlgorithm, "SAMLResponse"); } /** * Generates the Signature for a SAML Message * * @param string $samlMessage The SAML Message * @param string $relayState The RelayState * @param string $signAlgorithm Signature algorithm method * @param string $type "SAMLRequest" or "SAMLResponse" * * @return string A base64 encoded signature * * @throws Exception * @throws Error */ private function buildMessageSignature($samlMessage, $relayState, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $type = "SAMLRequest") { $key = $this->_settings->getSPkey(); if (empty($key)) { if ($type == "SAMLRequest") { $errorMsg = "Trying to sign the SAML Request but can't load the SP private key"; } else { $errorMsg = "Trying to sign the SAML Response but can't load the SP private key"; } throw new Error($errorMsg, Error::PRIVATE_KEY_NOT_FOUND); } $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private')); $objKey->loadKey($key, false); $security = $this->_settings->getSecurityData(); if ($security['lowercaseUrlencoding']) { $msg = $type.'='.rawurlencode($samlMessage); if (isset($relayState)) { $msg .= '&RelayState='.rawurlencode($relayState); } $msg .= '&SigAlg=' . rawurlencode($signAlgorithm); } else { $msg = $type.'='.urlencode($samlMessage); if (isset($relayState)) { $msg .= '&RelayState='.urlencode($relayState); } $msg .= '&SigAlg=' . urlencode($signAlgorithm); } $signature = $objKey->signData($msg); return base64_encode($signature); } /** * @return string The ID of the last message processed */ public function getLastMessageId() { return $this->_lastMessageId; } /** * @return string The ID of the last assertion processed */ public function getLastAssertionId() { return $this->_lastAssertionId; } /** * @return int The NotOnOrAfter value of the valid * SubjectConfirmationData node (if any) * of the last assertion processed */ public function getLastAssertionNotOnOrAfter() { return $this->_lastAssertionNotOnOrAfter; } /** * Returns the most recently-constructed/processed * XML SAML request (AuthNRequest, LogoutRequest) * * @return string|null The Request XML */ public function getLastRequestXML() { return $this->_lastRequest; } /** * Returns the most recently-constructed/processed * XML SAML response (SAMLResponse, LogoutResponse). * If the SAMLResponse was encrypted, by default tries * to return the decrypted XML. * * @return string|null The Response XML */ public function getLastResponseXML() { $response = null; if (isset($this->_lastResponse)) { if (is_string($this->_lastResponse)) { $response = $this->_lastResponse; } else { $response = $this->_lastResponse->saveXML(); } } return $response; } } PK�������sqYq��B�,���,��(��php-saml/src/Saml2/IdPMetadataParser.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use DOMDocument; use Exception; /** * IdP Metadata Parser of OneLogin PHP Toolkit */ class IdPMetadataParser { /** * Get IdP Metadata Info from URL * * @param string $url URL where the IdP metadata is published * @param string $entityId Entity Id of the desired IdP, if no * entity Id is provided and the XML * metadata contains more than one * IDPSSODescriptor, the first is returned * @param string $desiredNameIdFormat If available on IdP metadata, use that nameIdFormat * @param string $desiredSSOBinding Parse specific binding SSO endpoint * @param string $desiredSLOBinding Parse specific binding SLO endpoint * * @return array metadata info in php-saml settings format */ public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT) { $metadataInfo = array(); try { $ch = curl_init($url); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_FAILONERROR, 1); $xml = curl_exec($ch); if ($xml !== false) { $metadataInfo = self::parseXML($xml, $entityId, $desiredNameIdFormat, $desiredSSOBinding, $desiredSLOBinding); } else { throw new Exception(curl_error($ch), curl_errno($ch)); } } catch (Exception $e) { throw new Exception('Error on parseRemoteXML. '.$e->getMessage()); } return $metadataInfo; } /** * Get IdP Metadata Info from File * * @param string $filepath File path * @param string $entityId Entity Id of the desired IdP, if no * entity Id is provided and the XML * metadata contains more than one * IDPSSODescriptor, the first is returned * @param string $desiredNameIdFormat If available on IdP metadata, use that nameIdFormat * @param string $desiredSSOBinding Parse specific binding SSO endpoint * @param string $desiredSLOBinding Parse specific binding SLO endpoint * * @return array metadata info in php-saml settings format */ public static function parseFileXML($filepath, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT) { $metadataInfo = array(); try { if (file_exists($filepath)) { $data = file_get_contents($filepath); $metadataInfo = self::parseXML($data, $entityId, $desiredNameIdFormat, $desiredSSOBinding, $desiredSLOBinding); } } catch (Exception $e) { throw new Exception('Error on parseFileXML. '.$e->getMessage()); } return $metadataInfo; } /** * Get IdP Metadata Info from URL * * @param string $xml XML that contains IdP metadata * @param string $entityId Entity Id of the desired IdP, if no * entity Id is provided and the XML * metadata contains more than one * IDPSSODescriptor, the first is returned * @param string $desiredNameIdFormat If available on IdP metadata, use that nameIdFormat * @param string $desiredSSOBinding Parse specific binding SSO endpoint * @param string $desiredSLOBinding Parse specific binding SLO endpoint * * @return array metadata info in php-saml settings format * * @throws Exception */ public static function parseXML($xml, $entityId = null, $desiredNameIdFormat = null, $desiredSSOBinding = Constants::BINDING_HTTP_REDIRECT, $desiredSLOBinding = Constants::BINDING_HTTP_REDIRECT) { $metadataInfo = array(); $dom = new DOMDocument(); $dom->preserveWhiteSpace = false; $dom->formatOutput = true; try { $dom = Utils::loadXML($dom, $xml); if (!$dom) { throw new Exception('Error parsing metadata'); } $customIdPStr = ''; if (!empty($entityId)) { $customIdPStr = '[@entityID="' . $entityId . '"]'; } $idpDescryptorXPath = '//md:EntityDescriptor' . $customIdPStr . '/md:IDPSSODescriptor'; $idpDescriptorNodes = Utils::query($dom, $idpDescryptorXPath); if (isset($idpDescriptorNodes) && $idpDescriptorNodes->length > 0) { $metadataInfo['idp'] = array(); $idpDescriptor = $idpDescriptorNodes->item(0); if (empty($entityId) && $idpDescriptor->parentNode->hasAttribute('entityID')) { $entityId = $idpDescriptor->parentNode->getAttribute('entityID'); } if (!empty($entityId)) { $metadataInfo['idp']['entityId'] = $entityId; } $ssoNodes = Utils::query($dom, './md:SingleSignOnService[@Binding="'.$desiredSSOBinding.'"]', $idpDescriptor); if ($ssoNodes->length < 1) { $ssoNodes = Utils::query($dom, './md:SingleSignOnService', $idpDescriptor); } if ($ssoNodes->length > 0) { $metadataInfo['idp']['singleSignOnService'] = array( 'url' => $ssoNodes->item(0)->getAttribute('Location'), 'binding' => $ssoNodes->item(0)->getAttribute('Binding') ); } $sloNodes = Utils::query($dom, './md:SingleLogoutService[@Binding="'.$desiredSLOBinding.'"]', $idpDescriptor); if ($sloNodes->length < 1) { $sloNodes = Utils::query($dom, './md:SingleLogoutService', $idpDescriptor); } if ($sloNodes->length > 0) { $metadataInfo['idp']['singleLogoutService'] = array( 'url' => $sloNodes->item(0)->getAttribute('Location'), 'responseUrl' => $sloNodes->item(0)->getAttribute('ResponseLocation'), 'binding' => $sloNodes->item(0)->getAttribute('Binding') ); } $keyDescriptorCertSigningNodes = Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "encryption"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor); $keyDescriptorCertEncryptionNodes = Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "signing"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor); if (!empty($keyDescriptorCertSigningNodes) || !empty($keyDescriptorCertEncryptionNodes)) { $metadataInfo['idp']['x509certMulti'] = array(); if (!empty($keyDescriptorCertSigningNodes)) { $idpInfo['x509certMulti']['signing'] = array(); foreach ($keyDescriptorCertSigningNodes as $keyDescriptorCertSigningNode) { $metadataInfo['idp']['x509certMulti']['signing'][] = Utils::formatCert($keyDescriptorCertSigningNode->nodeValue, false); } } if (!empty($keyDescriptorCertEncryptionNodes)) { $idpInfo['x509certMulti']['encryption'] = array(); foreach ($keyDescriptorCertEncryptionNodes as $keyDescriptorCertEncryptionNode) { $metadataInfo['idp']['x509certMulti']['encryption'][] = Utils::formatCert($keyDescriptorCertEncryptionNode->nodeValue, false); } } $idpCertdata = $metadataInfo['idp']['x509certMulti']; if ((count($idpCertdata) == 1 and ((isset($idpCertdata['signing']) and count($idpCertdata['signing']) == 1) or (isset($idpCertdata['encryption']) and count($idpCertdata['encryption']) == 1))) or ((isset($idpCertdata['signing']) && count($idpCertdata['signing']) == 1) && isset($idpCertdata['encryption']) && count($idpCertdata['encryption']) == 1 && strcmp($idpCertdata['signing'][0], $idpCertdata['encryption'][0]) == 0)) { if (isset($metadataInfo['idp']['x509certMulti']['signing'][0])) { $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['signing'][0]; } else { $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['encryption'][0]; } unset($metadataInfo['idp']['x509certMulti']); } } $nameIdFormatNodes = Utils::query($dom, './md:NameIDFormat', $idpDescriptor); if ($nameIdFormatNodes->length > 0) { $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNodes->item(0)->nodeValue; if (!empty($desiredNameIdFormat)) { foreach ($nameIdFormatNodes as $nameIdFormatNode) { if (strcmp($nameIdFormatNode->nodeValue, $desiredNameIdFormat) == 0) { $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNode->nodeValue; break; } } } } } } catch (Exception $e) { throw new Exception('Error parsing metadata. '.$e->getMessage()); } return $metadataInfo; } /** * Inject metadata info into php-saml settings array * * @param array $settings php-saml settings array * @param array $metadataInfo array metadata info * * @return array settings */ public static function injectIntoSettings($settings, $metadataInfo) { if (isset($metadataInfo['idp']) && isset($settings['idp'])) { if (isset($metadataInfo['idp']['x509certMulti']) && !empty($metadataInfo['idp']['x509certMulti']) && isset($settings['idp']['x509cert'])) { unset($settings['idp']['x509cert']); } if (isset($metadataInfo['idp']['x509cert']) && !empty($metadataInfo['idp']['x509cert']) && isset($settings['idp']['x509certMulti'])) { unset($settings['idp']['x509certMulti']); } } return array_replace_recursive($settings, $metadataInfo); } } PK�������sqY"�/�����������php-saml/src/Saml2/Utils.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use RobRichards\XMLSecLibs\XMLSecurityDSig; use RobRichards\XMLSecLibs\XMLSecEnc; use DOMDocument; use DOMElement; use DOMNodeList; use DomNode; use DOMXPath; use Exception; /** * Utils of OneLogin PHP Toolkit * * Defines several often used methods */ class Utils { const RESPONSE_SIGNATURE_XPATH = "/samlp:Response/ds:Signature"; const ASSERTION_SIGNATURE_XPATH = "/samlp:Response/saml:Assertion/ds:Signature"; /** * @var bool Control if the `Forwarded-For-*` headers are used */ private static $_proxyVars = false; /** * @var string|null */ private static $_host; /** * @var string|null */ private static $_protocol; /** * @var string */ private static $_protocolRegex = '@^https?://@i'; /** * @var int|null */ private static $_port; /** * @var string|null */ private static $_baseurlpath; /** * This function load an XML string in a save way. * Prevent XEE/XXE Attacks * * @param DOMDocument $dom The document where load the xml. * @param string $xml The XML string to be loaded. * * @return DOMDocument|false $dom The result of load the XML at the DOMDocument * * @throws Exception */ public static function loadXML(DOMDocument $dom, $xml) { assert($dom instanceof DOMDocument); assert(is_string($xml)); $oldEntityLoader = libxml_disable_entity_loader(true); $res = $dom->loadXML($xml); libxml_disable_entity_loader($oldEntityLoader); foreach ($dom->childNodes as $child) { if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { throw new Exception( 'Detected use of DOCTYPE/ENTITY in XML, disabled to prevent XXE/XEE attacks' ); } } if (!$res) { return false; } else { return $dom; } } /** * This function attempts to validate an XML string against the specified schema. * * It will parse the string into a DOMDocument and validate this document against the schema. * * @param string|DOMDocument $xml The XML string or document which should be validated. * @param string $schema The schema filename which should be used. * @param bool $debug To disable/enable the debug mode * * @return string|DOMDocument $dom string that explains the problem or the DOMDocument * * @throws Exception */ public static function validateXML($xml, $schema, $debug = false) { assert(is_string($xml) || $xml instanceof DOMDocument); assert(is_string($schema)); libxml_clear_errors(); libxml_use_internal_errors(true); if ($xml instanceof DOMDocument) { $dom = $xml; } else { $dom = new DOMDocument; $dom = self::loadXML($dom, $xml); if (!$dom) { return 'unloaded_xml'; } } $schemaFile = __DIR__ . '/schemas/' . $schema; $oldEntityLoader = libxml_disable_entity_loader(false); $res = $dom->schemaValidate($schemaFile); libxml_disable_entity_loader($oldEntityLoader); if (!$res) { $xmlErrors = libxml_get_errors(); syslog(LOG_INFO, 'Error validating the metadata: '.var_export($xmlErrors, true)); if ($debug) { foreach ($xmlErrors as $error) { echo htmlentities($error->message)."\n"; } } return 'invalid_xml'; } return $dom; } /** * Import a node tree into a target document * Copy it before a reference node as a sibling * and at the end of the copy remove * the reference node in the target document * As it were 'replacing' it * Leaving nested default namespaces alone * (Standard importNode with deep copy * mangles nested default namespaces) * * The reference node must not be a DomDocument * It CAN be the top element of a document * Returns the copied node in the target document * * @param DomNode $targetNode * @param DomNode $sourceNode * @param bool $recurse * @return DOMNode * @throws Exception */ public static function treeCopyReplace(DomNode $targetNode, DomNode $sourceNode, $recurse = false) { if ($targetNode->parentNode === null) { throw new Exception('Illegal argument targetNode. It has no parentNode.'); } $clonedNode = $targetNode->ownerDocument->importNode($sourceNode, false); if ($recurse) { $resultNode = $targetNode->appendChild($clonedNode); } else { $resultNode = $targetNode->parentNode->insertBefore($clonedNode, $targetNode); } if ($sourceNode->childNodes !== null) { foreach ($sourceNode->childNodes as $child) { self::treeCopyReplace($resultNode, $child, true); } } if (!$recurse) { $targetNode->parentNode->removeChild($targetNode); } return $resultNode; } /** * Returns a x509 cert (adding header & footer if required). * * @param string $cert A x509 unformated cert * @param bool $heads True if we want to include head and footer * * @return string $x509 Formatted cert */ public static function formatCert($cert, $heads = true) { $x509cert = str_replace(array("\x0D", "\r", "\n"), "", $cert); if (!empty($x509cert)) { $x509cert = str_replace('-----BEGIN CERTIFICATE-----', "", $x509cert); $x509cert = str_replace('-----END CERTIFICATE-----', "", $x509cert); $x509cert = str_replace(' ', '', $x509cert); if ($heads) { $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n"; } } return $x509cert; } /** * Returns a private key (adding header & footer if required). * * @param string $key A private key * @param bool $heads True if we want to include head and footer * * @return string $rsaKey Formatted private key */ public static function formatPrivateKey($key, $heads = true) { $key = str_replace(array("\x0D", "\r", "\n"), "", $key); if (!empty($key)) { if (strpos($key, '-----BEGIN PRIVATE KEY-----') !== false) { $key = Utils::getStringBetween($key, '-----BEGIN PRIVATE KEY-----', '-----END PRIVATE KEY-----'); $key = str_replace(' ', '', $key); if ($heads) { $key = "-----BEGIN PRIVATE KEY-----\n".chunk_split($key, 64, "\n")."-----END PRIVATE KEY-----\n"; } } else if (strpos($key, '-----BEGIN RSA PRIVATE KEY-----') !== false) { $key = Utils::getStringBetween($key, '-----BEGIN RSA PRIVATE KEY-----', '-----END RSA PRIVATE KEY-----'); $key = str_replace(' ', '', $key); if ($heads) { $key = "-----BEGIN RSA PRIVATE KEY-----\n".chunk_split($key, 64, "\n")."-----END RSA PRIVATE KEY-----\n"; } } else { $key = str_replace(' ', '', $key); if ($heads) { $key = "-----BEGIN RSA PRIVATE KEY-----\n".chunk_split($key, 64, "\n")."-----END RSA PRIVATE KEY-----\n"; } } } return $key; } /** * Extracts a substring between 2 marks * * @param string $str The target string * @param string $start The initial mark * @param string $end The end mark * * @return string A substring or an empty string if is not able to find the marks * or if there is no string between the marks */ public static function getStringBetween($str, $start, $end) { $str = ' ' . $str; $ini = strpos($str, $start); if ($ini == 0) { return ''; } $ini += strlen($start); $len = strpos($str, $end, $ini) - $ini; return substr($str, $ini, $len); } /** * Executes a redirection to the provided url (or return the target url). * * @param string $url The target url * @param array $parameters Extra parameters to be passed as part of the url * @param bool $stay True if we want to stay (returns the url string) False to redirect * * @return string|null $url * * @throws Error */ public static function redirect($url, array $parameters = array(), $stay = false) { assert(is_string($url)); if (substr($url, 0, 1) === '/') { $url = self::getSelfURLhost() . $url; } /** * Verify that the URL matches the regex for the protocol. * By default this will check for http and https */ $wrongProtocol = !preg_match(self::$_protocolRegex, $url); $url = filter_var($url, FILTER_VALIDATE_URL); if ($wrongProtocol || empty($url)) { throw new Error( 'Redirect to invalid URL: ' . $url, Error::REDIRECT_INVALID_URL ); } /* Add encoded parameters */ if (strpos($url, '?') === false) { $paramPrefix = '?'; } else { $paramPrefix = '&'; } foreach ($parameters as $name => $value) { if ($value === null) { $param = urlencode($name); } else if (is_array($value)) { $param = ""; foreach ($value as $val) { $param .= urlencode($name) . "[]=" . urlencode($val). '&'; } if (!empty($param)) { $param = substr($param, 0, -1); } } else { $param = urlencode($name) . '=' . urlencode($value); } if (!empty($param)) { $url .= $paramPrefix . $param; $paramPrefix = '&'; } } if ($stay) { return $url; } header('Pragma: no-cache'); header('Cache-Control: no-cache, must-revalidate'); header('Location: ' . $url); exit(); } /** * @param $protocolRegex string */ public static function setProtocolRegex($protocolRegex) { if (!empty($protocolRegex)) { self::$_protocolRegex = $protocolRegex; } } /** * Set the Base URL value. * * @param string $baseurl The base url to be used when constructing URLs */ public static function setBaseURL($baseurl) { if (!empty($baseurl)) { $baseurlpath = '/'; $matches = array(); if (preg_match('#^https?://([^/]*)/?(.*)#i', $baseurl, $matches)) { if (strpos($baseurl, 'https://') === false) { self::setSelfProtocol('http'); $port = '80'; } else { self::setSelfProtocol('https'); $port = '443'; } $currentHost = $matches[1]; if (false !== strpos($currentHost, ':')) { list($currentHost, $possiblePort) = explode(':', $matches[1], 2); if (is_numeric($possiblePort)) { $port = $possiblePort; } } if (isset($matches[2]) && !empty($matches[2])) { $baseurlpath = $matches[2]; } self::setSelfHost($currentHost); self::setSelfPort($port); self::setBaseURLPath($baseurlpath); } } else { self::$_host = null; self::$_protocol = null; self::$_port = null; self::$_baseurlpath = null; } } /** * @param bool $proxyVars Whether to use `X-Forwarded-*` headers to determine port/domain/protocol */ public static function setProxyVars($proxyVars) { self::$_proxyVars = (bool)$proxyVars; } /** * @return bool */ public static function getProxyVars() { return self::$_proxyVars; } /** * Returns the protocol + the current host + the port (if different than * common ports). * * @return string The URL */ public static function getSelfURLhost() { $currenthost = self::getSelfHost(); $port = ''; if (self::isHTTPS()) { $protocol = 'https'; } else { $protocol = 'http'; } $portnumber = self::getSelfPort(); if (isset($portnumber) && ($portnumber != '80') && ($portnumber != '443')) { $port = ':' . $portnumber; } return $protocol."://" . $currenthost . $port; } /** * @param string $host The host to use when constructing URLs */ public static function setSelfHost($host) { self::$_host = $host; } /** * @param string $baseurlpath The baseurl path to use when constructing URLs */ public static function setBaseURLPath($baseurlpath) { if (empty($baseurlpath)) { self::$_baseurlpath = null; } else if ($baseurlpath == '/') { self::$_baseurlpath = '/'; } else { self::$_baseurlpath = '/' . trim($baseurlpath, '/') . '/'; } } /** * @return string The baseurlpath to be used when constructing URLs */ public static function getBaseURLPath() { return self::$_baseurlpath; } /** * @return string The raw host name */ protected static function getRawHost() { if (self::$_host) { $currentHost = self::$_host; } elseif (self::getProxyVars() && array_key_exists('HTTP_X_FORWARDED_HOST', $_SERVER)) { $currentHost = $_SERVER['HTTP_X_FORWARDED_HOST']; } elseif (array_key_exists('HTTP_HOST', $_SERVER)) { $currentHost = $_SERVER['HTTP_HOST']; } elseif (array_key_exists('SERVER_NAME', $_SERVER)) { $currentHost = $_SERVER['SERVER_NAME']; } else { if (function_exists('gethostname')) { $currentHost = gethostname(); } else { $currentHost = php_uname("n"); } } return $currentHost; } /** * @param int $port The port number to use when constructing URLs */ public static function setSelfPort($port) { self::$_port = $port; } /** * @param string $protocol The protocol to identify as using, usually http or https */ public static function setSelfProtocol($protocol) { self::$_protocol = $protocol; } /** * @return string http|https */ public static function getSelfProtocol() { $protocol = 'http'; if (self::$_protocol) { $protocol = self::$_protocol; } elseif (self::getSelfPort() == 443) { $protocol = 'https'; } elseif (self::getProxyVars() && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) { $protocol = $_SERVER['HTTP_X_FORWARDED_PROTO']; } elseif (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') { $protocol = 'https'; } return $protocol; } /** * Returns the current host. * * @return string $currentHost The current host */ public static function getSelfHost() { $currentHost = self::getRawHost(); // strip the port if (false !== strpos($currentHost, ':')) { list($currentHost, $port) = explode(':', $currentHost, 2); } return $currentHost; } /** * @return null|string The port number used for the request */ public static function getSelfPort() { $portnumber = null; if (self::$_port) { $portnumber = self::$_port; } else if (self::getProxyVars() && isset($_SERVER["HTTP_X_FORWARDED_PORT"])) { $portnumber = $_SERVER["HTTP_X_FORWARDED_PORT"]; } else if (isset($_SERVER["SERVER_PORT"])) { $portnumber = $_SERVER["SERVER_PORT"]; } else { $currentHost = self::getRawHost(); // strip the port if (false !== strpos($currentHost, ':')) { list($currentHost, $port) = explode(':', $currentHost, 2); if (is_numeric($port)) { $portnumber = $port; } } } return $portnumber; } /** * Checks if https or http. * * @return bool $isHttps False if https is not active */ public static function isHTTPS() { return self::getSelfProtocol() == 'https'; } /** * Returns the URL of the current host + current view. * * @return string */ public static function getSelfURLNoQuery() { $selfURLNoQuery = self::getSelfURLhost(); $infoWithBaseURLPath = self::buildWithBaseURLPath($_SERVER['SCRIPT_NAME']); if (!empty($infoWithBaseURLPath)) { $selfURLNoQuery .= $infoWithBaseURLPath; } else { $selfURLNoQuery .= $_SERVER['SCRIPT_NAME']; } if (isset($_SERVER['PATH_INFO'])) { $selfURLNoQuery .= $_SERVER['PATH_INFO']; } return $selfURLNoQuery; } /** * Returns the routed URL of the current host + current view. * * @return string */ public static function getSelfRoutedURLNoQuery() { $selfURLhost = self::getSelfURLhost(); $route = ''; if (!empty($_SERVER['REQUEST_URI'])) { $route = $_SERVER['REQUEST_URI']; if (!empty($_SERVER['QUERY_STRING'])) { $route = str_replace($_SERVER['QUERY_STRING'], '', $route); if (substr($route, -1) == '?') { $route = substr($route, 0, -1); } } } $infoWithBaseURLPath = self::buildWithBaseURLPath($route); if (!empty($infoWithBaseURLPath)) { $route = $infoWithBaseURLPath; } $selfRoutedURLNoQuery = $selfURLhost . $route; return $selfRoutedURLNoQuery; } /** * Returns the URL of the current host + current view + query. * * @return string */ public static function getSelfURL() { $selfURLhost = self::getSelfURLhost(); $requestURI = ''; if (!empty($_SERVER['REQUEST_URI'])) { $requestURI = $_SERVER['REQUEST_URI']; $matches = array(); if ($requestURI[0] !== '/' && preg_match('#^https?://[^/]*(/.*)#i', $requestURI, $matches)) { $requestURI = $matches[1]; } } $infoWithBaseURLPath = self::buildWithBaseURLPath($requestURI); if (!empty($infoWithBaseURLPath)) { $requestURI = $infoWithBaseURLPath; } return $selfURLhost . $requestURI; } /** * Returns the part of the URL with the BaseURLPath. * * @param string $info Contains path info * * @return string */ protected static function buildWithBaseURLPath($info) { $result = ''; $baseURLPath = self::getBaseURLPath(); if (!empty($baseURLPath)) { $result = $baseURLPath; if (!empty($info)) { $path = explode('/', $info); $extractedInfo = array_pop($path); if (!empty($extractedInfo)) { $result .= $extractedInfo; } } } return $result; } /** * Extract a query param - as it was sent - from $_SERVER[QUERY_STRING] * * @param string $name The param to-be extracted * * @return string */ public static function extractOriginalQueryParam($name) { $index = strpos($_SERVER['QUERY_STRING'], $name.'='); $substring = substr($_SERVER['QUERY_STRING'], $index + strlen($name) + 1); $end = strpos($substring, '&'); return $end ? substr($substring, 0, strpos($substring, '&')) : $substring; } /** * Generates an unique string (used for example as ID for assertions). * * @return string A unique string */ public static function generateUniqueID() { return 'ONELOGIN_' . sha1(uniqid((string)mt_rand(), true)); } /** * Converts a UNIX timestamp to SAML2 timestamp on the form * yyyy-mm-ddThh:mm:ss(\.s+)?Z. * * @param string|int $time The time we should convert (DateTime). * * @return string $timestamp SAML2 timestamp. */ public static function parseTime2SAML($time) { $date = new \DateTime("@$time", new \DateTimeZone('UTC')); $timestamp = $date->format("Y-m-d\TH:i:s\Z"); return $timestamp; } /** * Converts a SAML2 timestamp on the form yyyy-mm-ddThh:mm:ss(\.s+)?Z * to a UNIX timestamp. The sub-second part is ignored. * * @param string $time The time we should convert (SAML Timestamp). * * @return int $timestamp Converted to a unix timestamp. * * @throws Exception */ public static function parseSAML2Time($time) { $matches = array(); /* We use a very strict regex to parse the timestamp. */ $exp1 = '/^(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)'; $exp2 = 'T(\\d\\d):(\\d\\d):(\\d\\d)(?:\\.\\d+)?Z$/D'; if (preg_match($exp1 . $exp2, $time, $matches) == 0) { throw new Exception( 'Invalid SAML2 timestamp passed to' . ' parseSAML2Time: ' . $time ); } /* Extract the different components of the time from the * matches in the regex. int cast will ignore leading zeroes * in the string. */ $year = (int) $matches[1]; $month = (int) $matches[2]; $day = (int) $matches[3]; $hour = (int) $matches[4]; $minute = (int) $matches[5]; $second = (int) $matches[6]; /* We use gmmktime because the timestamp will always be given * in UTC. */ $ts = gmmktime($hour, $minute, $second, $month, $day, $year); return $ts; } /** * Interprets a ISO8601 duration value relative to a given timestamp. * * @param string $duration The duration, as a string. * @param int|null $timestamp The unix timestamp we should apply the * duration to. Optional, default to the * current time. * * @return int The new timestamp, after the duration is applied. * * @throws Exception */ public static function parseDuration($duration, $timestamp = null) { assert(is_string($duration)); assert(is_null($timestamp) || is_int($timestamp)); $matches = array(); /* Parse the duration. We use a very strict pattern. */ $durationRegEx = '#^(-?)P(?:(?:(?:(\\d+)Y)?(?:(\\d+)M)?(?:(\\d+)D)?(?:T(?:(\\d+)H)?(?:(\\d+)M)?(?:(\\d+)S)?)?)|(?:(\\d+)W))$#D'; if (!preg_match($durationRegEx, $duration, $matches)) { throw new Exception('Invalid ISO 8601 duration: ' . $duration); } $durYears = (empty($matches[2]) ? 0 : (int)$matches[2]); $durMonths = (empty($matches[3]) ? 0 : (int)$matches[3]); $durDays = (empty($matches[4]) ? 0 : (int)$matches[4]); $durHours = (empty($matches[5]) ? 0 : (int)$matches[5]); $durMinutes = (empty($matches[6]) ? 0 : (int)$matches[6]); $durSeconds = (empty($matches[7]) ? 0 : (int)$matches[7]); $durWeeks = (empty($matches[8]) ? 0 : (int)$matches[8]); if (!empty($matches[1])) { /* Negative */ $durYears = -$durYears; $durMonths = -$durMonths; $durDays = -$durDays; $durHours = -$durHours; $durMinutes = -$durMinutes; $durSeconds = -$durSeconds; $durWeeks = -$durWeeks; } if ($timestamp === null) { $timestamp = time(); } if ($durYears !== 0 || $durMonths !== 0) { /* Special handling of months and years, since they aren't a specific interval, but * instead depend on the current time. */ /* We need the year and month from the timestamp. Unfortunately, PHP doesn't have the * gmtime function. Instead we use the gmdate function, and split the result. */ $yearmonth = explode(':', gmdate('Y:n', $timestamp)); $year = (int)$yearmonth[0]; $month = (int)$yearmonth[1]; /* Remove the year and month from the timestamp. */ $timestamp -= gmmktime(0, 0, 0, $month, 1, $year); /* Add years and months, and normalize the numbers afterwards. */ $year += $durYears; $month += $durMonths; while ($month > 12) { $year += 1; $month -= 12; } while ($month < 1) { $year -= 1; $month += 12; } /* Add year and month back into timestamp. */ $timestamp += gmmktime(0, 0, 0, $month, 1, $year); } /* Add the other elements. */ $timestamp += $durWeeks * 7 * 24 * 60 * 60; $timestamp += $durDays * 24 * 60 * 60; $timestamp += $durHours * 60 * 60; $timestamp += $durMinutes * 60; $timestamp += $durSeconds; return $timestamp; } /** * Compares 2 dates and returns the earliest. * * @param string|null $cacheDuration The duration, as a string. * @param string|int|null $validUntil The valid until date, as a string or as a timestamp * * @return int|null $expireTime The expiration time. * * @throws Exception */ public static function getExpireTime($cacheDuration = null, $validUntil = null) { $expireTime = null; if ($cacheDuration !== null) { $expireTime = self::parseDuration($cacheDuration, time()); } if ($validUntil !== null) { if (is_int($validUntil)) { $validUntilTime = $validUntil; } else { $validUntilTime = self::parseSAML2Time($validUntil); } if ($expireTime === null || $expireTime > $validUntilTime) { $expireTime = $validUntilTime; } } return $expireTime; } /** * Extracts nodes from the DOMDocument. * * @param DOMDocument $dom The DOMDocument * @param string $query \Xpath Expression * @param DOMElement|null $context Context Node (DOMElement) * * @return DOMNodeList The queried nodes */ public static function query(DOMDocument $dom, $query, DOMElement $context = null) { $xpath = new DOMXPath($dom); $xpath->registerNamespace('samlp', Constants::NS_SAMLP); $xpath->registerNamespace('saml', Constants::NS_SAML); $xpath->registerNamespace('ds', Constants::NS_DS); $xpath->registerNamespace('xenc', Constants::NS_XENC); $xpath->registerNamespace('xsi', Constants::NS_XSI); $xpath->registerNamespace('xs', Constants::NS_XS); $xpath->registerNamespace('md', Constants::NS_MD); if (isset($context)) { $res = $xpath->query($query, $context); } else { $res = $xpath->query($query); } return $res; } /** * Checks if the session is started or not. * * @return bool true if the sessíon is started */ public static function isSessionStarted() { if (PHP_VERSION_ID >= 50400) { return session_status() === PHP_SESSION_ACTIVE ? true : false; } else { return session_id() === '' ? false : true; } } /** * Deletes the local session. */ public static function deleteLocalSession() { if (Utils::isSessionStarted()) { session_destroy(); } unset($_SESSION); } /** * Calculates the fingerprint of a x509cert. * * @param string $x509cert x509 cert formatted * @param string $alg Algorithm to be used in order to calculate the fingerprint * * @return null|string Formatted fingerprint */ public static function calculateX509Fingerprint($x509cert, $alg = 'sha1') { assert(is_string($x509cert)); $arCert = explode("\n", $x509cert); $data = ''; $inData = false; foreach ($arCert as $curData) { if (! $inData) { if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) { $inData = true; } elseif ((strncmp($curData, '-----BEGIN PUBLIC KEY', 21) == 0) || (strncmp($curData, '-----BEGIN RSA PRIVATE KEY', 26) == 0)) { /* This isn't an X509 certificate. */ return null; } } else { if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) { break; } $data .= trim($curData); } } if (empty($data)) { return null; } $decodedData = base64_decode($data); switch ($alg) { case 'sha512': case 'sha384': case 'sha256': $fingerprint = hash($alg, $decodedData, false); break; case 'sha1': default: $fingerprint = strtolower(sha1($decodedData)); break; } return $fingerprint; } /** * Formates a fingerprint. * * @param string $fingerprint fingerprint * * @return string Formatted fingerprint */ public static function formatFingerPrint($fingerprint) { $formatedFingerprint = str_replace(':', '', $fingerprint); $formatedFingerprint = strtolower($formatedFingerprint); return $formatedFingerprint; } /** * Generates a nameID. * * @param string $value fingerprint * @param string $spnq SP Name Qualifier * @param string|null $format SP Format * @param string|null $cert IdP Public cert to encrypt the nameID * @param string|null $nq IdP Name Qualifier * * @return string $nameIDElement DOMElement | XMLSec nameID * * @throws Exception */ public static function generateNameId($value, $spnq, $format = null, $cert = null, $nq = null) { $doc = new DOMDocument(); $nameId = $doc->createElement('saml:NameID'); if (isset($spnq)) { $nameId->setAttribute('SPNameQualifier', $spnq); } if (isset($nq)) { $nameId->setAttribute('NameQualifier', $nq); } if (isset($format)) { $nameId->setAttribute('Format', $format); } $nameId->appendChild($doc->createTextNode($value)); $doc->appendChild($nameId); if (!empty($cert)) { $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'public')); $seckey->loadKey($cert); $enc = new XMLSecEnc(); $enc->setNode($nameId); $enc->type = XMLSecEnc::Element; $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC); $symmetricKey->generateSessionKey(); $enc->encryptKey($seckey, $symmetricKey); $encryptedData = $enc->encryptNode($symmetricKey); $newdoc = new DOMDocument(); $encryptedID = $newdoc->createElement('saml:EncryptedID'); $newdoc->appendChild($encryptedID); $encryptedID->appendChild($encryptedID->ownerDocument->importNode($encryptedData, true)); return $newdoc->saveXML($encryptedID); } else { return $doc->saveXML($nameId); } } /** * Gets Status from a Response. * * @param DOMDocument $dom The Response as XML * * @return array $status The Status, an array with the code and a message. * * @throws ValidationError */ public static function getStatus(DOMDocument $dom) { $status = array(); $statusEntry = self::query($dom, '/samlp:Response/samlp:Status'); if ($statusEntry->length != 1) { throw new ValidationError( "Missing Status on response", ValidationError::MISSING_STATUS ); } $codeEntry = self::query($dom, '/samlp:Response/samlp:Status/samlp:StatusCode', $statusEntry->item(0)); if ($codeEntry->length != 1) { throw new ValidationError( "Missing Status Code on response", ValidationError::MISSING_STATUS_CODE ); } $code = $codeEntry->item(0)->getAttribute('Value'); $status['code'] = $code; $status['msg'] = ''; $messageEntry = self::query($dom, '/samlp:Response/samlp:Status/samlp:StatusMessage', $statusEntry->item(0)); if ($messageEntry->length == 0) { $subCodeEntry = self::query($dom, '/samlp:Response/samlp:Status/samlp:StatusCode/samlp:StatusCode', $statusEntry->item(0)); if ($subCodeEntry->length == 1) { $status['msg'] = $subCodeEntry->item(0)->getAttribute('Value'); } } else if ($messageEntry->length == 1) { $msg = $messageEntry->item(0)->textContent; $status['msg'] = $msg; } return $status; } /** * Decrypts an encrypted element. * * @param DOMElement $encryptedData The encrypted data. * @param XMLSecurityKey $inputKey The decryption key. * @param bool $formatOutput Format or not the output. * * @return DOMElement The decrypted element. * * @throws ValidationError */ public static function decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey, $formatOutput = true) { $enc = new XMLSecEnc(); $enc->setNode($encryptedData); $enc->type = $encryptedData->getAttribute("Type"); $symmetricKey = $enc->locateKey($encryptedData); if (!$symmetricKey) { throw new ValidationError( 'Could not locate key algorithm in encrypted data.', ValidationError::KEY_ALGORITHM_ERROR ); } $symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey); if (!$symmetricKeyInfo) { throw new ValidationError( "Could not locate <dsig:KeyInfo> for the encrypted key.", ValidationError::KEYINFO_NOT_FOUND_IN_ENCRYPTED_DATA ); } $inputKeyAlgo = $inputKey->getAlgorithm(); if ($symmetricKeyInfo->isEncrypted) { $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorithm(); if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) { $inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P; } if ($inputKeyAlgo !== $symKeyInfoAlgo) { throw new ValidationError( 'Algorithm mismatch between input key and key used to encrypt ' . ' the symmetric key for the message. Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyInfoAlgo, true), ValidationError::KEY_ALGORITHM_ERROR ); } $encKey = $symmetricKeyInfo->encryptedCtx; $symmetricKeyInfo->key = $inputKey->key; $keySize = $symmetricKey->getSymmetricKeySize(); if ($keySize === null) { // To protect against "key oracle" attacks throw new ValidationError( 'Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, true), ValidationError::KEY_ALGORITHM_ERROR ); } $key = $encKey->decryptKey($symmetricKeyInfo); if (strlen($key) != $keySize) { $encryptedKey = $encKey->getCipherValue(); $pkey = openssl_pkey_get_details($symmetricKeyInfo->key); $pkey = sha1(serialize($pkey), true); $key = sha1($encryptedKey . $pkey, true); /* Make sure that the key has the correct length. */ if (strlen($key) > $keySize) { $key = substr($key, 0, $keySize); } elseif (strlen($key) < $keySize) { $key = str_pad($key, $keySize); } } $symmetricKey->loadKey($key); } else { $symKeyAlgo = $symmetricKey->getAlgorithm(); if ($inputKeyAlgo !== $symKeyAlgo) { throw new ValidationError( 'Algorithm mismatch between input key and key in message. ' . 'Key was: ' . var_export($inputKeyAlgo, true) . '; message was: ' . var_export($symKeyAlgo, true), ValidationError::KEY_ALGORITHM_ERROR ); } $symmetricKey = $inputKey; } $decrypted = $enc->decryptNode($symmetricKey, false); $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'.$decrypted.'</root>'; $newDoc = new DOMDocument(); if ($formatOutput) { $newDoc->preserveWhiteSpace = false; $newDoc->formatOutput = true; } $newDoc = self::loadXML($newDoc, $xml); if (!$newDoc) { throw new ValidationError( 'Failed to parse decrypted XML.', ValidationError::INVALID_XML_FORMAT ); } $decryptedElement = $newDoc->firstChild->firstChild; if ($decryptedElement === null) { throw new ValidationError( 'Missing encrypted element.', ValidationError::MISSING_ENCRYPTED_ELEMENT ); } return $decryptedElement; } /** * Converts a XMLSecurityKey to the correct algorithm. * * @param XMLSecurityKey $key The key. * @param string $algorithm The desired algorithm. * @param string $type Public or private key, defaults to public. * * @return XMLSecurityKey The new key. * * @throws Exception */ public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public') { assert(is_string($algorithm)); assert($type === 'public' || $type === 'private'); // do nothing if algorithm is already the type of the key if ($key->type === $algorithm) { return $key; } if (!Utils::isSupportedSigningAlgorithm($algorithm)) { throw new Exception('Unsupported signing algorithm.'); } $keyInfo = openssl_pkey_get_details($key->key); if ($keyInfo === false) { throw new Exception('Unable to get key details from XMLSecurityKey.'); } if (!isset($keyInfo['key'])) { throw new Exception('Missing key in public key details.'); } $newKey = new XMLSecurityKey($algorithm, array('type'=>$type)); $newKey->loadKey($keyInfo['key']); return $newKey; } /** * @param $algorithm * * @return bool */ public static function isSupportedSigningAlgorithm($algorithm) { return in_array( $algorithm, array( XMLSecurityKey::RSA_1_5, XMLSecurityKey::RSA_SHA1, XMLSecurityKey::RSA_SHA256, XMLSecurityKey::RSA_SHA384, XMLSecurityKey::RSA_SHA512 ) ); } /** * Adds signature key and senders certificate to an element (Message or Assertion). * * @param string|DOMDocument $xml The element we should sign * @param string $key The private key * @param string $cert The public * @param string $signAlgorithm Signature algorithm method * @param string $digestAlgorithm Digest algorithm method * * @return string * * @throws Exception */ public static function addSign($xml, $key, $cert, $signAlgorithm = XMLSecurityKey::RSA_SHA256, $digestAlgorithm = XMLSecurityDSig::SHA256) { if ($xml instanceof DOMDocument) { $dom = $xml; } else { $dom = new DOMDocument(); $dom = self::loadXML($dom, $xml); if (!$dom) { throw new Exception('Error parsing xml string'); } } /* Load the private key. */ $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private')); $objKey->loadKey($key, false); /* Get the EntityDescriptor node we should sign. */ $rootNode = $dom->firstChild; /* Sign the metadata with our private key. */ $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N); $objXMLSecDSig->addReferenceList( array($rootNode), $digestAlgorithm, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N), array('id_name' => 'ID') ); $objXMLSecDSig->sign($objKey); /* Add the certificate to the signature. */ $objXMLSecDSig->add509Cert($cert, true); $insertBefore = $rootNode->firstChild; $messageTypes = array('AuthnRequest', 'Response', 'LogoutRequest','LogoutResponse'); if (in_array($rootNode->localName, $messageTypes)) { $issuerNodes = self::query($dom, '/'.$rootNode->tagName.'/saml:Issuer'); if ($issuerNodes->length == 1) { $insertBefore = $issuerNodes->item(0)->nextSibling; } } /* Add the signature. */ $objXMLSecDSig->insertSignature($rootNode, $insertBefore); /* Return the DOM tree as a string. */ $signedxml = $dom->saveXML(); return $signedxml; } /** * Validates a signature (Message or Assertion). * * @param string|\DomNode $xml The element we should validate * @param string|null $cert The pubic cert * @param string|null $fingerprint The fingerprint of the public cert * @param string|null $fingerprintalg The algorithm used to get the fingerprint * @param string|null $xpath The xpath of the signed element * @param array|null $multiCerts Multiple public certs * * @return bool * * @throws Exception */ public static function validateSign($xml, $cert = null, $fingerprint = null, $fingerprintalg = 'sha1', $xpath = null, $multiCerts = null) { if ($xml instanceof DOMDocument) { $dom = clone $xml; } else if ($xml instanceof DOMElement) { $dom = clone $xml->ownerDocument; } else { $dom = new DOMDocument(); $dom = self::loadXML($dom, $xml); } $objXMLSecDSig = new XMLSecurityDSig(); $objXMLSecDSig->idKeys = array('ID'); if ($xpath) { $nodeset = Utils::query($dom, $xpath); $objDSig = $nodeset->item(0); $objXMLSecDSig->sigNode = $objDSig; } else { $objDSig = $objXMLSecDSig->locateSignature($dom); } if (!$objDSig) { throw new Exception('Cannot locate Signature Node'); } $objKey = $objXMLSecDSig->locateKey(); if (!$objKey) { throw new Exception('We have no idea about the key'); } if (!Utils::isSupportedSigningAlgorithm($objKey->type)) { throw new Exception('Unsupported signing algorithm.'); } $objXMLSecDSig->canonicalizeSignedInfo(); try { $retVal = $objXMLSecDSig->validateReference(); } catch (Exception $e) { throw $e; } XMLSecEnc::staticLocateKeyInfo($objKey, $objDSig); if (!empty($multiCerts)) { // If multiple certs are provided, I may ignore $cert and // $fingerprint provided by the method and just check the // certs on the array $fingerprint = null; } else { // else I add the cert to the array in order to check // validate signatures with it and the with it and the // $fingerprint value $multiCerts = array($cert); } $valid = false; foreach ($multiCerts as $cert) { if (!empty($cert)) { $objKey->loadKey($cert, false, true); if ($objXMLSecDSig->verify($objKey) === 1) { $valid = true; break; } } else { if (!empty($fingerprint)) { $domCert = $objKey->getX509Certificate(); $domCertFingerprint = Utils::calculateX509Fingerprint($domCert, $fingerprintalg); if (Utils::formatFingerPrint($fingerprint) == $domCertFingerprint) { $objKey->loadKey($domCert, false, true); if ($objXMLSecDSig->verify($objKey) === 1) { $valid = true; break; } } } } } return $valid; } /** * Validates a binary signature * * @param string $messageType Type of SAML Message * @param array $getData HTTP GET array * @param array $idpData IdP setting data * @param bool $retrieveParametersFromServer Indicates where to get the values in order to validate the Sign, from getData or from $_SERVER * * @return bool * * @throws Exception */ public static function validateBinarySign($messageType, $getData, $idpData, $retrieveParametersFromServer = false) { if (!isset($getData['SigAlg'])) { $signAlg = XMLSecurityKey::RSA_SHA1; } else { $signAlg = $getData['SigAlg']; } if ($retrieveParametersFromServer) { $signedQuery = $messageType.'='.Utils::extractOriginalQueryParam($messageType); if (isset($getData['RelayState'])) { $signedQuery .= '&RelayState='.Utils::extractOriginalQueryParam('RelayState'); } $signedQuery .= '&SigAlg='.Utils::extractOriginalQueryParam('SigAlg'); } else { $signedQuery = $messageType.'='.urlencode($getData[$messageType]); if (isset($getData['RelayState'])) { $signedQuery .= '&RelayState='.urlencode($getData['RelayState']); } $signedQuery .= '&SigAlg='.urlencode($signAlg); } if ($messageType == "SAMLRequest") { $strMessageType = "Logout Request"; } else { $strMessageType = "Logout Response"; } $existsMultiX509Sign = isset($idpData['x509certMulti']) && isset($idpData['x509certMulti']['signing']) && !empty($idpData['x509certMulti']['signing']); if ((!isset($idpData['x509cert']) || empty($idpData['x509cert'])) && !$existsMultiX509Sign) { throw new Error( "In order to validate the sign on the ".$strMessageType.", the x509cert of the IdP is required", Error::CERT_NOT_FOUND ); } if ($existsMultiX509Sign) { $multiCerts = $idpData['x509certMulti']['signing']; } else { $multiCerts = array($idpData['x509cert']); } $signatureValid = false; foreach ($multiCerts as $cert) { $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type' => 'public')); $objKey->loadKey($cert, false, true); if ($signAlg != XMLSecurityKey::RSA_SHA1) { try { $objKey = Utils::castKey($objKey, $signAlg, 'public'); } catch (Exception $e) { $ex = new ValidationError( "Invalid signAlg in the recieved ".$strMessageType, ValidationError::INVALID_SIGNATURE ); if (count($multiCerts) == 1) { throw $ex; } } } if ($objKey->verifySignature($signedQuery, base64_decode($_GET['Signature'])) === 1) { $signatureValid = true; break; } } return $signatureValid; } } PK�������sqYkܕE=��E=��$��php-saml/src/Saml2/LogoutRequest.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use RobRichards\XMLSecLibs\XMLSecurityKey; use DOMDocument; use Exception; /** * SAML 2 Logout Request */ class LogoutRequest { /** * Contains the ID of the Logout Request * * @var string */ public $id; /** * Object that represents the setting info * * @var Settings */ protected $_settings; /** * SAML Logout Request * * @var string */ protected $_logoutRequest; /** * After execute a validation process, this var contains the cause * * @var Exception */ private $_error; /** * Constructs the Logout Request object. * * @param Settings $settings Settings * @param string|null $request A UUEncoded Logout Request. * @param string|null $nameId The NameID that will be set in the LogoutRequest. * @param string|null $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process). * @param string|null $nameIdFormat The NameID Format will be set in the LogoutRequest. * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest. * @param string|null $nameIdSPNameQualifier The NameID SP NameQualifier will be set in the LogoutRequest. */ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null, $nameId = null, $sessionIndex = null, $nameIdFormat = null, $nameIdNameQualifier = null, $nameIdSPNameQualifier = null) { $this->_settings = $settings; $baseURL = $this->_settings->getBaseURL(); if (!empty($baseURL)) { Utils::setBaseURL($baseURL); } if (!isset($request) || empty($request)) { $spData = $this->_settings->getSPData(); $idpData = $this->_settings->getIdPData(); $security = $this->_settings->getSecurityData(); $id = Utils::generateUniqueID(); $this->id = $id; $issueInstant = Utils::parseTime2SAML(time()); $cert = null; if (isset($security['nameIdEncrypted']) && $security['nameIdEncrypted']) { $existsMultiX509Enc = isset($idpData['x509certMulti']) && isset($idpData['x509certMulti']['encryption']) && !empty($idpData['x509certMulti']['encryption']); if ($existsMultiX509Enc) { $cert = $idpData['x509certMulti']['encryption'][0]; } else { $cert = $idpData['x509cert']; } } if (!empty($nameId)) { if (empty($nameIdFormat) && $spData['NameIDFormat'] != Constants::NAMEID_UNSPECIFIED) { $nameIdFormat = $spData['NameIDFormat']; } } else { $nameId = $idpData['entityId']; $nameIdFormat = Constants::NAMEID_ENTITY; } /* From saml-core-2.0-os 8.3.6, when the entity Format is used: "The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted. */ if (!empty($nameIdFormat) && $nameIdFormat == Constants::NAMEID_ENTITY) { $nameIdNameQualifier = null; $nameIdSPNameQualifier = null; } // NameID Format UNSPECIFIED omitted if (!empty($nameIdFormat) && $nameIdFormat == Constants::NAMEID_UNSPECIFIED) { $nameIdFormat = null; } $nameIdObj = Utils::generateNameId( $nameId, $nameIdSPNameQualifier, $nameIdFormat, $cert, $nameIdNameQualifier ); $sessionIndexStr = isset($sessionIndex) ? "<samlp:SessionIndex>{$sessionIndex}</samlp:SessionIndex>" : ""; $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); $logoutRequest = <<<LOGOUTREQUEST <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{$id}" Version="2.0" IssueInstant="{$issueInstant}" Destination="{$idpData['singleLogoutService']['url']}"> <saml:Issuer>{$spEntityId}</saml:Issuer> {$nameIdObj} {$sessionIndexStr} </samlp:LogoutRequest> LOGOUTREQUEST; } else { $decoded = base64_decode($request); // We try to inflate $inflated = @gzinflate($decoded); if ($inflated != false) { $logoutRequest = $inflated; } else { $logoutRequest = $decoded; } $this->id = static::getID($logoutRequest); } $this->_logoutRequest = $logoutRequest; } /** * Returns the Logout Request defated, base64encoded, unsigned * * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it. * * @return string Deflated base64 encoded Logout Request */ public function getRequest($deflate = null) { $subject = $this->_logoutRequest; if (is_null($deflate)) { $deflate = $this->_settings->shouldCompressRequests(); } if ($deflate) { $subject = gzdeflate($this->_logoutRequest); } return base64_encode($subject); } /** * Returns the ID of the Logout Request. * * @param string|DOMDocument $request Logout Request Message * * @return string ID * * @throws Error */ public static function getID($request) { if ($request instanceof DOMDocument) { $dom = $request; } else { $dom = new DOMDocument(); $dom = Utils::loadXML($dom, $request); } if (false === $dom) { throw new Error( "LogoutRequest could not be processed", Error::SAML_LOGOUTREQUEST_INVALID ); } $id = $dom->documentElement->getAttribute('ID'); return $id; } /** * Gets the NameID Data of the the Logout Request. * * @param string|DOMDocument $request Logout Request Message * @param string|null $key The SP key * * @return array Name ID Data (Value, Format, NameQualifier, SPNameQualifier) * * @throws Error * @throws Exception * @throws ValidationError */ public static function getNameIdData($request, $key = null) { if ($request instanceof DOMDocument) { $dom = $request; } else { $dom = new DOMDocument(); $dom = Utils::loadXML($dom, $request); } $encryptedEntries = Utils::query($dom, '/samlp:LogoutRequest/saml:EncryptedID'); if ($encryptedEntries->length == 1) { $encryptedDataNodes = $encryptedEntries->item(0)->getElementsByTagName('EncryptedData'); $encryptedData = $encryptedDataNodes->item(0); if (empty($key)) { throw new Error( "Private Key is required in order to decrypt the NameID, check settings", Error::PRIVATE_KEY_NOT_FOUND ); } $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'private')); $seckey->loadKey($key); $nameId = Utils::decryptElement($encryptedData, $seckey); } else { $entries = Utils::query($dom, '/samlp:LogoutRequest/saml:NameID'); if ($entries->length == 1) { $nameId = $entries->item(0); } } if (!isset($nameId)) { throw new ValidationError( "NameID not found in the Logout Request", ValidationError::NO_NAMEID ); } $nameIdData = array(); $nameIdData['Value'] = $nameId->nodeValue; foreach (array('Format', 'SPNameQualifier', 'NameQualifier') as $attr) { if ($nameId->hasAttribute($attr)) { $nameIdData[$attr] = $nameId->getAttribute($attr); } } return $nameIdData; } /** * Gets the NameID of the Logout Request. * * @param string|DOMDocument $request Logout Request Message * @param string|null $key The SP key * * @return string Name ID Value * * @throws Error * @throws Exception * @throws ValidationError */ public static function getNameId($request, $key = null) { $nameId = self::getNameIdData($request, $key); return $nameId['Value']; } /** * Gets the Issuer of the Logout Request. * * @param string|DOMDocument $request Logout Request Message * * @return string|null $issuer The Issuer * * @throws Exception */ public static function getIssuer($request) { if ($request instanceof DOMDocument) { $dom = $request; } else { $dom = new DOMDocument(); $dom = Utils::loadXML($dom, $request); } $issuer = null; $issuerNodes = Utils::query($dom, '/samlp:LogoutRequest/saml:Issuer'); if ($issuerNodes->length == 1) { $issuer = $issuerNodes->item(0)->textContent; } return $issuer; } /** * Gets the SessionIndexes from the Logout Request. * Notice: Our Constructor only support 1 SessionIndex but this parser * extracts an array of all the SessionIndex found on a * Logout Request, that could be many. * * @param string|DOMDocument $request Logout Request Message * * @return array The SessionIndex value * * @throws Exception */ public static function getSessionIndexes($request) { if ($request instanceof DOMDocument) { $dom = $request; } else { $dom = new DOMDocument(); $dom = Utils::loadXML($dom, $request); } $sessionIndexes = array(); $sessionIndexNodes = Utils::query($dom, '/samlp:LogoutRequest/samlp:SessionIndex'); foreach ($sessionIndexNodes as $sessionIndexNode) { $sessionIndexes[] = $sessionIndexNode->textContent; } return $sessionIndexes; } /** * Checks if the Logout Request recieved is valid. * * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature * * @return bool If the Logout Request is or not valid * * @throws Exception * @throws ValidationError */ public function isValid($retrieveParametersFromServer = false) { $this->_error = null; try { $dom = new DOMDocument(); $dom = Utils::loadXML($dom, $this->_logoutRequest); $idpData = $this->_settings->getIdPData(); $idPEntityId = $idpData['entityId']; if ($this->_settings->isStrict()) { $security = $this->_settings->getSecurityData(); if ($security['wantXMLValidation']) { $res = Utils::validateXML($dom, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive()); if (!$res instanceof DOMDocument) { throw new ValidationError( "Invalid SAML Logout Request. Not match the saml-schema-protocol-2.0.xsd", ValidationError::INVALID_XML_FORMAT ); } } $currentURL = Utils::getSelfRoutedURLNoQuery(); // Check NotOnOrAfter if ($dom->documentElement->hasAttribute('NotOnOrAfter')) { $na = Utils::parseSAML2Time($dom->documentElement->getAttribute('NotOnOrAfter')); if ($na <= time()) { throw new ValidationError( "Could not validate timestamp: expired. Check system clock.", ValidationError::RESPONSE_EXPIRED ); } } // Check destination if ($dom->documentElement->hasAttribute('Destination')) { $destination = $dom->documentElement->getAttribute('Destination'); if (!empty($destination) && strpos($destination, $currentURL) === false) { throw new ValidationError( "The LogoutRequest was received at $currentURL instead of $destination", ValidationError::WRONG_DESTINATION ); } } $nameId = static::getNameId($dom, $this->_settings->getSPkey()); // Check issuer $issuer = static::getIssuer($dom); if (!empty($issuer) && $issuer != $idPEntityId) { throw new ValidationError( "Invalid issuer in the Logout Request", ValidationError::WRONG_ISSUER ); } if ($security['wantMessagesSigned'] && !isset($_GET['Signature'])) { throw new ValidationError( "The Message of the Logout Request is not signed and the SP require it", ValidationError::NO_SIGNED_MESSAGE ); } } if (isset($_GET['Signature'])) { $signatureValid = Utils::validateBinarySign("SAMLRequest", $_GET, $idpData, $retrieveParametersFromServer); if (!$signatureValid) { throw new ValidationError( "Signature validation failed. Logout Request rejected", ValidationError::INVALID_SIGNATURE ); } } return true; } catch (Exception $e) { $this->_error = $e; $debug = $this->_settings->isDebugActive(); if ($debug) { echo htmlentities($this->_error->getMessage()); } return false; } } /** * After execute a validation process, if fails this method returns the Exception of the cause * * @return Exception Cause */ public function getErrorException() { return $this->_error; } /** * After execute a validation process, if fails this method returns the cause * * @return null|string Error reason */ public function getError() { $errorMsg = null; if (isset($this->_error)) { $errorMsg = htmlentities($this->_error->getMessage()); } return $errorMsg; } /** * Returns the XML that will be sent as part of the request * or that was received at the SP * * @return string */ public function getXML() { return $this->_logoutRequest; } } PK�������sqY��܋)���)��%��php-saml/src/Saml2/LogoutResponse.phpnu��[���
��������<?php /** * This file is part of php-saml. * * (c) OneLogin Inc * * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. * * @package OneLogin * @author OneLogin Inc <saml-info@onelogin.com> * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE * @link https://github.com/onelogin/php-saml */ namespace OneLogin\Saml2; use DOMDocument; use DOMNodeList; use Exception; /** * SAML 2 Logout Response */ class LogoutResponse { /** * Contains the ID of the Logout Response * * @var string */ public $id; /** * Object that represents the setting info * * @var Settings */ protected $_settings; /** * The decoded, unprocessed XML response provided to the constructor. * * @var string|null */ protected $_logoutResponse; /** * A DOMDocument class loaded from the SAML LogoutResponse. * * @var DOMDocument */ public $document; /** * After execute a validation process, if it fails, this var contains the cause * * @var Exception|null */ private $_error; /** * Constructs a Logout Response object (Initialize params from settings and if provided * load the Logout Response. * * @param Settings $settings Settings. * @param string|null $response An UUEncoded SAML Logout response from the IdP. * * @throws Error * @throws Exception * */ public function __construct(\OneLogin\Saml2\Settings $settings, $response = null) { $this->_settings = $settings; $baseURL = $this->_settings->getBaseURL(); if (!empty($baseURL)) { Utils::setBaseURL($baseURL); } if ($response) { $decoded = base64_decode($response); $inflated = @gzinflate($decoded); if ($inflated != false) { $this->_logoutResponse = $inflated; } else { $this->_logoutResponse = $decoded; } $this->document = new DOMDocument(); $this->document = Utils::loadXML($this->document, $this->_logoutResponse); if (false === $this->document) { throw new Error( "LogoutResponse could not be processed", Error::SAML_LOGOUTRESPONSE_INVALID ); } if ($this->document->documentElement->hasAttribute('ID')) { $this->id = $this->document->documentElement->getAttribute('ID'); } } } /** * Gets the Issuer of the Logout Response. * * @return string|null $issuer The Issuer */ public function getIssuer() { $issuer = null; $issuerNodes = $this->_query('/samlp:LogoutResponse/saml:Issuer'); if ($issuerNodes->length == 1) { $issuer = $issuerNodes->item(0)->textContent; } return $issuer; } /** * Gets the Status of the Logout Response. * * @return string|null The Status */ public function getStatus() { $entries = $this->_query('/samlp:LogoutResponse/samlp:Status/samlp:StatusCode'); if ($entries->length != 1) { return null; } $status = $entries->item(0)->getAttribute('Value'); return $status; } /** * Determines if the SAML LogoutResponse is valid * * @param string|null $requestId The ID of the LogoutRequest sent by this SP to the IdP * @param bool $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature * * @return bool Returns if the SAML LogoutResponse is or not valid * * @throws ValidationError */ public function isValid($requestId = null, $retrieveParametersFromServer = false) { $this->_error = null; try { $idpData = $this->_settings->getIdPData(); $idPEntityId = $idpData['entityId']; if ($this->_settings->isStrict()) { $security = $this->_settings->getSecurityData(); if ($security['wantXMLValidation']) { $res = Utils::validateXML($this->document, 'saml-schema-protocol-2.0.xsd', $this->_settings->isDebugActive()); if (!$res instanceof DOMDocument) { throw new ValidationError( "Invalid SAML Logout Response. Not match the saml-schema-protocol-2.0.xsd", ValidationError::INVALID_XML_FORMAT ); } } // Check if the InResponseTo of the Logout Response matchs the ID of the Logout Request (requestId) if provided if (isset($requestId) && $this->document->documentElement->hasAttribute('InResponseTo')) { $inResponseTo = $this->document->documentElement->getAttribute('InResponseTo'); if ($requestId != $inResponseTo) { throw new ValidationError( "The InResponseTo of the Logout Response: $inResponseTo, does not match the ID of the Logout request sent by the SP: $requestId", ValidationError::WRONG_INRESPONSETO ); } } // Check issuer $issuer = $this->getIssuer(); if (!empty($issuer) && $issuer != $idPEntityId) { throw new ValidationError( "Invalid issuer in the Logout Response", ValidationError::WRONG_ISSUER ); } $currentURL = Utils::getSelfRoutedURLNoQuery(); // Check destination if ($this->document->documentElement->hasAttribute('Destination')) { $destination = $this->document->documentElement->getAttribute('Destination'); if (!empty($destination) && strpos($destination, $currentURL) === false) { throw new ValidationError( "The LogoutResponse was received at $currentURL instead of $destination", ValidationError::WRONG_DESTINATION ); } } if ($security['wantMessagesSigned'] && !isset($_GET['Signature'])) { throw new ValidationError( "The Message of the Logout Response is not signed and the SP requires it", ValidationError::NO_SIGNED_MESSAGE ); } } if (isset($_GET['Signature'])) { $signatureValid = Utils::validateBinarySign("SAMLResponse", $_GET, $idpData, $retrieveParametersFromServer); if (!$signatureValid) { throw new ValidationError( "Signature validation failed. Logout Response rejected", ValidationError::INVALID_SIGNATURE ); } } return true; } catch (Exception $e) { $this->_error = $e; $debug = $this->_settings->isDebugActive(); if ($debug) { echo htmlentities($this->_error->getMessage()); } return false; } } /** * Extracts a node from the DOMDocument (Logout Response Menssage) * * @param string $query Xpath Expression * * @return DOMNodeList The queried node */ private function _query($query) { return Utils::query($this->document, $query); } /** * Generates a Logout Response object. * * @param string $inResponseTo InResponseTo value for the Logout Response. */ public function build($inResponseTo) { $spData = $this->_settings->getSPData(); $idpData = $this->_settings->getIdPData(); $this->id = Utils::generateUniqueID(); $issueInstant = Utils::parseTime2SAML(time()); $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); $logoutResponse = <<<LOGOUTRESPONSE <samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{$this->id}" Version="2.0" IssueInstant="{$issueInstant}" Destination="{$idpData['singleLogoutService']['url']}" InResponseTo="{$inResponseTo}" > <saml:Issuer>{$spEntityId}</saml:Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> </samlp:LogoutResponse> LOGOUTRESPONSE; $this->_logoutResponse = $logoutResponse; } /** * Returns a Logout Response object. * * @param bool|null $deflate Whether or not we should 'gzdeflate' the response body before we return it. * * @return string Logout Response deflated and base64 encoded */ public function getResponse($deflate = null) { $logoutResponse = $this->_logoutResponse; if (is_null($deflate)) { $deflate = $this->_settings->shouldCompressResponses(); } if ($deflate) { $logoutResponse = gzdeflate($this->_logoutResponse); } return base64_encode($logoutResponse); } /** * After execute a validation process, if fails this method returns the cause. * * @return Exception|null Cause */ public function getErrorException() { return $this->_error; } /** * After execute a validation process, if fails this method returns the cause * * @return null|string Error reason */ public function getError() { $errorMsg = null; if (isset($this->_error)) { $errorMsg = htmlentities($this->_error->getMessage()); } return $errorMsg; } /** * @return string the ID of the Response */ public function getId() { return $this->id; } /** * Returns the XML that will be sent as part of the response * or that was received at the SP * * @return string|null */ public function getXML() { return $this->_logoutResponse; } } PK�������sqY�WZ�6���6����php-saml/CHANGELOGnu��[���
��������CHANGELOG ========= v.3.3.1 * Update xmlseclibs to 3.0.4 * Remove Comparison atribute from RequestedAuthnContext when setting has empty value v.3.3.0 * Set true as the default value for strict setting * Relax comparision of false on SignMetadata * Fix CI v.3.2.1 * Add missed nameIdValueReq parameter to buildAuthnRequest method v.3.2.0 * Add support for Subjects on AuthNRequests by the new parameter nameIdValueReq * Support SLO ResponseLocation * [#344](https://github.com/onelogin/php-saml/issues/344) Raise errors on IdPMetadataParser::parseRemoteXML and IdPMetadataParser::parseFileXML * [#356](https://github.com/onelogin/php-saml/issues/356) Support 'x509cert' and 'privateKey' on signMetadata security setting v.3.1.1 * Force to use at least xmlseclibs 3.0.3 for security reasons * [#367](https://github.com/onelogin/php-saml/pull/367) Move the creation of the AuthnRequest to separate function * Set strict=true on config examples * Move phpunit.xml v.3.1.0 * Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE) * Fix setting_example.php servicename parameter v.3.0.0 * Remove mcrypt dependency. Compatible with PHP 7.2 * xmlseclibs now is not part of the toolkit and need to be installed from original source v.2.17.1 * Update xmlseclibs to 3.0.4 * Remove Comparison atribute from RequestedAuthnContext when setting has empty value v.2.17.0 * Set true as the default value for strict setting * Support 'x509cert' and 'privateKey' on signMetadata security settings * Relax comparision of false on SignMetadata * Fix CI v.2.16.0 * Support SLO ResponseLocation * [#344](https://github.com/onelogin/php-saml/issues/344) Raise errors on IdPMetadataParser::parseRemoteXML and IdPMetadataParser::parseFileXML * Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs * Add support for Subjects on AuthNRequests by the new parameter * Set strict=true on config examples v.2.15.0 * Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE) * Fix bug on settings_example.php v.2.14.0 * Add parameter to the decryptElement method to make optional the formatting * [#283](https://github.com/onelogin/php-saml/pull/283) New method of importing a decrypted assertion into the XML document to replace the EncryptedAssertion. Fix signature issues on Signed Encrypted Assertions with default namespace * Allow the getSPMetadata() method to always include the encryption Key Descriptor * Change some Fatal Error to Exceptions * [#265](https://github.com/onelogin/php-saml/issues/265) Support parameters at getSPMetadata method * Avoid calling static method using this v.2.13.0 * Update xmlseclibs with some fixes. * Add extra protection verifying the Signature algorithm used on SignedInfo element, not only rely on the xmlseclibs verify / verifySignature methods. * Add getAttributesWithFriendlyName method which returns the set of SAML attributes indexed by FriendlyName * Fix bug on parseRemoteXML and parseFileXML. Internal calls to parseXML missed the desiredNameIdFormat parameter v.2.12.0 * Improve Time management. Use DateTime/DateTimeZone classes. * Escape error messages in debug mode * Improve phpdoc * Add an extra filter to the url to be used on redirection * [#242](https://github.com/onelogin/php-saml/pull/242) Document that SHA-1 must not be used * [#250](https://github.com/onelogin/php-saml/pull/250) Fixed issue with IdPMetadataParser only keeping 1 certificate when multiple certificates of a single type were provided. * [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest. v.2.11.0 * [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads * [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request * Improve logout documentation on Readme. * Improve multi-certificate support v.2.10.7 * Fix IdPMetadataParser. The SingleLogoutService retrieved method was wrong * [#201](https://github.com/onelogin/php-saml/issues/201) Fix issues with SP entity_id, acs url and sls url that contains & v.2.10.6 * [#206](https://github.com/onelogin/php-saml/pull/206)Be able to register future SP x509cert on the settings and publish it on SP metadata * [#206](https://github.com/onelogin/php-saml/pull/206) Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption) * [#206](https://github.com/onelogin/php-saml/pull/206) Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings. v.2.10.5 * Be able to get at the auth object the last processed ID * Improve NameID Format support * Reset errorReason attribute of the auth object after each Process method * Validate serial number as string to work around libxml2 limitation * Make the Issuer on the Response Optional v.2.10.4 * [+](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1) Security update for signature validation on LogoutRequest/LogoutResponse * [#192](https://github.com/onelogin/php-saml/pull/192) Added ability to configure DigestAlgorithm in settings * [#183](https://github.com/onelogin/php-saml/pull/183) Fix strpos bug when decrypting assertions * [#186](https://github.com/onelogin/php-saml/pull/186) Improve info on entityId validation Exception * [#188](https://github.com/onelogin/php-saml/pull/188) Fixed issue with undefined constant of UNEXPECTED_SIGNED_ELEMENT * Read ACS binding on AuthNRequest builder from settings * Be able to relax Destination validation on SAMLResponses and let this attribute to be empty with the 'relaxDestinationValidation' setting v.2.10.3 * Implement a more specific exception class for handling some validation errors * Minor changes on time validation/exceptions * Add hooks to retrieve last-sent and last-received requests and responses * Improve/Fix tests * Add DigestAlgorithm support on addSign * [#177](https://github.com/onelogin/php-saml/pull/177) Add error message for bad OneLogin_Saml2_Settings argument v.2.10.2 * [#175](https://github.com/onelogin/php-saml/pull/175) Allow overriding of host, port, protocol and url path for URL building * [#173](https://github.com/onelogin/php-saml/pull/173) Provide better support to NameIdFormat * Fix another issue on Assertion Signature validation when the assertion contains no namespace, container has saml2 namespace and it was encrypted v.2.10.1 * Fix error message on SignMetadata process * Fix issue on Assertion Signature validation when the assertion contains no namespace and it was encrypted v.2.10.0 * Several security improvements: * Conditions element required and unique. * AuthnStatement element required and unique. * SPNameQualifier must math the SP EntityID * Reject saml:Attribute element with same “Name” attribute * Reject empty nameID * Require Issuer element. (Must match IdP EntityID). * Destination value can't be blank (if present must match ACS URL). * Check that the EncryptedAssertion element only contains 1 Assertion element. * Improve Signature validation process * AttributeConsumingService support * Support lowercase Urlencoding (ADFS compatibility). * [#154](https://github.com/onelogin/php-saml/pull/154) getSelfHost no longer returns a port number * [#156](https://github.com/onelogin/php-saml/pull/156) Use correct host on response destination fallback check * [#158](https://github.com/onelogin/php-saml/pull/158) NEW Control usage of X-Forwarded-* headers * Fix issue with buildRequestSignature. Added RelayState to the SignQuery only if is not null. * Add Signature Wrapping prevention Test * Improve _decryptAssertion in order to take care of Assertions with problems with namespaces * Improve documentation v.2.9.1 ....... * [134](https://github.com/onelogin/php-saml/pull/134) PHP7 production settings compiles out assert(), throw an exception explicitly * [132](https://github.com/onelogin/php-saml/pull/132) Add note for "wantAssertionsEncrypted" * Update copyright on LICENSE v.2.9.0 ------- * Change the decrypt assertion process. * Add 2 extra validations to prevent Signature wrapping attacks. * Remove reference to wrong NameIDFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified should be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified * [128](https://github.com/onelogin/php-saml/pull/128) Test php7 and upgrade phpunit * Update Readme with more descriptive requestedAuthnContext description and Security Guidelines v.2.8.0 ------- * Make NameIDPolicy of AuthNRequest optional * Make nameID requirement on SAMLResponse optional * Fix empty URI support * Symmetric encryption key support * Add more Auth Context options to the constant class * Fix DSA_SHA1 constant on xmlseclibs * Set none requestedAuthnContext as default behaviour * Update xmlseclibs lib * Improve formatPrivateKey method * Fix bug when signing metadata, the SignatureMethod was not provided * Fix getter for lastRequestID parameter in OneLogin_Saml2_Auth class * Add $wantEncrypted parameter on addX509KeyDescriptors method that will allow to set KeyDescriptor[use='encryption'] if wantNameIdEncrypted or wantAssertionsEncrypted enabled * Add $stay parameter on redirectTo method. (login/logout supports $stay but I forgot add this on previous 2.7.0 version) * Improve code style v.2.7.0 ------- * Trim acs, slo and issuer urls. * Fix PHP 7 error (used continue outside a loop/switch). * Fix bug on organization element of the SP metadata builder. * Fix typos on documentation. Fix ALOWED Misspell. * Be able to extract RequestID. Add RequestID validation on demo1. * Add $stay parameter to login, logout and processSLO method. v.2.6.1 ------- * Fix bug on cacheDuration of the Metadata XML generated. * Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder. * Allows the authn comparsion attribute to be set via config. * Retrieve Session Timeout after processResponse with getSessionExpiration(). * Improve readme readability. * Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO. v.2.6.0 ------- * Set NAMEID_UNSPECIFIED as default NameIDFormat to prevent conflicts with IdPs that don't support NAMEID_PERSISTENT. * Now the SP is able to select the algorithm to be used on signatures (DSA_SHA1, RSA_SHA1, RSA_SHA256, RSA_SHA384, RSA_SHA512). * Change visibility of _decryptAssertion to protected. * Update xmlseclibs library. * Handle valid but uncommon dsig block with no URI in the reference. * login, logout and processSLO now return ->redirectTo instead of just call it. * Split the setting check methods. Now 1 method for IdP settings and other for SP settings. * Let the setting object to avoid the IdP setting check. required if we want to publish SP SAML Metadata when the IdP data is still not provided. v.2.5.0 ------- * Do accesible the ID of the object Logout Request (id attribute). * Add note about the fact that PHP 5.3 is unssuported. * Add fingerprint algorithm support. * Add dependences to composer. v.2.4.0 ------- * Fix wrong element order in generated metadata. * Added SLO with nameID and SessionIndex in demo1. * Improve isHTTPS method in order to support HTTP_X_FORWARDED_PORT. * Set optional the XMLvalidation (enable/disable it with wantXMLValidation security setting). v.2.3.0 ------- * Resolve namespace problem. Some IdPs uses saml2p:Response and saml2:Assertion instead of samlp:Response saml:Assertion. * Improve test and documentation. * Improve ADFS compatibility. * Remove unnecessary XSDs files. * Make available the reason for the saml message invalidation. * Adding ability to set idp cert once the Setting object initialized. * Fix status info issue. * Reject SAML Response if not signed and strict = false. * Support NameId and SessionIndex in LogoutRequest. * Add ForceAuh and IsPassive support. v.2.2.0 ------- * Fix bug with Encrypted nameID on LogoutRequest. * Fixed usability bug. SP will inform about AuthFail status after process a Response. * Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class. * LogoutRequest and LogoutResponse classes now accept non deflated xml. * Improved the XML metadata/ Decrypted Assertion output. (prettyprint). * Fix bug in formatPrivateKey method, the key could be not RSA. * Explicit warning message for signed element problem. * Decrypt method improved. * Support more algorithm at the SigAlg in the Signed LogoutRequests and LogoutResponses * AuthNRequest now stores ID (it can be retrieved later). * Fixed a typo on the 'NameIdPolicy' attribute that appeared at the README and settings_example file. v.2.1.0 ------- * The isValid method of the Logout Request is now non-static. (affects processSLO method of Auth.php). * Logout Request constructor now accepts encoded logout requests. * Now after validate a message, if fails a method getError of the object will return the cause. * Fix typos. * Added extra parameters option to login and logout methods. * Improve Test (new test, use the new getError method for testing). * Bugfix namespace problem when getting Attributes. v.2.0.0 ------- * New PHP SAML Toolkit (SLO, Sign, Encryptation). v.1.0.0 ------- * Old PHP SAML Toolkit. PK�������sqY��<q�
���
����php-saml/certs/READMEnu��[���
��������Take care of this folder that could contain private key. Be sure that this folder never is published. Onelogin PHP Toolkit expects certs for the SP stored at: * sp.key Private Key * sp.crt Public cert * sp_new.crt Future Public cert Also you can use other cert to sign the metadata of the SP using the: * metadata.key * metadata.crt If you are using composer to install the php-saml toolkit, You should move the certs folder to vendor/onelogin/php-saml/certs PK
���������sqY��4�d��d������������������php-saml/settings_example.phpnu��[���
��������PK
���������sqY��=���������������������php-saml/composer.jsonnu��[���
��������PK
���������sqY5�Ce(��(�����������������php-saml/LICENSEnu��[���
��������PK
���������sqYS:h�C��C��&������������C"��php-saml/advanced_settings_example.phpnu��[���
��������PK
���������sqYHz�������������������9��php-saml/_toolkit_loader.phpnu��[���
��������PK
���������sqYPH�~)��~)��������������3=��php-saml/src/Saml2/Metadata.phpnu��[���
��������PK
���������sqY��W�"���"��"�������������g��php-saml/src/Saml2/schemas/xml.xsdnu��[���
��������PK
���������sqY�G'E����9������������։��php-saml/src/Saml2/schemas/sstc-saml-metadata-ui-v1.0.xsdnu��[���
��������PK
���������sqY�8�_s��s��1������������Y���php-saml/src/Saml2/schemas/sstc-metadata-attr.xsdnu��[���
��������PK
���������sqY[x���1���1��8������������-���php-saml/src/Saml2/schemas/saml-schema-assertion-2.0.xsdnu��[���
��������PK
���������sqY���B������6������������{���php-saml/src/Saml2/schemas/sstc-saml-attribute-ext.xsdnu��[���
��������PK
���������sqY@߲�'��'��2����������������php-saml/src/Saml2/schemas/xmldsig-core-schema.xsdnu��[���
��������PK
���������sqY�|e�[r��[r��B������������2���php-saml/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsdnu��[���
��������PK
���������sqY�Un��4���4��7�������������j
�php-saml/src/Saml2/schemas/saml-schema-protocol-2.0.xsdnu��[���
��������PK
���������sqYv�G>��>��7��������������
�php-saml/src/Saml2/schemas/saml-schema-metadata-2.0.xsdnu��[���
��������PK
���������sqY��E������*������������~�
�php-saml/src/Saml2/schemas/xenc-schema.xsdnu��[���
��������PK
���������sqY9챉������A��������������
�php-saml/src/Saml2/schemas/sstc-saml-metadata-algsupport-v1.0.xsdnu��[���
��������PK
���������sqY&�������<��������������
�php-saml/src/Saml2/schemas/saml-schema-authn-context-2.0.xsdnu��[���
��������PK
���������sqY7/dIo��o�� ������������:�
�php-saml/src/Saml2/Constants.phpnu��[���
��������PK
���������sqY�4a����������������������php-saml/src/Saml2/Settings.phpnu��[���
��������PK
���������sqY �G#������������������(��php-saml/src/Saml2/Response.phpnu��[���
��������PK
���������sqY���Z���Z����������������=�php-saml/src/Saml2/version.jsonnu��[���
��������PK
���������sqY�t�e��e��������������,>�php-saml/src/Saml2/Error.phpnu��[���
��������PK
���������sqYsF��������&�������������E�php-saml/src/Saml2/ValidationError.phpnu��[���
��������PK
���������sqY����������#�������������R�php-saml/src/Saml2/AuthnRequest.phpnu��[���
��������PK
���������sqY�ԎjRe��Re���������������l�php-saml/src/Saml2/Auth.phpnu��[���
��������PK
���������sqYq��B�,���,��(������������^��php-saml/src/Saml2/IdPMetadataParser.phpnu��[���
��������PK
���������sqY"�/������������������������php-saml/src/Saml2/Utils.phpnu��[���
��������PK
���������sqYkܕE=��E=��$���������������php-saml/src/Saml2/LogoutRequest.phpnu��[���
��������PK
���������sqY��܋)���)��%������������6�php-saml/src/Saml2/LogoutResponse.phpnu��[���
��������PK
���������sqY�WZ�6���6��������������,�php-saml/CHANGELOGnu��[���
��������PK
���������sqY��<q�
���
���������������b�php-saml/certs/READMEnu��[���
��������PK���� � ����e���