Rewrite php-saml to use ZF naming conventions, PSR-0 structure, improve repo layout, add Metadata generation, improve tests
Boy Baukema
committed
Apr 6, 2012
1 parent
ef5e154
commit 3eee672
Showing
13 changed files
with
417 additions
and
223 deletions.
@@ -1,8 +1,17 @@ | ||
<?php | ||
/** | ||
* Created by JetBrains PhpStorm. | ||
* User: boy | ||
* Date: 4/6/12 | ||
* Time: 9:31 AM | ||
* To change this template use File | Settings | File Templates. | ||
*/ | ||
* SAMPLE Code to demonstrate how to handle a SAML assertion response. | ||
* | ||
* Your IdP will usually want your metadata, you can use this code to generate it once, | ||
* or expose it on a URL so your IdP can check it periodically. | ||
*/ | ||
|
||
error_reporting(E_ALL); | ||
|
||
$settings = NULL; | ||
require 'settings.php'; | ||
|
||
header('Content-Type: text/xml'); | ||
|
||
$samlMetadata = new OneLogin_Saml_Metadata($settings); | ||
echo $samlMetadata->getXml(); |
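Review bot: The new header comment describes this sample as code to "handle a SAML assertion response", but the file generates and serves the SP metadata document; the first docblock sentence should say so, e.g. `* SAMPLE code to generate the SP metadata document for this service provider.` The second paragraph about handing the metadata to the IdP already fits and can stay. A minor second point: `header('Content-Type: text/xml')` runs after `require 'settings.php'`, so any stray output from settings.php (a newline after a closing `?>`, for instance) would produce a headers-already-sent warning; calling `header()` before the `require` avoids that.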
@@ -1,8 +1,58 @@ | ||
<?php | ||
|
||
/** | ||
* Created by JetBrains PhpStorm. | ||
* User: boy | ||
* Date: 4/6/12 | ||
* Time: 9:22 AM | ||
* To change this template use File | Settings | File Templates. | ||
*/ | ||
* Create SAML2 Metadata documents | ||
*/ | ||
class OneLogin_Saml_Metadata | ||
{ | ||
/** | ||
* How long should the metadata be valid? | ||
*/ | ||
const VALIDITY_SECONDS = 604800; // 1 week | ||
|
||
/** | ||
* Service settings | ||
* @var OneLogin_Saml_Settings | ||
*/ | ||
private $_settings; | ||
|
||
/** | ||
* Create a new Metadata document | ||
* @param OneLogin_Saml_Settings $settings | ||
*/ | ||
public function __construct(OneLogin_Saml_Settings $settings) | ||
{ | ||
$this->_settings = $settings; | ||
} | ||
|
||
/** | ||
* @return string | ||
*/ | ||
public function getXml() | ||
{ | ||
$validUntil = $this->_getMetadataValidTimestamp(); | ||
|
||
return <<<METADATA_TEMPLATE | ||
<?xml version="1.0"?> | ||
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" | ||
validUntil="$validUntil" | ||
entityID="{$this->_settings->spIssuer}"> | ||
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | ||
<md:NameIDFormat>{$this->_settings->requestedNameIdFormat}</md:NameIDFormat> | ||
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | ||
Location="{$this->_settings->spReturnUrl}" | ||
index="1"/> | ||
</md:SPSSODescriptor> | ||
</md:EntityDescriptor> | ||
METADATA_TEMPLATE; | ||
} | ||
|
||
private function _getMetadataValidTimestamp() | ||
{ | ||
$timeZone = date_default_timezone_get(); | ||
date_default_timezone_set('UTC'); | ||
$time = strftime("%Y-%m-%dT%H:%M:%SZ", time() + self::VALIDITY_SECONDS); | ||
date_default_timezone_set($timeZone); | ||
return $time; | ||
} | ||
} |
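Review bot: `getXml()` interpolates `spIssuer`, `requestedNameIdFormat` and `spReturnUrl` straight into XML attribute and element content, so a configured value containing `&`, `<` or `"` (an entity ID with a query string, say) yields malformed metadata that an IdP will reject. Escape each value once before the heredoc with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` and interpolate the escaped locals instead. Separately, `_getMetadataValidTimestamp()` swaps the process-wide default timezone around a `strftime()` call; `gmdate('Y-m-d\TH:i:s\Z', time() + self::VALIDITY_SECONDS)` produces the same UTC string without touching global state, and the same replacement applies to `_getTimestamp()` in OneLogin_Saml_AuthRequest later in this commit.
```php
public function getXml()
{
    $validUntil = $this->_getMetadataValidTimestamp();
    // Settings land in XML attribute/text content; escape them so '&', '<' or '"' cannot break the document.
    $entityId     = htmlspecialchars($this->_settings->spIssuer, ENT_QUOTES, 'UTF-8');
    $nameIdFormat = htmlspecialchars($this->_settings->requestedNameIdFormat, ENT_QUOTES, 'UTF-8');
    $acsUrl       = htmlspecialchars($this->_settings->spReturnUrl, ENT_QUOTES, 'UTF-8');

    // … unchanged: METADATA_TEMPLATE heredoc, with $entityId, $nameIdFormat and $acsUrl substituted for the raw settings …
}
```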
@@ -1,68 +1,76 @@ | ||
<?php | ||
|
||
/** | ||
* Create a SAML authorization request. | ||
*/ | ||
class SamlAuthRequest | ||
class OneLogin_Saml_AuthRequest | ||
{ | ||
const ID_PREFIX = 'ONELOGIN'; | ||
|
||
/** | ||
* A SamlResponse class provided to the constructor. | ||
* @var OneLogin_Saml_Settings | ||
*/ | ||
private $settings; | ||
private $_settings; | ||
|
||
/** | ||
* Construct the response object. | ||
* | ||
* @param SamlResponse $settings | ||
* @param OneLogin_Saml_Settings $settings | ||
* A SamlResponse settings object containing the necessary | ||
* x509 certicate to decode the XML. | ||
*/ | ||
function __construct($settings) | ||
public function __construct(OneLogin_Saml_Settings $settings) | ||
{ | ||
$this->settings = $settings; | ||
$this->_settings = $settings; | ||
} | ||
|
||
/** | ||
* Generate the request. | ||
* | ||
* @return | ||
* A fully qualified URL that can be redirected to in order to process | ||
* the authorization request. | ||
* @return string A fully qualified URL that can be redirected to in order to process the authorization request. | ||
*/ | ||
public function create() | ||
public function getRedirectUrl() | ||
{ | ||
$id = $this->generateUniqueID(20); | ||
$issue_instant = $this->getTimestamp(); | ||
$id = $this->_generateUniqueID(); | ||
$issueInstant = $this->_getTimestamp(); | ||
|
||
$request = | ||
"<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"$id\" Version=\"2.0\" IssueInstant=\"$issue_instant\" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"" . $this->settings->assertion_consumer_service_url . "\">" . | ||
"<saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" . $this->settings->issuer . "</saml:Issuer>\n" . | ||
"<samlp:NameIDPolicy xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Format=\"" . $this->settings->name_identifier_format . "\" AllowCreate=\"true\"></samlp:NameIDPolicy>\n" . | ||
"<samlp:RequestedAuthnContext xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" Comparison=\"exact\">" . | ||
"<saml:AuthnContextClassRef xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>\n" . | ||
"</samlp:AuthnRequest>"; | ||
$request = <<<AUTHNREQUEST | ||
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" | ||
ID="$id" | ||
Version="2.0" | ||
IssueInstant="$issueInstant" | ||
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" | ||
AssertionConsumerServiceURL="{$this->_settings->spReturnUrl}"> | ||
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{$this->_settings->spIssuer}</saml:Issuer> | ||
<samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" | ||
Format="{$this->_settings->requestedNameIdFormat}" | ||
AllowCreate="true"></samlp:NameIDPolicy> | ||
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"> | ||
<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> | ||
</samlp:RequestedAuthnContext> | ||
</samlp:AuthnRequest>"; | ||
AUTHNREQUEST; | ||
|
||
$deflated_request = gzdeflate($request); | ||
$base64_request = base64_encode($deflated_request); | ||
$encoded_request = urlencode($base64_request); | ||
$deflatedRequest = gzdeflate($request); | ||
$base64Request = base64_encode($deflatedRequest); | ||
$encodedRequest = urlencode($base64Request); | ||
|
||
return $this->settings->idp_sso_target_url . "?SAMLRequest=" . $encoded_request; | ||
return $this->_settings->idpSingleSignOnUrl . "?SAMLRequest=" . $encodedRequest; | ||
} | ||
|
||
private function generateUniqueID($length) | ||
private function _generateUniqueID() | ||
{ | ||
$chars = "abcdef0123456789"; | ||
$chars_len = strlen($chars); | ||
$uniqueID = ""; | ||
for ($i = 0; $i < $length; $i++) | ||
$uniqueID .= substr($chars, rand(0, 15), 1); | ||
return "_" . $uniqueID; | ||
return self::ID_PREFIX . sha1(uniqid(mt_rand(), TRUE)); | ||
} | ||
|
||
private function getTimestamp() | ||
private function _getTimestamp() | ||
{ | ||
$defaultTimezone = date_default_timezone_get(); | ||
date_default_timezone_set('UTC'); | ||
return strftime("%Y-%m-%dT%H:%M:%SZ"); | ||
$timestamp = strftime("%Y-%m-%dT%H:%M:%SZ"); | ||
date_default_timezone_set($defaultTimezone); | ||
return $timestamp; | ||
} | ||
} | ||
|
||
; | ||
} |
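Review bot: The last content line of the new heredoc, `</samlp:AuthnRequest>";`, still carries the `";` from the old string concatenation, so those two characters become part of the request XML and leave content after the root element; the line should read `</samlp:AuthnRequest>` with `AUTHNREQUEST;` alone terminating the heredoc. This looks like a leftover from the conversion rather than intended, since every other line of the heredoc was cleaned up. A second point: `_generateUniqueID()` derives the request ID from `uniqid(mt_rand(), true)`, neither of which is a cryptographic source; if the SP later compares this ID against a response's InResponseTo, an unpredictable value such as `self::ID_PREFIX . bin2hex(openssl_random_pseudo_bytes(20))` is the safer choice (available from PHP 5.3).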