SAML-Toolkits
diff --git a/‎onelogin-saml-sso/php/lib/Saml2/Auth.php‎
Lines changed: 28 additions & 8 deletions b/‎onelogin-saml-sso/php/lib/Saml2/Auth.php‎
Lines changed: 28 additions & 8 deletions
diff --git a/‎onelogin-saml-sso/php/lib/Saml2/AuthnRequest.php‎
Lines changed: 4 additions & 2 deletions b/‎onelogin-saml-sso/php/lib/Saml2/AuthnRequest.php‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎onelogin-saml-sso/php/lib/Saml2/IdPMetadataParser.php‎
Lines changed: 211 additions & 0 deletions b/‎onelogin-saml-sso/php/lib/Saml2/IdPMetadataParser.php‎
Lines changed: 211 additions & 0 deletions
@@ -34,6 +34,14 @@ class OneLogin_Saml2_Auth
      */
     private $_nameidFormat;
 
+
+    /**
+     * NameID NameQualifier
+     *
+     * @var string
+     */
+    private $_nameidNameQualifier;
+
     /**
      * If user is authenticated.
      *
@@ -177,6 +185,7 @@ public function processResponse($requestId = null)
                 $this->_attributes = $response->getAttributes();
                 $this->_nameid = $response->getNameId();
                 $this->_nameidFormat = $response->getNameIdFormat();
+                $this->_nameidNameQualifier = $response->getNameIdNameQualifier();
                 $this->_authenticated = true;
                 $this->_sessionIndex = $response->getSessionIndex();
                 $this->_sessionExpiration = $response->getSessionNotOnOrAfter();
@@ -336,6 +345,16 @@ public function getNameIdFormat()
         return $this->_nameidFormat;
     }
 
+    /**
+     * Returns the nameID NameQualifier
+     *
+     * @return string  The nameID NameQualifier of the assertion
+     */
+    public function getNameIdNameQualifier()
+    {
+        return $this->_nameidNameQualifier;
+    }
+
     /**
      * Returns the SessionIndex
      *
@@ -436,18 +455,19 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
     /**
      * Initiates the SLO process.
      *
-     * @param string|null $returnTo      The target URL the user should be returned to after logout.
-     * @param array       $parameters    Extra parameters to be added to the GET
-     * @param string|null $nameId        The NameID that will be set in the LogoutRequest.
-     * @param string|null $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
-     * @param bool        $stay          True if we want to stay (returns the url string) False to redirect
-     * @param string|null $nameIdFormat  The NameID Format will be set in the LogoutRequest.
+     * @param string|null $returnTo            The target URL the user should be returned to after logout.
+     * @param array       $parameters          Extra parameters to be added to the GET
+     * @param string|null $nameId              The NameID that will be set in the LogoutRequest.
+     * @param string|null $sessionIndex        The SessionIndex (taken from the SAML Response in the SSO process).
+     * @param bool        $stay                True if we want to stay (returns the url string) False to redirect
+     * @param string|null $nameIdFormat        The NameID Format will be set in the LogoutRequest.
+     * @param string|null $nameIdNameQualifier The NameID NameQualifier will be set in the LogoutRequest.
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      *
      * @throws OneLogin_Saml2_Error
      */
-    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null)
+    public function logout($returnTo = null, $parameters = array(), $nameId = null, $sessionIndex = null, $stay = false, $nameIdFormat = null, $nameIdNameQualifier = null)
     {
         assert('is_array($parameters)');
 
@@ -466,7 +486,7 @@ public function logout($returnTo = null, $parameters = array(), $nameId = null,
             $nameIdFormat = $this->_nameidFormat;
         }
 
-        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat);
+        $logoutRequest = new OneLogin_Saml2_LogoutRequest($this->_settings, null, $nameId, $sessionIndex, $nameIdFormat, $nameIdNameQualifier);
 
         $this->_lastRequest = $logoutRequest->getXML();
         $this->_lastRequestID = $logoutRequest->id;
 
@@ -114,6 +114,8 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
             }
         }
 
+        $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES);
+        $acsUrl = htmlspecialchars($spData['assertionConsumerService']['url'], ENT_QUOTES);
         $request = <<<AUTHNREQUEST
 <samlp:AuthnRequest
     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@ -124,8 +126,8 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
     IssueInstant="$issueInstant"
     Destination="{$idpData['singleSignOnService']['url']}"
     ProtocolBinding="{$spData['assertionConsumerService']['binding']}"
-    AssertionConsumerServiceURL="{$spData['assertionConsumerService']['url']}">
-    <saml:Issuer>{$spData['entityId']}</saml:Issuer>
+    AssertionConsumerServiceURL="{$acsUrl}">
+    <saml:Issuer>{$spEntityId}</saml:Issuer>
 {$nameIdPolicyStr}
 {$requestedAuthnStr}
 </samlp:AuthnRequest>
 
@@ -0,0 +1,211 @@
+<?php
+
+/**
+ * IdP Metadata Parser of OneLogin PHP Toolkit
+ *
+ */
+
+class OneLogin_Saml2_IdPMetadataParser
+{
+    /**
+     * Get IdP Metadata Info from URL
+     *
+     * @param string $url                   URL where the IdP metadata is published
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseRemoteXML($url, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        try {
+            $ch = curl_init($url);
+            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
+            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+            curl_setopt($ch, CURLOPT_FAILONERROR, 1);
+
+            $xml = curl_exec($ch);
+            if ($xml !== false) {
+                $metadataInfo = self::parseXML($xml, $entityId);
+            } else {
+                throw new Exception(curl_error($ch), curl_errno($ch));
+            }
+        } catch (Exception $e) {
+        }
+        return $metadataInfo;
+    }
+
+    /**
+     * Get IdP Metadata Info from File
+     *
+     * @param string $filepath              File path
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseFileXML($filepath, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        try {
+            if (file_exists($filepath)) {
+                $data = file_get_contents($filepath);
+                $metadataInfo = self::parseXML($data, $entityId);
+            }
+        } catch (Exception $e) {
+        }
+        return $metadataInfo;
+    }
+
+    /**
+     * Get IdP Metadata Info from URL
+     *
+     * @param string $xml                   XML that contains IdP metadata
+     * @param string $entityId              Entity Id of the desired IdP, if no
+     *                                      entity Id is provided and the XML
+     *                                      metadata contains more than one
+     *                                      IDPSSODescriptor, the first is returned
+     * @param string $desiredNameIdFormat   If available on IdP metadata, use that nameIdFormat
+     *
+     * @return array metadata info in php-saml settings format
+     */
+    public static function parseXML($xml, $entityId = null, $desiredNameIdFormat = null)
+    {
+        $metadataInfo = array();
+
+        $dom = new DOMDocument();
+        $dom->preserveWhiteSpace = false;
+        $dom->formatOutput = true;
+        try {
+            $dom = OneLogin_Saml2_Utils::loadXML($dom, $xml);
+            if (!$dom) {
+                throw new Exception('Error parsing metadata');
+            }
+
+            $customIdPStr = '';
+            if (!empty($entityId)) {
+                $customIdPStr = '[@entityID="' . $entityId . '"]';
+            }
+            $idpDescryptorXPath = '//md:EntityDescriptor' . $customIdPStr . '/md:IDPSSODescriptor';
+
+            $idpDescriptorNodes = OneLogin_Saml2_Utils::query($dom, $idpDescryptorXPath);
+
+            if (isset($idpDescriptorNodes) && $idpDescriptorNodes->length > 0) {
+                $metadataInfo['idp'] = array();
+
+                $idpDescriptor = $idpDescriptorNodes->item(0);
+
+                if (empty($entityId) && $idpDescriptor->parentNode->hasAttribute('entityID')) {
+                    $entityId = $idpDescriptor->parentNode->getAttribute('entityID');
+                }
+
+                if (!empty($entityId)) {
+                    $metadataInfo['idp']['entityId'] = $entityId;
+                }
+
+                $ssoNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService[@Binding="'.OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT.'"]', $idpDescriptor);
+                if ($ssoNodes->length < 1) {
+                    $ssoNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleSignOnService', $idpDescriptor);
+                }
+                if ($ssoNodes->length > 0) {
+                    $metadataInfo['idp']['singleSignOnService'] = array(
+                        'url' => $ssoNodes->item(0)->getAttribute('Location'),
+                        'binding' => $ssoNodes->item(0)->getAttribute('Binding')
+                    );
+                }
+
+                $sloNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleLogoutService[@Binding="'.OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT.'"]', $idpDescriptor);
+                if ($sloNodes->length < 1) {
+                    $sloNodes = OneLogin_Saml2_Utils::query($dom, './md:SingleLogoutService', $idpDescriptor);
+                }
+                if ($sloNodes->length > 0) {
+                    $metadataInfo['idp']['singleLogoutService'] = array(
+                        'url' => $sloNodes->item(0)->getAttribute('Location'),
+                        'binding' => $sloNodes->item(0)->getAttribute('Binding')
+                    );
+                }
+
+                $keyDescriptorCertSigningNodes = OneLogin_Saml2_Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "encryption"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor);
+
+                $keyDescriptorCertEncryptionNodes = OneLogin_Saml2_Utils::query($dom, './md:KeyDescriptor[not(contains(@use, "signing"))]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $idpDescriptor);
+
+                if (!empty($keyDescriptorCertSigningNodes) || !empty($keyDescriptorCertEncryptionNodes)) {
+                    $metadataInfo['idp']['x509certMulti'] = array();
+                    if (!empty($keyDescriptorCertSigningNodes)) {
+                        $idpInfo['x509certMulti']['signing'] = array();
+                        foreach ($keyDescriptorCertSigningNodes as $keyDescriptorCertSigningNode) {
+                            $metadataInfo['idp']['x509certMulti']['signing'][] = OneLogin_Saml2_Utils::formatCert($keyDescriptorCertSigningNode->nodeValue, false);
+                        }
+                    }
+                    if (!empty($keyDescriptorCertEncryptionNodes)) {
+                        $idpInfo['x509certMulti']['encryption'] = array();
+                        foreach ($keyDescriptorCertEncryptionNodes as $keyDescriptorCertEncryptionNode) {
+                            $metadataInfo['idp']['x509certMulti']['encryption'][] = OneLogin_Saml2_Utils::formatCert($keyDescriptorCertEncryptionNode->nodeValue, false);
+                        }
+                    }
+
+                    $idpCertdata = $metadataInfo['idp']['x509certMulti'];
+                    if (count($idpCertdata) == 1 || ((isset($idpCertdata['signing']) && count($idpCertdata['signing']) == 1) && isset($idpCertdata['encryption']) && count($idpCertdata['encryption']) == 1 && strcmp($idpCertdata['signing'][0], $idpCertdata['encryption'][0]) == 0)) {
+                        if (isset($metadataInfo['idp']['x509certMulti']['signing'][0])) {
+                            $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['signing'][0];
+                        } else {
+                            $metadataInfo['idp']['x509cert'] = $metadataInfo['idp']['x509certMulti']['encryption'][0];
+                        }
+                        unset($metadataInfo['idp']['x509certMulti']);
+                    }
+                }
+
+                $nameIdFormatNodes = OneLogin_Saml2_Utils::query($dom, './md:NameIDFormat', $idpDescriptor);
+                if ($nameIdFormatNodes->length > 0) {
+                    $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNodes->item(0)->nodeValue;
+                    if (!empty($desiredNameIdFormat)) {
+                        foreach ($nameIdFormatNodes as $nameIdFormatNode) {
+                            if (strcmp($nameIdFormatNode->nodeValue, $desiredNameIdFormat) == 0) {
+                                $metadataInfo['sp']['NameIDFormat'] = $nameIdFormatNode->nodeValue;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (Exception $e) {
+            throw new Exception('Error parsing metadata. '.$e->getMessage());
+        }
+
+        return $metadataInfo;
+    }
+
+    /**
+     * Inject metadata info into php-saml settings array
+     *
+     * @param string $settings      php-saml settings array
+     * @param string $metadataInfo  array metadata info
+     *
+     * @return array settings
+     */
+    public static function injectIntoSettings($settings, $metadataInfo)
+    {
+        if (isset($metadataInfo['idp']) && isset($settings['idp'])) {
+            if (isset($metadataInfo['idp']['x509certMulti']) && !empty($metadataInfo['idp']['x509certMulti']) && isset($settings['idp']['x509cert'])) {
+                unset($settings['idp']['x509cert']);
+            }
+
+            if (isset($metadataInfo['idp']['x509cert']) && !empty($metadataInfo['idp']['x509cert']) && isset($settings['idp']['x509certMulti'])) {
+                unset($settings['idp']['x509certMulti']);
+            }
+        }
+
+        return array_replace_recursive($settings, $metadataInfo);
+    }
+}