
php-saml's People

Contributors

brenard, brjpeters, bzvestey, davidstrauss, dhensby, dkcwd, glensc, hikariii, klausi, lbejiuk, lukasreschke, merlinofchaos, mfprimo, mwey, othillo, pdavide, pitbulk, smalyshev, smullick, staabm, stephanedelprat, styler3, swenvanzanten, tdlq, tedchou12, tlesne, tobiasmuehl, tony3dmc, tvlooy, vboctor


php-saml's Issues

Encrypted Assertion

Dear Folks,
There is a similar request on the Ruby port of the toolkit - has anyone figured out how to decrypt assertions with the PHP port? Ex:

object(SamlResponse)#1 (5) {
["settings:private"]=>
object(SamlSettings)#2 (5) {
["idp_sso_target_url"]=>
string(72) "https://my_domain.com"
["x509certificate"]=>
string(2259) "MY_CERT_REMOVED"
["assertion_consumer_service_url"]=>
string(55) "http://my/php-saml/consume.php"
["issuer"]=>
string(8) "php-saml"
["name_identifier_format"]=>
string(54) "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
}
["assertion"]=>
string(15764) "
<ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://my-domain.com</ns1:Issuer>


<ns2:EncryptedAssertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><xenc:CipherData><xenc:CipherValue>MY_VALUE_REMOVED</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><ds:X509Data>
<ds:X509Certificate>
MY_CERT_REMOVED
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MY_VALUE_REMOVED</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:EncryptedAssertion>"
["xml"]=>
object(DOMDocument)#3 (0) {
}
["nameid:private"]=>
NULL
["xpath:private"]=>
NULL
}
Invalid SAML response: Cannot locate Signature Node
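The steps a decryptor has to go through, as an added example that is not part of the original post and not php-saml's own code. It uses xmlseclibs (the XML-Security library php-saml bundles, with the pre-namespaced class names of that era), walks the EncryptedData / EncryptedKey structure shown in the dump above, and splices the plaintext saml:Assertion back into the document so the usual signature check can run on it; the Signature the error message cannot find lives inside the ciphertext, which is why decryption has to come first. xmlseclibs.php, $spPrivateKeyPem and $passphrase are assumptions; the passphrase branch relies on XMLSecurityKey's public $passphrase property and also covers the passphrase-protected-key request further down this page.

```php
<?php
// Added example, not php-saml's own code. Decrypts a SAML 2.0 EncryptedAssertion
// with xmlseclibs and hands back the plaintext <saml:Assertion> in place.
// Assumptions: xmlseclibs.php is loadable; $spPrivateKeyPem is the PEM private key
// matching the certificate the IdP encrypted for; $passphrase is only needed for a
// passphrase-protected key (XMLSecurityKey::$passphrase is read by loadKey()).
require_once 'xmlseclibs.php';

function decryptEncryptedAssertion(DOMDocument $dom, $spPrivateKeyPem, $passphrase = null)
{
    $enc = new XMLSecEnc();
    $encData = $enc->locateEncryptedData($dom);
    if (!$encData) {
        throw new Exception('Cannot locate encrypted assertion');
    }
    $enc->setNode($encData);
    $enc->type = $encData->getAttribute('Type');

    // Key object for EncryptedData's <xenc:EncryptionMethod>
    // (tripledes-cbc in the dump above; aes128-cbc / aes256-cbc are the usual alternatives).
    $symKey = $enc->locateKey();
    if (!$symKey) {
        throw new Exception('Unknown algorithm');
    }

    // <xenc:EncryptedKey> under <ds:KeyInfo>: the session key wrapped with the SP public key.
    $keyInfo = $enc->locateKeyInfo($symKey);
    if (!$keyInfo || !$keyInfo->isEncrypted) {
        throw new Exception('No EncryptedKey present; bare symmetric keys are not handled here');
    }
    $encryptedKeyCtx = $keyInfo->encryptedCtx;
    if ($passphrase !== null) {
        $keyInfo->passphrase = $passphrase;
    }
    $keyInfo->loadKey($spPrivateKeyPem, false, false);        // private key, inline PEM, not a cert
    $symKey->loadKey($encryptedKeyCtx->decryptKey($keyInfo)); // unwrap the session key

    // Decrypt and replace <xenc:EncryptedData> with the plaintext element.
    $decrypted = $enc->decryptNode($symKey, true);
    $assertion = ($decrypted instanceof DOMDocument) ? $decrypted->documentElement : $decrypted;
    if ($assertion->namespaceURI !== 'urn:oasis:names:tc:SAML:2.0:assertion'
        || $assertion->localName !== 'Assertion') {
        throw new Exception('Decrypted content is not a saml:Assertion');
    }
    if (!($decrypted instanceof DOMDocument)) {
        // Lift the Assertion out of the now-empty <saml:EncryptedAssertion> wrapper.
        $wrapper = $assertion->parentNode;
        $wrapper->parentNode->replaceChild($assertion, $wrapper);
    }
    return $assertion; // the caller still has to verify the ds:Signature on this element
}

// Usage sketch (paths are placeholders):
// $dom = new DOMDocument();
// $dom->loadXML($samlResponseXml);
// $assertion = decryptEncryptedAssertion($dom, file_get_contents('/path/to/sp.key'));
```

Decryption proves nothing about who produced the assertion: after this call, verify the signature on the returned element with XMLSecurityDSig against the IdP certificate and check that its Reference URI points at the Assertion's own ID. The dump above also shows rsa-1_5 key transport with tripledes-cbc; RSA PKCS#1 v1.5 key transport in XML Encryption is subject to padding-oracle attacks, so where the IdP allows it prefer rsa-oaep-mgf1p with an AES content cipher.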

Does this toolkit implement an IdP?

The documentation seems to imply it does not, that this toolkit is just an SP. But I thought I would ask in case I am missing something, as this is not made clear until quite deep into the documentation.

If this toolkit is just an SP, are there any recommended IdP libraries for PHP that can be wrapped around custom back-ends? I'm looking for something a little leaner and more focused than the SimpleSAML project (which tries to throw every possible use, demo views, forms, etc. into a single package, leaving many unexpected entry-points that pop up unexpectedly).

Okta response fails validation

Okta is using a saml2p and saml2 namespace on their responses, so it causes the Response::validateSignedElements method to fail.

adfdc1b introduced the change that is causing the problem.

The signed elements array from an Okta response is:

$signedElements = [
    'saml2p:Response',
    'saml2:Assertion'
]

minor doc error, OneLogin_Saml_Auth should read OneLogin_Saml2_Auth

In the README.md

OneLogin_Saml_Auth is referenced in code example under the "Initiate SSO" subtitle. I believe it should read 'OneLogin_Saml2_Auth' -- at least that is when it started working for me.

I notice there is a OneLogin_Saml_Auth class, but it's in lib/Saml, not lib/Saml2.

Thanks much.

Does php-saml support passive login?

Hi,

Does php-saml support passive login - where a check at the IdP can be made without forcing the user to log in if they have not authenticated? For example, if a user accesses one of our homepages on an application, they don't need to be authenticated. However, I would like to update their status whether or not they are logged in (logged in? yes! Show welcome text and logout button .. otherwise, show register button and login button), so I am hoping to at least check whether they are logged in or not on every page load.

Currently I'm playing with SimpleSAMLphp. It allows for passive login but does so using redirects. This works OK, but breaks the back button in Firefox and we have to do some hacking. Also I was kinda hoping that this would have been done from the application using curl requests before returning to the browser. I guess the guys at SSP know what they are doing though and have opted for redirects as a preferred solution.

Anyway, I was keen to know if this ability is available in php-saml and, if so, a quick overview of how it works (redirects, curl etc). It's kinda the main feature I'm interested in of other SAML client/servers. Thereafter, I might make the time to experiment more with php-saml for our online applications.

Would really appreciate if you could just explain briefly how this works - if php-saml offers it.

Best regards
Martyn

loadXML checking EXXE/XEE attack failing

On this line: Utils.php#L53 you are checking for an ENTITY node using strpos

On PHP documentation you could read:

Warning: This function may return Boolean FALSE, but may also return a non-Boolean value which evaluates to FALSE. Please read the section on Booleans for more information. Use the === operator for testing the return value of this function.

In my case the expression:

strpos($xml, '<!ENTITY')

Is returning NULL so your logic:

if (strpos($xml, '<!ENTITY') !== false) {
       throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
}

Is always throwing that Exception. Wouldn't it be better if the condition checked the expression below instead?

if (strpos($xml, '<!ENTITY')) {
       throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
}
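An added example, not code from the original post or from php-saml, of how a loader that refuses entity declarations is written with the strict comparison the PHP manual describes: strpos() returns int|false and never null, and a match at offset 0 is the integer 0, which is falsy, so a bare truthy test would let such a document through. The DOCTYPE rejection, the libxml flags and the two constructed inputs are this example's own choices.

```php
<?php
// Added example, not php-saml's own code. Parses untrusted SAML XML with the
// strict "!== false" test and with every libxml entity path closed.
// The DOCTYPE rejection is this example's own hardening, not the toolkit's.

function loadUntrustedSamlXml($xml)
{
    if (!is_string($xml)) {
        throw new InvalidArgumentException('XML payload must be a string');
    }
    // strpos() returns int|false; 0 is a real match, so the comparison must be strict.
    if (strpos($xml, '<!ENTITY') !== false) {
        throw new Exception('Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks');
    }
    // SAML messages never carry a DOCTYPE, and an external subset is another
    // place entities can be declared without an inline <!ENTITY>.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new Exception('Detected DOCTYPE in XML, rejected');
    }

    $oldLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Before PHP 8, libxml follows external entity references unless disabled.
        $oldLoader = libxml_disable_entity_loader(true);
    }
    $oldUseErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access; LIBXML_NOENT and LIBXML_DTDLOAD are deliberately absent.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($oldUseErrors);
    if ($oldLoader !== null) {
        libxml_disable_entity_loader($oldLoader);
    }
    if ($ok === false) {
        $first = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new Exception('Invalid XML: ' . $first);
    }
    return $dom;
}

// Constructed inputs: a classic XXE payload and a harmless Response skeleton.
$xxe = '<?xml version="1.0"?>'
     . '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
     . '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&xxe;</samlp:Response>';
$benign = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0"/>';

try {
    loadUntrustedSamlXml($xxe);
    echo "XXE payload accepted: this must not happen\n";
} catch (Exception $e) {
    echo 'XXE payload rejected: ', $e->getMessage(), "\n";
}
echo 'benign document root: ', loadUntrustedSamlXml($benign)->documentElement->tagName, "\n";
// strpos() yields an integer offset for the payload and boolean false for the benign one:
var_dump(strpos($xxe, '<!ENTITY'), strpos($benign, '<!ENTITY'));
```

The string test is only a cheap first filter; what actually prevents entity expansion is parsing without LIBXML_NOENT and LIBXML_DTDLOAD and, on older PHP, with the entity loader disabled. If strpos() ever appears to return something other than an int or false, the argument being passed is not a string, which the is_string() guard above surfaces explicitly.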

invalid XML

Hi,
I have a problem with validating xml

The problem is that I have some XML structure for the IdP that needs to be provided, and here the XML schema is hardcoded to saml-schema-metadata-2.0.xsd.

when the code:

        $schemaFile = dirname(__FILE__).'/schemas/' . $schema;
        $oldEntityLoader = libxml_disable_entity_loader(false);
        $res = $dom->schemaValidate($schemaFile);
        libxml_disable_entity_loader($oldEntityLoader);

the error I pulled from $xmlErrors = libxml_get_errors(); is

["message"]=> string(234) "
Element '{urn:oasis:names:tc:SAML:2.0:metadata}Organization': This element is not expected. Expected is one of ( {urn:oasis:names:tc:SAML:2.0:metadata}ContactPerson, {urn:oasis:names:tc:SAML:2.0:metadata}AdditionalMetadataLocation ).

So I do not know what to do now.

this is loaded from advanced_settings.php

    // Contact information template, it is recommended to supply technical and support contacts
    'contactPerson' => array (
        'technical' => array (
            'company' => 'experience network',
            'givenName' => '[first name]',
            'surName' => '[last name]',
            'emailAddress' => '[email]'
        ),
        'administrative' => array (
            'company' => 'experience network',
            'givenName' => '[first name]',
            'surName' => '[last name]',
            'emailAddress' => '[email]'
        ),
    ),

    'organization' => array (
        'en-US' => array(
            'name' => 'experience network',
            'displayname' => 'expn',
            'url' => '[here goes url]'
        ),
        'de-DE' => array(
            'name' => 'experience network',
            'displayname' => 'expn',
            'url' => '[here goes url]'
        ),
    ),

and this is how it should look:

<md:Organization>
    <md:OrganizationName xml:lang="de">experience network</md:OrganizationName>
    <md:OrganizationName xml:lang="en">experience network</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="de">expn</md:OrganizationDisplayName>
    <md:OrganizationDisplayName xml:lang="en">expn</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="de">[here goes url]</md:OrganizationURL>
    <md:OrganizationURL xml:lang="en">[here goes url]</md:OrganizationURL>
</md:Organization>
<md:ContactPerson contactType="technical">
    <md:Company>experience network</md:Company>
    <md:GivenName>[first name]</md:GivenName>
    <md:SurName>[last name]</md:SurName>
    <md:EmailAddress>[email]</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="administrative">
    <md:Company>experience network</md:Company>
    <md:GivenName>[first name]</md:GivenName>
    <md:SurName>[last name]</md:SurName>
    <md:EmailAddress>[email]</md:EmailAddress>
</md:ContactPerson>

When I comment out organization in advanced_settings.php it generates the .xml file but without some fields. Even the x509 cert is skipped, but I have set it in settings.php with all the other params...

Is there any idea what I am doing wrong?

invalid saml response

I am using Azure as my IdP. I think all my settings are fine, but it displays an invalid response. When I edit response.php and print the decoded base64 reply, it displays the attributes, but how come it traps the response?

demo2/consume.php invalid $settings format

As of OneLogin_Saml2_Response::__construct() definition - $settings should be an instance of OneLogin_Saml2_Settings:
public function __construct(OneLogin_Saml2_Settings $settings, $response)

Problem #1 - need to include the settings file to have the $settings variable.
Problem #2 - before OneLogin_Saml2_Response instantiation, need to convert $settings to an OneLogin_Saml2_Settings object (simply $settings = new OneLogin_Saml2_Settings($settings);)

Check destination doesn't work if you're using Varnish or HAProxy

Hi @pitbulk!

I got another issue. We have a special config on our server and it seems like some validations are not passing. We have Varnish and HAProxy redirecting some of the requests that hit our service. This is the error that we are seeing:

The response was received at http://hq.contactzilla.com:8180/saml/consume instead of https://hq.contactzilla.com/saml/consume - Array ( [0] => invalid_response )

This is happening because the Destination is https://hq.contactzilla.com/saml/consume; however, internally we (Varnish) are parsing that URL to http://hq.contactzilla.com:8180/saml/consume instead, and the method below is not passing:

// Check destination
if ($this->document->documentElement->hasAttribute('Destination')) {
    $destination = $this->document->documentElement->getAttribute('Destination');
    if (!empty($destination)) {
        if (strpos($destination, $currentURL) !== 0) {
            $currentURLrouted = OneLogin_Saml2_Utils::getSelfRoutedURLNoQuery();
            if (strpos($destination, $currentURLrouted) !== 0) {
                throw new Exception("The response was received at $currentURL instead of $destination");
            }
        }
    }
}

I don't want to turn off the strict option; however, I'm not sure what the best option could be to avoid this situation and check the proper URL.

Just wondering if this is related to the RegExp ACS Valid URL when configuring the OneLogin connector.

Thanks,

You do not have access to this application

Hi,

If I use the demo as it is without any changes, what I get from OneLogin site as response is:

You do not have access to this application.
contact your administrator.

Is it normal for the behavior to be like that?
I was expecting it to forward me to some login form, so I can authenticate there.

Wrong element order in generated metadata

Though I'm not certain why, the SAML2 metadata schema imposes an order on the md:NameIDFormat, md:AssertionConsumerService, etc elements. I found the basic order here:

https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP

This is violated in Metadata.php by including the md:SingleLogoutService tag after the md:AssertionConsumerService tag. The fix should be as simple as moving the sls to the top of the md:SPSSODescriptor tag, i.e. above md:NameIDFormat (i.e. move {$sls} from line 100 to between line 95/96 in Metadata.php). I'd create a pull request, but the ratio (time spent fixing the bug)/(time spent setting up stuff to submit a pull request) would tend to zero, so I hope I'm forgiven for hoping someone with direct repo access will do it instead.

I wish I was nitpicking, but unfortunately I have a metadata parser that is tripping over this :{.
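Both this report and the "invalid XML" report earlier on this page come down to the child order the metadata schema imposes: Organization before ContactPerson under md:EntityDescriptor, and SingleLogoutService before NameIDFormat under md:SPSSODescriptor. The following is an added example, not php-saml's Metadata.php, that builds SP metadata with DOMDocument in that order and checks the order before the file is published. The ordering tables come from the xs:sequence definitions in saml-schema-metadata-2.0.xsd for the SP subset only; the entity ID, URLs, certificate text and contact details are placeholders.

```php
<?php
// Added example, not php-saml's own code. Builds SP metadata in the child order
// saml-schema-metadata-2.0.xsd mandates and verifies that order recursively.
// All values are constructed placeholders.
const MD_NS  = 'urn:oasis:names:tc:SAML:2.0:metadata';
const DS_NS  = 'http://www.w3.org/2000/09/xmldsig#';
const XML_NS = 'http://www.w3.org/XML/1998/namespace';

// xs:sequence order from the schema, md-namespace children only (SP subset).
function mdChildOrder()
{
    return array(
        'EntityDescriptor' => array('Extensions', 'SPSSODescriptor', 'Organization',
                                    'ContactPerson', 'AdditionalMetadataLocation'),
        'SPSSODescriptor'  => array('Extensions', 'KeyDescriptor', 'Organization', 'ContactPerson',
                                    'ArtifactResolutionService', 'SingleLogoutService',
                                    'ManageNameIDService', 'NameIDFormat',
                                    'AssertionConsumerService', 'AttributeConsumingService'),
        'Organization'     => array('OrganizationName', 'OrganizationDisplayName', 'OrganizationURL'),
    );
}

// True when every md child of $parent (recursively) appears in schema order.
function checkChildOrder(DOMElement $parent)
{
    $order = mdChildOrder();
    if ($parent->namespaceURI !== MD_NS || !isset($order[$parent->localName])) {
        return true;
    }
    $last = -1;
    foreach ($parent->childNodes as $child) {
        if (!($child instanceof DOMElement) || $child->namespaceURI !== MD_NS) {
            continue; // ds:Signature, whitespace and text nodes are outside the md sequence
        }
        $pos = array_search($child->localName, $order[$parent->localName], true);
        if ($pos === false || $pos < $last || !checkChildOrder($child)) {
            return false;
        }
        $last = $pos;
    }
    return true;
}

function el(DOMDocument $doc, $ns, $qname, $text = null, array $attrs = array())
{
    $e = $doc->createElementNS($ns, $qname);
    foreach ($attrs as $k => $v) {
        $e->setAttribute($k, $v);
    }
    if ($text !== null) {
        $e->appendChild($doc->createTextNode($text)); // escapes & and <, unlike createElement's value argument
    }
    return $e;
}

function buildSpMetadata(array $cfg)
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;
    $ed = el($doc, MD_NS, 'md:EntityDescriptor', null, array('entityID' => $cfg['entityId']));
    $doc->appendChild($ed);
    $sp = el($doc, MD_NS, 'md:SPSSODescriptor', null, array(
        'AuthnRequestsSigned' => 'true', 'protocolSupportEnumeration' => 'urn:oasis:names:tc:SAML:2.0:protocol'));
    $ed->appendChild($sp);

    $kd = el($doc, MD_NS, 'md:KeyDescriptor', null, array('use' => 'signing'));
    $x509 = el($doc, DS_NS, 'ds:X509Data');
    $x509->appendChild(el($doc, DS_NS, 'ds:X509Certificate', $cfg['x509cert']));
    $kd->appendChild(el($doc, DS_NS, 'ds:KeyInfo'))->appendChild($x509);
    $sp->appendChild($kd);
    $sp->appendChild(el($doc, MD_NS, 'md:SingleLogoutService', null, array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', 'Location' => $cfg['sls'])));
    $sp->appendChild(el($doc, MD_NS, 'md:NameIDFormat', $cfg['nameIdFormat']));
    $sp->appendChild(el($doc, MD_NS, 'md:AssertionConsumerService', null, array(
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', 'Location' => $cfg['acs'],
        'index' => '1', 'isDefault' => 'true')));

    // Organization: all names, then all display names, then all URLs, one per language.
    $org = el($doc, MD_NS, 'md:Organization');
    foreach (array('OrganizationName' => 'name', 'OrganizationDisplayName' => 'displayname',
                   'OrganizationURL' => 'url') as $name => $key) {
        foreach ($cfg['organization'] as $lang => $o) {
            $n = el($doc, MD_NS, 'md:' . $name, $o[$key]);
            $n->setAttributeNS(XML_NS, 'xml:lang', $lang);
            $org->appendChild($n);
        }
    }
    $ed->appendChild($org);
    foreach ($cfg['contactPerson'] as $type => $c) {
        $cp = el($doc, MD_NS, 'md:ContactPerson', null, array('contactType' => $type));
        $cp->appendChild(el($doc, MD_NS, 'md:GivenName', $c['givenName']));
        $cp->appendChild(el($doc, MD_NS, 'md:EmailAddress', $c['emailAddress']));
        $ed->appendChild($cp);
    }
    return $doc;
}

$cfg = array(
    'entityId' => 'https://sp.example.org/metadata', 'acs' => 'https://sp.example.org/acs',
    'sls' => 'https://sp.example.org/sls', 'x509cert' => 'MIIC...placeholder...',
    'nameIdFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
    'organization' => array(
        'en' => array('name' => 'experience network', 'displayname' => 'expn', 'url' => 'https://expn.example.org/en'),
        'de' => array('name' => 'experience network', 'displayname' => 'expn', 'url' => 'https://expn.example.org/de')),
    'contactPerson' => array('technical' => array('givenName' => 'Ops', 'emailAddress' => 'ops@example.org')),
);
$doc = buildSpMetadata($cfg);
echo $doc->saveXML();
echo checkChildOrder($doc->documentElement) ? "order: ok\n" : "order: violates schema\n";

// Reproduce the reported bug: appending SLS after ACS moves it to the end of SPSSODescriptor.
$sp = $doc->getElementsByTagNameNS(MD_NS, 'SPSSODescriptor')->item(0);
$sp->appendChild($doc->getElementsByTagNameNS(MD_NS, 'SingleLogoutService')->item(0));
echo checkChildOrder($doc->documentElement) ? "order: ok\n" : "order: violates schema\n";
```

The order check is a cheap pre-flight; the authoritative test remains DOMDocument::schemaValidate() against the bundled saml-schema-metadata-2.0.xsd, which is what the toolkit's own validateXML runs. Building the document with the DOM rather than string concatenation also means attribute values and text are escaped for you, which matters once organisation names and URLs come from configuration.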

NoAuthnContext

I am not all that familiar with SAML, so bear with me.

I just installed the https://github.com/aacotroneo/laravel-saml2 package with a new instance of Laravel 5. Unfortunately I am getting this error.

The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext

Any thoughts on what this error means? I am sure it is some type of configuration issue. I am just not familiar enough with SAML to know which side the error is coming from, the ADFS IdP or my OneLogin configuration.

I was able to connect and login successfully with a PHPSimpleSaml implementation. However, OneLogin gives me more flexibility. This is why I wanted to use this package.

I would appreciate any suggestions. Thanks.

SAMLP Support Question

Hi there,

I have implemented the php-saml code with the WSFed protocol successfully, the data that comes back and gets verified by the response object is a WSFed response message. This verifies great. I'm struggling to get it working with a SAMLP Response though. For some reason it just fails when validating the reference.

I've tried just passing the SAML Assertion in too, but that doesn't work for both WSFed and SAMLP.

Any ideas what I'm doing wrong?

Reference Validation Failed

Hi all,

I am consistently getting Reference validation failed from the XMLSeclibs library when trying to process the consumer assertion on login.

I have verified the keys are correct, and if the validation is bypassed, login works successfully and all attributes are received.

I have tried using libxml2 2.8.x and 2.7.x, and have tried on both Debian and CentOS.

This problem occurs when trying to connect to a Shibboleth IdP that I have no control over.

Where should I be checking for potential things to debug? I played with the prefixes and canonicalization, checked all the keys, have used stripped down examples, reinstalled the metadata on the IdP, etc. Any pointers?

Load configuration from XML

I have an XML file with the definition of the SAML endpoint; how can I use it to get the configuration for php-saml?

POST instead of GET?

Executing $auth->login(); seems to do a GET request. Is there a way to do a POST instead?

XMLSecurityDSig->validateReference in xmlseclib.php fails on HHVM, works fine on Apache2

So, I switched my project from being hosted with Apache2 and the standard PHP implementation to being hosted with nginx and HHVM. Everything seems to work correctly until the SAMLResponse is received at the ACS URL. In Apache2, everything does work fine, but under HHVM I'm getting the error "Reference validation failed" from XMLSecurityDSig->validateReference():1057.

The XML element that it's being thrown on is as follows:

<ds:Reference URI="#Assertion-uuidc4dbddde-0147-1c2b-b55e-d9c611913e07"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>ikbxaku8itdvg5tfu74lHjpl7bI=</ds:DigestValue></ds:Reference>

(Generated with $refNode->ownerDocument->saveXML($refNode))

Any ideas what could be causing this? I don't know enough about the inner working of SAML to work it out. :/

Error on SLO

I'm receiving this error when trying to log out the user:

The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: https://siteorg/adfs/metadata
Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier:  SPNameQualifier: https://siteorg/adfs/metadata, SPProvidedId: 
Logged-in session participants:
Count: 1, [Issuer: https://siteorg/adfs/metadata, NameID: (Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, NameQualifier:  SPNameQualifier: , SPProvidedId: )] 

This request failed.

User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

And the configuration:

<?php
/**
 * Configuration file for the federation with site.org
 * This is done using the site site.org
 *
 * @package Main
 * @subpackage Controller
 * @author Abraham Cruz <[email protected]>
 * @version $Id: site.org.saml.php 1 2015-05-26 site.org $
 * @license @todo
 */

/**
 * Name of the server we are at this point. This is needed to avoid hardcoding
 * the name of qa, dev* or www
 *
 * @var string
 */
$server = "https://{$_SERVER["SERVER_NAME"]}";

/**
 * Let's return the configuration so this file can only be used by doing
 * include 'site.org.saml.php',
 *
 *
 * @var array
 */
return [
    /*
    If the responses/requests are marked as signed, but it is received unsigned,
    the library will throw an exception
     */
    'strict' => true,
    /*
    We only debug if we are in QA or dev
     */
    'debug' => $server != "https://www.site.org",
    "security" => [
        'logoutRequestSigned' => true,
    ],
    /*
    Service provider configuration
     */
    'sp' => [
        /*
        The Entity name is the URL of the server plus the location of the metadata
        xml file
         */
        'entityId' => "{$server}/adfs/metadata",
        /*
        To this url will be redirected the callbacks
         */
        'assertionConsumerService' => [
            'url' => "{$server}/adfs/saml2",
            "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

        ],
        /*
        To this url will be redirected the logout callback
         */
        'singleLogoutService' => [
            'url' => "{$server}/adfs/logout",
            "binding" => "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        ],
        /*
        format of the nameid.
        We need it to be persistent
         */
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
        /*
        Location of the public key to check if the callback information is correctly signed
         */
        'privateKey' => file_get_contents(_APP_ . "includes/federation/site.key"),
        'x509cert' => file_get_contents(_APP_ . "includes/federation/site.crt"),
    ],

    'idp' => [
        'entityId' => 'http://site.org/adfs/services/trust',
        'singleSignOnService' => [
            'url' => 'https://site.org/adfs/ls/idpinitiatedsignon',
        ],
        'singleLogoutService' => [
            'url' => 'https://site.org/adfs/ls/idpinitiatedsignon',
        ],
        'x509cert' => 'MIIC1....xMw=',
    ],
];

Namespaces not referenced when processing SAMLResponse causing 'invalid_response' error

My IdP returns different names for the XML SAML namespaces than what php-saml expects.
For example, my responses look like:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://host.example.com/saml-test.php" ID="myid_klajdlfkjaslkdjf" InResponseTo="ONELOGIN_lkajdlfkjasdlkfj" IssueInstant="2015-01-12T20:15:28.659Z" Version="2.0">

The Assertion namespace is:
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"

My responses fail to validate because the namespaces are hard-coded. For example, in the Auth class:

    /**
     * Verifies that the document has the expected signed nodes.
     *
     * @return bool
     */
    public function validateSignedElements($signedElements)
    {
        if (count($signedElements) > 2) {
            return false;
        }
        $ocurrence = array_count_values($signedElements);
        if ((in_array('samlp:Response', $signedElements) && $ocurrence['samlp:Response'] > 1) ||
            (in_array('saml:Assertion', $signedElements) && $ocurrence['saml:Assertion'] > 1) ||
            !in_array('samlp:Response', $signedElements) && !in_array('saml:Assertion', $signedElements)
        ) {
            return false;
        }
        return true;
    }

In the above code, the namespaces being used are saml and samlp. If I look at my signedElements array, I find saml2:<element> and saml2p:<element>. Doing a cursory glance of the code, I don't see namespaces being taken into account but, I'm not experienced with DOMDocument, so maybe I'm missing it.

The first exception throw thus far for this error with debugging turned on is:

Found an unexpected Signature Element. SAML Response rejected, which is what happens when validateSignedElements returns false, which in my case it does. There are lots of direct references to saml and saml2 in the xpath used in the code (not just in this function).

When I print $signedElements I get:

array(2) { [0]=> string(15) "saml2p:Response" [1]=> string(15) "saml2:Assertion" }

Thanks much,

- Mike
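Both this report and the Okta report earlier on this page are the same defect: a prefix such as saml2p: is just a label the sending IdP chose, and the namespace URI is what identifies the element. The following is an added example, not php-saml's validateSignedElements, that names signed elements by {namespaceURI}localName so Okta's saml2p:/saml2:, the plain samlp:/saml: form and the default-namespace form ADFS emits all pass the same check, and that additionally ties each ds:Signature to the element it claims to cover. The XML below is a constructed skeleton (no real SignatureValue) and the cryptographic verification is a separate step.

```php
<?php
// Added example, not php-saml's own code. Identifies signed elements by namespace
// URI and local name instead of by prefix, and ties each <ds:Signature> to its
// enclosing element's ID so a signature cannot be counted for an element it
// does not actually reference.
const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion';
const DS_NS    = 'http://www.w3.org/2000/09/xmldsig#';

// Returns the signed elements as "{namespace}localName" strings. A Signature whose
// Reference URI is not "#<parent ID>" is the shape of a wrapping attack, so it is
// reported as a failure rather than silently counted.
function signedElements(DOMDocument $doc)
{
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DS_NS); // the prefix here is local to the query, not the document
    $signed = array();
    foreach ($xp->query('//ds:Signature') as $sig) {
        $parent = $sig->parentNode;
        $uri = $xp->evaluate('string(./ds:SignedInfo/ds:Reference/@URI)', $sig);
        if ($parent->nodeType !== XML_ELEMENT_NODE || $uri !== '#' . $parent->getAttribute('ID')) {
            throw new Exception('Signature Reference does not cover its enclosing element');
        }
        $signed[] = '{' . $parent->namespaceURI . '}' . $parent->localName;
    }
    return $signed;
}

// Same policy as the toolkit's check: Response and/or Assertion, each at most once, nothing else.
function validateSignedElements(array $signed)
{
    $response  = '{' . SAMLP_NS . '}Response';
    $assertion = '{' . SAML_NS . '}Assertion';
    if (count($signed) === 0 || count($signed) > 2) {
        return false;
    }
    foreach (array_count_values($signed) as $name => $n) {
        if (($name !== $response && $name !== $assertion) || $n > 1) {
            return false; // unexpected element signed, or the same element signed twice
        }
    }
    return true;
}

// Constructed Okta-style skeleton: saml2p:/saml2: prefixes, both elements signed.
$oktaStyle = <<<XML
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id1" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#id1"/></ds:SignedInfo>
  </ds:Signature>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id2" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#id2"/></ds:SignedInfo>
    </ds:Signature>
  </saml2:Assertion>
</saml2p:Response>
XML;

$doc = new DOMDocument();
$doc->loadXML($oktaStyle);
$signed = signedElements($doc);
print_r($signed);
echo validateSignedElements($signed) ? "signed elements ok\n" : "unexpected Signature element\n";
```

The same principle applies to every XPath in the toolkit that the report mentions: register your own prefixes on the DOMXPath object and query with those, and the document's prefixes become irrelevant. Keep the Reference-to-parent binding in place even after switching to namespace-aware matching; it is the part of this check that a signature-wrapping payload is designed to slip past.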

Single Logout issue (Signature validation failed. Logout Response rejected)

Hi,

I've been trying to use OneLogin PHP Toolkit (v2.6) to enable SSO with our IDP (ADFS 3.0). So far I've been able to make single sign on to work however I am still having issues with the single logout process.

After some research about the issue I've found out that I'm having exactly the same issue reported by @jacquesd but for him it happened with the OneLogin Python Toolkit (SAML-Toolkits/python-saml#53).

I've tried to set in ADFS side to use RSA-SHA256 as well as RSA-SHA1 with no luck.

The error on the SP side is:

Signature validation failed. Logout Response rejected

And the error reported by ADFS is listed below.

The SAML Single Logout request does not correspond to the logged-in session participant.
Requestor: https://laravel-adfs.apps.domain.pt/saml2/metadata
Request name identifier: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier:  SPNameQualifier: https://laravel-adfs.apps.domain.pt/saml2/metadata, SPProvidedId:
Logged-in session participants:
Count: 1, [Issuer: https://laravel-adfs.apps.domain.pt/saml2/metadata, NameID: (Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier:  SPNameQualifier: , SPProvidedId: )]

This request failed.

User Action
Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.

Below are the SAML AuthnRequest and its response as well as the Logout request and corresponding response.

  • AuthnRequest for Login:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="ONELOGIN_1ad5626afbd4d710ee1af977ad85170513b0e70c"
                    Version="2.0"
                    ProviderName="Display Name"
                    IssueInstant="2015-07-21T15:05:32Z"
                    Destination="https://login.domain.pt/adfs/ls/"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="https://laravel-adfs.apps.domain.pt/saml2/acs"
                    >
    <saml:Issuer>https://laravel-adfs.apps.domain.pt/saml2/metadata</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
  • Response for login:
<samlp:Response ID="_e0d1cfdc-6325-4c37-918e-77cf1a49f3e4"
                Version="2.0"
                IssueInstant="2015-07-21T15:05:37.942Z"
                Destination="https://laravel-adfs.apps.domain.pt/saml2/acs"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="ONELOGIN_1ad5626afbd4d710ee1af977ad85170513b0e70c"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.domain.pt/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                            >
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>[email protected], OU=DSI, L=Leiria, CN=laravel-adfs.apps.domain.pt, O=domain, S=Leiria, C=pt</ds:X509IssuerName>
                                <ds:X509SerialNumber>0</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>{CIPHER_VALUE}</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>{CIPHER_VALUE}</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>
  • Logout request:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="ONELOGIN_6d44e21bea5525f610e944263d2216cb13d4e947"
                     Version="2.0"
                     IssueInstant="2015-07-21T15:05:39Z"
                     Destination="https://login.domain.pt/adfs/ls/"
                     >
    <saml:Issuer>https://laravel-adfs.apps.domain.pt/saml2/metadata</saml:Issuer>
    <saml:NameID SPNameQualifier="https://laravel-adfs.apps.domain.pt/saml2/metadata"
                 Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                 >[email protected]</saml:NameID>
    <samlp:SessionIndex>_5ff47856-2a72-43c2-a512-22443ee38496</samlp:SessionIndex>
</samlp:LogoutRequest>
  • Logout response:
<samlp:LogoutResponse ID="_43c58d04-48a7-45bb-917a-610ec22df0d9"
                      Version="2.0"
                      IssueInstant="2015-07-21T15:05:39.442Z"
                      Destination="https://laravel-adfs.apps.domain.pt/saml2/sls"
                      Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                      InResponseTo="ONELOGIN_6d44e21bea5525f610e944263d2216cb13d4e947"
                      xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://login.domain.pt/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    </samlp:Status>
</samlp:LogoutResponse>

The onelogin configurations that I've been using is listed below:

<?php

$idp_hostname = 'login.ipleiria.pt';

return $settings = array(
    'useRoutes' => true, //include library routes and controllers
    'routesPrefix' => '/saml2',
    'logoutRoute' => '/',
    'loginRoute' => '/',
    'errorRoute' => '/',


    /*****
     * OneLogin Settings
     */
    'strict' => false, //@todo: make this depend on laravel config
    'debug' => true, //@todo: make this depend on laravel config
    'sp' => array(
        'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_TRANSIENT,
        'x509cert' => file_get_contents(base_path('certificates/sp.crt')),
        'privateKey' => file_get_contents(base_path('certificates/sp.key')),
        'entityId' => 'https://laravel-adfs.apps.domain.pt/saml2/metadata', //LARAVEL: This would be set to saml_metadata route
        'assertionConsumerService' => array(
            'url' => 'https://laravel-adfs.apps.domain.pt/saml2/acs', //LARAVEL: This would be set to saml_acs route
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        'singleLogoutService' => array(
            'url' => 'https://laravel-adfs.apps.domain.pt/saml2/sls', //LARAVEL: This would be set to saml_sls route
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
    ),

    'idp' => array(
        'entityId' => 'http://' . $idp_hostname . '/adfs/services/trust',
        'singleSignOnService' => array(
            'url' => 'https://' . $idp_hostname . '/adfs/ls/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url' => 'https://' . $idp_hostname . '/adfs/ls/',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'x509cert' => file_get_contents(base_path('certificates/adfs-signing.crt')),
    ),

    /***
     *  OneLogin advanced settings
     */
    'security' => array(
        'nameIdEncrypted' => false,
        'authnRequestsSigned' => true,
        'logoutRequestSigned' => true,
        'logoutResponseSigned' => true,
        'signMetadata' => false,
        'wantMessagesSigned' => true,
        'wantAssertionsSigned' => true,
        'wantNameIdEncrypted' => false,
        'requestedAuthnContext' => true,
        //'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
    ),

    // Contact information template; it is recommended to supply technical and support contacts
    'contactPerson' => array(
        'technical' => array(
            'givenName' => 'name',
            'emailAddress' => '[email protected]'
        ),
        'support' => array(
            'givenName' => 'Support',
            'emailAddress' => '[email protected]'
        ),
    ),

    // Organization information template; the info in the en-US lang is recommended, add more if required
    'organization' => array(
        'en-US' => array(
            'name' => 'Name',
            'displayname' => 'Display Name',
            'url' => 'http://url'
        ),
    ),

);

We also noticed that the signature verification that fails is using the IdP certificate, and we ensured that it was correct.

Namespace

Why don't you use namespaces for the library inclusion?
Thanks!

No support for passphrase-protected SP privateKey

In _decryptAssertion in Response.php the code both creates and uses an instance of the XMLSecEnc class:

    private function _decryptAssertion($dom)
    {
        // -snip-

        $objenc = new XMLSecEnc(); // <-- Create the object
        $encData = $objenc->locateEncryptedData($dom);
        if (!$encData) {
            throw new Exception("Cannot locate encrypted assertion");
        }

        $objenc->setNode($encData);
        $objenc->type = $encData->getAttribute("Type");
        if (!$objKey = $objenc->locateKey()) {
            throw new Exception("Unknown algorithm");
        }
        $key = null;
        if ($objKeyInfo = $objenc->locateKeyInfo($objKey)) {
            if ($objKeyInfo->isEncrypted) {
                $objencKey = $objKeyInfo->encryptedCtx;
                $objKeyInfo->loadKey($pem, false, false); // <-- Use the object
                $key = $objencKey->decryptKey($objKeyInfo);
            }
        }

        // -snip-
    }

That means there's never a chance to set the XMLSecEnc::passphrase property, which is required for passphrase-protected private keys.

If you can refactor the new XMLSecEnc() call into a protected method then I can just subclass. Unfortunately _decryptAssertion is private and both it and the __construct don't really have any extension points here. Alternatively allowing a privateKeyPassphrase (or similar) entry in the sp array would also work.
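An added example, not php-saml or xmlseclibs code, of the workaround that is available without any library change: unlock the passphrase-protected key in memory with PHP's OpenSSL functions and hand the toolkit an unencrypted PEM through the existing sp privateKey setting. The key and passphrase are constructed fixtures standing in for the real certificates/sp.key, and the final $settings assignment only mirrors the toolkit's settings layout.

```php
<?php
// Added example, not php-saml or xmlseclibs code. Works around the missing
// passphrase support described above: unlock the encrypted SP key in memory
// with PHP's OpenSSL functions and give the toolkit an unencrypted PEM.

/**
 * Decrypt a passphrase-protected PEM private key and return the key as an
 * unencrypted PEM string, or null if the PEM or the passphrase is wrong.
 */
function unlockPrivateKey(string $encryptedPem, string $passphrase): ?string
{
    $key = openssl_pkey_get_private($encryptedPem, $passphrase);
    if ($key === false) {
        return null;
    }
    $plainPem = '';
    // No passphrase argument: the exported PEM is unencrypted.
    if (!openssl_pkey_export($key, $plainPem)) {
        return null;
    }
    return $plainPem;
}

// Constructed fixture standing in for certificates/sp.key: a fresh RSA key
// exported under a passphrase.
$generated = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$encryptedPem = '';
openssl_pkey_export($generated, $encryptedPem, 'correct horse battery staple');

$plainPem = unlockPrivateKey($encryptedPem, 'correct horse battery staple');
if ($plainPem === null) {
    throw new RuntimeException('could not unlock the SP private key');
}
if (strpos($encryptedPem, 'ENCRYPTED') === false || strpos($plainPem, 'ENCRYPTED') !== false) {
    throw new RuntimeException('unexpected PEM headers');
}
if (unlockPrivateKey($encryptedPem, 'wrong passphrase') !== null) {
    throw new RuntimeException('a wrong passphrase must not unlock the key');
}

// Hypothetical settings array in the toolkit's layout: only the decrypted PEM
// reaches the library; the passphrase never appears in the settings file.
$settings = ['sp' => ['privateKey' => $plainPem]];
echo 'SP key unlocked, ', strlen($plainPem), " bytes of PEM\n";
```

The decrypted PEM exists only in process memory for the request; read the passphrase from the application's secret store rather than the settings file, and never write the unlocked key back to disk.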

Call to undefined method OneLogin_Saml2_Settings::getValues()

I'm trying to implement SLO for a Drupal module and I get the following error:
Fatal error: Call to undefined method OneLogin_Saml2_Settings::getValues() in /var/www/builds/build_2014-08-04-075933/sites/all/libraries/php-saml/lib/Saml2/Settings.php on line 106

This seems like an internal error of the toolkit, but most probably I'm doing something wrong in php.
All I'm trying to do is:
$auth = new OneLogin_Saml2_Auth($samlSettings);
$auth->processSLO();

The $samlSettings variable is generated in an internal function, and it works fine with the login process.

Here is the full error message, if it helps:
Fatal error: Call to undefined method OneLogin_Saml2_Settings::getValues() in /var/www/builds/build_2014-08-04-075933/sites/all/libraries/php-saml/lib/Saml2/Settings.php on line 106
Call Stack:
0.0001    637176  1. {main}() /var/www/builds/build_2014-08-04-075933/index.php:0
0.3715  23239904  2. menu_execute_active_handler() /var/www/builds/build_2014-08-04-075933/index.php:21
0.3728  23267704  3. call_user_func_array() /var/www/builds/build_2014-08-04-075933/includes/menu.inc:517
0.3728  23267952  4. saml_sp__logout() /var/www/builds/build_2014-08-04-075933/includes/menu.inc:517
0.3773  23943512  5. OneLogin_Saml2_Auth->__construct() /var/www/drupal/code/modules/custom/saml_sp/saml_sp.pages.inc:82
0.3773  23944936  6. OneLogin_Saml2_Settings->__construct() /var/www/builds/build_2014-08-04-075933/sites/all/libraries/php-saml/lib/Saml2/Auth.php:59

$replace=true in xmlseclibs.decryptNode() changes signature data

In Saml2/Response.php xmlseclibs is called with $replace=true, so the decrypted assertion replaces the encrypted data.
This can cause namespacing problems because PHP's DOMDocument is really bad at that stuff.

For example the following:

<Assertion ID="_0c423ca5-304d-4d11-a082-3a832fc1dcb8" IssueInstant="2014-05-06T14:04:07.738Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>http://adfs.ad.secoya.dk/adfs/services/trust</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <Reference URI="#_0c423ca5-304d-4d11-a082-3a832fc1dcb8">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <DigestValue>RY+taUp1NfYJYp4tUvLLv2rm4nU=</DigestValue>
            </Reference>
        </SignedInfo>
...

becomes this:

<Assertion ID="_a9b17752-e8bb-47db-a417-262fae06dfc4" IssueInstant="2014-05-06T13:49:52.861Z" Version="2.0" xmlns:default="http://www.w3.org/2000/09/xmldsig#">
            <Issuer>http://adfs.ad.secoya.dk/adfs/services/trust</Issuer>
            <default:Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <default:SignedInfo>
                    <default:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <default:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <default:Reference URI="#_a9b17752-e8bb-47db-a417-262fae06dfc4">
                        <default:Transforms>
                            <default:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <default:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </default:Transforms>
                        <default:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <default:DigestValue>ZoM+YcDFdAb59Gvi5Vxji7g6Nwc=</default:DigestValue>
                    </default:Reference>
                </default:SignedInfo>
...

As you would expect, this is a problem when we want to canonicalize and validate the signature later on...

Make OneLogin_Saml2_Auth login, logout, methods return $this->redirectTo

I would like to be able to extend OneLogin_Saml2_Auth and implement a different version of redirectTo that returns a custom Redirect object from the framework I use, to be dispatched to the browser.

However, the login and logout methods return void instead, so I can't use the return value to pass it on.

Thanks.

nameIdFormat or NameIDFormat?

The README uses nameIdFormat which seems consistent with the other settings keys whereas the code actually uses NameIDFormat which is nicely consistent with the XML element name.

Erroneous Response Validating

Hi there,

I have successfully validated a SAML response using OneLogin but, oddly enough, the XML is incorrect. For example,

<Response ID="_02d3e657-c909-432f-93c1-8f0f11f3cbe7" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" IssueInstant="2014-01-16T13:29:12Z" Destination="pop">
<Issuer />https://pop

This is a snippet of the top of the response. I hadn't put the issuer within the XML element, but it validates and logs the user in. If I put it into the element correctly,

<Response ID="_02d3e657-c909-432f-93c1-8f0f11f3cbe7" InResponseTo="_bec424fa5103428909a30ff1e31168327f79474984" Version="2.0" IssueInstant="2014-01-16T13:29:12Z" Destination="pop">
<Issuer>https://pop</Issuer>

It will fail validation. I can literally swap the code to get it working again, but I'm not sure I understand why it makes any difference.

For a start, the Response element isn't signed; it's the assertion that's signed, so anything outside shouldn't affect the validateDigest method, should it? I've been debugging the code and the validateDigest method is indeed getting the Reference element from the Assertion signature and the Assertion element (sans Signature), but it produces a completely different signature when the above Response/Issuer element is formatted as in the latter snippet.

Any ideas??

Many thanks in advance.

Send "Destination" in authn request

ADFS 2.0 complains that when sending signed requests "Destination" should be specified. I'm rather new to SAML and am not sure whether this is an error on my side.

However, adding the destination to Saml2/AuthnRequest solved that issue for me:

     IssueInstant="$issueInstant"
+    Destination="{$idpData['singleSignOnService']['url']}"
     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
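Review bot: the added Destination line splices $idpData['singleSignOnService']['url'] straight into an XML attribute without escaping, so an SSO URL that carries a query string (an `&`) or a double quote produces an AuthnRequest the IdP cannot parse; run the value through htmlspecialchars($url, ENT_QUOTES) before interpolating it. Setting the attribute is otherwise the right response to the ADFS complaint, with the caveat that the IdP compares Destination against the endpoint the request actually reaches, so it must stay the same value used to build the redirect; sourcing it from the singleSignOnService entry, as this line does, keeps the two in step.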

p.s.: Does your library work with ADFS 2.0? So far I've only gotten to the point where my acs tells me that the response signature is invalid (even tried validating it myself, no dice).

Use composer version of xmlseclibs

Hi,

Can you just change this library to use robrichards/xmlseclibs as a composer dependency rather than including a copy of the library, so that we don't get this kind of thing when installing via composer:

Generating autoload files
Warning: Ambiguous class resolution, "XMLSecEnc" was found in both "/vagrant/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php" and "/vagrant/vendor/robrichards/xmlseclibs/src/XMLSecEnc.php", the first will be used.
Warning: Ambiguous class resolution, "XMLSecurityDSig" was found in both "/vagrant/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php" and "/vagrant/vendor/robrichards/xmlseclibs/src/XMLSecurityDSig.php", the first will be used.
Warning: Ambiguous class resolution, "XMLSecurityKey" was found in both "/vagrant/vendor/onelogin/php-saml/extlib/xmlseclibs/xmlseclibs.php" and "/vagrant/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php", the first will be used.

Signature validation failure

I am not very familiar with SAML so please bear with me.

My current environment is ADFS as the IDP and a Laravel 5 app with the aacotroneo/laravel-saml2 package as the SP.

I have everything working except for logout. The logout error is Signature validation failed. Logout Response rejected. The interesting thing here is that I get a success message from ADFS that I have been logged out but for some reason the Signature can't be verified. Another thing that is interesting is that the login method calls the same verifySignature with no errors. Only the logout method is failing.

To make things a little easier to debug here is what my settings look like.

// This variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_host = 'https://adfs-server.com';

return $settings = array(
    /*****
     * Cosmetic settings - controller routes
     **/
    'useRoutes' => true, //include library routes and controllers


    'routesPrefix' => '/saml2',

    /**
     * Where to redirect after logout
     */
    'logoutRoute' => '/logout',

    /**
     * Where to redirect after login if no other option was provided
     */
    'loginRoute' => '/',


    /**
     * Where to redirect on error
     */
    'errorRoute' => '/error',




    /*****
     * One Login Settings
     */



    // If 'strict' is true, the PHP Toolkit will reject unsigned or
    // unencrypted messages when it expects them to be signed or encrypted.
    // It will also reject messages that do not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => false, //@todo: make this depend on laravel config

    // Enable debug mode (to print errors)
    'debug' => true, //@todo: make this depend on laravel config

    // Service Provider Data that we are deploying
    'sp' => array(

        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_TRANSIENT,
        // urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        // urn:oasis:names:tc:SAML:2.0:nameid-format:transient

        // Usually the x509cert and privateKey of the SP are provided by files placed in
        // the certs folder, but they can also be provided with the following parameters
        'x509cert' => '<PRIVATECERT>',
        'privateKey' => '<PRIVATEKEY>',

        //LARAVEL - You don't need to change anything else on the sp
        // Identifier of the SP entity  (must be a URI)
        'entityId' => '', //LARAVEL: This would be set to saml_metadata route
        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array(
            // URL Location where the <Response> from the IdP will be returned
            'url' => '', //LARAVEL: This would be set to saml_acs route
            // SAML protocol binding to be used when returning the <Response>
            // message. The OneLogin Toolkit supports the HTTP-POST binding
            // only for this endpoint
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Specifies info about where and how the <LogoutResponse> message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => array(
            // URL Location where the <LogoutResponse> from the IdP will be returned
            'url' => '', //LARAVEL: This would be set to saml_sls route
            // SAML protocol binding to be used when returning the <LogoutResponse>
            // message. The OneLogin Toolkit supports the HTTP-Redirect binding
            // only for this endpoint
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
    ),

    // Identity Provider Data that we want connect with our SP
    'idp' => array(
        // Identifier of the IdP entity  (must be a URI)
        'entityId' => $idp_host . '/adfs/services/trust',
        // SSO endpoint info of the IdP. (Authentication Request protocol)
        'singleSignOnService' => array(
            // URL Target of the IdP where the SP will send the Authentication Request Message
            'url' => $idp_host . '/adfs/ls/',
            // SAML protocol binding used when sending the <AuthnRequest> to the
            // IdP. The OneLogin Toolkit supports the HTTP-Redirect binding
            // only for this endpoint
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // SLO endpoint info of the IdP.
        'singleLogoutService' => array(
            // URL Location of the IdP where the SP will send the SLO Request
            'url' => $idp_host . '/adfs/ls/',
            // SAML protocol binding to be used when returning the <Response>
            // message.  Onelogin Toolkit supports for this endpoint the
            // HTTP-Redirect binding only
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Public x509 certificate of the IdP
        'x509cert' => '<CERT>',
        /*
         *  Instead of using the whole x509cert you can use a fingerprint
         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
         */
        // 'certFingerprint' => '',
//        'certFingerprintAlgorithm' => 'sha256',
    ),



    /***
     *
     *  OneLogin advanced settings
     *
     *
     */
    // Security settings
    'security' => array(

        /** signatures and encryptions offered */

        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed.              [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,

        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => true,

        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => true,

        /* Sign the Metadata
         False || True (use sp certs) || array (
                                                    keyFileName => 'metadata.key',
                                                    certFileName => 'metadata.crt'
                                                )
        */
        'signMetadata' => false,


        /** signatures and encryptions required **/

        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => true,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed.        [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => true,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,

        // Authentication context.
        // Set to false and no AuthnContext will be sent in the AuthnRequest,
        // Set to true or omit this parameter and you will get an AuthnContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
        'requestedAuthnContext' => false,
    ),

    // Contact information template, it is recommended to supply a technical and support contacts
    'contactPerson' => array(
        'technical' => array(
            'givenName' => 'Support',
            'emailAddress' => '[email protected]'
        ),
        'support' => array(
            'givenName' => 'Support',
            'emailAddress' => '[email protected]'
        ),
    ),

);

If anyone has any suggestions I would greatly appreciate the advice.

Thank you.
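Both ADFS reports on this page (the earlier one whose signature verification fails against the IdP certificate, and this LogoutResponse one) come down to checking a signature on a message carried in a redirect URL. The following is an added example, not php-saml's implementation, of how an HTTP-Redirect binding signature is verified: the IdP signs the URL-encoded SAMLResponse, RelayState and SigAlg parameters in that order, so the SP must verify over the query-string bytes as they arrived rather than over re-encoded values, and must use the digest named in SigAlg (ADFS signs with RSA-SHA256 by default, not RSA-SHA1). The IdP key, self-signed certificate, LogoutResponse body and RelayState are constructed fixtures standing in for certificates/adfs-signing.crt and the real messages.

```php
<?php
// Added example, not php-saml code: check the signature on a SAML message that
// arrived over the HTTP-Redirect binding, such as the ADFS LogoutResponse above.
// The IdP signs the URL-encoded string
//     SAMLResponse=<msg>&RelayState=<state>&SigAlg=<alg>
// so the SP must verify over the query-string bytes exactly as they arrived.

/** Split a raw QUERY_STRING, keeping the values URL-encoded. */
function parseRawQuery(string $query): array
{
    $params = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($name)] = $value;   // value deliberately left encoded
    }
    return $params;
}

/** Rebuild the signed string in the order the binding prescribes. */
function signedDataFromQuery(array $raw): string
{
    $msgParam = isset($raw['SAMLResponse']) ? 'SAMLResponse' : 'SAMLRequest';
    $data = $msgParam . '=' . $raw[$msgParam];
    if (isset($raw['RelayState'])) {
        $data .= '&RelayState=' . $raw['RelayState'];
    }
    return $data . '&SigAlg=' . $raw['SigAlg'];
}

/** Map the SigAlg URI to an OpenSSL digest constant, or null if unsupported. */
function opensslAlgoFor(string $sigAlgUri): ?int
{
    static $map = [
        'http://www.w3.org/2000/09/xmldsig#rsa-sha1'        => OPENSSL_ALGO_SHA1,
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' => OPENSSL_ALGO_SHA256,
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384' => OPENSSL_ALGO_SHA384,
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512' => OPENSSL_ALGO_SHA512,
    ];
    return $map[$sigAlgUri] ?? null;
}

/** True only if Signature verifies over the received parameters with the IdP certificate. */
function verifyRedirectSignature(string $queryString, string $idpCertPem): bool
{
    $raw = parseRawQuery($queryString);
    $hasMessage = isset($raw['SAMLResponse']) || isset($raw['SAMLRequest']);
    if (!$hasMessage || !isset($raw['Signature'], $raw['SigAlg'])) {
        return false;
    }
    $algo      = opensslAlgoFor(urldecode($raw['SigAlg']));
    $signature = base64_decode(urldecode($raw['Signature']), true);
    $publicKey = openssl_pkey_get_public($idpCertPem);   // accepts a PEM certificate
    if ($algo === null || $signature === false || $publicKey === false) {
        return false;
    }
    return openssl_verify(signedDataFromQuery($raw), $signature, $publicKey, $algo) === 1;
}

// ---- Constructed fixture: play the IdP and emit a signed redirect (RSA-SHA256, as ADFS does) ----
$idpKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr    = openssl_csr_new(['commonName' => 'adfs.example.test'], $idpKey, ['digest_alg' => 'sha256']);
$cert   = openssl_csr_sign($csr, null, $idpKey, 1, ['digest_alg' => 'sha256']);
$idpCertPem = '';
openssl_x509_export($cert, $idpCertPem);   // stands in for certificates/adfs-signing.crt

$logoutResponse = '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
                . ' ID="_example" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"/>';
$relayState = 'https://sp.example.test/logout';
$sigAlg     = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
$signedData = 'SAMLResponse=' . urlencode(base64_encode(gzdeflate($logoutResponse)))
            . '&RelayState=' . urlencode($relayState)
            . '&SigAlg=' . urlencode($sigAlg);
openssl_sign($signedData, $sigBytes, $idpKey, OPENSSL_ALGO_SHA256);
$queryString = $signedData . '&Signature=' . urlencode(base64_encode($sigBytes));

// ---- SP side ----
if (!verifyRedirectSignature($queryString, $idpCertPem)) {
    throw new RuntimeException('genuine LogoutResponse failed to verify');
}
// Tampering with a signed parameter (here RelayState) must fail:
$tampered = str_replace('RelayState=' . urlencode($relayState),
                        'RelayState=' . urlencode('https://evil.example/'), $queryString);
if (verifyRedirectSignature($tampered, $idpCertPem)) {
    throw new RuntimeException('tampered RelayState verified');
}
echo "redirect-binding signature checks passed\n";
```

Two things to take from this when debugging a "Signature validation failed" on SLO: feed the verifier the raw QUERY_STRING rather than values pulled from $_GET and re-encoded, since a different percent-encoding of the same RelayState changes the signed bytes; and confirm the SigAlg the IdP actually sent is one the verifier maps, because an unmapped algorithm fails in exactly the same way as a bad signature. A valid signature only proves origin; Destination, InResponseTo and the status code still need to be checked, which is what the strict setting in the configuration above enables.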

Replace mcrypt functionality with openssl

OpenSSL supports more cryptographic algorithms than mcrypt, and is installed by default on most PHP installations. Many distros are now removing support for the mcrypt extension, and mcrypt itself is completely unmaintained.

Retrieve Session Timeout after processResponse

The IdP returns a session timeout with the response, but this is not returned from the library during auth.
Would it not be best to return the response as part of the processResponse() call, or assign it to an internal variable and have a getResponse() function return the class so that the user can extract additional data?

Support ForceAuthn attribute of AuthnRequest

Our organization has a need to use the ForceAuthn attribute along with Okta's support for it for some of our applications, but it looks like this support is missing from OneLogin_Saml2_AuthnRequest.

Any chance this can be added?

ref: https://spaces.internet2.edu/display/InCFederation/2013/12/08/ForceAuthn+or+Not

$ grep -rn ForceAuthn .
./lib/Saml2/schemas/saml-schema-protocol-2.0.xsd:163:                <attribute name="ForceAuthn" type="boolean" use="optional"/>
./tests/data/requests/authn_request.xml:1:<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_ONELOGIN103428909abec424fa58327f79474984" Version="2.0" IssueInstant="2014-11-13T11:39:34Z" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://example.com/acs">
