This code produces FATAL ERROR

585: assert('$key->type === XMLSecurityKey::RSA_SHA1');

It MUST be

585: assert('$key->type === RobRichards\XMLSecLibs\XMLSecurityKey::RSA_SHA1');

Hello!

https://github.com/simplesamlphp/saml2/commits/master/src/SAML2/HTTPRedirect.php

In function receive() always "gzinflate($message);" is executed.

You can have a look here:
https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf
=> 3.4.4.1 DEFLATE Encoding

"SAML protocol messages can be encoded into a URL via the DEFLATE compression method (see
[RFC1951]). "

So a DEFALTE of the message is not a "must-have" for a HTTPRedirect.

I received a pure base64-encoded, NOT deflated SAMLRequest from a SP.
The SimpleSAMLphp-Idp throws the error message:
"Exception: Error while inflating SAML message."

It would be nice, if SimpleSAMLphp can check, if the message is DEFLATED and inflate the massage only if necessary.

The library allows one to configure trusted certificates either in full, or with just the fingerprint. These two ways of working complicate the code significantly, while the advantage of using fingerprints seems marginal. We should therefore transition to only accept full certificates.

Discussion at https://groups.google.com/forum/#!topic/simplesamlphp-dev/MTbTGxAWniw

Sometimes the attribute value for one of the attributes asserted by my Simple SAML IDP has no value in the user store (DB). When this happens the SAML Assertion includes the saml:Attribute but the saml:AttributeValue is empty, for example:

<saml:Attribute Name="sample" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue xsi:type="xs:string"/>
</saml:Attribute>

It seems like the attribute should not be sent in this case, or at least there should be an easy option to not send attributes like this (as an attribute with no value could be interpreted incorrectly by some SPs and the IDP should have control over whether such attributes are released).

I submitted a Pull Request earlier and noticed Travis CI failing the PHP 5.3 tests with the following error:

PHP 5.3 is supported only on Precise.
See https://docs.travis-ci.com/user/reference/trusty#PHP-images on how to test PHP 5.3 on Precise.
Terminating.

For completeness' sake, the referenced page says:

Note: We do not support PHP versions 5.2.x and 5.3.x on Trusty. Specifying it will result in build failure. If you need to test with these versions, use Precise.

.travis.yml:

matrix:
  include:
    - php: 5.2
      dist: precise
    - php: 5.3
      dist: precise

PHPmd seems pretty much abandoned (last version ~ 2yrs ago)..
Given the backlog on https://github.com/phpmd/phpmd, we may want to investigate alternatives
This is especially worrying now that we're moving towards 4.0 / PHP7..

During development I've encountered an issue with phpmd, ultimately their dependencies phpdepend and symfony/dependency-injector: pdepend/pdepend#368

I'd like to integrate this library into my application. However, \SAML2\Configuration\IdentityProvider and \SAML2\Configuration\ServiceProvider are classes.
Is there any interest in converting them to pure interfaces such that one can implement completely custom service/identity provider configuration classes (not based on arrays)? If so, should I submit a pull-request and rename the existing class to QueryableIdentityProvider?

Intent: We'd like to use \SAML2\Assertion\ProcessorBuilder to validate our assertions.

@jaimeperez stated in simplesamlphp/simplesamlphp#874 (comment):

SAML is a quite complicated protocol. The SAML2 library is quite low level, and as such it shouldn't be used unless you have a very good knowledge of SAML as a protocol (as pointed out in the readme file), at which point the library itself is pretty much self-explanatory.

I have to disagree; I've read the spec, I know what I want to do, but even after digging through the code in this repo it's not entirely clear how I would go about doing so using the various bits and pieces. Confusingly (to me), stuff for making a response, adding assertion statements, signing the assertion, and then encrypting the assertion seem spread over multiple files. There doesn't appear to be any obvious or "self-explanatory" way to accomplish what I need to accomplish.

To be clear, I do not need to have an actual functional separate IdP or SP service (which SimpleSAMLphp I think would provide); instead, a third-party I need to integrate with requires using SAML 2.0 to send a user over to their service to complete a transaction. All I need to do is generate the response with the requisite signature and encrypt it and send that payload to my user's browser. But to get all the necessary information into the assertion, I need to integrate with my Wordpress site.

What I would like to do is simply write a function that will generate the proper SAML response, embed that in an HTML form, and send it to my user when they click a particular button. All of the libraries I found (for both PHP and Python, since we have services written in Python as well) seem to be primarily geared towards implementing SP-related functions, so decryption, validating signatures, reading assertions, etc. Even the code here seems to be organized for that purpose, and less for going the other way: creating assertions, signing them, and encrypting them.

I have quite a bit of experience as a technical writer, so I'd be happy to contribute documentation if I had some idea of what steps were needed to accomplish the above.

As the first PHP version which supported namespacing is already EOL, I think it's time to move on and use proper namespaces (like SAML2\Assertion\Processor instead of SAML2_Assertion_Processor).

If desired, I can supply a pull-request.

What I see in the saml message:

<saml:Issuer>.....</saml:Issuer>

What I expect to see in the saml message:

<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">.....</saml:Issuer>

I'm running a SP and my logout requests are failing at my Idp probably because of the missing NS. At least that is what I am being told by them. Can someone help with this ?

The text under "Which version to pick?" in README.md mentions that it is strongly recommended to use the latest stable version of the 2.x range.

With the (relatively) recent release of the 3.x range, I assume that this needs to be updated.

Hello,

you are using SAML2_Utils::generateId() function in example, but there is no a such function. Could you update your example?

Not sure but the use of sspmod_saml_Message class into https://github.com/simplesamlphp/saml2/blob/master/src/SAML2/HTTPArtifact.php#L122 will search for a "SAML2\sspmod_saml_Message" class, since 431576a certainly. Isn't \sspmod_saml_Message to use there ?

- sspmod_saml_Message::addSign($this->spMetadata, $idpMetadata, $ar); // Shoaib - moved from the SOAPClient.
+ \sspmod_saml_Message::addSign($this->spMetadata, $idpMetadata, $ar); // Shoaib - moved from the SOAPClient.

I ran a static code analysis on this codebase and it reported that many of the exceptions defined by this library implement PHP's Throwable interface, but that this interface cannot (should not?) be implemented directly.

Not sure if it actually causes a fatal exception in PHP 7 or not, I'm just reporting what the analysis returned and what the docs say.

ADFS appears to apply a message digest that is NOT compliant with the basic XML parsing and C14N standards. \r\n that appears in AttributeStatements (via ADFS outgoing claims) are used to calculate the message digest. For example, attributes that are commonly multi-line like full address fields.

I'll submit some failing unit tests today as well as my VERY awful workaround.

An exception is being thrown when I attempt to process an assertion. Class 'XMLSecurityKey' not found .../vendor/simplesamlphp/saml2/src/SAML2/Assertion.php(585) : assert code on line 1

If I comment out assert('$key->type === XMLSecurityKey::RSA_SHA1'); the exception goes away.

I am using simplesamlphp/saml2 v2.2 and PHP v5.4.45

simplesamlphp/saml2 depends on robrichards/xmlseclibs and it is using mcrypt_* functions. Therefore, using this library it results into deprecated errors.

Why using Mcrypt is wrong? Read here https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong

Has anybody tested SAML2 with robrichards/xmlseclibs 3.0.0+?

The SAML2 library liberally uses the assert function as an assertion (sort of guard clause). Starting PHP7, this function has been changed to have a possible different implementation, that of defining an expectation, with the ability to preserve the behavior of earlier versions.

Starting in PHP 7.2 the old behavior will be deprecated. Since PHP 5.6 is now security support only and PHP7.1 is considered the current stable version, SAML2 should start working on PHP7 compatibility.

My suggestion would be to remove all assert statements and replace them with as much typehints as possible and use beberlei/assert for any other assert statements.

While trying to add more meaningful messages to some of the typical errors, I've noticed that at some points in the library we are throwing simple exceptions with a message that's not really descriptive of the real problem, nor even translated. For instance, in \SAML2\SOAP::receive():

        $postText = file_get_contents('php://input');

        if (empty($postText)) {
            throw new Exception('Invalid message received to AssertionConsumerService endpoint.');
        }

or in \SAML2\Binding::getCurrentBinding():

        throw new Exception('Unable to find the current binding.');

If these were custom exceptions, we could capture them easily and display a meaningful, translated error message to the user, depending on where we are. Therefore I think we should even move some of the exceptions in SimpleSAMLphp to this library, and extend them with specific ones.

KeyLoader.php#L61 currently interprets the specified fingerprints as file names for certificates.
Is this intended behaviour or is this a bug?

Currently, the following check is made in the method validate(XMLSecurityKey $key):

assert($key->type === \RobRichards\XMLSecLibs\XMLSecurityKey::RSA_SHA1);

This restricts assertion messages to use this specific algorithm.

My suggestion is to just drop this assertion.

As discussed in Valencia, the public properties have to go..
The idea is to include getter/setter functions in a 3.3 release, keeping the properties public.
Then for 4.0 we can add type hints for scalar types, remove assert()s and set the properties to private.

Work on this has started on the gettersetter branch
Strategy is to add the getter/setter methods and then run a grep -R ">property;" * and grep -R ">property =" * to find all assignments/lookups that need to be replaced

Line 350 of /lib/SimpleSAML/SessionHandlerPHP.php is causing notices to be raised in the log files as of PHP 7.2. Would it be possible to fix this so these are no longer raised?

Consider the following code:

/composer.json

{
    "require": {
        "simplesamlphp/saml2": "~3.1.6"
    }
}

/application.php

<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'vendor' . DIRECTORY_SEPARATOR . 'autoload.php';

new \SAML2\Assertion();

After running:

• composer install
• php application.php

you will get the following error:

PHP Fatal error: Uncaught Error: Class 'SimpleSAML_Utilities' not found in /var/www/farmed-saml-example/vendor/simplesamlphp/saml2/src/SAML2/Compat/Ssp/Container.php:36

It looks like the package simplesamlphp/saml2 has a dependency on simplesamlphp/simplesamlphp, however, this is not provided when requiring simplesamlphp/saml2 through composer.

Hi all,

For my current project, I need to relay the SOAP backchannel assertion via a Squid proxy, which isn't natively supported by the saml2 library.

Currently, I have made the following change in src/SAML2/SOAPClient.php. This options array is passed into the new SOAPClient() call.

        $options = array(
            'uri' => $issuer,
            'location' => $msg->getDestination(),
            'stream_context' => $context,
            'proxy_host' => 'proxy-url.com',
            'proxy_port' => 8080,
        );

I want to submit this as a pull request, but aren't quite clear on the coupling. My proposal is to include new fields on the SAML2_Message object $msg that is passed into SOAPClient::send() for getting the proxyHost and proxyPort, and only set them in the $options array if they exist in the message.

That way, in src/SAML2/HTTPArtifact.php I can pull the required proxy options through the metadata retriever, and set them in the SAML2_Message. Then, I'd need to submit another pull request to the simplesamlphp/simplesamlphp project adding those variables to the metadata-examples folder for the saml20-idp-remote.php file.

Does this make sense, before I go ahead and make the changes? Because it requires interaction between two modules, I thought I'd outline my suggestion before making the change.

Thanks!

Hi,

I want use this library for add SAML2 capabilities at my IdP but I cannot receive the HTTPPost bindings.

( ! ) Fatal error: Class 'SimpleSAML_Utilities' not found in /src/vendor/simplesamlphp/saml2/src/SAML2/Compat/Ssp/Container.php on line 44
Call Stack
#	Time	Memory	Function	Location
1	0.0007	240896	{main}( )	.../ssosaml.php:0
2	0.1345	1170024	SAML2\HTTPPost->receive( )	.../ssosaml.php:18
3	0.1375	1197880	SAML2\Compat\Ssp\Container->debugMessage( )	.../HTTPPost.php:71

The SimpleSAML_Utilities is not an saml2 library component.

How to ?

Thanks in advance

Dear all,

When will the next release be made so I can make use of the XMLSecLibs V3.0.0? This is required for php 7.1 support. It is quite urgent and I do not want to use master as a branch for release.

I get the following exception if I attempt to process a Response that is not signed. Uncaught exception 'SAML2\Response\Exception\UnsignedResponseException' with message 'Both the response and the assertion it containes are not signed.' in .../vendor/simplesamlphp/saml2/src/SAML2/Response/Processor.php:150

I should be able to process unsigned responses, right?

Using simplesamlphp/saml2 v2.2 on PHP 5.4.45

Call to a member function debug() on a non-object in /Users/amichels/projects/caringbridge/xsaml/vendor/simplesamlphp/saml2/src/SAML2/Assertion/Transformer/NameIdDecryptionTransformer.php on line 63

It looks like you forgot to set $this->logger = $logger in the constructor for NameIdDecryptionTransformer.

Using simplesamlphp/saml2 v2.2 on PHP 5.4.45

Unfortunately 3.2.4 is broken due to 49c1830

39ede7d
and
0e6632e

Have addressed some of those issues, but it would helpful to know when it will be tagged because some projects (i.e. simplesamlphp) will cause the most recent stable to be installed.

Hi,

First of all I would like to thank you for that library !

I was looking creating an identity provider on a Symfony application. As I didn't found anything relevant, I decided to create one.

If you're interested about my changes you could take a look at https://github.com/AdactiveSAS/saml2-bridge-bundle.

The fact is that I'm new with SAML although I read the whole specification. So I'm trying make some noise in order to attract some people interested to help us evolved that project.

Anyway I would be happy to discuss with you about it.

Is there a still a dependency on the mcrypt extension for this library? When running the test suite without the mcrypt module the following errors occur:

There were 8 errors:
1) SAML2\AssertionTest::testEncryptedAttributeValuesWithComplexTypeValuesAreParsedCorrectly
Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128'
/usr/share/php/RobRichards/XMLSecLibs/XMLSecurityKey.php:136
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Assertion.php:1620
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Assertion.php:1354
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AssertionTest.php:744
2) SAML2\AssertionTest::testTypedEncryptedAttributeValuesAreParsedCorrectly
Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128'
/usr/share/php/RobRichards/XMLSecLibs/XMLSecurityKey.php:136
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Assertion.php:1620
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Assertion.php:1354
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AssertionTest.php:789
3) SAML2\AssertionTest::testNameIdEncryption
Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128'
/usr/share/php/RobRichards/XMLSecLibs/XMLSecurityKey.php:122
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Assertion.php:765
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AssertionTest.php:1574
4) SAML2\AuthnRequestTest::testThatAnEncryptedNameIdCanBeDecrypted
Exception: Failed to decrypt XML element.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:558
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/AuthnRequest.php:655
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AuthnRequestTest.php:178
Caused by
Exception: Could not locate key algorithm in encrypted data.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:413
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:551
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/AuthnRequest.php:655
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AuthnRequestTest.php:178
5) SAML2\AuthnRequestTest::testThatAnEncryptedNameIdResultsInTheCorrectXmlStructure
Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128'
/usr/share/php/RobRichards/XMLSecLibs/XMLSecurityKey.php:122
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/AuthnRequest.php:634
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/AuthnRequestTest.php:203
6) SAML2\LogoutRequestTest::testUnmarshalling
Exception: Failed to decrypt XML element.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:558
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/LogoutRequest.php:164
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/LogoutRequestTest.php:88
Caused by
Exception: Could not locate key algorithm in encrypted data.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:413
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:551
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/LogoutRequest.php:164
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/LogoutRequestTest.php:88
7) SAML2\LogoutRequestTest::testEncryptedNameId
Use of undefined constant MCRYPT_RIJNDAEL_128 - assumed 'MCRYPT_RIJNDAEL_128'
/usr/share/php/RobRichards/XMLSecLibs/XMLSecurityKey.php:122
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/LogoutRequest.php:142
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/LogoutRequestTest.php:98
8) SAML2\LogoutRequestTest::testDecryptingNameId
Exception: Failed to decrypt XML element.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:558
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/LogoutRequest.php:164
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/LogoutRequestTest.php:112
Caused by
Exception: Could not locate key algorithm in encrypted data.
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:413
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/Utils.php:551
/builddir/build/BUILDROOT/php-simplesamlphp-saml2_3-3.0.2-1.fc27.x86_64/usr/share/php/SAML2_3/LogoutRequest.php:164
/builddir/build/BUILD/saml2-bacad25473258cfefb7a7fd418cc5f8a22cda0a1/tests/SAML2/LogoutRequestTest.php:112

Seeing that PHP5.6 has reached the end of it's active support period as of January 19th 2017 and PHP7.1 is considered the current stable version, I would like to propose a schedule for starting support of features only available in PHP7.

As a timeline, I propose the following:

As of July 19th 2017 (6 months after active support for PHP5.6 ended) we no longer actively support PHP 5.6 in development and create a PHP5.6 compatible branch.
After that, we allow the introduction of PHP7 only features (e.g. return type declarations and scalar typehints) in the master development and thus effectively no longer actively support PHP5.6. This also means a new major should be released.
We should support the 5.6 compatible branch until December 31st 2018 (end of security updates period for PHP 5.6) with bugfixes and security updates only .

This means three things:

1. Active work on PHP7 support can be started on a non-master branch
2. There is a clear Supported PHP Versions timeline (which can be communicated)
3. There still are 6 months to ensure that any code can work with PHP7.

As to the limited support (bugfixes and security updates only), this is a deliberate choice - it should not be encouraged to use unsupported and possibly insecure versions of PHP.

Thoughts?

The last 2 prs we have had ( #36 and #38 ) have both been for allowing the ommission of the timezone 'Z' in datetimes.

While this appears to be a bug in the spec it's clear that there are faulty implementations out there. As someone who is often asked to 'just make things work' I very much favor the Robustness principle here. Otherwise we might be encouraging developers to fork.

We could introduce a configuration option "Non Standard Date Time" and make the SAML2 lib use a different strategy for parsing date times if that is set?
At least we should document this more clearly in the code.

Hi,

I'm trying to do some pretty basic IDP code ($class->receive()) and I get this:

Fatal error: Class 'SimpleSAML_Utilities' not found in /vagrant/vendor/simplesamlphp/saml2/src/SAML2/Compat/Ssp/Container.php on line 39

That's this:

SimpleSAML_Utilities::debugMessage($message, $type);

Far as I can tell the SimpleSAML_Utilities class simply does not exist.

Hello,
I stumbled upon what appears to be a bug to me, please correct me if I'm wrong.
According to the specs, the AuthnResponse is not required to carry the signature inside the SAML message itself in the case of HTTP-Redirect (where the signature can be done via the query parameters). Actually, an IDP implemented with this library does precisely that : when generating an AuthnResponse using Redirect binding, the SAMLResponse body is left unsigned while the signature correctly appears among query parameters (comparing HTTPRedirect.php and HTTPPost.php).
The problem is, when such Response is treated by the lib, the Response/Processor isn't happy if there is no signature either at root or in assertions, whereas this response does comply with the specification and carries the signature in the query parameters.
I didn't start a discussion over a pull request because I'm not sure which is the best solution, but the ones I am thinking about are :

1. Simply remove the whole block if (!$response->isMessageConstructedWithSignature()) in Response/Processor::verifySignature. The HTTPRedirect adds the correct validator from query params to the Message so if it's invalid there will be an Exception anyway (I checked)
2. In a similar manner, remove the check in Response/Processor::verifySignature
3. If there is a real need to keep the verifications above, add a method (Message.php) to check if there is a validator based on function name ("validateSignature"), and add it as requirement to be unhappy along one of the verifications above.

Anyway, even though HTTP-Post is more common because of the length that can attain the encoded SAML message, in my humble opinion HTTP-Redirect deserves some love too - but maybe I'm missing something here.

Best regards,
Artem

Undefined class constant 'NAME_NEW' in /Users/amichels/projects/caringbridge/xsaml/vendor/simplesamlphp/saml2/src/SAML2/Certificate/PrivateKeyLoader.php on line 49

It looks like maybe PrivateKeyLoader line 49 should be using PrivateKeyConfiguration::NAME_NEW instead of PrivateKey::NAME_NEW.

With simplesamlphp/saml2 v2.2 on PHP 5.4.45

So often I've had to debug a signature failure to discover the wrong key had been used.
It would be nice if the KeyInfo from the Signature was used to compare against the public key of the pair we're using to validate the signature.

I can't see any reason not to, can you @jaimeperez or @pmeulen ?

Running SimpleSAMLphp 1.15 (RC1/2) as SP, against older version SimpleSAMLphp 1.8 as IdP. Gets the following "Received message" which fails at "SAML2\Assertion::parseAttributeValue".

12:03:57 DEBUG <saml:Subject>
12:03:57 DEBUG <saml:NameID SPNameQualifier="sp/" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">---identical---</saml:NameID>
12:03:57 DEBUG <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
12:03:57 DEBUG <saml:SubjectConfirmationData NotOnOrAfter="2017-10-27T10:08:56Z" Recipient="sp/module.php/saml/sp/saml2-acs.php/default-sp" InResponseTo="_snip"/>
12:03:57 DEBUG </saml:SubjectConfirmation>
12:03:57 DEBUG </saml:Subject>

12:03:57 DEBUG <saml:AttributeStatement>
12:03:57 DEBUG <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
12:03:57 DEBUG <saml:AttributeValue xsi:type="xs:string”>[email protected]</saml:AttributeValue>
12:03:57 DEBUG </saml:Attribute>
12:03:57 DEBUG <saml:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
12:03:57 DEBUG <saml:AttributeValue xsi:type="xs:string”>g s</saml:AttributeValue>
12:03:57 DEBUG </saml:Attribute>
12:03:57 DEBUG <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
12:03:57 DEBUG <saml:AttributeValue xsi:type="xs:string">---identical---</saml:AttributeValue>
12:03:57 DEBUG </saml:Attribute>
12:03:58 DEBUG </saml:AttributeStatement>
12:03:58 DEBUG </saml:Assertion>
12:03:58 DEBUG </samlp:Response>
12:03:58 ERROR SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
12:03:58 ERROR Backtrace:
12:03:58 ERROR 1 simplesamlphp\www_include.php:45 (SimpleSAML_exception_handler)
12:03:58 ERROR 0 [builtin] (N/A)
12:03:58 ERROR Caused by: SAML2\Exception\RuntimeException: A "urn:oid:1.3.6.1.4.1.5923.1.1.1.10" (EPTI) attribute value must be a NameID, none found for value no. "0"
12:03:58 ERROR Backtrace:
12:03:58 ERROR 7 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\Assertion.php:539 (SAML2\Assertion::parseAttributeValue)
12:03:58 ERROR 6 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\Assertion.php:521 (SAML2\Assertion::parseAttributes)
12:03:58 ERROR 5 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\Assertion.php:280 (SAML2\Assertion::__construct)
12:03:58 ERROR 4 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\Response.php:38 (SAML2\Response::__construct)
12:03:58 ERROR 3 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\Message.php:578 (SAML2\Message::fromXML)
12:03:58 ERROR 2 simplesamlphp\vendor\simplesamlphp\saml2\src\SAML2\HTTPPost.php:76 (SAML2\HTTPPost::receive)
12:03:58 ERROR 1 simplesamlphp\modules\saml\www\sp\saml2-acs.php:31 (require)
12:03:58 ERROR 0 simplesamlphp\www\module.php:135 (N/A)

    private function parseSubject(\DOMElement $xml)
    {
        $subject = Utils::xpQuery($xml, './saml_assertion:Subject');
        if (empty($subject)) {
            /* No Subject node. */
            return;
        } elseif (count($subject) > 1) {
            throw new \Exception('More than one <saml:Subject> in <saml:Assertion>.');
        }
        $subject = $subject[0];
        $nameId = Utils::xpQuery(
            $subject,
            './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData'
        );
        if (count($nameId) > 1) {
            throw new \Exception('More than one <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
        } elseif (!empty($nameId)) {
            $nameId = $nameId[0];
            if ($nameId->localName === 'EncryptedData') {
                /* The NameID element is encrypted. */
                $this->encryptedNameId = $nameId;
            } else {
                $this->nameId = new XML\saml\NameID($nameId);
            }
        }
        $subjectConfirmation = Utils::xpQuery($subject, './saml_assertion:SubjectConfirmation');
        if (empty($subjectConfirmation) && empty($nameId)) {
            throw new \Exception('Missing <saml:SubjectConfirmation> in <saml:Subject>.');
        }
        foreach ($subjectConfirmation as $sc) {
            $this->SubjectConfirmation[] = new SubjectConfirmation($sc);
        }
    }

https://github.com/simplesamlphp/saml2/blob/v3.0.2/src/SAML2/Assertion.php#L291

    private function parseAttributeValue($attribute, $attributeName)
    {
        /** @var \DOMElement[] $values */
        $values = Utils::xpQuery($attribute, './saml_assertion:AttributeValue');
        if ($attributeName === Constants::EPTI_URN_MACE || $attributeName === Constants::EPTI_URN_OID) {
            foreach ($values as $index => $eptiAttributeValue) {
                $eptiNameId = Utils::xpQuery($eptiAttributeValue, './saml_assertion:NameID');
                if (count($eptiNameId) !== 1) {
                    throw new RuntimeException(sprintf(
                        'A "%s" (EPTI) attribute value must be a NameID, none found for value no. "%d"',
                        $attributeName,
                        $index
                    ));
                }
                $this->attributes[$attributeName][] = new XML\saml\NameID($eptiNameId[0]);
            }
            return;
        }
        foreach ($values as $value) {
            $hasNonTextChildElements = false;
            foreach ($value->childNodes as $childNode) {
                /** @var \DOMNode $childNode */
                if ($childNode->nodeType !== XML_TEXT_NODE) {
                    $hasNonTextChildElements = true;
                    break;
                }
            }
            if ($hasNonTextChildElements) {
                $this->attributes[$attributeName][] = $value->childNodes;
                continue;
            }
            $type = $value->getAttribute('xsi:type');
            if ($type === 'xs:integer') {
                $this->attributes[$attributeName][] = (int)$value->textContent;
            } else {
                $this->attributes[$attributeName][] = trim($value->textContent);
            }
        }
    }

https://github.com/simplesamlphp/saml2/blob/v3.0.2/src/SAML2/Assertion.php#L529

We are implementing a SAML2 SP to connect SAML2 to SPID (a sort of italian national sso). We encountered a major issue: SPID requires
"NameQualifier" and "Format" attributes in the Issuer section like:

<saml:Issuer NameQualifier="..(string).." Format="..(string).."> {issuer string value} </saml:Issuer>

but we cant set these parameters (optionals in standard specs).

Line 432 (commit b21340c), file: ./saml2/src/SAML2/Message.php:

the code/configuration doesn't allow to add attributes to the saml:Issuer element but only the issuer value (string)

Thanks a lot for the support

When the XSI namespace tag is introduced while parsing an EncryptedAssertion, if a child node has XSI in the prefix list the verification fails.

This only happens when PHP's internal C14N is used by xmlseclibs - the pre 5.2 workaround correctly discards the added namespace when verifying the signature.

This issue also exists in the other proposed XML security library I think.

Several forks of Rob Richards XML Security library were attempted, the fork by Andreas Schamberger seems to be the one most far along.

Maybe we could switch?

The PSR defined interface method public function log($level, $message, array $context = array()); takes a log level. PSR-3 defines the log levels as strings

https://github.com/php-fig/log/blob/3490ba5925e6dcbe6de950c5c6b8dce9f6e96eda/Psr/Log/LogLevel.php#L10-L17

The ssp compatibility logger uses a case statement with and compares them to the SSP const log levels with are ints. As a result there are no matches and nothing gets logged.

the log method should probably also handle the $context array in a similar fashion to the other methods.

The Simplesamlphp SP does not accept multipe saml:AuthnStatement. Instead, it throws the following error:

Backtrace:
0 www/module.php:170 (N/A)
Caused by: Exception: More that one <saml:AuthnStatement> in <saml:Assertion> not supported.
Backtrace:
6 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:384 (SAML2_Assertion::parseAuthnStatement)
5 vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:254 (SAML2_Assertion::__construct)
4 vendor/simplesamlphp/saml2/src/SAML2/Response.php:36 (SAML2_Response::__construct)
3 vendor/simplesamlphp/saml2/src/SAML2/Message.php:547 (SAML2_Message::fromXML)
2 vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php:74 (SAML2_HTTPPost::receive)
1 modules/saml/www/sp/saml2-acs.php:31 (require)
0 www/module.php:127 (N/A)

When validating signatures, I am usually in the following situation:

• I have a public key needed to validate the signature, as base64 encoded string.
• I have the SignedElement (e.g. a message or a metadata document).
• I want to validate the signature on the signed element.

In this case, I am facing the problem of finding out the signature algorithm. The XMLSecurityKey needs a type, which MUST match the type use to create the signature. However, there is no easy way of finding out that type, so I have to get that algorithm depending on the actual type of the element that I am validating.

This could be fixed by adding a method getSignatureMethod to the SignedElement interface.

I get this error when I run composer update

simplesamlphp/saml2 v0.1.0-alpha requires robrichards/xmlseclibs 1.3.* -> no matching package found.

the composer dependency is declared like this

"simplesamlphp/saml2": "0.1.*"

I am not that familiar with how composer works, however, by looking at the composer.lock I see that it wants to reference revision 50

"reference": "trunk@50"

and when I navigate to

http://xmlseclibs.googlecode.com/svn/

it shows that trunk is at revision 52, so my guess is that the reference needs to be updated.

Today I noticed that simplesaml (branch master) was not able to parse metadata from edugain federation (http://www.garr.it/idem-metadata/edugain2idem-metadata-sha256.xml) on a preprod environment. After some debugging I noticed that parsing terminates with no errors on this line

For instance with https://shib.manchester.ac.uk/shibboleth - this is a print of the node element that generates the failure

DOMElement Object
(
[tagName] => mdrpi:RegistrationInfo
[schemaTypeInfo] =>
[nodeName] => mdrpi:RegistrationInfo
[nodeValue] =>
http://ukfederation.org.uk/doc/mdrps-20130902

[nodeType] => 1
[parentNode] => (object value omitted)
[childNodes] => (object value omitted)
[firstChild] => (object value omitted)
[lastChild] => (object value omitted)
[previousSibling] => (object value omitted)
[nextSibling] => (object value omitted)
[attributes] => (object value omitted)
[ownerDocument] => (object value omitted)
[namespaceURI] => urn:oasis:names:tc:SAML:metadata:rpi
[prefix] => mdrpi
[localName] => RegistrationInfo
[baseURI] => /var/simplesamlphp/
[textContent] => 
	http://ukfederation.org.uk/doc/mdrps-20130902

)

I get no error at all, so I have no useful clues.

It does not seem a php memory limit issue.

Probably this is not a good way to report a bug, and almost certainly I should stop messing with not released version of simplesaml...

SAML2 library does not support reading or writing of the Consent attribute on SAML2 messages.

See also: https://code.google.com/p/simplesamlphp/issues/detail?id=588

is possible create a new release with latest commit?
thanks

According to schemas/saml-schema-protocol-2.0.xsd, the Extensions element in AuthnRequest XML is defined in a sequence of the base type

<complexType name="RequestAbstractType" abstract="true">
    <sequence>
        <element ref="saml:Issuer" minOccurs="0"/>
        <element ref="ds:Signature" minOccurs="0"/>
        <element ref="samlp:Extensions" minOccurs="0"/>
    </sequence>
    ...

The relevant portion of the AuthnRequest schema definition is

<element name="AuthnRequest" type="samlp:AuthnRequestType"/>
<complexType name="AuthnRequestType">
    <complexContent>
        <extension base="samlp:RequestAbstractType">
            <sequence>
                <element ref="saml:Subject" minOccurs="0"/>
                <element ref="samlp:NameIDPolicy" minOccurs="0"/>
                <element ref="saml:Conditions" minOccurs="0"/>
                <element ref="samlp:RequestedAuthnContext" minOccurs="0"/>
                <element ref="samlp:Scoping" minOccurs="0"/>
            </sequence>
            ...

In the toUnsignedXML method of src/SAML2/AuthnRequest.php, the Extensions element is being appended after the NameIdPolicy element. This is causing a validation error in my OpenAM IDP.

I tried moving the Extensions XML code right before the NameIdPolicy XML code and it seems to fix the problem.