aerialship / lightsaml Goto Github PK

View Code? Open in Web Editor NEW

40.0 40.0 26.0 307 KB

SAML 2.0 PHP Library - new version available at

Home Page: http://www.lightsaml.com/

License: MIT License

PHP 99.91% Batchfile 0.09%

lightsaml's People

Contributors

Stargazers

Watchers

lightsaml's Issues

AuthnRequest send and Response receive bidnings and url

Related to aerialship/SamlSPBundle#24

Case 1

IDP:
    SSO:
        binding: A
        url: sso1
SP:
    ACS:
        binding: B
        url: acs1
spMeta: ~

AuthnRequest:
    sent:
        binding: A
        url: sso1
    content:
        acsURL: acs1
        binding: B

Case 2

IDP:
    SSO:
        binding: A
        url: sso1
    SSO:
        binding: B
        url: sso2
SP:
    ACS:
        binding: C
        url: acs1
    ACS:
        binding: D
        url: acs2
spMeta: ~

AuthnRequest:
    sent:
        binding: A
        url: sso1
    content:
        acsURL: acs1
        binding: C

Case 3

IDP:
    SSO:
        binding: A
        url: sso1
    SSO:
        binding: B
        url: sso2
SP:
    ACS:
        binding: C
        url: acs1
    ACS:
        binding: D
        url: acs2
spMeta: 
    authnRequestBinding: B
    responseBinding: D

AuthnRequest:
    sent:
        binding: B
        url: sso2
    content:
        acsURL: acs2
        binding: D

Case 4

IDP:
    SSO:
        binding: A
        url: sso1
    SSO:
        binding: B
        url: sso2
SP:
    ACS:
        binding: C
        url: acs1
    ACS:
        binding: D
        url: acs2
spMeta: 
    authnRequestBinding: X

Exception:
    IDP does not have SSO with binding X

Case 5

IDP:
    SSO:
        binding: A
        url: sso1
    SSO:
        binding: B
        url: sso2
SP:
    ACS:
        binding: C
        url: acs1
    ACS:
        binding: D
        url: acs2
spMeta: 
    responseBinding: X

Exception:
    SP does not have ACS with binding X

Improve code metrix

https://scrutinizer-ci.com/g/aerialship/lightsaml/code-structure/
D Assertion::loadFromXml()
D BindingDetector::getBinding()
D Message::fromXML()
D HttpRedirect::processData()
D HttpRedirect::getRedirectURL()
D KeyDescriptor::loadFromXml()
D SignatureXmlValidator::validate()
C BuildSPMetadataCommand::execute()
C Assertion::prepareForXml()
C Subject::loadFromXml()

Helper tool to generate SP metadata xml

Missing SignatureMethod element

When assertion Signature node is

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <Reference URI="#_e94689e6-8732-4742-8ed0-8203724bbc8a">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <DigestValue>1045FRLuqjlphyRNJxUfIhlg1ZNyaRz/tg1X/a30vpA=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>...</SignatureValue>
            <KeyInfo>
                <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
            </KeyInfo>
        </Signature>

on response validation getting the error:
Warning: DOMXPath::query(): Undefined namespace prefix in aerialship/lightsaml/src/AerialShip/LightSaml/Model/XmlDSig/SignatureXmlValidator.php on line 174
Notice: Trying to get property of non-object in aerialship/lightsaml/src/AerialShip/LightSaml/Model/XmlDSig/SignatureXmlValidator.php on line 175

and exception
Missing SignatureMethod element

Expected Protocol/Response type but got nothing

This error happens when the user goes back in the browser and ends up in app_dev.php/saml/sp/acs. Apparently a simple request to the acs throws a 500 error and that it's not the desired behavior. Ideally the user has to be redirected to the application again.

Here is my trace:

[1] RuntimeException: Expected Protocol/Response type but got nothing
    at n/a
        in /srv/qcm/wwwroot/vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/Bridge/AssertionConsumer.php line 99

    at AerialShip\SamlSPBundle\Bridge\AssertionConsumer->getSamlResponse(object(Request))
        in /srv/qcm/wwwroot/vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/Bridge/AssertionConsumer.php line 72

    at AerialShip\SamlSPBundle\Bridge\AssertionConsumer->manage(object(Request))
        in /srv/qcm/wwwroot/vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/RelyingParty/RelyingPartyCollection.php line 41

    at AerialShip\SamlSPBundle\RelyingParty\RelyingPartyCollection->manage(object(Request))
        in /srv/qcm/wwwroot/vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/Security/Http/Firewall/SamlSpAuthenticationListener.php line 64

    at AerialShip\SamlSPBundle\Security\Http\Firewall\SamlSpAuthenticationListener->attemptAuthentication(object(Request))
        in /srv/qcm/wwwroot/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AbstractAuthenticationListener.php line 145

    at Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener->handle(object(GetResponseEvent))
        in /srv/qcm/wwwroot/app/cache/dev/classes.php line 2454

    at Symfony\Component\Security\Http\Firewall->onKernelRequest(object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in  line 

    at call_user_func(array(object(Firewall), 'onKernelRequest'), object(GetResponseEvent), 'kernel.request', object(TraceableEventDispatcher))
        in /srv/qcm/wwwroot/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Debug/TraceableEventDispatcher.php line 392

    at Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher->Symfony\Component\HttpKernel\Debug\{closure}(object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in  line 

    at call_user_func(object(Closure), object(GetResponseEvent), 'kernel.request', object(ContainerAwareEventDispatcher))
        in /srv/qcm/wwwroot/app/cache/dev/classes.php line 1747

    at Symfony\Component\EventDispatcher\EventDispatcher->doDispatch(array(object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure), object(Closure)), 'kernel.request', object(GetResponseEvent))
        in /srv/qcm/wwwroot/app/cache/dev/classes.php line 1680

    at Symfony\Component\EventDispatcher\EventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /srv/qcm/wwwroot/app/cache/dev/classes.php line 1844

    at Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /srv/qcm/wwwroot/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Debug/TraceableEventDispatcher.php line 139

    at Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher->dispatch('kernel.request', object(GetResponseEvent))
        in /srv/qcm/wwwroot/app/bootstrap.php.cache line 2900

    at Symfony\Component\HttpKernel\HttpKernel->handleRaw(object(Request), '1')
        in /srv/qcm/wwwroot/app/bootstrap.php.cache line 2883

    at Symfony\Component\HttpKernel\HttpKernel->handle(object(Request), '1', true)
        in /srv/qcm/wwwroot/app/bootstrap.php.cache line 3022

    at Symfony\Component\HttpKernel\DependencyInjection\ContainerAwareHttpKernel->handle(object(Request), '1', true)
        in /srv/qcm/wwwroot/app/bootstrap.php.cache line 2303

    at Symfony\Component\HttpKernel\Kernel->handle(object(Request))
        in /srv/qcm/wwwroot/web/app_dev.php line 28

Thanks a lot for your help
Regards

key param cannot be coerced into a private key

Warning: openssl_sign(): supplied key param cannot be coerced into a private key in vendor\rnijveld\xmlseclibs\xmlseclibs.php line 502
at vendor\rnijveld\xmlseclibs\xmlseclibs.php line 502

Happens due to formatter certificate, when trimmed to one line, it works fine

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://meere.internal.forgerock.com:8080/OpenAM" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/ArtifactResolver/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://meere.internal.forgerock.com:8080/OpenAM/IDPSloRedirect/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPSloPOST/metaAlias/idp" ResponseLocation="http://meere.internal.forgerock.com:8080/OpenAM/IDPSloPOST/metaAlias/idp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPSloSoap/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPMniRedirect/metaAlias/idp" ResponseLocation="http://meere.internal.forgerock.com:8080/OpenAM/IDPMniRedirect/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPMniPOST/metaAlias/idp" ResponseLocation="http://meere.internal.forgerock.com:8080/OpenAM/IDPMniPOST/metaAlias/idp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/IDPMniSoap/metaAlias/idp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://meere.internal.forgerock.com:8080/OpenAM/SSORedirect/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://meere.internal.forgerock.com:8080/OpenAM/SSOPOST/metaAlias/idp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/SSOSoap/metaAlias/idp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/NIMSoap/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://meere.internal.forgerock.com:8080/OpenAM/AIDReqSoap/IDPRole/metaAlias/idp"/>
        <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://meere.internal.forgerock.com:8080/OpenAM/AIDReqUri/IDPRole/metaAlias/idp"/>
    </IDPSSODescriptor>
</EntityDescriptor>

[Insight] Commented code should not be commited

in src/AerialShip/LightSaml/Model/Protocol/LogoutRequest.php, line 132

Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

            $sessionIndex = $context->getDocument()->createElementNS(Protocol::SAML2, 'samlp:SessionIndex', $this->getSessionIndex());
            $result->appendChild($sessionIndex);
        }
//        if ($signatureCreator = $this->getSignature()) {
//            if (!$signatureCreator instanceof SignatureCreator) {
//                throw new \RuntimeException('Signature must be SignatureCreator');
//            }
//            $signatureCreator->getXml($result, $context);
//        }
        return $result;
    }

Posted from SensioLabsInsight

Documentation error

The documentation regarding the signing of messages (https://github.com/aerialship/lightsaml/blob/master/doc/signing_and_certificates.md), states that the call to create a private key can be done as:

$privateKey = KeyHelper::createPrivateKey($filename, $pass);

When you pass a filename as first parameter to createPrivateKey though, you have to set the third parameter to 'true' too:

static function createPrivateKey($key, $passphrase, $isFile = false, $isCert = false)

The XMLSeclibs will otherwise set the filename itself as the key instead of loading the file's contents.

Write binding tests for Response and LogoutRequest

So far only AuthnRequest is covered with Binding tests. Should write binding tests for Response and LogoutRequest too.

[composer] no dev-master tag ?

Hi,

I try to use SamlSPBundle, but it requires lightsaml#dev-master, but lightsaml do not have dev-master git tag, just a 1.0.1 release. Should we not have either a dev-master tag or update SamlSPBundle ?

Thx

PS: composer errors

Your requirements could not be resolved to an installable set of packages.

Problem 1
- Installation request for aerialship/saml-sp-bundle dev-master -> satisfiable by aerialship/saml-sp-bundle[dev-master].
- aerialship/saml-sp-bundle dev-master requires aerialship/lightsaml dev-master -> no matching package found.
Problem 2
- aerialship/saml-sp-bundle dev-master requires aerialship/lightsaml dev-master -> no matching package found.
- symfony/framework-standard-edition 2.4.x-dev requires aerialship/saml-sp-bundle dev-master -> satisfiable by aerialship/saml-sp-bundle[dev-master].
- Installation request for symfony/framework-standard-edition 2.4.x-dev -> satisfiable by symfony/framework-standard-edition[2.4.x-dev].

[Insight] Commented code should not be commited

in src/AerialShip/LightSaml/Model/Protocol/LogoutRequest.php, line 134

Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

        }
//        if ($signatureCreator = $this->getSignature()) {
//            if (!$signatureCreator instanceof SignatureCreator) {
//                throw new \RuntimeException('Signature must be SignatureCreator');
//            }
//            $signatureCreator->getXml($result, $context);
//        }
        return $result;
    }

    /**

Posted from SensioLabsInsight

Update requirements pls - PHP 5.4 required

https://packagist.org/packages/aerialship/lightsaml claims that PHP >= 5.3.3 is required, while lib uses XmlChildrenLoaderTrait (PHP 5.4 feature).

Cheers
v.

Logout Request Builder

LogoutRequestBuilder::getDestination() does not return always string

Logging of sent/received messages in Binding

It should be possible to intercept decoded saml message before deserialization in case of receive, or after serialization in case of sending in the binding class.

Session Index

I get the following error,

SQLSTATE[23000]: Integrity constraint violation: 1048 Column 'session_index' cannot be null

I am kind of new to SAML, and from my understanding the session_index is sent in the SAML response(however my current IDP does not send that attribute, I am using salesforce) to implement a single logout. I don't want to implement single logout, it seems to me that the session_index property should allow nulls ???

Bundle specifies dependency on php 5.3 while using traits

.... which are php 5.4 language feature

IdP initiated sign on

SAML allows a user sign on request to start at the IdP. Currently this does not appear to be supported by LightSAML. PR #15 goes part of the way by making the InResponseTo attribute optional but the next problem is that LightSAML can't match the response to a request (since there was no request) and throws a 'Got response to a request that was not made' exception.

I can get around this and sign on successfully if I comment out the checks in AssertionConsumer::validateState but I'm wondering what the security implications of this are. Why is it necessary to check that the response has a corresponding request?

Support for metadata with leading XML comment

Trying to load metadata from: https://engine.surfconext.nl/authentication/idp/metadata yields the following error:

Catchable Fatal Error: Argument 1 passed to 
AerialShip\LightSaml\Model\Metadata\EntityDescriptor::loadFromXml() 
must be an instance of DOMElement, instance of DOMComment given, called in 
/vagrant/vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/Config/EntityDescriptorFileProvider.php 
on line 91 and defined in 
/vagrant/vendor/aerialship/lightsaml/src/AerialShip/LightSaml/Model/Metadata/EntityDescriptor.php 
line 156

It appears to fail at the leading XML comment which is required by eduGain.

Is there any detailed documentation available for beginners?

LightSaml matches my requirements straight forward. But the steps to install and use the classes will be highly helpful for beginners.

Support for EntitiesDescriptor element

Model support for EntitiesDescriptor http://www.testshib.org/metadata/testshib-providers.xml

Linked with aerialship/SamlSPBundle#12

Audience conditions in the assertion xml do not have the saml: prefix

Without a default namespace all elements must have the proper prefix, in my case Salesforce rejected the assertion due to a missing audience.

Patching the assertion class fixed the issue:

class Assertion implements GetXmlInterface, LoadFromXmlInterface {
    /* ... */
    function getXml(\DOMNode $parent, SerializationContext $context) {
        /* ... */
        if ($this->getValidAudience()) {
-            $audienceRestrictionNode = $context->getDocument()->createElement('AudienceRestriction');
+            $audienceRestrictionNode = $context->getDocument()->createElementNS(Protocol::NS_ASSERTION, 'AudienceRestriction');
            $conditionsNode->appendChild($audienceRestrictionNode);
            foreach ($this->getValidAudience() as $v) {
-                $audienceNode = $context->getDocument()->createElement('Audience', $v);
+                $audienceNode = $context->getDocument()->createElementNS(Protocol::NS_ASSERTION, 'Audience', $v);
                $audienceRestrictionNode->appendChild($audienceNode);
            }
        }
        /* ... */
    }
    /* ... */
}

New method in Signature Validator for array of keys

Add a new method in SignatureValidatorInterface and all its implementations that can validate with provided array of keys. It should stop iterating keys when one of them pass and return. If none passes it should throw exception from the last one.

composer.json claims lightsaml functions with php 5.3.3

The composer.json require entry states "php": ">=5.3.3" but traits are used which are only supported in >= php 5.4.

Discovered this when deploying to a php 5.3.x machine :(.

How to really parse SAMLResponse?

I totally bought the idea of dumping 'simplesamlphp', as it is anything but simple.
I was so happy to see the example of parsing a SAML response, but after a test run that returns nothing, and a second look, it's unclear how to feed it with metadata.xml file so it can properly do the decryption.

I've seen another issue about the docs that will hopefully improve with v2. I'd love to participate by challenging authors to think about library consumers as people who would rather talk in terms of SSO and authentication rather than going deep into SAML implementation and concepts..

StatusResponse requires InResponseTo attribute which is optional in specific scenario

See http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf lines 1542-1547:
"InResponseTo [Optional]
A reference to the identifier of the request to which the response corresponds, if any. If the response is not generated in response to a request, or if the ID attribute value of a request cannot be determined (for example, the request is malformed), then this attribute MUST NOT be present.
Otherwise, it MUST be present and its value MUST match the value of the corresponding request's ID attribute."

For an IDP initiated response, the InResponseTo attribute doesn't have to be set (and that is what I'm seeing for the IDP server that talks to our system). However, all code and validation assumes that the attribute is set.

Is NameIDPolicy required in AuthnRequest?

We've been having issues getting SP-initiated authentication working with a Microsoft ADFS server. It kept giving the following error in the IdP logs:

The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://[...]
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
SPNameQualifier:
Exception details:
MSIS1000: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .

After several hours on the phone to the ADFS technician, I got it working by editing AuthnRequest::getXml() to completely remove the NameIDPolicy node. I've tested this change with a SimpleSAML IdP and it works there too.

Do you think we could make the NameIDPolicy element optional, or remove it completely?

Bundle cannot read encrypted assertions from IDP

Hello,
I have a problem with this bundle on my project :

After login, from IDP response as :

<samlp:Response ID="[...]"
                Version="2.0"
                IssueInstant="2014-06-09T14:57:53.368Z"
                Destination="https://mysite.net/saml/sp/acs"
                Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
                InResponseTo="[...]"
                xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                >
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sso.mysite.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    </e:EncryptionMethod>
                    <KeyInfo>
                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>[...]</ds:X509IssuerName>
                                <ds:X509SerialNumber>[...]</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>[...]</e:CipherValue>
                    </e:CipherData>
                </e:EncryptedKey>
            </KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>[...]</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </EncryptedAssertion>
</samlp:Response>

This bundle thrown this following exception : "No assertion received"

500 Internal Server Error - RuntimeException
Stack Trace :
    in vendor/aerialship/saml-sp-bundle/src/AerialShip/SamlSPBundle/Bridge/AssertionConsumer.php at line 115  -
            {
                $arr = $response->getAllAssertions();
                if (empty($arr)) {
                    throw new \RuntimeException('No assertion received');
                }
                $assertion = array_pop($arr);
    at AssertionConsumer ->getSingleAssertion (object(Response)) 

[...]

This bundle doesnt support EncryptionAssertion's tag from response, ie : "aerialship/lightsaml/src/AerialShip/LightSaml/Model/Protocol/Response.php"

function loadFromXml(\DOMElement $xml) {
    parent::loadFromXml($xml);
    $this->iterateChildrenElements($xml, function(\DOMElement $node) {
        if ($node->localName == 'Assertion' && $node->namespaceURI == Protocol::NS_ASSERTION) {
        $assertion = new Assertion();
        $assertion->loadFromXml($node);
        $this->addAssertion($assertion);
        }
    });
}

You can found an implémentation of this feature in this bundle : https://raw.githubusercontent.com/simplesamlphp/saml2/master/src/SAML2/EncryptedAssertion.php

Do you have planned to develop this enhancement/feature ?

Thanks a lot for your help,

Regards

"KeyDescriptor" elment "use" attribute should be optional

Getting now InvalidXmlException "Missing use attribute"

Linked with aerialship/SamlSPBundle#13

<EntityDescriptor entityID="https://idp.testshib.org/idp/shibboleth">
    <IDPSSODescriptor
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIEDjCCAvagAwIBAgIBADANBgkqhkiG9w0BAQUFADBnMQswCQYDVQQGEwJVUzEV
                        MBMGA1UECBMMUGVubnN5bHZhbmlhMRMwEQYDVQQHEwpQaXR0c2J1cmdoMREwDwYD
                        VQQKEwhUZXN0U2hpYjEZMBcGA1UEAxMQaWRwLnRlc3RzaGliLm9yZzAeFw0wNjA4
                        MzAyMTEyMjVaFw0xNjA4MjcyMTEyMjVaMGcxCzAJBgNVBAYTAlVTMRUwEwYDVQQI
                        EwxQZW5uc3lsdmFuaWExEzARBgNVBAcTClBpdHRzYnVyZ2gxETAPBgNVBAoTCFRl
                        c3RTaGliMRkwFwYDVQQDExBpZHAudGVzdHNoaWIub3JnMIIBIjANBgkqhkiG9w0B
                        AQEFAAOCAQ8AMIIBCgKCAQEArYkCGuTmJp9eAOSGHwRJo1SNatB5ZOKqDM9ysg7C
                        yVTDClcpu93gSP10nH4gkCZOlnESNgttg0r+MqL8tfJC6ybddEFB3YBo8PZajKSe
                        3OQ01Ow3yT4I+Wdg1tsTpSge9gEz7SrC07EkYmHuPtd71CHiUaCWDv+xVfUQX0aT
                        NPFmDixzUjoYzbGDrtAyCqA8f9CN2txIfJnpHE6q6CmKcoLADS4UrNPlhHSzd614
                        kR/JYiks0K4kbRqCQF0Dv0P5Di+rEfefC6glV8ysC8dB5/9nb0yh/ojRuJGmgMWH
                        gWk6h0ihjihqiu4jACovUZ7vVOCgSE5Ipn7OIwqd93zp2wIDAQABo4HEMIHBMB0G
                        A1UdDgQWBBSsBQ869nh83KqZr5jArr4/7b+QazCBkQYDVR0jBIGJMIGGgBSsBQ86
                        9nh83KqZr5jArr4/7b+Qa6FrpGkwZzELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBl
                        bm5zeWx2YW5pYTETMBEGA1UEBxMKUGl0dHNidXJnaDERMA8GA1UEChMIVGVzdFNo
                        aWIxGTAXBgNVBAMTEGlkcC50ZXN0c2hpYi5vcmeCAQAwDAYDVR0TBAUwAwEB/zAN
                        BgkqhkiG9w0BAQUFAAOCAQEAjR29PhrCbk8qLN5MFfSVk98t3CT9jHZoYxd8QMRL
                        I4j7iYQxXiGJTT1FXs1nd4Rha9un+LqTfeMMYqISdDDI6tv8iNpkOAvZZUosVkUo
                        93pv1T0RPz35hcHHYq2yee59HJOco2bFlcsH8JBXRSRrJ3Q7Eut+z9uo80JdGNJ4
                        /SJy5UorZ8KazGj16lfJhOBXldgrhppQBb0Nq6HKHguqmwRfJ+WkxemZXzhediAj
                        Geka8nz8JjwxpUjAiSWYKLtJhGEaTqCYxCCX2Dw+dOTqUzHOZ7WKv4JXPK5G/Uhr
                        8K/qhmFT2nIQi538n6rVYLeWj8Bbnl+ev0peYzxFyF5sQA==
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                             Location="https://idp.testshib.org/idp/profile/Shibboleth/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                             Location="https://idp.testshib.org/idp/profile/SAML2/POST/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                             Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                             Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
    </IDPSSODescriptor>
</EntityDescriptor>

Support for additional NameIDFormats

Trying to load metadata from https://engine.surfconext.nl/authentication/idp/metadata gives the following errors:

Invalid NameIDFormat 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'.

Invalid NameIDFormat 'urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified'

These are very much valid SAML2 NameID formats.

Thanks for lightsaml, you're doing cool stuff Milos!

InvalidArgumentException at LogoutRequest ->setNotOnOrAfter()

Application fails when I try to logout from external application

In LogoutRequest::loadFromXml() line 146:

$this->setNotOnOrAfter(new \DateTime(strtotime($time), new \DateTimeZone('UTC')));

But setNotOnOrAfter() fails if argument is not a string or int.

New EntitiesDescriptor::getByEntityId

Make a new method that will return EntityDescriptor for provided entityID

bin/lightsaml generates an error

As @Spoon4 reported in #2

Ok, found !
So, you need to

execute composer install in the vendor/aerialship/lightsaml/ vendor directory

execute lightsaml program directly from vendor/aerialship/lightsaml/bin/ directory

The aim of my comment was to report that the composer copy in bin/lightsaml of vendor/aerialship/lightsaml/bin/lightsaml generates an error. You should run composer install from vendor/aerialship/lightsaml/ and execute lightsaml directly from its origin directory

Tag new version

Hi, would it be possible to tag a new version with the changes in the master branch?

Thanks!

Signing and Certificates documentation

which kind of cert is waited for cert_file tag ? .cer (public key), .pfx, another fomat ?
is the key_file file have to be a .key file with 64base encoded string between -----BEGIN RSA PRIVATE KEY----- and -----BEGIN RSA PRIVATE KEY----- bounds ?
Does the key_pass is the password given to azure with pfx file on token signin settings ?

Relation to lightsaml/lightsaml

Is lightSAML the official successor to aerialship/lightsaml? If so, should we add a small notice and mark this Composer package as deprecated?