path: root/modules/saml/lib
Commit message / Author / Date / Files / Lines (-removed/+added)

* Merge pull request #433 from thijskh/feature/deprecate-certFingerprint
  Jaime Pérez Crespo, 2016-09-14, 1 file, -0/+5
  Deprecate the certFingerprint option.
  * Deprecate the certFingerprint option.
    Thijs Kinkhorst, 2016-08-05, 1 file, -0/+5
    Issue a notice when the option is used nonetheless. Closes: #432
* Allow setting the 'Comparison' attribute in authentication contexts.
  Jaime Pérez, 2016-09-05, 2 files, -2/+17
  Even though the default "exact" is used by most people, and few products support anything else, there are people asking for this.
* Deprecate the old SimpleSAML_Error_NoPassive and SimpleSAML_Error_ProxyCountExceeded exceptions.
  Jaime Pérez, 2016-08-31, 1 file, -0/+2
* Use the new SimpleSAML\Module\saml\Error\ProxyCountExceeded exception.
  Jaime Pérez, 2016-08-31, 1 file, -1/+4
* Use the new SAML error exceptions in the saml module.
  Jaime Pérez, 2016-08-31, 2 files, -18/+16
  Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.
* Model some SAML errors as exceptions in the SAML module.
  Jaime Pérez, 2016-08-31, 5 files, -0/+140
  This makes it easier to identify error conditions and return errors to an SP. More known errors should also be added here.
* Keep the requested authentication context.
  Jaime Pérez, 2016-08-30, 1 file, -0/+3
  The SAML2 IdP should keep the RequestedAuthnContext in the state array, so that authentication sources (or processing filters) can use that information during authentication.
* Multiple enhancements and fixes to IDPList support in proxy mode.
  Jaime Pérez, 2016-08-15, 2 files, -7/+56
  - Bugfix: modules/saml/www/proxy/invalid_session.php shouldn't call the error handler in sspmod_saml_IdP_SAML2 directly. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
  - The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
  - We shouldn't ask the user to log out in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
  - Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
* bugfix: Make the SAML2 IdP resilient to failures when getting DOMNodeList attribute values.
  Jaime Pérez, 2016-08-10, 1 file, -2/+7
  Due to recent changes in the SAML2 library, when an attribute has a value that contains XML, its contents are returned as a DOMNodeList instead of a string. This causes problems when running as a proxy, since the SAML2 IdP will obtain attributes in a format that cannot be cast to string. Regardless of the attribute encoding configured in the IdP for a remote SP, we should handle those cases gracefully, so that the IdP doesn't end up in an uncaught exception.
* bugfix: Make sure we log the user out before reauthenticating.
  Jaime Pérez, 2016-08-08, 1 file, -12/+97
  When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to log out before authenticating again, avoiding an inconsistent session with SPs associated with different IdPs. This resolves #84.
* Merge pull request #417 from pmeulen/feature/authnreq-subject-nameid-tests
  Jaime Pérez Crespo, 2016-08-05, 1 file, -0/+7
  Test for https://github.com/simplesamlphp/simplesamlphp/pull/400
  * Allow the optional Subject NameID to be set in a SAML AuthnRequest through "saml:NameID"
    Pieter van der Meulen, 2016-07-13, 1 file, -0/+7
* bugfix: Do not remove attribute values that are not scoped.
  Jaime Pérez, 2016-07-29, 1 file, -0/+1
  The saml:FilterScopes filter was removing values that did not contain a scope. It shouldn't.
* authproc: Add new filter to remove invalid scopes.
  Jaime Pérez, 2016-07-29, 1 file, -0/+97
  The new saml:FilterScopes allows a SAML Service Provider to remove the values from a scoped attribute whose scope is not declared in the IdP metadata and/or does not match the domain in use by the IdP itself. This closes #22.
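As an added illustration of what the two scope commits above describe (the filter itself, and the fix that leaves unscoped values alone), here is a stand-alone PHP sketch. It is example code written for this page, not the saml:FilterScopes filter from SimpleSAMLphp. The function names, the metadata array layout (the 'entityid' and 'scope' keys) and the rule that the host name of a URL-style entityID counts as an allowed scope are assumptions made for the example; the sample metadata and attribute values are constructed.

```php
<?php
declare(strict_types=1);

// Added example for this page; not the saml:FilterScopes filter from SimpleSAMLphp.
// Removes values of a scoped attribute whose scope the IdP may not assert, and
// keeps every value that carries no scope at all.

/**
 * Scopes an IdP may assert: the 'scope' list from its metadata plus the host
 * part of its entityID when the entityID is a URL. The array keys and the
 * entityID-host rule are assumptions made for this example.
 *
 * @param array $idpMetadata Remote IdP metadata.
 * @return string[] Lower-cased, de-duplicated scopes.
 */
function allowedScopes(array $idpMetadata): array
{
    $scopes = [];
    foreach ($idpMetadata['scope'] ?? [] as $scope) {
        $scopes[] = strtolower($scope);
    }
    // parse_url() yields null for URN-style entityIDs, so nothing is added then.
    $host = parse_url($idpMetadata['entityid'] ?? '', PHP_URL_HOST);
    if (is_string($host) && $host !== '') {
        $scopes[] = strtolower($host);
    }
    return array_values(array_unique($scopes));
}

/**
 * Keep each value whose scope (the text after the last '@') is in $allowed,
 * and every value that has no '@' at all.
 *
 * @param string[] $values  Attribute values such as "alice@example.org".
 * @param string[] $allowed Output of allowedScopes().
 * @return string[]
 */
function filterScopedValues(array $values, array $allowed): array
{
    $kept = [];
    foreach ($values as $value) {
        $at = strrpos($value, '@');
        if ($at === false) {
            $kept[] = $value;            // unscoped value: never dropped
            continue;
        }
        $scope = strtolower(substr($value, $at + 1));   // DNS names compare case-insensitively
        if (in_array($scope, $allowed, true)) {
            $kept[] = $value;
        }
        // otherwise the IdP asserted a scope it does not own: drop the value
    }
    return $kept;
}

// Constructed sample data: an IdP whose entityID host is idp.example.org and
// whose metadata declares two scopes.
$idpMetadata = [
    'entityid' => 'https://idp.example.org/saml2/idp/metadata.php',
    'scope'    => ['example.org', 'students.example.org'],
];
$attributes = [
    'eduPersonPrincipalName'     => ['alice@example.org', 'mallory@victim.example'],
    'eduPersonScopedAffiliation' => ['student@students.example.org', 'staff@EXAMPLE.ORG', 'member@other.org'],
    'displayName'                => ['Alice'],
];

$allowed = allowedScopes($idpMetadata);
foreach ($attributes as $name => $values) {
    $attributes[$name] = filterScopedValues($values, $allowed);
}
print_r($attributes);
```

With the constructed input, mallory@victim.example and member@other.org are dropped because neither scope is one the IdP may assert, staff@EXAMPLE.ORG survives because scope comparison is case-insensitive, and the unscoped displayName value is untouched. An SP that skips this step lets any IdP it trusts assert identifiers in every other IdP's namespace.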
* Bump the version of the SAML2 library.
  Jaime Pérez, 2016-07-26, 9 files, -113/+113
  Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
* When exceptions happen in the context of a SAML transaction, we don't need to log the sspmod_saml_Error exception itself, as that doesn't have any valuable information. We log the exception itself instead. Reword the previous message a bit, too.
  Jaime Perez Crespo, 2016-04-13, 1 file, -2/+2
* This is related to #346, and closes #347. It enables richer NameIDPolicy configuration, allowing one to set not only the format, but also the value for "AllowCreate".
  Jaime Perez Crespo, 2016-03-29, 1 file, -9/+20
* Update the modules too.
  Jaime Perez Crespo, 2016-03-09, 11 files, -70/+70
* Clean one-liner comments.
  Jaime Perez Crespo, 2015-11-06, 7 files, -13/+13
* s/simpleSAMLphp/SimpleSAMLphp/g
  Jaime Perez Crespo, 2015-11-06, 7 files, -8/+8
  (being respectful with occurrences that might change the behaviour, i.e. default database prefixes)
* Revert "Make SHA-256 the default signature algorithm."
  Jaime Perez Crespo, 2015-11-06, 1 file, -1/+11
  This reverts commit 09c5a23fce38022bc7ba1450902236383aaa90d7.
* Make SHA-256 the default signature algorithm.
  Thijs Kinkhorst, 2015-11-05, 1 file, -11/+1
  SHA-1 is still supported but needs to be configured explicitly if you need it.
* XML data is loaded using SAML2_DOMDocumentFactory class
  Sergio Gómez, 2015-10-11, 2 files, -3/+2
* Duplicate the $state['SimpleSAML_Auth_Default.*'] entries to $state['SimpleSAML_Auth_Source.*'] where needed, while we are transitioning to 2.0. Leave those that will be removed in SimpleSAML_Auth_Default. Move the rest of the code to the new entries in the state array.
  Jaime Perez Crespo, 2015-08-31, 1 file, -2/+2
* When building an assertion, the current time should be obtained once, used many times, instead of being obtained every time we are using it (that could lead to clock discrepancies between several timestamps in the same assertion). Additionally, if authentication happened in the past (that is, we got a request that is not the one that triggered authentication, and this is pure SSO), we should calculate the value for SessionNotOnOrAfter relative to the start of the session, not the current time. This resolves #244.
  Jaime Perez Crespo, 2015-08-30, 1 file, -4/+8
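The timestamp rule in the commit above, as an added example that is not SimpleSAMLphp's own assertion-building code: one clock reading feeds every timestamp of an assertion, and SessionNotOnOrAfter is anchored on the authentication instant, so a second SP asking for SSO an hour into the session does not push the session end out by another full lifetime. The function names, the session and assertion lifetimes and the field layout are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example for this page; not the assertion-building code in sspmod_saml_IdP_SAML2.
// One clock reading feeds every timestamp; SessionNotOnOrAfter is anchored on
// the authentication instant rather than on the current request.

/** Unix timestamp as the UTC xs:dateTime form used in SAML messages. */
function samlTime(int $ts): string
{
    return gmdate('Y-m-d\TH:i:s\Z', $ts);
}

/**
 * Timestamps for one assertion.
 *
 * @param int $now               The single clock reading for this assertion.
 * @param int $authnInstant      When the user actually authenticated.
 * @param int $sessionDuration   Seconds a session may live (assumed option).
 * @param int $assertionLifetime Seconds the assertion's conditions stay valid (assumed option).
 * @return array<string,string>
 */
function assertionTimestamps(int $now, int $authnInstant, int $sessionDuration, int $assertionLifetime): array
{
    if ($authnInstant > $now) {
        throw new InvalidArgumentException('AuthnInstant cannot be in the future');
    }
    return [
        'IssueInstant'        => samlTime($now),
        'NotBefore'           => samlTime($now),
        'NotOnOrAfter'        => samlTime($now + $assertionLifetime),
        'AuthnInstant'        => samlTime($authnInstant),
        // Relative to the login, not to this request: an SSO request issued
        // later in the session must not extend the session by another full
        // $sessionDuration.
        'SessionNotOnOrAfter' => samlTime($authnInstant + $sessionDuration),
    ];
}

/** True when two assertions for the same session agree on when it ends. */
function sessionEndAgrees(array $a, array $b): bool
{
    return $a['SessionNotOnOrAfter'] === $b['SessionNotOnOrAfter'];
}

$sessionDuration   = 8 * 3600;   // assumed: eight-hour sessions
$assertionLifetime = 5 * 60;     // assumed: five-minute assertion validity

$loginAt = time() - 3600;        // the user logged in an hour ago

// Assertion sent to the first SP at login time.
$first = assertionTimestamps($loginAt, $loginAt, $sessionDuration, $assertionLifetime);
// Assertion sent to a second SP now, via SSO, with no new authentication.
$sso   = assertionTimestamps(time(), $loginAt, $sessionDuration, $assertionLifetime);

printf("first SP: session ends %s\n", $first['SessionNotOnOrAfter']);
printf("SSO SP:   session ends %s (same end: %s)\n",
    $sso['SessionNotOnOrAfter'], sessionEndAgrees($first, $sso) ? 'yes' : 'no');
```

Had SessionNotOnOrAfter been computed from the current time, each new SP visited would have granted the session a fresh full lifetime, so an idle-but-reused session could live far beyond what the IdP intended; anchoring it on AuthnInstant keeps every assertion for one login agreeing on the same end.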
* Reformat sspmod_saml_Auth_Process_TransientNameID and fix some phpdoc comments.
  Jaime Perez Crespo, 2015-08-30, 1 file, -24/+27
* Reformat sspmod_saml_Auth_Process_NameIDAttribute.
  Jaime Perez Crespo, 2015-08-30, 1 file, -131/+137
* Reformat sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef.
  Jaime Perez Crespo, 2015-08-30, 1 file, -59/+78
* Reformat sspmod_saml_Auth_Process_AuthnContextClassRef.
  Jaime Perez Crespo, 2015-08-30, 1 file, -40/+45
* Reformat sspmod_saml_Auth_Process_AttributeNameID.
  Jaime Perez Crespo, 2015-08-30, 1 file, -52/+65
* Reformat sspmod_saml_Auth_Process_PersistentNameID2TargetedID.
  Jaime Perez Crespo, 2015-08-30, 1 file, -59/+64
* Reformat sspmod_saml_Auth_Process_PersistentNameID and fix some phpdoc comments.
  Jaime Perez Crespo, 2015-08-30, 1 file, -59/+71
* Reformat sspmod_saml_Auth_Process_SQLPersistentNameID.
  Jaime Perez Crespo, 2015-08-30, 1 file, -130/+159
* Merge pull request #242 from ghalse/master
  Jaime Pérez Crespo, 2015-08-30, 1 file, -2/+47
  Make SQLPersistentNameID more flexible
  * Provide config options to allow SQLPersistentNameID to be less conservative about creating entries in the SQL datastore, whilst preserving default behaviour
    Guy Antony Halse, 2015-08-17, 1 file, -2/+47
* Refactor SimpleSAML_Auth_State::extractPersistentAuthState() to getPersistentAuthData() to avoid confusion around the behaviour of this method.
  Jaime Perez Crespo, 2015-08-25, 1 file, -2/+2
* The state array should not be modified after extracting (getting) the persistent authentication data. This resolves #247.
  Jaime Perez Crespo, 2015-08-25, 1 file, -2/+1
* Move SimpleSAML_Auth_Default::handleUnsolicitedAuth() to sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth() and deprecate the former.
  Jaime Perez Crespo, 2015-08-12, 1 file, -1/+24
* Move SimpleSAML_Auth_Default::extractPersistentAuthState() to SimpleSAML_Auth_State::extractPersistentAuthState() and deprecate the former.
  Jaime Perez Crespo, 2015-08-12, 1 file, -1/+3
* Fix an issue with data types returned by SimpleSAML_Store.
  Jaime Perez Crespo, 2015-08-05, 1 file, -1/+2
* Bugfix. Solves #213.
  Jaime Perez Crespo, 2015-05-31, 2 files, -2/+2
* Use !in_array() for improved readability
  Brian Vuyk, 2015-05-12, 1 file, -1/+2
* Add support for sender-vouches
  Brian Vuyk, 2015-05-11, 1 file, -1/+1
* Move SimpleSAML_Utilities::checkCookie() to SimpleSAML\Utils\HTTP::checkSessionCookie() and deprecate the former.
  Jaime Perez Crespo, 2015-04-23, 2 files, -2/+2
* Move SimpleSAML_Utilities::redirectTrustedURL() to SimpleSAML\Utils\HTTP::redirectTrustedURL() and deprecate the former.
  Jaime Perez Crespo, 2015-04-22, 2 files, -3/+3
* Move SimpleSAML_Utilities::isHTTPS() to SimpleSAML\Utils\HTTP::isHTTPS() and deprecate the former.
  Jaime Perez Crespo, 2015-04-21, 2 files, -2/+2
* Move SimpleSAML_Utilities::selfURLNoQuery() to SimpleSAML\Utils\HTTP::getSelfURLNoQuery() and deprecate the former.
  Jaime Perez Crespo, 2015-04-21, 2 files, -3/+3
* Move SimpleSAML_Utilities::selfURL() to SimpleSAML\Utils\HTTP::getSelfURL() and deprecate the former.
  Jaime Perez Crespo, 2015-04-21, 2 files, -3/+3
* Bugfix.
  Jaime Perez Crespo, 2015-04-21, 1 file, -1/+1
* Move SimpleSAML_Utilities::addURLparameter() to SimpleSAML\Utils\HTTP::addURLParameters() and deprecate the former.
  Jaime Perez Crespo, 2015-04-21, 2 files, -2/+2
* Move SimpleSAML_Utils_Crypto to SimpleSAML\Utils\Crypto.
  Jaime Perez Crespo, 2015-04-20, 1 file, -6/+6
* Move SimpleSAML_Utils_Arrays to SimpleSAML\Utils\Arrays.
  Jaime Perez Crespo, 2015-04-20, 1 file, -1/+1
* Move SimpleSAML_Utils_Config to SimpleSAML\Utils\Config.
  Jaime Perez Crespo, 2015-04-20, 2 files, -2/+2
* Move SimpleSAML_Utils_Random to SimpleSAML\Utils\Random.
  Jaime Perez Crespo, 2015-04-20, 3 files, -5/+5
* Move SimpleSAML_Utilities::getSecretSalt() to SimpleSAML_Utils_Config::getSecretSalt(). Deprecate the former and stop using it.
  Jaime Perez Crespo, 2015-04-16, 2 files, -2/+2
* Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0.
  Jaime Perez Crespo, 2015-04-16, 3 files, -5/+5
* Schedule SimpleSAML_Utilities::stringToHex() for removal. Deprecate and stop using it.
  Jaime Perez Crespo, 2015-04-16, 1 file, -1/+1
* Schedule SimpleSAML_Utilities::generateRandomBytes() for removal. Deprecate and stop using it.
  Jaime Perez Crespo, 2015-04-16, 1 file, -1/+1
* Move loadPublicKey() and loadPrivateKey() in SimpleSAML_Utilities to SimpleSAML_Utils_Crypto. Mark the old ones as deprecated and schedule them for removal in 2.0.
  Jaime Perez Crespo, 2015-04-16, 1 file, -6/+6
* Refactor SimpleSAML_Utilities::arrayize() to SimpleSAML_Utils_Arrays::arrayize(). Schedule SimpleSAML_Utilities::arrayize() for removal.
  Jaime Perez Crespo, 2015-04-15, 1 file, -1/+1
* Fix strict comparisons with boolean types and null.
  Jaime Perez Crespo, 2015-04-15, 1 file, -1/+1
* Typos
  Dick Visser, 2015-02-20, 1 file, -2/+2
* Remove getAuthInstant() from SimpleSAML_Session.
  Jaime Perez, 2015-01-19, 1 file, -4/+0
* Remove trailing PHP close tags. Closes #59.
  Jaime Perez, 2015-01-15, 1 file, -2/+0
* Fix client-certificate match if-check
  Daan van Renterghem, 2014-10-22, 1 file, -2/+3
  `preg_match` returns `0` if no matches are found, `FALSE` only on error. This means that with the previous check non-matching certificates would not be identified, only when the preg_match itself would error.
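The preg_match() return-value distinction the commit above fixes, shown as added example code (not the client-certificate check in SimpleSAMLphp): the same test written both ways, run over two constructed subject DNs. The pattern, the DNs and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example for this page; not the client-certificate check in SimpleSAMLphp.
// preg_match() returns 1 on a match, 0 on no match and false on a PCRE error,
// so a check that only tests `=== false` accepts every non-matching input.

/** The buggy shape: only a PCRE error counts as "no match". */
function certMatchesBuggy(string $pattern, string $subjectDn): bool
{
    if (preg_match($pattern, $subjectDn) === false) {
        return false;   // reached only when the regex engine fails
    }
    return true;        // reached for both 1 (match) and 0 (no match)
}

/** The fixed shape: anything other than exactly one match is a failure. */
function certMatches(string $pattern, string $subjectDn): bool
{
    $result = preg_match($pattern, $subjectDn);
    if ($result === false) {
        // Bad pattern or PCRE limit hit: fail closed and leave a trace.
        error_log('preg_match failed, PCRE error code ' . preg_last_error());
        return false;
    }
    return $result === 1;
}

// Constructed sample: accept only certificates issued to Example Corp (NL).
$pattern  = '/^CN=[^,]+,O=Example Corp,C=NL$/';
$subjects = [
    'CN=alice,O=Example Corp,C=NL',   // should be accepted
    'CN=mallory,O=Evil Inc,C=XX',     // must be rejected; the buggy check lets it through
];

foreach ($subjects as $dn) {
    printf("%-30s buggy: %-5s fixed: %s\n", $dn,
        var_export(certMatchesBuggy($pattern, $dn), true),
        var_export(certMatches($pattern, $dn), true));
}
```

The fixed version also treats an engine error (a malformed pattern, or the backtrack or recursion limit being hit on hostile input) as a rejection, which is the right default for an authentication check: a match test that cannot complete should never count as a pass.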
* Formatting.
  Jaime Perez, 2014-09-29, 1 file, -3/+2
* Add support for signature.privatekey for saml-sp-remote
  Dan Tsosie, 2014-09-05, 1 file, -2/+10
* saml: Add total time of login operation to stats data.
  Olav Morken, 2014-07-10, 2 files, -0/+11
  Add statistics data to saml:idp:Response and saml:idp:Response:error with the total time since we began processing the authentication request.
* saml: Split statsData array out from statistics logging.
  Olav Morken, 2014-07-10, 2 files, -6/+9
  This change makes it easier to add elements to the statistics data logged when the IdP sends an authentication response.
* Drop obsolete SVN $Id$ keywords.
  Thijs Kinkhorst, 2014-07-09, 15 files, -15/+0
* Rename SimpleSAML_Session::getInstance() to SimpleSAML_Session::getSessionFromRequest(), and leave the former as deprecated.
  Jaime Perez, 2014-07-08, 3 files, -4/+4
* Fix #82 and #83. Make the checks for an IDPList happen only when we are the IdP authenticating the user, not an intermediate proxy.
  Jaime Perez, 2014-06-27, 1 file, -0/+55
* Fix typo.
  Jaime Perez, 2014-06-25, 1 file, -1/+1
* Remove 'saml2.relaxvalidation' option from documentation. This feature was removed back in 2009. Fixes #78.
  Jaime Perez, 2014-06-18, 1 file, -1/+1
* Blacklist 'http://www.w3.org/2001/04/xmlenc#rsa-1_5' (RSA encryption with PKCS#1 v1.5 padding) by default.
  Jaime Perez, 2014-06-18, 1 file, -1/+1
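What a blocklist of this kind has to do on the receiving side, as an added example (not SimpleSAMLphp's decryption code, nor the implementation behind its encryption.blacklisted-algorithms option): read the key-transport algorithm from each EncryptedKey in an incoming document and refuse the message before attempting any RSA decryption. The XML document, the function names and the default list are constructed for the example; only the rsa-1_5 URI and the option name come from this commit log.

```php
<?php
declare(strict_types=1);

// Added example for this page; not SimpleSAMLphp's decryption code nor the
// implementation of its encryption.blacklisted-algorithms option. Refuses a
// message whose EncryptedKey uses a blocklisted key-transport algorithm before
// any RSA decryption is attempted.

const XMLENC_NS = 'http://www.w3.org/2001/04/xmlenc#';

/** Default blocklist: RSA with PKCS#1 v1.5 padding, as in the commit above. */
const BLACKLISTED_ALGORITHMS = [
    'http://www.w3.org/2001/04/xmlenc#rsa-1_5',
];

/**
 * EncryptionMethod/@Algorithm of every EncryptedKey in the document.
 *
 * @return string[]
 */
function keyTransportAlgorithms(DOMDocument $doc): array
{
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('xenc', XMLENC_NS);
    $algorithms = [];
    foreach ($xpath->query('//xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm') as $attr) {
        $algorithms[] = $attr->nodeValue;
    }
    return $algorithms;
}

/**
 * Throw if any EncryptedKey names a blocklisted algorithm. The decision is
 * taken from the URI alone, before the private key is touched, so a rejected
 * message never reaches the RSA decryption an attacker would want to probe.
 */
function assertAllowedKeyTransport(DOMDocument $doc, array $blacklist = BLACKLISTED_ALGORITHMS): void
{
    foreach (keyTransportAlgorithms($doc) as $algorithm) {
        if (in_array($algorithm, $blacklist, true)) {
            throw new RuntimeException('Refusing blacklisted key-transport algorithm: ' . $algorithm);
        }
    }
}

// Constructed sample: an EncryptedAssertion whose AES session key was wrapped
// with rsa-1_5 (the CipherValue contents are placeholders).
$sample = <<<'XML'
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                         xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    <ds:KeyInfo>
      <xenc:EncryptedKey>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</saml:EncryptedAssertion>
XML;

$doc = new DOMDocument();
$doc->loadXML($sample, LIBXML_NONET);   // no network fetches while parsing

try {
    assertAllowedKeyTransport($doc);
    echo "key-transport algorithm accepted, proceed to decryption\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The algorithm URI is chosen by whoever built the message, not by the recipient's configuration, so having the legitimate sender use OAEP is no protection on its own: the receiver has to refuse rsa-1_5 itself, and decide on the URI before any decryption runs, because a PKCS#1 v1.5 decryption whose success or failure is observable is exactly the oracle a padding attack needs.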
* Allow attributes with null values, see saml-core-2.0-os, section 2.7.3.1.1.
  Jaime Pérez Crespo, 2014-02-02, 1 file, -0/+6
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3349 44740490-163a-0410-bde0-09ae8108e29a
* Start using the redirectTrustedURL() and redirectUntrustedURL() wrappers.
  Jaime Pérez Crespo, 2014-01-17, 2 files, -3/+3
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3326 44740490-163a-0410-bde0-09ae8108e29a
* add isPassive to discovery request if about to send a passive request.
  Andreas Åkre Solberg, 2014-01-09, 1 file, -12/+16
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3319 44740490-163a-0410-bde0-09ae8108e29a
* Take into account the NameIDFormat specified in idp-hosted metadata when no such option is configured for an SP.
  Jaime Pérez Crespo, 2013-12-09, 1 file, -1/+4
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3312 44740490-163a-0410-bde0-09ae8108e29a
* Split binding prioritizing out of getDefaultEndpoint to a new getEndpointPrioritizedByBinding function.
  Jaime Pérez Crespo, 2013-11-26, 2 files, -4/+4
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3303 44740490-163a-0410-bde0-09ae8108e29a
* Save one unnecessary redirection when using iframe logout and the SPs support HTTPRedirect.
  Jaime Pérez Crespo, 2013-11-25, 1 file, -5/+13
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3301 44740490-163a-0410-bde0-09ae8108e29a
* Properly document the signature.algorithm option. Also add configuration examples showing how to start using SHA-256, and warning about SHA-1 being disallowed starting in 2014.
  Jaime Pérez Crespo, 2013-11-19, 1 file, -0/+10
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3297 44740490-163a-0410-bde0-09ae8108e29a
* Add support for sending AttributeConsumingService and AssertionConsumerServiceIndex.
  Olav Morken, 2013-09-02, 1 file, -0/+3
  This patch adds support for sending the AttributeConsumingService and AssertionConsumerServiceIndex attributes in the authentication request. Thanks to Dale Clarke for providing this patch!
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3266 44740490-163a-0410-bde0-09ae8108e29a
* Complete bugfix for issue #561. HTTP-Post supported for SLO not initiated by the SP. Working for both traditional logout and iframe version.
  Jaime Pérez Crespo, 2013-08-13, 1 file, -26/+79
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3262 44740490-163a-0410-bde0-09ae8108e29a
* Revert "Bugfix for issue #561."
  Jaime Pérez Crespo, 2013-08-12, 1 file, -7/+1
  This reverts commit 391145ae84d5aa4150ff5747a304d0af2aeb161f.
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3261 44740490-163a-0410-bde0-09ae8108e29a
* Bugfix for issue #561.
  Jaime Pérez Crespo, 2013-08-09, 1 file, -1/+7
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3259 44740490-163a-0410-bde0-09ae8108e29a
* Full support for HTTP-POST binding in WebSSO profile. Two new directives in hosted metadata (SingleSignOnServiceBinding and SingleLogoutServiceBinding) to control the bindings published as supported in the metadata. Bugfix in the logout handler (SOAP binding should be reused when responding to a request).
  Jaime Pérez Crespo, 2013-07-17, 3 files, -27/+32
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3257 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix saml:sp:IdP for SAML 1.1
  Olav Morken, 2013-05-22, 1 file, -0/+4
  The saml:sp:IdP authentication data was only saved for SAML 2.0 authentication. This patch moves this variable into common code, so that it is shared between SAML 2.0 and SAML 1.1. Thanks to Tim Jobling for reporting this bug!
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3240 44740490-163a-0410-bde0-09ae8108e29a
* Fix some typos with method Session::getTrackID()
  Jaime Pérez Crespo, 2013-01-23, 1 file, -1/+1
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3225 44740490-163a-0410-bde0-09ae8108e29a
* saml:PersistentNameID2TargetedID: New filter for storing persistent NameID in eduPersonTargetedID attribute.
  Olav Morken, 2013-01-11, 1 file, -0/+79
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3221 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix SAML 2.0 SP logout with PostgreSQL.
  Olav Morken, 2012-12-03, 1 file, -2/+3
  The PostgreSQL database server returns all column names in lowercase, but we are using mixed case column names. This patch changes the query to always request lowercase column names.
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3207 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix NULL return from saml_IdP_SAML2::getAssociationConfig().
  Olav Morken, 2012-12-03, 1 file, -2/+2
  This function should not return NULL, but did so due to a missing return statement. This patch adds that return statement, and fixes the documentation for the function.
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3206 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add separate option to enable HoK support on SP.
  Olav Morken, 2012-10-18, 1 file, -6/+5
  Instead of always adding the endpoint to the metadata, require setting a separate option to enable it.
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3194 44740490-163a-0410-bde0-09ae8108e29a
* The issuer of an AuthnResponse is now validated to check if we get the response from the same entity ID we sent the request to.
  Jaime Pérez Crespo, 2012-10-15, 1 file, -0/+3
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3189 44740490-163a-0410-bde0-09ae8108e29a
* Fixed a bug on ArtifactResolutionService introduced by a previous commit on new SHA signatures support.
  Jaime Pérez Crespo, 2012-10-09, 1 file, -2/+2
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3186 44740490-163a-0410-bde0-09ae8108e29a
* Support for RSA_SHA256, RSA_SHA384 and RSA_SHA512 in HTTP Redirect binding. Signature algorithm can now be set also in the remote IdP metadata, with more priority than the one specified in hosted SP metadata.
  Jaime Pérez Crespo, 2012-10-01, 1 file, -1/+5
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3181 44740490-163a-0410-bde0-09ae8108e29a
* Fixed typo in modules/saml/lib/Message.php, addSign().
  Jaime Pérez Crespo, 2012-09-20, 1 file, -1/+1
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3165 44740490-163a-0410-bde0-09ae8108e29a
* Added support for RSA-SHA256, RSA-SHA384 and RSA-SHA512 signature algorithms. New hosted IdP metadata option 'signature.algorithm' to configure this, defaults to SHA1 for backwards compatibility.
  Jaime Pérez Crespo, 2012-09-20, 1 file, -1/+2
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3164 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add "encryption.blacklisted-algorithms" option.
  Olav Morken, 2012-08-02, 1 file, -2/+26
  This option allows us to disable some encryption algorithms.
  git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3139 44740490-163a-0410-bde0-09ae8108e29a