Lines Matching refs:to

5 Add SAML support to your PHP software using this library.
15 to the validator but the SAMLResponse does not contain an InResponseTo attribute. And an additiona…
17 …dates xmlseclibs to 3.0.4 (CVE-2019-3465), but php-saml was not directly affected since it impleme…
21 Update php-saml to 2.15.0, this version includes a security patch related to XEE attacks
25 Update php-saml to 2.10.4, this version includes a security patch related to
28 Update php-saml to 2.10.0, this version includes a security patch that contains extra validations t…
36 …ption. We follow responsible disclosure guidelines, and will work with you to quickly find a resol…
39 Why add SAML support to my software?
52 * **Speed** - SAML is fast. One browser redirect is all it takes to securely
59 * **Opportunity** - B2B cloud vendors should support SAML to facilitate the
67 your PHP application and connect it to any IdP (Identity Provider).
84 * **Easy to use** - Programmers can work at a high level or a low level;
85 two easy-to-use APIs are available.
98 * `mcrypt`. Install that library and its php driver if you're going to handle
101 * `curl`. Install that library and its php driver if you plan to use the IdP Metadata parser.
103 Since [PHP 5.3 is officially unsupported](http://php.net/eol.php) we recommend using a newer P…
119 structure so take your time to locate the PHP SAML toolkit in the best place).
120 See the "Guide to add SAML support to my app" to know how.
123 If you plan to play with the demos, use Option 1.
129 To import the SAML toolkit into your current PHP project, execute
139 …nstead of using settings files, you pass the settings as an array directly to the constructor (exp…
146 The old code that you used in order to add SAML support will continue working
147 with minor changes. You only need to load the files of the `lib/Saml` folder.
157 We recommend that you migrate the old code to the new one to be able to use
165 namespaces; remember that calls to the class must be made by adding a backslash (`\`) at the
166 start, for example to use the static method getSelfURLNoQuery use:
175 `signatureAlgorithm` and `digestAlgorithm` under `security` must be set to
177 environment is not secure and will be exposed to attacks.
179 to register the IdP certificate in the settings instead of using the fingerprint method. The finge…
193 SAML requires an x509 cert to sign and encrypt elements like `NameID`, `Message`,
209 Use `sp_new.crt` if you are in a key rollover process and you want to
224 old code to keep working. (This library is provided to maintain
245 files when adding SAML support to your applications. Keep in mind that those
258 * `settings_example.php` - A template to be used in order to create a
260 * `advanced_settings_example.php` - A template to be used in order to create a
261 advanced_settings.php file which contains extra configuration info related to
262 the security, the contact person, and the organization associated to the SP.
264 * `compatibility` - Import that file to make your old code compatible with the
275 the toolkit to demonstrate the backwards compatibility.
282 First of all we need to configure the toolkit. The SP's info, the IdP's info,
286 There are two ways to provide the settings information:
290 * Use an array with the setting data and provide it directly to the
302 // or unencrypted messages if it expects them to be signed or encrypted.
307 // Enable debug mode (to print errors).
310 // Set a BaseURL to be used instead of trying to guess
321 // returned to the requester, in this case our SP.
325 // SAML protocol binding to be used when returning the <Response>
330 // If you need to specify requested attributes, set a
347 // returned to the requester, in this case our SP.
351 // SAML protocol binding to be used when returning the <Response>
356 // Specifies the constraints on the name identifier to be used to
358 // Take a look at lib/Saml2/Constants.php to see the NameIdFormats supported.
367 * If you plan to update the SP x509cert and privateKey
384 // SAML protocol binding to be used when returning the <Response>
396 // SAML protocol binding to be used when returning the <Response>
404 * Instead of using the whole x509cert you can use a fingerprint to
405 * validate a SAMLResponse, but we don't recommend using that
407 * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
410 * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
414 … * Notice that if you want to validate any SAML Message sent by the HTTP-Redirect binding, you
415 * will need to provide the whole x509cert.
423 * In order to handle that the toolkit offers that parameter.
438 In addition to the required settings data (IdP, SP), there is extra
490 // and <samlp:LogoutResponse> elements received by this SP to be signed.
494 // this SP to be encrypted.
498 // this SP to be signed. [Metadata of the SP will offer this info]
502 // received by this SP to be present.
506 // this SP to be encrypted.
510 // Set to false and no AuthContext will be sent in the AuthNRequest.
516 // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
523 // If true, the Destination URL must strictly match the address to
530 // AuthNRequest ID provided to the validation method.
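As an added example (not code from the php-saml README or the toolkit itself), here is a settings array that applies the points made above about the `security` block and the IdP certificate: SHA-256 signature and digest algorithms instead of the SHA-1 defaults, the full IdP `x509cert` instead of `certFingerprint` (a fingerprint cannot verify HTTP-Redirect signatures), `strict` mode, and signed messages and assertions required. Every host, entity ID and file path is a placeholder; the algorithm URIs are the values the toolkit accepts. The last lines build the SP metadata and run the toolkit's own validator over it as a smoke test.

```php
<?php
// Added example; not part of the php-saml README. Hosts and paths below are assumptions.
require_once __DIR__ . '/_toolkit_loader.php';

$settingsInfo = array(
    // strict => true: a message the settings say must be signed/encrypted is rejected otherwise.
    'strict'  => true,
    'debug'   => false,
    // Fixed base URL: avoids deriving SP URLs from request headers that a proxy may rewrite.
    'baseurl' => 'https://sp.example.com/saml/',

    'sp' => array(
        'entityId' => 'https://sp.example.com/saml/metadata',
        'assertionConsumerService' => array(
            'url'     => 'https://sp.example.com/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        'singleLogoutService' => array(
            'url'     => 'https://sp.example.com/saml/sls',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        // PEM bodies of the SP's own key pair (paths are assumptions).
        'x509cert'   => file_get_contents('/etc/saml/sp.crt'),
        'privateKey' => file_get_contents('/etc/saml/sp.key'),
    ),

    'idp' => array(
        'entityId' => 'https://idp.example.org/saml/metadata',
        'singleSignOnService' => array(
            'url'     => 'https://idp.example.org/saml/sso',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        'singleLogoutService' => array(
            'url'     => 'https://idp.example.org/saml/slo',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // The full certificate, not 'certFingerprint': HTTP-Redirect signatures cannot be
        // verified from a fingerprint, and pinning the key itself is the stronger check.
        'x509cert' => file_get_contents('/etc/saml/idp.crt'),
    ),

    'security' => array(
        'authnRequestsSigned'  => true,
        'logoutRequestSigned'  => true,
        'logoutResponseSigned' => true,
        'wantMessagesSigned'   => true,
        'wantAssertionsSigned' => true,
        'wantNameId'           => true,
        'wantXMLValidation'    => true,
        // Both default to SHA-1; these are the SHA-256 URIs the toolkit accepts.
        'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'    => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ),
);

// Smoke test: the Settings constructor throws on inconsistent settings, and the
// generated SP metadata can be checked with the toolkit's validator.
$settings = new OneLogin_Saml2_Settings($settingsInfo);
$metadata = $settings->getSPMetadata();
$errors   = $settings->validateMetadata($metadata);
if (!empty($errors)) {
    throw new RuntimeException('Invalid SP metadata: ' . implode(', ', $errors));
}
```

Publish the metadata from `getSPMetadata()` to the IdP so that the signing requirements in `security` are advertised; if the IdP is later configured to sign with SHA-1 again, `strict` mode plus the SHA-256 settings will make the toolkit reject its responses, which is the intended failure.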
555 // Contact information template, it is recommended to supply a
580 The compression settings allow you to instruct whether or not the IdP can accept
582 But if we provide a `$deflate` boolean parameter to the `getRequest` or `getResponse` method it wil…
587 and communicate them to the IdP's admin too.
608 execution or locate them in any file and load the file in order to get the
623 In order to use the toolkit library you need to import the `_toolkit_loader.php`
634 After that line we will be able to use the classes (and their methods) of the
638 you will need to load the `compatibility.php` file, which loads the SAML library files,
639 in addition to the `_toolkit_loader.php`.
643 to accomplish the same things.
652 In order to send an `AuthNRequest` to the IdP:
669 to the user's client. The client is then forwarded to the Attribute Consumer Service of the SP wit…
671 We can set a `'returnTo'` url to change the workflow and redirect the user to the other PHP file.
681 * `$parameters` - An array of parameters that will be added to the `GET` in the HTTP-Redirect.
684 * `$stay` - True if we want to stay (returns the url string), False to redirect
686 * `$nameIdValueReq` - Indicates to the IdP the subject that should be authenticated.
688 …he future SAMLResponse ID and the AuthNRequest ID to be sent is required, that AuthNRequest ID mus…
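The login step described by the parameters above, as an added example that is not code from the README: `login()` is called with `$stay = true` so that the AuthNRequest ID returned by `getLastRequestID()` can be stored in the session before the browser is sent to the IdP. Without that stored ID the ACS cannot bind the Response's InResponseTo to a request this SP actually made. `$settingsInfo` is assumed to be the settings array from the configuration section; the return URL is a placeholder.

```php
<?php
// Added example; not part of the php-saml README. Assumes $settingsInfo holds the
// toolkit settings array and that PHP sessions are used to persist state.
require_once __DIR__ . '/_toolkit_loader.php';
session_start();

$auth = new OneLogin_Saml2_Auth($settingsInfo);

// $stay = true: build the redirect URL instead of redirecting immediately, so the
// AuthNRequest ID can be recorded before the browser leaves this SP.
$ssoUrl = $auth->login(
    'https://sp.example.com/app/home', // returnTo (RelayState) - assumed URL
    array(),                            // extra GET parameters
    false,                              // forceAuthn
    false,                              // isPassive
    true,                               // stay
    true,                               // setNameIdPolicy
    null                                // nameIdValueReq
);

// Stored so the ACS can pass it to processResponse() and require a matching InResponseTo.
$_SESSION['AuthNRequestID'] = $auth->getLastRequestID();

$auth->redirectTo($ssoUrl);
exit();
```

Store the ID server-side only; placing it in a cookie or in RelayState would let a client supply its own value and defeat the InResponseTo check.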
701 Related to the SP there are three important views: The metadata view, the ACS view and the SLS view…
735 Before the XML metadata is exposed, a check takes place to ensure
736 that the info to be provided is valid.
743 to get the settings object and with the true parameter we will avoid the IdP Settings validation.
748 This code handles the SAML response that the IdP forwards to the SP through the user's client.
753 session_start(); // IMPORTANT: This is required in order to be able
754 // to store the user data in the session.
824 Notice that we saved the user data in the session before the redirection to
830 In order to retrieve attributes we can use:
864 Each attribute name can be used as an index into `$attributes` to obtain the value. Every attribute…
880 Before trying to get an attribute, check that the user is
883 returned. For example, if we call `getAttributes` before a
895 session_start(); // IMPORTANT: This is required in order to be able
896 // to close the user session.
941 the session is closed and a Logout Response is sent to the SLS endpoint of
978 way to destroy the session, you can pass a callback method to the
991 If we don't want `processSLO` to destroy the session, pass true as the first
992 parameter to the `processSLO` method
1001 In order to send a Logout Request to the IdP:
1015 * `$returnTo` - The target URL the user should be returned to after logout.
1016 * `$parameters` - Extra parameters to be added to the GET.
1017 * `$name_id` - That will be used to build the LogoutRequest. If `name_id` parameter is not set and …
1020 * `$stay` - True if we want to stay (returns the url string) False to redirect.
1028 The IdP will return the Logout Response through the user's client to the
1032 endpoint will redirect the user to the file that launched the SLO request.
1034 We can set a `'returnTo'` url to change the workflow and redirect the user
1035 to another PHP file.
1071 …future LogoutResponse ID and the LogoutRequest ID to be sent is required, that LogoutRequest ID mu…
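The SP-initiated logout and the SLS endpoint, as one added example (not code from the README): `logout()` is called with `$stay = true` so the LogoutRequest ID can be stored for the later InResponseTo check, and `processSLO()` receives that ID plus a callback that removes only the SAML keys from the session instead of the toolkit's default `session_destroy()`. The session keys `samlNameId`, `samlSessionIndex` and `LogoutRequestID` and the `?slo` / `?sls` dispatch are assumptions of this example.

```php
<?php
// Added example; not part of the php-saml README. Assumes $settingsInfo and the
// session keys samlNameId / samlSessionIndex written by the ACS handler.
require_once __DIR__ . '/_toolkit_loader.php';
session_start();

$auth = new OneLogin_Saml2_Auth($settingsInfo);

if (isset($_GET['slo'])) {
    // SP-initiated logout: send NameID and SessionIndex so the IdP can match its session.
    $nameId       = isset($_SESSION['samlNameId']) ? $_SESSION['samlNameId'] : null;
    $sessionIndex = isset($_SESSION['samlSessionIndex']) ? $_SESSION['samlSessionIndex'] : null;

    // $stay = true returns the URL so the request ID can be stored before redirecting.
    $sloUrl = $auth->logout(null, array(), $nameId, $sessionIndex, true);
    $_SESSION['LogoutRequestID'] = $auth->getLastRequestID();

    $auth->redirectTo($sloUrl);
    exit();
}

if (isset($_GET['sls'])) {
    $requestID = isset($_SESSION['LogoutRequestID']) ? $_SESSION['LogoutRequestID'] : null;

    // Used instead of the toolkit's session_destroy(): clear the SAML state and
    // rotate the session ID, but keep anything else the application stored.
    $deleteSession = function () {
        unset($_SESSION['samlUserdata'], $_SESSION['samlNameId'], $_SESSION['samlSessionIndex']);
        session_regenerate_id(true);
    };

    // keepLocalSession = false; retrieveParametersFromServer = false (set it to true
    // only when the web server re-encodes the signed query string).
    $auth->processSLO(false, $requestID, false, $deleteSession);
    unset($_SESSION['LogoutRequestID']);

    $errors = $auth->getErrors();
    if (!empty($errors)) {
        http_response_code(400);
        error_log('SAML SLS failed: ' . implode(', ', $errors) . ' ' . $auth->getLastErrorReason());
        exit('Invalid logout message');
    }

    // Reached only for a LogoutResponse: for an incoming LogoutRequest the toolkit
    // runs the callback and redirects the browser back to the IdP itself.
    echo 'Logged out';
}
```

Passing `$requestID` as `null` when no LogoutRequest was sent from this session is correct for IdP-initiated logout; passing a stale or attacker-controlled value is not, which is why it is read from the server-side session only.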
1102 if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the IdP
1107 } else if (isset($_GET['slo'])) { // SLO action. Will send a Logout Request to the IdP
1160 echo '<p><a href="?sso2" >Login and access the attrs.php page</a></p>';
1180 // put SAML settings into an array to avoid placing files in the
1206 php-saml toolkit uses a bunch of methods in OneLogin_Saml2_Utils that try to guess the URL where th…
1216 getSelfURLNoQuery and getSelfRoutedURLNoQuery are used to calculate the currentURL in order to vali…
1220 to define a specific value to be returned by `isHTTPS`, `getSelfHost`, `getSelfPort` and `getBaseU…
1222 …he settings the developer will be able to set a `'baseurl'` parameter that automatically will use …
1229 You should be able to workaround this by configuring your server so that it is aware of the proxy a…
1236 If you plan to update the SP x509cert and privateKey you can define the new x509cert as `$settings[…
1245 In order to handle that the toolkit offers the `$settings['idp']['x509certMulti']` parameter.
1250 - `'signing'`. An array of certs that will be used to validate IdP signature
1251 - `'encryption'` An array with a single cert that will be used to encrypt data to be sent to the …
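The certificate entries during a key rollover, as an added configuration example (not from the README): the SP keeps signing with its current key while advertising `x509certNew` in metadata, and the IdP side lists both the old and the new signing certificate under `x509certMulti` so responses signed with either verify, while only the new one is used for encryption. `$settingsInfo` and the file paths are assumptions.

```php
<?php
// Added example; not part of the php-saml README. Assumes $settingsInfo is the
// settings array and that the PEM files exist at the paths shown.

// SP side: the current pair still signs; the new cert is only published in metadata.
$settingsInfo['sp']['x509cert']    = file_get_contents('/etc/saml/sp.crt');
$settingsInfo['sp']['privateKey']  = file_get_contents('/etc/saml/sp.key');
$settingsInfo['sp']['x509certNew'] = file_get_contents('/etc/saml/sp_new.crt');

// IdP side: accept signatures from either IdP cert during the overlap window,
// but encrypt to the new one only.
$settingsInfo['idp']['x509certMulti'] = array(
    'signing' => array(
        file_get_contents('/etc/saml/idp_old.crt'),
        file_get_contents('/etc/saml/idp_new.crt'),
    ),
    'encryption' => array(
        file_get_contents('/etc/saml/idp_new.crt'),
    ),
);
// Single-cert and fingerprint entries are superseded by x509certMulti; drop them
// so there is one source of truth for which IdP keys are trusted.
unset($settingsInfo['idp']['x509cert'], $settingsInfo['idp']['certFingerprint']);
```

Once the IdP has switched to the new key, remove the old certificate from `signing`; leaving retired keys trusted indefinitely extends the window in which a compromised old key still produces valid assertions.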
1256 to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid pro…
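The ACS handler described earlier ("handles the SAML response that the IdP forwards to the SP through the user's client") and the replay-protection advice just above, combined into one added example that is not code from the README: `processResponse()` receives the stored AuthNRequest ID so InResponseTo is enforced, the Response and Assertion IDs returned by `getLastMessageId()` and `getLastAssertionId()` are recorded in a shared store and rejected if seen before, the session ID is rotated after authentication, and RelayState is followed only when it points back at this host. The helper `samlMessageAlreadySeen` is hypothetical and file-backed here so the example runs on one host; the TTL and session key names are assumptions.

```php
<?php
// Added example; not part of the php-saml README. Assumes $settingsInfo, PHP sessions,
// and $_SESSION['AuthNRequestID'] stored when login() was called.
require_once __DIR__ . '/_toolkit_loader.php';
session_start();

// Hypothetical helper: records a message ID with an expiry and reports whether it was
// already present. File-backed so it is shared across sessions on one host; a multi-host
// deployment needs a shared store (database, Redis) with the same semantics.
function samlMessageAlreadySeen($id, $ttlSeconds)
{
    $path = sys_get_temp_dir() . '/saml_seen_ids.json';
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        throw new RuntimeException('cannot open replay store');
    }
    flock($fh, LOCK_EX);
    $raw  = stream_get_contents($fh);
    $seen = ($raw === '' || $raw === false) ? array() : json_decode($raw, true);
    if (!is_array($seen)) {
        $seen = array();
    }
    $now = time();
    foreach ($seen as $seenId => $expires) {     // expired IDs can no longer be replayed
        if ($expires < $now) {                   // because the toolkit rejects them by time
            unset($seen[$seenId]);
        }
    }
    $replay = isset($seen[$id]);
    if (!$replay) {
        $seen[$id] = $now + $ttlSeconds;
    }
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($seen));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $replay;
}

$auth = new OneLogin_Saml2_Auth($settingsInfo);

// With a stored ID the toolkit requires a matching InResponseTo; with null an
// unsolicited Response (no InResponseTo) is accepted.
$requestID = isset($_SESSION['AuthNRequestID']) ? $_SESSION['AuthNRequestID'] : null;
$auth->processResponse($requestID);
unset($_SESSION['AuthNRequestID']);

$errors = $auth->getErrors();
if (!empty($errors)) {
    http_response_code(400);
    error_log('SAML ACS failed: ' . implode(', ', $errors) . ' ' . $auth->getLastErrorReason());
    exit('Invalid SAML response');
}
if (!$auth->isAuthenticated()) {
    http_response_code(403);
    exit('Not authenticated');
}

// Replay check on both IDs. TTL assumption: keep IDs at least as long as the
// validity window (NotOnOrAfter plus clock skew) the toolkit accepts.
$ttl = 3600;
if (samlMessageAlreadySeen($auth->getLastMessageId(), $ttl)
    || samlMessageAlreadySeen($auth->getLastAssertionId(), $ttl)) {
    http_response_code(400);
    exit('Replayed SAML response');
}

session_regenerate_id(true); // new session ID on login, against session fixation
$_SESSION['samlUserdata']     = $auth->getAttributes();
$_SESSION['samlNameId']       = $auth->getNameId();
$_SESSION['samlSessionIndex'] = $auth->getSessionIndex();

// RelayState comes from the client: follow it only for URLs on this host.
$self = OneLogin_Saml2_Utils::getSelfURLNoQuery();
if (isset($_POST['RelayState']) && $_POST['RelayState'] !== $self) {
    $target = $_POST['RelayState'];
    if (parse_url($target, PHP_URL_HOST) === parse_url($self, PHP_URL_HOST)) {
        $auth->redirectTo($target);
    }
}
```

The store must be consulted after signature validation, not before: recording IDs from unverified messages would let anyone fill it with IDs of their choosing and block legitimate responses.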
1268 of the old v.1 toolkit that is provided to keep backward compatibility.
1290 A simple class used to build the Setting object used in the v1.0 of the toolkit.
1301 Auxiliary class that contains methods to validate the SAML Response:
1321 * `redirectTo` - Redirects the user to the url passed as parameter or to the url
…* `getID` - Returns the ID of the Logout Request. (If you have the object you can access the id…
1447 A class that contains functionality related to the metadata of the SP
1451 * `addX509KeyDescriptors` - Adds the x509 descriptors (signing/encryption) to
1458 * `validateXML` - This function attempts to validate an XML string against
1462 * `redirect` - Executes a redirection to the provided url (or return the
1472 * `parseTime2SAML` - Converts a UNIX timestamp to SAML2 timestamp on the
1475 `yyyy-mm-ddThh:mm:ss(\.s+)?Z` to a UNIX timestamp. The sub-second part is
1477 * `parseDuration` - Interprets an ISO8601 duration value relative to a given
1488 * `castKey` - Converts an `XMLSecurityKey` to the correct algorithm.
1489 * `addSign` - Adds signature key and senders certificate to an element
1495 Auxiliary class that contains several methods to retrieve and process IdP metadata
1504 about what it does and how to use it are provided. Make sure to also check the doc folder where
1512 The toolkit includes three demo apps to show how to use the toolkit; take a look at them.
1520 The Onelogin's PHP Toolkit allows you to provide the settings info in two ways:
1528 to create the `settings.php` settings and store it in the `demo1/` folder.
1532 file is loaded in order to get the `$settingsInfo` var to be used in order to initialize
1548 1. The first time you access the `index.php` view, you can choose to log in and return
1549 to the same view or log in and be redirected to the `attrs.php` view.
1553 2.1 In the first link, we access (`index.php?sso`); an `AuthNRequest`
1554 is sent to the IdP, we authenticate at the IdP and then a Response is sent
1555 …through the user's client to the SP, specifically the Assertion Consumer Service view: `index.php?…
1556 Notice that a `RelayState` parameter is set to the url that initiated the
1559 2.2 In the second link we access (`attrs.php`) and have the same process
1564 are redirected to the RelayState view. a) `index.php` or b) `attrs.php`.
1572 Logout Request is sent to the IdP, the session at the IdP is closed and
1573 replies through the client to the SP with a Logout Response (sent to the
1580 Request to the SP (SLS endpoint, `index.php?sls`). The SLS endpoint of the SP
1582 at the local app and send a Logout Response to the IdP (to the SLS endpoint
1587 the `index.php` file and how `GET` parameters are used to know the action that
1595 The Onelogin's PHP Toolkit allows you to provide the settings info in two ways:
1603 Review the `setting_example.php` and the `advanced_settings_example.php` to
1604 learn how to build them.
1606 In this case as Attribute Consumer Service and Single Logout Service we are going to
1632 sent to the IdP automatically, (as `RelayState` is sent the origin url).
1633 We authenticate at the IdP and then a `Response` is sent to the SP, to the
1638 to the `RelayState` view (`sso.php` or `index.php`). The `sso.php` detects if the
1639 user is logged in and redirects to `index.php`, so we will be in the
1648 we are redirected to the `slo.php` view and there a Logout Request is sent
1649 to the IdP, the session at the IdP is closed and the IdP replies to the SP with a
1650 Logout Response (sent to the Single Logout Service endpoint). In this case
1657 Request to the SP (SLS endpoint `sls.php` of the endpoint folder).
1660 to the IdP (to the SLS endpoint of the IdP). The IdP receives the Logout
1670 An object of the class `OneLogin_Saml_Settings` must be provided to the
1679 `idp_sso_target_url`, `x509certificate`). You'll need to add your own code here
1680 to identify the user or user origin (e.g. by `subdomain`, `ip_address` etc.).
1696 sends it to the identity provider (IdP).