CHANGELOG ========= v.2.18.1 * Add setSchemasPath to Auth class and fix backward compatibility v.2.18.0 * Support rejecting unsolicited SAMLResponses. * Support stric destination matching. * Reject SAMLResponse if requestID was provided to the validotr but the InResponseTo attributeof the SAMLResponse is missing * Check destination against the getSelfURLNoQuery as well on LogoutRequest and LogoutResponse as we do on Response * Improve getSelfRoutedURLNoQuery method * Only add responseUrl to the settings if ResponseLocation present in the IdPMetadataParser * Remove use of $_GET on static method validateBinarySign * Fix error message when Assertion and NameId are both encrypted (not supported) v.2.17.1 * Update xmlseclibs to 3.0.4 * Remove Comparison atribute from RequestedAuthnContext when setting has empty value v.2.17.0 * Set true as the default value for strict setting * Support 'x509cert' and 'privateKey' on signMetadata security settings * Relax comparision of false on SignMetadata * Fix CI v.2.16.0 * Support SLO ResponseLocation * [#344](https://github.com/onelogin/php-saml/issues/344) Raise errors on IdPMetadataParser::parseRemoteXML and IdPMetadataParser::parseFileXML * Adjusted acs endpoint to extract NameQualifier and SPNameQualifier from SAMLResponse. Adjusted single logout service to provide NameQualifier and SPNameQualifier to logout method. Add getNameIdNameQualifier to Auth and SamlResponse. Extend logout method from Auth and LogoutRequest constructor to support SPNameQualifier parameter. Align LogoutRequest constructor with SAML specs * Add support for Subjects on AuthNRequests by the new parameter * Set strict=true on config examples v.2.15.0 * Security improvement suggested by Nils Engelbertz to prevent DDOS by expansion of internally defined entities (XEE) * Fix bug on settings_example.php v.2.14.0 * Add parameter to the decryptElement method to make optional the formatting * [#283](https://github.com/onelogin/php-saml/pull/283) New method of importing a decrypted assertion into the XML document to replace the EncryptedAssertion. Fix signature issues on Signed Encrypted Assertions with default namespace * Allow the getSPMetadata() method to always include the encryption Key Descriptor * Change some Fatal Error to Exceptions * [#265](https://github.com/onelogin/php-saml/issues/265) Support parameters at getSPMetadata method * Avoid calling static method using this v.2.13.0 * Update xmlseclibs with some fixes. * Add extra protection verifying the Signature algorithm used on SignedInfo element, not only rely on the xmlseclibs verify / verifySignature methods. * Add getAttributesWithFriendlyName method which returns the set of SAML attributes indexed by FriendlyName * Fix bug on parseRemoteXML and parseFileXML. Internal calls to parseXML missed the desiredNameIdFormat parameter v.2.12.0 * Improve Time management. Use DateTime/DateTimeZone classes. * Escape error messages in debug mode * Improve phpdoc * Add an extra filter to the url to be used on redirection * [#242](https://github.com/onelogin/php-saml/pull/242) Document that SHA-1 must not be used * [#250](https://github.com/onelogin/php-saml/pull/250) Fixed issue with IdPMetadataParser only keeping 1 certificate when multiple certificates of a single type were provided. * [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest. v.2.11.0 * [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads * [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request * Improve logout documentation on Readme. * Improve multi-certificate support v.2.10.7 * Fix IdPMetadataParser. The SingleLogoutService retrieved method was wrong * [#201](https://github.com/onelogin/php-saml/issues/201) Fix issues with SP entity_id, acs url and sls url that contains & v.2.10.6 * [#206](https://github.com/onelogin/php-saml/pull/206)Be able to register future SP x509cert on the settings and publish it on SP metadata * [#206](https://github.com/onelogin/php-saml/pull/206) Be able to register more than 1 Identity Provider x509cert, linked with an specific use (signing or encryption) * [#206](https://github.com/onelogin/php-saml/pull/206) Support the ability to parse IdP XML metadata (remote url or file) and be able to inject the data obtained on the settings. v.2.10.5 * Be able to get at the auth object the last processed ID * Improve NameID Format support * Reset errorReason attribute of the auth object after each Process method * Validate serial number as string to work around libxml2 limitation * Make the Issuer on the Response Optional v.2.10.4 * [+](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1) Security update for signature validation on LogoutRequest/LogoutResponse * [#192](https://github.com/onelogin/php-saml/pull/192) Added ability to configure DigestAlgorithm in settings * [#183](https://github.com/onelogin/php-saml/pull/183) Fix strpos bug when decrypting assertions * [#186](https://github.com/onelogin/php-saml/pull/186) Improve info on entityId validation Exception * [#188](https://github.com/onelogin/php-saml/pull/188) Fixed issue with undefined constant of UNEXPECTED_SIGNED_ELEMENT * Read ACS binding on AuthNRequest builder from settings * Be able to relax Destination validation on SAMLResponses and let this attribute to be empty with the 'relaxDestinationValidation' setting v.2.10.3 * Implement a more specific exception class for handling some validation errors * Minor changes on time validation/exceptions * Add hooks to retrieve last-sent and last-received requests and responses * Improve/Fix tests * Add DigestAlgorithm support on addSign * [#177](https://github.com/onelogin/php-saml/pull/177) Add error message for bad OneLogin_Saml2_Settings argument v.2.10.2 * [#175](https://github.com/onelogin/php-saml/pull/175) Allow overriding of host, port, protocol and url path for URL building * [#173](https://github.com/onelogin/php-saml/pull/173) Provide better support to NameIdFormat * Fix another issue on Assertion Signature validation when the assertion contains no namespace, container has saml2 namespace and it was encrypted v.2.10.1 * Fix error message on SignMetadata process * Fix issue on Assertion Signature validation when the assertion contains no namespace and it was encrypted v.2.10.0 * Several security improvements: * Conditions element required and unique. * AuthnStatement element required and unique. * SPNameQualifier must math the SP EntityID * Reject saml:Attribute element with same “Name” attribute * Reject empty nameID * Require Issuer element. (Must match IdP EntityID). * Destination value can't be blank (if present must match ACS URL). * Check that the EncryptedAssertion element only contains 1 Assertion element. * Improve Signature validation process * AttributeConsumingService support * Support lowercase Urlencoding (ADFS compatibility). * [#154](https://github.com/onelogin/php-saml/pull/154) getSelfHost no longer returns a port number * [#156](https://github.com/onelogin/php-saml/pull/156) Use correct host on response destination fallback check * [#158](https://github.com/onelogin/php-saml/pull/158) NEW Control usage of X-Forwarded-* headers * Fix issue with buildRequestSignature. Added RelayState to the SignQuery only if is not null. * Add Signature Wrapping prevention Test * Improve _decryptAssertion in order to take care of Assertions with problems with namespaces * Improve documentation v.2.9.1 ....... * [134](https://github.com/onelogin/php-saml/pull/134) PHP7 production settings compiles out assert(), throw an exception explicitly * [132](https://github.com/onelogin/php-saml/pull/132) Add note for "wantAssertionsEncrypted" * Update copyright on LICENSE v.2.9.0 ------- * Change the decrypt assertion process. * Add 2 extra validations to prevent Signature wrapping attacks. * Remove reference to wrong NameIDFormat: urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified should be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified * [128](https://github.com/onelogin/php-saml/pull/128) Test php7 and upgrade phpunit * Update Readme with more descriptive requestedAuthnContext description and Security Guidelines v.2.8.0 ------- * Make NameIDPolicy of AuthNRequest optional * Make nameID requirement on SAMLResponse optional * Fix empty URI support * Symmetric encryption key support * Add more Auth Context options to the constant class * Fix DSA_SHA1 constant on xmlseclibs * Set none requestedAuthnContext as default behaviour * Update xmlseclibs lib * Improve formatPrivateKey method * Fix bug when signing metadata, the SignatureMethod was not provided * Fix getter for lastRequestID parameter in OneLogin_Saml2_Auth class * Add $wantEncrypted parameter on addX509KeyDescriptors method that will allow to set KeyDescriptor[use='encryption'] if wantNameIdEncrypted or wantAssertionsEncrypted enabled * Add $stay parameter on redirectTo method. (login/logout supports $stay but I forgot add this on previous 2.7.0 version) * Improve code style v.2.7.0 ------- * Trim acs, slo and issuer urls. * Fix PHP 7 error (used continue outside a loop/switch). * Fix bug on organization element of the SP metadata builder. * Fix typos on documentation. Fix ALOWED Misspell. * Be able to extract RequestID. Add RequestID validation on demo1. * Add $stay parameter to login, logout and processSLO method. v.2.6.1 ------- * Fix bug on cacheDuration of the Metadata XML generated. * Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder. * Allows the authn comparsion attribute to be set via config. * Retrieve Session Timeout after processResponse with getSessionExpiration(). * Improve readme readability. * Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO. v.2.6.0 ------- * Set NAMEID_UNSPECIFIED as default NameIDFormat to prevent conflicts with IdPs that don't support NAMEID_PERSISTENT. * Now the SP is able to select the algorithm to be used on signatures (DSA_SHA1, RSA_SHA1, RSA_SHA256, RSA_SHA384, RSA_SHA512). * Change visibility of _decryptAssertion to protected. * Update xmlseclibs library. * Handle valid but uncommon dsig block with no URI in the reference. * login, logout and processSLO now return ->redirectTo instead of just call it. * Split the setting check methods. Now 1 method for IdP settings and other for SP settings. * Let the setting object to avoid the IdP setting check. required if we want to publish SP SAML Metadata when the IdP data is still not provided. v.2.5.0 ------- * Do accesible the ID of the object Logout Request (id attribute). * Add note about the fact that PHP 5.3 is unssuported. * Add fingerprint algorithm support. * Add dependences to composer. v.2.4.0 ------- * Fix wrong element order in generated metadata. * Added SLO with nameID and SessionIndex in demo1. * Improve isHTTPS method in order to support HTTP_X_FORWARDED_PORT. * Set optional the XMLvalidation (enable/disable it with wantXMLValidation security setting). v.2.3.0 ------- * Resolve namespace problem. Some IdPs uses saml2p:Response and saml2:Assertion instead of samlp:Response saml:Assertion. * Improve test and documentation. * Improve ADFS compatibility. * Remove unnecessary XSDs files. * Make available the reason for the saml message invalidation. * Adding ability to set idp cert once the Setting object initialized. * Fix status info issue. * Reject SAML Response if not signed and strict = false. * Support NameId and SessionIndex in LogoutRequest. * Add ForceAuh and IsPassive support. v.2.2.0 ------- * Fix bug with Encrypted nameID on LogoutRequest. * Fixed usability bug. SP will inform about AuthFail status after process a Response. * Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class. * LogoutRequest and LogoutResponse classes now accept non deflated xml. * Improved the XML metadata/ Decrypted Assertion output. (prettyprint). * Fix bug in formatPrivateKey method, the key could be not RSA. * Explicit warning message for signed element problem. * Decrypt method improved. * Support more algorithm at the SigAlg in the Signed LogoutRequests and LogoutResponses * AuthNRequest now stores ID (it can be retrieved later). * Fixed a typo on the 'NameIdPolicy' attribute that appeared at the README and settings_example file. v.2.1.0 ------- * The isValid method of the Logout Request is now non-static. (affects processSLO method of Auth.php). * Logout Request constructor now accepts encoded logout requests. * Now after validate a message, if fails a method getError of the object will return the cause. * Fix typos. * Added extra parameters option to login and logout methods. * Improve Test (new test, use the new getError method for testing). * Bugfix namespace problem when getting Attributes. v.2.0.0 ------- * New PHP SAML Toolkit (SLO, Sign, Encryptation). v.1.0.0 ------- * Old PHP SAML Toolkit.