
public function MiniOrangeAcs::processSamlResponse in SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider 7

The function processSamlResponse.

File

includes/Acs.php, line 20

Class

MiniOrangeAcs
The MiniOrangeAcs class.

Code

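/**
 * Validates a SAML Response posted to the ACS endpoint and returns the NameID.
 *
 * Flow: decode and parse the POSTed SAMLResponse, check the top-level
 * StatusCode, verify the Response and/or Assertion XML signature against the
 * configured IdP certificate, validate Issuer and Audience, then read the
 * NameID and attributes from the first assertion.
 *
 * @param array $post
 *   Raw POST body; must contain 'SAMLResponse' (base64) and may contain
 *   'RelayState'. Both values are attacker-controlled until the signature
 *   check below has passed.
 * @param string $acs_url
 *   This SP's Assertion Consumer Service URL, forwarded to
 *   Utilities::processResponse().
 * @param string $cert_fingerprint
 *   IdP signing certificate / fingerprint as configured; normalised through
 *   XMLSecurityKey::getRawThumbprint() before use.
 * @param string $issuer
 *   Expected IdP EntityID.
 * @param string $b_url
 *   Site base URL, forwarded to Utilities::validateIssuerAndAudience().
 * @param string $spEntityId
 *   This SP's EntityID (expected Audience).
 *
 * @return mixed
 *   First element of the first assertion's getNameId() result (presumably the
 *   NameID value - verify against the SAML2 library version in use).
 *
 * @throws Exception
 *   When the POST lacks SAMLResponse, the payload is empty or not well-formed
 *   XML, the StatusCode element is missing, or the Response carries no
 *   assertion. Signature failures terminate the request with exit, as before.
 */
public function processSamlResponse($post, $acs_url, $cert_fingerprint, $issuer, $b_url, $spEntityId) {
  if (!array_key_exists('SAMLResponse', $post)) {
    throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
  }
  $saml_response = $post['SAMLResponse'];
  $RelayState = array_key_exists('RelayState', $post) ? $post['RelayState'] : '';

  $saml_response = base64_decode($saml_response);
  if ($saml_response === false || $saml_response === '') {
    // loadXML() raises a ValueError on an empty string in PHP 8; fail early.
    throw new Exception('SAMLResponse parameter is empty or not valid base64.');
  }

  // Parse with network access disabled. On PHP < 8 also switch off the
  // external entity loader so a crafted response cannot resolve external
  // entities (XXE); newer libxml/PHP disable it by default. Global libxml
  // state is restored afterwards so other callers are unaffected.
  $document = new DOMDocument();
  $prevEntityLoader = null;
  if (PHP_VERSION_ID < 80000) {
    $prevEntityLoader = libxml_disable_entity_loader(true);
  }
  $prevUseErrors = libxml_use_internal_errors(true);
  $loaded = $document->loadXML($saml_response, LIBXML_NONET);
  libxml_clear_errors();
  libxml_use_internal_errors($prevUseErrors);
  if ($prevEntityLoader !== null) {
    libxml_disable_entity_loader($prevEntityLoader);
  }
  if (!$loaded || $document->documentElement === null) {
    throw new Exception('SAMLResponse is not well-formed XML.');
  }
  // Use the root element rather than firstChild: firstChild would be a
  // DOCTYPE, comment or PI node if one precedes the root.
  $doc = $document->documentElement;
  $saml_response_xml = $doc;

  // Debug hook: prints the raw, still unverified response when the
  // (attacker-controlled) RelayState asks for it. Kept for compatibility.
  if ($RelayState === "showSamlResponse") {
    Utilities::Print_SAML_Request($saml_response, "displaySamlResponse");
  }

  $xpath = new DOMXpath($document);
  $xpath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
  $xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
  $statusNode = $xpath->query('/samlp:Response/samlp:Status/samlp:StatusCode', $doc)->item(0);
  if ($statusNode === null) {
    throw new Exception('SAMLResponse has no samlp:StatusCode element.');
  }
  $statusString = $statusNode->getAttribute('Value');
  // A nested StatusCode (second-level code) is the first *element* child;
  // skip whitespace text nodes, which have no getAttribute().
  $statusChildString = '';
  foreach ($statusNode->childNodes as $child) {
    if ($child instanceof DOMElement) {
      $statusChildString = $child->getAttribute('Value');
      break;
    }
  }
  // Short code is the last URN segment (e.g. "Success", "Responder").
  // Success is checked against the full URN so that extra segments in a
  // non-standard value cannot be mistaken for success.
  $statusParts = explode(":", $statusString);
  $status = end($statusParts);
  if ($statusString !== 'urn:oasis:names:tc:SAML:2.0:status:Success') {
    if (!empty($statusChildString)) {
      $statusParts = explode(":", $statusChildString);
      $status = end($statusParts);
    }
    // NOTE(review): presumably show_error_message() ends the request; if it
    // returns, processing continues with a non-Success status - confirm.
    $this->show_error_message($status, $RelayState);
  }

  // Normalise the configured fingerprint to the form the signature check
  // expects (thumbprint extraction, whitespace removal, single-byte encoding).
  $cert_fingerprint = XMLSecurityKey::getRawThumbprint($cert_fingerprint);
  $cert_fingerprint = preg_replace('/\\s+/', '', $cert_fingerprint);
  $cert_fingerprint = iconv("UTF-8", "CP1252//IGNORE", $cert_fingerprint);

  $saml_response = new SAML2_Response($saml_response_xml);
  $assertion = current($saml_response->getAssertions());
  if ($assertion === false) {
    throw new Exception('SAMLResponse contains no assertion.');
  }

  // At least one of Response / Assertion must carry a signature, and every
  // signature present must verify against the configured certificate.
  $response_signature_data = $saml_response->getSignatureData();
  $assertion_signature_data = $assertion->getSignatureData();
  if (is_null($response_signature_data) && is_null($assertion_signature_data)) {
    echo 'Neither response nor assertion is signed';
    exit;
  }
  if (!is_null($response_signature_data)) {
    $response_valid_signature = Utilities::processResponse($acs_url, $cert_fingerprint, $response_signature_data, $saml_response, $RelayState);
    if (!$response_valid_signature) {
      echo 'Invalid Signature in SAML Response';
      exit;
    }
  }
  if (!is_null($assertion_signature_data)) {
    $assertion_valid_signature = Utilities::processResponse($acs_url, $cert_fingerprint, $assertion_signature_data, $saml_response, $RelayState);
    if (!$assertion_valid_signature) {
      echo 'Invalid Signature in SAML Assertion';
      exit;
    }
  }

  Utilities::validateIssuerAndAudience($saml_response, $spEntityId, $issuer, $b_url, $RelayState);

  // NOTE(review): relies on the library placing the NameID value first in
  // getNameId()'s array; an explicit key would be safer - confirm.
  $username = current($assertion->getNameId());
  $attrs = $assertion->getAttributes();

  // Test-connection mode, selected via RelayState.
  if ($RelayState === 'testValidate') {
    $this->showTestResults($username, $attrs);
  }
  return $username;
}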