diff --git a/lib/IdP/ADFS.php b/lib/IdP/ADFS.php
index 9af9e87..58ad145 100644
--- a/lib/IdP/ADFS.php
+++ b/lib/IdP/ADFS.php
@@ -4,8 +4,12 @@
 use RobRichards\XMLSecLibs\XMLSecurityDSig;
 use RobRichards\XMLSecLibs\XMLSecurityKey;
+use SAML2\Constants;
+
 use SimpleSAML\Utils\Config\Metadata;
 use SimpleSAML\Utils\Crypto;
+use SimpleSAML\Utils\HTTP;
+use SimpleSAML\Utils\Time;
 class ADFS
 {
@@ -40,7 +44,7 @@ public static function receiveAuthnRequest(\SimpleSAML\IdP $idp)
 ];
 if (isset($query['wreply']) && !empty($query['wreply'])) {
- $state['adfs:wreply'] = \SimpleSAML\Utils\HTTP::checkURLAllowed($query['wreply']);
+ $state['adfs:wreply'] = HTTP::checkURLAllowed($query['wreply']);
 }
 $idp->handleAuthenticationRequest($state);
@@ -57,13 +61,19 @@ public static function receiveAuthnRequest(\SimpleSAML\IdP $idp)
 */
 private static function generateResponse($issuer, $target, $nameid, $attributes, $assertionLifetime)
 {
- $issueInstant = \SimpleSAML\Utils\Time::generateTimestamp();
- $notBefore = \SimpleSAML\Utils\Time::generateTimestamp(time() - 30);
- $assertionExpire = \SimpleSAML\Utils\Time::generateTimestamp(time() + $assertionLifetime);
+ $issueInstant = Time::generateTimestamp();
+ $notBefore = Time::generateTimestamp(time() - 30);
+ $assertionExpire = Time::generateTimestamp(time() + $assertionLifetime);
 $assertionID = \SimpleSAML\Utils\Random::generateID();
 $nameidFormat = 'http://schemas.xmlsoap.org/claims/UPN';
 $nameid = htmlspecialchars($nameid);
+ if (HTTP::isHTTPS()) {
+ $method = Constants::AC_PASSWORD_PROTECTED_TRANSPORT;
+ } else {
+ $method = Constants::AC_PASSWORD;
+ }
+
 $result = <<
@@ -73,7 +83,7 @@ private static function generateResponse($issuer, $target, $nameid, $attributes, $target - + $nameid
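Review bot: The AuthenticationMethod the token will carry is chosen in the new `$method` block from HTTP::isHTTPS() alone, so the relying party is told the user authenticated with a password (protected by transport or not) regardless of which authentication source actually ran — a certificate, OTP or upstream-SSO login still yields AC_PASSWORD or AC_PASSWORD_PROTECTED_TRANSPORT, and a relying party that gates access on the asserted context is trusting a claim the IdP cannot back. A safer shape is to take the method from what the authentication source recorded in the request state (or an explicit IdP configuration value) and keep the transport check only as a documented fallback, since generateResponse currently receives no state to consult. HTTP::isHTTPS() presumably also reflects the connection to this host rather than to the user, so behind a TLS-terminating proxy the weaker AC_PASSWORD may be asserted unless the proxy setup is accounted for; at minimum the block deserves a comment such as `// Best-effort authn context: assumes a password login; the HTTPS check only picks between AC_PASSWORD and AC_PASSWORD_PROTECTED_TRANSPORT`. generateResponse's body continues past the hunk, where `$method` appears to be interpolated into the assertion heredoc.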
@@ -202,15 +212,15 @@ public static function getHostedMetadata($entityid)
 'entityid' => $entityid,
 'SingleSignOnService' => [
 [
- 'Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT,
+ 'Binding' => Constants::BINDING_HTTP_REDIRECT,
 'Location' => $endpoint,
 ]
 ],
 'SingleLogoutService' => [
- 'Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT,
+ 'Binding' => Constants::BINDING_HTTP_REDIRECT,
 'Location' => $endpoint,
 ],
- 'NameIDFormat' => $config->getString('NameIDFormat', \SAML2\Constants::NAMEID_TRANSIENT),
+ 'NameIDFormat' => $config->getString('NameIDFormat', Constants::NAMEID_TRANSIENT),
 'contacts' => [],
 ];
@@ -376,8 +386,8 @@ public static function sendLogoutResponse(\SimpleSAML\IdP $idp, array $state)
 {
 // NB:: we don't know from which SP the logout request came from
 $idpMetadata = $idp->getConfig();
- \SimpleSAML\Utils\HTTP::redirectTrustedURL(
- $idpMetadata->getValue('redirect-after-logout', \SimpleSAML\Utils\HTTP::getBaseURL())
+ HTTP::redirectTrustedURL(
+ $idpMetadata->getValue('redirect-after-logout', HTTP::getBaseURL())
 );
 }
@@ -392,7 +402,7 @@ public static function receiveLogoutMessage(\SimpleSAML\IdP $idp)
 // if a redirect is to occur based on wreply, we will redirect to url as
 // this implies an override to normal sp notification
 if (isset($_GET['wreply']) && !empty($_GET['wreply'])) {
- $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['wreply']));
+ $idp->doLogoutRedirect(HTTP::checkURLAllowed($_GET['wreply']));
 throw new \Exception("Code should never be reached");
 }