Use saml 1.1 and ws-security libraries to build metadata and messages

composer.json

@@ -19,7 +19,8 @@
             "composer/package-versions-deprecated": true,
             "dealerdirect/phpcodesniffer-composer-installer": true,
             "phpstan/extension-installer": true,
-            "simplesamlphp/composer-module-installer": true
+            "simplesamlphp/composer-module-installer": true,
+            "simplesamlphp/composer-xmlprovider-installer": true
         }
     },
     "autoload": {
@@ -36,18 +37,20 @@
         "php": "^8.1",
         "ext-dom": "*",
 
-        "robrichards/xmlseclibs": "^3.1",
-        "simplesamlphp/assert": "^1.0",
+        "beste/clock": "^3.0",
+        "psr/clock": "^1.0",
+        "simplesamlphp/assert": "^1.1",
         "simplesamlphp/saml11": "^1.0",
         "simplesamlphp/saml2": "^5@dev",
-        "simplesamlphp/simplesamlphp": "^2.0",
-        "simplesamlphp/xml-common": "^1.12",
-        "simplesamlphp/ws-security": "^1.0",
+        "simplesamlphp/simplesamlphp": "dev-feature/adfs-upgrade",
+        "simplesamlphp/ws-security": "^1.6",
+        "simplesamlphp/xml-common": "^1.16",
+        "simplesamlphp/xml-security": "^1.9",
         "symfony/http-foundation": "^6.4"
     },
     "require-dev": {
-        "simplesamlphp/simplesamlphp-test-framework": "^1.5",
-        "simplesamlphp/xml-security": "^1.6"
+        "simplesamlphp/simplesamlphp-test-framework": "^1.6",
+        "simplesamlphp/xml-security": "^1.7"
     },
     "support": {
         "issues": "https://github.com/simplesamlphp/simplesamlphp-module-adfs/issues",

hooks/hook_generate_metadata.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+use SimpleSAML\Assert\Assert;
+use SimpleSAML\SAML2\Constants as C;
+use SimpleSAML\{Configuration, Utils, Logger, Module};
+use SimpleSAML\Locale\Translate;
+use SimpleSAML\Metadata\MetaDataStorageHandler;
+
+function adfs_hook_generate_metadata(array &$hookinfo): void
+{
+    if ($hookinfo['set'] === 'adfs-idp-hosted') {
+        $property = $hookinfo['property'];
+        $endpoint = Module::getModuleURL('adfs/idp/prp.php');
+
+        switch ($property) {
+            case 'SingleSignOnService':
+                $hookinfo['result'] = $endpoint;
+                break;
+            case 'SingleSignOnServiceBinding':
+                $hookinfo['result'] = C::BINDING_HTTP_REDIRECT;
+                break;
+            case 'SingleLogoutService':
+                $hookinfo['result'] = $endpoint;
+                break;
+            case 'SingleLogoutServiceBinding':
+                $hookinfo['result'] = C::BINDING_HTTP_REDIRECT;
+                break;
+        }
+    }
+}
+

routing/routes/routes.yml

@@ -12,7 +12,7 @@ adfs-prp:
   defaults: {
     _controller: 'SimpleSAML\Module\adfs\Controller\Adfs::prp'
   }
-  methods: [GET]
+  methods: [GET, POST]
 
 adfs-metadata-legacy:
   path: /idp/metadata.php
@@ -26,4 +26,4 @@ adfs-prp-legacy:
   defaults: {
     _controller: 'SimpleSAML\Module\adfs\Controller\Adfs::prp'
   }
-  methods: [GET]
+  methods: [GET, POST]

src/Controller/Adfs.php

@@ -5,20 +5,11 @@
 namespace SimpleSAML\Module\adfs\Controller;
 
 use Exception;
-use SimpleSAML\Assert\Assert;
-use SimpleSAML\Configuration;
+use SimpleSAML\{Configuration, IdP, Logger, Metadata, Module, Session, Utils};
 use SimpleSAML\Error as SspError;
-use SimpleSAML\IdP;
-use SimpleSAML\Logger;
-use SimpleSAML\Metadata;
-use SimpleSAML\Module;
 use SimpleSAML\Module\adfs\IdP\ADFS as ADFS_IDP;
-use SimpleSAML\SAML2\Constants;
-use SimpleSAML\Session;
-use SimpleSAML\Utils;
-use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\HttpFoundation\StreamedResponse;
+use SimpleSAML\Module\adfs\IdP\MetadataBuilder;
+use Symfony\Component\HttpFoundation\{Request, Response, StreamedResponse};
 
 /**
  * Controller class for the adfs module.
@@ -50,7 +41,7 @@
     public function __construct(Configuration $config, Session $session)
     {
         $this->config = $config;
         $this->metadata = Metadata\MetaDataStorageHandler::getMetadataHandler($config);
         $this->session = $session;
         $this->cryptoUtils = new Utils\Crypto();
     }
@@ -78,134 +69,20 @@
             } else {
                 $idpentityid = $this->metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
             }
             $idpmeta = $this->metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted');
 
-            $availableCerts = [];
-            $keys = [];
-            $certInfo = $this->cryptoUtils->loadPublicKey($idpmeta, false, 'new_');
+            $builder = new MetadataBuilder($this->config, $idpmeta);
 
-            if ($certInfo !== null) {
-                $availableCerts['new_idp.crt'] = $certInfo;
-                $keys[] = [
-                    'type'            => 'X509Certificate',
-                    'signing'         => true,
-                    'encryption'      => true,
-                    'X509Certificate' => $certInfo['certData'],
-                ];
-                $hasNewCert = true;
-            } else {
-                $hasNewCert = false;
-            }
-
-            /** @var array $certInfo */
-            $certInfo = $this->cryptoUtils->loadPublicKey($idpmeta, true);
-            $availableCerts['idp.crt'] = $certInfo;
-            $keys[] = [
-                'type'            => 'X509Certificate',
-                'signing'         => true,
-                'encryption'      => ($hasNewCert ? false : true),
-                'X509Certificate' => $certInfo['certData'],
-            ];
-
-            if ($idpmeta->hasValue('https.certificate')) {
-                /** @var array $httpsCert */
-                $httpsCert = $this->cryptoUtils->loadPublicKey($idpmeta, true, 'https.');
-                Assert::keyExists($httpsCert, 'certData');
-                $availableCerts['https.crt'] = $httpsCert;
-                $keys[] = [
-                    'type'            => 'X509Certificate',
-                    'signing'         => true,
-                    'encryption'      => false,
-                    'X509Certificate' => $httpsCert['certData'],
-                ];
-            }
-
-            $adfs_service_location = Module::getModuleURL('adfs') . '/idp/prp.php';
-            $metaArray = [
-                'metadata-set'        => 'adfs-idp-remote',
-                'entityid'            => $idpentityid,
-                'SingleSignOnService' => [
-                    0 => [
-                        'Binding'  => Constants::BINDING_HTTP_REDIRECT,
-                        'Location' => $adfs_service_location,
-                    ],
-                ],
-                'SingleLogoutService' => [
-                    0 => [
-                        'Binding'  => Constants::BINDING_HTTP_REDIRECT,
-                        'Location' => $adfs_service_location,
-                    ],
-                ],
-            ];
-
-            if (count($keys) === 1) {
-                $metaArray['certData'] = $keys[0]['X509Certificate'];
-            } else {
-                $metaArray['keys'] = $keys;
-            }
-
-            $metaArray['NameIDFormat'] = $idpmeta->getOptionalString(
-                'NameIDFormat',
-                Constants::NAMEID_TRANSIENT,
-            );
-
-            if ($idpmeta->hasValue('OrganizationName')) {
-                $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
-                $metaArray['OrganizationDisplayName'] = $idpmeta->getOptionalLocalizedString(
-                    'OrganizationDisplayName',
-                    $metaArray['OrganizationName'],
-                );
-
-                if (!$idpmeta->hasValue('OrganizationURL')) {
-                    throw new SspError\Exception('If OrganizationName is set, OrganizationURL must also be set.');
-                }
-                $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
-            }
-
-            if ($idpmeta->hasValue('scope')) {
-                $metaArray['scope'] = $idpmeta->getArray('scope');
-            }
-
-            if ($idpmeta->hasValue('EntityAttributes')) {
-                $metaArray['EntityAttributes'] = $idpmeta->getArray('EntityAttributes');
-            }
-
-            if ($idpmeta->hasValue('UIInfo')) {
-                $metaArray['UIInfo'] = $idpmeta->getArray('UIInfo');
-            }
+            $document = $builder->buildDocument()->toXML();
+            // Some products like DirX are known to break on pretty-printed XML
+            $document->ownerDocument->formatOutput = false;
+            $document->ownerDocument->encoding = 'UTF-8';
 
-            if ($idpmeta->hasValue('DiscoHints')) {
-                $metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints');
-            }
-
-            if ($idpmeta->hasValue('RegistrationInfo')) {
-                $metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo');
-            }
-
-            $metaBuilder = new Metadata\SAMLBuilder($idpentityid);
-            $metaBuilder->addSecurityTokenServiceType($metaArray);
-            $metaBuilder->addOrganizationInfo($metaArray);
-            $technicalContactEmail = $this->config->getOptionalString('technicalcontact_email', null);
-            if ($technicalContactEmail !== null && $technicalContactEmail !== '[email protected]') {
-                $metaBuilder->addContact(Utils\Config\Metadata::getContact([
-                    'emailAddress' => $technicalContactEmail,
-                    'givenName'    => $this->config->getOptionalString('technicalcontact_name', null),
-                    'contactType'  => 'technical',
-                ]));
-            }
-            $metaxml = $metaBuilder->getEntityDescriptorText();
-
-            // sign the metadata if enabled
-            $metaxml = Metadata\Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');
+            $metaxml = $document->ownerDocument->saveXML();
 
             $response = new Response();
             $response->setEtag(hash('sha256', $metaxml));
-            $response->setCache([
-                'no_cache' => $protectedMetadata === true,
-                'public' => $protectedMetadata === false,
-                'private' => $protectedMetadata === true,
-            ]);
-
+            $response->setPublic();
             if ($response->isNotModified($request)) {
                 return $response;
             }
@@ -229,10 +106,10 @@
         Logger::info('ADFS - IdP.prp: Accessing ADFS IdP endpoint prp');
 
         $idpEntityId = $this->metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
-        $idp = IdP::getById($this->config, 'adfs:' . $idpEntityId);
+        $idp = IdP::getById('adfs:' . $idpEntityId);
 
-        if ($request->query->has('wa')) {
-            $wa = $request->query->get('wa');
+        if ($request->get('wa', null) !== null) {
+            $wa = $request->get('wa');
             if ($wa === 'wsignout1.0') {
                 return new StreamedResponse(
                     function () use ($idp) {
@@ -243,18 +120,18 @@
                 return ADFS_IDP::receiveAuthnRequest($request, $idp);
             }
             throw new SspError\BadRequest("Unsupported value for 'wa' specified in request.");
-        } elseif ($request->query->has('assocId')) {
+        } elseif ($request->get('assocId', null) !== null) {
             // logout response from ADFS SP
             // Association ID of the SP that sent the logout response
-            $assocId = $request->query->get('assocId');
+            $assocId = $request->get('assocId');
             // Data that was sent in the logout request to the SP. Can be null
-            $relayState = $request->query->get('relayState');
+            $relayState = $request->get('relayState');
             // null on success, or an instance of a \SimpleSAML\Error\Exception on failure.
             $logoutError = null;
 
             return new StreamedResponse(
                 function () use ($idp, /** @scrutinizer ignore-type */ $assocId, $relayState, $logoutError) {
                     $idp->handleLogoutResponse($assocId, $relayState, $logoutError);
                 },
             );
         }