Fix #136. Support lowercase Urlencoding (ADFS compatibility).

README.md

@@ -451,6 +451,10 @@ $advancedSettings = array (
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
         'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+
+        // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+        // uppercase. Turn it True for ADFS compatibility on signature verification
+        'lowercaseUrlencoding' => false,
     ),
 
     // Contact information template, it is recommended to supply a

advanced_settings_example.php

@@ -84,6 +84,10 @@
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
         //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
         'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+
+        // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+        // uppercase. Turn it True for ADFS compatibility on signature verification
+        'lowercaseUrlencoding' => false,
     ),
 
     // Contact information template, it is recommended to suply a technical and support contacts

lib/Saml2/Auth.php

@@ -475,11 +475,19 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
-        $msg = 'SAMLRequest='.urlencode($samlRequest);
-        if (isset($relayState)) {
-            $msg .= '&RelayState='.urlencode($relayState);
+        if ($this->_security['lowercaseUrlencoding']) {
+            $msg = 'SAMLRequest='.rawurlencode($samlRequest);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.rawurlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+        } else {
+            $msg = 'SAMLRequest='.urlencode($samlRequest);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.urlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . urlencode($signAlgorithm);
         }
-        $msg .= '&SigAlg=' . urlencode($signAlgorithm);
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }
@@ -510,11 +518,19 @@ public function buildResponseSignature($samlResponse, $relayState, $signAlgorith
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
-        $msg = 'SAMLResponse='.urlencode($samlResponse);
-        if (isset($relayState)) {
-            $msg .= '&RelayState='.urlencode($relayState);
+        if ($this->_security['lowercaseUrlencoding']) {
+            $msg = 'SAMLResponse='.rawurlencode($samlResponse);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.rawurlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+        } else {
+            $msg = 'SAMLResponse='.urlencode($samlResponse);
+            if (isset($relayState)) {
+                $msg .= '&RelayState='.urlencode($relayState);
+            }
+            $msg .= '&SigAlg=' . urlencode($signAlgorithm);
         }
-        $msg .= '&SigAlg=' . urlencode($signAlgorithm);
         $signature = $objKey->signData($msg);
         return base64_encode($signature);
     }

lib/Saml2/Settings.php

@@ -373,6 +373,10 @@ private function _addDefaultValues()
             $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;
         }
 
+        if (!isset($this->_security['lowercaseUrlencoding'])) {
+            $this->_security['lowercaseUrlencoding'] = false;
+        }
+
         // Certificates / Private key /Fingerprint
         if (!isset($this->_idp['x509cert'])) {
             $this->_idp['x509cert'] = '';