From 3738c11947b80f0f39cede18164afb052c355148 Mon Sep 17 00:00:00 2001
From: Sixto Martin
Date: Tue, 20 Sep 2016 00:52:36 +0200
Subject: [PATCH] Fix #136. Support lowercase Urlencoding (ADFS compatibility).
---
 README.md | 4 ++++
 advanced_settings_example.php | 4 ++++
 lib/Saml2/Auth.php | 32 ++++++++++++++++++++++++--------
 lib/Saml2/Settings.php | 4 ++++
 4 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index e4db7f7a..978803f6 100644
--- a/README.md
+++ b/README.md
@@ -451,6 +451,10 @@ $advancedSettings = array (
 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
 'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+
+ // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+ // uppercase. Turn it True for ADFS compatibility on signature verification
+ 'lowercaseUrlencoding' => false,
 ),
 // Contact information template, it is recommended to supply a
diff --git a/advanced_settings_example.php b/advanced_settings_example.php
index e5bb788d..018ded4e 100644
--- a/advanced_settings_example.php
+++ b/advanced_settings_example.php
@@ -84,6 +84,10 @@
 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
 // 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
 'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+
+ // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
+ // uppercase. Turn it True for ADFS compatibility on signature verification
+ 'lowercaseUrlencoding' => false,
 ),
 // Contact information template, it is recommended to suply a technical and support contacts
diff --git a/lib/Saml2/Auth.php b/lib/Saml2/Auth.php
index faed3a7e..84a9c9cf 100644
--- a/lib/Saml2/Auth.php
+++ b/lib/Saml2/Auth.php
@@ -475,11 +475,19 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
 $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
 $objKey->loadKey($key, false);
- $msg = 'SAMLRequest='.urlencode($samlRequest);
- if (isset($relayState)) {
- $msg .= '&RelayState='.urlencode($relayState);
+ if ($this->_security['lowercaseUrlencoding']) {
+ $msg = 'SAMLRequest='.rawurlencode($samlRequest);
+ if (isset($relayState)) {
+ $msg .= '&RelayState='.rawurlencode($relayState);
+ }
+ $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+ } else {
+ $msg = 'SAMLRequest='.urlencode($samlRequest);
+ if (isset($relayState)) {
+ $msg .= '&RelayState='.urlencode($relayState);
+ }
+ $msg .= '&SigAlg=' . urlencode($signAlgorithm);
 }
- $msg .= '&SigAlg=' . urlencode($signAlgorithm);
 $signature = $objKey->signData($msg);
 return base64_encode($signature);
 }
@@ -510,11 +518,19 @@ public function buildResponseSignature($samlResponse, $relayState, $signAlgorith
 $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
 $objKey->loadKey($key, false);
- $msg = 'SAMLResponse='.urlencode($samlResponse);
- if (isset($relayState)) {
- $msg .= '&RelayState='.urlencode($relayState);
+ if ($this->_security['lowercaseUrlencoding']) {
+ $msg = 'SAMLResponse='.rawurlencode($samlResponse);
+ if (isset($relayState)) {
+ $msg .= '&RelayState='.rawurlencode($relayState);
+ }
+ $msg .= '&SigAlg=' . rawurlencode($signAlgorithm);
+ } else {
+ $msg = 'SAMLResponse='.urlencode($samlResponse);
+ if (isset($relayState)) {
+ $msg .= '&RelayState='.urlencode($relayState);
+ }
+ $msg .= '&SigAlg=' . urlencode($signAlgorithm);
 }
- $msg .= '&SigAlg=' . urlencode($signAlgorithm);
 $signature = $objKey->signData($msg);
 return base64_encode($signature);
 }
diff --git a/lib/Saml2/Settings.php b/lib/Saml2/Settings.php
index d941cb37..632d5d2b 100644
--- a/lib/Saml2/Settings.php
+++ b/lib/Saml2/Settings.php
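Review bot: `$this->_security['lowercaseUrlencoding']` in buildRequestSignature, and again in buildResponseSignature in the second hunk, reads a property that the Settings.php hunk shows being populated on the Settings object (`_addDefaultValues`), not on Auth; unless Auth.php declares its own `_security` somewhere outside this diff, the read is an undefined-property notice evaluating to null, the new branch is never taken, and both methods keep signing with `urlencode` whatever the option says. Fetch the array from the settings object instead, e.g. `$security = $this->_settings->getSecurityData();` (assuming that accessor exists in this version), and test `$security['lowercaseUrlencoding']`. Separately, `rawurlencode` does not emit lowercase hex: its escapes are uppercase exactly like `urlencode`'s, the only differences being space (`%20` instead of `+`) and `~` left unescaped, so the branch does not do what the option name and the README comment promise; if ADFS really re-encodes with lowercase hex digits, the percent-escapes of the `urlencode` output should be lowercased instead, which needs confirming against a query string ADFS actually produced before relying on it. Both hunks also duplicate the same three encode calls; a private helper that encodes one value according to the setting keeps the two builders identical, as sketched below for buildRequestSignature. This patch only changes the signing side while the README comment talks about signature verification; if the inbound-signature check rebuilds the query string the same way, it presumably needs the same switch.
```php
        $objKey->loadKey($key, false);

        $security = $this->_settings->getSecurityData();
        $msg = 'SAMLRequest='.$this->_urlencodeForSignature($samlRequest, $security);
        if (isset($relayState)) {
            $msg .= '&RelayState='.$this->_urlencodeForSignature($relayState, $security);
        }
        $msg .= '&SigAlg='.$this->_urlencodeForSignature($signAlgorithm, $security);
        // … unchanged: signData / base64_encode …
    }

    /**
     * URL-encodes one query-string value the way the verifying peer is
     * expected to re-encode it before checking the signature.
     *
     * @param string $value    Raw parameter value
     * @param array  $security Security settings (reads 'lowercaseUrlencoding')
     *
     * @return string
     */
    private function _urlencodeForSignature($value, array $security)
    {
        $encoded = urlencode($value);
        if (empty($security['lowercaseUrlencoding'])) {
            return $encoded;
        }
        // Only the hex digits of the %XX escapes change case.
        return preg_replace_callback(
            '/%[0-9A-F]{2}/',
            function ($match) { return strtolower($match[0]); },
            $encoded
        );
    }
```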
@@ -373,6 +373,10 @@ private function _addDefaultValues()
 $this->_security['signatureAlgorithm'] = XMLSecurityKey::RSA_SHA1;
 }
+ if (!isset($this->_security['lowercaseUrlencoding'])) {
+ $this->_security['lowercaseUrlencoding'] = false;
+ }
+
 // Certificates / Private key /Fingerprint
 if (!isset($this->_idp['x509cert'])) {
 $this->_idp['x509cert'] = '';