Add support for Subjects on AuthNRequests by the new parameter nameIdValueReq

Author: pitbulk

README.md

@@ -602,13 +602,14 @@ $auth = new OneLogin\Saml2\Auth();
 $auth->login($newTargetUrl);
 ```
 
-The login method can receive other five optional parameters:
+The login method can receive other six optional parameters:
 
 * `$parameters` - An array of parameters that will be added to the `GET` in the HTTP-Redirect.
 * `$forceAuthn` - When true the `AuthNRequest` will set the `ForceAuthn='true'`
 * `$isPassive` - When true the `AuthNRequest` will set the `Ispassive='true'`
 * `$strict` - True if we want to stay (returns the url string) False to redirect
 * `$setNameIdPolicy` - When true the AuthNRequest will set a nameIdPolicy element.
+* `$nameIdValueReq` - Indicates to the IdP the subject that should be authenticated.
 
 If a match on the future SAMLResponse ID and the AuthNRequest ID to be sent is required, that AuthNRequest ID must to be extracted and saved.
 

src/Saml2/Auth.php

@@ -520,14 +520,15 @@ public function getAttributeWithFriendlyName($friendlyName)
      * @param bool        $isPassive       When true the AuthNRequest will set the Ispassive='true'
      * @param bool        $stay            True if we want to stay (returns the url string) False to redirect
      * @param bool        $setNameIdPolicy When true the AuthNRequest will set a nameIdPolicy element
+     * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated
      *
      * @return string|null If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
-     * 
+     *
      * @throws Error
      */
-    public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true)
+    public function login($returnTo = null, array $parameters = array(), $forceAuthn = false, $isPassive = false, $stay = false, $setNameIdPolicy = true, $nameIdValueReq = null)
     {
-        $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy);
+        $authnRequest = $this->buildAuthnRequest($this->_settings, $forceAuthn, $isPassive, $setNameIdPolicy, $nameIdValueReq);
 
         $this->_lastRequest = $authnRequest->getXML();
         $this->_lastRequestID = $authnRequest->getId();

src/Saml2/AuthnRequest.php

@@ -44,12 +44,13 @@ class AuthnRequest
     /**
      * Constructs the AuthnRequest object.
      *
-     * @param Settings $settings        SAML Toolkit Settings
-     * @param bool                    $forceAuthn      When true the AuthNReuqest will set the ForceAuthn='true'
-     * @param bool                    $isPassive       When true the AuthNReuqest will set the Ispassive='true'
-     * @param bool                    $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy
+     * @param Settings $settings SAML Toolkit Settings
+     * @param bool $forceAuthn When true the AuthNReuqest will set the ForceAuthn='true'
+     * @param bool $isPassive When true the AuthNReuqest will set the Ispassive='true'
+     * @param bool $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy
+     * @param string $nameIdValueReq Indicates to the IdP the subject that should be authenticated
      */
-    public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = false, $isPassive = false, $setNameIdPolicy = true)
+    public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = false, $isPassive = false, $setNameIdPolicy = true, $nameIdValueReq = null)
     {
         $this->_settings = $settings;
 
@@ -60,6 +61,17 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = fa
         $id = Utils::generateUniqueID();
         $issueInstant = Utils::parseTime2SAML(time());
 
+        $subjectStr = "";
+        if (isset($nameIdValueReq)) {
+            $subjectStr = <<<SUBJECT
+
+     <saml:Subject>
+        <saml:NameID Format="{$spData['NameIDFormat']}">{$nameIdValueReq}</saml:NameID>
+        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"></saml:SubjectConfirmation>
+    </saml:Subject>
+SUBJECT;
+        }
+
         $nameIdPolicyStr = '';
         if ($setNameIdPolicy) {
             $nameIDPolicyFormat = $spData['NameIDFormat'];
@@ -68,6 +80,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = fa
             }
 
             $nameIdPolicyStr = <<<NAMEIDPOLICY
+
     <samlp:NameIDPolicy
         Format="{$nameIDPolicyFormat}"
         AllowCreate="true" />
@@ -116,6 +129,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = fa
 
             if ($security['requestedAuthnContext'] === true) {
                 $requestedAuthnStr = <<<REQUESTEDAUTHN
+
     <samlp:RequestedAuthnContext Comparison="$authnComparison">
         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
     </samlp:RequestedAuthnContext>
@@ -142,9 +156,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $forceAuthn = fa
     Destination="{$idpData['singleSignOnService']['url']}"
     ProtocolBinding="{$spData['assertionConsumerService']['binding']}"
     AssertionConsumerServiceURL="{$acsUrl}">
-    <saml:Issuer>{$spEntityId}</saml:Issuer>
-{$nameIdPolicyStr}
-{$requestedAuthnStr}
+    <saml:Issuer>{$spEntityId}</saml:Issuer>{$subjectStr}{$nameIdPolicyStr}{$requestedAuthnStr}
 </samlp:AuthnRequest>
 AUTHNREQUEST;
 

tests/src/OneLogin/Saml2/AuthTest.php

@@ -1274,6 +1274,89 @@ public function testLoginNameIDPolicy()
         }
     }
 
+    /**
+    * Tests the login method of the Auth class
+    * Case Login with no parameters. A AuthN Request is built with and without Subject
+    *
+    * @covers OneLogin\Saml2\Auth::login
+    * @runInSeparateProcess
+    */
+    public function testLoginSubject()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+        $auth = new Auth($settingsInfo);
+
+        try {
+            // The Header of the redirect produces an Exception
+            $returnTo = 'http://example.com/returnto';
+            $auth->login($returnTo);
+            // Do not ever get here
+            $this->assertFalse(true);
+        } catch (Exception $e) {
+            $this->assertContains('Cannot modify header information', $e->getMessage());
+            $trace = $e->getTrace();
+            $targetUrl = getUrlFromRedirect($trace);
+            $parsedQuery = getParamsFromUrl($targetUrl);
+
+            $ssoUrl = $settingsInfo['idp']['singleSignOnService']['url'];
+            $this->assertContains($ssoUrl, $targetUrl);
+            $this->assertArrayHasKey('SAMLRequest', $parsedQuery);
+            $encodedRequest = $parsedQuery['SAMLRequest'];
+            $decoded = base64_decode($encodedRequest);
+            $request = gzinflate($decoded);
+            $this->assertNotContains('<saml:Subject', $request);
+        }
+
+        try {
+            // The Header of the redirect produces an Exception
+            $returnTo = 'http://example.com/returnto';
+            $auth->login($returnTo, array(), false, false, false, true, "testuser@example.com");
+            // Do not ever get here
+            $this->assertFalse(true);
+        } catch (Exception $e) {
+            $this->assertContains('Cannot modify header information', $e->getMessage());
+            $trace2 = $e->getTrace();
+            $targetUrl2 = getUrlFromRedirect($trace2);
+            $parsedQuery2 = getParamsFromUrl($targetUrl2);
+
+            $ssoUrl2 = $settingsInfo['idp']['singleSignOnService']['url'];
+            $this->assertContains($ssoUrl2, $targetUrl2);
+            $this->assertArrayHasKey('SAMLRequest', $parsedQuery2);
+            $encodedRequest2 = $parsedQuery2['SAMLRequest'];
+            $decoded2 = base64_decode($encodedRequest2);
+            $request2 = gzinflate($decoded2);
+            $this->assertContains('<saml:Subject', $request2);
+            $this->assertContains('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser@example.com</saml:NameID>', $request2);
+            $this->assertContains('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">', $request2);
+        }
+
+        try {
+            // The Header of the redirect produces an Exception
+            $returnTo = 'http://example.com/returnto';
+            $settingsInfo['sp']['NameIDFormat'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+            $auth2 = new Auth($settingsInfo);
+            $auth2->login($returnTo);
+            // Do not ever get here
+            $this->assertFalse(true);
+        } catch (Exception $e) {
+            $this->assertContains('Cannot modify header information', $e->getMessage());
+            $trace3 = $e->getTrace();
+            $targetUrl3 = getUrlFromRedirect($trace3);
+            $parsedQuery3 = getParamsFromUrl($targetUrl3);
+
+            $ssoUrl3 = $settingsInfo['idp']['singleSignOnService']['url'];
+            $this->assertContains($ssoUrl3, $targetUrl3);
+            $this->assertArrayHasKey('SAMLRequest', $parsedQuery3);
+            $encodedRequest3 = $parsedQuery3['SAMLRequest'];
+            $decoded3 = base64_decode($encodedRequest3);
+            $request3 = gzinflate($decoded3);
+            $this->assertContains('<saml:Subject', $request3);
+            $this->assertContains('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>', $request3);
+            $this->assertContains('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">', $request3);
+        }
+    }
+
     /**
      * Tests the logout method of the Auth class
      * Case Logout with no parameters. A logout Request is built and redirect executed

tests/src/OneLogin/Saml2/AuthnRequestTest.php

@@ -195,6 +195,43 @@ public function testNameIDPolicy()
         $this->assertContains('<samlp:NameIDPolicy', $request3);
     }
 
+    /**
+    * Tests the AuthnRequest Constructor.
+    * The creation of a deflated SAML Request with and without Subject
+    *
+    * @covers OneLogin\Saml2\AuthnRequest
+    */
+    public function testSubject()
+    {
+        $settingsDir = TEST_ROOT .'/settings/';
+        include $settingsDir.'settings1.php';
+
+        $settings = new Settings($settingsInfo);
+        $authnRequest = new AuthnRequest($settings);
+        $encodedRequest = $authnRequest->getRequest();
+        $decoded = base64_decode($encodedRequest);
+        $request = gzinflate($decoded);
+        $this->assertNotContains('<saml:Subject', $request);
+
+        $authnRequest2 = new AuthnRequest($settings, false, false, true, "testuser@example.com");
+        $encodedRequest2 = $authnRequest2->getRequest();
+        $decoded2 = base64_decode($encodedRequest2);
+        $request2 = gzinflate($decoded2);
+        $this->assertContains('<saml:Subject', $request2);
+        $this->assertContains('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">testuser@example.com</saml:NameID>', $request2);
+
+        $this->assertContains('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">', $request2);
+        $settingsInfo['sp']['NameIDFormat'] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+        $settings = new Settings($settingsInfo);
+        $authnRequest3 = new AuthnRequest($settings, false, false, true, "testuser@example.com");
+        $encodedRequest3 = $authnRequest3->getRequest();
+        $decoded3 = base64_decode($encodedRequest3);
+        $request3 = gzinflate($decoded3);
+        $this->assertContains('<saml:Subject', $request3);
+        $this->assertContains('Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">testuser@example.com</saml:NameID>', $request3);
+        $this->assertContains('<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">', $request3);
+    }
+
     /**
      * Tests the AuthnRequest Constructor.
      * The creation of a deflated SAML Request