SAML-Toolkits
diff --git a/‎.travis.yml‎
Lines changed: 2 additions & 1 deletion b/‎.travis.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 19 additions & 42 deletions b/‎README.md‎
Lines changed: 19 additions & 42 deletions
diff --git a/‎_toolkit_loader.php‎
Lines changed: 15 additions & 3 deletions b/‎_toolkit_loader.php‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎composer.json‎
Lines changed: 7 additions & 9 deletions b/‎composer.json‎
Lines changed: 7 additions & 9 deletions
diff --git a/‎lib/Saml2/Auth.php‎
Lines changed: 26 additions & 16 deletions b/‎lib/Saml2/Auth.php‎
Lines changed: 26 additions & 16 deletions
diff --git a/‎lib/Saml2/AuthnRequest.php‎
Lines changed: 20 additions & 6 deletions b/‎lib/Saml2/AuthnRequest.php‎
Lines changed: 20 additions & 6 deletions
diff --git a/‎lib/Saml2/Constants.php‎
Lines changed: 14 additions & 1 deletion b/‎lib/Saml2/Constants.php‎
Lines changed: 14 additions & 1 deletion
@@ -1,9 +1,11 @@
 language: php
 
 php:
+  - 5.4
   - 5.6
   - 7.0
   - 7.1
+  - 7.2
 
 env:
  - TRAVIS=true
@@ -21,7 +23,6 @@ before_script:
 script:
   - vendor/bin/phpunit --bootstrap tests/bootstrap.php --configuration tests/phpunit.xml
   - php vendor/bin/phpcpd --exclude tests --exclude vendor .
-  - php vendor/bin/phploc . --exclude vendor
   - php vendor/bin/phploc lib/.
   - mkdir -p tests/build/dependences
   - php vendor/bin/pdepend --summary-xml=tests/build/logs/dependence-summary.xml --jdepend-chart=tests/build/dependences/jdepend.svg --overview-pyramid=tests/build/dependences/pyramid.svg  lib/.
 
@@ -10,13 +10,7 @@ and supported by OneLogin Inc.
 Warning
 -------
 
-Update php-saml to 2.10.4, this version includes a security patch related to
-[signature validations on LogoutRequests/LogoutResponses](https://github.com/onelogin/php-saml/commit/949359f5cad5e1d085c4e5447d9aa8f49a6e82a1)
-
-Update php-saml to 2.10.0, this version includes a security patch that contains extra validations that will prevent signature wrapping attacks. [CVE-2016-1000253](https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/ab8ae6e845eb506fbeb10a7e4ccb379f0b4222ca/DWF/2016/1000253/CVE-2016-1000253.json)
-
-php-saml < v2.10.0 is vulnerable and allows signature wrapping!
-
+This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json)
 
 Security Guidelines
 -------------------
@@ -81,23 +75,20 @@ Installation
 
 ### Dependencies ###
 
- * `php >= 5.3.3` and some core extensions like `php-xml`, `php-date`, `php-zlib`.
+ * `php >= 5.4` and some core extensions like `php-xml`, `php-date`, `php-zlib`.
  * `openssl`. Install the openssl library. It handles x509 certificates.
- * `mcrypt`. Install that library and its php driver if you gonna handle
-   encrypted data (`nameID`, `assertions`).
  * `gettext`. Install that library and its php driver. It handles translations.
  * `curl`. Install that library and its php driver if you plan to use the IdP Metadata parser.
 
-Since [PHP 5.3 is officially unsupported](http://php.net/eol.php) we recommend you to use a newer PHP version.
-
 ### Code ###
 
 #### Option 1. Download from github ####
 
 The toolkit is hosted on github. You can download it from:
 
- * Lastest release: https://github.com/onelogin/php-saml/releases/latest
- * Master repo: https://github.com/onelogin/php-saml/tree/master
+ * https://github.com/onelogin/php-saml/releases
+
+Search for 3.X.X releases
 
 Copy the core of the library inside the php application. (each application has its
 structure so take your time to locate the PHP SAML toolkit in the best place).
@@ -112,6 +103,8 @@ In order to import the saml toolkit to your current php project, execute
 composer require onelogin/php-saml
 ```
 
+Remember to select the 3.X.X branch
+
 After installation has completed you will find at the `vendor/` folder a new folder named `onelogin` and inside the `php-saml`. Make sure you are including the autoloader provided by composer. It can be found at `vendor/autoload.php`.
 
 **Important** In this option, the x509 certs must be stored at `vendor/onelogin/php-saml/certs`
@@ -122,7 +115,7 @@ Your settings are at risk of being deleted when updating packages using `compose
 Compatibility
 -------------
 
-This 3.X version only supports PHP 7.X..
+This 3.X.X supports PHP 7.X. but can be used with PHP >=5.4 as well  (5.6.24+ recommended for security reasons).
 
 Namespaces
 ----------
@@ -147,7 +140,7 @@ Getting started
 ### Knowing the toolkit ###
 
 The new OneLogin SAML Toolkit contains different folders (`certs`, `endpoints`,
-`extlib`, `lib`, `demo`, etc.) and some files.
+`lib`, `demo`, etc.) and some files.
 
 Let's start describing the folders:
 
@@ -172,20 +165,10 @@ cert: `metadata.crt` and `metadata.key`.
 Use `sp_new.crt` if you are in a key rollover process and you want to
 publish that x509certificate on Service Provider metadata.
 
-#### `extlib/` ####
-
-This folder contains the 3rd party libraries that the toolkit uses. At the
-moment only uses the `xmlseclibs` (autor Robert Richards, BSD Licensed) which
-handle the sign and the encryption of xml elements.
-
-
 #### `lib/` ####
 
 This folder contains the heart of the toolkit, the libraries:
 
- * `Saml` folder contains a modified version of the toolkit v.1 and allows the
-   old code to keep working. (This library is provided to maintain
-   backward compatibility).
  * `Saml2` folder contains the new version of the classes and methods that
    are described in a later section.
 
@@ -224,8 +207,6 @@ and support multiple languages.
   advanced_settings.php file which contains extra configuration info related to
   the security, the contact person, and the organization associated to the SP.
 * `_toolkit_loader.php` - This file load the toolkit libraries (The SAML2 lib).
-* `compatibility` - Import that file to make compatible your old code with the
-  new toolkit (loads the SAML library).
 
 
 #### Miscellaneous ####
@@ -563,9 +544,13 @@ $auth = new OneLogin_Saml2_Auth($settingsInfo);
 
 #### How load the library ####
 
-In order to use the toolkit library you need to import the `_toolkit_loader.php`
-file located on the base folder of the toolkit. You can load this file in this
-way:
+
+In order to use the toolkit library, if your project support composer you only
+need to install it with composer (See the installation section) and you are done.
+
+
+If your project doesn't use composer you need to import the `_toolkit_loader.php`
+file located on the base folder of the toolkit. You can load this file in this way:
 
 ```php
 <?php
@@ -577,17 +562,9 @@ require_once(TOOLKIT_PATH . '_toolkit_loader.php');
 After that line we will be able to use the classes (and their methods) of the
 toolkit (because the external and the Saml2 libraries files are loaded).
 
-If you wrote the code of your SAML app for the version 1 of the PHP-SAML toolkit
-you will need to load the `compatibility.php`, file which loads the SAML library files,
-in addition to the the `_toolkit_loader.php`.
-
-That SAML library uses the new classes and methods of the latest version of the
-toolkits but maintain the old classes, methods, and workflow of the old process
-to accomplish the same things.
-
-We strongly recommend migrating your old code and use the new API of the
-new toolkit due there are a lot of new features that you can't handle with the
-old code.
+That toolkit depends on [xmlseclibs](https://github.com/robrichards/xmlseclibs) 3.X.X branch,
+you will need to get its code and place on your project and reuse the _toolkit_loader.php 
+file to include xmlseclibs as well.
 
 
 #### Initiate SSO ####
 
@@ -4,13 +4,25 @@
 // (can conflicts other autoloaders)
 // http://php.net/manual/en/language.oop5.autoload.php
 
-$libDir = dirname(__FILE__) . '/lib/Saml2/';
-
-// Load composer
+// Load composer vendor folder if any
 if (file_exists('vendor/autoload.php')) {
     require 'vendor/autoload.php';
 }
 
+/*
+// Load xmlseclibs
+
+$xmlseclibsSrcDir = '';
+
+include_once $xmlseclibsSrcDir.'/XMLSecEnc.php';
+include_once $xmlseclibsSrcDir.'/XMLSecurityDSig.php';
+include_once $xmlseclibsSrcDir.'/XMLSecurityKey.php';
+*/
+
+
+// Load php-saml
+$libDir = dirname(__FILE__) . '/lib/Saml2/';
+
 $folderInfo = scandir($libDir);
 
 foreach ($folderInfo as $element) {
 
@@ -16,21 +16,19 @@
         "source": "https://github.com/onelogin/php-saml/"
     },
     "require": {
-        "php": ">= 5.4",
-        "robrichards/xmlseclibs": "^3.0.0",
-        "ext-openssl": "*",
-        "ext-dom": "*"
+        "php": ">=5.4",
+        "robrichards/xmlseclibs": ">=3.0"
     },
     "require-dev": {
-        "phpunit/phpunit": "^5.7",
-        "satooshi/php-coveralls": "1.0.1",
+        "phpunit/phpunit": ">=4.8",
+        "satooshi/php-coveralls": ">=1.0.2",
         "sebastian/phpcpd": "*",
         "phploc/phploc": "*",
-        "pdepend/pdepend" : "1.1.0",
-        "squizlabs/php_codesniffer": "2.*"
+        "pdepend/pdepend" : ">=2.5.0"
     },
     "suggest": {
-        "lib-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)",
+        "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)",
+        "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs",
         "ext-gettext": "Install gettext and php5-gettext libs to handle translations"
     }
 }
@@ -1,10 +1,22 @@
 <?php
+/**
+ * This file is part of php-saml.
+ *
+ * (c) OneLogin Inc
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package OneLogin
+ * @author  OneLogin Inc <saml-info@onelogin.com>
+ * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE
+ * @link    https://github.com/onelogin/php-saml
+ */
 
 use RobRichards\XMLSecLibs\XMLSecurityKey;
 
 /**
  * Main class of OneLogin's PHP Toolkit
- *
  */
 class OneLogin_Saml2_Auth
 {
@@ -201,11 +213,11 @@ public function processResponse($requestId = null)
     /**
      * Process the SAML Logout Response / Logout Request sent by the IdP.
      *
-     * @param bool        $keepLocalSession              When false will destroy the local session, otherwise will keep it
-     * @param string|null $requestId                     The ID of the LogoutRequest sent by this SP to the IdP
-     * @param bool        $retrieveParametersFromServer
-     * @param callable    $cbDeleteSession
-     * @param bool        $stay                          True if we want to stay (returns the url string) False to redirect
+     * @param bool        $keepLocalSession             When false will destroy the local session, otherwise will keep it
+     * @param string|null $requestId                    The ID of the LogoutRequest sent by this SP to the IdP
+     * @param bool        $retrieveParametersFromServer True if we want to use parameters from $_SERVER to validate the signature
+     * @param callable    $cbDeleteSession              Method name to be executed to delete session
+     * @param bool        $stay                         True if we want to stay (returns the url string) False to redirect
      *
      * @return string|void
      *
@@ -438,12 +450,12 @@ public function login($returnTo = null, $parameters = array(), $forceAuthn = fal
     /**
      * Initiates the SLO process.
      *
-     * @param string|null $returnTo      The target URL the user should be returned to after logout.
-     * @param array       $parameters    Extra parameters to be added to the GET
-     * @param string|null $nameId        The NameID that will be set in the LogoutRequest.
-     * @param string|null $sessionIndex  The SessionIndex (taken from the SAML Response in the SSO process).
-     * @param bool        $stay          True if we want to stay (returns the url string) False to redirect
-     * @param string|null $nameIdFormat  The NameID Format will be set in the LogoutRequest.
+     * @param string|null $returnTo     The target URL the user should be returned to after logout.
+     * @param array       $parameters   Extra parameters to be added to the GET
+     * @param string|null $nameId       The NameID that will be set in the LogoutRequest.
+     * @param string|null $sessionIndex The SessionIndex (taken from the SAML Response in the SSO process).
+     * @param bool        $stay         True if we want to stay (returns the url string) False to redirect
+     * @param string|null $nameIdFormat The NameID Format will be set in the LogoutRequest.
      *
      * @return If $stay is True, it return a string with the SLO URL + LogoutRequest + parameters
      *
@@ -531,8 +543,8 @@ public function getLastRequestID()
     /**
      * Generates the Signature for a SAML Request
      *
-     * @param string $samlRequest    The SAML Request
-     * @param string $relayState     The RelayState
+     * @param string $samlRequest   The SAML Request
+     * @param string $relayState    The RelayState
      * @param string $signAlgorithm Signature algorithm method
      *
      * @return string A base64 encoded signature
@@ -550,8 +562,6 @@ public function buildRequestSignature($samlRequest, $relayState, $signAlgorithm
             );
         }
 
-        $key = $this->_settings->getSPkey();
-
         $objKey = new XMLSecurityKey($signAlgorithm, array('type' => 'private'));
         $objKey->loadKey($key, false);
 
 
@@ -1,37 +1,52 @@
 <?php
+/**
+ * This file is part of php-saml.
+ *
+ * (c) OneLogin Inc
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package OneLogin
+ * @author  OneLogin Inc <saml-info@onelogin.com>
+ * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE
+ * @link    https://github.com/onelogin/php-saml
+ */
 
 /**
  * SAML 2 Authentication Request
- *
  */
 class OneLogin_Saml2_AuthnRequest
 {
 
     /**
      * Object that represents the setting info
+     *
      * @var OneLogin_Saml2_Settings
      */
     protected $_settings;
 
     /**
      * SAML AuthNRequest string
+     *
      * @var string
      */
     private $_authnRequest;
 
     /**
      * SAML AuthNRequest ID.
+     *
      * @var string
      */
     private $_id;
 
     /**
      * Constructs the AuthnRequest object.
      *
-     * @param OneLogin_Saml2_Settings $settings Settings
-     * @param bool   $forceAuthn      When true the AuthNReuqest will set the ForceAuthn='true'
-     * @param bool   $isPassive       When true the AuthNReuqest will set the Ispassive='true'
-     * @param bool   $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy
+     * @param OneLogin_Saml2_Settings $settings        Settings
+     * @param bool                    $forceAuthn      When true the AuthNReuqest will set the ForceAuthn='true'
+     * @param bool                    $isPassive       When true the AuthNReuqest will set the Ispassive='true'
+     * @param bool                    $setNameIdPolicy When true the AuthNReuqest will set a nameIdPolicy
      */
     public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = false, $isPassive = false, $setNameIdPolicy = true)
     {
@@ -93,7 +108,6 @@ public function __construct(OneLogin_Saml2_Settings $settings, $forceAuthn = fal
 
         $requestedAuthnStr = '';
         if (isset($security['requestedAuthnContext']) && $security['requestedAuthnContext'] !== false) {
-
             $authnComparison = 'exact';
             if (isset($security['requestedAuthnContextComparison'])) {
                 $authnComparison = $security['requestedAuthnContextComparison'];
 
@@ -1,5 +1,18 @@
 <?php
- 
+/**
+ * This file is part of php-saml.
+ *
+ * (c) OneLogin Inc
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package OneLogin
+ * @author  OneLogin Inc <saml-info@onelogin.com>
+ * @license MIT https://github.com/onelogin/php-saml/blob/master/LICENSE
+ * @link    https://github.com/onelogin/php-saml
+ */
+
 /**
  * Constants of OneLogin PHP Toolkit
  *