2

SAML Response

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0" IssueInstant="2014-07-17T01:01:48Z" Destination="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685">
  <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75" Version="2.0" IssueInstant="2014-07-17T01:01:48Z">
    <saml:Issuer>http://idp.example.com/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z" Recipient="http://sp.example.com/demo1/index.php?acs" InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
      <saml:AudienceRestriction>
        <saml:Audience>http://sp.example.com/demo1/metadata.php</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z" SessionNotOnOrAfter="2024-07-17T09:01:48Z" SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">users</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">examplerole1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>

Need to retrieve attribute from above xml

array (
  'uid' => 
  array (
    0 => 'test',
  ),
  'mail' => 
  array (
    0 => 'test@example.com',
  ),
  'eduPersonAffiliation' => 
  array (
    0 => 'users',
    1 => 'examplerole1',
  ),
)

What i tried 

$p = xml_parser_create();
xml_parse_into_struct($p, $http_result_arr_data, $vals, $index);
xml_parser_free($p);
print_r($index);

The above is not much user friendly and it is more over not simple to handle, because keys get diff when we refresh every time.

Please suggest best approach to get attribute from saml response

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
Bharanikumar
  • 25,457
  • 50
  • 131
  • 201

1 Answers1

11

It is better to search the XML document with XPath expressions as in:

$dom = new DOMDocument();
$dom->loadXML($response);
$doc = $dom->documentElement;
$xpath = new DOMXpath($dom);
$xpath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
$xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
foreach ($xpath->query('/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute', $doc) as $attr) {
    echo " # Attribute: " . $attr->getAttribute('Name') . "\n";
    foreach ($xpath->query('saml:AttributeValue', $attr) as $value) {
        echo "   Value: " . $value->textContent . "\n";
    }
}
Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • FWIW: in general one shouldn't have to interpret bare SAML assertions in native code; that should have been handled as part of a library/tool/server that you use to terminate the protocol and propagate attributes/nameid as part of the integration whilst taking care of all the security considerations surrounding it... – Hans Z. Feb 14 '17 at 18:41
  • Good to know @hans Z ... I am setting this up right now and was given no details, I saw that I could decode this and then was trying to figure out how to process it ... – Mike Q Feb 14 '17 at 18:54
  • then I think the warning applies to you ;-) – Hans Z. Feb 14 '17 at 19:03
  • But I am receiving this as a decode via an encrypted connection , do you think I need to do anything more than decode it ? @Hans Z. – Mike Q Feb 16 '17 at 18:33
  • if you mean via a direct call over an SSL connection where the client validated the SSL server certificate then you don't need to verify; if you mean via a redirect/POST in the browser over an SSL connection then you should verify – Hans Z. Feb 17 '17 at 14:04