diff --git a/CHANGELOG b/CHANGELOG index 3a304791..b1e25c8c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -64,7 +64,7 @@ v3.5.0 * [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443 * Update xmlseclibs to 3.1.1 * Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts -* Get lib path dinamically +* Get lib path dynamically * Check for x509Cert of the IdP when loading settings, even if the security index was not provided * Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting @@ -87,7 +87,7 @@ v.3.3.1 v.3.3.0 * Set true as the default value for strict setting -* Relax comparision of false on SignMetadata +* Relax comparison of false on SignMetadata * Fix CI v.3.2.1 @@ -203,7 +203,7 @@ v.2.12.0 * [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest. v.2.11.0 -* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads +* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecessary files from Composer production downloads * [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request * Improve logout documentation on Readme. * Improve multi-certificate support 
@@ -316,7 +316,7 @@ v.2.6.1 ------- * Fix bug on cacheDuration of the Metadata XML generated. * Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder. -* Allows the authn comparsion attribute to be set via config. +* Allows the authn comparison attribute to be set via config. * Retrieve Session Timeout after processResponse with getSessionExpiration(). * Improve readme readability. * Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO. @@ -334,8 +334,8 @@ v.2.6.0 v.2.5.0 ------- -* Do accesible the ID of the object Logout Request (id attribute). -* Add note about the fact that PHP 5.3 is unssuported. +* Do accessible the ID of the object Logout Request (id attribute). +* Add note about the fact that PHP 5.3 is unsupported. * Add fingerprint algorithm support. * Add dependences to composer. @@ -363,7 +363,7 @@ v.2.2.0 ------- * Fix bug with Encrypted nameID on LogoutRequest. * Fixed usability bug. SP will inform about AuthFail status after process a Response. -* Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class. +* Added SessionIndex support on LogoutRequest, and know is accessible from the Auth class. * LogoutRequest and LogoutResponse classes now accept non deflated xml. * Improved the XML metadata/ Decrypted Assertion output. (prettyprint). * Fix bug in formatPrivateKey method, the key could be not RSA. diff --git a/README.md b/README.md index 67c50ede..951068b8 100644 --- a/README.md +++ b/README.md 
@@ -160,14 +160,14 @@ a trusted and expected URL. Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html). -### Avoiding Reply attacks ### +### Avoiding Replay attacks ### -A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). +A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO). SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that make harder this kind of attacks, but they are still possible. -In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need +In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy validated and processed. Those values only need to be stored the amount of time of the SAML Message life time, so we don't need to store all processed message/assertion Ids, but the most recent ones. @@ -507,7 +507,7 @@ $advancedSettings = array( // If true, Destination URL should strictly match to the address to // which the response has been sent. - // Notice that if 'relaxDestinationValidation' is true an empty Destintation + // Notice that if 'relaxDestinationValidation' is true an empty Destination // will be accepted. 'destinationStrictlyMatches' => false, @@ -515,7 +515,7 @@ $advancedSettings = array( // contain atribute elements with name duplicated 'allowRepeatAttributeName' => false, - // If true, SAMLResponses with an InResponseTo value will be rejectd if not + // If true, SAMLResponses with an InResponseTo value will be rejected if not // AuthNRequest ID provided to the validation method. 'rejectUnsolicitedResponsesWithInResponseTo' => false, 
@@ -566,7 +566,7 @@ $advancedSettings = array( ), // Organization information template, the info in en_US lang is - // recomended, add more if required. + // recommended, add more if required. 'organization' => array( 'en-US' => array( 'name' => '', @@ -909,7 +909,7 @@ $auth->processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { - echo 'Sucessfully logged out'; + echo 'Successfully logged out'; } else { echo implode(', ', $errors); } @@ -1116,7 +1116,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I echo '
' . implode(', ', $errors) . '
'; } // This check if the response was - if (!$auth->isAuthenticated()) { // sucessfully validated and the user + if (!$auth->isAuthenticated()) { // successfully validated and the user echo 'Not authenticated
'; // data retrieved or not exit(); } @@ -1131,7 +1131,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I $auth->processSLO(); // Process the Logout Request & Logout Response $errors = $auth->getErrors(); // Retrieves possible validation errors if (empty($errors)) { - echo 'Sucessfully logged out
'; + echo 'Successfully logged out
'; } else { echo '' . htmlentities(implode(', ', $errors)) . '
'; } @@ -1302,7 +1302,7 @@ SAML 2 Authentication Response class SAML 2 Logout Request class * `LogoutRequest` - Constructs the Logout Request object. - * `getRequest` - Returns the Logout Request defated, base64encoded, unsigned + * `getRequest` - Returns the Logout Request deflated, base64encoded, unsigned * `getID` - Returns the ID of the Logout Request. (If you have the object you can access to the id attribute) * `getNameIdData` - Gets the NameID Data of the the Logout Request. * `getNameId` - Gets the NameID of the Logout Request. @@ -1369,7 +1369,7 @@ A class that contains functionality related to the metadata of the SP * `builder` - Generates the metadata of the SP based on the settings. * `signmetadata` - Signs the metadata with the key/cert provided -* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encriptation) to +* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encryption) to the metadata ##### OneLogin\Saml2\Utils - `Utils.php` ##### diff --git a/advanced_settings_example.php b/advanced_settings_example.php index d9c16e28..6336d965 100644 --- a/advanced_settings_example.php +++ b/advanced_settings_example.php @@ -87,7 +87,7 @@ // If true, Destination URL should strictly match to the address to // which the response has been sent. - // Notice that if 'relaxDestinationValidation' is true an empty Destintation + // Notice that if 'relaxDestinationValidation' is true an empty Destination // will be accepted. 'destinationStrictlyMatches' => false, @@ -95,7 +95,7 @@ // contain atribute elements with name duplicated 'allowRepeatAttributeName' => false, - // If true, SAMLResponses with an InResponseTo value will be rejectd if not + // If true, SAMLResponses with an InResponseTo value will be rejected if not // AuthNRequest ID provided to the validation method. 'rejectUnsolicitedResponsesWithInResponseTo' => false, 
@@ -132,7 +132,7 @@ 'lowercaseUrlencoding' => false, ), - // Contact information template, it is recommended to suply a technical and support contacts + // Contact information template, it is recommended to supply a technical and support contacts 'contactPerson' => array( 'technical' => array( 'givenName' => '', @@ -144,7 +144,7 @@ ), ), - // Organization information template, the info in en_US lang is recomended, add more if required + // Organization information template, the info in en_US lang is recommended, add more if required 'organization' => array( 'en-US' => array( 'name' => '', diff --git a/demo1/Readme.txt b/demo1/Readme.txt index 7fcc57d4..92092312 100644 --- a/demo1/Readme.txt +++ b/demo1/Readme.txt @@ -45,7 +45,7 @@ How it works process, the index.php view. 2.2 in the second link we access to (attrs.php) have the same process - described at 2.1 with the diference that as RelayState is set the attrs.php + described at 2.1 with the difference that as RelayState is set the attrs.php 3. The SAML Response is processed in the ACS (index.php?acs), if the Response is not valid, the process stop here and a message is showed. Otherwise we @@ -68,7 +68,7 @@ How it works Request to the SP (SLS endpoint, index.php?sls). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and send a Logout Response to the IdP (to the SLS endpoint - of the IdP). The IdP recieve the Logout Response, process it and close the + of the IdP). The IdP receive the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. Notice that all the SAML Requests and Responses are handler at a unique file, diff --git a/demo1/index.php b/demo1/index.php index 4ad32ada..5156e8f0 100644 --- a/demo1/index.php +++ b/demo1/index.php @@ -1,5 +1,5 @@ processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { - echo 'Sucessfully logged out
'; + echo 'Successfully logged out
'; } else { echo '' . htmlentities(implode(', ', $errors)) . '
'; if ($auth->getSettings()->isDebugActive()) { diff --git a/demo2/Readme.txt b/demo2/Readme.txt index b969e670..0e1cdde0 100644 --- a/demo2/Readme.txt +++ b/demo2/Readme.txt @@ -8,7 +8,7 @@ The Onelogin's PHP Toolkit allows you to provide the settings info in 2 ways: toolkit. * Use an array with the setting data. -The first is the case of the demo2 app. The setting.php file and the +The first is the case of the demo2 app. The setting.php file and the setting_extended.php file should be defined at the base folder of the toolkit. Review the setting_example.php and the advanced_settings_example.php to learn how to build them. @@ -44,17 +44,17 @@ demo1, only changes the targets. sent to the IdP automatically, (as RelayState is sent the origin url). We authenticate at the IdP and then a Response is sent to the SP, to the ACS endpoint, in this case acs.php of the endpoints folder. - + 2. The SAML Response is processed in the ACS, if the Response is not valid, the process stop here and a message is showed. Otherwise we are redirected to the RelayState view (sso.php or index.php). The sso.php detect if the user is logged and do a redirect to index.php, so we will be in the index.php at the end. - 3. We are logged in the app and the user attributes are showed. + 3. We are logged in the app and the user attributes are showed. At this point, we can test the single log out functionality. - 4. The single log out funcionality could be tested by 2 ways. + 4. The single log out functionality could be tested by 2 ways. 4.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that we are redirected to the slo.php view and there a Logout Request is sent 
@@ -63,14 +63,12 @@ demo1, only changes the targets. The SLS endpoint of the SP process the Logout Response and if is valid, close the user session of the local app. Notice that the SLO Workflow starts and ends at the SP. - + 5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP - side, the logout process is initiated at the idP, sends a Logout + side, the logout process is initiated at the idP, sends a Logout Request to the SP (SLS endpoint sls.php of the endpoint folder). The SLS endpoint of the SP process the Logout Request and if is valid, close the session of the user at the local app and sends a Logout Response - to the IdP (to the SLS endpoint of the IdP).The IdP recieves the Logout + to the IdP (to the SLS endpoint of the IdP).The IdP receives the Logout Response, process it and close the session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP. - - diff --git a/endpoints/sls.php b/endpoints/sls.php index 40c04f5b..0f522489 100644 --- a/endpoints/sls.php +++ b/endpoints/sls.php @@ -1,5 +1,5 @@ getErrors(); if (empty($errors)) { - echo 'Sucessfully logged out'; + echo 'Successfully logged out'; } else { echo htmlentities(implode(', ', $errors)); } diff --git a/src/Saml2/LogoutRequest.php b/src/Saml2/LogoutRequest.php index 1821113d..1e539105 100644 --- a/src/Saml2/LogoutRequest.php +++ b/src/Saml2/LogoutRequest.php @@ -155,7 +155,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null, } /** - * Returns the Logout Request defated, base64encoded, unsigned + * Returns the Logout Request deflated, base64encoded, unsigned * * @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it. * diff --git a/src/Saml2/LogoutResponse.php b/src/Saml2/LogoutResponse.php index 8bb44345..64e373c1 100644 --- a/src/Saml2/LogoutResponse.php +++ b/src/Saml2/LogoutResponse.php 
@@ -235,7 +235,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
 }
 
 /**
- * Extracts a node from the DOMDocument (Logout Response Menssage)
+ * Extracts a node from the DOMDocument (Logout Response Message)
 *
 * @param string $query Xpath Expression
 *
diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php
index b987ca44..7523f6cb 100644
--- a/src/Saml2/Response.php
+++ b/src/Saml2/Response.php
@@ -245,7 +245,7 @@ public function isValid($requestId = null)
 );
 }
 
- // Validate Asserion timestamps
+ // Validate Assertion timestamps
 $this->validateTimestamps();
 
 // Validate AuthnStatement element exists and is unique
@@ -1007,9 +1007,9 @@ public function validateSignedElements($signedElements)
 $responseTag = '{'.Constants::NS_SAMLP.'}Response';
 $assertionTag = '{'.Constants::NS_SAML.'}Assertion';
 
- $ocurrence = array_count_values($signedElements);
- if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1)
- || (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1)
+ $occurrence = array_count_values($signedElements);
+ if ((in_array($responseTag, $signedElements) && $occurrence[$responseTag] > 1)
+ || (in_array($assertionTag, $signedElements) && $occurrence[$assertionTag] > 1)
 || !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements)
 ) {
 return false;
@@ -1092,7 +1092,7 @@ protected function _queryAssertion($assertionXpath)
 }
 
 /**
- * Extracts nodes that match the query from the DOMDocument (Response Menssage)
+ * Extracts nodes that match the query from the DOMDocument (Response Message)
 *
 * @param string $query Xpath Expression
 *
diff --git a/src/Saml2/Settings.php b/src/Saml2/Settings.php
index c7d01c0b..0ca095a9 100644
--- a/src/Saml2/Settings.php
+++ b/src/Saml2/Settings.php
@@ -661,7 +661,7 @@ public function checkSPSettings(array $settings)
 if (!isset($contact['givenName']) || empty($contact['givenName'])
 || !isset($contact['emailAddress']) || empty($contact['emailAddress'])
 ) {
- $errors[] = 'contact_not_enought_data';
+ $errors[] = 'contact_not_enough_data';
 break;
 }
 }
@@ -673,7 +673,7 @@ public function checkSPSettings(array $settings)
 || !isset($organization['displayname']) || empty($organization['displayname'])
 || !isset($organization['url']) || empty($organization['url'])
 ) {
- $errors[] = 'organization_not_enought_data';
+ $errors[] = 'organization_not_enough_data';
 break;
 }
 }
@@ -1037,7 +1037,7 @@ public function formatIdPCert()
 }
 
 /**
- * Formats the Multple IdP certs.
+ * Formats the Multiple IdP certs.
 */
 public function formatIdPCertMulti()
 {
diff --git a/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd b/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
index 8513959a..d669d91b 100644
--- a/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
+++ b/src/Saml2/schemas/saml-schema-authn-context-types-2.0.xsd
@@ -1,5 +1,5 @@
-
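Review bot: The `+` lines in the hunks at 661 and 673 change the literal error codes that checkSPSettings() appends to `$errors` (`'contact_not_enought_data'` → `'contact_not_enough_data'`, and the `organization_` counterpart), which is a behavioural change rather than a comment fix: any caller, test, or log/alert rule that compares against the old strings will silently stop matching. Consider recording it in the CHANGELOG this commit already touches, or keeping the old identifier alongside the new one for a release so consumers can migrate. Separately, the `!isset($x) || empty($x)` pairs on the context lines are redundant since `empty()` is already true for an unset key, so `if (empty($contact['givenName']) || empty($contact['emailAddress'])) {` expresses the same check, though that is beyond the scope of this typo commit. checkSPSettings() starts and ends outside the hunk.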