Add check if assertion contains decrypted name id and decrypt it

joonlabs · joonlabs · commit 5c1e247f480b · 2024-09-11T01:15:21.000+02:00
Remove validation error when document contains a decrypted name id
diff --git a/src/Saml2/Response.php b/src/Saml2/Response.php
@@ -61,6 +61,13 @@ class Response
      */
     public $encrypted = false;
 
+    /**
+     * The response contains an encrypted nameId in the assertion.
+     *
+     * @var bool
+     */
+    public $encryptedNameId = false;
+
     /**
      * After validation, if it fail this var has the cause of the problem
      *
@@ -227,14 +234,11 @@ public function isValid($requestId = null)
                     );
                 }
 
-                if ($security['wantNameIdEncrypted']) {
-                    $encryptedIdNodes = $this->_queryAssertion('/saml:Subject/saml:EncryptedID/xenc:EncryptedData');
-                    if ($encryptedIdNodes->length != 1) {
-                        throw new ValidationError(
-                            "The NameID of the Response is not encrypted and the SP requires it",
-                            ValidationError::NO_ENCRYPTED_NAMEID
-                        );
-                    }
+                if (!$this->encryptedNameId && $security['wantNameIdEncrypted']) {
+                    throw new ValidationError(
+                        "The NameID of the Response is not encrypted and the SP requires it",
+                        ValidationError::NO_ENCRYPTED_NAMEID
+                    );
                 }
 
                 // Validate Conditions element exists
@@ -394,17 +398,6 @@ public function isValid($requestId = null)
                 }
             }
 
-            // Detect case not supported
-            if ($this->encrypted) {
-                $encryptedIDNodes = Utils::query($this->decryptedDocument, '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID');
-                if ($encryptedIDNodes->length > 0) {
-                    throw new ValidationError(
-                        'SAML Response that contains an encrypted Assertion with encrypted nameId is not supported.',
-                        ValidationError::NOT_SUPPORTED
-                    );
-                }
-            }
-
             if (empty($signedElements) || (!$hasSignedResponse && !$hasSignedAssertion)) {
                 throw new ValidationError(
                     'No Signature found. SAML Response rejected',
@@ -1168,6 +1161,16 @@ protected function decryptAssertion(\DomNode $dom)
         if ($check === false) {
             throw new Exception('Error: string from decrypted assertion could not be loaded into a XML document');
         }
+
+        // check if the decrypted assertion contains an encryptedID
+        $encryptedID = $decrypted->getElementsByTagName('EncryptedID')->item(0);
+
+        if($encryptedID) {
+            // decrypt the encryptedID
+            $this->encryptedNameId = true;
+            $this->decryptAssertion($encryptedID);
+        }
+
         if ($encData->parentNode instanceof DOMDocument) {
             return $decrypted;
         } else {
