@@ -61,6 +61,13 @@ class Response
61
61
*/
62
62
public $ encrypted = false ;
63
63
64
+ /**
65
+ * The response contains an encrypted nameId in the assertion.
66
+ *
67
+ * @var bool
68
+ */
69
+ public $ encryptedNameId = false ;
70
+
64
71
/**
65
72
* After validation, if it fail this var has the cause of the problem
66
73
*
@@ -227,14 +234,12 @@ public function isValid($requestId = null)
227
234
);
228
235
}
229
236
230
- if ($ security ['wantNameIdEncrypted ' ]) {
231
- $ encryptedIdNodes = $ this ->_queryAssertion ('/saml:Subject/saml:EncryptedID/xenc:EncryptedData ' );
232
- if ($ encryptedIdNodes ->length != 1 ) {
233
- throw new ValidationError (
234
- "The NameID of the Response is not encrypted and the SP requires it " ,
235
- ValidationError::NO_ENCRYPTED_NAMEID
236
- );
237
- }
237
+ $ this ->encryptedNameId = $ this ->encryptedNameId || $ this ->_queryAssertion ('/saml:Subject/saml:EncryptedID/xenc:EncryptedData ' )->length > 0 ;
238
+ if (!$ this ->encryptedNameId && $ security ['wantNameIdEncrypted ' ]) {
239
+ throw new ValidationError (
240
+ "The NameID of the Response is not encrypted and the SP requires it " ,
241
+ ValidationError::NO_ENCRYPTED_NAMEID
242
+ );
238
243
}
239
244
240
245
// Validate Conditions element exists
@@ -392,17 +397,6 @@ public function isValid($requestId = null)
392
397
}
393
398
}
394
399
395
- // Detect case not supported
396
- if ($ this ->encrypted ) {
397
- $ encryptedIDNodes = Utils::query ($ this ->decryptedDocument , '/samlp:Response/saml:Assertion/saml:Subject/saml:EncryptedID ' );
398
- if ($ encryptedIDNodes ->length > 0 ) {
399
- throw new ValidationError (
400
- 'SAML Response that contains an encrypted Assertion with encrypted nameId is not supported. ' ,
401
- ValidationError::NOT_SUPPORTED
402
- );
403
- }
404
- }
405
-
406
400
if (empty ($ signedElements ) || (!$ hasSignedResponse && !$ hasSignedAssertion )) {
407
401
throw new ValidationError (
408
402
'No Signature found. SAML Response rejected ' ,
@@ -1163,6 +1157,16 @@ protected function decryptAssertion(\DomNode $dom)
1163
1157
if ($ check === false ) {
1164
1158
throw new Exception ('Error: string from decrypted assertion could not be loaded into a XML document ' );
1165
1159
}
1160
+
1161
+ // check if the decrypted assertion contains an encryptedID
1162
+ $ encryptedID = $ decrypted ->getElementsByTagName ('EncryptedID ' )->item (0 );
1163
+
1164
+ if ($ encryptedID ) {
1165
+ // decrypt the encryptedID
1166
+ $ this ->encryptedNameId = true ;
1167
+ $ this ->decryptAssertion ($ encryptedID );
1168
+ }
1169
+
1166
1170
if ($ encData ->parentNode instanceof DOMDocument) {
1167
1171
return $ decrypted ;
1168
1172
} else {
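Review bot: The flag set in decryptAssertion is keyed on `getElementsByTagName('EncryptedID')`, which matches an element of that local name in any namespace anywhere in the decrypted assertion, whereas the isValid check in the second hunk only accepts `/saml:Subject/saml:EncryptedID/xenc:EncryptedData`; because `$this->encryptedNameId` is OR-ed into that check, an EncryptedID that is not the subject's (for example nested in an attribute value) would both be decrypted and satisfy `wantNameIdEncrypted` even though the subject NameID stays in clear text. Narrowing the lookup to the assertion namespace, `$encryptedID = $decrypted->getElementsByTagNameNS('urn:oasis:names:tc:SAML:2.0:assertion', 'EncryptedID')->item(0);`, or better an XPath anchored on the Subject via `Utils::query` as the removed check in the third hunk did, keeps the two sides consistent. Only `item(0)` is handled, so a second EncryptedID would be left encrypted silently; either reject more than one or process all of them, and note that the second hunk also relaxed the count from `!= 1` to `> 0`. The return value of the recursive `$this->decryptAssertion($encryptedID)` call is discarded, which presumably relies on the non-document branch below replacing the node in place; a comment such as `// decryptAssertion replaces the EncryptedID node in $decrypted in place; the return value is not needed here` would make that intent explicit. decryptAssertion's body begins before this hunk.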