How to decode SAML Response and get the attribute values sent by Idp in PHP
I am implementing SAML Single Sign-On and using idp initiated method for login request. After login it redirect users on the login url defined on the request with the base64 encoded SAML Response.
Now, I have extract to this response, validate it and get the attribute value sent by the Idp like email address, name etc.
I have decoded from base64 and got the following XML. This XML have encrypted Signature, CipherData, Certificate etc.. but don't know how to validate and decode/extract the attribute values so that we can use it further.
I search for it and fond the online tool which is decoding it, by providing the private key. I tried it and got the attribute values.
The same thing I have to do in our application using PHP and have to use this attributes value. If any one have did the same thing and can put some light on it then it will be really appreciated.
Pleas Check the SAML Response below.
<samlp:Response Version="2.0" ID="vafmraxdfkermx" IssueInstant="2015-07-31T07:26:00.180Z" Destination="http://domain.com/saml/SSO" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MI-TEST-SAML2-EntityID</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#DLSr8z03t7WZ-F7ZFwbxUw91vQF">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>gnvnDwu/eDBpLnPtiaHeOI7UCD4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Signature Value
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
Certifivate Contents
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<xenc:CipherData>
<xenc:CipherValue>CIPHER VALUE</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>CIPHER CONTETNS</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</saml:EncryptedAssertion>
Answer
The online tool that you used is based on the OneLogin's PHP SAML Toolkit [1]. I implemented both.
Read the documentation. The processResponse and the getAttributes do what you want.