Online SAML Parse Azure/Okta/ADFS Response

Enter your SAML string
Result:
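This tool works with Security Assertion Markup Language (SAML), the standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). Use this tool to base64-decode and inflate an intercepted SAML message: paste a deflated, base64-encoded SAML message and obtain its array version. Here is a sample program to parse SAML in PHP. Note that the sample only base64-decodes its input (it does not inflate it), and it checks the signature against the certificate embedded in the response itself, so a passing check shows internal consistency rather than that the response came from a trusted IdP.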
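// Parse a base64-encoded SAML 2.0 Response held in $xmlString, check the
// assertion's XML signature, and collect issuer, attributes and certificate
// fingerprint into $stdObj, which is printed at the end.
//
// What the signature check does NOT establish (diagnostic use only):
//  - The certificate is taken from the response being checked. A passing
//    result shows SignedInfo is consistent with that certificate, not that a
//    trusted IdP issued it. Before trusting anything in $stdObj, compare
//    acs_fingerprint with the fingerprint configured for the IdP out of band.
//  - Only ds:SignedInfo is verified. The ds:Reference digest over the
//    assertion is not recomputed, so attribute values are not covered here.
//  - Canonicalization (exclusive, no comments) and the algorithm (RSA-SHA256)
//    are hard-coded; a response signed with other settings fails the check.

$rawXml = base64_decode($xmlString);

$xmlDoc = new DOMDocument();
// LIBXML_NONET keeps the parser from fetching network resources while it
// reads untrusted XML. Empty input is skipped rather than handed to loadXML().
$loaded = false;
if (is_string($rawXml) && $rawXml !== '') {
    $loaded = $xmlDoc->loadXML($rawXml, LIBXML_NONET);
}
if ($loaded && $xmlDoc->doctype !== null) {
    // A SAML message has no reason to carry a DOCTYPE; drop the document so
    // no entity declarations take part in the queries below.
    $xmlDoc = new DOMDocument();
}

$xpath = new DOMXPath($xmlDoc);

$xpath->registerNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol');
$xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion');
$xpath->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

// Issuer of the response; null when the document did not parse or has none.
$entityNode = $xpath->query('/samlp:Response/saml:Issuer', $xmlDoc)->item(0);

// Defaults used when any part of the signature is missing: 0 means "not verified".
$ok = 0;
$x509cert = '';
$publicKey = false;
$signature = '';
$signedInfoNode = null;

// fetch Signature node from XML (first assertion-level signature only)
$signatureNode = $xpath->query('/samlp:Response/saml:Assertion/ds:Signature', $xmlDoc)->item(0);

if ($signatureNode !== null) {
    // fetch SignedInfo node from XML
    $signedInfoNode = $xpath->query('./ds:SignedInfo', $signatureNode)->item(0);

    // The certificate text in XML may already contain line breaks; strip all
    // whitespace first so chunk_split() produces regular 64-character PEM lines.
    $certBody = (string) preg_replace(
        '/\s+/',
        '',
        $xpath->evaluate('string(./ds:KeyInfo/ds:X509Data/ds:X509Certificate)', $signatureNode)
    );

    if ($certBody !== '') {
        // we have to re-wrap the certificate from XML to respect the PEM standard
        $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($certBody, 64, "\n")."-----END CERTIFICATE-----\n";

        // fetch public key from x509 certificate (false when it cannot be read)
        $publicKey = openssl_get_publickey($x509cert);
    }

    // fetch the signature from XML
    $signature = base64_decode($xpath->evaluate('string(./ds:SignatureValue)', $signatureNode));
}

if ($signedInfoNode !== null && $publicKey !== false && is_string($signature) && $signature !== '') {
    // Exclusive canonicalization without comments; this is fixed here and is
    // not read from ./ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm.
    $signedInfoNodeCanonicalized = $signedInfoNode->C14N(true, false);

    // verify the signature: 1 = valid, 0 = invalid, -1 or false = error
    $ok = openssl_verify($signedInfoNodeCanonicalized, $signature, $publicKey, 'RSA-SHA256');
}

// fetch attributes from assertion
$stdObj = new stdClass;

$stdObj->saml_unique_id = '';
if (!empty($entityNode->textContent)) {
    // end() takes its argument by reference, so the filtered list needs a variable.
    $issuerSegments = array_filter(explode('/', $entityNode->textContent));
    $idpEntity = end($issuerSegments);
    // keep printable ASCII only
    $idpEntity = preg_replace('/[\x00-\x1F\x7F-\xFF]/', '', $idpEntity);
    $stdObj->saml_unique_id = $idpEntity;
}
$samlUniqueId = $stdObj->saml_unique_id;

$query = '/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute';
foreach ($xpath->query($query, $xmlDoc) as $attr) {
    $key = str_replace(' ', '', $attr->getAttribute('Name'));

    if ($key) {
        // Use the last non-empty path segment of a URI-style attribute name.
        $nameSegments = array_filter(explode('/', $key));
        $key = end($nameSegments);
    }

    // A missing or slash-only Name yields no usable property name; skip it.
    if (!is_string($key) || $key === '') {
        continue;
    }

    // For a multi-valued attribute the last AttributeValue wins.
    foreach ($xpath->query('saml:AttributeValue', $attr) as $value) {
        $stdObj->$key = $value->textContent;
    }
}

// Attribute names come from the response, so an attribute called
// "saml_unique_id" would have replaced the issuer-derived value above.
// Restore it; the remaining derived fields are assigned after this point.
$stdObj->saml_unique_id = $samlUniqueId;

$fingerprint_assertion = "";

if (!empty($entityNode->textContent)) {
    $idpIssuer = explode('/', $entityNode->textContent);
    $idpEntity = array_filter($idpIssuer);

    $azure_idp_url = array('sts.windows-ppe.net', 'sts.windows.net');
    $is_azure = count(array_intersect($idpEntity, $azure_idp_url));

    // NOTE(review): $is_azure is computed but never consulted, so every
    // response with an issuer is labelled "azure". Left as is because the
    // labels intended for other IdPs are not shown here -- confirm and branch.
    $stdObj->saml_type = "azure";

    if ($x509cert !== '') {
        // SHA-1 thumbprint of the embedded certificate, for comparison with
        // the thumbprint the IdP publishes; false when the certificate is unreadable.
        $cert_fingerprint_assertion = openssl_x509_fingerprint($x509cert, 'SHA1');
        if ($cert_fingerprint_assertion !== false) {
            $fingerprint_assertion = preg_replace('/[\x00-\x1F\x7F-\xFF]/', '', $cert_fingerprint_assertion);
            $fingerprint_assertion = strtoupper($fingerprint_assertion);
        }
    }
}

echo $ok;

$stdObj->acs_fingerprint = $fingerprint_assertion;
$stdObj->cert_match = false;
// Strict comparison: openssl_verify() reports errors as -1, and (-1 == true)
// holds in PHP, so a loose check would record a failed verification as a match.
if ($ok === 1) {
    $stdObj->cert_match = $ok;
}

// PHP variable names are case-sensitive; the result object is $stdObj.
print_r($stdObj);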