Fix misspellings. See #592
pitbulk committed Sep 29, 2024
1 parent 580371f commit b1e5c9c
Showing 23 changed files with 106 additions and 108 deletions.
14 changes: 7 additions & 7 deletions CHANGELOG
Expand Up @@ -64,7 +64,7 @@ v3.5.0
* [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443
* Update xmlseclibs to 3.1.1
* Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts
* Get lib path dinamically
* Get lib path dynamically
* Check for x509Cert of the IdP when loading settings, even if the security index was not provided
* Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting

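Review bot: the link label in the v3.5.0 entry still reads #433 while both the URL and the trailing reference say #443; since this commit is a spelling sweep over CHANGELOG, the label should become `[#443]` in the same pass.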
Expand All @@ -87,7 +87,7 @@ v.3.3.1

v.3.3.0
* Set true as the default value for strict setting
* Relax comparision of false on SignMetadata
* Relax comparison of false on SignMetadata
* Fix CI

v.3.2.1
Expand Down Expand Up @@ -203,7 +203,7 @@ v.2.12.0
* [#263](https://github.com/onelogin/php-saml/issues/263) Fix incompatibility with ADFS on SLO. When on php saml settings NameID Format is set as unspecified but the SAMLResponse has no NameID Format, no NameID Format should be specified on LogoutRequest.

v.2.11.0
* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecesary files from Composer production downloads
* [#236](https://github.com/onelogin/php-saml/pull/236) Exclude unnecessary files from Composer production downloads
* [#226](https://github.com/onelogin/php-saml/pull/226) Add possibility to handle nameId NameQualifier attribute in SLO Request
* Improve logout documentation on Readme.
* Improve multi-certificate support
Expand Down Expand Up @@ -316,7 +316,7 @@ v.2.6.1
-------
* Fix bug on cacheDuration of the Metadata XML generated.
* Make SPNameQualifier optional on the generateNameId method. Avoid the use of SPNameQualifier when generating the NameID on the LogoutRequest builder.
* Allows the authn comparsion attribute to be set via config.
* Allows the authn comparison attribute to be set via config.
* Retrieve Session Timeout after processResponse with getSessionExpiration().
* Improve readme readability.
* Allow single log out to work for applications not leveraging php session_start. Added a callback parameter in order to close the session at processSLO.
Expand All @@ -334,8 +334,8 @@ v.2.6.0

v.2.5.0
-------
* Do accesible the ID of the object Logout Request (id attribute).
* Add note about the fact that PHP 5.3 is unssuported.
* Do accessible the ID of the object Logout Request (id attribute).
* Add note about the fact that PHP 5.3 is unsupported.
* Add fingerprint algorithm support.
* Add dependences to composer.

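Review bot: the v.2.5.0 entry is still ungrammatical after the fix; "Do accessible the ID of the object Logout Request" should read "Make the ID of the Logout Request object accessible (id attribute)", and "Add dependences to composer" two lines below should be "Add dependencies to composer".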
Expand Down Expand Up @@ -363,7 +363,7 @@ v.2.2.0
-------
* Fix bug with Encrypted nameID on LogoutRequest.
* Fixed usability bug. SP will inform about AuthFail status after process a Response.
* Added SessionIndex support on LogoutRequest, and know is accesible from the Auth class.
* Added SessionIndex support on LogoutRequest, and know is accessible from the Auth class.
* LogoutRequest and LogoutResponse classes now accept non deflated xml.
* Improved the XML metadata/ Decrypted Assertion output. (prettyprint).
* Fix bug in formatPrivateKey method, the key could be not RSA.
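Review bot: "know is accessible" in the v.2.2.0 entry still contains a typo: "know" should be "now" ("and is now accessible from the Auth class"). In the same hunk, "after process a Response" would read better as "after processing a Response".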
22 changes: 11 additions & 11 deletions README.md
Expand Up @@ -160,14 +160,14 @@ a trusted and expected URL.
Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).


### Avoiding Reply attacks ###
### Avoiding Replay attacks ###

A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).

SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
make harder this kind of attacks, but they are still possible.

In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy valdidated and processed. Those values only need
In order to avoid them, the SP can keep a list of SAML Messages or Assertion IDs alredy validated and processed. Those values only need
to be stored the amount of time of the SAML Message life time, so
we don't need to store all processed message/assertion Ids, but the most recent ones.

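Review bot: the replacement line still misspells "already" as "alredy"; only "valdidated" was corrected. The opening sentence also needs a grammar fix: "A replay attack is basically an attempt to reuse an intercepted valid SAML Message ...". The guidance itself is sound as written: the SP only has to remember processed Message/Assertion IDs for the NotOnOrAfter window, which keeps the replay list bounded.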
Expand Down Expand Up @@ -507,15 +507,15 @@ $advancedSettings = array(

// If true, Destination URL should strictly match to the address to
// which the response has been sent.
// Notice that if 'relaxDestinationValidation' is true an empty Destintation
// Notice that if 'relaxDestinationValidation' is true an empty Destination
// will be accepted.
'destinationStrictlyMatches' => false,

// If true, the toolkit will not raised an error when the Statement Element
// contain atribute elements with name duplicated
'allowRepeatAttributeName' => false,

// If true, SAMLResponses with an InResponseTo value will be rejectd if not
// If true, SAMLResponses with an InResponseTo value will be rejected if not
// AuthNRequest ID provided to the validation method.
'rejectUnsolicitedResponsesWithInResponseTo' => false,

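Review bot: the comment above 'allowRepeatAttributeName' still reads "will not raised an error when the Statement Element contain atribute elements"; it should be "will not raise an error when the Statement Element contains attribute elements with duplicated names", and "atribute" is a misspelling this sweep should catch. The comment for 'rejectUnsolicitedResponsesWithInResponseTo' likewise needs "if no AuthNRequest ID is provided".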
Expand Down Expand Up @@ -566,7 +566,7 @@ $advancedSettings = array(
),

// Organization information template, the info in en_US lang is
// recomended, add more if required.
// recommended, add more if required.
'organization' => array(
'en-US' => array(
'name' => '',
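Review bot: the comment says "the info in en_US lang" but the array key three lines below is 'en-US'; align the comment with the actual key so readers do not configure the wrong locale string.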
Expand Down Expand Up @@ -909,7 +909,7 @@ $auth->processSLO(false, $requestID);
$errors = $auth->getErrors();

if (empty($errors)) {
echo 'Sucessfully logged out';
echo 'Successfully logged out';
} else {
echo implode(', ', $errors);
}
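Review bot: `echo implode(', ', $errors);` in this hunk outputs validation error strings without htmlentities(), whereas the equivalent SLS snippet further down the README (the block around line 1131) wraps them in htmlentities(). Use the escaped form here too, for consistency and so error text is never echoed unescaped into HTML.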
Expand Down Expand Up @@ -1116,7 +1116,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I
echo '<p>' . implode(', ', $errors) . '</p>';
}
// This check if the response was
if (!$auth->isAuthenticated()) { // sucessfully validated and the user
if (!$auth->isAuthenticated()) { // successfully validated and the user
echo '<p>Not authenticated</p>'; // data retrieved or not
exit();
}
Expand All @@ -1131,7 +1131,7 @@ if (isset($_GET['sso'])) { // SSO action. Will send an AuthNRequest to the I
$auth->processSLO(); // Process the Logout Request & Logout Response
$errors = $auth->getErrors(); // Retrieves possible validation errors
if (empty($errors)) {
echo '<p>Sucessfully logged out</p>';
echo '<p>Successfully logged out</p>';
} else {
echo '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
}
Expand Down Expand Up @@ -1302,7 +1302,7 @@ SAML 2 Authentication Response class
SAML 2 Logout Request class

* `LogoutRequest` - Constructs the Logout Request object.
* `getRequest` - Returns the Logout Request defated, base64encoded, unsigned
* `getRequest` - Returns the Logout Request deflated, base64encoded, unsigned
* `getID` - Returns the ID of the Logout Request. (If you have the object you can access to the id attribute)
* `getNameIdData` - Gets the NameID Data of the the Logout Request.
* `getNameId` - Gets the NameID of the Logout Request.
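Review bot: "Gets the NameID Data of the the Logout Request" in the `getNameIdData` bullet has a doubled "the"; a spelling sweep should pick that up as well.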
Expand Down Expand Up @@ -1369,7 +1369,7 @@ A class that contains functionality related to the metadata of the SP

* `builder` - Generates the metadata of the SP based on the settings.
* `signmetadata` - Signs the metadata with the key/cert provided
* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encriptation) to
* `addX509KeyDescriptors` - Adds the x509 descriptors (sign/encryption) to
the metadata

##### OneLogin\Saml2\Utils - `Utils.php` #####
8 changes: 4 additions & 4 deletions advanced_settings_example.php
Expand Up @@ -87,15 +87,15 @@

// If true, Destination URL should strictly match to the address to
// which the response has been sent.
// Notice that if 'relaxDestinationValidation' is true an empty Destintation
// Notice that if 'relaxDestinationValidation' is true an empty Destination
// will be accepted.
'destinationStrictlyMatches' => false,

// If true, the toolkit will not raised an error when the Statement Element
// contain atribute elements with name duplicated
'allowRepeatAttributeName' => false,

// If true, SAMLResponses with an InResponseTo value will be rejectd if not
// If true, SAMLResponses with an InResponseTo value will be rejected if not
// AuthNRequest ID provided to the validation method.
'rejectUnsolicitedResponsesWithInResponseTo' => false,

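Review bot: same problem as in the README copy of this block: "will not raised an error when the Statement Element contain atribute elements" still has "atribute" and the wrong verb forms; suggest "will not raise an error when the Statement Element contains attribute elements with duplicated names". Keeping this comment identical in README.md and advanced_settings_example.php makes future sweeps easier.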
Expand Down Expand Up @@ -132,7 +132,7 @@
'lowercaseUrlencoding' => false,
),

// Contact information template, it is recommended to suply a technical and support contacts
// Contact information template, it is recommended to supply a technical and support contacts
'contactPerson' => array(
'technical' => array(
'givenName' => '',
Expand All @@ -144,7 +144,7 @@
),
),

// Organization information template, the info in en_US lang is recomended, add more if required
// Organization information template, the info in en_US lang is recommended, add more if required
'organization' => array(
'en-US' => array(
'name' => '',
4 changes: 2 additions & 2 deletions demo1/Readme.txt
Expand Up @@ -45,7 +45,7 @@ How it works
process, the index.php view.

2.2 in the second link we access to (attrs.php) have the same process
described at 2.1 with the diference that as RelayState is set the attrs.php
described at 2.1 with the difference that as RelayState is set the attrs.php

3. The SAML Response is processed in the ACS (index.php?acs), if the Response
is not valid, the process stop here and a message is showed. Otherwise we
Expand All @@ -68,7 +68,7 @@ How it works
Request to the SP (SLS endpoint, index.php?sls). The SLS endpoint of the SP
process the Logout Request and if is valid, close the session of the user
at the local app and send a Logout Response to the IdP (to the SLS endpoint
of the IdP). The IdP recieve the Logout Response, process it and close the
of the IdP). The IdP receive the Logout Response, process it and close the
session at of the IdP. Notice that the SLO Workflow starts and ends at the IdP.

Notice that all the SAML Requests and Responses are handler at a unique file,
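Review bot: "The IdP receive the Logout Response, process it and close the session at of the IdP" still has agreement errors and a stray "at"; suggest "The IdP receives the Logout Response, processes it and closes the session at the IdP." The following line's "are handler at a unique file" should be "are handled in a single file".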
4 changes: 2 additions & 2 deletions demo1/index.php
@@ -1,5 +1,5 @@
<?php

/**
* SAML Handler
*/
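Review bot: this hunk renders with no visible difference between the old and new lines, so it is presumably a whitespace or line-ending change; worth stating in the commit message so it does not look like an accidental touch of demo1/index.php.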
Expand Down Expand Up @@ -111,7 +111,7 @@
$auth->processSLO(false, $requestID);
$errors = $auth->getErrors();
if (empty($errors)) {
echo '<p>Sucessfully logged out</p>';
echo '<p>Successfully logged out</p>';
} else {
echo '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
if ($auth->getSettings()->isDebugActive()) {
16 changes: 7 additions & 9 deletions demo2/Readme.txt
Expand Up @@ -8,7 +8,7 @@ The Onelogin's PHP Toolkit allows you to provide the settings info in 2 ways:
toolkit.
* Use an array with the setting data.

The first is the case of the demo2 app. The setting.php file and the
The first is the case of the demo2 app. The setting.php file and the
setting_extended.php file should be defined at the base folder of the toolkit.
Review the setting_example.php and the advanced_settings_example.php to
learn how to build them.
Expand Down Expand Up @@ -44,17 +44,17 @@ demo1, only changes the targets.
sent to the IdP automatically, (as RelayState is sent the origin url).
We authenticate at the IdP and then a Response is sent to the SP, to the
ACS endpoint, in this case acs.php of the endpoints folder.

2. The SAML Response is processed in the ACS, if the Response is not valid,
the process stop here and a message is showed. Otherwise we are redirected
to the RelayState view (sso.php or index.php). The sso.php detect if the
user is logged and do a redirect to index.php, so we will be in the
index.php at the end.

3. We are logged in the app and the user attributes are showed.
3. We are logged in the app and the user attributes are showed.
At this point, we can test the single log out functionality.

4. The single log out funcionality could be tested by 2 ways.
4. The single log out functionality could be tested by 2 ways.

4.1 SLO Initiated by SP. Click on the "logout" link at the SP, after that
we are redirected to the slo.php view and there a Logout Request is sent
Expand All @@ -63,14 +63,12 @@ demo1, only changes the targets.
The SLS endpoint of the SP process the Logout Response and if is
valid, close the user session of the local app. Notice that the SLO
Workflow starts and ends at the SP.

5.2 SLO Initiated by IdP. In this case, the action takes place on the IdP
side, the logout process is initiated at the idP, sends a Logout
side, the logout process is initiated at the idP, sends a Logout
Request to the SP (SLS endpoint sls.php of the endpoint folder).
The SLS endpoint of the SP process the Logout Request and if is valid,
close the session of the user at the local app and sends a Logout Response
to the IdP (to the SLS endpoint of the IdP).The IdP recieves the Logout
to the IdP (to the SLS endpoint of the IdP).The IdP receives the Logout
Response, process it and close the session at of the IdP. Notice that the
SLO Workflow starts and ends at the IdP.


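Review bot: the step numbering is off: "5.2 SLO Initiated by IdP" follows "4.1 SLO Initiated by SP" and should be "4.2". Also "idP" should be "IdP", "to the IdP).The IdP" is missing a space after the period, and "process it and close the session at of the IdP" needs the same agreement fixes as demo1's Readme ("processes it and closes the session at the IdP"). The identical-looking line pair in this hunk is a whitespace-only change.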
4 changes: 2 additions & 2 deletions endpoints/sls.php
@@ -1,5 +1,5 @@
<?php

/**
* SP Single Logout Service Endpoint
*/
Expand All @@ -17,7 +17,7 @@
$errors = $auth->getErrors();

if (empty($errors)) {
echo 'Sucessfully logged out';
echo 'Successfully logged out';
} else {
echo htmlentities(implode(', ', $errors));
}
2 changes: 1 addition & 1 deletion src/Saml2/LogoutRequest.php
Expand Up @@ -155,7 +155,7 @@ public function __construct(\OneLogin\Saml2\Settings $settings, $request = null,
}

/**
* Returns the Logout Request defated, base64encoded, unsigned
* Returns the Logout Request deflated, base64encoded, unsigned
*
* @param bool|null $deflate Whether or not we should 'gzdeflate' the request body before we return it.
*
2 changes: 1 addition & 1 deletion src/Saml2/LogoutResponse.php
Expand Up @@ -235,7 +235,7 @@ public function isValid($requestId = null, $retrieveParametersFromServer = false
}

/**
* Extracts a node from the DOMDocument (Logout Response Menssage)
* Extracts a node from the DOMDocument (Logout Response Message)
*
* @param string $query Xpath Expression
*
10 changes: 5 additions & 5 deletions src/Saml2/Response.php
Expand Up @@ -245,7 +245,7 @@ public function isValid($requestId = null)
);
}

// Validate Asserion timestamps
// Validate Assertion timestamps
$this->validateTimestamps();

// Validate AuthnStatement element exists and is unique
Expand Down Expand Up @@ -1007,9 +1007,9 @@ public function validateSignedElements($signedElements)
$responseTag = '{'.Constants::NS_SAMLP.'}Response';
$assertionTag = '{'.Constants::NS_SAML.'}Assertion';

$ocurrence = array_count_values($signedElements);
if ((in_array($responseTag, $signedElements) && $ocurrence[$responseTag] > 1)
|| (in_array($assertionTag, $signedElements) && $ocurrence[$assertionTag] > 1)
$occurrence = array_count_values($signedElements);
if ((in_array($responseTag, $signedElements) && $occurrence[$responseTag] > 1)
|| (in_array($assertionTag, $signedElements) && $occurrence[$assertionTag] > 1)
|| !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements)
) {
return false;
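Review bot: the condition in validateSignedElements mixes `||` and `&&` without parentheses on its last clause (`|| !in_array($responseTag, $signedElements) && !in_array($assertionTag, $signedElements)`). PHP gives `&&` higher precedence, so the logic is correct (reject when neither the Response nor the Assertion is signed), but since this is the signature-coverage check, wrapping that clause in parentheses makes the intent explicit and guards against a future mis-edit.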
Expand Down Expand Up @@ -1092,7 +1092,7 @@ protected function _queryAssertion($assertionXpath)
}

/**
* Extracts nodes that match the query from the DOMDocument (Response Menssage)
* Extracts nodes that match the query from the DOMDocument (Response Message)
*
* @param string $query Xpath Expression
*
6 changes: 3 additions & 3 deletions src/Saml2/Settings.php
Expand Up @@ -661,7 +661,7 @@ public function checkSPSettings(array $settings)
if (!isset($contact['givenName']) || empty($contact['givenName'])
|| !isset($contact['emailAddress']) || empty($contact['emailAddress'])
) {
$errors[] = 'contact_not_enought_data';
$errors[] = 'contact_not_enough_data';
break;
}
}
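Review bot: renaming 'contact_not_enought_data' to 'contact_not_enough_data' (and 'organization_not_enought_data' in the next hunk) changes error identifiers that callers of checkSPSettings() may compare against; this is a behavior change, not just a spelling fix, and should be called out in the CHANGELOG as breaking for code that matches on the old strings.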
Expand All @@ -673,7 +673,7 @@ public function checkSPSettings(array $settings)
|| !isset($organization['displayname']) || empty($organization['displayname'])
|| !isset($organization['url']) || empty($organization['url'])
) {
$errors[] = 'organization_not_enought_data';
$errors[] = 'organization_not_enough_data';
break;
}
}
Expand Down Expand Up @@ -1037,7 +1037,7 @@ public function formatIdPCert()
}

/**
* Formats the Multple IdP certs.
* Formats the Multiple IdP certs.
*/
public function formatIdPCertMulti()
{