Prvním krokem je získání informací z metadat IdP
V dokumentaci je uveden odkaz na metadata NIA IdP FederationMetadata.xml
Více informací o NIA IdP metadatech je uvedeno na stránce IdP - Úvod
<?php
// použijeme knihovnu simplesamlphp/saml2 z https://github.com/simplesamlphp/saml2
use SAML2\XML\md\EntityDescriptor;
use SAML2\DOMDocumentFactory;
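// Location of the NIA IdP federation metadata (test environment).
$metadata_url = "https://tnia.identitaobcana.cz/FPSTS/FederationMetadata/2007-06/FederationMetadata.xml";
// file_get_contents() returns false when the download fails; feeding that into
// the XML parser would only produce a confusing parse error later, so fail here.
$metadata_string = file_get_contents($metadata_url);
if ($metadata_string === false) {
    throw new \RuntimeException("Unable to download IdP metadata from {$metadata_url}");
}
// DOMDocumentFactory::fromFile($filepath) can be used instead when the metadata is stored locally.
$metadata_dom = DOMDocumentFactory::fromString($metadata_string);
// At this point the document is only parsed, not verified: nothing read from
// $metadata (entityID, endpoints, certificates) may be trusted until its XML
// signature has been checked with validate() against the IdP's known certificate.
$metadata = new EntityDescriptor($metadata_dom->documentElement);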
Objekt následně obsahuje tato data:
EntityDescriptor {#96
#signatureKey: null
#certificates: array:1 [
0 => "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"
]
-validators: array:1 [
0 => array:2 [
"Function" => array:2 [
0 => "SAML2\Utils"
1 => "validateSignature"
]
"Data" => array:2 [
"Signature" => XMLSecurityDSig {#94
+sigNode: DOMElement {#99
+schemaTypeInfo: null
+nodeName: "Signature"
+nodeValue: ""
+nodeType: XML_ELEMENT_NODE
+parentNode: null
+childNodes: DOMNodeList {#176
+length: 3
}
+firstChild: DOMElement {#178 …}
+lastChild: DOMElement {#180 …}
+previousSibling: null
+nextSibling: null
+attributes: DOMNamedNodeMap {#183
+length: 0
}
+ownerDocument: DOMDocument {#185 …}
+namespaceURI: "http://www.w3.org/2000/09/xmldsig#"
+prefix: ""
+localName: "Signature"
+baseURI: "/nix/store/lkd4h4x14ss3xqq5fhlfhdxm6v4rvp3k-nia.otevrenamesta.cz/webroot/"
+textContent: ""
+tagName: "Signature"
}
+idKeys: array:1 [
0 => "ID"
]
+idNS: []
-signedInfo: "<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="#_a4fa7a92-4708-4f3f-adbc-e81b8b17513d"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>MxfPWJE5Sn6broER2SSqGE6E8cyCSNX+PRkZUcynsqU=</DigestValue></Reference></SignedInfo>"
-xPathCtx: DOMXPath {#98
+document: DOMDocument {#185 …}
}
-canonicalMethod: null
-prefix: "ds:"
-searchpfx: "secdsig"
-validatedNodes: array:1 [
"_a4fa7a92-4708-4f3f-adbc-e81b8b17513d" => DOMElement {#95
+schemaTypeInfo: null
+nodeName: "EntityDescriptor"
+nodeValue: ""
+nodeType: XML_ELEMENT_NODE
+parentNode: DOMNamedNodeMap {#183}
+childNodes: DOMNodeList {#182
+length: 3
}
+firstChild: DOMText {#179 …}
+lastChild: DOMElement {#180 …}
+previousSibling: DOMElement {#178 …}
+nextSibling: DOMNodeList {#176}
+attributes: DOMNamedNodeMap {#175
+length: 2
}
+ownerDocument: DOMNamedNodeMap {#183}
+namespaceURI: "urn:oasis:names:tc:SAML:2.0:metadata"
+prefix: ""
+localName: "EntityDescriptor"
+baseURI: "/nix/store/lkd4h4x14ss3xqq5fhlfhdxm6v4rvp3k-nia.otevrenamesta.cz/webroot/"
+textContent: ""
+tagName: "EntityDescriptor"
}
]
}
"Certificates" => array:1 [
0 => "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"
]
]
]
]
+validUntil: null
+cacheDuration: null
-entityID: "urn:microsoft:cgg2010:fpsts"
-ID: "_a4fa7a92-4708-4f3f-adbc-e81b8b17513d"
-Extensions: []
-RoleDescriptor: array:2 [
0 => UnknownRoleDescriptor {#103
#signatureKey: null
#certificates: []
-validators: []
+validUntil: null
+cacheDuration: null
-elementName: "md:RoleDescriptor"
-ID: null
-protocolSupportEnumeration: array:1 [
0 => "http://docs.oasis-open.org/wsfed/federation/200706"
]
-errorURL: null
-Extensions: []
-KeyDescriptor: array:1 [
0 => KeyDescriptor {#105
-use: "signing"
-KeyInfo: KeyInfo {#101
-Id: null
-info: array:1 [
0 => X509Data {#111
-data: array:1 [
0 => X509Certificate {#113
-certificate: "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"
}
]
}
]
}
-EncryptionMethod: []
}
]
-Organization: null
-ContactPerson: []
-xml: Chunk {#106
-localName: "RoleDescriptor"
-namespaceURI: "urn:oasis:names:tc:SAML:2.0:metadata"
-xml: DOMElement {#108
+schemaTypeInfo: null
+nodeName: "RoleDescriptor"
+nodeValue: ""
+nodeType: XML_ELEMENT_NODE
+parentNode: null
+childNodes: DOMNodeList {#156
+length: 5
}
+firstChild: DOMElement {#158 …}
+lastChild: DOMElement {#160 …}
+previousSibling: null
+nextSibling: null
+attributes: DOMNamedNodeMap {#163
+length: 2
}
+ownerDocument: DOMDocument {#165 …}
+namespaceURI: "urn:oasis:names:tc:SAML:2.0:metadata"
+prefix: ""
+localName: "RoleDescriptor"
+baseURI: null
+textContent: ""
+tagName: "RoleDescriptor"
}
}
}
1 => IDPSSODescriptor {#104
#signatureKey: null
#certificates: []
-validators: []
+validUntil: null
+cacheDuration: null
-elementName: "md:IDPSSODescriptor"
-ID: null
-protocolSupportEnumeration: array:1 [
0 => "urn:oasis:names:tc:SAML:2.0:protocol"
]
-errorURL: null
-Extensions: []
-KeyDescriptor: array:1 [
0 => KeyDescriptor {#110
-use: "signing"
-KeyInfo: KeyInfo {#114
-Id: null
-info: array:1 [
0 => X509Data {#118
-data: array:1 [
0 => X509Certificate {#120
-certificate: "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"
}
]
}
]
}
-EncryptionMethod: []
}
]
-Organization: null
-ContactPerson: []
-ArtifactResolutionService: []
-SingleLogoutService: array:1 [
0 => EndpointType {#112
-Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-Location: "https://tnia.identita.gov.cz/FPSTS/saml2/basic"
-ResponseLocation: null
-attributes: []
}
]
-ManageNameIDService: []
-NameIDFormat: []
-WantAuthnRequestsSigned: null
-SingleSignOnService: array:2 [
0 => EndpointType {#116
-Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-Location: "https://tnia.identita.gov.cz/FPSTS/saml2/basic"
-ResponseLocation: null
-attributes: []
}
1 => EndpointType {#122
-Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-Location: "https://tnia.identita.gov.cz/FPSTS/saml2/basic"
-ResponseLocation: null
-attributes: []
}
]
-NameIDMappingService: []
-AssertionIDRequestService: []
-AttributeProfile: []
-Attribute: []
}
]
-AffiliationDescriptor: null
-Organization: null
-ContactPerson: []
-AdditionalMetadataLocation: []
}
<?php
use RobRichards\XMLSecLibs\XMLSecurityKey;
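// The IdP signing certificate is the trust anchor for the whole metadata check:
// whoever controls the source of this file decides which signature is accepted.
// It should therefore ship with the application (a local PEM file, ideally under
// version control) rather than be downloaded at runtime; the URL below points to
// the NIA test-environment certificate and is kept only for this example.
$tnia_cert_url = 'https://nia.otevrenamesta.cz/tnia.crt';
$tnia_cert_data = file_get_contents($tnia_cert_url);
if ($tnia_cert_data === false) {
    throw new \RuntimeException("Unable to load IdP signing certificate from {$tnia_cert_url}");
}
// Build a public key from the certificate data (loadKey: $isFile = false, $isCert = true).
$tnia_key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
$tnia_key->loadKey($tnia_cert_data, false, true);
// EntityDescriptor->validate(XMLSecurityKey $key) is expected to return true only
// when the enveloped signature verified against $tnia_key (the saml2 library
// returns false when no signature/validator is present and throws on a mismatch).
// Any value other than true — including the null shown below — must stop
// processing, otherwise unsigned or altered metadata would be used as if verified.
$valid = $metadata->validate($tnia_key);
if ($valid !== true) {
    throw new \RuntimeException('IdP metadata signature could not be verified');
}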
Obsah proměnné valid: null
<?php
use SAML2\Constants;
use SAML2\XML\md\IDPSSODescriptor;
use SAML2\XML\md\EntityDescriptor;
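/**
 * Extracts the Single Sign-On endpoint URLs of the IdP from its metadata.
 *
 * Only the IDPSSODescriptor role is consulted; if the metadata lists several
 * IDPSSODescriptor roles, or several endpoints with the same binding, the last
 * one wins (this mirrors the original lookup order).
 *
 * The caller must have verified the metadata signature (EntityDescriptor::validate())
 * before using the returned URLs, since they are taken verbatim from the document
 * and determine where users are sent to log in.
 *
 * Note: the original snippet declared this as `private function` at file scope,
 * which is a parse error outside a class; it is a plain function here, matching
 * the call site below.
 *
 * @return array<string, string|false> keyed by Constants::BINDING_HTTP_REDIRECT and
 *         Constants::BINDING_HTTP_POST; false when the IdP does not advertise that binding.
 */
function extractSSOLoginUrls(EntityDescriptor $idp_descriptor): array
{
    $idp_sso_descriptor = null;
    foreach ($idp_descriptor->getRoleDescriptor() as $role_descriptor) {
        if ($role_descriptor instanceof IDPSSODescriptor) {
            $idp_sso_descriptor = $role_descriptor;
        }
    }

    $sso_redirect_login_url = false;
    $sso_post_login_url = false;
    if ($idp_sso_descriptor !== null) {
        foreach ($idp_sso_descriptor->getSingleSignOnService() as $endpoint) {
            $binding = $endpoint->getBinding();
            if ($binding === Constants::BINDING_HTTP_REDIRECT) {
                $sso_redirect_login_url = $endpoint->getLocation();
            } elseif ($binding === Constants::BINDING_HTTP_POST) {
                $sso_post_login_url = $endpoint->getLocation();
            }
        }
    }

    return [
        Constants::BINDING_HTTP_REDIRECT => $sso_redirect_login_url,
        Constants::BINDING_HTTP_POST => $sso_post_login_url,
    ];
}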
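$urls = extractSSOLoginUrls($metadata);
$redirect_url = $urls[Constants::BINDING_HTTP_REDIRECT];
$post_url = $urls[Constants::BINDING_HTTP_POST];
// extractSSOLoginUrls() reports a missing binding as false; building a login
// request on a false URL would fail later in a less obvious place, so stop here.
if ($redirect_url === false && $post_url === false) {
    throw new \RuntimeException('IdP metadata advertises no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint');
}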
Obsah proměnné urls: array:2 [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" => "https://tnia.identita.gov.cz/FPSTS/saml2/basic" "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" => "https://tnia.identita.gov.cz/FPSTS/saml2/basic" ]