Prvním krokem je získání informací z metadat IdP
V dokumentaci je uveden odkaz na metadata NIA IdP FederationMetadata.xml
Více informací o NIA IdP metadatech je uvedeno na stránce IdP - Úvod
<?php
// použijeme knihovnu simplesamlphp/saml2 z https://github.com/simplesamlphp/saml2
use SAML2\XML\md\EntityDescriptor;
use SAML2\DOMDocumentFactory;
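$metadata_url = "https://tnia.identitaobcana.cz/FPSTS/FederationMetadata/2007-06/FederationMetadata.xml";
// The document is fetched over HTTPS at run time and is only trustworthy once its
// enveloped XML signature has been verified against a locally held NIA certificate;
// nothing read from $metadata should be acted on before that verification.
$metadata_string = file_get_contents($metadata_url);
if ($metadata_string === false) {
    // file_get_contents() signals a failed download with false, not an exception
    throw new \RuntimeException("Unable to download IdP metadata from {$metadata_url}");
}
$metadata_dom = DOMDocumentFactory::fromString($metadata_string);
$metadata = new EntityDescriptor($metadata_dom->documentElement);
// DOMDocumentFactory::fromFile($filepath) can be used instead when the metadata is stored locally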
Objekt následovně obsahuje tato data:EntityDescriptor {#95 #signatureKey: null #certificates: array:1 [ 0 => "MIIH0jCCBbqgAwIBAgIEAVjUZzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxpZmllZCBDQSA0MB4XDTIyMDMxMTA3NTEyNloXDTIzMDMzMTA3NTEyNloweTELMAkGA1UEBhMCQ1oxFzAVBgNVBGETDk5UUkNaLTcyMDU0NTA2MScwJQYDVQQKDB5TcHLDoXZhIHrDoWtsYWRuw61jaCByZWdpc3Ryxa8xFjAUBgNVBAMMDUdHX0ZQU1RTX1RFU1QxEDAOBgNVBAUTB1MyNzU3MzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Ls3pWnNohUtQPvsTkqLbBs40/Yx05eLGQ8PfHtuZriCAjHOqaHUN9KOIvPV0pdgLy4PYCpOjOf2EQyOuP0oBk7Hq2+9atIZbA01/SUynR2w6GyAosCdoSJwWBR4lp62Ld0wGg8glgO83peADC7yIcZ+M9ZjhJeWcwyP71AfP35MdIJdLzaGX6prT9viUwu5O8xrvs1pqZ8ksk2ZRiLc9eTUaiVoMZ35026FMT82HFdcZMuMi0mFSJLw98pA92OAi/WGhy1ihh+LGxK2BbFyE6FD8z/cKSau+Q0v+57Wg6gWq+pi8ZfN5XRCmWOCEzpIXehAQ4x6qzuhm/RhaLRPVAgMBAAGjggNwMIIDbDCCASYGA1UdIASCAR0wggEZMIIBCgYJZ4EGAQQBEoFIMIH8MIHTBggrBgEFBQcCAjCBxhqBw1RlbnRvIGt2YWxpZmlrb3ZhbnkgY2VydGlmaWthdCBwcm8gZWxla3Ryb25pY2tvdSBwZWNldCBieWwgdnlkYW4gdiBzb3VsYWR1IHMgbmFyaXplbmltIEVVIGMuIDkxMC8yMDE0LlRoaXMgaXMgYSBxdWFsaWZpZWQgY2VydGlmaWNhdGUgZm9yIGVsZWN0cm9uaWMgc2VhbCBhY2NvcmRpbmcgdG8gUmVndWxhdGlvbiAoRVUpIE5vIDkxMC8yMDE0LjAkBggrBgEFBQcCARYYaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6MAkGBwQAi+xAAQEwgZsGCCsGAQUFBwEDBIGOMIGLMAgGBgQAjkYBATBqBgYEAI5GAQUwYDAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfZW4ucGRmEwJlbjAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfY3MucGRmEwJjczATBgYEAI5GAQYwCQYHBACORgEGAjB9BggrBgEFBQcBAQRxMG8wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQucG9zdHNpZ251bS5jei9jcnQvcHNxdWFsaWZpZWRjYTQuY3J0MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1AvUUNBNC8wDgYDVR0PAQH/BAQDAgXgMB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFA8ofD42ADgQUK49uCGXi/dgXGF4MIGxBgNVHR8EgakwgaYwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5jei9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMDagNKAyhjBodHRwOi8vY3JsMi5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhNC5jcmwwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS
5ldS9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMB0GA1UdDgQWBBSCtStzngo8o0QmO5SqPS1mfPhrFTANBgkqhkiG9w0BAQsFAAOCAgEAM+0izVaNJakTg8HHhkFyYAupCszr8B0Q3paAsNkrbEQpFK9hGOxB76lqamlfPSgydmqAvBCXbgFQ9KQ2TZ+x9fNuYABJHPVbBAnegAPgDhj/HjSCY15SFD3U4D1eQtZ+lN1KKMYOIMhGY6wiMkQXh0+4NQ9tJoB8dyFFEtoW/wm+RcFyMqYKlzVPHHZDigDalTdHkFoQnyK0GCfE3mhSWRLT8bKI9um8xdinbM4VjmMuocQ2r/TpO0kvJy/bV0Po/o0YRZMw3ExTOqd2ubFltDE/M2LxI+6OnRITjV++XAWUcrDRYzq+SLT/mxIO207jGqcXUxxRjWWPPBFOWStVlJ4wWenAel0XW1mAMFwmOwJ9sgix2OdUYteCIqpakgM13tRtSU+TCV33MrRpbxB9T50ucG6QYILDCeSq6Q45zqi8d/2wmX5vIV3n8TT0XyN+/KrX5kIO5ozTnPIGtIh6/C4jn8i0J4Z1VycuP0V9RPL55hZDJFYuTHxuBp3C0wpkjRs86J8X9dJG+Ex2TCdp3zx+V2PRDZv7S/4cU6ah0YJUXS2LZM1X4rTzHK7367LcWdvIsmDp1D7I9AwBsDLMAn4SdEmjBa2RO9wx3SHxkG9JFEyiET38l6kjmFqZtRBZOSu2A0lB0nDExJ4BENuGFQ5q+lonazSY+e7i623FhQg=" ] -validators: array:1 [ 0 => array:2 [ "Function" => array:2 [ 0 => "SAML2\Utils" 1 => "validateSignature" ] "Data" => array:2 [ "Signature" => XMLSecurityDSig {#92 +sigNode: DOMElement {#98 +schemaTypeInfo: null +nodeName: "Signature" +nodeValue: "" +nodeType: XML_ELEMENT_NODE +parentNode: null +childNodes: DOMNodeList {#175 +length: 3 } +firstChild: DOMElement {#177 …} +lastChild: DOMElement {#179 …} +previousSibling: null +nextSibling: null +attributes: DOMNamedNodeMap {#182 +length: 0 } +ownerDocument: DOMDocument {#184 …} +namespaceURI: "http://www.w3.org/2000/09/xmldsig#" +prefix: "" +localName: "Signature" +baseURI: "/nix/store/fhb1japhdj213azhjdysq3b8plzb888n-nia.otevrenamesta.cz/webroot/" +textContent: "" +tagName: "Signature" } +idKeys: array:1 [ 0 => "ID" ] +idNS: [] -signedInfo: "<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="#_5e44b88f-65c0-4f47-a7b0-ac9a202fe8a2"><Transforms><Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>1YmE0AZiMEKhV63ItZX1qRK50nt/+iegNmbdfFrOEG0=</DigestValue></Reference></SignedInfo>" -xPathCtx: DOMXPath {#97 +document: DOMDocument {#184 …} } -canonicalMethod: null -prefix: "ds:" -searchpfx: "secdsig" -validatedNodes: array:1 [ "_5e44b88f-65c0-4f47-a7b0-ac9a202fe8a2" => DOMElement {#94 +schemaTypeInfo: null +nodeName: "EntityDescriptor" +nodeValue: "" +nodeType: XML_ELEMENT_NODE +parentNode: DOMNamedNodeMap {#182} +childNodes: DOMNodeList {#181 +length: 3 } +firstChild: DOMText {#178 …} +lastChild: DOMElement {#179 …} +previousSibling: DOMElement {#177 …} +nextSibling: DOMNodeList {#175} +attributes: DOMNamedNodeMap {#174 +length: 2 } +ownerDocument: DOMNamedNodeMap {#182} +namespaceURI: "urn:oasis:names:tc:SAML:2.0:metadata" +prefix: "" +localName: "EntityDescriptor" +baseURI: "/nix/store/fhb1japhdj213azhjdysq3b8plzb888n-nia.otevrenamesta.cz/webroot/" +textContent: "" +tagName: "EntityDescriptor" } ] } "Certificates" => array:1 [ 0 => 
"MIIH0jCCBbqgAwIBAgIEAVjUZzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEXMBUGA1UEYRMOTlRSQ1otNDcxMTQ5ODMxHTAbBgNVBAoMFMSMZXNrw6EgcG/FoXRhLCBzLnAuMSIwIAYDVQQDExlQb3N0U2lnbnVtIFF1YWxpZmllZCBDQSA0MB4XDTIyMDMxMTA3NTEyNloXDTIzMDMzMTA3NTEyNloweTELMAkGA1UEBhMCQ1oxFzAVBgNVBGETDk5UUkNaLTcyMDU0NTA2MScwJQYDVQQKDB5TcHLDoXZhIHrDoWtsYWRuw61jaCByZWdpc3Ryxa8xFjAUBgNVBAMMDUdHX0ZQU1RTX1RFU1QxEDAOBgNVBAUTB1MyNzU3MzAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5Ls3pWnNohUtQPvsTkqLbBs40/Yx05eLGQ8PfHtuZriCAjHOqaHUN9KOIvPV0pdgLy4PYCpOjOf2EQyOuP0oBk7Hq2+9atIZbA01/SUynR2w6GyAosCdoSJwWBR4lp62Ld0wGg8glgO83peADC7yIcZ+M9ZjhJeWcwyP71AfP35MdIJdLzaGX6prT9viUwu5O8xrvs1pqZ8ksk2ZRiLc9eTUaiVoMZ35026FMT82HFdcZMuMi0mFSJLw98pA92OAi/WGhy1ihh+LGxK2BbFyE6FD8z/cKSau+Q0v+57Wg6gWq+pi8ZfN5XRCmWOCEzpIXehAQ4x6qzuhm/RhaLRPVAgMBAAGjggNwMIIDbDCCASYGA1UdIASCAR0wggEZMIIBCgYJZ4EGAQQBEoFIMIH8MIHTBggrBgEFBQcCAjCBxhqBw1RlbnRvIGt2YWxpZmlrb3ZhbnkgY2VydGlmaWthdCBwcm8gZWxla3Ryb25pY2tvdSBwZWNldCBieWwgdnlkYW4gdiBzb3VsYWR1IHMgbmFyaXplbmltIEVVIGMuIDkxMC8yMDE0LlRoaXMgaXMgYSBxdWFsaWZpZWQgY2VydGlmaWNhdGUgZm9yIGVsZWN0cm9uaWMgc2VhbCBhY2NvcmRpbmcgdG8gUmVndWxhdGlvbiAoRVUpIE5vIDkxMC8yMDE0LjAkBggrBgEFBQcCARYYaHR0cDovL3d3dy5wb3N0c2lnbnVtLmN6MAkGBwQAi+xAAQEwgZsGCCsGAQUFBwEDBIGOMIGLMAgGBgQAjkYBATBqBgYEAI5GAQUwYDAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfZW4ucGRmEwJlbjAuFihodHRwczovL3d3dy5wb3N0c2lnbnVtLmN6L3Bkcy9wZHNfY3MucGRmEwJjczATBgYEAI5GAQYwCQYHBACORgEGAjB9BggrBgEFBQcBAQRxMG8wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQucG9zdHNpZ251bS5jei9jcnQvcHNxdWFsaWZpZWRjYTQuY3J0MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wb3N0c2lnbnVtLmN6L09DU1AvUUNBNC8wDgYDVR0PAQH/BAQDAgXgMB8GA1UdJQQYMBYGCCsGAQUFBwMEBgorBgEEAYI3CgMMMB8GA1UdIwQYMBaAFA8ofD42ADgQUK49uCGXi/dgXGF4MIGxBgNVHR8EgakwgaYwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5jei9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMDagNKAyhjBodHRwOi8vY3JsMi5wb3N0c2lnbnVtLmN6L2NybC9wc3F1YWxpZmllZGNhNC5jcmwwNaAzoDGGL2h0dHA6Ly9jcmwucG9zdHNpZ251bS5ldS9jcmwvcHNxdWFsaWZpZWRjYTQuY3JsMB0GA1UdDgQWBBSCtStzngo8o0QmO5SqPS1mfPhrFTANBgkqhkiG9w0BAQsFAAOCAgEAM+0izVa
NJakTg8HHhkFyYAupCszr8B0Q3paAsNkrbEQpFK9hGOxB76lqamlfPSgydmqAvBCXbgFQ9KQ2TZ+x9fNuYABJHPVbBAnegAPgDhj/HjSCY15SFD3U4D1eQtZ+lN1KKMYOIMhGY6wiMkQXh0+4NQ9tJoB8dyFFEtoW/wm+RcFyMqYKlzVPHHZDigDalTdHkFoQnyK0GCfE3mhSWRLT8bKI9um8xdinbM4VjmMuocQ2r/TpO0kvJy/bV0Po/o0YRZMw3ExTOqd2ubFltDE/M2LxI+6OnRITjV++XAWUcrDRYzq+SLT/mxIO207jGqcXUxxRjWWPPBFOWStVlJ4wWenAel0XW1mAMFwmOwJ9sgix2OdUYteCIqpakgM13tRtSU+TCV33MrRpbxB9T50ucG6QYILDCeSq6Q45zqi8d/2wmX5vIV3n8TT0XyN+/KrX5kIO5ozTnPIGtIh6/C4jn8i0J4Z1VycuP0V9RPL55hZDJFYuTHxuBp3C0wpkjRs86J8X9dJG+Ex2TCdp3zx+V2PRDZv7S/4cU6ah0YJUXS2LZM1X4rTzHK7367LcWdvIsmDp1D7I9AwBsDLMAn4SdEmjBa2RO9wx3SHxkG9JFEyiET38l6kjmFqZtRBZOSu2A0lB0nDExJ4BENuGFQ5q+lonazSY+e7i623FhQg=" ] ] ] ] +validUntil: null +cacheDuration: null -entityID: "urn:microsoft:cgg2010:fpsts" -ID: "_5e44b88f-65c0-4f47-a7b0-ac9a202fe8a2" -Extensions: [] -RoleDescriptor: array:2 [ 0 => UnknownRoleDescriptor {#102 #signatureKey: null #certificates: [] -validators: [] +validUntil: null +cacheDuration: null -elementName: "md:RoleDescriptor" -ID: null -protocolSupportEnumeration: array:1 [ 0 => "http://docs.oasis-open.org/wsfed/federation/200706" ] -errorURL: null -Extensions: [] -KeyDescriptor: array:1 [ 0 => KeyDescriptor {#104 -use: "signing" -KeyInfo: KeyInfo {#100 -Id: null -info: array:1 [ 0 => X509Data {#110 -data: array:1 [ 0 => X509Certificate {#112 -certificate: "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" } ] } ] } -EncryptionMethod: [] } ] -Organization: null -ContactPerson: [] -xml: Chunk {#105 -localName: "RoleDescriptor" -namespaceURI: "urn:oasis:names:tc:SAML:2.0:metadata" -xml: DOMElement {#107 +schemaTypeInfo: null +nodeName: "RoleDescriptor" +nodeValue: "" +nodeType: XML_ELEMENT_NODE +parentNode: null +childNodes: DOMNodeList {#155 +length: 5 } +firstChild: DOMElement {#157 …} +lastChild: DOMElement {#159 …} +previousSibling: null +nextSibling: null +attributes: DOMNamedNodeMap {#162 +length: 2 } +ownerDocument: DOMDocument {#164 …} +namespaceURI: 
"urn:oasis:names:tc:SAML:2.0:metadata" +prefix: "" +localName: "RoleDescriptor" +baseURI: null +textContent: "" +tagName: "RoleDescriptor" } } } 1 => IDPSSODescriptor {#103 #signatureKey: null #certificates: [] -validators: [] +validUntil: null +cacheDuration: null -elementName: "md:IDPSSODescriptor" -ID: null -protocolSupportEnumeration: array:1 [ 0 => "urn:oasis:names:tc:SAML:2.0:protocol" ] -errorURL: null -Extensions: [] -KeyDescriptor: array:1 [ 0 => KeyDescriptor {#109 -use: "signing" -KeyInfo: KeyInfo {#113 -Id: null -info: array:1 [ 0 => X509Data {#117 -data: array:1 [ 0 => X509Certificate {#119 -certificate: "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" } ] } ] } -EncryptionMethod: [] } ] -Organization: null -ContactPerson: [] -ArtifactResolutionService: [] -SingleLogoutService: array:1 [ 0 => EndpointType {#111 -Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" -Location: "https://tnia.identitaobcana.cz/FPSTS/saml2/basic" -ResponseLocation: null -attributes: [] } ] -ManageNameIDService: [] -NameIDFormat: [] -WantAuthnRequestsSigned: null -SingleSignOnService: array:2 [ 0 => EndpointType {#115 -Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" -Location: "https://tnia.identitaobcana.cz/FPSTS/saml2/basic" -ResponseLocation: null -attributes: [] } 1 => EndpointType {#121 -Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -Location: "https://tnia.identitaobcana.cz/FPSTS/saml2/basic" -ResponseLocation: null -attributes: [] } ] -NameIDMappingService: [] -AssertionIDRequestService: [] -AttributeProfile: [] -Attribute: [] } ] -AffiliationDescriptor: null -Organization: null -ContactPerson: [] -AdditionalMetadataLocation: [] }
<?php
use RobRichards\XMLSecLibs\XMLSecurityKey;
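// The NIA signing certificate is the trust anchor for the metadata signature check, so it
// should be shipped with the deployment and read from local storage; fetching it over the
// network at run time makes the check only as strong as that download.
// The URL below serves the NIA (PEM) certificate of the test environment.
$tnia_cert_data = file_get_contents('https://nia.otevrenamesta.cz/tnia.crt');
if ($tnia_cert_data === false) {
    // an unreadable trust anchor must abort, otherwise loadKey() would be fed an empty string
    throw new \RuntimeException('Unable to read the NIA signing certificate');
}
// build a public key from the certificate data
$tnia_key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'public']);
$tnia_key->loadKey($tnia_cert_data, false, true);
// EntityDescriptor->validate(XMLSecurityKey $key) verifies the enveloped signature.
// In simplesamlphp/saml2 a document with no signature at all is reported as false
// rather than by throwing (confirm against the library version in use), so anything
// other than true must be treated as untrusted metadata.
$valid = $metadata->validate($tnia_key);
if ($valid !== true) {
    throw new \RuntimeException('IdP metadata is not signed with the expected NIA certificate');
}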
Obsah proměnné valid: true
<?php
use SAML2\Constants;
use SAML2\XML\md\IDPSSODescriptor;
use SAML2\XML\md\EntityDescriptor;
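/**
 * Extracts the HTTP-Redirect and HTTP-POST single sign-on endpoints from IdP metadata.
 *
 * Declared as a plain function: the original `private` modifier is only valid inside a
 * class and makes a file-scope declaration a parse error, while the caller invokes it as
 * a free function. Only metadata whose signature has already been validated should be
 * passed in. When several IDPSSODescriptor roles are present the last one is used, and
 * within it the last SingleSignOnService entry per binding is kept.
 *
 * @param EntityDescriptor $idp_descriptor parsed (and validated) IdP metadata
 * @return array<string, string|false> binding URN => endpoint URL, or false when the
 *         binding is not offered by the IdP
 */
function extractSSOLoginUrls(EntityDescriptor $idp_descriptor): array
{
    $idp_sso_descriptor = null;
    foreach ($idp_descriptor->getRoleDescriptor() as $role_descriptor) {
        if ($role_descriptor instanceof IDPSSODescriptor) {
            $idp_sso_descriptor = $role_descriptor;
        }
    }

    // false marks a binding the IdP does not advertise; the keys double as the allow-list
    $urls = [
        Constants::BINDING_HTTP_REDIRECT => false,
        Constants::BINDING_HTTP_POST => false,
    ];
    if ($idp_sso_descriptor === null) {
        return $urls;
    }

    foreach ($idp_sso_descriptor->getSingleSignOnService() as $endpoint) {
        $binding = $endpoint->getBinding();
        // endpoints with any other binding are ignored
        if (array_key_exists($binding, $urls)) {
            $urls[$binding] = $endpoint->getLocation();
        }
    }

    return $urls;
}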
// pull both login endpoints out of the metadata, keyed by SAML binding URN
$urls = extractSSOLoginUrls($metadata);
[Constants::BINDING_HTTP_REDIRECT => $redirect_url, Constants::BINDING_HTTP_POST => $post_url] = $urls;
Obsah proměnné urls: array:2 [ "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" => "https://tnia.identitaobcana.cz/FPSTS/saml2/basic" "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" => "https://tnia.identitaobcana.cz/FPSTS/saml2/basic" ]