Support for Conditions/AudienceRestriction/Audience in AuthnRequest

src/SAML2/AuthnRequest.php

@@ -108,6 +108,13 @@ class AuthnRequest extends Request
      */
     private $requestedAuthnContext;
 
+    /**
+     * Audiences to send in the request.
+     *
+     * @var array
+     */
+    private $audiences;
+
     /**
      * @var \SAML2\XML\saml\SubjectConfirmation[]
      */
@@ -404,6 +411,30 @@ public function setIsPassive($isPassive)
         $this->isPassive = $isPassive;
     }
 
+    /**
+     * Retrieve the audiences to send in the request.
+     *
+     * This may be null, in which case no audience will be sent.
+     *
+     * @return array|null The audiences.
+     */
+    public function getAudiences()
+    {
+        return $this->audiences;
+    }
+
+    /**
+     * Set the audiences to send in the request.
+     *
+     * This may be null, in which case no audience will be sent.
+     *
+     * @param array|null $audiences The audiences.
+     */
+    public function setAudiences(array $audiences = null)
+    {
+        $this->audiences = $audiences;
+    }
+
 
     /**
      * This function sets the scoping for the request.
@@ -732,6 +763,8 @@ public function toUnsignedXML()
             $root->appendChild($nameIdPolicy);
         }
 
+        $this->addConditions($root);
+
         $rac = $this->requestedAuthnContext;
         if (!empty($rac) && !empty($rac['AuthnContextClassRef'])) {
             $e = $this->document->createElementNS(Constants::NS_SAMLP, 'RequestedAuthnContext');
@@ -806,4 +839,24 @@ private function addSubject(\DOMElement $root)
             $sc->toXML($subject);
         }
     }
+
+    /**
+     * Add a Conditions-node to the request.
+     *
+     * @param \DOMElement $root The request element we should add the conditions to.
+     */
+    private function addConditions(\DOMElement $root)
+    {
+        if ($this->audiences !== null) {
+            $document = $root->ownerDocument;
+
+            $conditions = $document->createElementNS(Constants::NS_SAML, 'saml:Conditions');
+            $root->appendChild($conditions);
+
+            $ar = $document->createElementNS(Constants::NS_SAML, 'saml:AudienceRestriction');
+            $conditions->appendChild($ar);
+
+            Utils::addStrings($ar, Constants::NS_SAML, 'saml:Audience', false, $this->audiences);
+        }
+    }
 }

tests/SAML2/AuthnRequestTest.php

@@ -984,4 +984,39 @@ public function testEmptySubjectThrowsException()
         $this->setExpectedException('Exception', 'Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>');
         $authnRequest = new AuthnRequest(DOMDocumentFactory::fromString($xml)->documentElement);
     }
+
+    /**
+     * Test setting audiences.
+     */
+    public function testAudiencesAreAddedCorrectly()
+    {
+        // basic AuthnRequest
+        $request = new AuthnRequest();
+        $request->setIssuer('https://gateway.example.org/saml20/sp/metadata');
+        $request->setDestination('https://tiqr.example.org/idp/profile/saml2/Redirect/SSO');
+        $request->setAudiences(array('https://sp1.example.org', 'https://sp2.example.org'));
+
+        $expectedStructureDocument = <<<AUTHNREQUEST
+<samlp:AuthnRequest
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    ID=""
+    Version=""
+    IssueInstant=""
+    Destination="https://tiqr.example.org/idp/profile/saml2/Redirect/SSO">
+    <saml:Issuer>https://gateway.example.org/saml20/sp/metadata</saml:Issuer>
+    <saml:Conditions>
+      <saml:AudienceRestriction>
+        <saml:Audience>https://sp1.example.org</saml:Audience>
+        <saml:Audience>https://sp2.example.org</saml:Audience>
+      </saml:AudienceRestriction>
+    </saml:Conditions>
+</samlp:AuthnRequest>
+AUTHNREQUEST;
+
+        $expectedStructure = DOMDocumentFactory::fromString($expectedStructureDocument)->documentElement;
+        $requestStructure = $request->toUnsignedXML();
+
+        $this->assertEqualXMLStructure($expectedStructure, $requestStructure);
+    }
 }