1<?php
2
3namespace SAML2;
4
/**
 * Identifier strings (URNs and URIs) defined by the OASIS SAML 2.0 specifications: authentication
 * context classes, bindings, subject confirmation methods, comparison and consent values, attribute
 * name and NameID formats, XML namespaces, and status codes. The values are opaque identifiers and
 * should be compared with strict string equality.
 *
 * @package SimpleSAMLphp
 */
class Constants
{
    /**
     * Password authentication context class.
     *
     * Contrast with AC_PASSWORD_PROTECTED_TRANSPORT, which additionally asserts that the password
     * was exchanged over a protected transport.
     */
    const AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';

    /**
     * PasswordProtectedTransport authentication context class (password authentication over a
     * protected transport such as TLS).
     */
    const AC_PASSWORD_PROTECTED_TRANSPORT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

    /**
     * Unspecified authentication context class: no claim is made about how the principal authenticated.
     */
    const AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified';

    /**
     * The URN for the HTTP-POST binding.
     */
    const BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';

    /**
     * The URN for the HTTP-Redirect binding.
     */
    const BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';

    /**
     * The URN for the HTTP-Artifact binding.
     */
    const BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';

    /**
     * The URN for the SOAP binding.
     */
    const BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP';

    /**
     * The URN for the PAOS (reverse SOAP) binding.
     */
    const BINDING_PAOS = 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS';

    /**
     * The URN for the Holder-of-Key Web Browser SSO Profile binding.
     *
     * Has the same value as NS_HOK; the profile identifier doubles as the binding identifier.
     */
    const BINDING_HOK_SSO = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';

    /**
     * Bearer subject confirmation method: possession of the assertion alone confirms the subject.
     */
    const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';

    /**
     * Holder-of-Key subject confirmation method: the subject must prove possession of a key
     * identified in the assertion.
     */
    const CM_HOK = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key';

    /**
     * Sender-Vouches subject confirmation method: the presenter vouches for the subject.
     */
    const CM_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication
     * contexts specified.
     */
    const COMPARISON_BETTER = 'better';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be the exact match of at least one of the authentication contexts specified.
     */
    const COMPARISON_EXACT = 'exact';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the
     * strength of at least one of the authentication contexts specified.
     */
    const COMPARISON_MAXIMUM = 'maximum';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication
     * contexts specified.
     */
    const COMPARISON_MINIMUM = 'minimum';

    /**
     * No claim as to principal consent is being made.
     */
    const CONSENT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:consent:unspecified';

    /**
     * Indicates that a principal's consent has been obtained by the issuer of the message.
     */
    const CONSENT_OBTAINED = 'urn:oasis:names:tc:SAML:2.0:consent:obtained';

    /**
     * Indicates that a principal's consent has been obtained by the issuer of the message at some point prior to
     * the action that initiated the message.
     */
    const CONSENT_PRIOR = 'urn:oasis:names:tc:SAML:2.0:consent:prior';

    /**
     * Indicates that a principal's consent has been implicitly obtained by the issuer of the message during the
     * action that initiated the message, as part of a broader indication of consent.
     * Implicit consent is typically more proximal to the action in time and presentation than prior consent,
     * such as part of a session of activities.
     */
    const CONSENT_IMPLICIT = 'urn:oasis:names:tc:SAML:2.0:consent:current-implicit';

    /**
     * Indicates that a principal's consent has been explicitly obtained by the issuer of the message during the
     * action that initiated the message.
     */
    const CONSENT_EXPLICIT = 'urn:oasis:names:tc:SAML:2.0:consent:current-explicit';

    /**
     * Indicates that the issuer of the message did not obtain consent.
     */
    const CONSENT_UNAVAILABLE = 'urn:oasis:names:tc:SAML:2.0:consent:unavailable';

    /**
     * Indicates that the issuer of the message does not believe that they need to obtain or report consent.
     */
    const CONSENT_INAPPLICABLE = 'urn:oasis:names:tc:SAML:2.0:consent:inapplicable';

    /**
     * The eduPersonTargetedID attribute name in the MACE-Dir (urn:mace) naming scheme.
     */
    const EPTI_URN_MACE = 'urn:mace:dir:attribute-def:eduPersonTargetedID';

    /**
     * The eduPersonTargetedID attribute name as an OID-based URN.
     *
     * Same attribute as EPTI_URN_MACE under a different naming scheme; callers matching this
     * attribute may need to accept both forms.
     */
    const EPTI_URN_OID = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10';

    /**
     * The interpretation of the attribute name is left to individual implementations.
     */
    const NAMEFORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified';

    /**
     * The attribute name follows the convention for URI references [RFC 2396], for example as used in XACML
     * [XACML] attribute identifiers. The interpretation of the URI content or naming scheme is application-
     * specific. See [SAMLProf] for attribute profiles that make use of this identifier.
     */
    const NAMEFORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';

    /**
     * The class of strings acceptable as the attribute name MUST be drawn from the set of values belonging to
     * the primitive type xs:Name as defined in [Schema2] Section 3.3.6. See [SAMLProf] for attribute profiles
     * that make use of this identifier.
     */
    const NAMEFORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';

    /**
     * Unspecified NameID format (SAML 1.1 identifier, still used in SAML 2.0).
     */
    const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';

    /**
     * Email address NameID format (SAML 1.1 identifier, still used in SAML 2.0).
     */
    const NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

    /**
     * X.509 Subject Name NameID format (SAML 1.1 identifier, still used in SAML 2.0).
     */
    const NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';

    /**
     * Windows Domain Qualified Name NameID format (SAML 1.1 identifier, still used in SAML 2.0).
     */
    const NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName';

    /**
     * Kerberos Principal Name NameID format.
     */
    const NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos';

    /**
     * Entity NameID format: the identifier is the entityID of a SAML provider.
     */
    const NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity';

    /**
     * Persistent NameID format: a stable, opaque identifier for the principal.
     */
    const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

    /**
     * Transient NameID format: an opaque identifier valid only for a single session.
     */
    const NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';

    /**
     * Encrypted NameID format: the identifier is carried as an EncryptedID element.
     */
    const NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted';

    /**
     * The namespace for the ECP (Enhanced Client or Proxy) profile.
     */
    const NS_ECP = 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp';

    /**
     * The namespace for the SOAP 1.1 envelope.
     */
    const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';

    /**
     * The namespace for the SAML 2 protocol (samlp).
     */
    const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';

    /**
     * The namespace for SAML 2 assertions (saml).
     */
    const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';

    /**
     * The namespace for SAML 2 metadata (md).
     */
    const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';

    /**
     * The namespace for XML Schema (xs).
     */
    const NS_XS = 'http://www.w3.org/2001/XMLSchema';

    /**
     * The namespace for XML Schema instance (xsi).
     */
    const NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance';

    /**
     * The namespace for the SAML 2 Holder-of-Key Web Browser SSO Profile.
     *
     * Has the same value as BINDING_HOK_SSO.
     */
    const NS_HOK = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';

    /**
     * Common prefix of all SAML 2.0 status code URNs below.
     */
    const STATUS_PREFIX = 'urn:oasis:names:tc:SAML:2.0:status:';

    /**
     * The request succeeded. Additional information MAY be returned in the <StatusMessage>
     * and/or <StatusDetail> elements.
     *
     * Top-level status code.
     */
    const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

    /**
     * The request could not be performed due to an error on the part of the requester.
     *
     * Top-level status code.
     */
    const STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester';

    /**
     * The request could not be performed due to an error on the part of the SAML responder or SAML authority.
     *
     * Top-level status code.
     */
    const STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder';

    /**
     * The SAML responder could not process the request because the version of the request message was incorrect.
     *
     * Top-level status code.
     */
    const STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch';

    /**
     * The responding provider was unable to successfully authenticate the principal.
     *
     * Second-level status code.
     */
    const STATUS_AUTHN_FAILED = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed';

    /**
     * Unexpected or invalid content was encountered within a <saml:Attribute> or <saml:AttributeValue> element.
     *
     * Second-level status code.
     */
    const STATUS_INVALID_ATTR = 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue';

    /**
     * The responding provider cannot or will not support the requested name identifier policy.
     *
     * Second-level status code.
     */
    const STATUS_INVALID_NAMEID_POLICY = 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy';

    /**
     * The specified authentication context requirements cannot be met by the responder.
     *
     * Second-level status code.
     */
    const STATUS_NO_AUTHN_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext';

    /**
     * Used by an intermediary to indicate that none of the supported identity provider <Loc> elements in an
     * <IDPList> can be resolved or that none of the supported identity providers are available.
     *
     * Second-level status code.
     */
    const STATUS_NO_AVAILABLE_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP';

    /**
     * Indicates the responding provider cannot authenticate the principal passively, as has been requested.
     *
     * Second-level status code.
     */
    const STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive';

    /**
     * Used by an intermediary to indicate that none of the identity providers in an <IDPList> are
     * supported by the intermediary.
     *
     * Second-level status code.
     */
    const STATUS_NO_SUPPORTED_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP';

    /**
     * Used by a session authority to indicate to a session participant that it was not able to propagate logout
     * to all other session participants.
     *
     * Second-level status code.
     */
    const STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout';

    /**
     * Indicates that a responding provider cannot authenticate the principal directly and is not permitted
     * to proxy the request further.
     *
     * Second-level status code.
     */
    const STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded';

    /**
     * The SAML responder or SAML authority is able to process the request but has chosen not to respond.
     * This status code MAY be used when there is concern about the security context of the request message or
     * the sequence of request messages received from a particular requester.
     *
     * Second-level status code.
     */
    const STATUS_REQUEST_DENIED = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied';

    /**
     * The SAML responder or SAML authority does not support the request.
     *
     * Second-level status code.
     */
    const STATUS_REQUEST_UNSUPPORTED = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported';

    /**
     * The SAML responder cannot process any requests with the protocol version specified in the request.
     *
     * Second-level status code.
     */
    const STATUS_REQUEST_VERSION_DEPRECATED = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated';

    /**
     * The SAML responder cannot process the request because the protocol version specified in the request message
     * is a major upgrade from the highest protocol version supported by the responder.
     *
     * Second-level status code.
     */
    const STATUS_REQUEST_VERSION_TOO_HIGH = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh';

    /**
     * The SAML responder cannot process the request because the protocol version specified in the request message
     * is too low.
     *
     * Second-level status code.
     */
    const STATUS_REQUEST_VERSION_TOO_LOW = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow';

    /**
     * The resource value provided in the request message is invalid or unrecognized.
     *
     * Second-level status code.
     */
    const STATUS_RESOURCE_NOT_RECOGNIZED = 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized';

    /**
     * The response message would contain more elements than the SAML responder is able to return.
     *
     * Second-level status code.
     */
    const STATUS_TOO_MANY_RESPONSES = 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses';

    /**
     * An entity that has no knowledge of a particular attribute profile has been presented with an attribute
     * drawn from that profile.
     *
     * Second-level status code.
     */
    const STATUS_UNKNOWN_ATTR_PROFILE = 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile';

    /**
     * The responding provider does not recognize the principal specified or implied by the request.
     *
     * Second-level status code.
     */
    const STATUS_UNKNOWN_PRINCIPAL = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal';

    /**
     * The SAML responder cannot properly fulfill the request using the protocol binding specified in the request.
     *
     * Second-level status code.
     */
    const STATUS_UNSUPPORTED_BINDING = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding';
}
424