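<?php

declare(strict_types=1);

namespace SAML2;

/**
 * Various SAML 2 constants.
 *
 * Every constant is a plain string (URN, URI, or a short keyword) taken from
 * the SAML 2.0 specifications. The class holds no state and is never
 * instantiated; it only provides named values so that callers do not have to
 * repeat the literal identifiers.
 *
 * @package SimpleSAMLphp
 */
class Constants
{
    /**
     * Password authentication context.
     */
    public const AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';

    /**
     * PasswordProtectedTransport authentication context.
     */
    public const AC_PASSWORD_PROTECTED_TRANSPORT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport';

    /**
     * Unspecified authentication context.
     */
    public const AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified';

    /**
     * The URN for the HTTP-POST binding.
     */
    public const BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';

    /**
     * The URN for the HTTP-Redirect binding.
     */
    public const BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';

    /**
     * The URN for the HTTP-Artifact binding.
     */
    public const BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';

    /**
     * The URN for the SOAP binding.
     */
    public const BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP';

    /**
     * The URN for the PAOS binding.
     */
    public const BINDING_PAOS = 'urn:oasis:names:tc:SAML:2.0:bindings:PAOS';

    /**
     * The URN for the Holder-of-Key Web Browser SSO Profile binding.
     *
     * Note: this is the same URN as NS_HOK; the profile identifier doubles as
     * the binding identifier in metadata.
     */
    public const BINDING_HOK_SSO = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';

    /**
     * Bearer subject confirmation method.
     */
    public const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';

    /**
     * Holder-of-Key subject confirmation method.
     */
    public const CM_HOK = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key';

    /**
     * Sender-vouches subject confirmation method.
     */
    public const CM_VOUCHES = 'urn:oasis:names:tc:SAML:2.0:cm:sender-vouches';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication
     * contexts specified.
     */
    public const COMPARISON_BETTER = 'better';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be the exact match of at least one of the authentication contexts specified.
     */
    public const COMPARISON_EXACT = 'exact';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the
     * strength of at least one of the authentication contexts specified.
     */
    public const COMPARISON_MAXIMUM = 'maximum';

    /**
     * Request Authentication Context Comparison indicating that the resulting authentication context in the
     * authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication
     * contexts specified.
     */
    public const COMPARISON_MINIMUM = 'minimum';

    /**
     * No claim as to principal consent is being made.
     */
    public const CONSENT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:consent:unspecified';

    /**
     * Indicates that a principal's consent has been obtained by the issuer of the message.
     */
    public const CONSENT_OBTAINED = 'urn:oasis:names:tc:SAML:2.0:consent:obtained';

    /**
     * Indicates that a principal's consent has been obtained by the issuer of the message at some point prior to
     * the action that initiated the message.
     */
    public const CONSENT_PRIOR = 'urn:oasis:names:tc:SAML:2.0:consent:prior';

    /**
     * Indicates that a principal's consent has been implicitly obtained by the issuer of the message during the
     * action that initiated the message, as part of a broader indication of consent.
     * Implicit consent is typically more proximal to the action in time and presentation than prior consent,
     * such as part of a session of activities.
     */
    public const CONSENT_IMPLICIT = 'urn:oasis:names:tc:SAML:2.0:consent:current-implicit';

    /**
     * Indicates that a principal's consent has been explicitly obtained by the issuer of the message during the
     * action that initiated the message.
     */
    public const CONSENT_EXPLICIT = 'urn:oasis:names:tc:SAML:2.0:consent:current-explicit';

    /**
     * Indicates that the issuer of the message did not obtain consent.
     */
    public const CONSENT_UNAVAILABLE = 'urn:oasis:names:tc:SAML:2.0:consent:unavailable';

    /**
     * Indicates that the issuer of the message does not believe that they need to obtain or report consent.
     */
    public const CONSENT_INAPPLICABLE = 'urn:oasis:names:tc:SAML:2.0:consent:inapplicable';

    /**
     * The eduPersonTargetedID attribute name in the MACE URN form.
     */
    public const EPTI_URN_MACE = 'urn:mace:dir:attribute-def:eduPersonTargetedID';

    /**
     * The eduPersonTargetedID attribute name in the OID URN form.
     */
    public const EPTI_URN_OID = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10';

    /**
     * The interpretation of the attribute name is left to individual implementations.
     */
    public const NAMEFORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified';

    /**
     * The attribute name follows the convention for URI references [RFC 2396], for example as used in XACML
     * [XACML] attribute identifiers. The interpretation of the URI content or naming scheme is application-
     * specific. See [SAMLProf] for attribute profiles that make use of this identifier.
     */
    public const NAMEFORMAT_URI = 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';

    /**
     * The class of strings acceptable as the attribute name MUST be drawn from the set of values belonging to
     * the primitive type xs:Name as defined in [Schema2] Section 3.3.6. See [SAMLProf] for attribute profiles
     * that make use of this identifier.
     */
    public const NAMEFORMAT_BASIC = 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic';

    /**
     * Unspecified NameID format.
     *
     * Note: the first four NameID formats below are SAML 1.1 URNs, retained in SAML 2.0 for compatibility.
     */
    public const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';

    /**
     * Email address NameID format.
     */
    public const NAMEID_EMAIL_ADDRESS = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress';

    /**
     * X509 Subject Name NameID format.
     */
    public const NAMEID_X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName';

    /**
     * Windows Domain Qualified Name NameID format.
     */
    public const NAMEID_WINDOWS_DOMAIN_QUALIFIED_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName';

    /**
     * Kerberos Principal Name NameID format.
     */
    public const NAMEID_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos';

    /**
     * Entity NameID format.
     */
    public const NAMEID_ENTITY = 'urn:oasis:names:tc:SAML:2.0:nameid-format:entity';

    /**
     * Persistent NameID format.
     */
    public const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';

    /**
     * Transient NameID format.
     */
    public const NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';

    /**
     * Encrypted NameID format.
     */
    public const NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted';

    /**
     * The namespace for the ECP profile.
     */
    public const NS_ECP = 'urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp';

    /**
     * The namespace for the SOAP 1.1 envelope.
     */
    public const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';

    /**
     * The namespace for the SAML 2 protocol.
     */
    public const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';

    /**
     * The namespace for the SAML 2 assertions.
     */
    public const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';

    /**
     * The namespace for the SAML 2 metadata.
     */
    public const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';

    /**
     * The namespace for XML Schema.
     */
    public const NS_XS = 'http://www.w3.org/2001/XMLSchema';

    /**
     * The namespace for XML Schema instance.
     */
    public const NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance';

    /**
     * The namespace for the SAML 2 HoK Web Browser SSO Profile.
     */
    public const NS_HOK = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';

    /**
     * The common prefix of every SAML 2 status code URN defined below.
     */
    public const STATUS_PREFIX = 'urn:oasis:names:tc:SAML:2.0:status:';

    /**
     * Top-level status code indicating successful processing of the request.
     * The request succeeded. Additional information MAY be returned in the <StatusMessage>
     * and/or <StatusDetail> elements.
     *
     * Top-level status code.
     */
    public const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

    /**
     * The request could not be performed due to an error on the part of the requester.
     *
     * Top-level status code.
     */
    public const STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester';

    /**
     * The request could not be performed due to an error on the part of the SAML responder or SAML authority.
     *
     * Top-level status code.
     */
    public const STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder';

    /**
     * The SAML responder could not process the request because the version of the request message was incorrect.
     *
     * Top-level status code.
     */
    public const STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch';

    /**
     * The responding provider was unable to successfully authenticate the principal.
     *
     * Second-level status code.
     */
    public const STATUS_AUTHN_FAILED = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed';

    /**
     * Unexpected or invalid content was encountered within a <saml:Attribute> or <saml:AttributeValue> element.
     *
     * Second-level status code.
     */
    public const STATUS_INVALID_ATTR = 'urn:oasis:names:tc:SAML:2.0:status:InvalidAttrNameOrValue';

    /**
     * The responding provider cannot or will not support the requested name identifier policy.
     *
     * Second-level status code.
     */
    public const STATUS_INVALID_NAMEID_POLICY = 'urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy';

    /**
     * The specified authentication context requirements cannot be met by the responder.
     *
     * Second-level status code.
     */
    public const STATUS_NO_AUTHN_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext';

    /**
     * Used by an intermediary to indicate that none of the supported identity provider <Loc> elements in an
     * <IDPList> can be resolved or that none of the supported identity providers are available.
     *
     * Second-level status code.
     */
    public const STATUS_NO_AVAILABLE_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP';

    /**
     * Indicates the responding provider cannot authenticate the principal passively, as has been requested.
     *
     * Second-level status code.
     */
    public const STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive';

    /**
     * Used by an intermediary to indicate that none of the identity providers in an <IDPList> are
     * supported by the intermediary.
     *
     * Second-level status code.
     */
    public const STATUS_NO_SUPPORTED_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP';

    /**
     * Used by a session authority to indicate to a session participant that it was not able to propagate logout
     * to all other session participants.
     *
     * Second-level status code.
     */
    public const STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout';

    /**
     * Indicates that a responding provider cannot authenticate the principal directly and is not permitted
     * to proxy the request further.
     *
     * Second-level status code.
     */
    public const STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded';

    /**
     * The SAML responder or SAML authority is able to process the request but has chosen not to respond.
     * This status code MAY be used when there is concern about the security context of the request message or
     * the sequence of request messages received from a particular requester.
     *
     * Second-level status code.
     */
    public const STATUS_REQUEST_DENIED = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied';

    /**
     * The SAML responder or SAML authority does not support the request.
     *
     * Second-level status code.
     */
    public const STATUS_REQUEST_UNSUPPORTED = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported';

    /**
     * The SAML responder cannot process any requests with the protocol version specified in the request.
     *
     * Second-level status code.
     */
    public const STATUS_REQUEST_VERSION_DEPRECATED = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated';

    /**
     * The SAML responder cannot process the request because the protocol version specified in the request message
     * is a major upgrade from the highest protocol version supported by the responder.
     *
     * Second-level status code.
     */
    public const STATUS_REQUEST_VERSION_TOO_HIGH = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh';

    /**
     * The SAML responder cannot process the request because the protocol version specified in the request message
     * is too low.
     *
     * Second-level status code.
     */
    public const STATUS_REQUEST_VERSION_TOO_LOW = 'urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow';

    /**
     * The resource value provided in the request message is invalid or unrecognized.
     *
     * Second-level status code.
     */
    public const STATUS_RESOURCE_NOT_RECOGNIZED = 'urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized';

    /**
     * The response message would contain more elements than the SAML responder is able to return.
     *
     * Second-level status code.
     */
    public const STATUS_TOO_MANY_RESPONSES = 'urn:oasis:names:tc:SAML:2.0:status:TooManyResponses';

    /**
     * An entity that has no knowledge of a particular attribute profile has been presented with an attribute
     * drawn from that profile.
     *
     * Second-level status code.
     */
    public const STATUS_UNKNOWN_ATTR_PROFILE = 'urn:oasis:names:tc:SAML:2.0:status:UnknownAttrProfile';

    /**
     * The responding provider does not recognize the principal specified or implied by the request.
     *
     * Second-level status code.
     */
    public const STATUS_UNKNOWN_PRINCIPAL = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal';

    /**
     * The SAML responder cannot properly fulfill the request using the protocol binding specified in the request.
     *
     * Second-level status code.
     */
    public const STATUS_UNSUPPORTED_BINDING = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding';
}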