Knowing the toolkit
The new OneLogin SAML Toolkit contains different folders (certs, lib,
demo-django, demo-flask and tests) and some files.
Let’s start describing them:
src
This folder contains the heart of the toolkit, onelogin/saml2 folder
contains the new version of the classes and methods that are described
in a later section.
demo-django
This folder contains a Django project that will be used as demo to show
how to add SAML support to the Django Framework. ‘demo’ is the main
folder of the django project (with its settings.py, views.py, urls.py),
‘templates’ is the django templates of the project and ‘saml’ is a
folder that contains the ‘certs’ folder that could be used to store the
x509 public and private key, and the saml toolkit settings
(settings.json and advanced_settings.json).
*Notice about certs*
SAML requires a x.509 cert to sign and encrypt elements like NameID,
Message, Assertion, Metadata.
If our environment requires sign or encrypt support, the certs folder
may contain the x509 cert and the private key that the SP will use:
- sp.crt The public cert of the SP
- sp.key The privake key of the SP
Or also we can provide those data in the setting file at the ‘x509cert’
and the privateKey’ json parameters of the ‘sp’ element.
Sometimes we could need a signature on the metadata published by the SP,
in this case we could use the x.509 cert previously mentioned or use a
new x.509 cert: metadata.crt and metadata.key.
If you want to create self-signed certs, you can do it at the
https://www.samltool.com/self_signed_certs.php service, or using the
command:
openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout saml.key
demo-flask
This folder contains a Flask project that will be used as demo to show
how to add SAML support to the Flask Framework. ‘index.py’ is the main
flask file that has all the code, this file uses the templates stored at
the ‘templates’ folder. In the ‘saml’ folder we found the ‘certs’ folder
to store the x509 public and private key, and the saml toolkit settings
(settings.json and advanced_settings.json).
tests
Contains the unit test of the toolkit.
In order to execute the test you only need to load the virtualenv with
the toolkit installed on it and execute:
The previous line will run the tests for the whole toolkit. You can also
run the tests for a specific module. To do so for the auth module you
would have to execute this:
python setup.py test --test-suite tests.src.OneLogin.saml2_tests.auth_test.OneLogin_Saml2_Auth_Test
With the –test-suite parameter you can specify the module to test.
You’ll find all the module available and their class names at
tests/src/OneLogin
This is the settings.json file:
{
// If strict is True, then the Python Toolkit will reject unsigned
// or unencrypted messages if it expects them to be signed or encrypted.
// Also it will reject the messages if the SAML standard is not strictly
// followed. Destination, NameId, Conditions ... are validated too.
"strict": true,
// Enable debug mode (outputs errors).
"debug": true,
// Service Provider Data that we are deploying.
"sp": {
// Identifier of the SP entity (must be a URI)
"entityId": "https://<sp_domain>/metadata/",
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
"assertionConsumerService": {
// URL Location where the <Response> from the IdP will be returned
"url": "https://<sp_domain>/?acs",
// SAML protocol binding to be used when returning the <Response>
// message. OneLogin Toolkit supports this endpoint for the
// HTTP-POST binding only.
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
"singleLogoutService": {
// URL Location where the <Response> from the IdP will be returned
"url": "https://<sp_domain>/?sls",
// SAML protocol binding to be used when returning the <Response>
// message. OneLogin Toolkit supports the HTTP-Redirect binding
// only for this endpoint.
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
// Specifies the constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on src/onelogin/saml2/constants.py to see the NameIdFormat that are supported.
"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified",
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => '',
'privateKey' > ''
},
// Identity Provider Data that we want connected with our SP.
"idp": {
// Identifier of the IdP entity (must be a URI)
"entityId": "https://app.onelogin.com/saml/metadata/<onelogin_connector_id>",
// SSO endpoint info of the IdP. (Authentication Request protocol)
"singleSignOnService": {
// URL Target of the IdP where the Authentication Request Message
// will be sent.
"url": "https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>",
// SAML protocol binding to be used when returning the <Response>
// message. OneLogin Toolkit supports the HTTP-Redirect binding
// only for this endpoint.
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
// SLO endpoint info of the IdP.
"singleLogoutService": {
// URL Location of the IdP where SLO Request will be sent.
"url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>",
// SAML protocol binding to be used when returning the <Response>
// message. OneLogin Toolkit supports the HTTP-Redirect binding
// only for this endpoint.
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
// Public x509 certificate of the IdP
"x509cert": "<onelogin_connector_cert>"
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
// "certFingerprint": ""
}
}
In addition to the required settings data (idp, sp), there is extra information that could be defined at advanced_settings.json
{
// Security settings
"security": {
/** signatures and encryptions offered **/
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
"nameIdEncrypted": false,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [Metadata of the SP will offer this info]
"authnRequestsSigned": false,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
"logoutRequestSigned": false,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
"logoutResponseSigned": false,
/* Sign the Metadata
false || true (use sp certs) || {
"keyFileName": "metadata.key",
"certFileName": "metadata.crt"
}
*/
"signMetadata": false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest>
// and <samlp:LogoutResponse> elements received by this SP to be signed.
"wantMessagesSigned": false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [Metadata of the SP will offer this info]
"wantAssertionsSigned": false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
"wantNameIdEncrypted": false
},
// Contact information template, it is recommended to suply a
// technical and support contacts.
"contactPerson": {
"technical": {
"givenName": "technical_name",
"emailAddress": "technical@example.com"
},
"support": {
"givenName": "support_name",
"emailAddress": "support@example.com"
}
},
// Organization information template, the info in en_US lang is
// recomended, add more if required.
"organization": {
"en-US": {
"name": "sp_test",
"displayname": "SP test",
"url": "http://sp.example.com"
}
}
}
In the security section, you can set the way that the SP will handle the
messages and assertions. Contact the admin of the IdP and ask him what
the IdP expects, and decide what validations will handle the SP and what
requirements the SP will have and communicate them to the IdP’s admin
too.
Once we know what kind of data could be configured, let’s talk about the
way settings are handled within the toolkit.
The settings files described (settings.json and advanced_settings.json)
are loaded by the toolkit if not other dict with settings info is
provided in the constructors of the toolkit. Let’s see some examples.
# Initializes toolkit with settings.json & advanced_settings.json files.
auth = OneLogin_Saml2_Auth(req)
# or
settings = OneLogin_Saml2_Settings()
# Initializes toolkit with settings.json & advanced_settings.json files from a custom base path.
custom_folder = '/var/www/django-project'
auth = OneLogin_Saml2_Auth(req, custom_base_path=custom_folder)
# or
settings = OneLogin_Saml2_Settings(custom_base_path=custom_folder)
# Initializes toolkit with the dict provided.
auth = OneLogin_Saml2_Auth(req, settings_data)
# or
settings = OneLogin_Saml2_Settings(settings_data)
You can declare the settings_data in the file that constains the
constructor execution or locate them in any file and load the file in
order to get the dict available as we see in the following example:
filename = "/var/www/django-project/custom_settings.json" # The custom_settings.json contains a
json_data_file = open(filename, 'r') # settings_data dict.
settings_data = json.load(json_data_file)
json_data_file.close()
auth = OneLogin_Saml2_Auth(req, settings_data)
How load the library
In order to use the toolkit library you need to import the file that
contains the class that you will need on the top of your python file.
from onelogin.saml2.auth import OneLogin_Saml2_Auth
from onelogin.saml2.settings import OneLogin_Saml2_Settings
from onelogin.saml2.utils import OneLogin_Saml2_Utils
The Request
Building an OneLogin_Saml2_Auth object requires a ‘request’ parameter.
auth = OneLogin_Saml2_Auth(req)
This parameter has the following scheme:
req = {
"http_host": "",
"script_name": "",
"server_port": "",
"get_data": "",
"post_data": ""
}
Each python framework built its own request object, you may map its data
to match what the saml toolkit expects. Let`s see some examples:
def prepare_from_django_request(request):
return {
'http_host': request.META['HTTP_HOST'],
'script_name': request.META['PATH_INFO'],
'server_port': request.META['SERVER_PORT'],
'get_data': request.GET.copy(),
'post_data': request.POST.copy()
}
def prepare_from_flask_request(request):
url_data = urlparse(request.url)
return {
'http_host': request.host,
'server_port': url_data.port,
'script_name': request.path,
'get_data': request.args.copy(),
'post_data': request.form.copy()
}
Initiate SSO
In order to send an AuthNRequest to the IdP:
from onelogin.saml2.auth import OneLogin_Saml2_Auth
req = prepare_request_for_toolkit(request)
auth = OneLogin_Saml2_Auth(req) # Constructor of the SP, loads settings.json
# and advanced_settings.json
auth.login() # Method that builds and sends the AuthNRequest
The AuthNRequest will be sent signed or unsigned based on the security
info of the advanced_settings.json (‘authnRequestsSigned’).
The IdP will return the SAML Response to the Attribute Consumer Service
of the SP.
We can set a ‘return_to’ url parameter to the login function and that
will be converted as a ‘RelayState’ parameter:
target_url = 'https://example.com'
auth.login(return_to=target_url)
The SP Endpoints
Related to the SP there are 3 important endpoints: The metadata view,
the ACS view and the SLS view. The toolkit provides examples of those
views in the demos, but lets see an example.
*SP Metadata*
This code will provide the XML metadata file of our SP, based on the
info that we provided in the settings files.
req = prepare_request_for_toolkit(request)
auth = OneLogin_Saml2_Auth(req)
saml_settings = auth.get_settings()
metadata = saml_settings.get_sp_metadata()
errors = saml_settings.validate_metadata(metadata)
if len(errors) == 0:
print metadata
else:
print "Error found on Metadata: %s" % (', '.join(errors))
The get_sp_metadata will return the metadata signed or not based on
the security info of the advanced_settings.json (‘signMetadata’).
Before the XML metadata is exposed, a check takes place to ensure that
the info to be provided is valid.
*Attribute Consumer Service(ACS)*
This code handles the SAML response that the IdP returns to the SP.
req = prepare_request_for_toolkit(request)
auth = OneLogin_Saml2_Auth(req)
auth.process_response()
errors = auth.get_errors()
if not errors:
if not auth.is_authenticated():
request.session['samlUserdata'] = auth.get_attributes()
if 'RelayState' in req['post_data'] and
OneLogin_Saml2_Utils.get_self_url(req) != req['post_data']['RelayState']:
auth.redirect_to(req['post_data']['RelayState'])
else:
for attr_name in request.session['samlUserdata'].keys():
print '%s ==> %s' % (attr_name, '|| '.join(request.session['samlUserdata'][attr_name]))
else:
print 'Not authenticated'
else:
print "Error when processing SAML Response: %s" % (', '.join(errors))
The SAML response is processed and then checked that there are no
errors. It also verifies that the user is authenticated and stored the
userdata in session.
At that point there are 2 possible alternatives:
- If no RelayState is provided, we could show the user data in this
view or however we wanted.
- If RelayState is provided, a rediretion take place.
Notice that we saved the user data in the session before the redirection
to have the user data available at the RelayState view.
In order to retrieve attributes we use:
attributes = auth.get_attributes();
With this method we get a dict with all the user data provided by the
IdP in the Assertion of the SAML Response.
If we execute print attributes we could get:
{
"cn": ["Jhon"],
"sn": ["Doe"],
"mail": ["Doe"],
"groups": ["users", "members"]
}
Each attribute name can be used as a key to obtain the value. Every
attribute is a list of values. A single-valued attribute is a listy of a
single element.
The following code is equivalent:
attributes = auth.get_attributes();
print attributes['cn']
print auth.get_attribute('cn')
Before trying to get an attribute, check that the user is authenticated.
If the user isn’t authenticated, an empty dict will be returned. For
example, if we call to get_attributes before a auth.process_response,
the get_attributes() will return an empty dict.
*Single Logout Service (SLS)*
This code handles the Logout Request and the Logout Responses.
delete_session_callback = lambda: request.session.flush()
url = auth.process_slo(delete_session_cb=delete_session_callback)
errors = auth.get_errors()
if len(errors) == 0:
if url is not None:
return redirect(url)
else:
print "Sucessfully Logged out"
else:
print "Error when processing SLO: %s" % (', '.join(errors))
If the SLS endpoints receives a Logout Response, the response is
validated and the session could be closed, using the callback.
# Part of the process_slo method
logout_response = OneLogin_Saml2_Logout_Response(self.__settings, self.__request_data['get_data']['SAMLResponse'])
if not logout_response.is_valid(self.__request_data, request_id):
self.__errors.append('invalid_logout_response')
elif logout_response.get_status() != OneLogin_Saml2_Constants.STATUS_SUCCESS:
self.__errors.append('logout_not_success')
elif not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
If the SLS endpoints receives an Logout Request, the request is
validated, the session is closed and a Logout Response is sent to the
SLS endpoint of the idP.
# Part of the process_slo method
request = OneLogin_Saml2_Utils.decode_base64_and_inflate(self.__request_data['get_data']['SAMLRequest'])
if not OneLogin_Saml2_Logout_Request.is_valid(self.__settings, request, self.__request_data):
self.__errors.append('invalid_logout_request')
else:
if not keep_local_session:
OneLogin_Saml2_Utils.delete_local_session(delete_session_cb)
in_response_to = OneLogin_Saml2_Logout_Request.get_id(request)
response_builder = OneLogin_Saml2_Logout_Response(self.__settings)
response_builder.build(in_response_to)
logout_response = response_builder.get_response()
parameters = {'SAMLResponse': logout_response}
if 'RelayState' in self.__request_data['get_data']:
parameters['RelayState'] = self.__request_data['get_data']['RelayState']
security = self.__settings.get_security_data()
if 'logoutResponseSigned' in security and security['logoutResponseSigned']:
parameters['SigAlg'] = OneLogin_Saml2_Constants.RSA_SHA1
parameters['Signature'] = self.build_response_signature(logout_response, parameters.get('RelayState', None))
return self.redirect_to(self.get_slo_url(), parameters)
If we don’t want that process_slo to destroy the session, pass a true
parameter to the process_slo method
keepLocalSession = true
auth.process_slo(keep_local_session=keepLocalSession);
Initiate SLO
In order to send a Logout Request to the IdP:
The Logout Request will be sent signed or unsigned based on the security
info of the advanced_settings.json (‘logoutRequestSigned’).
The IdP will return the Logout Response to the Single Logout Service of
the SP.
We can set a ‘return_to’ url parameter to the logout function and that
will be converted as a ‘RelayState’ parameter:
target_url = 'https://example.com'
auth.logout(return_to=target_url)
Example of a view that initiates the SSO request and handles the response (is the acs target)
We can code a unique file that initiates the SSO process, handle the
response, get the attributes, initiate the slo and processes the logout
response.
Note: Review the demos, in a later section we explain the demo use case
further in detail.
req = prepare_request_for_toolkit(request) # Process the request and build the request dict that
# the toolkit expects
auth = OneLogin_Saml2_Auth(req) # Initialize the SP SAML instance
if 'sso' in request.args: # SSO action (SP-SSO initited). Will send an AuthNRequest to the IdP
return redirect(auth.login())
elif 'sso2' in request.args: # Another SSO init action
return_to = '%sattrs/' % request.host_url # but set a custom RelayState URL
return redirect(auth.login(return_to))
elif 'slo' in request.args: # SLO action. Will sent a Logout Request to IdP
return redirect(auth.logout())
elif 'acs' in request.args: # Assertion Consumer Service
auth.process_response() # Process the Response of the IdP
errors = auth.get_errors() # This method receives an array with the errors
if len(errors) == 0: # that could took place during the process
if not auth.is_authenticated(): # This check if the response was ok and the user
msg = "Not authenticated" # data retrieved or not (user authenticated)
else:
request.session['samlUserdata'] = auth.get_attributes() # Retrieves user data
self_url = OneLogin_Saml2_Utils.get_self_url(req)
if 'RelayState' in request.form and self_url != request.form['RelayState']:
return redirect(auth.redirect_to(request.form['RelayState'])) # Redirect if there is a relayState
else: # If there is user data we save that to print it later.
msg = ''
for attr_name in request.session['samlUserdata'].keys():
msg += '%s ==> %s' % (attr_name, '|| '.join(request.session['samlUserdata'][attr_name]))
elif 'sls' in request.args: # Single Logout Service
delete_session_callback = lambda: session.clear() # Obtain session clear callback
url = auth.process_slo(delete_session_cb=delete_session_callback) # Process the Logout Request & Logout Response
errors = auth.get_errors() # Retrieves possible validation errors
if len(errors) == 0:
if url is not None:
return redirect(url)
else:
msg = "Sucessfully logged out"
if len(errors) == 0:
print msg
else:
print ', '.join(errors)
Main classes and methods
Described below are the main classes and methods that can be invoked
from the SAML2 library.
OneLogin_Saml2_Auth - auth.py
Main class of OneLogin Python Toolkit
- __init__ Initializes the SP SAML instance.
- *login* Initiates the SSO process.
- *logout* Initiates the SLO process.
- *process_response* Process the SAML Response sent by the IdP.
- *process_slo* Process the SAML Logout Response / Logout Request
sent by the IdP.
- *redirect_to* Redirects the user to the url past by parameter or
to the url that we defined in our SSO Request.
- *is_authenticated* Checks if the user is authenticated or not.
- *get_attributes* Returns the set of SAML attributes.
- *get_attribute* Returns the requested SAML attribute.
- *get_nameid* Returns the nameID.
- *get_session_index* Gets the SessionIndex from the
AuthnStatement.
- *get_errors* Returns a list with code errors if something went
wrong.
- *get_sso_url* Gets the SSO url.
- *get_slo_url* Gets the SLO url.
- *build_request_signature* Builds the Signature of the SAML
Request.
- *build_response_signature* Builds the Signature of the SAML
Response.
- *get_settings* Returns the settings info.
- *set_strict* Set the strict mode active/disable.
OneLogin_Saml2_Auth - authn_request.py
SAML 2 Authentication Request class
- __init__ This class handles an AuthNRequest. It builds an
AuthNRequest object.
- *get_request* Returns unsigned AuthnRequest.
- *get_id* Returns the AuthNRequest ID.
OneLogin_Saml2_Response - response.py
SAML 2 Authentication Response class
- __init__ Constructs the SAML Response object.
- *is_valid* Determines if the SAML Response is valid. Includes
checking of the signature by a certificate.
- *check_status* Check if the status of the response is success or
not
- *get_audiences* Gets the audiences
- *get_issuers* Gets the issuers (from message and from assertion)
- *get_nameid_data* Gets the NameID Data provided by the SAML
Response from the IdP (returns a dict)
- *get_nameid* Gets the NameID provided by the SAML Response from
the IdP (returns a string)
- *get_session_not_on_or_after* Gets the SessionNotOnOrAfter
from the AuthnStatement
- *get_session_index* Gets the SessionIndex from the
AuthnStatement
- *get_attributes* Gets the Attributes from the AttributeStatement
element.
- *validate_num_assertions* Verifies that the document only
contains a single Assertion (encrypted or not)
- *validate_timestamps* Verifies that the document is valid
according to Conditions Element
- *get_error* After execute a validation process, if fails this
method returns the cause
OneLogin_Saml2_LogoutRequest
SAML 2 Logout Request class
- __init__ Constructs the Logout Request object.
- *get_request* Returns the Logout Request defated, base64encoded.
- *get_id* Returns the ID of the Logout Request.
- *get_nameid_data* Gets the NameID Data of the the Logout
Request (returns a dict).
- *get_nameid* Gets the NameID of the Logout Request Message
(returns a string).
- *get_issuer* Gets the Issuer of the Logout Request Message.
- *get_session_indexes* Gets the SessionIndexes from the Logout
Request.
- *is_valid* Checks if the Logout Request recieved is valid.
- *get_error* After execute a validation process, if fails this
method returns the cause.
OneLogin_Saml2_LogoutResponse
SAML 2 Logout Response class
- __init__ Constructs a Logout Response object.
- *get_issuer* Gets the Issuer of the Logout Response Message
- *get_status* Gets the Status of the Logout Response.
- *is_valid* Determines if the SAML LogoutResponse is valid
- *build* Creates a Logout Response object.
- *get_response* Returns a Logout Response object.
- *get_error* After execute a validation process, if fails this
method returns the cause.
OneLogin_Saml2_Settings
Configuration of the OneLogin Python Toolkit
- __init__ Initializes the settings: Sets the paths of the
different folders and Loads settings info from settings file or
array/object provided.
- *check_settings* Checks the settings info.
- *get_errors* Returns an array with the errors, the array is
empty when the settings is ok.
- *get_sp_metadata* Gets the SP metadata. The XML representation.
- *validate_metadata* Validates an XML SP Metadata.
- *get_base_path* Returns base path.
- *get_cert_path* Returns cert path.
- *get_lib_path* Returns lib path.
- *get_ext_lib_path* Returns external lib path.
- *get_schemas_path* Returns schema path.
- *check_sp_certs* Checks if the x509 certs of the SP exists and
are valid.
- *get_sp_key* Returns the x509 private key of the SP.
- *get_sp_cert* Returns the x509 public cert of the SP.
- *get_idp_cert* Returns the x509 public cert of the IdP.
- *get_sp_data* Gets the SP data.
- *get_idp_data* Gets the IdP data.
- *get_security_data* Gets security data.
- *get_contacts* Gets contacts data.
- *get_organization* Gets organization data.
- *format_idp_cert* Formats the IdP cert.
- *format_sp_cert* Formats the SP cert.
- *format_sp_key* Formats the private key.
- *set_strict* Activates or deactivates the strict mode.
- *is_strict* Returns if the ‘strict’ mode is active.
- *is_debug_active* Returns if the debug is active.
OneLogin_Saml2_Utils
Auxiliary class that contains several methods
- *decode_base64_and_inflate* Base64 decodes and then inflates
according to RFC1951.
- *deflate_and_base64_encode* Deflates and the base64 encodes a
string.
- *validate_xml* Validates a xml against a schema.
- *format_cert* Returns a x509 cert (adding header & footer if
required).
- *format_private_key* Returns a private key (adding header &
footer if required).
- *redirect* Executes a redirection to the provided url (or return
the target url).
- *get_self_url_host* Returns the protocol + the current host +
the port (if different than common ports).
- *get_self_host* Returns the current host.
- *is_https* Checks if https or http.
- *get_self_url_no_query* Returns the URL of the current host +
current view.
- *get_self_routed_url_no_query* Returns the routed URL of the
current host + current view.
- *get_self_url* Returns the URL of the current host + current
view + query.
- *generate_unique_id* Generates an unique string (used for
example as ID for assertions).
- *parse_time_to_SAML* Converts a UNIX timestamp to SAML2
timestamp on the form yyyy-mm-ddThh:mm:ss(.s+)?Z.
- *parse_SAML_to_time* Converts a SAML2 timestamp on the form
yyyy-mm-ddThh:mm:ss(.s+)?Z to a UNIX timestamp.
- *now* Returns unix timestamp of actual time.
- *parse_duration* Interprets a ISO8601 duration value relative to
a given timestamp.
- *get_expire_time* Compares 2 dates and returns the earliest.
- *query* Extracts nodes that match the query from the Element.
- *delete_local_session* Deletes the local session.
- *calculate_x509_fingerprint* Calculates the fingerprint of a
x509cert.
- *format_finger_print* Formates a fingerprint.
- *generate_name_id* Generates a nameID.
- *get_status* Gets Status from a Response.
- *decrypt_element* Decrypts an encrypted element.
- *write_temp_file* Writes some content into a temporary file and
returns it.
- *add_sign* Adds signature key and senders certificate to an
element (Message or Assertion).
- *validate_sign* Validates a signature (Message or Assertion).
- *validate_binary_sign* Validates signed bynary data (Used to
validate GET Signature).
For more info, look at the source code; each method is documented and
details about what does and how to use it are provided. Make sure to
also check the doc folder where HTML documentation about the classes and
methods is provided.