init() public static method

TODO: remove.
See also: setConfigDir()
Deprecation: This function is superseded by the setConfigDir function.
public static init ( string $path, string $instancename = 'simplesaml', string $configfilename = 'config.php' )
$path string
$instancename string
$configfilename string
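 /**
  * Default Constructor
  *
  * Instantiate an instance of the SimpleSAML_Auth_Simple class
  * and call requireAuth() to validate a user.
  *
  * @param array $options Options for the constructor. Expected keys:
  *                       'ssphp_lib'    - path to the simpleSAMLphp installation
  *                                        (its lib/_autoload.php is required)
  *                       'ssphp_config' - path to the simpleSAMLphp config directory
  *                       'ssphp_sp'     - name of the authentication source to use
  *
  * @throws InvalidArgumentException when 'ssphp_lib' or 'ssphp_config' is missing
  */
 function __construct($options = array())
 {
     // The library and config paths are mandatory: reading them from the
     // default empty $options raised an undefined-index notice and then
     // failed inside require_once, so fail early with a clear message instead.
     foreach (array("ssphp_lib", "ssphp_config") as $required) {
         if (!array_key_exists($required, $options)) {
             throw new InvalidArgumentException("Missing required option '" . $required . "'");
         }
     }
     // Auto load libraries and obtain simple SAML SP configuration data.
     // NOTE(review): 'ssphp_lib' is passed to require_once, so it must come from
     // trusted configuration rather than request input — confirm at the caller.
     $this->samlLib = $options["ssphp_lib"];
     $this->samlConfig = $options["ssphp_config"];
     require_once $this->samlLib . '/lib/_autoload.php';
     SimpleSAML_Configuration::init($this->samlConfig);
     // You can specifically override the default authentication source.
     // The count($options) > 0 guard is no longer needed: the required-key
     // check above already rejects an empty options array.
     if (array_key_exists("ssphp_sp", $options)) {
         $this->ssphpSP = $options["ssphp_sp"];
     } else {
         // Logged only (not thrown) to keep the original best-effort behaviour;
         // $this->ssphpSP then keeps whatever value the class declared for it.
         Log::Error("Could not connect to SAML service provider." . "  Please check your SAML configuration settings");
     }
     $this->authSimple = new SimpleSAML_Auth_Simple($this->ssphpSP);
     // requireAuth() redirects user to SSO login page
     // where user needs to enter SSO username and password.
     // If user is not validated, then this function does not return
     $this->authSimple->requireAuth();
 }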
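require_once get_config('libroot') . 'institution.php';
// check that the plugin is active
if (get_field('auth_installed', 'active', 'name', 'saml') != 1) {
    redirect();
}
// get the config pointing to the SAML library - and load it
$samllib = get_config_plugin('auth', 'saml', 'simplesamlphplib');
if (!file_exists($samllib . '/lib/_autoload.php')) {
    throw new AuthInstanceException(get_string('errorbadssphplib', 'auth.saml'));
}
require_once $samllib . '/lib/_autoload.php';
// point at the configured config directory
$samlconfig = get_config_plugin('auth', 'saml', 'simplesamlphpconfig');
// get all the things that we will need from the SAML authentication
// and then shutdown the session control
SimpleSAML_Configuration::init($samlconfig);
$saml_session = SimpleSAML_Session::getInstance();
// do we have a logout request?
if (param_variable("logout", false)) {
    // logout the saml session; fall back to the default SP when the
    // session does not record which authority authenticated it
    $sp = $saml_session->getAuthority();
    if (!$sp) {
        $sp = 'default-sp';
    }
    $as = new SimpleSAML_Auth_Simple($sp);
    $as->logout($CFG->wwwroot);
}
// the 'as' parameter selects the authentication source. It is request input,
// so only a name that is actually configured is accepted (strict comparison,
// so no loose string/number coercion); anything else falls back to the default
$sp = param_alphanumext('as', 'default-sp');
if (!in_array($sp, SimpleSAML_Auth_Source::getSources(), true)) {
    $sp = 'default-sp';
}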
// Page handlers; $THISPATH is expected to be the application root with a
// trailing slash (it is concatenated directly with the relative paths below).
require_once $THISPATH . 'lib/Pages/PageProfile.php';
require_once $THISPATH . 'lib/Pages/PageAttributes.php';
require_once $THISPATH . 'lib/Pages/PageUser.php';
require_once $THISPATH . 'lib/Pages/PageSupport.php';
require_once $THISPATH . 'lib/Pages/PageStats.php';
require_once $THISPATH . 'lib/Pages/FixDate.php';
require_once $THISPATH . 'lib/Pages/Login.php';
require_once $THISPATH . 'lib/Pages/PageWidget.php';
require_once $THISPATH . 'lib/Pages/EmbedFoodle.php';
require_once $THISPATH . 'lib/Pages/RSSFoodle.php';
require_once $THISPATH . 'lib/Pages/CSVFoodle.php';
require_once $THISPATH . 'lib/Pages/PageCreate.php';
require_once $THISPATH . 'lib/Pages/PageEdit.php';
// Loading icalendar scripts..
require_once $THISPATH . 'lib/cal/Calendar.class.php';
require_once $THISPATH . 'lib/cal/CalendarAggregator.class.php';
require_once $THISPATH . 'lib/cal/Event.class.php';
require_once $THISPATH . 'lib/cal/functions/class.Parser.php';
require_once $THISPATH . 'lib/cal/functions/class.iCalObj.php';
require_once $THISPATH . 'lib/cal/functions/class.Vcalendar.php';
require_once $THISPATH . 'lib/cal/functions/class.Vtimezone.php';
require_once $THISPATH . 'lib/cal/functions/class.Vevent.php';
require_once $THISPATH . 'lib/cal/functions/class.Vfreebusy.php';
require_once $THISPATH . 'lib/cal/functions/class.Daylight.php';
require_once $THISPATH . 'lib/cal/functions/class.Standard.php';
/**
 * Initialising configuration.
 *
 * Two simpleSAMLphp configuration instances are registered: the application's
 * own config directory (../config relative to this file) under the instance
 * name 'foodle', and $SIMPLESAMLPATH/config under the default instance name.
 * Both must be registered before session_start(), which is called after the
 * simpleSAMLphp classes are loaded.
 */
SimpleSAML_Configuration::init(dirname(dirname(__FILE__)) . '/config', 'foodle');
SimpleSAML_Configuration::init($SIMPLESAMLPATH . 'config');
session_start();
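/**
 * Accept a SAML AuthnRequest and send back a SAML 2.0 AuthnResponse.
 * NOTE: that this function is Google Specific
 *
 * The request is expected in the form it arrives with the HTTP-Redirect
 * binding: base64 encoded, deflated XML. It is decoded, schema-validated
 * ('saml20') and answered over the HTTP-POST binding with a single
 * 'useridemail' attribute built from the Moodle username and the configured
 * auth/gsaml domainname.
 *
 * @param string $samldata the raw (base64 encoded, deflated) SAMLRequest value
 * @return bool false when no SAML session, Moodle user or domain is available,
 *              or when building/sending the response throws; on success the
 *              response is sent and the script terminates (die), so the
 *              function does not return
 * @throws Exception when the request cannot be base64 decoded or inflated
 */
function gsaml_send_auth_response($samldata)
{
    global $CFG, $SESSION, $USER;
    SimpleSAML_Configuration::init($CFG->dirroot . '/auth/gsaml/config');
    $config = SimpleSAML_Configuration::getInstance();
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $session = SimpleSAML_Session::getInstance();
    // Check the session before it is used for error tracking below; previously
    // this check sat after several $session-> calls and could never take effect.
    if ($session === null) {
        debugging('No SAML Session gsaml_send_auth_response', DEBUG_DEVELOPER);
        return false;
        // if this func returns we Know it's an error
    }
    try {
        $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
        $idmetaindex = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted', 'metaindex');
        $idpmetadata = $metadata->getMetaDataCurrent('saml20-idp-hosted');
        if (!array_key_exists('auth', $idpmetadata)) {
            throw new Exception('Missing mandatory parameter in SAML 2.0 IdP Hosted Metadata: [auth]');
        }
    } catch (Exception $exception) {
        SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
    }
    ///	SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
    if (!$config->getValue('enable.saml20-idp', false)) {
        SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS');
    }
    $rawRequest = $samldata;
    // The RelayState was stashed in the Moodle session by an earlier step and is
    // echoed back to the SP unchanged with the response.
    if (!empty($SESSION->samlrelaystate)) {
        $relaystate = $SESSION->samlrelaystate;
    } else {
        $relaystate = NULL;
    }
    // Strict decoding rejects bytes outside the base64 alphabet instead of
    // silently dropping them; a well-formed SAMLRequest never needs lenient mode.
    $decodedRequest = base64_decode($rawRequest, true);
    if ($decodedRequest === false || $decodedRequest === '') {
        throw new Exception('Could not base64 decode SAMLRequest GET parameter');
    }
    // gzinflate() reports failure through a warning as well as its return value;
    // the warning is suppressed here only so its text can be captured below.
    $samlRequestXML = @gzinflate($decodedRequest);
    if ($samlRequestXML === false || $samlRequestXML === '') {
        $error = error_get_last();
        $reason = ($error !== null && isset($error['message'])) ? $error['message'] : 'unknown error';
        throw new Exception('Could not gzinflate base64 decoded SAMLRequest: ' . $reason);
    }
    // Schema validation happens before the XML is handed to the request parser.
    SimpleSAML_Utilities::validateXMLDocument($samlRequestXML, 'saml20');
    $samlRequest = new SimpleSAML_XML_SAML20_AuthnRequest($config, $metadata);
    $samlRequest->setXML($samlRequestXML);
    if ($relaystate !== null) {
        $samlRequest->setRelayState($relaystate);
    }
    // $samlRequest presenting the request object
    $authnrequest = $samlRequest;
    if (!empty($USER->id)) {
        // TODO: if moodle user is not the same as google user
        //       use the mapping
        $username = $USER->username;
    } else {
        debugging('No User given to gsaml_send_auth_response', DEBUG_DEVELOPER);
        return false;
    }
    //TODO: better errors
    if (!($domain = get_config('auth/gsaml', 'domainname'))) {
        debugging('No domain set in gsaml_send_auth_response', DEBUG_DEVELOPER);
        return false;
        // if this func returns we Know it's an error
    }
    // The only attribute released to the SP is the user's email at the
    // configured domain (attribute values are lists in SimpleSAMLphp).
    $attributes = array();
    $attributes['useridemail'] = array($username . '@' . $domain);
    $session->doLogin('login');
    // was login
    $session->setAttributes($attributes);
    $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
    $requestcache = array('RequestID' => $authnrequest->getRequestID(), 'Issuer' => $authnrequest->getIssuer(), 'ConsentCookie' => SimpleSAML_Utilities::generateID(), 'RelayState' => $authnrequest->getRelayState());
    try {
        $spentityid = $requestcache['Issuer'];
        $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote');
        $sp_name = isset($spmetadata['name']) ? $spmetadata['name'] : $spentityid;
        // TODO: Are we really tracking SP's???
        //
        // Adding this service provider to the list of sessions.
        // Right now the list is used for SAML 2.0 only.
        $session->add_sp_session($spentityid);
        ///		SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Sending back AuthnResponse to ' . $spentityid);
        // TODO: handle passive situation
        // $isPassive is never assigned in this function, so this branch is
        // currently unreachable; it is kept as the skeleton for IsPassive support.
        if (isset($isPassive)) {
            /* Generate an SAML 2.0 AuthNResponse message
             * with statusCode: urn:oasis:names:tc:SAML:2.0:status:NoPassive
             */
            $ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
            $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestcache['RequestID'], null, array(), 'NoPassive');
            // Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
            $httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
            $httppost->sendResponse($authnResponseXML, $idpentityid, $spentityid, $requestcache['RelayState']);
            exit;
        }
        /*
         * Attribute handling: run the configured IdP/SP attribute filters over
         * the session attributes before they are placed in the assertion.
         */
        $attributes = $session->getAttributes();
        $afilter = new SimpleSAML_XML_AttributeFilter($config, $attributes);
        $afilter->process($idpmetadata, $spmetadata);
        // KEEP this code for REFERENCE
        //		/**
        //		 * Make a log entry in the statistics for this SSO login.
        //		 */
        //		$tempattr = $afilter->getAttributes();
        //		$realmattr = $config->getValue('statistics.realmattr', null);
        //		$realmstr = 'NA';
        //		if (!empty($realmattr)) {
        //			//error_log('SSO 420: if (!empty($realmattr)) {\n ',0);
        //			if (array_key_exists($realmattr, $tempattr) && is_array($tempattr[$realmattr]) ) {
        //				$realmstr = $tempattr[$realmattr][0];
        //			} else {
        //				SimpleSAML_Logger::warning('Could not get realm attribute to log [' . $realmattr. ']');
        //			}
        //		}
        //		SimpleSAML_Logger::stats('saml20-idp-SSO ' . $spentityid . ' ' . $idpentityid . ' ' . $realmstr);
        //
        //
        $afilter->processFilter($idpmetadata, $spmetadata);
        $filteredattributes = $afilter->getAttributes();
        //
        //		KEEP THIS CODE FOR REFERENCE
        //		/*
        //		 * Dealing with attribute release consent.
        //		 */
        //		$requireconsent = false;
        //		if (isset($idpmetadata['requireconsent'])) {
        //			//error_log('SSO 453: if (isset($idpmetadata[\'requireconsent\']))\n ',0);
        //			if (is_bool($idpmetadata['requireconsent'])) {
        //				$requireconsent = $idpmetadata['requireconsent'];
        //			} else {
        //				throw new Exception('SAML 2.0 IdP hosted metadata parameter [requireconsent] is in illegal format, must be a PHP boolean type.');
        //			}
        //		}
        //		if ($requireconsent) {
        //
        //			$consent = new SimpleSAML_Consent_Consent($config, $session, $spentityid, $idpentityid, $attributes, $filteredattributes, $requestcache['ConsentCookie']);
        //
        //			if (!$consent->consent()) {
        //				/* Save the request information. */
        //				$authId = SimpleSAML_Utilities::generateID();
        //				$session->setAuthnRequest('saml2', $authId, $requestcache);
        //
        //				$t = new SimpleSAML_XHTML_Template($config, 'consent.php', 'attributes.php');
        //				$t->data['header'] = 'Consent';
        //				$t->data['sp_name'] = $sp_name;
        //				$t->data['attributes'] = $filteredattributes;
        //				$t->data['consenturl'] = SimpleSAML_Utilities::selfURLNoQuery();//$selfURLNoQuery; //SimpleSAML_Utilities::selfURLNoQuery(); DEBUG
        //				$t->data['requestid'] = $authId;
        //				$t->data['consent_cookie'] = $requestcache['ConsentCookie'];
        //				$t->data['usestorage'] = $consent->useStorage();
        //				$t->data['noconsent'] = '/' . $config->getBaseURL() . 'noconsent.php';
        //				$t->show();
        //				exit;
        //			}
        //
        //		}
        //		// END ATTRIBUTE CONSENT CODE
        // Generate the SAML 2.0 AuthNResponse message
        $ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
        $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestcache['RequestID'], null, $filteredattributes);
        // The stored RelayState has now been consumed into $requestcache; drop it
        // from the Moodle session so a later request does not reuse it by accident.
        unset($SESSION->samlrelaystate);
        // Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
        $httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
        $httppost->sendResponse($authnResponseXML, $idmetaindex, $spentityid, $requestcache['RelayState']);
        die;
        // VERY IMPORTANT BUG FIX to stop outputing the rest of the page.
    } catch (Exception $exception) {
        // TODO: better error reporting
        // print_r() dumps the whole exception, including its trace; this is only
        // emitted when DEBUG_DEVELOPER is enabled.
        debugging('<pre>' . print_r($exception, true) . '</pre>', DEBUG_DEVELOPER);
        return false;
    }
}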