Build an authentication request based on information in the metadata.
public static buildAuthnRequest ( SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata ) | ||
$spMetadata | SimpleSAML_Configuration | The metadata of the service provider. |
$idpMetadata | SimpleSAML_Configuration | The metadata of the identity provider. |
SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::addURLparameter($discourl, array('return' => SimpleSAML_Utilities::selfURL(), 'remember' => 'true', 'entityID' => $spentityid, 'returnIDParam' => 'idpentityid')), 'returnIDParam' => 'idpentityid', 'isPassive' => 'true')); } $discoparameters = array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid'); $discoparameters['isPassive'] = $isPassive; if (sizeof($reachableIDPs) > 0) { $discoparameters['IDPList'] = $reachableIDPs; } SimpleSAML_Utilities::redirectTrustedURL($discourl, $discoparameters); } /* * Create and send authentication request to the IdP. */ try { $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-hosted'); $idpMetadata = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-remote'); $ar = sspmod_saml_Message::buildAuthnRequest($spMetadata, $idpMetadata); $assertionConsumerServiceURL = $metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted'); $ar->setAssertionConsumerServiceURL($assertionConsumerServiceURL); $ar->setRelayState($returnTo); if ($isPassive) { $ar->setIsPassive(TRUE); } if ($forceAuthn) { $ar->setForceAuthn(TRUE); } if (array_key_exists('IDPList', $spmetadata)) { $IDPList = array_unique(array_merge($IDPList, $spmetadata['IDPList'])); } if (isset($_GET['IDPList']) && !empty($_GET['IDPList'])) { $providers = $_GET['IDPList']; if (!is_array($providers)) {
/** * Send a SAML2 SSO request to an IdP. * * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. * @param array $state The state array for the current authentication. */ private function startSSO2(SimpleSAML_Configuration $idpMetadata, array $state) { if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) { SimpleSAML_Auth_State::throwException($state, new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)); } $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata); $ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId)); if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) { $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']); } if (isset($state['saml:AuthnContextClassRef'])) { $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']); $comp = SAML2\Constants::COMPARISON_EXACT; if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(SAML2\Constants::COMPARISON_EXACT, SAML2\Constants::COMPARISON_MINIMUM, SAML2\Constants::COMPARISON_MAXIMUM, SAML2\Constants::COMPARISON_BETTER))) { $comp = $state['saml:AuthnContextComparison']; } $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp)); } if (isset($state['ForceAuthn'])) { $ar->setForceAuthn((bool) $state['ForceAuthn']); } if (isset($state['isPassive'])) { $ar->setIsPassive((bool) $state['isPassive']); } if (isset($state['saml:NameID'])) { if (!is_array($state['saml:NameID'])) { throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].'); } $ar->setNameId($state['saml:NameID']); } if (isset($state['saml:NameIDPolicy'])) { if (is_string($state['saml:NameIDPolicy'])) { $policy = array('Format' => (string) $state['saml:NameIDPolicy'], 'AllowCreate' => TRUE); } elseif (is_array($state['saml:NameIDPolicy'])) { $policy = $state['saml:NameIDPolicy']; } else { throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].'); } $ar->setNameIdPolicy($policy); } if (isset($state['saml:IDPList'])) { $IDPList = $state['saml:IDPList']; } else { $IDPList = array(); } $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()), $idpMetadata->getArray('IDPList', array()), (array) $IDPList))); if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) { $ar->setProxyCount($state['saml:ProxyCount']); } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) { $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null)); } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) { $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null)); } $requesterID = array(); if (isset($state['saml:RequesterID'])) { $requesterID = $state['saml:RequesterID']; } if (isset($state['core:SP'])) { $requesterID[] = $state['core:SP']; } $ar->setRequesterID($requesterID); if (isset($state['saml:Extensions'])) { $ar->setExtensions($state['saml:Extensions']); } // save IdP entity ID as part of the state $state['ExpectedIssuer'] = $idpMetadata->getString('entityid'); $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE); $ar->setId($id); SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), TRUE)); /* Select appropriate SSO endpoint */ if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) { $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(\SAML2\Constants::BINDING_HOK_SSO)); } else { $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(\SAML2\Constants::BINDING_HTTP_REDIRECT, \SAML2\Constants::BINDING_HTTP_POST)); } $ar->setDestination($dst['Location']); $b = \SAML2\Binding::getBinding($dst['Binding']); $this->sendSAML2AuthnRequest($state, $b, $ar); assert('FALSE'); }
/** * Send a SAML2 SSO request to an IdP. * * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP. * @param array $state The state array for the current authentication. */ private function startSSO2(SimpleSAML_Configuration $idpMetadata, array $state) { if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_ProxyCountExceeded("ProxyCountExceeded")); } $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata); $ar->setAssertionConsumerServiceURL(SimpleSAML_Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId)); if (isset($state['SimpleSAML_Auth_Default.ReturnURL'])) { $ar->setRelayState($state['SimpleSAML_Auth_Default.ReturnURL']); } if (isset($state['saml:AuthnContextClassRef'])) { $accr = SimpleSAML_Utilities::arrayize($state['saml:AuthnContextClassRef']); $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr)); } if (isset($state['ForceAuthn'])) { $ar->setForceAuthn((bool) $state['ForceAuthn']); } if (isset($state['isPassive'])) { $ar->setIsPassive((bool) $state['isPassive']); } if (isset($state['saml:NameIDPolicy'])) { if (is_string($state['saml:NameIDPolicy'])) { $policy = array('Format' => (string) $state['saml:NameIDPolicy'], 'AllowCreate' => TRUE); } elseif (is_array($state['saml:NameIDPolicy'])) { $policy = $state['saml:NameIDPolicy']; } else { throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].'); } $ar->setNameIdPolicy($policy); } if (isset($state['saml:IDPList'])) { $IDPList = $state['saml:IDPList']; } else { $IDPList = array(); } $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()), $idpMetadata->getArray('IDPList', array()), (array) $IDPList))); if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) { $ar->setProxyCount($state['saml:ProxyCount']); } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) { $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null)); } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) { $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null)); } $requesterID = array(); if (isset($state['saml:RequesterID'])) { $requesterID = $state['saml:RequesterID']; } if (isset($state['core:SP'])) { $requesterID[] = $state['core:SP']; } $ar->setRequesterID($requesterID); if (isset($state['saml:Extensions'])) { $ar->setExtensions($state['saml:Extensions']); } $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE); $ar->setId($id); SimpleSAML_Logger::debug('Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), TRUE)); $b = new SAML2_HTTPRedirect(); $this->sendSAML2AuthnRequest($state, $b, $ar); assert('FALSE'); }