public function testSAMLEncoding()
{
require_once 'modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml.php';
require 'modules/Users/authentication/SAMLAuthenticate/settings.php';
$authrequest = new SamlAuthRequest($settings);
$url = $authrequest->create();
$query = parse_url($url, PHP_URL_QUERY);
$this->assertNotEmpty($query, 'No query part');
parse_str($query, $components);
$this->assertArrayHasKey('SAMLRequest', $components);
$data = gzinflate(base64_decode(rawurldecode($components['SAMLRequest'])));
$this->assertNotEmpty($data, "Data did not decode");
$xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);
$this->assertNotEmpty($xml, 'XML did not parse');
$myurl = $xml['AssertionConsumerServiceURL'];
$this->assertNotEmpty($myurl, 'URL not found');
$this->assertEquals(parse_url($GLOBALS['sugar_config']['site_url'] . "/index.php", PHP_URL_PATH), parse_url($myurl, PHP_URL_PATH), "Bad URL");
}
/*********************************************************************************
Copyright (c) 2010, OneLogin, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the <organization> nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL ONELOGIN, INC. BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
********************************************************************************/
require 'modules/Users/authentication/SAMLAuthenticate/settings.php';
require 'modules/Users/authentication/SAMLAuthenticate/lib/onelogin/saml.php';
$authrequest = new SamlAuthRequest(get_saml_settings());
$url = $authrequest->create();
header("Location: {$url}");
/**
* Redirect to login page
*
* @param SugarApplication $app
*/
public function redirectToLogin(SugarApplication $app)
{
require get_custom_file_if_exists('modules/Users/authentication/SAMLAuthenticate/settings.php');
$loginVars = $app->createLoginVars();
// $settings - variable from modules/Users/authentication/SAMLAuthenticate/settings.php
$settings->assertion_consumer_service_url .= htmlspecialchars($loginVars);
$authRequest = new SamlAuthRequest($settings);
$url = $authRequest->create();
SugarApplication::redirect($url);
}
/**
* Checks the session to see if the user is already logged in
*
* If not logged in, redirects to SAML provider
*/
public function trustExternal($user, $pass, $sticky = false)
{
global $USERINFO;
global $ID;
global $ACT;
global $conf;
// trust session info, no need to recheck
if (isset($_SESSION[DOKU_COOKIE]['auth']) && $_SESSION[DOKU_COOKIE]['auth']['buid'] == auth_browseruid() && isset($_SESSION[DOKU_COOKIE]['auth']['user'])) {
$_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
$USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info'];
return true;
}
if (!isset($_POST['SAMLResponse']) && ($ACT == 'login' || get_doku_pref('adfs_autologin', 0))) {
// Initiate SAML auth request
$authrequest = new SamlAuthRequest($this->settings);
$url = $authrequest->create();
$_SESSION['adfs_redirect'] = wl($ID, '', true, '&');
// remember current page
send_redirect($url);
} elseif (isset($_POST['SAMLResponse'])) {
// consume SAML response
$samlresponse = new SamlResponse($this->settings, $_POST['SAMLResponse']);
try {
if ($samlresponse->is_valid()) {
$_SERVER['REMOTE_USER'] = $samlresponse->get_attribute('login');
$USERINFO['user'] = $_SERVER['REMOTE_USER'];
$USERINFO['name'] = $samlresponse->get_attribute('fullname');
$USERINFO['mail'] = $samlresponse->get_attribute('email');
$USERINFO['grps'] = (array) $samlresponse->get_attribute('groups');
$USERINFO['grps'][] = $conf['defaultgroup'];
$USERINFO['grps'] = array_map(array($this, 'cleanGroup'), $USERINFO['grps']);
$_SESSION[DOKU_COOKIE]['auth']['user'] = $_SERVER['REMOTE_USER'];
$_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
$_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
# cache login
// cache user data
$changes = array('name' => $USERINFO['name'], 'mail' => $USERINFO['mail'], 'grps' => $USERINFO['grps']);
if ($this->triggerUserMod('modify', array($user, $changes)) === false) {
$this->triggerUserMod('create', array($user, "nil", $USERINFO['name'], $USERINFO['mail'], $USERINFO['grps']));
}
// successful login
if (isset($_SESSION['adfs_redirect'])) {
$go = $_SESSION['adfs_redirect'];
unset($_SESSION['adfs_redirect']);
} else {
$go = wl($ID, '', true, '&');
}
set_doku_pref('adfs_autologin', 1);
send_redirect($go);
// decouple the history from POST
return true;
} else {
$this->logOff();
msg('The SAML response signature was invalid.', -1);
return false;
}
} catch (Exception $e) {
$this->logOff();
msg('Invalid SAML response: ' . hsc($e->getMessage()), -1);
return false;
}
}
// no login happened
return false;
}