 /**
  * Provide the login URL as the widget title link when the widget points to a single enabled SAML source.
  *
  * Leaves the hook result untouched (returns nothing) when a URL was already set by an earlier
  * handler, the viewer is logged in, the entity is not an ElggWidget, the widget is not a
  * simplesaml widget, or the configured source is empty, 'all' or not enabled.
  *
  * @param string $hook         the name of the hook
  * @param string $type         the type of the hook
  * @param array  $return_value current return value
  * @param array  $params       supplied params
  *
  * @return void|string
  */
 public static function widgetURL($hook, $type, $return_value, $params)
 {
     // respect a URL set earlier, and never point a logged-in user at a login page
     if (!empty($return_value) || elgg_is_logged_in()) {
         return;
     }
     $widget = elgg_extract('entity', $params);
     if (!$widget instanceof \ElggWidget || $widget->handler !== 'simplesaml') {
         return;
     }
     $source = $widget->samlsource;
     // an empty setting or 'all' means no single source to link to
     $single_source = !empty($source) && $source !== 'all';
     if (!$single_source || !simplesaml_is_enabled_source($source)) {
         return;
     }
     return "/saml/login/{$source}";
 }
/**
 * Link and enrich the user with the SAML data stored in the session during a login event.
 *
 * Acts only when the session holds both the SAML attributes and the source name, the source is
 * enabled and the attributes pass the configured access rules. The raw attributes and source are
 * removed from the session afterwards; only the source name is kept for single logout.
 *
 * @param string   $event  'login' is the event this function handles
 * @param string   $type   'user' is the type for this event
 * @param ElggUser $object the current user trying to login
 *
 * @return void
 */
function simplesaml_login_event_handler($event, $type, $object)
{
    if (empty($object) || !elgg_instanceof($object, "user")) {
        return;
    }
    // without both session entries this is not a SAML login
    $has_saml_session = isset($_SESSION["saml_attributes"]) && isset($_SESSION["saml_source"]);
    if (!$has_saml_session) {
        return;
    }
    $attributes = $_SESSION["saml_attributes"];
    $source_name = $_SESSION["saml_source"];
    $login_allowed = simplesaml_is_enabled_source($source_name)
        && simplesaml_validate_authentication_attributes($source_name, $attributes);
    if (!$login_allowed) {
        return;
    }
    $external_id = elgg_extract("elgg:external_id", $attributes);
    if (!empty($external_id)) {
        // a list of ids is reduced to its first entry
        $external_id = is_array($external_id) ? $external_id[0] : $external_id;
        // save the external id so the next login will go faster
        simplesaml_link_user($object, $source_name, $external_id);
    }
    // save the attributes to the user
    simplesaml_save_authentication_attributes($object, $source_name, $attributes);
    // save source name for single logout, drop the rest of the SAML session data
    $_SESSION["saml_login_source"] = $source_name;
    unset($_SESSION["saml_attributes"], $_SESSION["saml_source"]);
}
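/**
 * Add widget title link if Widget Manager is enabled.
 *
 * The default return value is kept unless the widget is a simplesaml widget configured for one
 * specific, enabled source; in that case the login URL of that source is returned.
 *
 * @param string $hook         'widget_url' is the hook name
 * @param string $type         'widget_manager' is the type of this hook
 * @param array  $return_value the default return value
 * @param array  $params       an array with parameter to help extending the result
 *
 * @return string an url to be put in the widget title
 */
function simplesaml_widget_url_hook($hook, $type, $return_value, $params)
{
    if (empty($params) || !is_array($params)) {
        return $return_value;
    }
    $widget = elgg_extract("entity", $params);
    // strict comparison: the handler is a string and must not match loosely
    if (!is_object($widget) || $widget->handler !== "simplesaml") {
        return $return_value;
    }
    $samlsource = $widget->samlsource;
    // an empty setting or 'all' means the widget lists every source; there is no single login URL then
    if (empty($samlsource) || $samlsource === "all") {
        return $return_value;
    }
    if (!simplesaml_is_enabled_source($samlsource)) {
        return $return_value;
    }
    return "/saml/login/" . $samlsource;
}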
 /**
  * Link and enrich the user with the SAML data kept in the session during a login event.
  *
  * Acts only when the session holds the SAML attributes and the source name, the source is
  * enabled and the attributes pass the configured access rules. The attributes and source are
  * removed from the session afterwards; only the source name is kept for single logout.
  *
  * @param string   $event  the name of the event
  * @param string   $type   type of the event
  * @param ElggUser $object the current user trying to login
  *
  * @return void
  */
 public static function loginEvent($event, $type, $object)
 {
     if (!$object instanceof \ElggUser) {
         return;
     }
     $attributes = simplesaml_get_from_session('saml_attributes');
     $source_name = simplesaml_get_from_session('saml_source');
     // no SAML data in the session means this is not a simplesaml login
     if (!isset($attributes, $source_name)) {
         return;
     }
     // source enabled and additional authentication rules satisfied
     $login_allowed = simplesaml_is_enabled_source($source_name)
         && simplesaml_validate_authentication_attributes($source_name, $attributes);
     if (!$login_allowed) {
         return;
     }
     // link the user to this source
     $external_id = elgg_extract('elgg:external_id', $attributes);
     if (!empty($external_id)) {
         // a list of ids is reduced to its first entry
         $external_id = is_array($external_id) ? $external_id[0] : $external_id;
         // save the external id so the next login will go faster
         simplesaml_link_user($object, $source_name, $external_id);
     }
     // save the attributes to the user
     simplesaml_save_authentication_attributes($object, $source_name, $attributes);
     // save source name for single logout
     simplesaml_store_in_session('saml_login_source', $source_name);
     // cleanup
     simplesaml_remove_from_session('saml_attributes');
     simplesaml_remove_from_session('saml_source');
 }
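/**
 * Decide whether an account may be created automatically for a SAML login.
 *
 * Outside a subsite the source and auto-create checks are skipped; the attribute check always
 * applies. Each failing check writes a numbered "SAML: fail N" line to the error log.
 *
 * @param string $source          the name of the SAML source
 * @param array  $auth_attributes the authentication attributes returned by the IdP
 *
 * @return bool true when an account may be created
 */
function subsite_manager_simplesaml_check_auto_create_account($source, $auth_attributes)
{
    if (empty($source) || empty($auth_attributes) || !is_array($auth_attributes)) {
        error_log("SAML: fail 2");
        return false;
    }
    $on_subsite = subsite_manager_on_subsite();
    // on a subsite the source must be enabled there
    if ($on_subsite && !simplesaml_is_enabled_source($source)) {
        error_log("SAML: fail 3");
        return false;
    }
    // on a subsite auto creation must be switched on for this source
    if ($on_subsite && !elgg_get_plugin_setting($source . "_auto_create_accounts", "simplesaml")) {
        error_log("SAML: fail 4");
        return false;
    }
    // an e-mail, an external id and at least one name part are required to create the account
    $email = elgg_extract("elgg:email", $auth_attributes);
    $firstname = elgg_extract("elgg:firstname", $auth_attributes);
    $lastname = elgg_extract("elgg:lastname", $auth_attributes);
    $external_id = elgg_extract("elgg:external_id", $auth_attributes);
    if (empty($email) || empty($external_id) || (empty($firstname) && empty($lastname))) {
        error_log("SAML: fail 5");
        return false;
    }
    return true;
}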
<?php

// only anonymous visitors may run this action
if (elgg_is_logged_in()) {
    register_error(elgg_echo('simplesaml:error:loggedin'));
    forward(REFERER);
}
// the source comes from the request, the authenticated source from the session; both are required
$source = get_input('saml_source');
$session_source = simplesaml_get_from_session('saml_source');
if (empty($source) || empty($session_source)) {
    register_error(elgg_echo('simplesaml:error:no_source'));
    forward(REFERER);
}
$label = simplesaml_get_source_label($source);
if (!simplesaml_is_enabled_source($source)) {
    register_error(elgg_echo('simplesaml:error:source_not_enabled', [$label]));
    forward(REFERER);
}
// the submitted source must be the one the SAML session was established for
if ($source !== $session_source) {
    register_error(elgg_echo('simplesaml:error:source_mismatch'));
    forward(REFERER);
}
// the attributes stored by the SAML flow must pass the access rules configured for the source
$saml_attributes = simplesaml_get_from_session('saml_attributes');
if (!simplesaml_validate_authentication_attributes($source, $saml_attributes)) {
    // not authorized
    register_error(elgg_echo('simplesaml:error:attribute_validation', [$label]));
    forward(REFERER);
}
// user-supplied values used by the remaining steps of the action
$displayname = get_input('displayname');
$user_email = get_input('email');
$forward_url = REFERER;
$error = false;
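/**
 * Check the saml attributes for additional access rules
 *
 * The rule is read from the plugin settings of the source: an access type ('allow' or 'deny'),
 * a matching mode ('exact' or 'regex'), the attribute to inspect and the value to compare with.
 * When no complete rule is configured the check passes. A 'deny' rule fails the check when the
 * attribute matches; an 'allow' rule passes only when it matches. An invalid regex pattern in
 * the rule fails the check instead of silently counting as "no match".
 *
 * @param string $saml_source     the name of the Service Provider
 * @param array  $saml_attributes the return SAML attributes from the IDP
 *
 * @return bool
 */
function simplesaml_validate_authentication_attributes($saml_source, $saml_attributes)
{
    if (empty($saml_source) || empty($saml_attributes)) {
        return false;
    }
    if (!simplesaml_is_enabled_source($saml_source)) {
        return false;
    }
    // get plugin settings
    $access_type = elgg_get_plugin_setting($saml_source . "_access_type", "simplesaml");
    $access_matching = elgg_get_plugin_setting($saml_source . "_access_matching", "simplesaml");
    $access_field = elgg_get_plugin_setting($saml_source . "_access_field", "simplesaml");
    $access_value = elgg_get_plugin_setting($saml_source . "_access_value", "simplesaml");
    // strict in_array: the keywords must match exactly
    if (!in_array($access_type, ["allow", "deny"], true)
        || !in_array($access_matching, ["exact", "regex"], true)
        || empty($access_field)
        || empty($access_value)
    ) {
        // no additional validation configured
        return true;
    }
    if (!isset($saml_attributes[$access_field])) {
        // field to check doesn't exist in response: a 'deny' rule cannot match (allowed),
        // an 'allow' rule cannot be satisfied (denied)
        return $access_type === "deny";
    }
    // a scalar attribute value is wrapped so it is compared instead of being skipped
    $field_values = (array) $saml_attributes[$access_field];
    $match_found = false;
    foreach ($field_values as $field_value) {
        if ($access_matching === "regex") {
            $regex_result = preg_match($access_value, $field_value);
            if ($regex_result === false) {
                // invalid pattern in the access rule: fail closed rather than grant access by accident
                return false;
            }
            $matched = $regex_result === 1;
        } else {
            $matched = $field_value === $access_value;
        }
        if ($matched) {
            $match_found = true;
            break;
        }
    }
    // apply access rule
    return $access_type === "deny" ? !$match_found : $match_found;
}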
        $configured_source = $widget->samlsource;
        if (empty($configured_source) || $configured_source === "all") {
            // show all configured sources
            foreach ($sources as $source) {
                $label = simplesaml_get_source_label($source);
                $icon_url = simplesaml_get_source_icon_url($source);
                if (!empty($icon_url)) {
                    $text = elgg_view("output/img", array("src" => $icon_url, "alt" => $label));
                } else {
                    $text = $label;
                }
                echo "<div class='mbs'>";
                echo elgg_view("output/url", array("text" => $text, "title" => $label, "href" => "saml/login/" . $source));
                echo "</div>";
            }
        } elseif (!empty($configured_source) && simplesaml_is_enabled_source($configured_source)) {
            // show one saml source
            $label = simplesaml_get_source_label($configured_source);
            $icon_url = simplesaml_get_source_icon_url($configured_source);
            if (!empty($icon_url)) {
                $text = elgg_view("output/img", array("src" => $icon_url, "alt" => $label));
            } else {
                $text = $label;
            }
            echo "<div>";
            echo elgg_view("output/url", array("text" => $text, "title" => $label, "href" => "saml/login/" . $configured_source));
            echo "</div>";
        }
    }
} else {
    // user is already loggedin