/**
 * Add widget title link if Widget Manager is enabled.
 *
 * @param string $hook         the name of the hook
 * @param string $type         the type of the hook
 * @param array  $return_value current return value
 * @param array  $params       supplied params
 *
 * @return void|string the login URL for the widget's configured source, nothing otherwise
 */
public static function widgetURL($hook, $type, $return_value, $params) {
    // another handler already supplied a URL; leave it alone
    if (!empty($return_value)) {
        return;
    }

    // a login link is only useful for anonymous visitors
    if (elgg_is_logged_in()) {
        return;
    }

    $widget = elgg_extract('entity', $params);
    if (!$widget instanceof \ElggWidget || $widget->handler !== 'simplesaml') {
        return;
    }

    $samlsource = $widget->samlsource;

    // no source or 'all' means the widget lists every source, so there is no single login target;
    // a disabled source gets no link either
    if (empty($samlsource) || $samlsource === 'all' || !simplesaml_is_enabled_source($samlsource)) {
        return;
    }

    return "/saml/login/{$samlsource}";
}
/**
 * Take some actions during the login event of a user
 *
 * @param string   $event  'login' is the event this function handles
 * @param string   $type   'user' is the type for this event
 * @param ElggUser $object the current user trying to login
 *
 * @return void
 */
function simplesaml_login_event_handler($event, $type, $object) {
    if (empty($object) || !elgg_instanceof($object, "user")) {
        return;
    }

    // only act on logins that came through a SAML source (both values are stored together)
    if (!isset($_SESSION["saml_attributes"], $_SESSION["saml_source"])) {
        return;
    }

    $source = $_SESSION["saml_source"];
    $attributes = $_SESSION["saml_attributes"];

    // the source must still be enabled and the stored attributes must pass the access rules
    if (!simplesaml_is_enabled_source($source) || !simplesaml_validate_authentication_attributes($source, $attributes)) {
        return;
    }

    $external_id = elgg_extract("elgg:external_id", $attributes);
    if (!empty($external_id)) {
        // multi-valued attributes arrive as arrays; the first value is the identifier
        $external_id = is_array($external_id) ? $external_id[0] : $external_id;

        // save the external id so the next login will go faster
        simplesaml_link_user($object, $source, $external_id);
    }

    // save the attributes to the user
    simplesaml_save_authentication_attributes($object, $source, $attributes);

    // save source name for single logout
    $_SESSION["saml_login_source"] = $source;

    unset($_SESSION["saml_attributes"], $_SESSION["saml_source"]);
}
/**
 * Add widget title link if Widget Manager is enabled.
 *
 * @param string $hook         'widget_url' is the hook name
 * @param string $type         'widget_manager' is the type if this hook
 * @param array  $return_value the default return value
 * @param array  $params       an array with parameter to help extending the result
 *
 * @return string an url to be put in the widget title
 */
function simplesaml_widget_url_hook($hook, $type, $return_value, $params) {
    // nothing to inspect: hand back whatever was passed in
    if (empty($params) || !is_array($params)) {
        return $return_value;
    }

    $widget = elgg_extract("entity", $params);
    if (empty($widget) || $widget->handler !== "simplesaml") {
        return $return_value;
    }

    $samlsource = $widget->samlsource;

    // no source or "all" has no single login target; a disabled source gets no link
    if (empty($samlsource) || $samlsource === "all" || !simplesaml_is_enabled_source($samlsource)) {
        return $return_value;
    }

    return "/saml/login/" . $samlsource;
}
/**
 * Take some actions during the login event of a user
 *
 * @param string   $event  the name of the event
 * @param string   $type   type of the event
 * @param ElggUser $object the current user trying to login
 *
 * @return void
 */
public static function loginEvent($event, $type, $object) {
    if (!$object instanceof \ElggUser) {
        return;
    }

    $attributes = simplesaml_get_from_session('saml_attributes');
    $source = simplesaml_get_from_session('saml_source');

    // nothing stored in the session means this login did not come through SAML
    if (!isset($attributes, $source)) {
        return;
    }

    // the source must still be enabled
    if (!simplesaml_is_enabled_source($source)) {
        return;
    }

    // the stored attributes must pass the additional access rules for the source
    if (!simplesaml_validate_authentication_attributes($source, $attributes)) {
        return;
    }

    // link the user to this source; multi-valued attributes arrive as arrays
    $external_id = elgg_extract('elgg:external_id', $attributes);
    if (!empty($external_id)) {
        $external_id = is_array($external_id) ? $external_id[0] : $external_id;

        // save the external id so the next login will go faster
        simplesaml_link_user($object, $source, $external_id);
    }

    // save the attributes to the user
    simplesaml_save_authentication_attributes($object, $source, $attributes);

    // save source name for single logout
    simplesaml_store_in_session('saml_login_source', $source);

    // the one-time login data is consumed now
    simplesaml_remove_from_session('saml_attributes');
    simplesaml_remove_from_session('saml_source');
}
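/**
 * Check whether an account may be created automatically for a SAML user.
 *
 * Off a subsite only the attribute check applies. On a subsite the source must be
 * enabled and the "<source>_auto_create_accounts" plugin setting must be set.
 * The "SAML: fail N" log lines are kept so existing log-based troubleshooting still works.
 *
 * @param string $source          the name of the SAML source
 * @param array  $auth_attributes the attributes returned by the IDP
 *
 * @return bool true when an account may be created
 */
function subsite_manager_simplesaml_check_auto_create_account($source, $auth_attributes) {
    if (empty($source) || empty($auth_attributes) || !is_array($auth_attributes)) {
        error_log("SAML: fail 2");
        return false;
    }

    // asked once instead of once per check
    $on_subsite = subsite_manager_on_subsite();

    // is the source enabled
    if ($on_subsite && !simplesaml_is_enabled_source($source)) {
        error_log("SAML: fail 3");
        return false;
    }

    // check if auto create is enabled for this source
    // NOTE(review): only truthiness is tested; if this setting is stored as a literal
    // "no" string it would still count as enabled — confirm how the setting is saved
    if ($on_subsite && !elgg_get_plugin_setting($source . "_auto_create_accounts", "simplesaml")) {
        error_log("SAML: fail 4");
        return false;
    }

    // do we have all the required information: email, external id and at least one name part
    $email = elgg_extract("elgg:email", $auth_attributes);
    $firstname = elgg_extract("elgg:firstname", $auth_attributes);
    $lastname = elgg_extract("elgg:lastname", $auth_attributes);
    $external_id = elgg_extract("elgg:external_id", $auth_attributes);

    if (empty($email) || (empty($firstname) && empty($lastname)) || empty($external_id)) {
        error_log("SAML: fail 5");
        return false;
    }

    return true;
}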
<?php
/**
 * Action: complete a SAML-initiated registration for the source recorded in the session.
 *
 * Each check below registers an error and forwards back to the referrer; forward()
 * redirects and ends the request, so later code only runs for requests that pass.
 */

// only anonymous visitors may complete a SAML registration
if (elgg_is_logged_in()) {
    register_error(elgg_echo('simplesaml:error:loggedin'));
    forward(REFERER);
}

// the source named in the request and the one recorded during SAML authentication must both exist
$source = get_input('saml_source');
$session_source = simplesaml_get_from_session('saml_source');
if (empty($source) || empty($session_source)) {
    register_error(elgg_echo('simplesaml:error:no_source'));
    forward(REFERER);
}

$label = simplesaml_get_source_label($source);

if (!simplesaml_is_enabled_source($source)) {
    register_error(elgg_echo('simplesaml:error:source_not_enabled', [$label]));
    forward(REFERER);
}

// the attributes kept in the session belong to $session_source; refuse to apply them
// to a different source supplied in the request
if ($source !== $session_source) {
    register_error(elgg_echo('simplesaml:error:source_mismatch'));
    forward(REFERER);
}

// re-check the per-source access rules against the stored attributes before going further
$saml_attributes = simplesaml_get_from_session('saml_attributes');
if (!simplesaml_validate_authentication_attributes($source, $saml_attributes)) {
    // not authorized
    register_error(elgg_echo('simplesaml:error:attribute_validation', [$label]));
    forward(REFERER);
}

// form input used by the remainder of the action
$displayname = get_input('displayname');
$user_email = get_input('email');

$forward_url = REFERER;
$error = false;
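/**
 * Check the saml attributes for additional access rules
 *
 * The rule for a source is read from four plugin settings:
 * "<source>_access_type" ("allow" or "deny"), "<source>_access_matching" ("exact" or "regex"),
 * "<source>_access_field" (the attribute to inspect) and "<source>_access_value"
 * (the literal or pattern to compare against). An incomplete configuration means no rule.
 *
 * @param string $saml_source     the name of the Service Provider
 * @param array  $saml_attributes the return SAML attributes from the IDP
 *
 * @return bool true when the attributes satisfy the configured rule (or no rule is configured)
 */
function simplesaml_validate_authentication_attributes($saml_source, $saml_attributes) {
    if (empty($saml_source) || empty($saml_attributes)) {
        return false;
    }

    if (!simplesaml_is_enabled_source($saml_source)) {
        return false;
    }

    // get plugin settings
    $access_type = elgg_get_plugin_setting($saml_source . "_access_type", "simplesaml");
    $access_matching = elgg_get_plugin_setting($saml_source . "_access_matching", "simplesaml");
    $access_field = elgg_get_plugin_setting($saml_source . "_access_field", "simplesaml");
    $access_value = elgg_get_plugin_setting($saml_source . "_access_value", "simplesaml");

    if (!in_array($access_type, ["allow", "deny"], true)
        || !in_array($access_matching, ["exact", "regex"], true)
        || empty($access_field)
        || empty($access_value)) {
        // no additional validation configured
        return true;
    }

    if (!isset($saml_attributes[$access_field])) {
        // field to check doesn't exist in the response: a "deny on match" rule cannot
        // match, so access is allowed; an "allow on match" rule cannot be satisfied
        return $access_type === "deny";
    }

    // attributes are normally multi-valued arrays; a scalar value is compared as a
    // single value instead of being skipped by foreach with a warning
    $field_values = (array) $saml_attributes[$access_field];

    $match_found = false;
    foreach ($field_values as $field_value) {
        if ($access_matching === "regex") {
            $matched = preg_match($access_value, $field_value);
            if ($matched === false) {
                // invalid pattern or PCRE error: fail closed instead of letting a
                // "deny" rule silently admit everyone because nothing ever matched
                return false;
            }
            if ($matched === 1) {
                $match_found = true;
                break;
            }
        } elseif ($field_value === $access_value) {
            $match_found = true;
            break;
        }
    }

    // apply access rule
    return $access_type === "deny" ? !$match_found : $match_found;
}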
$configured_source = $widget->samlsource; if (empty($configured_source) || $configured_source === "all") { // show all configured sources foreach ($sources as $source) { $label = simplesaml_get_source_label($source); $icon_url = simplesaml_get_source_icon_url($source); if (!empty($icon_url)) { $text = elgg_view("output/img", array("src" => $icon_url, "alt" => $label)); } else { $text = $label; } echo "<div class='mbs'>"; echo elgg_view("output/url", array("text" => $text, "title" => $label, "href" => "saml/login/" . $source)); echo "</div>"; } } elseif (!empty($configured_source) && simplesaml_is_enabled_source($configured_source)) { // show one saml source $label = simplesaml_get_source_label($configured_source); $icon_url = simplesaml_get_source_icon_url($configured_source); if (!empty($icon_url)) { $text = elgg_view("output/img", array("src" => $icon_url, "alt" => $label)); } else { $text = $label; } echo "<div>"; echo elgg_view("output/url", array("text" => $text, "title" => $label, "href" => "saml/login/" . $configured_source)); echo "</div>"; } } } else { // user is already loggedin