logout() public method

This function logs the user out. It will never return. By default, it redirects to the current page after logging the user out, but a different URL can be given with the $params parameter. The generic parameters are: 'ReturnTo' (the URL the user should be returned to after logout), 'ReturnCallback' (the function that should be called after logout), 'ReturnStateParam' (the parameter the state should be returned in when redirecting), and 'ReturnStateStage' (the stage the state array should be saved with). Whether logout() itself checks the return URL depends on the SimpleSAMLphp version, so a URL taken from request input should be validated before it is passed in, as Examples #7 and #24 do with checkURLAllowed().
public logout ( string | array | null $params = null )
$params string | array | null Either the URL the user should be redirected to after logging out, or an array with parameters for the logout. If this parameter is null, we will return to the current page.
Example #1
 /**
  * Log the user out of the 'SPcrono' authentication source and send the
  * browser to the application's index.php afterwards.
  *
  * @return bool true; logout() is documented as never returning, so this
  *              value is not expected to reach the caller
  */
 function procesarFormulario()
 {
     require_once '/var/simplesamlphp/lib/_autoload.php';
     // The return URL is built only from values held on this object, not from request input.
     $returnUrl = $this->host . $this->site . '/' . 'index.php';
     // 'SPcrono' is the authentication source defined in the SP's authsources.
     $auth = new SimpleSAML_Auth_Simple('SPcrono');
     $auth->logout($returnUrl);
     return true;
 }
Example #2
 /**
  * End the application session and the SimpleSAMLphp session, then redirect home.
  *
  * SimpleSAML's logout() is documented as never returning, so the final
  * redirect is only reached when there was no SSO session to terminate.
  */
 public function logout()
 {
     // Application session first: invalidate it when one exists.
     if (Auth::check()) {
         Auth::logout();
     }
     // Then the SSO session on the 'default-sp' source.
     $samlAuth = new \SimpleSAML_Auth_Simple('default-sp');
     $hasSsoSession = $samlAuth->isAuthenticated();
     if ($hasSsoSession) {
         $samlAuth->logout();
     }
     // No SSO session was present: go to the home action.
     return Redirect::Action('mainController@index');
 }
Example #3
 /**
  * Forward hook that logs a logged-out visitor out of the configured SimpleSAML source
  *
  * @param string $hook         the name of the hook
  * @param string $type         the type of the hook
  * @param bool   $return_value the current url to forward to
  * @param array  $params       supplied params
  *
  * @return void
  */
 public static function forward($hook, $type, $return_value, $params)
 {
     global $SIMPLESAML_SOURCE;
     // Act only when nobody is logged in locally and a source name has been set.
     if (!elgg_is_logged_in() && !empty($SIMPLESAML_SOURCE)) {
         try {
             $samlAuth = new \SimpleSAML_Auth_Simple($SIMPLESAML_SOURCE);
             // Log out of the external source, returning to the site URL.
             $samlAuth->logout(elgg_get_site_url());
         } catch (Exception $e) {
             // Deliberately ignored: a failed external logout must not break the forward.
         }
     }
 }
Example #4
 /**
  * Process a logout request.
  *
  * Records this IdP and the terminated association in the state, terminates
  * that association when one was given, saves the state, and then logs out of
  * the authentication source with a return URL that carries the saved state id.
  *
  * This function will never return.
  *
  * @param array &$state  The logout request state.
  * @param string|NULL $assocId  The association we received the logout request from, or NULL if there was no association.
  */
 public function handleLogoutRequest(array &$state, $assocId)
 {
     // Preconditions, written as string assertions (checked only when assertions are active).
     assert('isset($state["Responder"])');
     assert('is_string($assocId) || is_null($assocId)');
     $state['core:IdP'] = $this->id;
     $state['core:TerminatedAssocId'] = $assocId;
     if ($assocId !== NULL) {
         $this->terminateAssociation($assocId);
     }
     /* Terminate the local session. */
     // The state is saved first so that only its id travels in the return URL.
     $id = SimpleSAML_Auth_State::saveState($state, 'core:Logout:afterbridge');
     $returnTo = SimpleSAML_Module::getModuleURL('core/idp/resumelogout.php', array('id' => $id));
     $this->authSource->logout($returnTo);
     // NOTE(review): the lines below run only if the logout() call above returns — confirm when that happens.
     $handler = $this->getLogoutHandler();
     $handler->startLogout($state, $assocId);
     // Marks this point as one that should not be reached.
     assert('FALSE');
 }
Example #5
 /**
  * Process a logout request.
  *
  * Records this IdP and the terminated association in the state. When an
  * association was given it is terminated and the 'core:idp-ssotime' session
  * entry for this IdP and the requesting SP is deleted. The state is then
  * saved and the authentication source is logged out with a return URL that
  * carries the saved state id.
  *
  * This function will never return.
  *
  * @param array       &$state The logout request state.
  * @param string|null $assocId The association we received the logout request from, or null if there was no
  * association.
  */
 public function handleLogoutRequest(array &$state, $assocId)
 {
     // Preconditions, written as string assertions (checked only when assertions are active).
     assert('isset($state["Responder"])');
     assert('is_string($assocId) || is_null($assocId)');
     $state['core:IdP'] = $this->id;
     $state['core:TerminatedAssocId'] = $assocId;
     if ($assocId !== null) {
         $this->terminateAssociation($assocId);
         $session = SimpleSAML_Session::getSessionFromRequest();
         // The key combines this IdP's id with the SP entity id found in the state.
         $session->deleteData('core:idp-ssotime', $this->id . ':' . $state['saml:SPEntityId']);
     }
     // terminate the local session
     // The state is saved first so that only its id travels in the return URL.
     $id = SimpleSAML_Auth_State::saveState($state, 'core:Logout:afterbridge');
     $returnTo = SimpleSAML\Module::getModuleURL('core/idp/resumelogout.php', array('id' => $id));
     $this->authSource->logout($returnTo);
     // NOTE(review): the lines below run only if the logout() call above returns — confirm when that happens.
     $handler = $this->getLogoutHandler();
     $handler->startLogout($state, $assocId);
     // Marks this point as one that should not be reached.
     assert('false');
 }
Example #6
    }
    include_once $saml_param->samllib . '/_autoload.php';
    $as = new SimpleSAML_Auth_Simple($saml_param->sp_source);
    if (isset($_GET["logout"])) {
        if (isset($_SERVER['SCRIPT_URI'])) {
            $urltogo = $_SERVER['SCRIPT_URI'];
            $urltogo = str_replace('auth/saml/index.php', '', $urltogo);
        } else {
            if (isset($_SERVER['HTTP_REFERER'])) {
                $urltogo = $_SERVER['HTTP_REFERER'];
            } else {
                $urltogo = '/';
            }
        }
        if ($saml_param->dosinglelogout) {
            $as->logout($urltogo);
            assert("FALSE");
            // The previous line issues a redirect
        } else {
            header('Location: ' . $urltogo);
            exit;
        }
    }
    $as->requireAuth();
    $valid_saml_session = $as->isAuthenticated();
    $saml_attributes = $as->getAttributes();
} catch (Exception $e) {
    session_write_close();
    require_once '../../config.php';
    require_once 'error.php';
    global $CFG, $err, $PAGE, $OUTPUT;
Example #7
<?php

/**
 * Logout endpoint for an authentication source.
 *
 * Expects two string request parameters: 'ReturnTo' (where to send the
 * browser afterwards) and 'AuthId' (the authentication source to log out of).
 *
 * @package simpleSAMLphp
 * @version $Id$
 */
if (!(isset($_REQUEST['ReturnTo']) && is_string($_REQUEST['ReturnTo']))) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!(isset($_REQUEST['AuthId']) && is_string($_REQUEST['AuthId']))) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
// ReturnTo is request input, so it goes through the allowed-URL check before it is used as a redirect target.
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
$as->logout($returnTo);
Example #8
<?php

// Test page for an authentication source chosen with the 'as' request parameter.
$config = SimpleSAML_Configuration::getInstance();

// Without 'as', list the available sources and stop.
if (!array_key_exists('as', $_REQUEST)) {
    $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
    $t->data['sources'] = SimpleSAML_Auth_Source::getSources();
    $t->show();
    exit;
}

$asId = (string) $_REQUEST['as'];
$as = new SimpleSAML_Auth_Simple($asId);

// Logout request: the return URL is built from configuration, not from the request.
if (array_key_exists('logout', $_REQUEST)) {
    $as->logout('/' . $config->getBaseURL() . 'logout.php');
}

// Returning from a failed login: print the stored exception as plain text.
if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) {
    // This is just a simple example of an error
    $state = SimpleSAML_Auth_State::loadExceptionState();
    assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)');
    $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];
    header('Content-Type: text/plain');
    echo "Exception during login:\n";
    foreach ($e->format() as $line) {
        echo $line, "\n";
    }
    exit(0);
}

// Not authenticated yet: start a login that comes back to this page on success and on error.
if (!$as->isAuthenticated()) {
    $url = SimpleSAML_Module::getModuleURL('core/authenticate.php', array('as' => $asId));
    $params = array(
        'ErrorURL' => $url,
        'ReturnTo' => $url,
    );
    $as->login($params);
}
Example #9
/**
 * Forward hook that restores the backed-up SimpleSAMLphp session data and
 * logs a logged-out visitor out of the configured SimpleSAML source
 *
 * @param string $hook         'forward'
 * @param string $type         'system'
 * @param bool   $return_value the current url to forward to
 * @param array  $params       supplied params
 *
 * @return void
 */
function simplesaml_forward_hook($hook, $type, $return_value, $params)
{
    global $SIMPLESAML_SESSION_BACKUP;
    global $SIMPLESAML_SOURCE;

    // Nothing to do while a user is still logged in.
    if (elgg_is_logged_in()) {
        return;
    }
    // Both the session backup and the source name are required.
    if (empty($SIMPLESAML_SESSION_BACKUP) || empty($SIMPLESAML_SOURCE)) {
        return;
    }

    // Put the backed-up data back so the logout below has a session to work on.
    $_SESSION["SimpleSAMLphp_SESSION"] = $SIMPLESAML_SESSION_BACKUP;
    try {
        $samlAuth = new SimpleSAML_Auth_Simple($SIMPLESAML_SOURCE);
        // Log out of the external source, returning to the site URL.
        $samlAuth->logout(elgg_get_site_url());
    } catch (Exception $e) {
        // Deliberately ignored: a failed external logout must not break the forward.
    }
}
<?php

// Test page for an authentication source chosen with the 'as' request parameter.
$config = SimpleSAML_Configuration::getInstance();

// Without 'as', list the available sources and stop.
if (!array_key_exists('as', $_REQUEST)) {
    $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
    $t->data['sources'] = SimpleSAML_Auth_Source::getSources();
    $t->show();
    exit;
}

$asId = (string) $_REQUEST['as'];
$as = new SimpleSAML_Auth_Simple($asId);

// Logout request: the return URL is built from configuration, not from the request.
if (array_key_exists('logout', $_REQUEST)) {
    $as->logout($config->getBasePath() . 'logout.php');
}

// Returning from a failed login: rethrow the stored exception.
if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) {
    // This is just a simple example of an error
    $state = SimpleSAML_Auth_State::loadExceptionState();
    assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)');
    $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];
    throw $e;
}

// Not authenticated yet: start a login that comes back to this page on success and on error.
if (!$as->isAuthenticated()) {
    $url = SimpleSAML\Module::getModuleURL('core/authenticate.php', array('as' => $asId));
    $params = array(
        'ErrorURL' => $url,
        'ReturnTo' => $url,
    );
    $as->login($params);
}

// Authenticated: hand the attributes and the NameID (or false when absent) to the status template.
$attributes = $as->getAttributes();
$t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$t->data['header'] = '{status:header_saml20_sp}';
$t->data['attributes'] = $attributes;
if (is_null($as->getAuthData('saml:sp:NameID'))) {
    $t->data['nameid'] = false;
} else {
    $t->data['nameid'] = $as->getAuthData('saml:sp:NameID');
}
 * limitations under the License.
 */
// Example SAML SP page: loads SimpleSAMLphp, then handles the 'logout' and
// 'saml_sso' request parameters before the HTML below is rendered.
require '../simplesamlphp/lib/_autoload.php';
session_start();
// Front-end assets are referenced from a third-party CDN with protocol-relative URLs.
// NOTE(review): the tags that consume these URLs are not visible here — confirm they carry integrity attributes.
$bootstrap_cdn_css_url = '//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/css/bootstrap.min.css';
$bootstrap_cdn_js_url = '//cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.2/js/bootstrap.min.js';
$jquery_cdn_url = '//cdnjs.cloudflare.com/ajax/libs/jquery/1.11.2/jquery.min.js';
$title = 'SimpleSAMLphp Example SAML SP';
// Key under which this page keeps its own user record in $_SESSION.
$user_session_key = 'user_session';
// Name of the request parameter that selects the authentication source to log in with.
$saml_sso = 'saml_sso';
// If the user is logged in and requesting a logout.
if (isset($_SESSION[$user_session_key]) && isset($_REQUEST['logout'])) {
    // The source name comes from the page's own session record, which is cleared before the SAML logout.
    $sp = $_SESSION[$user_session_key]['sp'];
    unset($_SESSION[$user_session_key]);
    $as = new SimpleSAML_Auth_Simple($sp);
    // Return to this script after logout.
    // NOTE(review): PHP_SELF reflects the requested path; confirm it is acceptable as a return target here.
    $as->logout(["ReturnTo" => $_SERVER['PHP_SELF']]);
}
// If the user is logging in.
if (isset($_REQUEST[$saml_sso])) {
    // NOTE(review): the authentication source name is taken directly from the request — confirm that
    // letting the client choose any configured source is intended.
    $sp = $_REQUEST[$saml_sso];
    $as = new SimpleSAML_Auth_Simple($sp);
    $as->requireAuth();
    // Snapshot of the authenticated user that the page stores in its own session.
    $user = array('sp' => $sp, 'authed' => $as->isAuthenticated(), 'idp' => $as->getAuthData('saml:sp:IdP'), 'nameId' => $as->getAuthData('saml:sp:NameID')['Value'], 'attributes' => $as->getAttributes());
    $_SESSION[$user_session_key] = $user;
}
?>
  
<!DOCTYPE html>
<html>
  <head>
    <title><?php 
}
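// CAS server logout: deletes the session's ticket, then either logs out of the
// configured authentication source or, when there is no session, redirects.
$skipLogoutPage = $casconfig->getValue('skip_logout_page', false);
if ($skipLogoutPage && !array_key_exists('url', $_GET)) {
    $message = 'Required URL query parameter [url] not provided. (CAS Server)';
    SimpleSAML_Logger::debug('casserver:' . $message);
    throw new Exception($message);
}
// With skip_logout_page the browser is sent straight to the caller-supplied
// [url]. That value is request input, so it is run through SimpleSAMLphp's
// allowed-URL check up front; a rejected URL aborts the request before any
// ticket or session is touched instead of turning this endpoint into an
// open redirect.
$directReturnUrl = null;
if ($skipLogoutPage) {
    if (!is_string($_GET['url'])) {
        $message = 'URL query parameter [url] must be a string. (CAS Server)';
        SimpleSAML_Logger::debug('casserver:' . $message);
        throw new Exception($message);
    }
    $directReturnUrl = SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['url']);
}
/* Load simpleSAMLphp metadata */
$as = new SimpleSAML_Auth_Simple($casconfig->getValue('authsource'));
$session = SimpleSAML_Session::getSession();
if (!is_null($session)) {
    // Remove the ticket stored under this session's id from the configured ticket store.
    $ticketStoreConfig = $casconfig->getValue('ticketstore', array('class' => 'casserver:FileSystemTicketStore'));
    $ticketStoreClass = SimpleSAML_Module::resolveClass($ticketStoreConfig['class'], 'Cas_Ticket');
    $ticketStore = new $ticketStoreClass($casconfig);
    $ticketStore->deleteTicket($session->getSessionId());
}
if ($as->isAuthenticated()) {
    SimpleSAML_Logger::debug('casserver: performing a real logout');
    if ($skipLogoutPage) {
        $as->logout($directReturnUrl);
    } else {
        // [url] is only forwarded as a parameter to the module's own logged-out page.
        $as->logout(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array()));
    }
} else {
    SimpleSAML_Logger::debug('casserver: no session to log out of, performing redirect');
    if ($skipLogoutPage) {
        // redirectTrustedURL() assumes its argument is trusted, which now holds because of the check above.
        SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters($directReturnUrl, array()));
    } else {
        SimpleSAML\Utils\HTTP::redirectTrustedURL(SimpleSAML\Utils\HTTP::addURLParameters(SimpleSAML_Module::getModuleURL('casserver/loggedOut.php'), array_key_exists('url', $_GET) ? array('url' => $_GET['url']) : array()));
    }
}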
Example #13
    $attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);
    SimpleSAML_Logger::info('consentAdmin: user: '******'consentAdmin: target: ' . $targeted_id);
    SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attribute_hash);
    /* Return values */
    return array($targeted_id, $attribute_hash, $attributes);
}
// Get config object
$config = SimpleSAML_Configuration::getInstance();
$cA_config = SimpleSAML_Configuration::getConfig('module_consentAdmin.php');
$authority = $cA_config->getValue('authority');
$as = new SimpleSAML_Auth_Simple($authority);
// If request is a logout request
if (array_key_exists('logout', $_REQUEST)) {
    $returnURL = $cA_config->getValue('returnURL');
    $as->logout($returnURL);
}
$hashAttributes = $cA_config->getValue('attributes.hash');
/* Check if valid local session exists */
$as->requireAuth();
// Get released attributes
$attributes = $as->getAttributes();
// Get metadata storage handler
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
/*
 * Get IdP id and metadata
 */
if ($as->getAuthData('saml:sp:IdP') !== NULL) {
    /*
     * From a remote idp (as bridge)
     */
 /**
  * SSO logout and destruction of the SAML session.
  *
  * For SAML integration with an empty 'saml_sign_out' setting, only the
  * SimpleSAMLphp session for this domain is logged out. For any other SAML
  * case, and for LDAP integration, a full logout is started that returns to
  * 'index.php'. Any other integration type is left untouched.
  *
  * @return $this
  */
 public function ssoLogout()
 {
     $integrationType = $this->_sso_settings['saml_integration_type'];
     $isSaml = $integrationType == self::SSO_TYPE_SAML;

     if ($isSaml && trim($this->_sso_settings['saml_sign_out']) == '') {
         // No sign-out URL configured: end the local SAML session only.
         \SimpleSAML_Session::getInstance()->doLogout($this->_domain);
         return $this;
     }

     if ($isSaml || $integrationType == self::SSO_TYPE_LDAP) {
         // The return target is a fixed relative page, not request input.
         $samlAuth = new \SimpleSAML_Auth_Simple($this->_domain);
         $samlAuth->logout('index.php');
     }

     return $this;
 }
        $showFields[] = $name;
    }
}
$readOnlyFields = $showFields;
$formGen = new sspmod_selfregister_XHTML_Form($formFields, 'delUser.php');
$formGen->fieldsToShow($showFields);
$formGen->setReadOnly($readOnlyFields);
$html = new SimpleSAML_XHTML_Template($config, 'selfregister:deluser.tpl.php', 'selfregister:selfregister');
if (array_key_exists('sender', $_POST)) {
    try {
        // Delete user object
        $store->delUser($attributes[$store->userIdAttr][0]);
        // Now when a User delete himself sucesfully, System log out him.
        // In the future when admin delete a user a msg will be showed
        // $html->data['userMessage'] = 'message_userdel';
        $as->logout(SimpleSAML_Module::getModuleURL('selfregister/index.php?status=deleted'));
    } catch (sspmod_selfregister_Error_UserException $e) {
        // Some user error detected
        $error = $html->t($e->getMesgId(), $e->getTrVars());
        $html->data['error'] = htmlspecialchars($error);
    }
} elseif (array_key_exists('logout', $_GET)) {
    $as->logout(SimpleSAML_Module::getModuleURL('selfregister/index.php'));
} else {
    // The GET access this endpoint
    $values = sspmod_selfregister_Util::filterAsAttributes($attributes, $reviewAttr);
}
$formGen->setValues($values);
$formGen->setSubmitter('submit_delete');
$formHtml = $formGen->genFormHtml();
$html->data['formHtml'] = $formHtml;
 /**
  * Log the current user out of the application, then start a SAML logout
  * through the IdP's initSLO.php endpoint.
  *
  * The authentication source defaults to 'iconito-sql' and can be overridden
  * with the 'default|conf_Saml_authSource' configuration value.
  */
 public function processLogout()
 {
     require_once COPIX_UTILS_PATH . '../../simplesamlphp/lib/_autoload.php';

     // Pick the authentication source: configured value when present and non-empty, else the default.
     $sourceId = 'iconito-sql';
     $hasConfiguredSource = CopixConfig::exists('default|conf_Saml_authSource')
         && CopixConfig::get('default|conf_Saml_authSource');
     if ($hasConfiguredSource) {
         $sourceId = CopixConfig::get('default|conf_Saml_authSource');
     }
     $samlAuth = new SimpleSAML_Auth_Simple($sourceId);

     // Tear down the application-side session when a user is connected.
     $ppo = new CopixPPO();
     $ppo->user = _currentUser();
     if ($ppo->user->isConnected()) {
         CopixAuth::getCurrentUser()->logout(array());
         CopixEventNotifier::notify('logout', array('login' => CopixAuth::getCurrentUser()->getLogin()));
         CopixAuth::destroyCurrentUser();
         CopixSession::destroyNamespace('default');
     }

     // The RelayState is URL-encoded because it is itself a URL placed inside a query string.
     $sloUrl = _url() . 'simplesaml/saml2/idp/initSLO.php?RelayState=' . urlencode(_url('auth|saml|logout_cas'));
     $samlAuth->logout($sloUrl);
 }
Example #17
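<?php

/**
 * Endpoint for logging out with an authentication source.
 *
 * Expects two string request parameters: 'ReturnTo' (where to send the
 * browser afterwards) and 'AuthId' (the authentication source to log out of).
 *
 * @package simpleSAMLphp
 * @version $Id$
 */
if (!isset($_REQUEST['ReturnTo']) || !is_string($_REQUEST['ReturnTo'])) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
// ReturnTo is request input and becomes the post-logout redirect target.
// Passing it straight to logout() makes this endpoint an open redirect, so it
// is first checked with checkURLAllowed(), which rejects URLs that the
// installation's trusted-URL configuration does not permit.
// NOTE(review): requires a SimpleSAMLphp release that ships SimpleSAML_Utilities::checkURLAllowed() — confirm.
$as->logout(SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']));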
    $sp = "SPpruebas";
    // Name of SP defined in config/authsources.php
} elseif ($_SERVER['SERVER_NAME'] == '10.20.0.19' || $_SERVER['SERVER_NAME'] == 'oas.udistrital.edu.co') {
    $sp = "SPoas";
    // Name of SP defined in config/authsources.php
}
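// Load SimpleSAMLphp, ask whether a SAML session exists for the selected SP,
// and log out of it when it does. Failures are rethrown as a generic Exception.
try {
    // Autoload simplesamlphp classes.
    if (!file_exists("{$lib}/_autoload.php")) {
        throw new Exception("simpleSAMLphp lib loader file does not exist: " . "{$lib}/_autoload.php");
    }
    include_once "{$lib}/_autoload.php";
    $as = new SimpleSAML_Auth_Simple($sp);
    // Ask whether the user currently has a SAML session for this SP.
    $valid_saml_session = $as->isAuthenticated();
} catch (Exception $e) {
    // SimpleSAMLphp is not configured correctly.
    // (The statement that followed this throw could never run and has been dropped.)
    throw new Exception("SSO authentication failed: " . $e->getMessage());
}
if ($valid_saml_session) {
    // A SAML session exists: log out of it. With no argument, logout()
    // returns to the current page by default.
    try {
        $as->logout();
    } catch (Exception $e) {
        // SimpleSAMLphp is not configured correctly.
        throw new Exception("SSO authentication failed: " . $e->getMessage());
    }
}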
Example #19
<?php

// Minimal logout script: load SimpleSAMLphp, make sure the user is
// authenticated on 'default-sp', then log out and return to a fixed URL.
require_once '/usr/share/simplesamlphp/lib/_autoload.php';
$as = new SimpleSAML_Auth_Simple('default-sp');
// NOTE(review): requiring authentication right before logging out presumably forces a login for
// users without a session — confirm this is intended.
$as->requireAuth();
// The return target is a hard-coded HTTPS URL, not request input.
$as->logout('https://brain.lab.vvc.niif.hu');
Example #20
	/**
	 * Log the user out.
	 * Addition: clears the authentication-source variable from the session.
	 * Addition: does not log out of the source when the configuration says so; the local
	 * logout path below is used in that case.
	 *
	 * This function logs the user out. It will never return. By default,
	 * it will cause a redirect to the current page after logging the user
	 * out, but a different URL can be given with the $params parameter.
	 *
	 * Generic parameters are:
	 *  - 'ReturnTo': The URL the user should be returned to after logout.
	 *  - 'ReturnCallback': The function that should be called after logout.
	 *  - 'ReturnStateParam': The parameter we should return the state in when redirecting.
	 *  - 'ReturnStateStage': The stage the state array should be saved with.
	 *
	 * @param string|array|NULL $params  Either the url the user should be redirected to after logging out,
	 *                                   or an array with parameters for the logout. If this parameter is
	 *                                   NULL, we will return to the current page.
	 */
	public function logout($params = NULL) {
		// Always forget which SAML source the user came from.
		unset($_SESSION['utilisateur_saml_source']);
		

		if ($this->getDoSourceLogout()) {
			// Normal case: delegate to the parent implementation.
			parent::logout($params);
		} else {
			// Local-only logout: the remaining code normalises $params and ends the local session.
			assert('is_array($params) || is_string($params) || is_null($params)');
	
			// No target given: return to the current page.
			if ($params === NULL) {
				$params = SimpleSAML_Utilities::selfURL();
			}
	
			// A bare string is shorthand for the ReturnTo parameter.
			if (is_string($params)) {
				$params = array(
					'ReturnTo' => $params,
				);
			}
	
			assert('is_array($params)');
			assert('isset($params["ReturnTo"]) || isset($params["ReturnCallback"])');
	
			// ReturnStateParam and ReturnStateStage must be given together.
			if (isset($params['ReturnStateParam']) || isset($params['ReturnStateStage'])) {
				assert('isset($params["ReturnStateParam"]) && isset($params["ReturnStateStage"])');
			}
	
			$session = SimpleSAML_Session::getInstance();
			if ($session->isValid($this->authSource)) {
				// Stored logout state is merged first, so explicitly passed parameters win.
				$state = $session->getAuthData($this->authSource, 'LogoutState');
				if ($state !== NULL) {
					$params = array_merge($state, $params);
				}
	
				$session->doLogout($this->authSource);
	
				$params['LogoutCompletedHandler'] = array(get_class(), 'logoutCompleted');
			}
			
			// Add portal_return_url to the request; it is used in a later refresh (logout.php or Session.class.php).
			// NOTE(review): the value is concatenated into the query string without URL-encoding — confirm
			// that getPortalReturnUrl() returns an already-encoded value, otherwise characters such as
			// '&' or '#' in it would alter the resulting ReturnTo URL.
			if (isset($params["ReturnTo"])) {
					$portal_return_url = $this->getPortalReturnUrl();
					//echo $portal_return_url;die;
					if ($portal_return_url != null) {
				 		// Use '?' when ReturnTo has no query string yet, '&' otherwise.
				 		if (strpos($params["ReturnTo"],'?') === false)  {
				 			$portal_parameter = '?portal_return_url='.$portal_return_url;
				 		} else {
				 			$portal_parameter = '&portal_return_url='.$portal_return_url;
				 		}
						$params["ReturnTo"] .=  $portal_parameter;
					}
			}
			
			self::logoutCompleted($params);
		}
	}
Example #21
 * We need access to the various simpleSAMLphp classes. These are loaded
 * by the simpleSAMLphp autoloader.
 */
require_once '../../lib/_autoload.php';
/*
 * We use the default-sp authentication source.
 */
$as = new SimpleSAML_Auth_Simple('default-sp');
/* This handles logout requests. */
if (array_key_exists('logout', $_REQUEST)) {
    /*
     * We redirect to the current URL _without_ the query parameter. This
     * avoids a redirect loop, since otherwise it will access the logout
     * endpoint again.
     */
    $as->logout(SimpleSAML_Utilities::selfURLNoQuery());
    /* The previous function will never return. */
}
if (array_key_exists('login', $_REQUEST)) {
    /*
     * If the login parameter is requested, it means that we should log
     * the user in. We do that by requiring the user to be authenticated.
     *
     * Note that the requireAuth-function will preserve all GET-parameters
     * and POST-parameters by default.
     */
    $as->requireAuth();
    /* The previous function will only return if the user is authenticated. */
}
if (array_key_exists('message', $_POST)) {
    /*
        // Always prevent changes on User identification param in DataSource and Session.
        unset($userInfo[$store->userIdAttr]);
        $store->updateUser($attributes[$store->userIdAttr][0], $userInfo);
        // I must override the values with the userInfo values due in processInput i can change the values.
        // But now atributes from the logged user is obsolete, So I can actualize it and get values from session
        // but maybe we could have security problem if IdP isnt configured correctly.
        foreach ($userInfo as $name => $value) {
            $attributes[$name][0] = $value;
        }
        $session->setData('selfregister:updated', 'attributes', $attributes, SimpleSAML_Session::DATA_TIMEOUT_SESSION_END);
        $values = sspmod_selfregister_Util::filterAsAttributes($attributes, $reviewAttr);
        $html->data['userMessage'] = 'message_chuinfo';
    } catch (sspmod_selfregister_Error_UserException $e) {
        // Some user error detected
        $values = $validator->getRawInput();
        $values['mail'] = $attributes['mail'][0];
        $error = $html->t($e->getMesgId(), $e->getTrVars());
        $html->data['error'] = htmlspecialchars($error);
    }
} elseif (array_key_exists('logout', $_GET)) {
    $as->logout(SimpleSAML_Module::getModuleURL('selfregister/index.php'));
} else {
    // The GET access this endpoint
    $values = sspmod_selfregister_Util::filterAsAttributes($attributes, $reviewAttr);
}
$formGen->setValues($values);
$formGen->setSubmitter('submit_change');
$formHtml = $formGen->genFormHtml();
$html->data['formHtml'] = $formHtml;
$html->data['uid'] = $attributes[$store->userIdAttr][0];
$html->show();
Example #23
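<?php

include dirname(__FILE__) . "/bootstrap.php";

// The post-logout target comes from the request, so it is honoured only when
// it stays on this site; anything else falls back to HOME_URL. This keeps the
// script from acting as an open redirect (both branches below redirect to it).
$returnTo = HOME_URL;
if (isset($_REQUEST["returnTo"]) && is_string($_REQUEST["returnTo"])) {
    $candidate = $_REQUEST["returnTo"];

    // Backslashes, whitespace and control characters are rejected outright:
    // browsers and parse_url() disagree on how to read them, and CR/LF must
    // never reach a header.
    $hasUnsafeChars = preg_match('/[\\\\\x00-\x20\x7f]/', $candidate) === 1;

    // A local absolute path: starts with a single '/', not with '//'.
    $isLocalPath = strncmp($candidate, '/', 1) === 0 && strncmp($candidate, '//', 2) !== 0;

    // An absolute http(s) URL on the same host as HOME_URL, without user-info.
    $candidateScheme = parse_url($candidate, PHP_URL_SCHEME);
    $candidateHost = parse_url($candidate, PHP_URL_HOST);
    $homeHost = parse_url(HOME_URL, PHP_URL_HOST);
    $isSameHost = is_string($candidateScheme)
        && in_array(strtolower($candidateScheme), array('http', 'https'), true)
        && is_string($candidateHost)
        && is_string($homeHost)
        && strcasecmp($candidateHost, $homeHost) === 0
        && parse_url($candidate, PHP_URL_USER) === null
        && parse_url($candidate, PHP_URL_PASS) === null;

    if (!$hasUnsafeChars && ($isLocalPath || $isSameHost)) {
        $returnTo = $candidate;
    }
}

if (defined("ENV") && ENV !== "dev") {
    // Outside dev: log out of the SAML source (SIMPLE_SAML_SP when defined, else 'default-sp').
    $sp = defined("SIMPLE_SAML_SP") ? SIMPLE_SAML_SP : 'default-sp';
    $saml = new SimpleSAML_Auth_Simple($sp);
    $saml->logout($returnTo);
} else {
    // Dev (or ENV undefined): no SAML involved, just clear the dev login cookie and redirect.
    header("Location: " . $returnTo);
    setcookie("beta_dev_loggedin", false);
    die;
}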
Example #24
<?php

/**
 * Logout endpoint for an authentication source.
 *
 * Expects two string request parameters: 'ReturnTo' (where to send the
 * browser afterwards) and 'AuthId' (the authentication source to log out of).
 *
 * @package simpleSAMLphp
 */
if (!(isset($_REQUEST['ReturnTo']) && is_string($_REQUEST['ReturnTo']))) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!(isset($_REQUEST['AuthId']) && is_string($_REQUEST['AuthId']))) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
// ReturnTo is request input, so it goes through the allowed-URL check before it is used as a redirect target.
$returnTo = \SimpleSAML\Utils\HTTP::checkURLAllowed($_REQUEST['ReturnTo']);
$as->logout($returnTo);
Example #25
// Load the SimpleSAMLphp autoloader from the configured library location.
require_once $samllib . '/lib/_autoload.php';
// point at the configured config directory
$samlconfig = get_config_plugin('auth', 'saml', 'simplesamlphpconfig');
// get all the things that we will need from the SAML authentication
// and then shutdown the session control
SimpleSAML_Configuration::init($samlconfig);
$saml_session = SimpleSAML_Session::getInstance();
// do we have a logout request?
if (param_variable("logout", false)) {
    // logout the saml session
    // The source is taken from the SAML session itself, falling back to 'default-sp'.
    $sp = $saml_session->getAuthority();
    if (!$sp) {
        $sp = 'default-sp';
    }
    $as = new SimpleSAML_Auth_Simple($sp);
    // The return target is the site's configured root URL, not request input.
    $as->logout($CFG->wwwroot);
}
// The requested source name is accepted only when it is one of the configured
// sources; anything else is replaced by 'default-sp'.
$sp = param_alphanumext('as', 'default-sp');
if (!in_array($sp, SimpleSAML_Auth_Source::getSources())) {
    $sp = 'default-sp';
}
$as = new SimpleSAML_Auth_Simple($sp);
// Check the SimpleSAMLphp config is compatible
$saml_config = SimpleSAML_Configuration::getInstance();
$session_handler = $saml_config->getString('session.handler', false);
$store_type = $saml_config->getString('store.type', false);
// Rejected: 'phpsession' as store type or session handler, or neither setting present.
// (&& binds tighter than ||, so the two empty() checks form the last alternative.)
if ($store_type == 'phpsession' || $session_handler == 'phpsession' || empty($store_type) && empty($session_handler)) {
    throw new AuthInstanceException(get_string('errorbadssphp', 'auth.saml'));
}
// what is the session like?
$valid_saml_session = $saml_session->isValid($sp);
Example #26
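 /**
  * Finish an account-connection flow: log out of the temporary "-connect"
  * SAML source and send the browser back to where the flow started.
  *
  * The return target is the referer stored in the session; when that is
  * empty the request's Referer header is used, and when that is empty too
  * the site root built from the Host header.
  */
 public function postconnectedAction()
 {
     $this->_helper->layout->disableLayout();
     $this->_helper->viewRenderer->setNoRender();
     $source = $this->session->connectdaccountsource;
     $referer = trim($this->session->connectreferer);
     // The "-connect" source name is derived from the stored "-sp" source name.
     $connectedsource = str_replace("-sp", "-connect", strtolower(trim($source)));
     if (trim($referer) === "") {
         // The Referer header is optional; reading it unguarded raised an
         // undefined-index notice when the browser did not send one.
         $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
         $this->session->connectreferer = $referer;
     }
     if (trim($referer) === "") {
         $referer = "https://" . $_SERVER["HTTP_HOST"];
     }
     // NOTE(review): both fallbacks (Referer and Host headers) are client-supplied and end up as the
     // redirect target — confirm they are validated elsewhere or restrict them to this site.
     unset($this->session->connectreferer);
     unset($this->session->connectdaccountsource);
     require_once SamlAuth::LIB_AUTOLOAD;
     //Get SAML Authentication new user account for connection (-connect) and perform logout
     $as = new SimpleSAML_Auth_Simple($connectedsource);
     $as->logout($referer);
 }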
Example #27
    qui ensuite demande à l'IdP de tuer la session en cours.
    */
    // Redirection mise en dure ici pour l'instant, tant que ça ne concerne que Bordeaux...
    // Remarque : le code 307 peut causer des soucis ; le code 302 semble mieux. http://fr.wikipedia.org/wiki/Liste_des_codes_HTTP
    header('Status: 302 Found', TRUE, 302);
    header('Location: https://ent2d.ac-bordeaux.fr/Shibboleth.sso/Logout');
    exit;
}
// ////////////////////////////////////////////////////////////////////////////////////////////////////
// Logging out of GEPI with the SAML protocol
// ////////////////////////////////////////////////////////////////////////////////////////////////////
if ($connexion_mode == 'gepi') {
    // Load the SimpleSAMLphp library autoloader (it cannot simply be integrated into the _loader through a single class call, as phpCAS can).
    require CHEMIN_DOSSIER_SACOCHE . '_lib' . DS . 'SimpleSAMLphp' . DS . 'lib' . DS . '_autoload.php';
    // Store in the session the information SimpleSAMLphp needs; constants do not work because Gepi calls SimpleSAMLphp directly, bypassing SACoche, to verify the legitimacy of the call.
    $_SESSION['SACoche-SimpleSAMLphp'] = array('GEPI_URL' => $gepi_url, 'GEPI_RNE' => $gepi_rne, 'GEPI_CERTIFICAT_EMPREINTE' => $gepi_certificat_empreinte, 'SIMPLESAMLPHP_BASEURLPATH' => substr($_SERVER['SCRIPT_NAME'], 1, -9) . '_lib/SimpleSAMLphp/www/', 'WEBMESTRE_NOM' => WEBMESTRE_NOM, 'WEBMESTRE_PRENOM' => WEBMESTRE_PRENOM, 'WEBMESTRE_COURRIEL' => WEBMESTRE_COURRIEL);
    // Initialise the class
    $auth = new SimpleSAML_Auth_Simple('distant-gepi-saml');
    // Log out of GEPI
    if ($auth->isAuthenticated()) {
        // With no argument, logout() returns to the current page by default.
        $auth->logout();
        exit;
    } elseif (isset($_SESSION['SimpleSAMLphp_SESSION'])) {
        // We are most likely returning from the GEPI logout (unlike CAS, the remote logout page sends the user back to the application instead of stopping there).
        // Drop the leftover SimpleSAMLphp session data before showing the confirmation message.
        unset($_SESSION['SimpleSAMLphp_SESSION']);
        exit_error('Deconnexion de Gepi', 'Déconnexion du service d\'authentification Gepi effectuée.<br />Fermez votre navigateur par sécurité.');
    } else {
        // Odd... apparently we were not logged in to GEPI... direct call?
        exit_error('Deconnexion de Gepi', 'Votre authentification sur Gepi n\'a pas été retrouvée.<br />Fermez votre navigateur par sécurité pour être certain d\'en être déconnecté.');
    }
}
Example #28
 /**
  * Post-login hook: redirects known users, and for SAML-authenticated users
  * that do not exist yet either rejects them or creates their account.
  *
  * NOTE(review): two statements in this listing are damaged (text replaced by
  * '******'), so the account-creation part cannot be read completely here.
  *
  * @param array $parameters hook parameters; the 'uid' entry is read as the user id
  *
  * @return bool true when processing completed (or was skipped on a sharding slave), false when it was abandoned
  */
 public static function post_login($parameters)
 {
     // Do nothing if we're sharding and not on the master
     if (OCP\App::isEnabled('files_sharding') && !OCA\FilesSharding\Lib::isMaster()) {
         return true;
     }
     $uid = '';
     $userid = $parameters['uid'];
     $samlBackend = new OC_USER_SAML();
     $ocUserDatabase = new OC_User_Database();
     // Redirect regardless of whether the user has authenticated with SAML or not.
     // Since this is a post_login hook, he will have authenticated in some way and have a valid session.
     if ($ocUserDatabase->userExists($userid)) {
         // Set user attributes for sharding
         $display_name = \OCP\User::getDisplayName($userid);
         $email = \OCP\Config::getUserValue($userid, 'settings', 'email');
         $groups = \OC_Group::getUserGroups($userid);
         $quota = \OC_Preferences::getValue($userid, 'files', 'quota');
         OC_Util::teardownFS($userid);
         OC_Util::setupFS($userid);
         // NOTE(review): user id, display name, e-mail, groups and quota are written to the log at INFO
         // level — confirm this amount of personal data in logs is acceptable.
         OC_Log::write('saml', 'Setting user attributes: ' . $userid . ":" . $display_name . ":" . $email . ":" . join($groups) . ":" . $quota, OC_Log::INFO);
         self::setAttributes($userid, $display_name, $email, $groups, $quota);
         self::user_redirect($userid);
     }
     // Everything below applies only to a SAML-authenticated session.
     if (!$samlBackend->auth->isAuthenticated()) {
         return false;
     }
     $attributes = $samlBackend->auth->getAttributes();
     //$email = "<pre>" . print_r($attributes, 1) . "</pre>";
     //$headers = 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
     //error_log($email, 1, '*****@*****.**', $headers);
     // The user name is the first value of the first mapped attribute that is present and non-empty.
     $usernameFound = false;
     foreach ($samlBackend->usernameMapping as $usernameMapping) {
         if (array_key_exists($usernameMapping, $attributes) && !empty($attributes[$usernameMapping][0])) {
             $usernameFound = true;
             $uid = $attributes[$usernameMapping][0];
             OC_Log::write('saml', 'Authenticated user ' . $uid, OC_Log::INFO);
             break;
         }
     }
     // The SAML-asserted user name must match the user id the hook was called for.
     if (!$usernameFound || $uid !== $userid) {
         return false;
     }
     $attrs = self::get_user_attributes($uid, $samlBackend);
     if (!$ocUserDatabase->userExists($uid)) {
         // If autocreate is not enabled - back off
         if (!$samlBackend->autocreate) {
             return false;
         }
         // Apparently it is necessary to clear the uid first, to be able to create the user in the DB
         $userManager = \OC_User::getManager();
         $userManager->delete($uid);
         // Reject invalid user names
         // NOTE(review): this check runs after the delete() call above, so a uid with disallowed
         // characters has already been passed to the user manager — confirm the order is intended.
         if (preg_match('/[^a-zA-Z0-9 _\\.@\\-]/', $uid)) {
             OC_Log::write('saml', 'Invalid username "' . $uid . '", allowed chars "a-zA-Z0-9" and "_.@-" ', OC_Log::DEBUG);
             return false;
         }
         $cookiedomain = OCP\App::isEnabled('files_sharding') ? OCA\FilesSharding\Lib::getCookieDomain() : null;
         // Reject users we don't allow to autocreate an account
         if (isset($uid) && trim($uid) != '' && !OC_User::userExists($uid) && !self::check_user_attributes($attributes)) {
             $failCookieName = 'saml_auth_fail';
             $userCookieName = 'saml_auth_fail_user';
             // Expiry 0: both cookies last for the browser session.
             $expire = 0;
             //time()+60*60*24*30;
             // $expired is computed but not used in the visible code.
             $expired = time() - 3600;
             $path = '/';
             // NOTE(review): both cookies carry the rejected uid and are set with the secure and httponly
             // flags off (last two arguments) — confirm that script-readable, non-TLS cookies are intended.
             setcookie($failCookieName, "notallowed:" . $uid, $expire, $path, $cookiedomain, false, false);
             setcookie($userCookieName, $uid, $expire, $path, $cookiedomain, false, false);
             $spSource = 'default-sp';
             $auth = new SimpleSAML_Auth_Simple($spSource);
             OC_Log::write('saml', 'Rejected user "' . $uid, OC_Log::ERROR);
             // NOTE(review): the same sharding/not-master condition already returns at the top of this
             // function, so this branch looks unreachable; it also passes the boolean negation of
             // getMasterURL() to logout() rather than the URL itself — presumably the '!' is a mistake.
             if (OCP\App::isEnabled('files_sharding') && !OCA\FilesSharding\Lib::isMaster()) {
                 $auth->logout(!OCA\FilesSharding\Lib::getMasterURL());
             } else {
                 $auth->logout();
             }
             return false;
         }
         // Create new user
         // The local account gets a random password, presumably because login happens through SAML.
         $random_password = OC_Util::generateRandomBytes(20);
         // NOTE(review): the next statement is damaged in this listing ('******' replaces part of the code).
         OC_Log::write('saml', 'Creating new user: '******'/' . $uid . '/files';
             \OC\Files\Filesystem::init($uid, $userDir);
             if ($samlBackend->updateUserData) {
                 self::update_user_data($uid, $samlBackend, $attrs, true);
                 if (OCP\App::isEnabled('files_sharding') && OCA\FilesSharding\Lib::isMaster()) {
                     $master_site = OCA\FilesSharding\Lib::dbGetSite(null);
                     $server_id = OCA\FilesSharding\Lib::dbChooseServerForUser($uid, $master_site, 0, null);
                     // NOTE(review): the next statement is damaged in this listing ('******' replaces part of the code).
                     OC_Log::write('saml', 'Setting server for new user: '******'display_name'], $attrs['email'], $attrs['groups'], $attrs['quota']);
         }
     } else {
         // Existing user: refresh the stored data from the SAML attributes when enabled.
         if ($samlBackend->updateUserData) {
             self::update_user_data($uid, $samlBackend, $attrs, false);
         }
     }
     self::user_redirect($userid);
     return true;
 }
 /**
  * Sign the user out of the application, then out of the 'default-sp' SAML source.
  *
  * The return target is the configured sign-out route when one is set,
  * otherwise the 'homepage' route; neither comes from request input.
  */
 public function executeSignout($request)
 {
     $this->getUser()->signOut();

     $configuredUrl = sfConfig::get('app_sf_guard_plugin_success_signout_url');
     $targetRoute = ('' != $configuredUrl) ? $configuredUrl : 'homepage';

     $samlAuth = new SimpleSAML_Auth_Simple('default-sp');
     $samlAuth->logout($this->generateUrl($targetRoute), array(), true);

     // logout() is documented as never returning; this redirect is a fallback in case it does.
     $this->redirect($targetRoute);
 }
 /**
  * Single-logout action: clears the registry and logs out of the
  * 'authinstance' SAML source, returning to the URL given in the 'return'
  * request parameter.
  */
 public function actionSlo()
 {
     // NOTE(review): the post-logout target is read straight from the request and handed to logout()
     // unchecked. Unless logout() validates it in the SimpleSAMLphp version in use, this can redirect
     // to any URL — restrict it to this site or run it through the library's allowed-URL check.
     $returnUrl = $this->_request->getParam('return');
     \utilities\Registry::clearRegistry();
     $auth = new \SimpleSAML_Auth_Simple('authinstance');
     $auth->logout($returnUrl);
     // Marks this point as one that should not be reached.
     assert('FALSE');
 }