public function actionSso()
{
$metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = \SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
\sspmod_saml_IdP_SAML2::receiveAuthnRequest($idp);
assert('FALSE');
}
public function actionSso()
{
//logout previous sso session
\utilities\Registry::clearRegistry();
$isRequestPost = $this->_request->isPost();
if ($isRequestPost) {
// check if every required parameter is set or not
$username = $this->_request->getParam('username', null);
$password = $this->_request->getParam('password', null);
$referrer = $this->_request->getParam('spentityid', null);
if (!$username) {
$this->_response->renderJson(array('message' => 'Username is not set'));
}
if (!$password) {
$this->_response->renderJson(array('message' => 'Password is not set'));
}
if (!$referrer) {
$this->_response->renderJson(array('message' => 'Referrer not set'));
}
$objDbUserauth = new \models\Users();
// check if user is authenticated or not
$userAuthenticationStatus = $objDbUserauth->authenticate($username, $password);
// user locked due to 5 invalid attempts
if (\models\Users::ERROR_USER_LOCKED === $userAuthenticationStatus) {
$this->_response->renderJson(array('message' => 'Your account is locked due to 5 invalid attempts', 'authstatus' => $userAuthenticationStatus));
}
//user password is expired
if (\models\Users::ERROR_USER_PWD_EXPIRED === $userAuthenticationStatus) {
$this->_response->renderJson(array('message' => 'Your password is expired', 'authstatus' => $userAuthenticationStatus));
}
//user authentication is successfull
if ($userAuthenticationStatus === true) {
$metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = \SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
\sspmod_saml_IdP_SAML2::receiveAuthnRequest($idp);
assert('FALSE');
} else {
//handle invalid attempts
$objInvalidAttempts = new \models\UserLoginAttempts();
$loginAttemptsLeft = $objInvalidAttempts->handleInvalidLoginAttempts($username);
$invalidAttempt = false;
// if attempt is invalid username is wrong
$message = "Invalid credentials";
if ($loginAttemptsLeft !== false) {
// if last attempt was hit then show that account is locked
if ($loginAttemptsLeft === 0) {
$this->_response->renderJson(array('message' => 'Your account is locked due to 5 invalid attempts', 'authstatus' => \models\Users::ERROR_USER_LOCKED));
}
$invalidAttempt = true;
$message = "Incorrect Password.You have {$loginAttemptsLeft} attempts left";
}
$this->_response->renderJson(array('message' => $message, 'invalidAttempt' => $invalidAttempt));
exit;
}
}
$this->_response->renderJson(array('message' => 'Only post request are accepted'));
}
<?php
/**
* This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses,
* and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP.
*
* @author Andreas Åkre Solberg, UNINETT AS. <*****@*****.**>
* @package SimpleSAMLphp
*/
require_once '../../_include.php';
SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
if (isset($_REQUEST['ReturnTo'])) {
$idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo']));
} else {
try {
sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp);
} catch (Exception $e) {
// TODO: look for a specific exception
/*
* This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should
* throw an specific exception when the binding is unknown, and we should capture that here
*/
if ($e->getMessage() === 'Unable to find the current binding.') {
throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400);
} else {
throw $e;
// do not ignore other exceptions!
}
<?php
/**
* ADFS PRP IDP protocol support for simpleSAMLphp.
*
* @author Hans Zandbelt, SURFnet bv, <*****@*****.**>
* @package simpleSAMLphp
*/
SimpleSAML_Logger::info('ADFS - IdP.prp: Accessing ADFS IdP endpoint prp');
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
$idp = SimpleSAML_IdP::getById('adfs:' . $idpEntityId);
if (isset($_GET['wa'])) {
if ($_GET['wa'] === 'wsignout1.0') {
sspmod_adfs_IdP_ADFS::receiveLogoutMessage($idp);
} else {
if ($_GET['wa'] === 'wsignin1.0') {
sspmod_adfs_IdP_ADFS::receiveAuthnRequest($idp);
}
}
assert('FALSE');
} elseif (isset($_GET['assocId'])) {
// logout response from ADFS SP
$assocId = $_GET['assocId'];
/* Association ID of the SP that sent the logout response. */
$relayState = $_GET['relayState'];
/* Data that was sent in the logout request to the SP. Can be null. */
$logoutError = NULL;
/* NULL on success, or an instance of a SimpleSAML_Error_Exception on failure. */
$idp->handleLogoutResponse($assocId, $relayState, $logoutError);
}
/**
* Get a list of associated SAML 2 SPs.
*
* This function is just for backwards-compatibility. New code should
* use the SimpleSAML_IdP::getAssociations()-function.
*
* @return array Array of SAML 2 entityIDs.
* @deprecated Will be removed in the future.
*/
public function get_sp_list()
{
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
try {
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
} catch (Exception $e) {
/* No SAML 2 IdP configured? */
return array();
}
$ret = array();
foreach ($idp->getAssociations() as $assoc) {
if (isset($assoc['saml:entityID'])) {
$ret[] = $assoc['saml:entityID'];
}
}
return $ret;
}
* @author Jaime Pérez Crespo, UNINETT AS <*****@*****.**>
*
* @package SimpleSAMLphp
*/
// retrieve the authentication state
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState');
}
try {
// try to get the state
$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], 'saml:proxy:invalid_idp');
} catch (Exception $e) {
// the user probably hit the back button after starting the logout, try to recover the state with another stage
$state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], 'core:Logout:afterbridge');
// success! Try to continue with reauthentication, since we no longer have a valid session here
$idp = SimpleSAML_IdP::getById($state['core:IdP']);
sspmod_saml_Auth_Source_SP::reauthPostLogout($idp, $state);
}
if (isset($_POST['cancel'])) {
// the user does not want to logout, cancel login
SimpleSAML_Auth_State::throwException($state, new \SimpleSAML\Module\saml\Error\NoAvailableIDP(\SAML2\Constants::STATUS_RESPONDER, 'User refused to reauthenticate with any of the IdPs requested.'));
}
if (isset($_POST['continue'])) {
// log the user out before being able to login again
$as = SimpleSAML_Auth_Source::getById($state['saml:sp:AuthId'], 'sspmod_saml_Auth_Source_SP');
/** @var sspmod_saml_Auth_Source_SP $as */
$as->reauthLogout($state);
}
$cfg = SimpleSAML_Configuration::getInstance();
$template = new SimpleSAML_XHTML_Template($cfg, 'saml:proxy/invalid_session.php');
$translator = $template->getTranslator();
<?php
if (!isset($_REQUEST['idp'])) {
throw new SimpleSAML_Error_BadRequest('Missing "idp" parameter.');
}
$idp = (string) $_REQUEST['idp'];
$idp = SimpleSAML_IdP::getById($idp);
if (!isset($_REQUEST['association'])) {
throw new SimpleSAML_Error_BadRequest('Missing "association" parameter.');
}
$assocId = urldecode($_REQUEST['association']);
$relayState = NULL;
if (isset($_REQUEST['RelayState'])) {
$relayState = (string) $_REQUEST['RelayState'];
}
$associations = $idp->getAssociations();
if (!isset($associations[$assocId])) {
throw new SimpleSAML_Error_BadRequest('Invalid association id.');
}
$association = $associations[$assocId];
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');
$lr = sspmod_saml_Message::buildLogoutRequest($idpMetadata, $spMetadata);
$lr->setSessionIndex($association['saml:SessionIndex']);
$lr->setNameId($association['saml:NameID']);
$assertionLifetime = $spMetadata->getInteger('assertion.lifetime', NULL);
if ($assertionLifetime === NULL) {
$assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
}
$lr->setNotOnOrAfter(time() + $assertionLifetime);
