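/**
 * Assertion Consumer Service
 *
 * The user gets sent back here after authenticating with the IdP, off-site.
 * The earlier redirection to the IdP can be found in the SAMLAuthenticator::authenticate.
 *
 * After this handler completes, we end up with a rudimentary Member record (which will be created on-the-fly
 * if not existent), with the user already logged in. Login triggers memberLoggedIn hooks, which allows
 * LDAP side of this module to finish off loading Member data.
 *
 * Every failure path follows the same shape: record a message for SAMLLoginForm_LoginForm, persist the
 * session explicitly (the response returned next is a redirect), and hand back $this->getRedirect().
 *
 * @return mixed the result of $this->getRedirect() (defined outside this block)
 * @throws OneLogin_Saml2_Error
 */
public function acs()
{
    $auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
    $auth->processResponse();

    // NOTE(review): the library's error reason is shown to the end user verbatim as well as logged.
    // Logging the detail and showing a generic message would be the more conservative choice.
    $error = $auth->getLastErrorReason();
    if (!empty($error)) {
        SS_Log::log($error, SS_Log::ERR);
        Form::messageForForm("SAMLLoginForm_LoginForm", "Authentication error: '{$error}'", 'bad');
        Session::save();
        return $this->getRedirect();
    }

    if (!$auth->isAuthenticated()) {
        Form::messageForForm("SAMLLoginForm_LoginForm", _t('Member.ERRORWRONGCRED'), 'bad');
        Session::save();
        return $this->getRedirect();
    }

    // The NameID is expected to be the base64-encoded *binary* objectGUID. A fully printable result
    // means the IdP sent something else (e.g. a plain string identifier), which this module cannot map.
    // Note that ctype_print('') is false, so an empty NameID is not caught here; it falls through to
    // the validGuid() check below.
    $decodedNameId = base64_decode($auth->getNameId());
    if (ctype_print($decodedNameId)) {
        Form::messageForForm("SAMLLoginForm_LoginForm", "Name ID provided by IdP is not a binary GUID.", 'bad');
        Session::save();
        return $this->getRedirect();
    }

    // Transform the binary NameID into the textual GUID form stored in Member.GUID.
    $guid = LDAPUtil::bin_to_str_guid($decodedNameId);
    if (!LDAPUtil::validGuid($guid)) {
        $errorMessage = "Not a valid GUID '{$guid}' received from server.";
        SS_Log::log($errorMessage, SS_Log::ERR);
        Form::messageForForm("SAMLLoginForm_LoginForm", $errorMessage, 'bad');
        Session::save();
        return $this->getRedirect();
    }

    // Write a rudimentary member with basic fields on every login, so that we at least have something
    // if LDAP synchronisation fails. The GUID is the only identity key shared by SAML and LDAP.
    $member = Member::get()->filter('GUID', $guid)->limit(1)->first();
    if (!($member && $member->exists())) {
        $member = new Member();
        $member->GUID = $guid;
    }

    // Copy IdP attributes onto Member fields as configured in claims_field_mappings. Only the first
    // value of each claim is used; a configured-but-missing claim is logged and skipped.
    $attributes = $auth->getAttributes();
    foreach ($member->config()->claims_field_mappings as $claim => $field) {
        if (!isset($attributes[$claim][0])) {
            SS_Log::log(sprintf('Claim rule \'%s\' configured in LDAPMember.claims_field_mappings, but wasn\'t passed through. Please check IdP claim rules.', $claim), SS_Log::WARN);
            continue;
        }
        $member->{$field} = $attributes[$claim][0];
    }

    $member->SAMLSessionIndex = $auth->getSessionIndex();

    // This will throw an exception if there are two distinct GUIDs with the same email address.
    // We are happy with a raw 500 here at this stage.
    $member->write();

    // This will trigger LDAP update through LDAPMemberExtension::memberLoggedIn.
    // Both SAML and LDAP identify Members by the GUID field.
    $member->logIn();

    return $this->getRedirect();
}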
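/**
 * Handle the login form submission.
 *
 * On the "login" action the posted credentials are checked against LDAP via LDAPUtil::authLDAPUser();
 * a successful bind then requires a matching WebAdUser record before the session username is set and
 * the page is switched to "home". Every other outcome adds an error to $context.
 *
 * @param object $context page context; only addError() and setPageID() are used here
 * @param string $action  form action name, only "login" is handled
 * @return void
 */
public function handleForm($context, $action)
{
    if ($action !== "login") {
        $context->addError("Incorrect Action.");
        return;
    }

    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Reject missing, non-string (e.g. username[]=) or empty credentials before touching LDAP.
    // An empty password must never reach the bind: directory servers may treat an empty-password
    // bind as anonymous/unauthenticated and report it as a success.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        $context->addError("Incorrect Login");
        return;
    }

    if (!LDAPUtil::authLDAPUser($username, $password)) {
        $context->addError("Incorrect Login");
        return;
    }

    // instanceof is false for null, so the explicit null check is not needed.
    $user = WebAdUserDao::getWebAdUserByUsername($username);
    if ($user instanceof WebAdUser) {
        SessionUtil::setUsername($user->getUsername());
        $context->setPageID("home");
    } else {
        $context->addError("Incorrect Login");
    }
}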
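/**
 * Handle the login form submission.
 *
 * Authenticates the posted credentials against the backend selected by Config::login_type (remote or
 * local LDAP, or the user database), loads the matching User record, stores username and user level in
 * the session, and then either redirects to the posted "redir" target (same-site paths only) or switches
 * the page to "home". Every failure adds an error to $context.
 *
 * @param object $context page context; only addError() and setPageID() are used here
 * @param string $action  form action name, only "login" is handled
 * @return void
 */
public function handleForm($context, $action)
{
    if ($action !== "login") {
        $context->addError("Incorrect Action.");
        return;
    }

    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Reject missing, non-string or empty credentials before any backend is consulted. An empty
    // password must not reach an LDAP bind, which some servers accept as an anonymous bind.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        $context->addError("Incorrect Login");
        return;
    }

    // Loose comparison kept on purpose: the constant types are declared outside this block.
    $authed = false;
    if (Config::login_type == LOGIN_TYPE_LDAP) {
        if (Config::ldap_type == LDAP_TYPE_REMOTE) {
            $authed = RemoteLDAPUtil::auth($username, $password);
        } elseif (Config::ldap_type == LDAP_TYPE_LOCAL) {
            $authed = LDAPUtil::authLDAPUser($username, $password);
        }
    } elseif (Config::login_type == LOGIN_TYPE_DB) {
        $authed = UserDao::authUser($username, $password);
    }

    if (!$authed) {
        $context->addError("Incorrect Login");
        return;
    }

    $user = UserDao::getUserByUsername($username);
    if (!($user instanceof User)) {
        $context->addError("Incorrect Login");
        return;
    }

    SessionUtil::setUsername($user->username);
    SessionUtil::setUserlevel($user->userlevel);

    // Open-redirect guard: "redir" comes straight from the client, so only a same-site path is honoured.
    // It must start with a single "/" (rejecting "//host" and "/\host"), contain no control characters
    // (header injection), and, as before, not point at the login/logout pages. The previous
    // `!strpos()` checks were also wrong whenever the substring sat at offset 0.
    $redir = isset($_POST['redir']) ? $_POST['redir'] : '';
    $redirIsLocal = is_string($redir)
        && preg_match('#^/(?![/\\\\])[^\x00-\x1f\x7f]*$#', $redir) === 1
        && strpos($redir, 'login') === false
        && strpos($redir, 'logout') === false;

    if ($redirIsLocal) {
        // NOTE(review): as in the original, execution continues after header(); the caller is
        // presumably responsible for ending the request.
        header("location: " . $redir);
    } else {
        $context->setPageID("home");
    }
}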
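/**
 * Authenticate a user against the NT domain / LDAP server named by Config::ldap_domain and
 * Config::ldap_server.
 *
 * @param string $username
 * @param string $password
 * @return mixed false for missing or empty credentials, otherwise whatever checkNTuser() returns
 *               (defined outside this block)
 */
public static function authLDAPUser($username, $password)
{
    // Never attempt a bind with an empty (or non-string) credential: directory servers may accept an
    // empty-password bind as anonymous/unauthenticated, which would look like a successful login.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        return false;
    }

    return LDAPUtil::checkNTuser($username, $password, Config::ldap_domain, Config::ldap_server);
}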
/**
 * Return a particular LDAP user by objectGUID value.
 *
 * Builds a filter matching user objects whose objectGUID equals the given GUID, after converting it
 * with LDAPUtil::str_to_hex_guid(). NOTE(review): the filter is assembled with sprintf, so it is only
 * injection-safe if str_to_hex_guid() emits nothing but escaped hex bytes — confirm in that helper.
 *
 * @param string      $guid       textual GUID
 * @param string|null $baseDn     passed through to search()
 * @param int         $scope      Zend\Ldap\Ldap::SEARCH_SCOPE_* constant, subtree by default
 * @param array       $attributes passed through to search()
 * @return array
 */
public function getUserByGUID($guid, $baseDn = null, $scope = Zend\Ldap\Ldap::SEARCH_SCOPE_SUB, $attributes = array())
{
    $hexGuid = LDAPUtil::str_to_hex_guid($guid, true);
    $filter = sprintf('(&(objectClass=user)(objectGUID=%s))', $hexGuid);

    return $this->search($filter, $baseDn, $scope, $attributes);
}
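/**
 * Authenticate a user against the NT domain / LDAP server read from Config::getVariable('ldap_domain')
 * and Config::getVariable('ldap_server').
 *
 * @param string $username
 * @param string $password
 * @return mixed false for missing or empty credentials, otherwise whatever checkNTuser() returns
 *               (defined outside this block)
 */
public static function authLDAPUser($username, $password)
{
    // Never attempt a bind with an empty (or non-string) credential: directory servers may accept an
    // empty-password bind as anonymous/unauthenticated, which would look like a successful login.
    if (!is_string($username) || $username === '' || !is_string($password) || $password === '') {
        return false;
    }

    $domain = Config::getVariable('ldap_domain');
    $server = Config::getVariable('ldap_server');

    return LDAPUtil::checkNTuser($username, $password, $domain, $server);
}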