Process authentication requests.
| public handleAuthenticationRequest ( array &$state ) | ||
| $state | array | |
public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
{
try {
// accomodate for disfunctional $_GET "windows" slash decoding in PHP
$wctx = $_GET['wctx'];
foreach (explode('&', $_SERVER['REQUEST_URI']) as $e) {
$a = explode('=', $e);
if ($a[0] == 'wctx') {
$wctx = urldecode($a[1]);
}
}
$requestid = $wctx;
$issuer = $_GET['wtrealm'];
$requestcache = array('RequestID' => $requestid, 'Issuer' => $issuer, 'RelayState' => $requestid);
$spEntityId = $requestcache['Issuer'];
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'adfs-sp-remote');
SimpleSAML_Logger::info('ADFS - IdP.prp: Incoming Authentication request: ' . $issuer . ' id ' . $requestid);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('PROCESSAUTHNREQUEST', $exception);
}
$sessionLostURL = NULL;
// TODO?
$forceAuthn = FALSE;
$isPassive = FALSE;
$state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'adfs:wctx' => $wctx);
$idp->handleAuthenticationRequest($state);
}
/**
* Receive an authentication request.
*
* @param SimpleSAML_IdP $idp The IdP we are receiving it for.
*/
public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
{
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
$supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
}
if ($idpMetadata->getBoolean('saml20.hok.assertion', FALSE)) {
$supportedBindings[] = SAML2_Const::BINDING_HOK_SSO;
}
if (isset($_REQUEST['spentityid'])) {
/* IdP initiated authentication. */
if (isset($_REQUEST['cookieTime'])) {
$cookieTime = (int) $_REQUEST['cookieTime'];
if ($cookieTime + 5 > time()) {
/*
* Less than five seconds has passed since we were
* here the last time. Cookies are probably disabled.
*/
\SimpleSAML\Utils\HTTP::checkSessionCookie(\SimpleSAML\Utils\HTTP::getSelfURL());
}
}
$spEntityId = (string) $_REQUEST['spentityid'];
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
if (isset($_REQUEST['RelayState'])) {
$relayState = (string) $_REQUEST['RelayState'];
} else {
$relayState = NULL;
}
if (isset($_REQUEST['binding'])) {
$protocolBinding = (string) $_REQUEST['binding'];
} else {
$protocolBinding = NULL;
}
if (isset($_REQUEST['NameIDFormat'])) {
$nameIDFormat = (string) $_REQUEST['NameIDFormat'];
} else {
$nameIDFormat = NULL;
}
$requestId = NULL;
$IDPList = array();
$ProxyCount = NULL;
$RequesterID = NULL;
$forceAuthn = FALSE;
$isPassive = FALSE;
$consumerURL = NULL;
$consumerIndex = NULL;
$extensions = NULL;
$allowCreate = TRUE;
$idpInit = TRUE;
SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' . var_export($spEntityId, TRUE));
} else {
$binding = SAML2_Binding::getCurrentBinding();
$request = $binding->receive();
if (!$request instanceof SAML2_AuthnRequest) {
throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
}
$spEntityId = $request->getIssuer();
if ($spEntityId === NULL) {
throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
}
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);
$relayState = $request->getRelayState();
$requestId = $request->getId();
$IDPList = $request->getIDPList();
$ProxyCount = $request->getProxyCount();
if ($ProxyCount !== null) {
$ProxyCount--;
}
$RequesterID = $request->getRequesterID();
$forceAuthn = $request->getForceAuthn();
$isPassive = $request->getIsPassive();
$consumerURL = $request->getAssertionConsumerServiceURL();
$protocolBinding = $request->getProtocolBinding();
$consumerIndex = $request->getAssertionConsumerServiceIndex();
$extensions = $request->getExtensions();
$nameIdPolicy = $request->getNameIdPolicy();
if (isset($nameIdPolicy['Format'])) {
$nameIDFormat = $nameIdPolicy['Format'];
} else {
$nameIDFormat = NULL;
}
if (isset($nameIdPolicy['AllowCreate'])) {
$allowCreate = $nameIdPolicy['AllowCreate'];
} else {
$allowCreate = FALSE;
}
$idpInit = FALSE;
SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: incoming authentication request: ' . var_export($spEntityId, TRUE));
}
SimpleSAML_Stats::log('saml:idp:AuthnRequest', array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid'), 'forceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'protocol' => 'saml2', 'idpInit' => $idpInit));
$acsEndpoint = self::getAssertionConsumerService($supportedBindings, $spMetadata, $consumerURL, $protocolBinding, $consumerIndex);
$IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));
if ($ProxyCount === null) {
$ProxyCount = $spMetadata->getInteger('ProxyCount', null);
}
if (!$forceAuthn) {
$forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
}
$sessionLostParams = array('spentityid' => $spEntityId, 'cookieTime' => time());
if ($relayState !== NULL) {
$sessionLostParams['RelayState'] = $relayState;
}
$sessionLostURL = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery(), $sessionLostParams);
$state = array('Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'), SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'SPMetadata' => $spMetadata->toArray(), 'saml:RelayState' => $relayState, 'saml:RequestId' => $requestId, 'saml:IDPList' => $IDPList, 'saml:ProxyCount' => $ProxyCount, 'saml:RequesterID' => $RequesterID, 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'saml:ConsumerURL' => $acsEndpoint['Location'], 'saml:Binding' => $acsEndpoint['Binding'], 'saml:NameIDFormat' => $nameIDFormat, 'saml:AllowCreate' => $allowCreate, 'saml:Extensions' => $extensions, 'saml:AuthnRequestReceivedAt' => microtime(TRUE));
$idp->handleAuthenticationRequest($state);
}
/**
* Receive an authentication request.
*
* @param SimpleSAML_IdP $idp The IdP we are receiving it for.
*/
public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
{
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
$supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
}
if (isset($_REQUEST['spentityid'])) {
/* IdP initiated authentication. */
if (isset($_REQUEST['cookieTime'])) {
$cookieTime = (int) $_REQUEST['cookieTime'];
if ($cookieTime + 5 > time()) {
/*
* Less than five seconds has passed since we were
* here the last time. Cookies are probably disabled.
*/
SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
}
}
$spEntityId = (string) $_REQUEST['spentityid'];
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
if (isset($_REQUEST['RelayState'])) {
$relayState = (string) $_REQUEST['RelayState'];
} else {
$relayState = NULL;
}
if (isset($_REQUEST['binding'])) {
$protocolBinding = (string) $_REQUEST['binding'];
} else {
$protocolBinding = NULL;
}
if (isset($_REQUEST['NameIDFormat'])) {
$nameIDFormat = (string) $_REQUEST['NameIDFormat'];
} else {
$nameIDFormat = NULL;
}
$requestId = NULL;
$IDPList = array();
$ProxyCount = NULL;
$RequesterID = NULL;
$forceAuthn = FALSE;
$isPassive = FALSE;
$consumerURL = NULL;
SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' . var_export($spEntityId, TRUE));
} else {
$binding = SAML2_Binding::getCurrentBinding();
$request = $binding->receive();
if (!$request instanceof SAML2_AuthnRequest) {
throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
}
$spEntityId = $request->getIssuer();
if ($spEntityId === NULL) {
throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
}
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);
$relayState = $request->getRelayState();
$requestId = $request->getId();
$IDPList = $request->getIDPList();
$ProxyCount = $request->getProxyCount();
if ($ProxyCount !== null) {
$ProxyCount--;
}
$RequesterID = $request->getRequesterID();
$forceAuthn = $request->getForceAuthn();
$isPassive = $request->getIsPassive();
$consumerURL = $request->getAssertionConsumerServiceURL();
$protocolBinding = $request->getProtocolBinding();
$nameIdPolicy = $request->getNameIdPolicy();
if (isset($nameIdPolicy['Format'])) {
$nameIDFormat = $nameIdPolicy['Format'];
} else {
$nameIDFormat = NULL;
}
SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: ' . var_export($spEntityId, TRUE));
}
if ($protocolBinding === NULL || !in_array($protocolBinding, $supportedBindings, TRUE)) {
/*
* No binding specified or unsupported binding requested - default to HTTP-POST.
* TODO: Select any supported binding based on default endpoint?
*/
$protocolBinding = SAML2_Const::BINDING_HTTP_POST;
}
if ($consumerURL !== NULL) {
$found = FALSE;
foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
if ($ep['Binding'] !== $protocolBinding) {
continue;
}
if ($ep['Location'] !== $consumerURL) {
continue;
}
$found = TRUE;
break;
}
if (!$found) {
SimpleSAML_Logger::warning('Authentication request from ' . var_export($spEntityId, TRUE) . ' contains invalid AssertionConsumerService URL. Was ' . var_export($consumerURL, TRUE) . '.');
$consumerURL = NULL;
}
}
if ($consumerURL === NULL) {
/* Not specified or invalid. Use default. */
$consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array($protocolBinding));
$consumerURL = $consumerURL['Location'];
}
$IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));
if ($ProxyCount == null) {
$ProxyCount = $spMetadata->getInteger('ProxyCount', null);
}
if (!$forceAuthn) {
$forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
}
$sessionLostParams = array('spentityid' => $spEntityId, 'cookieTime' => time());
if ($relayState !== NULL) {
$sessionLostParams['RelayState'] = $relayState;
}
$sessionLostURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), $sessionLostParams);
$state = array('Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'), SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'SPMetadata' => $spMetadata->toArray(), 'saml:RelayState' => $relayState, 'saml:RequestId' => $requestId, 'saml:IDPList' => $IDPList, 'saml:ProxyCount' => $ProxyCount, 'saml:RequesterID' => $RequesterID, 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'saml:ConsumerURL' => $consumerURL, 'saml:Binding' => $protocolBinding, 'saml:NameIDFormat' => $nameIDFormat);
$idp->handleAuthenticationRequest($state);
}
/**
* Receive an authentication request.
*
* @param SimpleSAML_IdP $idp The IdP we are receiving it for.
*/
public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
{
if (isset($_REQUEST['cookieTime'])) {
$cookieTime = (int) $_REQUEST['cookieTime'];
if ($cookieTime + 5 > time()) {
/*
* Less than five seconds has passed since we were
* here the last time. Cookies are probably disabled.
*/
\SimpleSAML\Utils\HTTP::checkSessionCookie(\SimpleSAML\Utils\HTTP::getSelfURL());
}
}
if (!isset($_REQUEST['providerId'])) {
throw new SimpleSAML_Error_BadRequest('Missing providerId parameter.');
}
$spEntityId = (string) $_REQUEST['providerId'];
if (!isset($_REQUEST['shire'])) {
throw new SimpleSAML_Error_BadRequest('Missing shire parameter.');
}
$shire = (string) $_REQUEST['shire'];
if (isset($_REQUEST['target'])) {
$target = $_REQUEST['target'];
} else {
$target = NULL;
}
SimpleSAML\Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest from ' . var_export($spEntityId, TRUE) . '.');
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'shib13-sp-remote');
$found = FALSE;
foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
if ($ep['Binding'] !== 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post') {
continue;
}
if ($ep['Location'] !== $shire) {
continue;
}
$found = TRUE;
break;
}
if (!$found) {
throw new Exception('Invalid AssertionConsumerService for SP ' . var_export($spEntityId, TRUE) . ': ' . var_export($shire, TRUE));
}
SimpleSAML_Stats::log('saml:idp:AuthnRequest', array('spEntityID' => $spEntityId, 'protocol' => 'saml1'));
$sessionLostURL = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURL(), array('cookieTime' => time()));
$state = array('Responder' => array('sspmod_saml_IdP_SAML1', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'saml:shire' => $shire, 'saml:target' => $target, 'saml:AuthnRequestReceivedAt' => microtime(TRUE));
$idp->handleAuthenticationRequest($state);
}