handleAuthenticationRequest() public méthode

Process authentication requests.
public handleAuthenticationRequest ( array &$state )
$state array
Exemple #1
0
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     try {
         // accomodate for disfunctional $_GET "windows" slash decoding in PHP
         $wctx = $_GET['wctx'];
         foreach (explode('&', $_SERVER['REQUEST_URI']) as $e) {
             $a = explode('=', $e);
             if ($a[0] == 'wctx') {
                 $wctx = urldecode($a[1]);
             }
         }
         $requestid = $wctx;
         $issuer = $_GET['wtrealm'];
         $requestcache = array('RequestID' => $requestid, 'Issuer' => $issuer, 'RelayState' => $requestid);
         $spEntityId = $requestcache['Issuer'];
         $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'adfs-sp-remote');
         SimpleSAML_Logger::info('ADFS - IdP.prp: Incoming Authentication request: ' . $issuer . ' id ' . $requestid);
     } catch (Exception $exception) {
         throw new SimpleSAML_Error_Error('PROCESSAUTHNREQUEST', $exception);
     }
     $sessionLostURL = NULL;
     // TODO?
     $forceAuthn = FALSE;
     $isPassive = FALSE;
     $state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'adfs:wctx' => $wctx);
     $idp->handleAuthenticationRequest($state);
 }
Exemple #2
0
 /**
  * Receive an authentication request.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
  */
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $idpMetadata = $idp->getConfig();
     $supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
     if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
         $supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
     }
     if ($idpMetadata->getBoolean('saml20.hok.assertion', FALSE)) {
         $supportedBindings[] = SAML2_Const::BINDING_HOK_SSO;
     }
     if (isset($_REQUEST['spentityid'])) {
         /* IdP initiated authentication. */
         if (isset($_REQUEST['cookieTime'])) {
             $cookieTime = (int) $_REQUEST['cookieTime'];
             if ($cookieTime + 5 > time()) {
                 /*
                  * Less than five seconds has passed since we were
                  * here the last time. Cookies are probably disabled.
                  */
                 \SimpleSAML\Utils\HTTP::checkSessionCookie(\SimpleSAML\Utils\HTTP::getSelfURL());
             }
         }
         $spEntityId = (string) $_REQUEST['spentityid'];
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
         if (isset($_REQUEST['RelayState'])) {
             $relayState = (string) $_REQUEST['RelayState'];
         } else {
             $relayState = NULL;
         }
         if (isset($_REQUEST['binding'])) {
             $protocolBinding = (string) $_REQUEST['binding'];
         } else {
             $protocolBinding = NULL;
         }
         if (isset($_REQUEST['NameIDFormat'])) {
             $nameIDFormat = (string) $_REQUEST['NameIDFormat'];
         } else {
             $nameIDFormat = NULL;
         }
         $requestId = NULL;
         $IDPList = array();
         $ProxyCount = NULL;
         $RequesterID = NULL;
         $forceAuthn = FALSE;
         $isPassive = FALSE;
         $consumerURL = NULL;
         $consumerIndex = NULL;
         $extensions = NULL;
         $allowCreate = TRUE;
         $idpInit = TRUE;
         SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' . var_export($spEntityId, TRUE));
     } else {
         $binding = SAML2_Binding::getCurrentBinding();
         $request = $binding->receive();
         if (!$request instanceof SAML2_AuthnRequest) {
             throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
         }
         $spEntityId = $request->getIssuer();
         if ($spEntityId === NULL) {
             throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
         }
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
         sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);
         $relayState = $request->getRelayState();
         $requestId = $request->getId();
         $IDPList = $request->getIDPList();
         $ProxyCount = $request->getProxyCount();
         if ($ProxyCount !== null) {
             $ProxyCount--;
         }
         $RequesterID = $request->getRequesterID();
         $forceAuthn = $request->getForceAuthn();
         $isPassive = $request->getIsPassive();
         $consumerURL = $request->getAssertionConsumerServiceURL();
         $protocolBinding = $request->getProtocolBinding();
         $consumerIndex = $request->getAssertionConsumerServiceIndex();
         $extensions = $request->getExtensions();
         $nameIdPolicy = $request->getNameIdPolicy();
         if (isset($nameIdPolicy['Format'])) {
             $nameIDFormat = $nameIdPolicy['Format'];
         } else {
             $nameIDFormat = NULL;
         }
         if (isset($nameIdPolicy['AllowCreate'])) {
             $allowCreate = $nameIdPolicy['AllowCreate'];
         } else {
             $allowCreate = FALSE;
         }
         $idpInit = FALSE;
         SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: incoming authentication request: ' . var_export($spEntityId, TRUE));
     }
     SimpleSAML_Stats::log('saml:idp:AuthnRequest', array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid'), 'forceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'protocol' => 'saml2', 'idpInit' => $idpInit));
     $acsEndpoint = self::getAssertionConsumerService($supportedBindings, $spMetadata, $consumerURL, $protocolBinding, $consumerIndex);
     $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));
     if ($ProxyCount === null) {
         $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
     }
     if (!$forceAuthn) {
         $forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
     }
     $sessionLostParams = array('spentityid' => $spEntityId, 'cookieTime' => time());
     if ($relayState !== NULL) {
         $sessionLostParams['RelayState'] = $relayState;
     }
     $sessionLostURL = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery(), $sessionLostParams);
     $state = array('Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'), SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'SPMetadata' => $spMetadata->toArray(), 'saml:RelayState' => $relayState, 'saml:RequestId' => $requestId, 'saml:IDPList' => $IDPList, 'saml:ProxyCount' => $ProxyCount, 'saml:RequesterID' => $RequesterID, 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'saml:ConsumerURL' => $acsEndpoint['Location'], 'saml:Binding' => $acsEndpoint['Binding'], 'saml:NameIDFormat' => $nameIDFormat, 'saml:AllowCreate' => $allowCreate, 'saml:Extensions' => $extensions, 'saml:AuthnRequestReceivedAt' => microtime(TRUE));
     $idp->handleAuthenticationRequest($state);
 }
Exemple #3
0
 /**
  * Receive an authentication request.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
  */
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $idpMetadata = $idp->getConfig();
     $supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
     if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
         $supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
     }
     if (isset($_REQUEST['spentityid'])) {
         /* IdP initiated authentication. */
         if (isset($_REQUEST['cookieTime'])) {
             $cookieTime = (int) $_REQUEST['cookieTime'];
             if ($cookieTime + 5 > time()) {
                 /*
                  * Less than five seconds has passed since we were
                  * here the last time. Cookies are probably disabled.
                  */
                 SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
             }
         }
         $spEntityId = (string) $_REQUEST['spentityid'];
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
         if (isset($_REQUEST['RelayState'])) {
             $relayState = (string) $_REQUEST['RelayState'];
         } else {
             $relayState = NULL;
         }
         if (isset($_REQUEST['binding'])) {
             $protocolBinding = (string) $_REQUEST['binding'];
         } else {
             $protocolBinding = NULL;
         }
         if (isset($_REQUEST['NameIDFormat'])) {
             $nameIDFormat = (string) $_REQUEST['NameIDFormat'];
         } else {
             $nameIDFormat = NULL;
         }
         $requestId = NULL;
         $IDPList = array();
         $ProxyCount = NULL;
         $RequesterID = NULL;
         $forceAuthn = FALSE;
         $isPassive = FALSE;
         $consumerURL = NULL;
         SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' . var_export($spEntityId, TRUE));
     } else {
         $binding = SAML2_Binding::getCurrentBinding();
         $request = $binding->receive();
         if (!$request instanceof SAML2_AuthnRequest) {
             throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
         }
         $spEntityId = $request->getIssuer();
         if ($spEntityId === NULL) {
             throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
         }
         $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
         sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);
         $relayState = $request->getRelayState();
         $requestId = $request->getId();
         $IDPList = $request->getIDPList();
         $ProxyCount = $request->getProxyCount();
         if ($ProxyCount !== null) {
             $ProxyCount--;
         }
         $RequesterID = $request->getRequesterID();
         $forceAuthn = $request->getForceAuthn();
         $isPassive = $request->getIsPassive();
         $consumerURL = $request->getAssertionConsumerServiceURL();
         $protocolBinding = $request->getProtocolBinding();
         $nameIdPolicy = $request->getNameIdPolicy();
         if (isset($nameIdPolicy['Format'])) {
             $nameIDFormat = $nameIdPolicy['Format'];
         } else {
             $nameIDFormat = NULL;
         }
         SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: ' . var_export($spEntityId, TRUE));
     }
     if ($protocolBinding === NULL || !in_array($protocolBinding, $supportedBindings, TRUE)) {
         /*
          * No binding specified or unsupported binding requested - default to HTTP-POST.
          * TODO: Select any supported binding based on default endpoint?
          */
         $protocolBinding = SAML2_Const::BINDING_HTTP_POST;
     }
     if ($consumerURL !== NULL) {
         $found = FALSE;
         foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
             if ($ep['Binding'] !== $protocolBinding) {
                 continue;
             }
             if ($ep['Location'] !== $consumerURL) {
                 continue;
             }
             $found = TRUE;
             break;
         }
         if (!$found) {
             SimpleSAML_Logger::warning('Authentication request from ' . var_export($spEntityId, TRUE) . ' contains invalid AssertionConsumerService URL. Was ' . var_export($consumerURL, TRUE) . '.');
             $consumerURL = NULL;
         }
     }
     if ($consumerURL === NULL) {
         /* Not specified or invalid. Use default. */
         $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array($protocolBinding));
         $consumerURL = $consumerURL['Location'];
     }
     $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));
     if ($ProxyCount == null) {
         $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
     }
     if (!$forceAuthn) {
         $forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
     }
     $sessionLostParams = array('spentityid' => $spEntityId, 'cookieTime' => time());
     if ($relayState !== NULL) {
         $sessionLostParams['RelayState'] = $relayState;
     }
     $sessionLostURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), $sessionLostParams);
     $state = array('Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'), SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'SPMetadata' => $spMetadata->toArray(), 'saml:RelayState' => $relayState, 'saml:RequestId' => $requestId, 'saml:IDPList' => $IDPList, 'saml:ProxyCount' => $ProxyCount, 'saml:RequesterID' => $RequesterID, 'ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'saml:ConsumerURL' => $consumerURL, 'saml:Binding' => $protocolBinding, 'saml:NameIDFormat' => $nameIDFormat);
     $idp->handleAuthenticationRequest($state);
 }
Exemple #4
0
 /**
  * Receive an authentication request.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
  */
 public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
 {
     if (isset($_REQUEST['cookieTime'])) {
         $cookieTime = (int) $_REQUEST['cookieTime'];
         if ($cookieTime + 5 > time()) {
             /*
              * Less than five seconds has passed since we were
              * here the last time. Cookies are probably disabled.
              */
             \SimpleSAML\Utils\HTTP::checkSessionCookie(\SimpleSAML\Utils\HTTP::getSelfURL());
         }
     }
     if (!isset($_REQUEST['providerId'])) {
         throw new SimpleSAML_Error_BadRequest('Missing providerId parameter.');
     }
     $spEntityId = (string) $_REQUEST['providerId'];
     if (!isset($_REQUEST['shire'])) {
         throw new SimpleSAML_Error_BadRequest('Missing shire parameter.');
     }
     $shire = (string) $_REQUEST['shire'];
     if (isset($_REQUEST['target'])) {
         $target = $_REQUEST['target'];
     } else {
         $target = NULL;
     }
     SimpleSAML\Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest from ' . var_export($spEntityId, TRUE) . '.');
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'shib13-sp-remote');
     $found = FALSE;
     foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
         if ($ep['Binding'] !== 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post') {
             continue;
         }
         if ($ep['Location'] !== $shire) {
             continue;
         }
         $found = TRUE;
         break;
     }
     if (!$found) {
         throw new Exception('Invalid AssertionConsumerService for SP ' . var_export($spEntityId, TRUE) . ': ' . var_export($shire, TRUE));
     }
     SimpleSAML_Stats::log('saml:idp:AuthnRequest', array('spEntityID' => $spEntityId, 'protocol' => 'saml1'));
     $sessionLostURL = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURL(), array('cookieTime' => time()));
     $state = array('Responder' => array('sspmod_saml_IdP_SAML1', 'sendResponse'), 'SPMetadata' => $spMetadata->toArray(), SimpleSAML_Auth_State::RESTART => $sessionLostURL, 'saml:shire' => $shire, 'saml:target' => $target, 'saml:AuthnRequestReceivedAt' => microtime(TRUE));
     $idp->handleAuthenticationRequest($state);
 }