redirectUntrustedURL() public static méthode

Deprecation: This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::redirectUntrustedURL() instead.
public static redirectUntrustedURL ( $url, $parameters = [] )
 /**
  * Handle an unsolicited (IdP-initiated) login.
  *
  * Creates a session for the authentication source that received the
  * request, stores the persistent part of the supplied state in it, and
  * then sends the user on to $redirectTo.
  *
  * The redirect is performed by redirectUntrustedURL(), which checks the
  * target against the 'trusted.url.domains' configuration directive, so
  * callers do not need to validate $redirectTo themselves beforehand.
  *
  * @param string $authId     The id of the authentication source that
  *                           received the request.
  * @param array  $state      A state array.
  * @param string $redirectTo The URL to send the user to once the session
  *                           has been updated.
  */
 public static function handleUnsolicitedAuth($authId, array $state, $redirectTo)
 {
     assert('is_string($authId)');
     assert('is_string($redirectTo)');

     // Log the user in on the current session with only the persistent
     // portion of the state, then hand over to the (checked) redirect.
     $session = SimpleSAML_Session::getSessionFromRequest();
     $persistentState = self::extractPersistentAuthState($state);
     $session->doLogin($authId, $persistentState);

     SimpleSAML_Utilities::redirectUntrustedURL($redirectTo);
 }
    $userid = null;
    if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
        throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.');
    }
    if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) {
        throw new SimpleSAML_Error_Error('NOTVALIDCERT', $e);
    }
    $userid = $_SERVER['SSL_CLIENT_S_DN'];
    $attributes['CertificateDN'] = array($userid);
    $attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']);
    $session->doLogin('tlsclient');
    $session->setAttributes($attributes);
    #echo '<pre>';
    #print_r($_SERVER);
    #echo '</pre>'; exit;
    SimpleSAML_Logger::info('AUTH - tlsclient: ' . $userid . ' successfully authenticated');
    $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
    /**
     * Create a statistics log entry for every successful login attempt.
     * Also log a specific attribute as set in the config: statistics.authlogattr
     */
    $authlogattr = $config->getValue('statistics.authlogattr', null);
    if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]);
    } else {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK');
    }
    SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']);
} catch (Exception $e) {
    throw new SimpleSAML_Error_Error('CONFIG', $e);
}
        $notBefore = $condition->getAttribute('NotBefore');
        $notOnOrAfter = $condition->getAttribute('NotOnOrAfter');
        if (!SimpleSAML_Utilities::checkDateConditions($notBefore, $notOnOrAfter)) {
            throw new Exception('The response has expired.');
        }
    }
    /* Extract the name identifier from the response. */
    $nameid = $xpath->query('./saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', $assertion);
    if ($nameid->length === 0) {
        throw new Exception('Could not find the name identifier in the response from the WS-Fed IdP \'' . $idpEntityId . '\'.');
    }
    $nameid = array('Format' => $nameid->item(0)->getAttribute('Format'), 'Value' => $nameid->item(0)->textContent);
    /* Extract the attributes from the response. */
    $attributes = array();
    $attributeValues = $xpath->query('./saml:AttributeStatement/saml:Attribute/saml:AttributeValue', $assertion);
    foreach ($attributeValues as $attribute) {
        $name = $attribute->parentNode->getAttribute('AttributeName');
        $value = $attribute->textContent;
        if (!array_key_exists($name, $attributes)) {
            $attributes[$name] = array();
        }
        $attributes[$name][] = $value;
    }
    /* Mark the user as logged in. */
    $authData = array('Attributes' => $attributes, 'saml:sp:NameID' => $nameid, 'saml:sp:IdP' => $idpEntityId);
    $session->doLogin('wsfed', $authData);
    /* Redirect the user back to the page which requested the login. */
    SimpleSAML_Utilities::redirectUntrustedURL($wctx);
} catch (Exception $exception) {
    throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception);
}
 /**
  * Apply the SimpleTOTP second-factor filter.
  *
  * Reads the user's TOTP secret from the configured attribute (if present
  * and non-empty) and, depending on whether second-factor authentication is
  * enforced, either redirects to a "not configured" page, lets the user
  * continue without 2FA, or stores the secret in the state and redirects to
  * the authentication page.
  *
  * Both the attribute name ($this->secret_attr) and the optional custom
  * error page ($this->not_configured_url) come from the filter
  * configuration; the custom page is still passed through
  * redirectUntrustedURL(), so it is subject to the trusted-URL check.
  *
  * @param array &$state  The current state; '2fa_secret' is added to it
  *                       before the state is saved.
  */
 public function process(&$state)
 {
     assert('is_array($state)');
     assert('array_key_exists("Attributes", $state)');

     $attributes =& $state['Attributes'];
     $secretAttr = $this->secret_attr;

     // Prefer the secret delivered by the user store; ignore missing or
     // empty values so the enforcement logic below decides what happens.
     if (array_key_exists($secretAttr, $attributes) && !empty($attributes[$secretAttr])) {
         $this->secret_val = $attributes[$secretAttr][0];
     }

     if ($this->secret_val === null) {
         if ($this->enforce_2fa === true) {
             // 2FA is mandatory but the user has nothing configured.
             SimpleSAML_Logger::debug('User with ID xxx does not have 2f configured when it is
         mandatory for xxxSP');
             // Send the user to the custom error page when one is configured,
             // otherwise to the module's own page.
             $target = $this->not_configured_url;
             if ($target !== null) {
                 SimpleSAML_Utilities::redirectUntrustedURL($target);
             } else {
                 $target = SimpleSAML_Module::getModuleURL('simpletotp/not_configured.php');
                 SimpleSAML_Utilities::redirectTrustedURL($target);
             }
         } elseif ($this->enforce_2fa === false) {
             SimpleSAML_Logger::debug('User with ID xxx does not have 2f configured but SP does not
         require it. Continue.');
             return;
         }
     }

     // The attribute name is configurable, so keep the secret in a fixed
     // location for the authentication page.
     $state['2fa_secret'] = $this->secret_val;

     // A secret is available for this session: save the state and go to the
     // second-factor prompt.
     $stateId = SimpleSAML_Auth_State::saveState($state, 'simpletotp:request');
     $authUrl = SimpleSAML_Module::getModuleURL('simpletotp/authenticate.php');
     SimpleSAML_Utilities::redirectTrustedURL($authUrl, array('StateId' => $stateId));
 }
        $attributes = $ldap->getAttributes($dn, $ldapconfig->getValue('auth.ldap.attributes', null));
        SimpleSAML_Logger::info('AUTH - ldap: ' . $ldapusername . ' successfully authenticated');
        $session->doLogin('login');
        $session->setAttributes($attributes);
        $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
        /**
          * Create a statistics log entry for every successful login attempt.
         * Also log a specific attribute as set in the config: statistics.authlogattr
         */
        $authlogattr = $config->getValue('statistics.authlogattr', null);
        if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
            SimpleSAML_Logger::stats('AUTH-login OK ' . $attributes[$authlogattr][0]);
        } else {
            SimpleSAML_Logger::stats('AUTH-login OK');
        }
        $returnto = $_REQUEST['RelayState'];
        SimpleSAML_Utilities::redirectUntrustedURL($returnto);
    } catch (Exception $e) {
        SimpleSAML_Logger::error('AUTH - ldap: User: '******'na') . ':' . $e->getMessage());
        SimpleSAML_Logger::stats('AUTH-login Failed');
        $error = $e->getMessage();
    }
}
// Render the login form. Only re-populate the username when a previous
// attempt failed, so an untouched form starts empty.
$t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login');
$pageData = array(
    'header' => 'simpleSAMLphp: Enter username and password',
    'relaystate' => $relaystate,
    'error' => $error,
);
if (isset($error)) {
    $pageData['username'] = $username;
}
foreach ($pageData as $key => $value) {
    $t->data[$key] = $value;
}
$t->show();
         */
        if (array_key_exists('idpdisco.url', $spmetadata)) {
            $discservice = $spmetadata['idpdisco.url'];
        } elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) {
            $discservice = $config->getString('idpdisco.url.shib13');
        } else {
            $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php';
        }
        SimpleSAML_Utilities::redirectTrustedURL($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid'));
    }
    try {
        $ar = new SimpleSAML_XML_Shib13_AuthnRequest();
        $ar->setIssuer($spentityid);
        if (isset($_GET['RelayState'])) {
            $ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']));
        }
        SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
        $url = $ar->createRedirect($idpentityid);
        SimpleSAML_Utilities::redirectTrustedURL($url);
    } catch (Exception $exception) {
        throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
    }
} else {
    $relaystate = $_GET['RelayState'];
    if (isset($relaystate) && !empty($relaystate)) {
        SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState');
        SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
    } else {
        throw new SimpleSAML_Error_Error('NORELAYSTATE');
    }
}
        $t->data['urlAgree'] = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURL(), array("consent" => "yes"));
        $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout';
        $t->show();
        exit;
        // and be done.
    }
    $attributes = $session->getAttributes();
    // Assume user consent at this point and proceed with authorizing the token
    list($url, $verifier) = $store->authorize($requestToken, $attributes);
    if ($url) {
        // If authorize() returns a URL, take user there (oauth1.0a)
        SimpleSAML_Utilities::redirectTrustedURL($url);
    } else {
        if (isset($_REQUEST['oauth_callback'])) {
            // If callback was provided in the request (oauth1.0)
            SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['oauth_callback']);
        } else {
            // No callback provided, display standard template
            $t = new SimpleSAML_XHTML_Template($config, 'oauth:authorized.php');
            $t->data['header'] = '{status:header_saml20_sp}';
            $t->data['remaining'] = $session->remainingTime();
            $t->data['sessionsize'] = $session->getSize();
            $t->data['attributes'] = $attributes;
            $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout';
            $t->data['oauth_verifier'] = $verifier;
            $t->show();
        }
    }
} catch (Exception $e) {
    header('Content-type: text/plain; utf-8', TRUE, 500);
    header('OAuth-Error: ' . $e->getMessage());
<?php

/*
 * Helper page for starting an admin login. Can be used as a target for links.
 */
// Refuse to proceed without a destination; this is checked before the admin
// login so a broken link fails immediately with a bad-request error.
$hasReturnTo = array_key_exists('ReturnTo', $_REQUEST);
if ($hasReturnTo === false) {
    throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
$returnTo = $_REQUEST['ReturnTo'];

SimpleSAML_Utilities::requireAdmin();

// ReturnTo is taken straight from the request, so it goes through the
// untrusted redirect, which checks whether the URL is allowed before sending
// the user there.
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);