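/**
 * Take some actions during the login event of a user
 *
 * Reads the SAML attributes and source name that the plugin stored in the
 * session before the login event fired, links the user to that source, stores
 * the attributes on the user and removes the SAML data from the session again.
 *
 * @param string   $event  'login' is the event this function handles
 * @param string   $type   'user' is the type for this event
 * @param ElggUser $object the current user trying to login
 *
 * @return void
 */
function simplesaml_login_event_handler($event, $type, $object) {
	if (empty($object) || !elgg_instanceof($object, "user")) {
		return;
	}

	// not a SAML login (or the SAML session data was already consumed)
	if (!isset($_SESSION["saml_attributes"]) || !isset($_SESSION["saml_source"])) {
		return;
	}

	$saml_attributes = $_SESSION["saml_attributes"];
	$source = $_SESSION["saml_source"];

	// only act on sources the administrator enabled
	if (!simplesaml_is_enabled_source($source)) {
		return;
	}

	// additional authentication rules configured for this source
	if (!simplesaml_validate_authentication_attributes($source, $saml_attributes)) {
		return;
	}

	$saml_uid = elgg_extract("elgg:external_id", $saml_attributes);
	if (is_array($saml_uid)) {
		// multi-valued attribute: use the first value; an empty list yields null
		// instead of an undefined-index warning, and an empty first value is
		// then rejected by the emptiness check below instead of being linked
		$saml_uid = isset($saml_uid[0]) ? $saml_uid[0] : null;
	}

	if (!empty($saml_uid)) {
		// save the external id so the next login will go faster
		simplesaml_link_user($object, $source, $saml_uid);
	}

	// save the attributes to the user
	simplesaml_save_authentication_attributes($object, $source, $saml_attributes);

	// save source name for single logout
	$_SESSION["saml_login_source"] = $source;

	// consume the SAML data so it is not applied again to a later login in this session
	unset($_SESSION["saml_attributes"]);
	unset($_SESSION["saml_source"]);
}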
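/**
 * Take some actions during the login event of a user
 *
 * Reads the SAML attributes and source name the plugin stored in the session
 * before the login event fired, links the user to that source, saves the
 * attributes on the user and removes the SAML data from the session again.
 *
 * @param string   $event  the name of the event
 * @param string   $type   type of the event
 * @param ElggUser $object the current user trying to login
 *
 * @return void
 */
public static function loginEvent($event, $type, $object) {
	if (!$object instanceof \ElggUser) {
		return;
	}

	$saml_attributes = simplesaml_get_from_session('saml_attributes');
	$source = simplesaml_get_from_session('saml_source');

	// simplesaml login?
	if (!isset($saml_attributes) || !isset($source)) {
		return;
	}

	// source enabled
	if (!simplesaml_is_enabled_source($source)) {
		return;
	}

	// validate additional authentication rules
	if (!simplesaml_validate_authentication_attributes($source, $saml_attributes)) {
		return;
	}

	// link the user to this source
	$saml_uid = elgg_extract('elgg:external_id', $saml_attributes);
	if (is_array($saml_uid)) {
		// multi-valued attribute: take the first value; an empty list yields null
		// instead of an undefined-index warning, and an empty first value is then
		// rejected by the emptiness check below instead of being linked
		$saml_uid = isset($saml_uid[0]) ? $saml_uid[0] : null;
	}

	if (!empty($saml_uid)) {
		// save the external id so the next login will go faster
		simplesaml_link_user($object, $source, $saml_uid);
	}

	// save the attributes to the user
	simplesaml_save_authentication_attributes($object, $source, $saml_attributes);

	// save source name for single logout
	simplesaml_store_in_session('saml_login_source', $source);

	// cleanup: consume the SAML data so it is not applied again to a later login
	simplesaml_remove_from_session('saml_attributes');
	simplesaml_remove_from_session('saml_source');
}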
if ($error) { forward(REFERER); } // register user $user = simplesaml_register_user($name, $email, $source, $validate, $username); if (!empty($user)) { // link user to the saml source // make sure we can find hidden (unvalidated) users $hidden = access_get_show_hidden_status(); access_show_hidden_entities(true); $saml_uid = elgg_extract('elgg:external_id', $saml_attributes); if (!empty($saml_uid)) { if (is_array($saml_uid)) { $saml_uid = $saml_uid[0]; } simplesaml_link_user($user, $source, $saml_uid); } // save attributes simplesaml_save_authentication_attributes($user, $source, $saml_attributes); // restore hidden setting access_show_hidden_entities($hidden); // notify user about registration system_message(elgg_echo('registerok', [elgg_get_site_entity()->name])); // cleanup session simplesaml_remove_from_session('saml_source'); simplesaml_remove_from_session('saml_attributes'); // try to login the user try { // check for the persistent login plugin setting $persistent = false; if (elgg_get_plugin_setting($source . '_remember_me', 'simplesaml')) {
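/**
 * Check if we can find a user that is linked to the user provided by the Service Provider (SP).
 *
 * Lookup order:
 *  1. a user already linked to this source by the external id ("elgg:external_id")
 *  2. if the source has the "_auto_link" setting, an existing user whose username,
 *     email address or configured profile field matches the "elgg:auto_link"
 *     attribute; a user found this way is linked to the source for future logins
 *
 * Both attribute values come from the IdP assertion, so auto-linking is only as
 * trustworthy as the IdP's claim about them: a match attaches an existing local
 * account to the asserted identity. The configured field should therefore be one
 * the IdP is trusted to assert and that is unique per user; ambiguous matches
 * (more than one user) are never linked.
 *
 * @param string $source          the name of the SP
 * @param array  $saml_attributes an array with the attributes provided by the SP configuration
 *
 * @return bool|ElggUser the user that is linked, false if no user could be found
 */
function simplesaml_find_user($source, $saml_attributes) {
	if (empty($source) || empty($saml_attributes) || !is_array($saml_attributes)) {
		return false;
	}

	$saml_uid = elgg_extract("elgg:external_id", $saml_attributes);
	if (is_array($saml_uid)) {
		// multi-valued attribute: use the first value, null when the list is empty
		$saml_uid = isset($saml_uid[0]) ? $saml_uid[0] : null;
	}

	if (empty($saml_uid)) {
		return false;
	}

	// first check if we can find a user based on an existing link
	$options = [
		"type" => "user",
		"limit" => 1,
		"site_guids" => false,
		"plugin_id" => "simplesaml",
		"plugin_user_setting_name_value_pairs" => [$source . "_uid" => $saml_uid],
	];
	$users = elgg_get_entities_from_plugin_user_settings($options);
	if (!empty($users)) {
		return $users[0];
	}

	// no user found, can we auto link
	// are we allowed to link an existing account based on information from the IDP
	$profile_field = elgg_get_plugin_setting($source . "_auto_link", "simplesaml");

	// is the external information provided
	$auto_link_value = elgg_extract("elgg:auto_link", $saml_attributes);
	if (is_array($auto_link_value)) {
		$auto_link_value = isset($auto_link_value[0]) ? $auto_link_value[0] : null;
	}
	// cast first: strtolower(null) is deprecated on PHP 8.1+
	$auto_link_value = strtolower((string) $auto_link_value);

	if (empty($profile_field) || empty($auto_link_value)) {
		return false;
	}

	$result = false;
	switch ($profile_field) {
		case "username":
			// find user based on username
			$user = get_user_by_username($auto_link_value);
			if (!empty($user)) {
				$result = $user;
			}
			break;
		case "email":
			// find user based on email address; more than one match is ambiguous
			$users = get_user_by_email($auto_link_value);
			if (!empty($users) && count($users) === 1) {
				$result = $users[0];
			}
			break;
		default:
			// find user based on profile information; access checks are ignored for
			// this lookup (presumably so profiles the not-yet-logged-in visitor cannot
			// read are still matched — confirm) and restored right after
			$ia = elgg_set_ignore_access(true);
			$options = [
				"type" => "user",
				"limit" => false,
				"site_guids" => false,
				"metadata_name_value_pairs" => ["name" => $profile_field, "value" => $auto_link_value],
			];
			$users = elgg_get_entities_from_metadata($options);
			if (!empty($users) && count($users) === 1) {
				// only found 1 user so this is ok
				$result = $users[0];
			}
			// restore access
			elgg_set_ignore_access($ia);
	}

	if (!empty($result)) {
		// we have a result, so link the user for future use
		simplesaml_link_user($result, $source, $saml_uid);
	}

	return $result;
}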
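/**
 * Check if we can find a user that is linked to the user provided by the Service Provider (SP).
 *
 * Lookup order:
 *  1. a user already linked to this source by the external id ('elgg:external_id')
 *  2. if the source has the '_auto_link' setting, an existing user whose username,
 *     email address or configured profile field matches the 'elgg:auto_link'
 *     attribute; a user found this way is linked to the source for future logins
 *
 * Both attribute values come from the IdP assertion, so auto-linking is only as
 * trustworthy as the IdP's claim about them: a match attaches an existing local
 * account to the asserted identity. The configured field should therefore be one
 * the IdP is trusted to assert and that is unique per user; ambiguous matches
 * (more than one user) are never linked. The auto-link value is compared as
 * provided by the IdP, without case normalisation — whether the lookups below
 * are case-insensitive depends on the helpers/database, confirm if it matters.
 *
 * @param string $source          the name of the SP
 * @param array  $saml_attributes an array with the attributes provided by the SP configuration
 *
 * @return false|ElggUser
 */
function simplesaml_find_user($source, $saml_attributes) {
	if (empty($source) || empty($saml_attributes) || !is_array($saml_attributes)) {
		return false;
	}

	$saml_uid = elgg_extract('elgg:external_id', $saml_attributes);
	if (is_array($saml_uid)) {
		// multi-valued attribute: use the first value, null when the list is empty
		$saml_uid = isset($saml_uid[0]) ? $saml_uid[0] : null;
	}

	if (empty($saml_uid)) {
		return false;
	}

	// first check if we can find a user based on an existing link
	$options = [
		'type' => 'user',
		'limit' => 1,
		'site_guids' => false,
		'plugin_id' => 'simplesaml',
		'plugin_user_setting_name_value_pairs' => ["{$source}_uid" => $saml_uid],
	];
	$users = elgg_get_entities_from_plugin_user_settings($options);
	if (!empty($users)) {
		return $users[0];
	}

	// no user found, can we auto link
	// are we allowed to link an existing account based on information from the IDP
	$profile_field = elgg_get_plugin_setting("{$source}_auto_link", 'simplesaml');

	// is the external information provided
	$auto_link_value = elgg_extract('elgg:auto_link', $saml_attributes);
	if (is_array($auto_link_value)) {
		$auto_link_value = isset($auto_link_value[0]) ? $auto_link_value[0] : null;
	}

	if (empty($profile_field) || empty($auto_link_value)) {
		return false;
	}

	$result = false;
	switch ($profile_field) {
		case 'username':
			// find user based on username
			$user = get_user_by_username($auto_link_value);
			if (!empty($user)) {
				$result = $user;
			}
			break;
		case 'email':
			// find user based on email address; more than one match is ambiguous
			$users = get_user_by_email($auto_link_value);
			if (!empty($users) && count($users) === 1) {
				$result = $users[0];
			}
			break;
		default:
			// find user based on profile information; access checks are ignored for
			// this lookup (presumably so profiles the not-yet-logged-in visitor cannot
			// read are still matched — confirm) and restored right after
			$ia = elgg_set_ignore_access(true);
			$options = [
				'type' => 'user',
				'limit' => false,
				'site_guids' => false,
				'metadata_name_value_pairs' => ['name' => $profile_field, 'value' => $auto_link_value],
			];
			$users = elgg_get_entities_from_metadata($options);
			if (!empty($users) && count($users) === 1) {
				// only found 1 user so this is ok
				$result = $users[0];
			}
			// restore access
			elgg_set_ignore_access($ia);
	}

	if (!$result instanceof ElggUser) {
		return false;
	}

	// we have a result, so link the user for future use
	simplesaml_link_user($result, $source, $saml_uid);

	return $result;
}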