/* Load simpleSAMLphp, configuration and metadata */ $casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php'); $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache')); $ticketcontent = retrieveTicket($ticket, $path); $usernamefield = $casconfig->getValue('attrname', 'eduPersonPrincipalName'); $dosendattributes = $casconfig->getValue('attributes', FALSE); $attributes = $ticketcontent['attributes']; $pgtiouxml = ""; if ($ticketcontent['service'] == $service && $ticketcontent['forceAuthn'] == $forceAuthn && array_key_exists($usernamefield, $attributes) && $ticketcontent['validbefore'] > time()) { if (isset($_GET['pgtUrl'])) { $pgtUrl = $_GET['pgtUrl']; $pgtiou = str_replace('_', 'PGTIOU-', SimpleSAML_Utilities::generateID()); $pgt = str_replace('_', 'PGT-', SimpleSAML_Utilities::generateID()); $content = array('attributes' => $attributes, 'forceAuthn' => false, 'proxies' => array_merge(array($service), $ticketcontent['proxies']), 'validbefore' => time() + 60); SimpleSAML_Utilities::fetch($pgtUrl . '?pgtIou=' . $pgtiou . '&pgtId=' . $pgt); storeTicket($pgt, $path, $content); $pgtiouxml = "\n<cas:proxyGrantingTicket>{$pgtiou}</cas:proxyGrantingTicket>\n"; } $proxiesxml = join("\n", array_map(create_function('$a', 'return "<cas:proxy>$a</cas:proxy>";'), $ticketcontent['proxies'])); if ($proxiesxml) { $proxiesxml = "<cas:proxies>\n{$proxiesxml}\n</cas:proxies>\n"; } returnResponse('YES', $function, $attributes[$usernamefield][0], $dosendattributes ? $attributes : array(), $pgtiouxml . $proxiesxml); } else { returnResponse('NO', $function); } } catch (Exception $e) { returnResponse('NO', $function, $e->getMessage()); } function returnResponse($value, $function, $usrname = '', $attributes = array(), $xtraxml = "") {
if (array_key_exists('targetService', $_GET)) { $targetService = $_GET['targetService']; $pgt = $_GET['pgt']; } else { throw new Exception('Required URL query parameter [targetService] not provided. (CAS Server)'); } $casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php'); $legal_service_urls = $casconfig->getValue('legal_service_urls'); if (!checkServiceURL($targetService, $legal_service_urls)) { throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service); } $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache')); $ticket = retrieveTicket($pgt, $path, false); if ($ticket['validbefore'] > time()) { $pt = str_replace('_', 'PT-', SimpleSAML\Utils\Random::generateID()); storeTicket($pt, $path, array('service' => $targetService, 'forceAuthn' => false, 'attributes' => $ticket['attributes'], 'proxies' => $ticket['proxies'], 'validbefore' => time() + 5)); print <<<eox <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:proxySuccess> <cas:proxyTicket>{$pt}</cas:proxyTicket> </cas:proxySuccess> </cas:serviceResponse> eox; } else { print <<<eox <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:proxyFailure code="INVALID_REQUEST"> Proxygranting ticket to old - ssp casserver only supports shortlived (30 secs) pgts. </cas:proxyFailure> </cas:serviceResponse> eox;
* service * renew * gateway * */ if (!array_key_exists('service', $_GET)) { throw new Exception('Required URL query parameter [service] not provided. (CAS Server)'); } $service = $_GET['service']; $forceAuthn = isset($_GET['renew']) && $_GET['renew']; $isPassive = isset($_GET['gateway']) && $_GET['gateway']; $config = SimpleSAML_Configuration::getInstance(); $casconfig = SimpleSAML_Configuration::getConfig('module_casserver.php'); $legal_service_urls = $casconfig->getValue('legal_service_urls'); if (!checkServiceURL($service, $legal_service_urls)) { throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service); } $auth = $casconfig->getValue('auth', 'saml2'); if (!in_array($auth, array('saml2', 'shib13'))) { throw new Exception('CAS Service configured to use [auth] = ' . $auth . ' only [saml2,shib13] is legal.'); } $as = new SimpleSAML_Auth_Simple($auth); if (!$as->isAuthenticated()) { $params = array('ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive); $as->login($params); } $attributes = $as->getAttributes(); $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', '/tmp')); $ticket = str_replace('_', 'ST-', SimpleSAML_Utilities::generateID()); storeTicket($ticket, $path, array('service' => $service, 'forceAuthn' => $forceAuthn, 'attributes' => $attributes, 'proxies' => array(), 'validbefore' => time() + 5)); SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::addURLparameter($service, array('ticket' => $ticket)));
$session = SimpleSAML_Session::getInstance(); $legal_service_urls = $casconfig->getValue('legal_service_urls'); if (!checkServiceURL($service, $legal_service_urls)) { throw new Exception('Service parameter provided to CAS server is not listed as a legal service: [service] = ' . $service); } $auth = $casconfig->getValue('auth', 'saml2'); if (!in_array($auth, array('saml2', 'shib13'))) { throw new Exception('CAS Service configured to use [auth] = ' . $auth . ' only [saml2,shib13] is legal.'); } if (!$session->isValid($auth)) { SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . $auth . '/sp/initSSO.php', array('RelayState' => SimpleSAML_Utilities::selfURL())); } $attributes = $session->getAttributes(); $path = $casconfig->resolvePath($casconfig->getValue('ticketcache', 'ticketcache')); $ticket = SimpleSAML_Utilities::generateID(); storeTicket($ticket, $path, $attributes); // $test = retrieveTicket($ticket, $path); SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::addURLparameter($service, array('ticket' => $ticket))); function storeTicket($ticket, $path, &$value) { if (!is_dir($path)) { throw new Exception('Directory for CAS Server ticket storage [' . $path . '] does not exists. '); } if (!is_writable($path)) { throw new Exception('Directory for CAS Server ticket storage [' . $path . '] is not writable. '); } $filename = $path . '/' . $ticket; file_put_contents($filename, serialize($value)); } function retrieveTicket($ticket, $path) {