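/**
 * Authenticates the current request against the IdP through OneLogin's SAML toolkit.
 *
 * When the request carries the 'acs' parameter it is treated as the IdP's response:
 * the assertion is processed, the user's attributes are stored, the matching toba
 * user is resolved and logged in. Otherwise the user is sent to the IdP.
 *
 * @param mixed $datos_iniciales passed through unchanged to the toba session login
 * @return mixed the toba user id on the ACS path; null on the redirect-to-IdP path
 * @throws toba_error_autenticacion when the IdP response does not authenticate the user
 * @throws toba_reset_nucleo re-thrown from login() unless a same-site RelayState redirect is taken
 */
function verificar_acceso($datos_iniciales = null)
{
    $auth = $this->instanciar_pedido_onelogin();

    if (is_null(toba::memoria()->get_parametro('acs'))) {
        $this->procesar_logout($auth);
        // Redirect to the IdP, using the configured URL parameters to build the return URL
        $parametros_url = (isset($this->parametros_url) && is_array($this->parametros_url))
            ? $this->parametros_url
            : array();
        $auth->login($this->generar_url($parametros_url));
        return;
    }

    // Process the IdP response and check that it authenticates the user
    $auth->processResponse();
    $this->verificar_errores_onelogin($auth);
    if (!$auth->isAuthenticated()) {
        throw new toba_error_autenticacion('No ha sido posible autenticar al usuario');
    }
    $this->set_atributos_usuario($auth->getAttributes());

    // Resolve the toba user and verify it exists (throws if it does not)
    $id_usuario = $this->recuperar_usuario_toba();
    try {
        // The password is irrelevant here: authentication already happened via the SAML token
        toba::manejador_sesiones()->login($id_usuario, 'foobar', $datos_iniciales);
    } catch (toba_reset_nucleo $e) {
        // RelayState is attacker-controllable POST data. Only follow it when it points back
        // at this SP (a single-slash relative path, or an absolute URL under our own
        // scheme://host[:port]) and differs from the current URL (which would loop).
        // Anything else is treated as if no RelayState had been sent.
        $relay_state = isset($_POST['RelayState']) ? $_POST['RelayState'] : '';
        $host_propio = OneLogin_Saml2_Utils::getSelfURLhost();
        $destino_local = is_string($relay_state) && (
            preg_match('#^/(?![/\\\\])#', $relay_state) === 1
            || $relay_state === $host_propio
            || strpos($relay_state, $host_propio . '/') === 0
        );
        if ($destino_local && OneLogin_Saml2_Utils::getSelfURL() != $relay_state) {
            $auth->redirectTo($relay_state);
        } else {
            throw $e;
        }
    }

    return $id_usuario;
}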
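/**
 * Assertion Consumer Service endpoint: consumes the IdP's SAML response.
 *
 * On success the attributes, NameID and session index are stored in the session
 * flash bag; when a same-site RelayState was posted the user is redirected there.
 *
 * @param Request $req the incoming HTTP request (RelayState is read from its POST body)
 * @return mixed the result of $this->redirect() when a usable RelayState was posted, otherwise null
 * @throws \Exception when the toolkit reports errors while processing the response
 * @throws AccessDeniedHttpException when the response does not authenticate the user
 */
public function acsAction(Request $req)
{
    $auth = $this->get('arcanys_sso_auth.saml2');
    $auth->processResponse();

    $errors = $auth->getErrors();
    if (!empty($errors)) {
        throw new \Exception(implode(', ', $errors));
    }
    if (!$auth->isAuthenticated()) {
        throw new AccessDeniedHttpException();
    }

    $flashBag = $this->get('session')->getFlashBag();
    $flashBag->set('arcanys_sso_auth.user_data', $auth->getAttributes());
    $flashBag->set('arcanys_sso_auth.name_id', $auth->getNameId());
    $flashBag->set('arcanys_sso_auth.session_index', $auth->getSessionIndex());

    // RelayState is attacker-controllable POST data. Only redirect to it when it points
    // back at this SP (a single-slash relative path, or an absolute URL under our own
    // scheme://host[:port]) and differs from the current URL (which would loop).
    // A foreign target is treated as if no RelayState had been sent.
    $relayState = $req->request->get('RelayState');
    $selfHost = \OneLogin_Saml2_Utils::getSelfURLhost();
    $isLocalTarget = is_string($relayState) && (
        preg_match('#^/(?![/\\\\])#', $relayState) === 1
        || $relayState === $selfHost
        || strpos($relayState, $selfHost . '/') === 0
    );
    if ($relayState && $isLocalTarget && \OneLogin_Saml2_Utils::getSelfURL() != $relayState) {
        return $this->redirect($relayState);
    }
    // NOTE(review): no response is returned when there is no usable RelayState;
    // confirm the route's template/annotation handles that case.
}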
$requestID = null; } $auth->processResponse($requestID); $errors = $auth->getErrors(); if (!empty($errors)) { print_r('<p>' . implode(', ', $errors) . '</p>'); } if (!$auth->isAuthenticated()) { echo "<p>Not authenticated</p>"; exit; } $_SESSION['samlUserdata'] = $auth->getAttributes(); $_SESSION['samlNameId'] = $auth->getNameId(); $_SESSION['samlSessionIndex'] = $auth->getSessionIndex(); unset($_SESSION['AuthNRequestID']); if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) { $auth->redirectTo($_POST['RelayState']); } } else { if (isset($_GET['sls'])) { if (isset($_SESSION) && isset($_SESSION['LogoutRequestID'])) { $requestID = $_SESSION['LogoutRequestID']; } else { $requestID = null; } $auth->processSLO(false, $requestID); $errors = $auth->getErrors(); if (empty($errors)) { print_r('<p>Sucessfully logged out</p>'); } else { print_r('<p>' . implode(', ', $errors) . '</p>');
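/**
 * Tests the getSelfURL method of the OneLogin_Saml2_Utils
 *
 * getSelfURL() is expected to be getSelfURLhost() followed by REQUEST_URI
 * (path and query string). When REQUEST_URI is an absolute URL only its
 * path is kept, so a foreign host in REQUEST_URI cannot replace our own.
 *
 * @covers OneLogin_Saml2_Utils::getSelfURL
 */
public function testGetSelfURL()
{
    $host = OneLogin_Saml2_Utils::getSelfURLhost();
    // Remember the incoming value so this test does not leak state into other tests
    $originalRequestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null;

    // With REQUEST_URI at its initial value the self URL is just the host part
    $this->assertEquals($host, OneLogin_Saml2_Utils::getSelfURL());

    // REQUEST_URI => expected suffix appended to the host
    $cases = array(
        '/index.php' => '/index.php',
        '/test/index.php?testing' => '/test/index.php?testing',
        // Absolute URL in REQUEST_URI: only its path survives
        'https://example.com/testing' => '/testing',
    );
    foreach ($cases as $requestUri => $expectedSuffix) {
        $_SERVER['REQUEST_URI'] = $requestUri;
        $this->assertEquals($host . $expectedSuffix, OneLogin_Saml2_Utils::getSelfURL(), "REQUEST_URI={$requestUri}");
    }

    if ($originalRequestUri === null) {
        unset($_SERVER['REQUEST_URI']);
    } else {
        $_SERVER['REQUEST_URI'] = $originalRequestUri;
    }
}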
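/**
 * SAML 2.0 Auth test endpoint
 *
 * Dispatches on the query string: ?sso starts an AuthnRequest, ?slo starts a
 * logout, ?acs consumes the IdP response, ?sls consumes a logout response and
 * ?metadata serves the SP metadata. Otherwise it renders the attributes stored
 * in the session (or a sign-on link).
 *
 * FIXME remove termporary saml2 acs endpoint
 *
 * @throws OneLogin_Saml2_Error when the SP metadata does not validate
 */
public function samlAction()
{
    /* FIXME We'll enable \Scalr::config('scalr.auth_mode') !== 'saml' when it is production ready
    if (\Scalr::config('scalr.auth_mode') !== 'saml') {
        $this->response->setHttpResponseCode(404);
        return;
    }
    */

    // Start the session only when none is active, instead of hiding the
    // "session already started" notice behind @
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // This is necessary for test container as OneLogin_Saml2_Utils::getSelfHost() method relies on HTTP_HOST / SERVER_PORT
    // NOTE(review): X-Forwarded-Host is client-controllable unless the reverse proxy
    // overwrites it, and this value feeds getSelfURL() and hence the ACS / metadata
    // URLs; acceptable only behind a proxy that always sets it -- confirm.
    if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
        $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
    }

    $auth = $this->getContainer()->saml;
    $body = '';

    if (isset($_GET['sso'])) {
        $auth->login();
    } elseif (isset($_GET['slo'])) {
        $auth->logout(
            null,
            [],
            isset($_SESSION['samlNameId']) ? $_SESSION['samlNameId'] : null,
            isset($_SESSION['samlSessionIndex']) ? $_SESSION['samlSessionIndex'] : null
        );
    } elseif (isset($_GET['acs'])) {
        $auth->processResponse();
        $errors = $auth->getErrors();
        if (!empty($errors)) {
            // Toolkit error strings end up in an HTML body, so escape them
            $body .= '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
        }
        if (!$auth->isAuthenticated()) {
            $body .= "<p>Not authenticated</p>";
            $this->response->body = $body;
            return;
        }
        $_SESSION['samlUserdata'] = $auth->getAttributes();
        $_SESSION['samlNameId'] = $auth->getNameId();
        $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();

        // RelayState is attacker-controllable POST data. Only follow it when it points
        // back at this SP (a single-slash relative path, or an absolute URL under our own
        // scheme://host[:port]) and differs from the current URL (which would loop).
        // A foreign target is treated as if no RelayState had been sent.
        $relayState = isset($_POST['RelayState']) ? $_POST['RelayState'] : '';
        $selfHost = OneLogin_Saml2_Utils::getSelfURLhost();
        $isLocalTarget = is_string($relayState) && (
            preg_match('#^/(?![/\\\\])#', $relayState) === 1
            || $relayState === $selfHost
            || strpos($relayState, $selfHost . '/') === 0
        );
        if ($isLocalTarget && OneLogin_Saml2_Utils::getSelfURL() != $relayState) {
            $auth->redirectTo($relayState);
            return;
        }
    } elseif (isset($_GET['sls'])) {
        $auth->processSLO();
        $errors = $auth->getErrors();
        if (empty($errors)) {
            $body .= '<p>Sucessfully logged out</p>';
        } else {
            $body .= '<p>' . htmlentities(implode(', ', $errors)) . '</p>';
        }
    } elseif (isset($_GET['metadata'])) {
        $settings = $auth->getSettings();
        // Now we only validate SP settings
        $metadata = $settings->getSPMetadata();
        $errors = $settings->validateMetadata($metadata);
        if (!empty($errors)) {
            throw new OneLogin_Saml2_Error('Invalid SP metadata: ' . implode(', ', $errors), OneLogin_Saml2_Error::METADATA_SP_INVALID);
        }
        $this->response->setHeader('Content-Type', 'text/xml');
        $this->response->body = $metadata;
        return;
    }

    if (!isset($_SESSION['samlUserdata'])) {
        $body .= '<p><a href="?sso">single sign on</a></p>';
        $this->response->body = $body;
        return;
    }

    if (!empty($_SESSION['samlUserdata'])) {
        $attributes = $_SESSION['samlUserdata'];
        $nameIdHtml = htmlentities(isset($_SESSION['samlNameId']) ? $_SESSION['samlNameId'] : '');
        // The same table head and email row are rendered in both tables below
        $tableHead = '<table><thead><th>Name</th><th>Values</th></thead><tbody>';
        $emailRow = '<tr><td>Email</td><td><ul><li>' . $nameIdHtml . '</li></ul></td></tr>';
        $groupsCell = !empty($attributes['Groups'])
            ? implode(', ', array_map('htmlentities', (array) $attributes['Groups']))
            : '<b color="red">not provided</b>';

        $body .= '<style type="text/css">'
            . ' th, td { border: 1px solid black; padding: 2px 4px; }'
            . ' ul { padding: 1px 2px; margin: 0px; }'
            . ' ul li { list-style-type: none; }'
            . '</style>';

        $body .= 'Scalr requires following attributes:<br>';
        $body .= $tableHead;
        $body .= $emailRow;
        $body .= '<tr><td>Groups</td><td><ul><li>' . $groupsCell . '</li></ul></td></tr>';
        $body .= '</tbody></table>';
        $body .= "<br><br>";

        $body .= 'Your Identity Provider responded with attributes:<br>';
        $body .= $tableHead;
        $body .= $emailRow;
        foreach ($attributes as $attributeName => $attributeValues) {
            $body .= '<tr><td>' . htmlentities($attributeName) . '</td><td><ul>';
            foreach ($attributeValues as $attributeValue) {
                $body .= '<li>' . htmlentities($attributeValue) . '</li>';
            }
            $body .= '</ul></td></tr>';
        }
        $body .= '</tbody></table>';
    } else {
        $body .= "<p>You don't have any attribute</p>";
    }
    $body .= '<p><a href="?slo">single logout</a></p>';

    $this->response->body = $body;
}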
* http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ session_start(); require_once '_toolkit_loader.php'; if (!isset($_SESSION['samlUserdata'])) { $settings = new OneLogin_Saml2_Settings(); $authRequest = new OneLogin_Saml2_AuthnRequest($settings); $samlRequest = $authRequest->getRequest(); $parameters = array('SAMLRequest' => $samlRequest); $parameters['RelayState'] = OneLogin_Saml2_Utils::getSelfURL(); //echo str_replace("\n", "<BR>", str_replace(" ", " ", print_r($settings, true))); //echo str_replace("\n", "<BR>", str_replace(" ", " ", print_r($parameters, true))); $idpData = $settings->getIdPData(); $ssoUrl = $idpData['singleSignOnService']['url']; $url = OneLogin_Saml2_Utils::redirect($ssoUrl, $parameters, true); header("Location: {$url}"); } else { if (!empty($_SESSION['samlUserdata'])) { $xertedata = array(); // echo str_replace("\n", "<BR>", str_replace(" ", " ", print_r($_SESSION['samlUserdata'], true))); // echo str_replace("\n", "<BR>", str_replace(" ", " ", print_r($_REQUEST, true))); $xertedata['IdPSessionIndex'] = $_SESSION['IdPSessionIndex']; $xertedata['username'] = $_SESSION['samlUserdata']['urn:oid:0.9.2342.19200300.100.1.1'][0]; // uid $xertedata['firstname'] = $_SESSION['samlUserdata']['urn:oid:2.5.4.42'][0];