public static function handleLogin($authStateId, $xmlToken) { assert('is_string($authStateId)'); $config = SimpleSAML_Configuration::getInstance(); $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); $idp_key = $autoconfig->getValue('idp_key'); $idp_pass = $autoconfig->getValue('idp_key_pass', NULL); $sts_crt = $autoconfig->getValue('sts_crt'); $Infocard = $autoconfig->getValue('InfoCard'); $infocard = new sspmod_InfoCard_RP_InfoCard(); $infocard->addIDPKey($idp_key, $idp_pass); $infocard->addSTSCertificate($sts_crt); if (!$xmlToken) { SimpleSAML_Logger::debug("XMLtoken: " . $xmlToken); } else { SimpleSAML_Logger::debug("NOXMLtoken: " . $xmlToken); } $claims = $infocard->process($xmlToken); if ($claims->isValid()) { $attributes = array(); foreach ($Infocard['requiredClaims'] as $claim => $data) { $attributes[$claim] = array($claims->{$claim}); } foreach ($Infocard['optionalClaims'] as $claim => $data) { $attributes[$claim] = array($claims->{$claim}); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } $state['Attributes'] = $attributes; unset($infocard); unset($claims); SimpleSAML_Auth_Source::completeAuth($state); } else { unset($infocard); unset($claims); return 'wrong_IC'; } }
/** * Check the credentials that the user got from the A-Select server. * This function is called after the user returns from the A-Select server. * * @author Wessel Dankers, Tilburg University */ function check_credentials() { if (!array_key_exists('ssp_state', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing ssp_state parameter")); } $id = $_REQUEST['ssp_state']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($id); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'aselect:login'); if (!array_key_exists('a-select-server', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter")); } $server_id = $_REQUEST['a-select-server']; if (!array_key_exists('aselect_credentials', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing aselect_credentials parameter")); } $credentials = $_REQUEST['aselect_credentials']; if (!array_key_exists('rid', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing rid parameter")); } $rid = $_REQUEST['rid']; try { if (!array_key_exists('aselect::authid', $state)) { throw new SimpleSAML_Error_Exception("ASelect authentication source missing in state"); } $authid = $state['aselect::authid']; $aselect = SimpleSAML_Auth_Source::getById($authid); if (is_null($aselect)) { throw new SimpleSAML_Error_Exception("Could not find authentication source with id {$authid}"); } $creds = $aselect->verify_credentials($server_id, $credentials, $rid); if (array_key_exists('attributes', $creds)) { $state['Attributes'] = $creds['attributes']; } else { $res = $creds['res']; $state['Attributes'] = array('uid' => array($res['uid']), 'organization' => array($res['organization'])); } } catch (Exception $e) { SimpleSAML_Auth_State::throwException($state, $e); } SimpleSAML_Auth_Source::completeAuth($state); SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Internal error in A-Select component")); }
/** * Continue the logout operation. * * This function will never return. * * @param string $assocId The association that is terminated. * @param string|NULL $relayState The RelayState from the start of the logout. * @param SimpleSAML_Error_Exception|NULL $error The error that occurred during session termination (if any). */ public function onResponse($assocId, $relayState, SimpleSAML_Error_Exception $error = NULL) { assert('is_string($assocId)'); assert('is_string($relayState) || is_null($relayState)'); if ($relayState === NULL) { throw new SimpleSAML_Error_Exception('RelayState lost during logout.'); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($relayState); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional'); if ($error === NULL) { SimpleSAML_Logger::info('Logged out of ' . var_export($assocId, TRUE) . '.'); $this->idp->terminateAssociation($assocId); } else { SimpleSAML_Logger::warning('Error received from ' . var_export($assocId, TRUE) . ' during logout:'); $error->logWarning(); $state['core:Failed'] = TRUE; } self::logoutNextSP($state); }
<?php /** * Handle linkback() response from CAS. */ if (!isset($_GET['stateID'])) { throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.'); } $stateId = (string) $_GET['stateID']; if (!isset($_GET['ticket'])) { throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.'); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT); $state['cas:ticket'] = (string) $_GET['ticket']; /* Find authentication source. */ assert('array_key_exists(sspmod_cas_Auth_Source_CAS::AUTHID, $state)'); $sourceId = $state[sspmod_cas_Auth_Source_CAS::AUTHID]; $source = SimpleSAML_Auth_Source::getById($sourceId); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $sourceId); } $source->finalStep($state);
/** * Retrieve saved state. * * This function retrieves saved state information. If the state information has been lost, * it will attempt to restart the request by calling the restart URL which is embedded in the * state information. If there is no restart information available, an exception will be thrown. * * @param string $id State identifier (with embedded restart information). * @param string $stage The stage the state should have been saved in. * @param bool $allowMissing Whether to allow the state to be missing. * @return array|NULL State information, or NULL if the state is missing and $allowMissing is TRUE. */ public static function loadState($id, $stage, $allowMissing = FALSE) { assert('is_string($id)'); assert('is_string($stage)'); assert('is_bool($allowMissing)'); SimpleSAML_Logger::debug('Loading state: ' . var_export($id, TRUE)); $sid = SimpleSAML_Utilities::parseStateID($id); $session = SimpleSAML_Session::getSessionFromRequest(); $state = $session->getData('SimpleSAML_Auth_State', $sid['id']); if ($state === NULL) { /* Could not find saved data. */ if ($allowMissing) { return NULL; } if ($sid['url'] === NULL) { throw new SimpleSAML_Error_NoState(); } SimpleSAML_Utilities::redirectTrustedURL($sid['url']); } $state = unserialize($state); assert('is_array($state)'); assert('array_key_exists(self::ID, $state)'); assert('array_key_exists(self::STAGE, $state)'); /* Verify stage. */ if ($state[self::STAGE] !== $stage) { /* This could be a user trying to bypass security, but most likely it is just * someone using the back-button in the browser. We try to restart the * request if that is possible. If not, show an error. */ $msg = 'Wrong stage in state. Was \'' . $state[self::STAGE] . '\', should be \'' . $stage . '\'.'; SimpleSAML_Logger::warning($msg); if ($sid['url'] === NULL) { throw new Exception($msg); } SimpleSAML_Utilities::redirectTrustedURL($sid['url']); } return $state; }
assert('array_key_exists("Source", $authProcState)'); assert('array_key_exists("entityid", $authProcState["Source"])'); $authData = array('Attributes' => $authProcState['Attributes'], 'saml:sp:NameID' => $authProcState['core:shib13-sp:NameID'], 'saml:sp:SessionIndex' => $authProcState['core:shib13-sp:SessionIndex'], 'saml:sp:IdP' => $authProcState['Source']['entityid']); global $session; $session->doLogin('shib13', $authData); SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:shib13-sp:TargetURL']); } SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Accessing Shibboleth 1.3 SP endpoint AssertionConsumerService'); if (!$config->getBoolean('enable.shib13-sp', false)) { throw new SimpleSAML_Error_Error('NOACCESS'); } if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) { /* We have returned from the authentication processing filters. */ $authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM]; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authProcId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); finishLogin($authProcState); } if (empty($_POST['SAMLResponse'])) { throw new SimpleSAML_Error_Error('ACSPARAMS', $exception); } try { $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $authnResponse = $binding->decodeResponse($_POST); $authnResponse->validate(); /* Successfully authenticated. */
<?php /* Find the authentication state. */ if (!array_key_exists('AuthState', $_REQUEST) || empty($_REQUEST['AuthState'])) { throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState'); } $authState = $_REQUEST['AuthState']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authState); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($authState, 'openid:auth'); $sourceId = $state['openid:AuthId']; $authSource = SimpleSAML_Auth_Source::getById($sourceId); if ($authSource === NULL) { throw new SimpleSAML_Error_BadRequest('Invalid AuthId \'' . $sourceId . '\' - not found.'); } try { $authSource->postAuth($state); /* postAuth() should never return. */ assert('FALSE'); } catch (SimpleSAML_Error_Exception $e) { SimpleSAML_Auth_State::throwException($state, $e); } catch (Exception $e) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_AuthSource($sourceId, 'Error on OpenID linkback endpoint.', $e)); }
/** * Resume authentication process. * * This function resumes the authentication process after the user has * entered his or her credentials. * * @param array &$state The authentication state. */ public static function resume() { /* * First we need to restore the $state-array. We should have the identifier for * it in the 'State' request parameter. */ if (!isset($_REQUEST['State'])) { throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.'); } $stateId = (string) $_REQUEST['State']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* * Once again, note the second parameter to the loadState function. This must * match the string we used in the saveState-call above. */ $state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External'); /* * Now we have the $state-array, and can use it to locate the authentication * source. */ $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']); if ($source === NULL) { /* * The only way this should fail is if we remove or rename the authentication source * while the user is at the login page. */ throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } /* * Make sure that we haven't switched the source type while the * user was at the authentication page. This can only happen if we * change config/authsources.php while an user is logging in. */ if (!$source instanceof self) { throw new SimpleSAML_Error_Exception('Authentication source type changed.'); } /* * OK, now we know that our current state is sane. Time to actually log the user in. * * First we check that the user is acutally logged in, and didn't simply skip the login page. */ $attributes = $source->getUser(); if ($attributes === NULL) { /* * The user isn't authenticated. * * Here we simply throw an exception, but we could also redirect the user back to the * login page. */ throw new SimpleSAML_Error_Exception('User not authenticated after login page.'); } /* * So, we have a valid user. Time to resume the authentication process where we * paused it in the authenticate()-function above. */ $state['Attributes'] = $attributes; SimpleSAML_Auth_Source::completeAuth($state); /* * The completeAuth-function never returns, so we never get this far. */ assert('FALSE'); }
/** * Handle login request. * * This function is used by the login form (core/www/loginuserpass.php) when the user * enters a username and password. On success, it will not return. On wrong * username/password failure, and other errors, it will throw an exception. * * @param string $authStateId The identifier of the authentication state. * @param string $username The username the user wrote. * @param string $password The password the user wrote. */ public static function handleLogin($authStateId, $username, $password) { assert('is_string($authStateId)'); assert('is_string($username)'); assert('is_string($password)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Here we retrieve the state array we saved in the authenticate-function. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Retrieve the authentication source we are executing. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } /* * $source now contains the authentication source on which authenticate() * was called. We should call login() on the same authentication source. */ /* Attempt to log in. */ try { $attributes = $source->login($username, $password); } catch (Exception $e) { SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.'); throw $e; } SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.'); /* Save the attributes we received from the login-function in the $state-array. */ assert('is_array($attributes)'); $state['Attributes'] = $attributes; /* Return control to simpleSAMLphp after successful authentication. */ SimpleSAML_Auth_Source::completeAuth($state); }
/** * Handle login request. * * This function is used by the login form (core/www/loginuserpass.php) when the user * enters a username and password. On success, it will not return. On wrong * username/password failure, it will return the error code. Other failures will throw an * exception. * * @param string $authStateId The identifier of the authentication state. * @param string $otp The one time password entered- * @return string Error code in the case of an error. */ public static function handleLogin($authStateId, $otp) { assert('is_string($authStateId)'); assert('is_string($otp)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } try { /* Attempt to log in. */ $attributes = $source->login($otp); } catch (SimpleSAML_Error_Error $e) { /* An error occurred during login. Check if it is because of the wrong * username/password - if it is, we pass that error up to the login form, * if not, we let the generic error handler deal with it. */ if ($e->getErrorCode() === 'WRONGUSERPASS') { return 'WRONGUSERPASS'; } /* Some other error occurred. Rethrow exception and let the generic error * handler deal with it. */ throw $e; } $state['Attributes'] = $attributes; SimpleSAML_Auth_Source::completeAuth($state); }
/** * Retrieve state by ID. * * @param string $stateId The state ID. * @return array The state array. */ public function loadState($stateId) { assert('is_string($stateId)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState'); }
sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message); $destination = $message->getDestination(); if ($destination !== NULL && $destination !== SimpleSAML_Utilities::selfURLNoQuery()) { throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.'); } if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($relayState); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); $state['saml:sp:LogoutStatus'] = $message->getStatus(); SimpleSAML_Auth_Source::completeLogout($state); } elseif ($message instanceof SAML2_LogoutRequest) { SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId); SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId); if ($message->isNameIdEncrypted()) { try { $keys = sspmod_saml_Message::getDecryptionKeys($idpMetadata, $spMetadata); } catch (Exception $e) { throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage()); }
/** * Log out from this authentication source. * * This function should be overridden if the authentication source requires special * steps to complete a logout operation. * * If the logout process requires a redirect, the state should be saved. Once the * logout operation is completed, the state should be restored, and completeLogout * should be called with the state. If this operation can be completed without * showing the user a page, or redirecting, this function should return. * * @param array &$state Information about the current logout operation. */ public function logout(&$state) { assert('is_array($state)'); // check first if we have a valid session if ($this->_poa->isAuthenticated()) { /* We are will need the authId in order to retrieve this authentication source later. */ $state[self::AUTHID] = $this->authId; $this->_stateId = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); // TODO: pending on phpPoA adding PAPI_SLO_REDIRECT_URL_FINISH hook $this->_poa->addHook("PAPI_SLO_REDIRECT_URL_FINISH", new Hook(array($this, "modifyParams"))); // perform single logout, this won't return $this->_poa->logout(true); } else { if (isset($_REQUEST['SSPStateID'])) { $this->_stateId = (string) $_REQUEST['SSPStateID']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($this->_stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT); } else { return; } } self::completeLogout($state); }
/** * Get available organizations. * * This function is used by the login form to get the available organizations. * * @param string $authStateId The identifier of the authentication state. * @return array|NULL Array of organizations. NULL if the user must enter the * organization as part of the username. */ public static function listOrganizations($authStateId) { assert('is_string($authStateId)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } $orgMethod = $source->getUsernameOrgMethod(); if ($orgMethod === 'force') { return NULL; } return $source->getOrganizations(); }
<?php if (!array_key_exists('domain', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing domain to CDC resume handler.'); } $domain = (string) $_REQUEST['domain']; $client = new sspmod_cdc_Client($domain); $response = $client->getResponse(); if ($response === NULL) { throw new SimpleSAML_Error_BadRequest('Missing CDC response to CDC resume handler.'); } if (!isset($response['id'])) { throw new SimpleSAML_Error_BadRequest('CDCResponse without id.'); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($response['id']); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($response['id'], 'cdc:resume'); SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);