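/**
 * Handle the SAML2 Response to an AttributeQuery sent earlier by this page.
 *
 * Receives the message on the current binding, validates it against the
 * issuing IdP's metadata via sspmod_saml_Message::processResponse(), stores
 * the returned attributes in the session slot named by the RelayState and
 * redirects back to this page with that id.
 *
 * Returns silently when no SAML message could be received (the page is then
 * rendered normally). Throws SimpleSAML_Error_Exception on any validation
 * failure.
 */
function handleResponse() {
    try {
        $binding = SAML2_Binding::getCurrentBinding();
        $response = $binding->receive();
    } catch (Exception $e) {
        /* No (usable) SAML message on this request: fall through and let the
         * page render, but leave a trace so a broken binding is not invisible. */
        SimpleSAML_Logger::debug('attributequery - no message received: ' . $e->getMessage());
        return;
    }
    SimpleSAML_Logger::debug('attributequery - received message.');

    if (!$response instanceof SAML2_Response) {
        throw new SimpleSAML_Error_Exception('Unexpected message received to attribute query example.');
    }

    $idpEntityId = $response->getIssuer();
    if ($idpEntityId === NULL) {
        throw new SimpleSAML_Error_Exception('Missing issuer in response.');
    }

    /* Both lookups throw for unknown entities, so only an IdP listed in
     * saml20-idp-remote gets past this point. */
    $idpMetadata = $GLOBALS['metadata']->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
    $spMetadata = $GLOBALS['metadata']->getMetaDataConfig($GLOBALS['spEntityId'], 'saml20-sp-hosted');

    /* processResponse() checks status, signature(s) and assertion conditions.
     * This code expects it to return an array of assertions. Newer versions of
     * sspmod_saml_Message::processResponse() return a single SAML2_Assertion
     * and already reject multi-assertion responses - confirm which API the
     * installed library has before relying on the count() below. */
    $assertion = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
    if (count($assertion) > 1) {
        throw new SimpleSAML_Error_Exception('More than one assertion in received response.');
    }
    $assertion = $assertion[0];

    $dataId = $response->getRelayState();
    if ($dataId === NULL) {
        throw new SimpleSAML_Error_Exception('RelayState was lost during request.');
    }

    /* The RelayState is echoed back by the IdP. Only accept it if it names a
     * query this page actually started, so a response cannot create a fresh
     * session slot under an arbitrary id. */
    $data = $GLOBALS['session']->getData('attributequeryexample:data', $dataId);
    if ($data === NULL) {
        throw new SimpleSAML_Error_Exception('Unknown RelayState in response: no matching attribute query in session.');
    }
    /* TODO(review): the response's InResponseTo is not compared with the ID of
     * the AttributeQuery stored under $dataId; add that check if the stored
     * data carries the request ID. */

    $data['attributes'] = $assertion->getAttributes();
    $GLOBALS['session']->setData('attributequeryexample:data', $dataId, $data, 3600);

    /* Redirect to our own URL only - the target is not request-controlled. */
    SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(), array('dataId' => $dataId));
}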
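/*
 * OAuth 1.0 authorize endpoint: authenticate the user with the 'saml2' auth
 * source, bind the user's attributes to the pending request token and send
 * the user back to the consumer.
 *
 * $requestToken is expected to have been resolved earlier in this script; it
 * is not defined in this fragment.
 */
$store = new sspmod_oauth_OAuthStore();
$server = new sspmod_oauth_OAuthServer($store);

/* NOTE(review): PLAINTEXT transmits the consumer/token secrets in the clear.
 * It is only acceptable if every OAuth endpoint is served over TLS. */
$hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
$plaintext_method = new OAuthSignatureMethod_PLAINTEXT();
$server->add_signature_method($hmac_method);
$server->add_signature_method($plaintext_method);

$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* Force a login with the 'saml2' auth source before authorizing anything. */
$as = 'saml2';
if (!$session->isValid($as)) {
    SimpleSAML_Auth_Default::initLogin($as, SimpleSAML_Utilities::selfURL());
}
$attributes = $session->getAttributes();

$store->authorize($requestToken, $attributes);

if (isset($_REQUEST['oauth_callback'])) {
    /* oauth_callback is attacker-controllable request input. Without a check
     * this endpoint is an open redirect, so validate it against the trusted
     * URL policy first (checkURLAllowed() throws on a disallowed URL).
     * NOTE(review): in OAuth 1.0a the callback should be bound to the request
     * token when the token is issued rather than read here - confirm how
     * sspmod_oauth_OAuthStore handles it. */
    $callback = (string) $_REQUEST['oauth_callback'];
    SimpleSAML_Utilities::checkURLAllowed($callback);
    SimpleSAML_Utilities::redirect($callback);
} else {
    $t = new SimpleSAML_XHTML_Template($config, 'oauth:authorized.php');
    $t->data['header'] = '{status:header_saml20_sp}';
    $t->data['remaining'] = $session->remainingTime();
    $t->data['sessionsize'] = $session->getSize();
    $t->data['attributes'] = $attributes;
    $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout';
    $t->data['icon'] = 'bino.png';
    $t->show();
}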
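/**
 * Receive an authentication request.
 *
 * Two entry paths are handled:
 *  - IdP-initiated login: the 'spentityid' request parameter names the SP;
 *    RelayState, binding and NameIDFormat may also be supplied as request
 *    parameters. No AssertionConsumerService URL is taken from the request
 *    in this path.
 *  - A SAML2 AuthnRequest on the current binding, validated against the SP's
 *    metadata by sspmod_saml_Message::validateMessage().
 *
 * In both paths the SP must exist in 'saml20-sp-remote' (the metadata lookup
 * throws otherwise). The collected parameters are stored in a state array and
 * handed to $idp->handleAuthenticationRequest().
 *
 * @param SimpleSAML_IdP $idp The IdP we are receiving it for.
 * @throws SimpleSAML_Error_BadRequest If the received message is not an
 *         AuthnRequest or carries no Issuer.
 */
public static function receiveAuthnRequest(SimpleSAML_IdP $idp) {
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpMetadata = $idp->getConfig();

    /* Bindings this IdP is willing to send the response on. */
    $supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
    if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
        $supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
    }
    if ($idpMetadata->getBoolean('saml20.hok.assertion', FALSE)) {
        $supportedBindings[] = SAML2_Const::BINDING_HOK_SSO;
    }

    if (isset($_REQUEST['spentityid'])) {
        /* IdP initiated authentication. */

        if (isset($_REQUEST['cookieTime'])) {
            $cookieTime = (int) $_REQUEST['cookieTime'];
            if ($cookieTime + 5 > time()) {
                /*
                 * Less than five seconds has passed since we were
                 * here the last time. Cookies are probably disabled.
                 */
                SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
            }
        }

        $spEntityId = (string) $_REQUEST['spentityid'];
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        /* Optional request parameters; everything is cast to string. */
        $relayState = isset($_REQUEST['RelayState']) ? (string) $_REQUEST['RelayState'] : NULL;
        $protocolBinding = isset($_REQUEST['binding']) ? (string) $_REQUEST['binding'] : NULL;
        $nameIDFormat = isset($_REQUEST['NameIDFormat']) ? (string) $_REQUEST['NameIDFormat'] : NULL;

        $requestId = NULL;
        $IDPList = array();
        $ProxyCount = NULL;
        $RequesterID = NULL;
        $forceAuthn = FALSE;
        $isPassive = FALSE;
        $consumerURL = NULL;
        $consumerIndex = NULL;
        $extensions = NULL;
        $allowCreate = TRUE;

        $idpInit = TRUE;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' .
            var_export($spEntityId, TRUE));

    } else {
        $binding = SAML2_Binding::getCurrentBinding();
        $request = $binding->receive();

        if (!$request instanceof SAML2_AuthnRequest) {
            throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
        }

        $spEntityId = $request->getIssuer();
        if ($spEntityId === NULL) {
            throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
        }
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        /* Signature / destination checks according to the SP's metadata. */
        sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);

        $relayState = $request->getRelayState();
        $requestId = $request->getId();
        $IDPList = $request->getIDPList();
        $ProxyCount = $request->getProxyCount();
        if ($ProxyCount !== null) {
            /* We are one hop in the proxy chain. */
            $ProxyCount--;
        }
        $RequesterID = $request->getRequesterID();
        $forceAuthn = $request->getForceAuthn();
        $isPassive = $request->getIsPassive();
        $consumerURL = $request->getAssertionConsumerServiceURL();
        $protocolBinding = $request->getProtocolBinding();
        $consumerIndex = $request->getAssertionConsumerServiceIndex();
        $extensions = $request->getExtensions();

        $nameIdPolicy = $request->getNameIdPolicy();
        $nameIDFormat = isset($nameIdPolicy['Format']) ? $nameIdPolicy['Format'] : NULL;
        $allowCreate = isset($nameIdPolicy['AllowCreate']) ? $nameIdPolicy['AllowCreate'] : FALSE;

        $idpInit = FALSE;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: ' .
            var_export($spEntityId, TRUE));
    }

    SimpleSAML_Stats::log('saml:idp:AuthnRequest', array(
        'spEntityID' => $spEntityId,
        'idpEntityID' => $idpMetadata->getString('entityid'),
        'forceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
        'protocol' => 'saml2',
        'idpInit' => $idpInit,
    ));

    /* The response endpoint is resolved from the SP's metadata together with
     * whatever URL/index/binding the request asked for; the request values are
     * never used as-is. (Resolution and validation happen inside the helper -
     * confirm there if in doubt.) */
    $acsEndpoint = self::getAssertionConsumerService($supportedBindings, $spMetadata, $consumerURL, $protocolBinding, $consumerIndex);

    $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));

    /* Strict comparison on purpose: a ProxyCount that was decremented to 0
     * above is a valid value (no further proxying allowed) and must not be
     * replaced by the metadata default. `== null` would do exactly that,
     * because 0 == null in PHP. */
    if ($ProxyCount === null) {
        $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
    }

    if (!$forceAuthn) {
        $forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
    }

    /* URL we can restart from if the session is lost mid-login. */
    $sessionLostParams = array(
        'spentityid' => $spEntityId,
        'cookieTime' => time(),
    );
    if ($relayState !== NULL) {
        $sessionLostParams['RelayState'] = $relayState;
    }
    $sessionLostURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), $sessionLostParams);

    $state = array(
        'Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'),
        SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'),
        SimpleSAML_Auth_State::RESTART => $sessionLostURL,
        'SPMetadata' => $spMetadata->toArray(),
        'saml:RelayState' => $relayState,
        'saml:RequestId' => $requestId,
        'saml:IDPList' => $IDPList,
        'saml:ProxyCount' => $ProxyCount,
        'saml:RequesterID' => $RequesterID,
        'ForceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
        'saml:ConsumerURL' => $acsEndpoint['Location'],
        'saml:Binding' => $acsEndpoint['Binding'],
        'saml:NameIDFormat' => $nameIDFormat,
        'saml:AllowCreate' => $allowCreate,
        'saml:Extensions' => $extensions,
    );

    $idp->handleAuthenticationRequest($state);
}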
$assertion = $assertion[0]; } catch (sspmod_saml_Error $e) { /* The status of the response wasn't "success". */ $status = $response->getStatus(); if (array_key_exists('OnError', $info)) { /* We have an error handler. Return the error to it. */ SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code'])); } /* We don't have an error handler. Show an error page. */ throw new SimpleSAML_Error_Error('RESPONSESTATUSNOSUCCESS', $e); } SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successful response from IdP'); /* * Attribute handling */ $attributes = $assertion->getAttributes(); SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadataHandler->getMetaDataCurrentEntityID() . ' ' . $idp . ' NA'); $nameId = $assertion->getNameId(); /* Begin module attribute processing */ $spMetadataArray = $spMetadata->toArray(); $idpMetadataArray = $idpMetadata->toArray(); $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp'); $authProcState = array('core:saml20-sp:NameID' => $nameId, 'core:saml20-sp:SessionIndex' => $assertion->getSessionIndex(), 'core:saml20-sp:TargetURL' => $info['RelayState'], 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $idpMetadataArray); $pc->processState($authProcState); /* Since this function returns, processing has completed and attributes have * been updated. */ finishLogin($authProcState); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception); }
*/ } else { try { $spentityid = $requestcache['Issuer']; $spmetadata = $metadata->getMetaData($spentityid, 'saml20-sp-remote'); $sp_name = isset($spmetadata['name']) ? $spmetadata['name'] : $spentityid; SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Sending back AuthnResponse to ' . $spentityid); /* * Attribute handling */ $attributes = $session->getAttributes(); /* Authentication processing operations. */ if (!isset($authProcState)) { /* Not processed. */ $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'idp'); $authProcState = array('core:saml20-idp:requestcache' => $requestcache, 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spmetadata, 'Source' => $idpmetadata, 'isPassive' => $isPassive, SimpleSAML_Auth_State::EXCEPTION_HANDLER_URL => SimpleSAML_Utilities::selfURLNoQuery()); /* * Check whether the user has been authenticated to this SP previously * during this session. If the SP is authenticated earlier, we include * the timestamp to the authentication processing filters. */ $previousSSOTime = $session->getData('saml2-idp-ssotime', $spentityid); if ($previousSSOTime !== NULL) { $authProcState['PreviousSSOTimestamp'] = $previousSSOTime; } try { $pc->processState($authProcState); } catch (Exception $e) { handleError($e); } $requestcache['AuthProcState'] = $authProcState;
SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(), array('selectedtab' => $selectedtab));
            }
        } else {
            $msg = 'error_entity_not_url';
            $old_entityid = $_POST['entityid'];
            $old_entitytype = $_POST['entitytype'];
        }
    }
}

/* User data tab POST handler.
 * NOTE(review): no CSRF token is checked before the user record is modified,
 * and the raw POST values are concatenated into an HTML message body
 * ('<br />' markup) without htmlspecialchars(), so 'userdata' and
 * 'user_email' are a stored XSS sink for whoever reads that message. A newer
 * revision of this handler validates a csrf_token and escapes both values;
 * this one should do the same. */
if (isset($_POST['usersubmit'])) {
    $user->setData($_POST['userdata']);
    $user->setEmail($_POST['user_email']);
    $user->setSecret($_POST['user_secret']);
    $user->save();
    $pm->post('Userinfo update', 'User info updated:<br /><br />' . $_POST['userdata'] . '<br /><br />E-mail: ' . $_POST['user_email'], 'USER-' . $user->getUid(), $user->getUid());
    SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(), array('selectedtab' => $selectedtab));
}

/* ARP handlers. The ids are cast to int; whether the current user is allowed
 * to delete / edit that ARP is not checked here - presumably enforced by the
 * ARP class or earlier in the page, confirm. */
if (isset($_POST['arp_delete'])) {
    $arp = new sspmod_janus_ARP();
    $arp->setAid((int) $_POST['arp_delete']);
    $arp->delete();
}
if (isset($_POST['arp_edit'])) {
    $arp = new sspmod_janus_ARP();
    if (isset($_POST['arp_id'])) {
        $arp->setAid((int) $_POST['arp_id']);
    }
    if (isset($_POST['arp_name'])) {
        $arp->setName($_POST['arp_name']);
    }
    if (isset($_POST['arp_description'])) {
<p>Version: <tt>' . $data['version'] . '</tt></p> <p>Report ID: <tt>' . $data['reportId'] . '</tt></p> <p>Referer: <tt>' . htmlspecialchars($data['referer']) . '</tt></p> <hr /> <div class="footer">This message was sent using simpleSAMLphp. Visit the <a href="http://simplesamlphp.org/">simpleSAMLphp homepage</a>.</div> '; /* Add the email address of the submitter as the Reply-To address. */ $email = trim($email); /* Check that it looks like a valid email address. */ if (!preg_match('/\\s/', $email) && strpos($email, '@') !== FALSE) { $replyto = $email; $from = $email; } else { $replyto = NULL; $from = '*****@*****.**'; } /* Send the email. */ $toAddress = $config->getString('technicalcontact_email', '*****@*****.**'); if ($config->getBoolean('errorreporting', TRUE) && $toAddress !== '*****@*****.**') { $email = new SimpleSAML_XHTML_EMail($toAddress, 'simpleSAMLphp error report', $from); $email->setBody($message); $email->send(); SimpleSAML_Logger::error('Report with id ' . $reportId . ' sent to <' . $toAddress . '>.'); } /* Redirect the user back to this page to clear the POST request. */ SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Utilities::selfURLNoQuery());
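/**
 * Receive an authentication request.
 *
 * Two entry paths are handled:
 *  - IdP-initiated login: the 'spentityid' request parameter names the SP;
 *    RelayState, binding and NameIDFormat may also be supplied as request
 *    parameters. No AssertionConsumerService URL is taken from the request
 *    in this path, so the SP's default endpoint is used.
 *  - A SAML2 AuthnRequest on the current binding, validated against the SP's
 *    metadata by sspmod_saml_Message::validateMessage(). An ACS URL named in
 *    the request is only honoured if the SP's metadata lists it.
 *
 * In both paths the SP must exist in 'saml20-sp-remote' (the metadata lookup
 * throws otherwise). The collected parameters are stored in a state array and
 * handed to $idp->handleAuthenticationRequest().
 *
 * @param SimpleSAML_IdP $idp The IdP we are receiving it for.
 * @throws SimpleSAML_Error_BadRequest If the received message is not an
 *         AuthnRequest or carries no Issuer.
 */
public static function receiveAuthnRequest(SimpleSAML_IdP $idp) {
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpMetadata = $idp->getConfig();

    /* Bindings this IdP is willing to send the response on. */
    $supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
    if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
        $supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
    }

    if (isset($_REQUEST['spentityid'])) {
        /* IdP initiated authentication. */

        if (isset($_REQUEST['cookieTime'])) {
            $cookieTime = (int) $_REQUEST['cookieTime'];
            if ($cookieTime + 5 > time()) {
                /*
                 * Less than five seconds has passed since we were
                 * here the last time. Cookies are probably disabled.
                 */
                SimpleSAML_Utilities::checkCookie(SimpleSAML_Utilities::selfURL());
            }
        }

        $spEntityId = (string) $_REQUEST['spentityid'];
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        /* Optional request parameters; everything is cast to string. */
        $relayState = isset($_REQUEST['RelayState']) ? (string) $_REQUEST['RelayState'] : NULL;
        $protocolBinding = isset($_REQUEST['binding']) ? (string) $_REQUEST['binding'] : NULL;
        $nameIDFormat = isset($_REQUEST['NameIDFormat']) ? (string) $_REQUEST['NameIDFormat'] : NULL;

        $requestId = NULL;
        $IDPList = array();
        $ProxyCount = NULL;
        $RequesterID = NULL;
        $forceAuthn = FALSE;
        $isPassive = FALSE;
        $consumerURL = NULL;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' .
            var_export($spEntityId, TRUE));

    } else {
        $binding = SAML2_Binding::getCurrentBinding();
        $request = $binding->receive();

        if (!$request instanceof SAML2_AuthnRequest) {
            throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
        }

        $spEntityId = $request->getIssuer();
        if ($spEntityId === NULL) {
            throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
        }
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        /* Signature / destination checks according to the SP's metadata. */
        sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);

        $relayState = $request->getRelayState();
        $requestId = $request->getId();
        $IDPList = $request->getIDPList();
        $ProxyCount = $request->getProxyCount();
        if ($ProxyCount !== null) {
            /* We are one hop in the proxy chain. */
            $ProxyCount--;
        }
        $RequesterID = $request->getRequesterID();
        $forceAuthn = $request->getForceAuthn();
        $isPassive = $request->getIsPassive();
        $consumerURL = $request->getAssertionConsumerServiceURL();
        $protocolBinding = $request->getProtocolBinding();

        $nameIdPolicy = $request->getNameIdPolicy();
        $nameIDFormat = isset($nameIdPolicy['Format']) ? $nameIdPolicy['Format'] : NULL;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: ' . var_export($spEntityId, TRUE));
    }

    if ($protocolBinding === NULL || !in_array($protocolBinding, $supportedBindings, TRUE)) {
        /*
         * No binding specified or unsupported binding requested - default to HTTP-POST.
         * TODO: Select any supported binding based on default endpoint?
         */
        $protocolBinding = SAML2_Const::BINDING_HTTP_POST;
    }

    if ($consumerURL !== NULL) {
        /* A request-supplied ACS URL is only used if the SP's metadata lists
         * exactly that Location with the chosen binding; otherwise it is
         * discarded and the metadata default is used instead. */
        $found = FALSE;
        foreach ($spMetadata->getEndpoints('AssertionConsumerService') as $ep) {
            if ($ep['Binding'] !== $protocolBinding) {
                continue;
            }
            if ($ep['Location'] !== $consumerURL) {
                continue;
            }
            $found = TRUE;
            break;
        }
        if (!$found) {
            SimpleSAML_Logger::warning('Authentication request from ' . var_export($spEntityId, TRUE) .
                ' contains invalid AssertionConsumerService URL. Was ' . var_export($consumerURL, TRUE) . '.');
            $consumerURL = NULL;
        }
    }
    if ($consumerURL === NULL) {
        /* Not specified or invalid. Use default. */
        $consumerURL = $spMetadata->getDefaultEndpoint('AssertionConsumerService', array($protocolBinding));
        $consumerURL = $consumerURL['Location'];
    }

    $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));

    /* Strict comparison on purpose: a ProxyCount that was decremented to 0
     * above is a valid value (no further proxying allowed) and must not be
     * replaced by the metadata default. `== null` would do exactly that,
     * because 0 == null in PHP. */
    if ($ProxyCount === null) {
        $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
    }

    if (!$forceAuthn) {
        $forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
    }

    /* URL we can restart from if the session is lost mid-login. */
    $sessionLostParams = array(
        'spentityid' => $spEntityId,
        'cookieTime' => time(),
    );
    if ($relayState !== NULL) {
        $sessionLostParams['RelayState'] = $relayState;
    }
    $sessionLostURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), $sessionLostParams);

    $state = array(
        'Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'),
        SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'),
        SimpleSAML_Auth_State::RESTART => $sessionLostURL,
        'SPMetadata' => $spMetadata->toArray(),
        'saml:RelayState' => $relayState,
        'saml:RequestId' => $requestId,
        'saml:IDPList' => $IDPList,
        'saml:ProxyCount' => $ProxyCount,
        'saml:RequesterID' => $RequesterID,
        'ForceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
        'saml:ConsumerURL' => $consumerURL,
        'saml:Binding' => $protocolBinding,
        'saml:NameIDFormat' => $nameIDFormat,
    );

    $idp->handleAuthenticationRequest($state);
}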
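/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function.
 *
 * Outcomes: if an IdP has already been chosen, or exactly one IdP remains
 * after intersecting the available list with the scoped IdP list, the user is
 * redirected straight back to $this->returnURL (or to the external discovery
 * storage when configured). In passive mode with no choice the user is sent
 * back without an answer. Otherwise the IdP selection page is rendered.
 *
 * $this->returnURL is passed to redirectTrustedURL() in every branch, so it
 * must already have been validated (e.g. against the SP's metadata) when the
 * disco parameters were set - that validation is not done here.
 *
 * @throws Exception If 'idpdisco.layout' holds an unsupported value.
 */
public function handleRequest() {
    $idp = $this->getTargetIdp();
    if ($idp !== NULL) {
        $extDiscoveryStorage = $this->config->getString('idpdisco.extDiscoveryStorage', NULL);
        if ($extDiscoveryStorage !== NULL) {
            $this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
            SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
                'entityID' => $this->spEntityId,
                'IdPentityID' => $idp,
                'returnIDParam' => $this->returnIdParam,
                'isPassive' => 'true',
                'return' => $this->returnURL,
            ));
        } else {
            $this->log('Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
            SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idp));
        }
        return;
    }

    if ($this->isPassive) {
        $this->log('Choice not made. (Redirecting the user back without answer)');
        SimpleSAML_Utilities::redirectTrustedURL($this->returnURL);
        return;
    }

    /* No choice made. Show discovery service page. */
    $idpList = $this->getIdPList();
    $preferredIdP = $this->getRecommendedIdP();

    /* Restrict the list to the scoped IdPs, but only if that leaves any. */
    $idpintersection = array_intersect(array_keys($idpList), $this->getScopedIDPList());
    if (sizeof($idpintersection) > 0) {
        $idpList = array_intersect_key($idpList, array_fill_keys($idpintersection, NULL));
    }

    $idpintersection = array_values($idpintersection);
    if (sizeof($idpintersection) == 1) {
        /* Exactly one candidate left: no need to ask the user. */
        $this->log('Choice made [' . $idpintersection[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
        SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idpintersection[0]));
        /* redirectTrustedURL() does not return; the explicit return keeps this
         * branch consistent with the redirect branches above and guarantees
         * the template is never rendered after a redirect. */
        return;
    }

    /*
     * Make use of an XHTML template to present the select IdP choice to the user.
     * Currently the supported options is either a drop down menu or a list view.
     */
    switch ($this->config->getString('idpdisco.layout', 'links')) {
        case 'dropdown':
            $templateFile = 'selectidp-dropdown.php';
            break;
        case 'links':
            $templateFile = 'selectidp-links.php';
            break;
        default:
            throw new Exception('Invalid value for the \'idpdisco.layout\' option.');
    }

    $t = new SimpleSAML_XHTML_Template($this->config, $templateFile, 'disco');
    $t->data['idplist'] = $idpList;
    $t->data['preferredidp'] = $preferredIdP;
    $t->data['return'] = $this->returnURL;
    $t->data['returnIDParam'] = $this->returnIdParam;
    $t->data['entityID'] = $this->spEntityId;
    $t->data['urlpattern'] = htmlspecialchars(SimpleSAML_Utilities::selfURLNoQuery());
    $t->data['rememberenabled'] = $this->config->getBoolean('idpdisco.enableremember', FALSE);
    $t->show();
}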
}

/* Shared-secret gate for the contacts SP.
 * NOTE(review): `!==` on the token is not a constant-time comparison; prefer
 * hash_equals() where PHP >= 5.6 is available. */
if (!array_key_exists('token', $_REQUEST)) {
    throw new SimpleSAML_Error_BadRequest('Missing authToken.');
}
$token = $_REQUEST['token'];
if ($token !== $authTokenContactsSP) {
    throw new SimpleSAML_Error_Exception('Invalid AuthToken');
}

$ldapconfig = SimpleSAML_Configuration::getConfig('config-login-feide.php');
$ldapStatusConfig = SimpleSAML_Configuration::getConfig('module_ldapstatus.php');
$debug = $ldapconfig->getValue('ldapDebug', FALSE);
$orgs = $ldapconfig->getValue('organizations');
$locationTemplate = $ldapconfig->getValue('locationTemplate');

$isAdmin = FALSE;
$secretURL = NULL;

/* NOTE(review): 'ignore' is appended verbatim to every generated URL; it
 * should be urlencode()d so it cannot smuggle extra query parameters into
 * the ldapstatus URLs emitted below. */
$ignore = '';
if (array_key_exists('ignore', $_REQUEST)) {
    $ignore = '&ignore=' . $_REQUEST['ignore'];
}

/* Capability keys derived from the installation's secret salt. Presumably the
 * ldapstatus endpoint accepts these keys in place of a login, so they must be
 * treated as secrets wherever this output is stored. */
$secretKey = sha1('ldapstatus|' . SimpleSAML_Utilities::getSecretSalt() . '|hobbit');
$secretURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('key' => $secretKey));

/**
 * Derive the per-organisation access key for an ldapstatus test URL.
 *
 * @param string $salt    The installation's secret salt.
 * @param string $orgtest The organisation key.
 * @return string sha1 hex digest of 'ldapstatus|<salt>|<org>'.
 */
function generateSecret($salt, $orgtest) {
    $secretKey = sha1('ldapstatus|' . $salt . '|' . $orgtest);
    return $secretKey;
}

header('Content-Type: text/plain');
/* One monitoring host line per configured organisation, each carrying the
 * organisation's own key. */
foreach ($orgs as $orgkey => $org) {
    $url = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLhost() . SimpleSAML_Utilities::getFirstPathElement() . '/module.php/ldapstatus/', array('orgtest' => $orgkey, 'output' => 'text', 'key' => generateSecret(SimpleSAML_Utilities::getSecretSalt(), $orgkey)));
    echo "0.0.0.0 " . $orgkey . " # noconn feidesjekk:" . $url . $ignore . ";OOOKKK\n";
}
SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
    }
}

# module.php/virtualorg/data_oauth_json.php

/* OAuth 1.0 consumer side of the virtualorg example.
 * NOTE(review): $baseurl is plain http://, so request/access tokens (and, if
 * the PLAINTEXT signature method is in use, the secrets themselves) travel
 * unencrypted - this should be https. 'key'/'secret' look like placeholders;
 * real consumer credentials must not be hard-coded in the script. */
$baseurl = 'http://vo.rnd.feide.no/simplesaml/';
$key = 'key';
$secret = 'secret';
$consumer = new sspmod_oauth_Consumer($key, $secret);

if (isset($_REQUEST['step']) && $_REQUEST['step'] == '1') {
    /* Step 1: obtain a request token and park it in the session under a
     * random id that is carried through the callback URL. */
    $oauthsess = SimpleSAML_Utilities::generateID();

    // Get the request token
    $requestToken = $consumer->getRequestToken($baseurl . '/module.php/oauth/requestToken.php');
    $session->setData('oauthSess', $oauthsess, serialize($requestToken));

    $callback = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('step' => '2', 'oauthsess' => $oauthsess));

    // Authorize the request token
    $url = $consumer->getAuthorizeRequest($baseurl . '/module.php/oauth/authorize.php', $requestToken, TRUE, $callback);

} elseif (isset($_REQUEST['step']) && $_REQUEST['step'] == '2') {
    /* Step 2: the request-supplied id can only address this user's own
     * session data, so an unknown value yields NULL here.
     * NOTE(review): unserialize() of session data becomes an object-injection
     * sink if the session store is ever writable by others; storing the token
     * key/secret as plain scalars would avoid that - confirm the store's
     * trust boundary. */
    $requestToken = unserialize($session->getData('oauthSess', $_REQUEST['oauthsess']));

    // Replace the request token with an access token
    $accessToken = $consumer->getAccessToken($baseurl . '/module.php/oauth/accessToken.php', $requestToken);
    $session->setData('accessToken', 'accesstoken', serialize($accessToken));

    /* Relative redirect to our own page; not request-controlled. */
    SimpleSAML_Utilities::redirect('index.php?step=3');
    exit;
}

if ($adata = $session->getData('accessToken', 'accesstoken')) {
    /* Same unserialize() caveat as above. */
    $accessToken = unserialize($adata);
    $vomemberships = $consumer->getUserInfo($baseurl . '/module.php/virtualorg/data_oauth_json.php?method=memberOf', $accessToken);
throw new SimpleSAML_Error_Exception('Source type changed?'); } $binding = SAML2_Binding::getCurrentBinding(); $message = $binding->receive(); $idpEntityId = $message->getIssuer(); if ($idpEntityId === NULL) { /* Without an issuer we have no way to respond to the message. */ throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.'); } $spEntityId = $source->getEntityId(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpMetadata = $source->getIdPMetadata($idpEntityId); $spMetadata = $source->getMetadata(); sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message); $destination = $message->getDestination(); if ($destination !== NULL && $destination !== SimpleSAML_Utilities::selfURLNoQuery()) { throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.'); } if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($relayState); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']);
} } } /* END TAB ENTITIES POST HANDLER **************************************************************************************/ /* START TAB USERDATA POST HANDLER ************************************************************************************/ if (isset($_POST['usersubmit'])) { if (!isset($_POST['csrf_token']) || !$csrf_provider->isCsrfTokenValid('update_user', $_POST['csrf_token'])) { SimpleSAML_Logger::warning('Janus: [SECURITY] CSRF token not found or invalid'); throw new SimpleSAML_Error_BadRequest('Missing valid csrf token!'); } $selectedtab = SELECTED_TAB_USERDATA; $user->setData($_POST['userdata']); $user->setSecret($_POST['user_secret']); $user->save(); $pm->post('Userinfo update', 'User info updated:<br /><br />' . htmlspecialchars($_POST['userdata']) . '<br /><br />E-mail: ' . htmlspecialchars($_POST['user_email']), 'USER-' . $user->getUid(), $user->getUid()); redirectTrustedUrl(SimpleSAML_Utilities::selfURLNoQuery(), array(), IS_AJAX); } /* END TAB USERDATA POST HANDLER **************************************************************************************/ /* START TAB MESSAGE PROVISIONING *************************************************************************************/ if ($selectedtab == SELECTED_TAB_MESSAGE) { $subscriptions = $pm->getSubscriptions($user->getUid()); $subscriptionList = $pm->getSubscriptionList(); if (isset($_GET['page'])) { $page = $_GET['page']; $messages = $pm->getMessages($user->getUid(), $page); } else { $page = 1; $messages = $pm->getMessages($user->getUid()); } $messages_total = $pm->countMessages($user->getUid()); }
$t->show(); exit; } $asId = (string) $_REQUEST['as']; $as = new SimpleSAML_Auth_Simple($asId); if (array_key_exists('logout', $_REQUEST)) { $as->logout('/' . $config->getBaseURL() . 'logout.php'); } if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) { /* This is just a simple example of an error. */ $state = SimpleSAML_Auth_State::loadExceptionState(); assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)'); $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA]; header('Content-Type: text/plain'); echo "Exception during login:\n"; foreach ($e->format() as $line) { echo $line . "\n"; } exit(0); } if (!$as->isAuthenticated()) { $url = SimpleSAML_Module::getModuleURL('core/authenticate.php', array('as' => $asId)); $params = array('ErrorURL' => $url, 'ReturnTo' => $url); $as->login($params); } $attributes = $as->getAttributes(); $t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes'); $t->data['header'] = '{status:header_saml20_sp}'; $t->data['attributes'] = $attributes; $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?as=' . urlencode($asId) . '&logout'; $t->show();
/**
 * Process an assertion in a response.
 *
 * Will throw an exception if it is invalid.
 *
 * Checks performed, in order: decrypt the assertion if it is encrypted;
 * require a valid IdP signature on the assertion unless the enclosing
 * response was signed; check NotBefore / NotOnOrAfter / SessionNotOnOrAfter
 * with 60 seconds of clock skew; enforce AudienceRestriction (when present)
 * against our entityid; require at least one acceptable bearer
 * SubjectConfirmation; optionally base64-decode attribute values; decrypt an
 * encrypted NameID.
 *
 * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
 * @param SAML2_Response $response The response containing the assertion.
 * @param SAML2_Assertion|SAML2_EncryptedAssertion $assertion The assertion.
 * @param bool $responseSigned Whether the response is signed. The caller is
 *        responsible for having verified that signature; it is trusted here.
 * @return SAML2_Assertion The assertion, if it is valid.
 * @throws SimpleSAML_Error_Exception On any failed check; the last decryption
 *         exception is rethrown if no key can decrypt the NameID.
 */
private static function processAssertion(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, SAML2_Response $response, $assertion, $responseSigned) {
    assert('$assertion instanceof SAML2_Assertion || $assertion instanceof SAML2_EncryptedAssertion');
    assert('is_bool($responseSigned)');

    $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);

    /* Either the assertion itself carries a valid IdP signature, or the
     * response around it was signed (verified by the caller). An unsigned
     * assertion inside an unsigned response is rejected. */
    if (!self::checkSign($idpMetadata, $assertion)) {
        if (!$responseSigned) {
            throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
        }
    }
    /* At least one valid signature found. */

    $currentURL = SimpleSAML_Utilities::selfURLNoQuery();

    /* Check various properties of the assertion. */
    /* All time checks below allow 60 seconds of clock skew. */
    $notBefore = $assertion->getNotBefore();
    if ($notBefore > time() + 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
    }

    /* NOTE(review): if getNotOnOrAfter() can return NULL, `NULL <= int` is
     * TRUE in PHP and an assertion without NotOnOrAfter is rejected as
     * expired (fail closed). */
    $notOnOrAfter = $assertion->getNotOnOrAfter();
    if ($notOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
    }

    $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
    if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion with a session that has expired. 
Check clock synchronization on IdP and SP.');
    }

    /* AudienceRestriction is only enforced when the assertion carries one. */
    $validAudiences = $assertion->getValidAudiences();
    if ($validAudiences !== NULL) {
        $spEntityId = $spMetadata->getString('entityid');
        if (!in_array($spEntityId, $validAudiences, TRUE)) {
            $candidates = '[' . implode('], [', $validAudiences) . ']';
            throw new SimpleSAML_Error_Exception('This SP [' . $spEntityId . '] is not a valid audience for the assertion. Candidates were: ' . $candidates);
        }
    }

    /* The assertion is accepted if at least one bearer SubjectConfirmation
     * passes the checks below; $lastError records why the latest one failed.
     * Each SubjectConfirmationData attribute is only checked when present.
     * NOTE(review): $scd itself is never NULL-checked, so a bearer
     * SubjectConfirmation without SubjectConfirmationData reads every
     * property as NULL and is accepted. The Web Browser SSO profile requires
     * Recipient and NotOnOrAfter on a bearer confirmation; consider rejecting
     * confirmations where they are missing. */
    $found = FALSE;
    $lastError = 'No SubjectConfirmation element in Subject.';
    foreach ($assertion->getSubjectConfirmation() as $sc) {
        if ($sc->Method !== SAML2_Const::CM_BEARER) {
            $lastError = 'Invalid Method on SubjectConfirmation: ' . var_export($sc->Method, TRUE);
            continue;
        }
        $scd = $sc->SubjectConfirmationData;
        if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
            $lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
            continue;
        }
        if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
            $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: ' . $scd->NotOnOrAfter;
            continue;
        }
        /* Recipient must be byte-identical to this endpoint's URL; no
         * normalisation is applied. */
        if ($scd->Recipient !== NULL && $scd->Recipient !== $currentURL) {
            $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is ' . var_export($scd->Recipient, TRUE) . ', current URL is ' . var_export($currentURL, TRUE) . '.';
            continue;
        }
        /* InResponseTo is only required to agree with the Response's value;
         * matching it against an ID this SP actually issued is left to the
         * caller. */
        if ($scd->InResponseTo !== NULL && $response->getInResponseTo() !== NULL && $scd->InResponseTo !== $response->getInResponseTo()) {
            $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has ' . var_export($response->getInResponseTo(), TRUE) . ', SubjectConfirmationData has ' . var_export($scd->InResponseTo, TRUE) . '.';
            continue;
        }
        $found = TRUE;
        break;
    }
    if (!$found) {
        throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: ' . $lastError);
    }
    /* As far as we can tell, the assertion is valid. */

    /* Maybe we need to base64 decode the attributes in the assertion?
     * Each value may consist of several '_'-separated base64 chunks. The
     * decode is non-strict, so malformed input yields garbage rather than an
     * error. */
    if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
        $attributes = $assertion->getAttributes();
        $newAttributes = array();
        foreach ($attributes as $name => $values) {
            $newAttributes[$name] = array();
            foreach ($values as $value) {
                foreach (explode('_', $value) as $v) {
                    $newAttributes[$name][] = base64_decode($v);
                }
            }
        }
        $assertion->setAttributes($newAttributes);
    }

    /* Decrypt the NameID element if it is encrypted. Every configured
     * decryption key is tried in turn; if none succeeds the last exception
     * is rethrown. */
    if ($assertion->isNameIdEncrypted()) {
        try {
            $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
        }

        $lastException = NULL;
        foreach ($keys as $i => $key) {
            try {
                $assertion->decryptNameId($key);
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
                $lastException = NULL;
                break;
            } catch (Exception $e) {
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
                $lastException = $e;
            }
        }
        if ($lastException !== NULL) {
            throw $lastException;
        }
    }

    return $assertion;
}
/**
 * Process a response message.
 *
 * If the response is an error response, we will throw a sspmod_saml2_Error
 * exception with the error.
 *
 * Validation order, as implemented below: status, assertion count, decryption,
 * signature (assertion first, then the whole response), cross-checks between
 * assertion and message (InResponseTo, Destination), time conditions with a
 * 60 second clock-skew allowance, Destination vs. current URL, Audience.
 * Only after all of that are attributes post-processed and an encrypted
 * NameID decrypted.
 *
 * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
 * @param SAML2_Response $response The response.
 * @return SAML2_Assertion The assertion in the response, if it is valid.
 * @throws SimpleSAML_Error_Exception If the response or its assertion fails any check.
 * @throws Exception (plain) If the assertion Destination does not match the current URL.
 */
public static function processResponse(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, SAML2_Response $response) {
    if (!$response->isSuccess()) {
        throw self::getResponseError($response);
    }

    /*
     * When we get this far, the response itself is valid.
     * We only need to check signatures and conditions of the response.
     */
    /* Exactly one assertion is accepted; zero or several are rejected outright. */
    $assertion = $response->getAssertions();
    if (empty($assertion)) {
        throw new SimpleSAML_Error_Exception('No assertions found in response from IdP.');
    } elseif (count($assertion) > 1) {
        throw new SimpleSAML_Error_Exception('More than one assertion found in response from IdP.');
    }
    $assertion = $assertion[0];

    /* Decrypt first so the signature check below runs on the plaintext assertion. */
    $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);

    /*
     * A signature on either the assertion or the enclosing response is sufficient.
     * NOTE(review): this relies on checkSign() returning FALSE for an unsigned element
     * and throwing (not returning FALSE) for a present-but-invalid signature; confirm
     * against its implementation, which is not visible here.
     */
    if (!self::checkSign($idpMetadata, $assertion)) {
        if (!self::checkSign($idpMetadata, $response)) {
            throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
        }
    }
    /* At least one valid signature found. */

    /*
     * Make sure that some fields in the assertion matches the same fields in the message.
     * Each pair is only compared when both sides are present; matching InResponseTo
     * against the SP's outstanding request ID is presumably done by the caller — TODO confirm.
     */
    $asrtInResponseTo = $assertion->getInResponseTo();
    $msgInResponseTo = $response->getInResponseTo();
    if ($asrtInResponseTo !== NULL && $msgInResponseTo !== NULL) {
        if ($asrtInResponseTo !== $msgInResponseTo) {
            throw new SimpleSAML_Error_Exception('InResponseTo in assertion did not match InResponseTo in message.');
        }
    }

    $asrtDestination = $assertion->getDestination();
    $msgDestination = $response->getDestination();
    if ($asrtDestination !== NULL && $msgDestination !== NULL) {
        if ($asrtDestination !== $msgDestination) {
            throw new SimpleSAML_Error_Exception('Destination in assertion did not match Destination in message.');
        }
    }

    /* Check various properties of the assertion. */
    /* The +/- 60 seconds tolerate modest clock skew between IdP and SP. */
    $notBefore = $assertion->getNotBefore();
    if ($notBefore > time() + 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
    }

    /*
     * NOTE(review): there is no NULL guard here. PHP compares NULL against an int by
     * converting both to bool, so an assertion without NotOnOrAfter is rejected with
     * this "expired" message (fail-closed, but misleading). Confirm that is intended.
     */
    $notOnOrAfter = $assertion->getNotOnOrAfter();
    if ($notOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
    }

    $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
    if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
    }

    /*
     * The assertion must have been addressed to this very endpoint. A NULL Destination
     * also fails this strict comparison.
     * NOTE(review): this is the only check that throws a plain Exception instead of
     * SimpleSAML_Error_Exception; callers catching the narrower type will miss it.
     */
    $destination = $assertion->getDestination();
    $currentURL = SimpleSAML_Utilities::selfURLNoQuery();
    if ($destination !== $currentURL) {
        throw new Exception('Recipient in assertion doesn\'t match the current URL. Recipient is "' . $destination . '", current URL is "' . $currentURL . '".');
    }

    /* Audience is only enforced when the assertion carries an AudienceRestriction at all. */
    $validAudiences = $assertion->getValidAudiences();
    if ($validAudiences !== NULL) {
        $spEntityId = $spMetadata->getString('entityid');
        if (!in_array($spEntityId, $validAudiences, TRUE)) {
            $candidates = '[' . implode('], [', $validAudiences) . ']';
            throw new SimpleSAML_Error_Exception('This SP [' . $spEntityId . '] is not a valid audience for the assertion. Candidates were: ' . $candidates);
        }
    }

    /* As far as we can tell, the assertion is valid. */

    /*
     * Maybe we need to base64 decode the attributes in the assertion?
     * Each value may hold several '_'-separated base64 chunks; every chunk becomes its own value.
     */
    if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
        $attributes = $assertion->getAttributes();
        $newAttributes = array();
        foreach ($attributes as $name => $values) {
            $newAttributes[$name] = array();
            foreach ($values as $value) {
                foreach (explode('_', $value) as $v) {
                    $newAttributes[$name][] = base64_decode($v);
                }
            }
        }
        $assertion->setAttributes($newAttributes);
    }

    /* Decrypt the NameID element if it is encrypted. Only a single decryption key is tried here. */
    if ($assertion->isNameIdEncrypted()) {
        try {
            $key = self::getDecryptionKey($idpMetadata, $spMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
        }
        $assertion->decryptNameId($key);
    }

    return $assertion;
}
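<?php
/*
 * Admin diagnostics page: shows how the web server presents the request to
 * simpleSAMLphp (host, scheme, protocol, port) next to the URL helpers that
 * are derived from those values, so URL/host misconfiguration can be spotted.
 *
 * Everything displayed under the server-variable keys is attacker-influenced
 * request data (e.g. the Host header); this page therefore stays behind
 * requireAdmin(), and escaping for output is left to the status template.
 */
require_once '../_include.php';

/* Load simpleSAMLphp, configuration */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* Check if valid local session exists.. */
SimpleSAML_Utilities::requireAdmin();

$attributes = array();

/*
 * Raw request/server values. isset() avoids an undefined-index notice:
 * HTTPS is not exported at all on a plain-HTTP request, and HTTP_HOST is
 * missing on HTTP/1.0 requests. A missing value is shown as NULL, which is
 * what the unguarded lookup produced (minus the notice).
 */
$serverVars = array('HTTP_HOST', 'HTTPS', 'SERVER_PROTOCOL', 'SERVER_PORT');
foreach ($serverVars as $name) {
    $attributes[$name] = array(isset($_SERVER[$name]) ? $_SERVER[$name] : NULL);
}

/* Values as computed by the URL helpers from the variables above. */
$attributes['Utilities_getBaseURL()'] = array(SimpleSAML_Utilities::getBaseURL());
$attributes['Utilities_getSelfHost()'] = array(SimpleSAML_Utilities::getSelfHost());
$attributes['Utilities_selfURLhost()'] = array(SimpleSAML_Utilities::selfURLhost());
$attributes['Utilities_selfURLNoQuery()'] = array(SimpleSAML_Utilities::selfURLNoQuery());
$attributes['Utilities_getSelfHostWithPath()'] = array(SimpleSAML_Utilities::getSelfHostWithPath());
$attributes['Utilities_getFirstPathElement()'] = array(SimpleSAML_Utilities::getFirstPathElement());
$attributes['Utilities_selfURL()'] = array(SimpleSAML_Utilities::selfURL());

/* Reuse the generic status template; the session-related fields do not apply here. */
$et = new SimpleSAML_XHTML_Template($config, 'status.php');
$et->data['header'] = '{status:header_diagnostics}';
$et->data['remaining'] = 'na';
$et->data['attributes'] = $attributes;
$et->data['valid'] = 'na';
$et->data['logout'] = null;
$et->show();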
$metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']); if (!$idpmeta->hasValue('OrganizationURL')) { throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.'); } $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL'); } $metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';'; $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid); $metaBuilder->addMetadataIdP11($metaArray); $metaBuilder->addOrganizationInfo($metaArray); $metaBuilder->addContact('technical', array('emailAddress' => $config->getString('technicalcontact_email', NULL), 'name' => $config->getString('technicalcontact_name', NULL))); $metaxml = $metaBuilder->getEntityDescriptorText(); /* Sign the metadata if enabled. */ $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'Shib 1.3 IdP'); if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') { $defaultidp = $config->getString('default-shib13-idp', NULL); $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); $t->data['header'] = 'shib13-idp'; $t->data['metaurl'] = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('output' => 'xml')); $t->data['metadata'] = htmlspecialchars($metaxml); $t->data['metadataflat'] = htmlspecialchars($metaflat); $t->data['defaultidp'] = $defaultidp; $t->show(); } else { header('Content-Type: application/xml'); echo $metaxml; exit(0); } } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception); }
<p>Version: <tt>' . $data['version'] . '</tt></p> <p>Report ID: <tt>' . $data['reportId'] . '</tt></p> <p>Referer: <tt>' . htmlspecialchars($data['referer']) . '</tt></p> <hr /> <div class="footer">This message was sent using simpleSAMLphp. Visit <a href="http://rnd.feide.no/simplesamlphp">simpleSAMLphp homepage</a>.</div> '; /* Add the email address of the submitter as the Reply-To address. */ $email = trim($email); /* Check that it looks like a valid email address. */ if (!preg_match('/\\s/', $email) && strpos($email, '@') !== FALSE) { $replyto = $email; $from = $email; } else { $replyto = NULL; $from = '*****@*****.**'; } /* Send the email. */ $toAddress = $config->getString('technicalcontact_email', '*****@*****.**'); if ($toAddress !== '*****@*****.**') { $email = new SimpleSAML_XHTML_EMail($toAddress, 'simpleSAMLphp error report', $from); $email->setBody($message); $email->send(); SimpleSAML_Logger::error('Report with id ' . $reportId . ' sent to <' . $toAddress . '>.'); } /* Redirect the user back to this page to clear the POST request. */ SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery());
$config = SimpleSAML_Configuration::getInstance(); $session = SimpleSAML_Session::getInstance(); $ldapconfig = SimpleSAML_Configuration::getConfig('config-login-feide.php'); $ldapStatusConfig = SimpleSAML_Configuration::getConfig('module_ldapstatus.php'); $debug = $ldapconfig->getValue('ldapDebug', FALSE); $orgs = $ldapconfig->getValue('organizations'); $locationTemplate = $ldapconfig->getValue('locationTemplate'); if (array_key_exists('orgtest', $_REQUEST)) { $orgtest = $_REQUEST['orgtest']; if (!array_key_exists($orgtest, $orgs)) { throw new SimpleSAML_Error_NotFound('The organization ' . var_export($orgtest, TRUE) . ' could not be found.'); } $orgConfig = SimpleSAML_Configuration::loadFromArray($orgs[$orgtest], 'org:[' . $orgtest . ']'); $secretKey = sha1('ldapstatus|' . SimpleSAML_Utilities::getSecretSalt() . '|' . $_REQUEST['orgtest']); $secretURL = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('orgtest' => $_REQUEST['orgtest'], 'key' => $secretKey)); } else { $orgtest = NULL; $orgConfig = NULL; $secretKey = NULL; $secretURL = NULL; } $authsource = $ldapconfig->getString('ldapstatusAuth', NULL); if ($session->isValid($authsource)) { $attributes = $session->getAttributes(); } else { $attributes = array(); } $useridattr = $ldapconfig->getString('useridattr', 'eduPersonPrincipalName'); if (isset($attributes[$useridattr][0])) { $userId = $attributes[$useridattr][0];
/* We have a ReturnTo - this is IdP initialized SLO. */ $logoutInfo['RelayState'] = $_GET['ReturnTo']; } else { /* * We have no idea what to do here. It is neither a logout request, a logout * response nor a response from bridged SLO. */ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: No request, response or bridge'); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS'); } /* First, log out of the current authentication source. */ $authority = $session->getAuthority(); if ($authority !== NULL) { /* We are logged in. */ $bridgedId = SimpleSAML_Utilities::generateID(); $returnTo = SimpleSAML_Utilities::selfURLNoQuery() . '?LogoutID=' . $bridgedId; /* Save the $logoutInfo until we return from the SP. */ saveLogoutInfo($bridgedId); if ($authority === $idpMetadata->getString('auth')) { /* This is probably an authentication source. */ SimpleSAML_Auth_Default::initLogoutReturn($returnTo); } elseif ($authority === 'saml2') { /* SAML 2 SP which isn't an authentication source. */ SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php', array('RelayState' => $returnTo)); } else { /* A different old-style authentication file. */ $session->doLogout(); } } /* * Find the next SP we should log out from. We will search through the list of
/**
 * Save an error report.
 *
 * Builds a report from the formatted exception (first line = message, rest =
 * trace), tags it with a random 8-hex-digit report id, logs that id, and
 * stores the report in the session under 'core:errorreport' so a later
 * request can pick it up by id.
 *
 * The referer is recorded for context but truncated at the first '?' or ';'
 * so that query parameters (which may carry tokens or other sensitive data)
 * never end up in the report.
 *
 * @return array The array with the error report data.
 */
protected function saveError() {
    $formatted = $this->format();
    $message = array_shift($formatted);
    $trace = implode("\n", $formatted);

    /* 4 random bytes -> 8 hex characters; this is the handle used to retrieve the report. */
    $reportId = SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(4));
    SimpleSAML_Logger::error('Error report with id ' . $reportId . ' generated.');

    $config = SimpleSAML_Configuration::getInstance();
    $session = SimpleSAML_Session::getInstance();

    $referer = 'unknown';
    if (isset($_SERVER['HTTP_REFERER'])) {
        $referer = $_SERVER['HTTP_REFERER'];
        /* Keep only what precedes the first '?' and the first ';' — same as cutting at each separator in turn. */
        foreach (array('?', ';') as $separator) {
            $cut = strpos($referer, $separator);
            if ($cut !== FALSE) {
                $referer = substr($referer, 0, $cut);
            }
        }
    }

    $report = array(
        'exceptionMsg' => $message,
        'exceptionTrace' => $trace,
        'reportId' => $reportId,
        'trackId' => $session->getTrackID(),
        'url' => SimpleSAML_Utilities::selfURLNoQuery(),
        'version' => $config->getVersion(),
        'referer' => $referer,
    );

    $session->setData('core:errorreport', $reportId, $report);

    return $report;
}
$metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints'); } $metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';'; $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid); $metaBuilder->addMetadataIdP20($metaArray); $metaBuilder->addOrganizationInfo($metaArray); $technicalContactEmail = $config->getString('technicalcontact_email', NULL); if ($technicalContactEmail && $technicalContactEmail !== '*****@*****.**') { $metaBuilder->addContact('technical', array('emailAddress' => $technicalContactEmail, 'name' => $config->getString('technicalcontact_name', NULL))); } $metaxml = $metaBuilder->getEntityDescriptorText(); /* Sign the metadata if enabled. */ $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP'); if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') { $defaultidp = $config->getString('default-saml20-idp', NULL); $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); $t->data['available_certs'] = $availableCerts; $t->data['header'] = 'saml20-idp'; $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery(); $t->data['metadata'] = htmlspecialchars($metaxml); $t->data['metadataflat'] = htmlspecialchars($metaflat); $t->data['defaultidp'] = $defaultidp; $t->show(); } else { header('Content-Type: application/xml'); echo $metaxml; exit(0); } } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception); }
} </style>'; $this->includeAtTemplateBase('includes/header.php'); $util = new sspmod_janus_AdminUtil(); $wfstate = $this->data['entity_state']; $states = $janus_config->getArray('workflowstates'); /** @var sspmod_janus_Entity $entity */ $entity = $this->data['entity']; /** @var \Symfony\Component\Security\Core\SecurityContext $securityContext */ $securityContext = $this->data['security.context']; // @todo Define these in some sort of form helper class define('JANUS_FORM_ELEMENT_CHECKED', 'checked="checked"'); define('JANUS_FORM_ELEMENT_DISABLED', 'disabled="disabled"'); ?> <form id="mainform" method="post" action="<?php echo SimpleSAML_Utilities::selfURLNoQuery(); ?> " data-revision-required="<?php echo $janus_config->getBoolean('revision.notes.required', false); ?> "> <input type="hidden" name="eid" value="<?php echo htmlspecialchars($entity->getEid()); ?> " /> <input type="hidden" name="revisionid" value="<?php echo htmlspecialchars($entity->getRevisionid()); ?> " /> <input type="hidden" name="selectedtab" value="<?php echo htmlspecialchars($this->data['selectedtab']);
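/**
 * Process an assertion in a response.
 *
 * Will throw an exception if it is invalid.
 *
 * Checks performed, in order: decryption, signature (the assertion's own, or
 * else the response's), time conditions with a 60 second clock-skew allowance,
 * Audience, and at least one acceptable SubjectConfirmation. A bearer
 * confirmation is checked for time window, Recipient and InResponseTo; a
 * Holder-of-Key confirmation additionally requires HTTPS, a client certificate
 * presented in the TLS handshake, and that this certificate equals the single
 * <ds:X509Certificate> bound in the SubjectConfirmationData.
 *
 * Only after all of that are attributes post-processed and an encrypted
 * NameID decrypted.
 *
 * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
 * @param SAML2_Response $response The response containing the assertion.
 * @param SAML2_Assertion|SAML2_EncryptedAssertion $assertion The assertion.
 * @param bool $responseSigned Whether the response is signed.
 * @return SAML2_Assertion The assertion, if it is valid.
 * @throws SimpleSAML_Error_Exception If the assertion fails any check.
 * @throws Exception The last decryption error, if no configured key can decrypt the NameID.
 */
private static function processAssertion(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata, SAML2_Response $response, $assertion, $responseSigned) {
    assert('$assertion instanceof SAML2_Assertion || $assertion instanceof SAML2_EncryptedAssertion');
    assert('is_bool($responseSigned)');

    /* Decrypt first so the signature check runs on the plaintext assertion. */
    $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);

    /* A signature on either the assertion or the enclosing response is sufficient. */
    if (!self::checkSign($idpMetadata, $assertion)) {
        if (!$responseSigned) {
            throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
        }
    }
    /* At least one valid signature found. */

    $currentURL = SimpleSAML_Utilities::selfURLNoQuery();

    /* Check various properties of the assertion. */
    /* The +/- 60 seconds tolerate modest clock skew between IdP and SP. */
    $notBefore = $assertion->getNotBefore();
    if ($notBefore !== NULL && $notBefore > time() + 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.');
    }

    $notOnOrAfter = $assertion->getNotOnOrAfter();
    if ($notOnOrAfter !== NULL && $notOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion that has expired. Check clock synchronization on IdP and SP.');
    }

    $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
    if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception('Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.');
    }

    /* Audience is only enforced when the assertion carries an AudienceRestriction at all. */
    $validAudiences = $assertion->getValidAudiences();
    if ($validAudiences !== NULL) {
        $spEntityId = $spMetadata->getString('entityid');
        if (!in_array($spEntityId, $validAudiences, TRUE)) {
            $candidates = '[' . implode('], [', $validAudiences) . ']';
            throw new SimpleSAML_Error_Exception('This SP [' . $spEntityId . '] is not a valid audience for the assertion. Candidates were: ' . $candidates);
        }
    }

    /*
     * Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration.
     * Loop-invariant, so resolved once before iterating the SubjectConfirmation elements.
     */
    $hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
    if ($hok === NULL) {
        $hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
    }

    /*
     * Walk the SubjectConfirmation elements until one passes every check. $lastError
     * remembers why the most recent candidate was rejected, for the final exception.
     */
    $found = FALSE;
    $lastError = 'No SubjectConfirmation element in Subject.';
    foreach ($assertion->getSubjectConfirmation() as $sc) {
        if ($sc->Method !== SAML2_Const::CM_BEARER && $sc->Method !== SAML2_Const::CM_HOK) {
            $lastError = 'Invalid Method on SubjectConfirmation: ' . var_export($sc->Method, TRUE);
            continue;
        }

        /* The confirmation method must match the configured profile in both directions. */
        if ($sc->Method === SAML2_Const::CM_BEARER && $hok) {
            $lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
            continue;
        }
        if ($sc->Method === SAML2_Const::CM_HOK && !$hok) {
            $lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
            continue;
        }

        $scd = $sc->SubjectConfirmationData;

        if ($sc->Method === SAML2_Const::CM_HOK) {
            /* Check HoK Assertion */
            if (SimpleSAML_Utilities::isHTTPS() === FALSE) {
                $lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
                continue;
            }

            /*
             * empty() is TRUE both when the web server did not export SSL_CLIENT_CERT at
             * all and when it exported an empty value. The previous isset() && empty()
             * test only caught the latter, so a request with no client certificate
             * reached the comparison below with an undefined variable.
             */
            if (empty($_SERVER['SSL_CLIENT_CERT'])) {
                $lastError = 'No client certificate provided during TLS Handshake with SP';
                continue;
            }

            /* Extract certificate data (if this is a certificate). */
            $clientCert = $_SERVER['SSL_CLIENT_CERT'];
            $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
            /*
             * preg_match() returns 0 when the pattern does not match and FALSE only on a
             * PCRE error; both mean we have no usable certificate, so require exactly 1.
             */
            if (preg_match($pattern, $clientCert, $matches) !== 1) {
                $lastError = 'No valid client certificate provided during TLS Handshake with SP';
                continue;
            }

            /* We have a valid client certificate from the browser. */
            $clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);

            /*
             * Exactly one <ds:KeyInfo>/<ds:X509Data>/<ds:X509Certificate> chain is allowed.
             * The collectors are reset per SubjectConfirmation so elements gathered from a
             * previously rejected candidate are not counted against this one.
             */
            $keyInfo = array();
            foreach ($scd->info as $thing) {
                if ($thing instanceof SAML2_XML_ds_KeyInfo) {
                    $keyInfo[] = $thing;
                }
            }
            if (count($keyInfo) !== 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in <SubjectConfirmationData> allowed';
                continue;
            }

            $x509data = array();
            foreach ($keyInfo[0]->info as $thing) {
                if ($thing instanceof SAML2_XML_ds_X509Data) {
                    $x509data[] = $thing;
                }
            }
            if (count($x509data) !== 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in <ds:KeyInfo> within <SubjectConfirmationData> allowed';
                continue;
            }

            $x509cert = array();
            foreach ($x509data[0]->data as $thing) {
                if ($thing instanceof SAML2_XML_ds_X509Certificate) {
                    $x509cert[] = $thing;
                }
            }
            if (count($x509cert) !== 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in <ds:X509Data> within <SubjectConfirmationData> allowed';
                continue;
            }

            /* The presented TLS client certificate must be the one the IdP bound into the assertion. */
            $HoKCertificate = $x509cert[0]->certificate;
            if ($HoKCertificate !== $clientCert) {
                $lastError = 'Provided client certificate does not match the certificate bound to the Holder-of-Key assertion';
                continue;
            }
        }

        /* SubjectConfirmationData time window, with the same 60 second skew allowance. */
        if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
            $lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
            continue;
        }
        if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
            $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: ' . $scd->NotOnOrAfter;
            continue;
        }

        /* Recipient, when present, must be this very endpoint. */
        if ($scd->Recipient !== NULL && $scd->Recipient !== $currentURL) {
            $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is ' . var_export($scd->Recipient, TRUE) . ', current URL is ' . var_export($currentURL, TRUE) . '.';
            continue;
        }

        /* InResponseTo is cross-checked against the response only when both carry one. */
        if ($scd->InResponseTo !== NULL && $response->getInResponseTo() !== NULL && $scd->InResponseTo !== $response->getInResponseTo()) {
            $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has ' . var_export($response->getInResponseTo(), TRUE) . ', SubjectConfirmationData has ' . var_export($scd->InResponseTo, TRUE) . '.';
            continue;
        }

        $found = TRUE;
        break;
    }
    if (!$found) {
        throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: ' . $lastError);
    }

    /* As far as we can tell, the assertion is valid. */

    /*
     * Maybe we need to base64 decode the attributes in the assertion?
     * Each value may hold several '_'-separated base64 chunks; every chunk becomes its own value.
     */
    if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
        $attributes = $assertion->getAttributes();
        $newAttributes = array();
        foreach ($attributes as $name => $values) {
            $newAttributes[$name] = array();
            foreach ($values as $value) {
                foreach (explode('_', $value) as $v) {
                    $newAttributes[$name][] = base64_decode($v);
                }
            }
        }
        $assertion->setAttributes($newAttributes);
    }

    /*
     * Decrypt the NameID element if it is encrypted. Every configured key is tried in
     * turn (to support key rollover); the first success wins and the last failure is
     * re-thrown if none succeeds.
     */
    if ($assertion->isNameIdEncrypted()) {
        try {
            $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
        }

        $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);

        $lastException = NULL;
        foreach ($keys as $i => $key) {
            try {
                $assertion->decryptNameId($key, $blacklist);
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
                $lastException = NULL;
                break;
            } catch (Exception $e) {
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
                $lastException = $e;
            }
        }
        if ($lastException !== NULL) {
            throw $lastException;
        }
    }

    return $assertion;
}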
* We need access to the various simpleSAMLphp classes. These are loaded * by the simpleSAMLphp autoloader. */ require_once '../../lib/_autoload.php'; /* * We use the default-sp authentication source. */ $as = new SimpleSAML_Auth_Simple('default-sp'); /* This handles logout requests. */ if (array_key_exists('logout', $_REQUEST)) { /* * We redirect to the current URL _without_ the query parameter. This * avoids a redirect loop, since otherwise it will access the logout * endpoint again. */ $as->logout(SimpleSAML_Utilities::selfURLNoQuery()); /* The previous function will never return. */ } if (array_key_exists('login', $_REQUEST)) { /* * If the login parameter is requested, it means that we should log * the user in. We do that by requiring the user to be authenticated. * * Note that the requireAuth-function will preserve all GET-parameters * and POST-parameters by default. */ $as->requireAuth(); /* The previous function will only return if the user is authenticated. */ } if (array_key_exists('message', $_POST)) { /*
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); finishLogin($authProcState); } if (empty($_POST['SAMLResponse'])) { throw new SimpleSAML_Error_Error('ACSPARAMS', $exception); } try { $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $authnResponse = $binding->decodeResponse($_POST); $authnResponse->validate(); /* Successfully authenticated. */ $idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote'); SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']); SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA'); $relayState = $authnResponse->getRelayState(); if (!isset($relayState)) { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } $spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted'); /* Begin module attribute processing */ $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp'); $authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata); $pc->processState($authProcState); /* Since this function returns, processing has completed and attributes have * been updated. */ finishLogin($authProcState); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception); }
<?php /** * Main template for JANUS. * * @author Jacob Christiansen, <*****@*****.**> * @author Sixto Martín, <*****@*****.**> * @package simpleSAMLphp * @subpackage JANUS * @version $Id: janus-main.php 11 2009-03-27 13:51:02Z jach@wayf.dk $ */ define('MODULE_JANUS_URL', '/' . $this->data['baseurlpath'] . 'module.php/janus'); define('DASHBOARD_URL', MODULE_JANUS_URL . '/dashboard.php'); define('FORM_ACTION_URL', SimpleSAML_Utilities::selfURLNoQuery()); $pageJs = array(); $this->data['head'] = ' <script type="text/javascript"> var moduleJanusUrl = \'' . MODULE_JANUS_URL . '\'; </script> <base href="' . MODULE_JANUS_URL . '/"></base> '; if (IS_AJAX) { $pageJs[] = <<<JAVASCRIPT // Bind event handler to each form var forms = \$('form'); forms.each(function(index, form) { \$(form).submit(formSubmitHandler); }); /** * Submits the form via ajax
/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function.
 *
 * Three outcomes: an IdP has already been chosen (redirect the user back, or
 * hand the choice to the external discovery storage if one is configured);
 * no choice yet but the request is passive (redirect back without an answer);
 * otherwise render the discovery page.
 */
public function handleRequest() {
    $chosenIdp = $this->getTargetIdp();

    if ($chosenIdp !== NULL) {
        $storageUrl = $this->config->getString('idpdisco.extDiscoveryStorage', NULL);

        if ($storageUrl === NULL) {
            $this->log('Choice made [' . $chosenIdp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')');
            SimpleSAML_Utilities::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $chosenIdp));
            return;
        }

        /* The external storage records the choice and then sends the user on to returnURL itself. */
        $this->log('Choice made [' . $chosenIdp . '] (Forwarding to external discovery storage)');
        $storageParams = array(
            'entityID' => $this->spEntityId,
            'IdPentityID' => $chosenIdp,
            'returnIDParam' => $this->returnIdParam,
            'isPassive' => 'true',
            'return' => $this->returnURL,
        );
        SimpleSAML_Utilities::redirectTrustedURL($storageUrl, $storageParams);
        return;
    }

    if ($this->isPassive) {
        $this->log('Choice not made. (Redirecting the user back without answer)');
        SimpleSAML_Utilities::redirectTrustedURL($this->returnURL);
        return;
    }

    /* No choice made. Show discovery service page. */
    $structuredList = $this->idplistStructured($this->filterList($this->getIdPList()));

    $pageData = array(
        'idplist' => $structuredList,
        'preferredidp' => $this->getRecommendedIdP(),
        'return' => $this->returnURL,
        'returnIDParam' => $this->returnIdParam,
        'entityID' => $this->spEntityId,
        /* Escaped here because the template places it inside markup. */
        'urlpattern' => htmlspecialchars(SimpleSAML_Utilities::selfURLNoQuery()),
        'rememberenabled' => $this->config->getBoolean('idpdisco.enableremember', FALSE),
        'rememberchecked' => $this->config->getBoolean('idpdisco.rememberchecked', FALSE),
        'defaulttab' => $this->discoconfig->getValue('defaulttab', 0),
        'score' => $this->discoconfig->getValue('score', 'quicksilver'),
    );

    $template = new SimpleSAML_XHTML_Template($this->config, 'discopower:disco-tpl.php', 'disco');
    foreach ($pageData as $key => $value) {
        $template->data[$key] = $value;
    }
    $template->show();
}
$idpap = $adfsconfig->getValue('authproc'); if ($idpap) { $idpap = array('authproc' => $idpap); } else { $idpap = array(); } $idpap['entityid'] = $idpentityid; $spap = $spmetadata->getValue('authproc'); if ($spap) { $spap = array('authproc' => $spap); } else { $spap = array(); } $spap['entityid'] = $spentityid; $pc = new SimpleSAML_Auth_ProcessingChain($idpap, $spap, 'idp'); $authProcState = array('core:adfs-idp:requestcache' => $requestcache, 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spap, 'Source' => $idpap, 'isPassive' => false); $previousSSOTime = $session->getData('adfs-idp-ssotime', $spentityid); if ($previousSSOTime !== NULL) { $authProcState['PreviousSSOTimestamp'] = $previousSSOTime; } try { $pc->processState($authProcState); } catch (SimpleSAML_Error_NoPassive $e) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'GENERATEAUTHNRESPONSE', $exception); } $requestcache['AuthProcState'] = $authProcState; } $attributes = $authProcState['Attributes']; $session->setData('adfs-idp-ssotime', $spentityid, time(), SimpleSAML_Session::DATA_TIMEOUT_LOGOUT); $requestID = NULL; $relayState = NULL;