$SESSION->set('wantsurl', preg_replace('/\\&login$/', '', $wantsurl)); } // now start the hunt for the associated authinstance for the organisation attached to the saml_attributes global $instance; $instance = auth_saml_find_authinstance($saml_attributes); // if we don't have an auth instance then this is a serious failure if (!$instance) { throw new UserNotFoundException(get_string('errorbadinstitution', 'auth.saml')); } // stash the existing logged in user - if we have one $current_user = $USER; $is_loggedin = $USER->is_logged_in(); // check the instance and do a test login $can_login = false; try { $auth = new AuthSaml($instance->id); $can_login = $auth->request_user_authorise($saml_attributes); } catch (AccessDeniedException $e) { throw new UserNotFoundException(get_string('errnosamluser', 'auth.saml')); } catch (XmlrpcClientException $e) { throw new AccessDeniedException($e->getMessage()); } catch (AuthInstanceException $e) { throw new AccessDeniedException(get_string('errormissinguserattributes1', 'auth.saml', get_config('sitename'))); } // if we can login with SAML - then let them go if ($can_login) { // they are logged in, so they dont need to be here if ($SESSION->get('wantsurl')) { $wantsurl = $SESSION->get('wantsurl'); $SESSION->set('wantsurl', null); }
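/**
 * Check the validity of the user's current SAML 2.0 session.
 *
 * If the session is not valid, any logged-in Mahara user is logged out and the
 * browser is shipped off to the IdP via $as->requireAuth(). If it is valid, the
 * saml auth instance whose configured institution attribute/value matches the
 * attributes asserted by the IdP is located and a login is attempted with it.
 *
 * @param object  $saml_config        saml configuration object (not used in this function)
 * @param boolean $valid_saml_session is there a valid saml2 session
 * @param array   $saml_attributes    saml attributes passed in by the IdP
 *                                    (attribute name => list of asserted values)
 * @param object  $as                 simpleSAMLphp auth source object used for requireAuth()
 * @return void   redirects (and does not return) once the user is authorised
 * @throws AccessTotallyDeniedException when the session retry counter exceeds SAML_RETRIES
 * @throws UserNotFoundException       when no auth instance matches the asserted
 *                                     attributes, or the matching instance refuses the user
 */
function simplesaml_init($saml_config, $valid_saml_session, $saml_attributes, $as) {
    global $CFG, $USER, $SESSION;

    // Bounded retry loop: every round trip to the IdP that comes back without a
    // valid session increments this counter, so a misbehaving IdP cannot bounce
    // the browser back and forth forever.
    $retry = $SESSION->get('retry');
    if ($retry > SAML_RETRIES) {
        throw new AccessTotallyDeniedException(get_string('errorretryexceeded', 'auth.saml', $retry));
    }

    if (!$valid_saml_session) {
        // A stale SAML session must not leave a live Mahara session behind.
        if ($USER->is_logged_in()) {
            $USER->logout();
        }
        $SESSION->set('messages', array());
        $SESSION->set('retry', $retry + 1);
        // Not a valid session: ship the user off to the Identity Provider.
        $as->requireAuth();
        return;
    }

    // Every saml auth instance, joined with the name of the IdP attribute it
    // uses to identify the institution ('institutionattribute').
    $instances = recordset_to_array(get_recordset_sql("SELECT * FROM {auth_instance_config} aic, {auth_instance} ai WHERE ai.id = aic.instance AND ai.authname = 'saml' AND aic.field = 'institutionattribute'"));

    // Find the one (it should be only one) whose configured attribute is present
    // in the assertion with a matching value. If several instances match, the
    // last one wins; $institutions collects every candidate for the log message.
    $instance = false;
    $institutions = array();
    foreach ($instances as $row) {
        $institutions[] = $row->instance . ':' . $row->institution . ':' . $row->value;
        if (!isset($saml_attributes[$row->value])) {
            continue;
        }
        // simpleSAMLphp delivers attribute values as arrays; the cast keeps a
        // single scalar value from being silently skipped.
        if (simplesaml_instance_matches_attribute($row, (array) $saml_attributes[$row->value])) {
            $instance = $row;
        }
    }

    if (!$instance) {
        log_warn("auth/saml: could not find an authinstance from: " . join(", ", $institutions));
        // NOTE: this writes every asserted attribute value (typically including
        // personal data such as names and email addresses) into the log.
        log_warn("auth/saml: could not find the saml institutionattribute for user: " . var_export($saml_attributes, true));
        throw new UserNotFoundException(get_string('errorbadinstitution', 'auth.saml'));
    }

    try {
        $auth = new AuthSaml($instance->id);
        if (!$auth->request_user_authorise($saml_attributes)) {
            throw new UserNotFoundException(get_string('errnosamluser', 'auth.saml'));
        }
    }
    catch (AccessDeniedException $e) {
        throw new UserNotFoundException(get_string('errnosamluser', 'auth.saml'));
    }

    // Authorised: flush the session before leaving so the login survives the redirect.
    session_write_close();
    redirect($CFG->wwwroot);
}

/**
 * Does one of the institution attribute values asserted by the IdP match the
 * institution check value configured for a saml auth instance?
 *
 * The check value is the instance's 'institutionvalue' config if set, else the
 * institution name. When 'institutionregex' is set the check value is treated
 * as a PCRE pattern, otherwise an exact (strict) string comparison is made.
 *
 * @param object $row    joined auth_instance / auth_instance_config row for the instance
 * @param array  $values values asserted for the instance's institution attribute
 * @return bool
 */
function simplesaml_instance_matches_attribute($row, array $values) {
    $is_regex = false;
    if ($configvalue = get_record('auth_instance_config', 'instance', $row->instance, 'field', 'institutionregex')) {
        $is_regex = (bool) $configvalue->value;
    }

    $institution_value = $row->institution;
    if ($configvalue = get_record('auth_instance_config', 'instance', $row->instance, 'field', 'institutionvalue')) {
        $institution_value = $configvalue->value;
    }

    foreach ($values as $attr) {
        if ($is_regex) {
            // The pattern is admin-supplied configuration wrapped in '/' delimiters
            // as-is: a '/' inside the configured value breaks the pattern, and an
            // unanchored pattern matches as a substring of the asserted value.
            if (preg_match('/' . trim($institution_value) . '/', $attr)) {
                return true;
            }
        }
        else if ((string) $attr === (string) $institution_value) {
            // Strict comparison: numeric-looking identifiers must not be matched
            // through PHP's loose string-to-number coercion ('1e3' == '1000').
            return true;
        }
    }
    return false;
}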