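/**
 * Validate a SAML response and resolve (or create) the WordPress user it names.
 *
 * Checks run in this order: audience contains our entity ID, response is within its time
 * restrictions, destination is the WordPress login URL, and the session index has not been
 * seen before (replay detection). Any failure redirects to the configured error URL and
 * exits. On success the session index is registered and the SSO session meta is written.
 *
 * @param string  $saml_response Raw SAML response as received from the IdP.
 * @param WP_User $user          Incoming user value; it is replaced by the user resolved
 *                               from the response's name identifier.
 *
 * @return WP_User The resolved user. Only meaningful when validation succeeded (if
 *                 _exit() does not terminate the request, the incoming $user is returned).
 */
private function handle_saml_response($saml_response, $user)
{
    try {
        $this->saml_response_service->load_saml_response($saml_response);
        // NOTE(review): signature / assertion verification is assumed to happen inside
        // load_saml_response(); the checks below do not verify the signature — confirm.

        if (!$this->saml_response_service->is_entity_in_audience($this->entity_id)) {
            throw new Exception(sprintf("Entity \"%s\" is not in allowed audience", $this->entity_id));
        }
        if (!$this->saml_response_service->is_timestamp_within_restrictions($this->wp_facade->time())) {
            throw new Exception("Response has expired");
        }
        if (!$this->saml_response_service->is_valid_destination($this->wp_facade->wp_login_url())) {
            throw new Exception("Invalid response destination");
        }
        // A session index that was already consumed means this response is being replayed.
        if ($this->saml_response_service->is_session_index_registered()) {
            throw new Exception(sprintf(
                "Session index %s already registered. Possible replay attack.",
                $this->saml_response_service->get_session_index()
            ));
        }

        // Account linking is by login name taken from the response: whichever local
        // account matches the IdP-supplied name is the one logged in.
        $user = $this->wp_facade->get_user_by('login', $this->saml_response_service->get_name());

        // First SSO login for this name: provision the account from the SSO attributes
        if (!$user instanceof WP_User) {
            // The role is taken from the IdP attribute and mapped through translate_role();
            // with no attribute it stays false (presumably "no role") — confirm intent.
            $role = $this->get_sso_attribute('role');
            $role = $role ? $this->translate_role($role) : false;

            $user_data = array(
                'user_login' => $this->saml_response_service->get_name(),
                'user_pass'  => '',
                'role'       => $role,
                'user_email' => $this->get_sso_attribute('user_email'),
                'first_name' => $this->get_sso_attribute('first_name'),
                'last_name'  => $this->get_sso_attribute('last_name'),
            );
            $user_id = $this->wp_facade->wp_insert_user($user_data);

            // wp_insert_user() reports failure (duplicate login, invalid email, ...) by
            // returning a WP_Error rather than an ID; without this check the error object
            // would be used as a user ID in the calls below.
            if ($user_id instanceof WP_Error) {
                throw new Exception(sprintf("Unable to create user: %s", $user_id->get_error_message()));
            }
            if (!$user_id) {
                throw new Exception("Unable to create user");
            }

            // Unset the password - wp_insert_user always generates a hash - it's misleading.
            // NOTE(review): this only prevents password login if the WordPress version in use
            // actually stores an empty password here — verify against the target WP version.
            $this->wp_facade->wp_update_user(array('ID' => $user_id, 'user_pass' => ''));
            $user = new WP_User($user_id);
        }

        // Record the SSO session so later requests know this login came via SSO
        $this->wp_facade->update_user_meta(
            $user->ID,
            'launchkey_sso_session',
            $this->saml_response_service->get_session_index()
        );
        $this->wp_facade->update_user_meta($user->ID, 'launchkey_authorized', 'true');

        // Registered last so a failure earlier in this block leaves the index unconsumed
        $this->saml_response_service->register_session_index();
    } catch (Exception $e) {
        // Every validation or provisioning failure ends the request on the error page
        $this->wp_facade->wp_redirect($this->error_url);
        $this->wp_facade->_exit();
    }

    return $user;
}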
/**
 * Page-load filter: log out a LaunchKey-authenticated user whose authorization has been
 * revoked (de-orbited).
 *
 * Does nothing for anonymous requests. When get_user_authorized() reports false for the
 * current user, the WordPress session is ended, the LaunchKey auth properties are reset,
 * and the browser is redirected to the login URL.
 *
 * @since 1.0.0
 */
public function launchkey_still_authenticated_page_load()
{
    if (!$this->wp_facade->is_user_logged_in()) {
        return;
    }

    $current_user = $this->wp_facade->wp_get_current_user();

    // Strict comparison: only an explicit false counts as "de-authorized"
    // (presumably other values mean still authorized or unknown — verify in get_user_authorized).
    $authorized = $this->get_user_authorized($current_user->ID);
    if (false !== $authorized) {
        return;
    }

    // Revoked: end the WP session first, then clear the LaunchKey state, then bounce to login
    $this->wp_facade->wp_logout();
    $this->reset_auth($current_user->ID);
    $this->wp_facade->wp_redirect($this->wp_facade->wp_login_url());
    $this->wp_facade->_exit();
}