/**
* Calls the logoutRemoteUser method within SSO plug-in if the user
* was logged on with SSO.
*
* @return void
*
* @since 2.0
*/
public function logout()
{
$session = JFactory::getSession();
$app = JFactory::getApplication();
// Get the SSO plug-in name from login if we used SSO
if ($class = $session->get(SHSsoHelper::SESSION_PLUGIN_KEY, false)) {
// Lets disable SSO until the user requests login
SHSsoHelper::disable();
$router = $app->getRouter();
// We need to add a callback on the router to tell the routed page we just logged out from SSO
$router->setVar('ssologoutkey', SHFactory::getConfig()->get('sso.bypasskey', 'nosso'));
$router->setVar('ssologoutval', $session->get(SHSsoHelper::SESSION_STATUS_KEY, SHSsoHelper::STATUS_ENABLE));
$router->attachBuildRule('SHSso::logoutRouterRule');
$index = array_search($class, $this->_observers);
// Ensure the SSO plug-in is still available
if ($index !== false && method_exists($this->_observers[$index], 'logoutRemoteUser')) {
$this->_observers[$index]->logoutRemoteUser();
}
}
}
/**
* Method for attempting single sign on.
*
* @return boolean True on successful SSO or False on failure.
*
* @since 2.0
*/
protected function _attemptSSO()
{
// Check the required SSO libraries exist
if (!(class_exists('SHSsoHelper') && class_exists('SHSso'))) {
// Error: classes missing
SHLog::add(JText::_('LIB_SHSSOMONITOR_ERR_15001'), 15001, JLog::ERROR, 'sso');
return;
}
try {
$config = SHFactory::getConfig();
// Check if SSO is disabled via the session
if (SHSsoHelper::status() !== SHSsoHelper::STATUS_ENABLE) {
// It is disabled so do not continue
return;
}
SHSsoHelper::enable();
$forceLogin = false;
$userId = JFactory::getUser()->get('id');
if ($config->get('sso.forcelogin', false)) {
if ($userId) {
// Log out current user if detect user is not equal
$forceLogin = true;
}
} else {
if ($userId) {
// User already logged in and no forcelogout
return;
}
}
/*
* Lets check the IP rule is valid before we continue -
* if the IP rule is false then SSO is not allowed here.
*/
jimport('joomla.application.input');
$input = new JInput($_SERVER);
// Get the IP address of this client
$myIp = $input->get('REMOTE_ADDR', false, 'string');
// Get a list of the IP addresses specific to the specified rule
$ipList = json_decode($config->get('sso.iplist'));
// Get the rule value
$ipRule = $config->get('sso.iprule', SHSsoHelper::RULE_ALLOW_ALL);
if (!SHSsoHelper::doIPCheck($myIp, $ipList, $ipRule)) {
if (!$forceLogin) {
// This IP isn't allowed
SHLog::add(JText::_('LIB_SHSSO_DEBUG_15004'), 15004, JLog::DEBUG, 'sso');
}
return;
}
/*
* We are going to check if we are in backend.
* If so then we need to check if sso is allowed
* to execute on the backend.
*/
if (JFactory::getApplication()->isAdmin()) {
if (!$config->get('sso.backend', false)) {
if (!$forceLogin) {
// Not allowed to SSO on backend
SHLog::add(JText::_('LIB_SHSSO_DEBUG_15006'), 15006, JLog::DEBUG, 'sso');
}
return;
}
}
// Instantiate the main SSO library for detection & authentication
$sso = new SHSso($config->get('sso.plugintype', 'sso'));
$detection = $sso->detect();
if ($detection) {
// Check the detected user is not blacklisted
$blacklist = (array) json_decode($config->get('user.blacklist'));
if (in_array($detection['username'], $blacklist)) {
SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15007', $detection['username']), 15007, JLog::DEBUG, 'sso');
// Detected user is blacklisted
return;
}
// Check if the current logged in user matches the detection
if ($forceLogin && strtolower($detection['username']) != strtolower(JFactory::getUser()->get('username'))) {
SHLog::add(JText::sprintf('LIB_SHSSO_DEBUG_15008', $detection['username']), 15008, JLog::DEBUG, 'sso');
// Need to logout the current user
JFactory::getApplication()->logout();
}
}
// Attempt the login
return $sso->login($detection);
} catch (Exception $e) {
SHLog::add($e, 15002, JLog::ERROR, 'sso');
}
}
