This function accepts an array $params, which controls some parts of the authentication. The accepted parameters
depend on the authentication source being used. Some parameters are generic:
- 'ErrorURL': A URL that should receive errors from the authentication.
- 'KeepPost': If the current request is a POST request, keep the POST data until after the authentication.
- 'ReturnTo': The URL the user should be returned to after authentication.
- 'ReturnCallback': The function we should call after the user has finished authentication.
Please note: this function never returns.
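/**
 * Sign the user in through the SimpleSAMLphp 'default-sp' authentication source.
 *
 * Already-authenticated users are sent to the homepage. When the SAML session
 * exists, the sfGuardUser whose username equals eduPersonPrincipalName is
 * updated (or created with an unguessable password) and signed in; when it
 * does not, the IdP login is started, which redirects and calls exit().
 * Unauthenticated XHR requests get a bare 401 instead of a redirect.
 *
 * @param sfWebRequest $request The current request.
 * @return mixed sfView::NONE for unauthenticated XHR requests; otherwise a redirect.
 * @throws sfException When the assertion carries no eduPersonPrincipalName.
 */
public function executeSignin($request)
{
    $user = $this->getUser();
    if ($user->isAuthenticated()) {
        return $this->redirect('@homepage');
    }

    $simpleSAMLAuth = new SimpleSAML_Auth_Simple('default-sp');

    if (!$simpleSAMLAuth->isAuthenticated()) {
        if ($request->isXmlHttpRequest()) {
            $this->getResponse()->setHeaderOnly(true);
            $this->getResponse()->setStatusCode(401);
            return sfView::NONE;
        }

        // If we have been forwarded, the referer is the current URL;
        // otherwise it is the referer of the current request.
        $user->setReferer($this->getContext()->getActionStack()->getSize() > 1
            ? $request->getUri()
            : $request->getReferer());

        // login() redirects to the IdP and calls exit(); nothing after it runs.
        $this->url_idp = $simpleSAMLAuth->login();
        return;
    }

    $attributes = $simpleSAMLAuth->getAttributes();

    // The principal name is the account key: refuse to continue without it
    // rather than matching or creating a user with an empty username.
    $principal = isset($attributes['eduPersonPrincipalName'][0]) ? $attributes['eduPersonPrincipalName'][0] : '';
    if ('' === $principal) {
        throw new sfException('SAML assertion does not contain eduPersonPrincipalName.');
    }
    $mail = isset($attributes['mail'][0]) ? $attributes['mail'][0] : null;
    $cn = isset($attributes['cn'][0]) ? $attributes['cn'][0] : null;

    // Remember where the user came from so we can send them back afterwards.
    $user_referer = $user->getReferer($request->getReferer());

    $query = Doctrine_Core::getTable('sfGuardUser')->createQuery('u')->where('u.username = ?', $principal);

    if ($query->count() >= 1) {
        $guard_user = $query->fetchOne();
    } else {
        // Unknown user: create one. The password is never used (login goes
        // through SAML) but must be unguessable, so prefer the CSPRNG-backed
        // random_bytes(); the fallback keeps pre-PHP-7 deployments working.
        $guard_user = new sfGuardUser();
        $guard_user->setUsername($principal);
        $guard_user->setPassword(function_exists('random_bytes')
            ? bin2hex(random_bytes(32))
            : md5(microtime() . $principal . mt_rand()));
        $guard_user->setIsActive(true);
    }
    $guard_user->setEmailAddress($mail);
    $guard_user->setLastName($cn);
    $guard_user->save();

    // Remember-me is deliberately off: the IdP session is the authority.
    $this->getUser()->signin($guard_user, false);

    // Redirect to the URL configured in app.yml, else the referer, else home.
    $signinUrl = sfConfig::get('app_sf_guard_plugin_success_signin_url', $user_referer);
    return $this->redirect('' != $signinUrl ? $signinUrl : '@homepage');
}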
/**
 * Authenticate the user against the configured authentication source.
 *
 * A passive request cannot be satisfied by an interactive login, so it is
 * rejected before the source is invoked.
 *
 * @param array &$state The authentication request state.
 * @throws SimpleSAML_Error_NoPassive If the request asks for passive authentication.
 */
private function authenticate(array &$state)
{
    $wantsPassive = isset($state['isPassive']) ? (bool) $state['isPassive'] : false;
    if ($wantsPassive) {
        throw new SimpleSAML_Error_NoPassive('Passive authentication not supported.');
    }

    $this->authSource->login($state);
}
/**
 * Authenticate the user against the configured authentication source.
 *
 * Passive requests are rejected up front. Before handing over, the IdP
 * metadata is stored in the state and the return callback is pointed at
 * SimpleSAML_IdP::postAuth so control comes back here once the source is done.
 *
 * @param array &$state The authentication request state.
 * @throws SimpleSAML_Error_NoPassive If the request asks for passive authentication.
 */
private function authenticate(array &$state)
{
    $wantsPassive = isset($state['isPassive']) ? (bool) $state['isPassive'] : false;
    if ($wantsPassive) {
        throw new SimpleSAML_Error_NoPassive('Passive authentication not supported.');
    }

    $state['IdPMetadata'] = $this->getConfig()->toArray();
    $state['ReturnCallback'] = array('SimpleSAML_IdP', 'postAuth');

    $this->authSource->login($state);
}
/**
 * Require admin access to the current page.
 *
 * Helper for restricting a page to administrators: a non-admin user is sent
 * through the "admin" authentication source, which redirects to a login page.
 *
 * @return void Returns only when the current user is an admin.
 * @throws \SimpleSAML_Error_Exception If no "admin" authentication source is configured.
 *
 * @author Olav Morken, UNINETT AS <*****@*****.**>
 * @author Jaime Perez, UNINETT AS <*****@*****.**>
 */
public static function requireAdmin()
{
    if (self::isAdmin()) {
        return;
    }

    // Not authenticated as admin: the "admin" auth source must exist to continue.
    if (\SimpleSAML_Auth_Source::getById('admin') === null) {
        throw new \SimpleSAML_Error_Exception('Cannot find "admin" auth source, and admin privileges are required.');
    }

    $adminAuth = new \SimpleSAML_Auth_Simple('admin');
    $adminAuth->login();
}
/**
 * Require admin access for the current page.
 *
 * Helper for restricting a page to administrators. A non-admin user is
 * redirected to a login page: the "admin" auth source when one is
 * configured, otherwise the legacy auth/login-admin.php page.
 */
public static function requireAdmin()
{
    if (self::isAdmin()) {
        return;
    }

    $returnTo = self::selfURL();

    if (SimpleSAML_Auth_Source::getById('admin') === NULL) {
        // Backwards-compatibility: no "admin" auth source, use the legacy admin login page.
        $config = SimpleSAML_Configuration::getInstance();
        self::redirectTrustedURL('/' . $config->getBaseURL() . 'auth/login-admin.php', array('RelayState' => $returnTo));
        return;
    }

    // Not authenticated as admin user: start authentication.
    $adminAuth = new SimpleSAML_Auth_Simple('admin');
    $adminAuth->login();
}
$_SESSION["last_forward_from"] = $_SERVER["REFERER"]; } // login with SAML if (!$saml_auth->isAuthenticated()) { if (subsite_manager_on_subsite()) { $site = elgg_get_site_entity(); $main_site = $site->getOwnerEntity(); $main_url = str_ireplace($site->url, $main_site->url, current_page_url()); $redirect_url = $site->url . "mod/subsite_manager/procedures/simplesaml/redirect.php"; SimpleSAML_Utilities::redirect($main_url, array("from" => $redirect_url)); } else { if (get_input("from")) { $_SESSION["last_forward_from"] = $source; } // not logged in on IDP, so do that $saml_auth->login(); } } else { // user is authenticated with IDP, so check in Elgg $saml_attributes = simplesaml_get_authentication_attributes($saml_auth, $source); // save the attributes for further use $_SESSION["saml_attributes"] = $saml_attributes; $_SESSION["saml_source"] = $source; // make sure we can find all users (even unvalidated) $hidden = access_get_show_hidden_status(); access_show_hidden_entities(true); if ($user = simplesaml_find_user($source, $saml_attributes)) { // found a user, so login try { login($user); if (!empty($_SESSION["last_forward_from"]) && $_SESSION["last_forward_from"] == $source) {
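/**
 * Saves the chosen method name in the session and initialises
 * the external login process.
 *
 * Depending on the method's auth library this either hands off to
 * SimpleSAMLphp (which redirects to the IdP) or emits a Location header
 * to the method's link; both paths terminate the request with exit.
 * An unknown method name is logged and ignored.
 *
 * @param string $methodName Name of the chosen login method
 */
private function initLogin($methodName)
{
    $method = $this->multiAuthPlugin->getMethod($methodName);
    if (empty($method)) {
        // Previously a silent no-op; leave a trace so a bad method name is diagnosable.
        wfDebugLog('MultiAuthPlugin', __METHOD__ . ': ' . "unknown login method '{$methodName}', login not started");
        return;
    }

    // save selected method name
    $_SESSION['MA_methodName'] = $methodName;
    wfDebugLog('MultiAuthPlugin', __METHOD__ . ': ' . ': ' . "SESSION['MA_methodName'] = {$methodName}");

    $libName = $this->multiAuthPlugin->getAuthLib($methodName);
    wfDebugLog('MultiAuthPlugin', __METHOD__ . ': ' . ': ' . "Method auth settings: " . print_r($method['auth'], true));

    switch ($libName) {
        case 'simplesamlphp':
            // init the external login
            $ssphpPath = $this->multiAuthPlugin->config['paths']['libs']['simplesamlphp'];
            require_once $ssphpPath . "/lib/_autoload.php";

            $as = new SimpleSAML_Auth_Simple($method['auth']['spentityid']);
            $return_url = $this->buildReturnURL($methodName);
            wfDebugLog('MultiAuthPlugin', __METHOD__ . ': ' . ': ' . "Redirecting to SSO login process: [SimpleSamlPHP] ReturnTo = {$return_url}");

            $loginParams = array('ReturnTo' => $return_url);
            if (isset($method['auth']['idpentityid'])) {
                // Pin the IdP when the method configures one.
                $loginParams['saml:idp'] = $method['auth']['idpentityid'];
            }
            $as->login($loginParams);
            // login() normally redirects and exits; exit here too so nothing is rendered.
            exit;

        default:
            $target = $this->buildLink($methodName);
            wfDebugLog('MultiAuthPlugin', __METHOD__ . ': ' . ': ' . "Redirecting to SSO login process: [URL] {$target}");
            header("Location: " . $target);
            exit;
    }
}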
}

$asId = (string) $_REQUEST['as'];
$as = new SimpleSAML_Auth_Simple($asId);

// Logout when requested, landing on the module's logout page afterwards.
if (array_key_exists('logout', $_REQUEST)) {
    $as->logout('/' . $config->getBaseURL() . 'logout.php');
}

// Error path: the login failed and the exception was stored in the auth state.
if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) {
    // This is just a simple example of an error
    $state = SimpleSAML_Auth_State::loadExceptionState();
    assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)');
    $exception = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];

    header('Content-Type: text/plain');
    echo "Exception during login:\n";
    foreach ($exception->format() as $formattedLine) {
        echo $formattedLine . "\n";
    }
    exit(0);
}

if (!$as->isAuthenticated()) {
    // Come back to this page on success and on error; login() does not return.
    $url = SimpleSAML_Module::getModuleURL('core/authenticate.php', array('as' => $asId));
    $as->login(array('ErrorURL' => $url, 'ReturnTo' => $url));
}

$attributes = $as->getAttributes();

$t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$t->data['header'] = '{status:header_saml20_sp}';
$t->data['attributes'] = $attributes;
// if saml:sp:IdP is set, this is SAML auth so we can pass a NameId
$isSamlAuth = $as->getAuthData('saml:sp:IdP') !== null;
$t->data['nameid'] = $isSamlAuth ? $as->getAuthData('saml:sp:NameID') : FALSE;
$t->data['logouturl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery() . '?as=' . urlencode($asId) . '&logout';
$t->show();
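/**
 * Start connecting an additional SAML account (the "<source>-connect" auth
 * source) to the currently logged-in user.
 *
 * The caller's referer is remembered in the session so the user can be sent
 * back afterwards. Anonymous users, a missing "source" parameter and an
 * unknown connect source are all sent back to that referer. If the connect
 * source already has a session it is logged out first and this action is
 * re-entered; otherwise the SAML login is started with return and error
 * URLs pointing at postconnect / postconnecterror.
 *
 * Fixes: the login error parameter is spelled 'ErrorURL' (array keys are
 * case-sensitive, so the former 'ErrorUrl' key was not picked up), the source
 * name is URL-encoded when placed in query strings, and a missing
 * HTTP_REFERER no longer raises a notice.
 *
 * @return void
 */
public function connectAction()
{
    $this->_helper->layout->disableLayout();
    $this->_helper->viewRenderer->setNoRender();

    $referer = trim((string) $this->session->connectreferer);
    if ($referer === "") {
        // First visit: remember where the user came from (header may be absent).
        $referer = isset($_SERVER["HTTP_REFERER"]) ? trim((string) $_SERVER["HTTP_REFERER"]) : "";
        $this->session->connectreferer = $referer;
    }
    if ($referer === "") {
        $referer = "https://" . $_SERVER["HTTP_HOST"];
    }

    // Only a logged-in user may connect an account.
    $userId = isset($this->session->userid) ? $this->session->userid : null;
    if ($userId === null || !is_numeric($userId) || intval($userId) <= 0) {
        $this->leaveToReferer($referer);
        return;
    }

    // A source must be given.
    $source = trim((string) $this->_getParam("source"));
    if ($source === "") {
        $this->leaveToReferer($referer);
        return;
    }

    $authsource = str_replace("-sp", "", strtolower($source));
    $connectsource = str_replace("-sp", "-connect", $source);

    require_once SamlAuth::LIB_AUTOLOAD;

    // Initialize SAML and list the configured connect sources.
    $config = SimpleSAML_Configuration::getInstance();
    $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
    $t->data['sources'] = SimpleSAML_Auth_Source::getSourcesMatch('-connect');

    // Strict comparison: the name must match a configured connect source exactly.
    if (!in_array($connectsource, $t->data['sources'], true)) {
        $this->leaveToReferer($referer);
        $this->session->userError = array(
            "title" => "Could not proceed with user account connection",
            "message" => "You tried to connect to a " . $authsource . " account. This type of connection is not supported.",
        );
        exit;
    }

    // The source name travels back to this controller in the query string;
    // encode it so it cannot break out of the parameter.
    $sourceParam = rawurlencode($source);

    // NOTE(review): the URLs below are built from HTTP_HOST, which is
    // client-supplied; logout() uses SERVER_NAME. A configured base URL
    // would be the consistent choice — confirm with the deployment.
    $as = new SimpleSAML_Auth_Simple($connectsource);
    if ($as->isAuthenticated()) {
        // Already authenticated with the connect source: log out and re-enter here.
        $as->logout('https://' . $_SERVER["SERVER_NAME"] . '/saml/connect?source=' . $sourceParam);
        return;
    }

    // Start the SAML login for the account to connect.
    $as->login(array(
        "ReturnTo" => "https://" . $_SERVER["HTTP_HOST"] . "/saml/postconnect?source=" . $sourceParam,
        "ErrorURL" => "https://" . $_SERVER["HTTP_HOST"] . "/saml/postconnecterror?source=" . $sourceParam,
    ));
    return;
}

/**
 * Send the browser back to $referer and forget the stored referer.
 * Callers decide whether to return or exit afterwards.
 *
 * @param string $referer Absolute or relative URL to redirect to.
 * @return void
 */
private function leaveToReferer($referer)
{
    header("Location: " . $referer);
    unset($this->session->connectreferer);
}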
/**
 * Added for gepi: pick the auth source and organisation from cookies and
 * request parameters.
 * Start an authentication process.
 *
 * This function never returns.
 *
 * This function accepts an array $params, which controls some parts of
 * the authentication. The accepted parameters depend on the authentication
 * source being used. Some parameters are generic:
 * - 'ErrorURL': A URL that should receive errors from the authentication.
 * - 'KeepPost': If the current request is a POST request, keep the POST
 *   data until after the authentication.
 * - 'ReturnTo': The URL the user should be returned to after authentication.
 * - 'ReturnCallback': The function we should call after the user has
 *   finished authentication.
 *
 * Explicit entries in $params always win; otherwise 'multiauth:preselect'
 * is filled from the 'source' request parameter or cookie, and
 * 'core:organization' from 'organization' (request, then cookie) or the
 * gepi-specific 'rne' parameter / 'RNE' cookie.
 *
 * @param array $params Various options to the authentication request.
 */
public function login(array $params = array())
{
    // Candidates are tried in priority order; the first one that is set wins.
    if (!isset($params['multiauth:preselect'])) {
        $preselectCandidates = array(
            array($_REQUEST, 'source'),
            array($_COOKIE, 'source'),
        );
        foreach ($preselectCandidates as $candidate) {
            list($bag, $key) = $candidate;
            if (isset($bag[$key])) {
                $params['multiauth:preselect'] = $bag[$key];
                break;
            }
        }
    }

    if (!isset($params['core:organization'])) {
        $organizationCandidates = array(
            array($_REQUEST, 'organization'),
            array($_COOKIE, 'organization'),
            array($_REQUEST, 'rne'),
            array($_COOKIE, 'RNE'),
        );
        foreach ($organizationCandidates as $candidate) {
            list($bag, $key) = $candidate;
            if (isset($bag[$key])) {
                $params['core:organization'] = $bag[$key];
                break;
            }
        }
    }

    parent::login($params);
}