コード例 #1
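 /**
  * Write a statistics log line for this authentication.
  *
  * Emits `<typeTag> <destination> <source> <attribute>` to the stats log.
  * When the state carries no `PreviousSSOTimestamp` (the user has not
  * authenticated to this SP earlier in the session) a `<typeTag>-first`
  * line with the same fields is written before it. Source and destination
  * use the `core:statistics-id` metadata value when present and the
  * `entityid` otherwise; anything that cannot be resolved is logged as `NA`.
  *
  * The first value of the configured attribute is written to the log
  * verbatim, so the attribute chosen in the filter configuration should be
  * one that is acceptable in log files.
  *
  * @param array &$state  The current state.
  */
 public function process(&$state)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_array($state));
     assert(array_key_exists('Attributes', $state));

     $logAttribute = 'NA';
     if (array_key_exists($this->attribute, $state['Attributes'])) {
         $logAttribute = $state['Attributes'][$this->attribute][0];
     }

     $source = $this->statisticsId($state, 'Source');
     $dest = $this->statisticsId($state, 'Destination');

     $fields = $dest . ' ' . $source . ' ' . $logAttribute;
     if (!array_key_exists('PreviousSSOTimestamp', $state)) {
         /* The user hasn't authenticated with this SP earlier in this session. */
         SimpleSAML_Logger::stats($this->typeTag . '-first ' . $fields);
     }
     SimpleSAML_Logger::stats($this->typeTag . ' ' . $fields);
 }

 /**
  * Resolve the statistics identifier of the entity stored under $key.
  *
  * @param array $state  The current state.
  * @param string $key  Either 'Source' or 'Destination'.
  * @return string  The entity's `core:statistics-id`, else its `entityid`,
  *                 or 'NA' when the state has no such entity.
  */
 private function statisticsId(array $state, $key)
 {
     if (!array_key_exists($key, $state)) {
         return 'NA';
     }
     if (isset($state[$key]['core:statistics-id'])) {
         return $state[$key]['core:statistics-id'];
     }
     return $state[$key]['entityid'];
 }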
コード例 #2
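 /**
  * Write a pseudonymous statistics log line for this authentication.
  *
  * Emits `<typeTag>#TS=<unix time>#AP=<IdP entityid>#RP=<SP entityid>#PN=<pseudonym>#AM=<authn context>#`.
  * PN is the SHA-256 digest of the configured attribute's first value
  * concatenated with the filter's secret salt, so the log carries a stable
  * pseudonym rather than the identifier itself. AM is fixed to the SAML
  * Password authentication context class. Fields that cannot be resolved
  * are logged as `NA`.
  *
  * The pseudonym is only as strong as the salt: with a weak or exposed salt
  * it no longer hides the attribute value. NOTE(review): an HMAC
  * (hash_hmac('sha256', $value, $salt)) is the standard construction, but
  * switching would change every PN in existing logs, so it is left as is.
  *
  * @param array &$state  The current state.
  */
 public function process(&$state)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_array($state));
     assert(array_key_exists('Attributes', $state));

     $TS = time();
     $AP = 'NA';
     $RP = 'NA';
     $PN = 'NA';
     $AM = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';

     if (array_key_exists($this->attribute, $state['Attributes'])) {
         // Salted digest of the first attribute value; the raw value never reaches the log.
         $PN = hash('sha256', $state['Attributes'][$this->attribute][0] . $this->secretsalt);
     }
     if (array_key_exists('Source', $state)) {
         $AP = $state['Source']['entityid'];
     }
     if (array_key_exists('Destination', $state)) {
         $RP = $state['Destination']['entityid'];
     }

     SimpleSAML_Logger::stats($this->typeTag . '#TS=' . $TS . '#AP=' . $AP . '#RP=' . $RP . '#PN=' . $PN . '#AM=' . $AM . '#');
 }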
コード例 #3
    $userid = null;
    if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
        throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.');
    }
    if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) {
        throw new SimpleSAML_Error_Error('NOTVALIDCERT', $e);
    }
    $userid = $_SERVER['SSL_CLIENT_S_DN'];
    $attributes['CertificateDN'] = array($userid);
    $attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']);
    $session->doLogin('tlsclient');
    $session->setAttributes($attributes);
    #echo '<pre>';
    #print_r($_SERVER);
    #echo '</pre>'; exit;
    SimpleSAML_Logger::info('AUTH - tlsclient: ' . $userid . ' successfully authenticated');
    $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
    /**
     * Create a statistics log entry for every successfull login attempt.
     * Also log a specific attribute as set in the config: statistics.authlogattr
     */
    $authlogattr = $config->getValue('statistics.authlogattr', null);
    if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]);
    } else {
        SimpleSAML_Logger::stats('AUTH-tlsclient OK');
    }
    SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']);
} catch (Exception $e) {
    throw new SimpleSAML_Error_Error('CONFIG', $e);
}
コード例 #4
ファイル: login-radius.php プロジェクト: shirlei/simplesaml
             }
             // end of contribution
             //$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username']));
             SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' successfully authenticated');
             $session->doLogin('login-radius');
             $session->setAttributes($attributes);
             $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
             /**
              * Create a statistics log entry for every successfull login attempt.
              * Also log a specific attribute as set in the config: statistics.authlogattr
              */
             $authlogattr = $config->getValue('statistics.authlogattr', null);
             if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
                 SimpleSAML_Logger::stats('AUTH-login-radius OK ' . $attributes[$authlogattr][0]);
             } else {
                 SimpleSAML_Logger::stats('AUTH-login-radius OK');
             }
             SimpleSAML_Utilities::redirectTrustedURL($relaystate);
         case RADIUS_ACCESS_REJECT:
             SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' failed to authenticate');
             throw new Exception('Radius authentication error: Bad credentials ');
             break;
         case RADIUS_ACCESS_CHALLENGE:
             SimpleSAML_Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius));
             throw new Exception('Radius authentication error: Challenge requested');
             break;
         default:
             SimpleSAML_Logger::critical('AUTH  -radius: General radius error: ' . radius_strerror($radius));
             throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
     }
 } catch (Exception $e) {
コード例 #5
ファイル: Consent.php プロジェクト: danielkjfrog/docker
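 /**
  * Process an authentication response.
  *
  * Decides whether the user has to be asked for consent before the
  * attributes are released to the SP. The response passes through untouched
  * when consent is disabled in the IdP or SP metadata, or when the consent
  * store already holds a matching record. Otherwise the state is saved and
  * the user is redirected to the consent page, which does not return.
  *
  * On the way out the state receives the display options (`consent:focus`,
  * `consent:checked`, `consent:hiddenAttributes`, `consent:noconsentattributes`,
  * `consent:showNoConsentAboutService`) and, when a store is configured and
  * could be read, the store plus the identifiers (`consent:store`,
  * `consent:store.userId`, `consent:store.destination`,
  * `consent:store.attributeSet`) the consent page needs to persist the
  * decision. A storage read error is logged and the user is still asked
  * for consent, but `consent:store` is then absent from the state.
  *
  * @param array &$state The state of the response.
  *
  * @return void
  *
  * @throws SimpleSAML_Error_NoPassive If consent is required on a passive request.
  */
 public function process(&$state)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_array($state));
     assert(array_key_exists('UserID', $state));
     assert(array_key_exists('Attributes', $state));
     assert(array_key_exists('Destination', $state));
     assert(array_key_exists('entityid', $state['Destination']));
     assert(array_key_exists('metadata-set', $state['Destination']));
     assert(array_key_exists('Source', $state));
     assert(array_key_exists('entityid', $state['Source']));
     assert(array_key_exists('metadata-set', $state['Source']));

     $spEntityId = $state['Destination']['entityid'];
     $idpEntityId = $state['Source']['entityid'];

     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

     /**
      * If the consent module is active on a bridge $state['saml:sp:IdP']
      * will contain an entry id for the remote IdP. If not, then the
      * consent module is active on a local IdP and nothing needs to be
      * done.
      */
     if (isset($state['saml:sp:IdP'])) {
         $idpEntityId = $state['saml:sp:IdP'];
         $idpmeta = $metadata->getMetaData($idpEntityId, 'saml20-idp-remote');
         $state['Source'] = $idpmeta;
     }

     $statsData = array('spEntityID' => $spEntityId);

     // Do not use consent if disabled: the IdP metadata may disable it for
     // this SP, the SP metadata for this IdP.
     if (isset($state['Source']['consent.disable']) && self::checkDisable($state['Source']['consent.disable'], $spEntityId)) {
         SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
         SimpleSAML_Stats::log('consent:disabled', $statsData);
         return;
     }
     if (isset($state['Destination']['consent.disable']) && self::checkDisable($state['Destination']['consent.disable'], $idpEntityId)) {
         SimpleSAML_Logger::debug('Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId);
         SimpleSAML_Stats::log('consent:disabled', $statsData);
         return;
     }

     if ($this->_store !== null) {
         $source = $state['Source']['metadata-set'] . '|' . $idpEntityId;
         $destination = $state['Destination']['metadata-set'] . '|' . $spEntityId;
         $attributes = $state['Attributes'];

         // Remove attributes that do not require consent, so they do not take
         // part in the attribute hash a stored consent is compared against.
         // NOTE(review): the loose in_array() is kept as is; attribute names
         // are strings, so a strict comparison should be equivalent — verify
         // before changing.
         foreach ($attributes as $attrkey => $attrval) {
             if (in_array($attrkey, $this->_noconsentattributes)) {
                 unset($attributes[$attrkey]);
             }
         }

         // The unhashed UserID is written at debug level here; the store and
         // the later log lines only see the derived identifiers.
         SimpleSAML_Logger::debug('Consent: userid: ' . $state['UserID']);
         SimpleSAML_Logger::debug('Consent: source: ' . $source);
         SimpleSAML_Logger::debug('Consent: destination: ' . $destination);

         $userId = self::getHashedUserID($state['UserID'], $source);
         $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
         $attributeSet = self::getAttributeHash($attributes, $this->_includeValues);

         SimpleSAML_Logger::debug('Consent: hasConsent() [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']');

         try {
             if ($this->_store->hasConsent($userId, $targetedId, $attributeSet)) {
                 // Consent already given
                 SimpleSAML_Logger::stats('Consent: Consent found');
                 SimpleSAML_Stats::log('consent:found', $statsData);
                 return;
             }

             SimpleSAML_Logger::stats('Consent: Consent notfound');
             SimpleSAML_Stats::log('consent:notfound', $statsData);

             $state['consent:store'] = $this->_store;
             $state['consent:store.userId'] = $userId;
             $state['consent:store.destination'] = $targetedId;
             $state['consent:store.attributeSet'] = $attributeSet;
         } catch (Exception $e) {
             // Best effort: a broken store must not block the login. Fall
             // through and ask for consent without a store in the state.
             SimpleSAML_Logger::error('Consent: Error reading from storage: ' . $e->getMessage());
             SimpleSAML_Logger::stats('Consent: Failed');
             SimpleSAML_Stats::log('consent:failed', $statsData);
         }
     } else {
         SimpleSAML_Logger::stats('Consent: No storage');
         SimpleSAML_Stats::log('consent:nostorage', $statsData);
     }

     $state['consent:focus'] = $this->_focus;
     $state['consent:checked'] = $this->_checked;
     $state['consent:hiddenAttributes'] = $this->_hiddenAttributes;
     $state['consent:noconsentattributes'] = $this->_noconsentattributes;
     $state['consent:showNoConsentAboutService'] = $this->_showNoConsentAboutService;

     // User interaction necessary. Throw exception on isPassive request
     if (isset($state['isPassive']) && $state['isPassive'] == true) {
         SimpleSAML_Stats::log('consent:nopassive', $statsData);
         throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
     }

     // Save state and redirect
     $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
     $url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
     SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
 }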
コード例 #6
    }
    $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
    finishLogin($authProcState);
}
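// The assertion consumer service only accepts a POSTed SAMLResponse.
// $exception is not defined at this point (the catch block further down
// introduces it), so the error is thrown with the error code alone.
if (empty($_POST['SAMLResponse'])) {
    throw new SimpleSAML_Error_Error('ACSPARAMS');
}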
try {
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
    $authnResponse = $binding->decodeResponse($_POST);
    $authnResponse->validate();
    /* Successfully authenticated. */
    $idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote');
    SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']);
    SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA');
    $relayState = $authnResponse->getRelayState();
    if (!isset($relayState)) {
        throw new SimpleSAML_Error_Error('NORELAYSTATE');
    }
    $spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted');
    /* Begin module attribute processing */
    $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp');
    $authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata);
    $pc->processState($authProcState);
    /* Since this function returns, processing has completed and attributes have
     * been updated.
     */
    finishLogin($authProcState);
} catch (Exception $exception) {
    throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
コード例 #7
ファイル: Consent.php プロジェクト: filonuse/fedlab
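 /**
  * Process an authentication response.
  *
  * This function saves the state, and redirects the user to the page where
  * the user can authorize the release of the attributes. The response
  * passes through untouched when the SP is listed in the IdP's
  * `consent.disable` metadata entry or when the consent store already holds
  * a matching record. Without a configured store the user is asked every
  * time.
  *
  * On the way out the state receives the display options (`consent:focus`,
  * `consent:checked`, `consent:hiddenAttributes`) and, when a store is
  * configured, the store plus the identifiers (`consent:store`,
  * `consent:store.userId`, `consent:store.destination`,
  * `consent:store.attributeSet`) the consent page needs to persist the
  * decision.
  *
  * @param array &$state  The state of the response.
  *
  * @throws SimpleSAML_Error_NoPassive If consent is required on a passive request.
  */
 public function process(&$state)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_array($state));
     assert(array_key_exists('UserID', $state));
     assert(array_key_exists('Attributes', $state));
     assert(array_key_exists('Destination', $state));
     assert(array_key_exists('entityid', $state['Destination']));
     assert(array_key_exists('metadata-set', $state['Destination']));
     assert(array_key_exists('Source', $state));
     assert(array_key_exists('entityid', $state['Source']));
     assert(array_key_exists('metadata-set', $state['Source']));

     $session = SimpleSAML_Session::getInstance();
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

     /* If the consent module is active on a bridge $state['saml:sp:IdP'] will contain
      * an entry id for the remote IdP. If not, then the
      * consent module is active on a local IdP and nothing needs to be done.
      */
     if (isset($state['saml:sp:IdP'])) {
         $idpmeta = $metadata->getMetaData($state['saml:sp:IdP'], 'saml20-idp-remote');
         $state['Source'] = $idpmeta;
     } elseif ($session->getIdP() !== NULL) {
         /* For backwards compatibility. TODO: Remove in version 1.8. */
         $idpmeta = $metadata->getMetaData($session->getIdP(), 'saml20-idp-remote');
         $state['Source'] = $idpmeta;
     }

     if ($this->store !== NULL) {
         // Do not use consent if disabled on source entity.
         // NOTE(review): the loose in_array() is kept as is; a non-string entry
         // in consent.disable (e.g. a boolean) would compare loosely against the
         // entity ID, so a strict comparison is worth considering.
         if (isset($state['Source']['consent.disable']) && in_array($state['Destination']['entityid'], $state['Source']['consent.disable'])) {
             SimpleSAML_Logger::debug('Consent - Consent disabled for entity ' . $state['Destination']['entityid']);
             return;
         }

         $source = $state['Source']['metadata-set'] . '|' . $state['Source']['entityid'];
         $destination = $state['Destination']['metadata-set'] . '|' . $state['Destination']['entityid'];

         // The unhashed UserID is written at debug level here; the store only
         // sees the identifiers derived below.
         SimpleSAML_Logger::debug('Consent - userid : ' . $state['UserID']);
         SimpleSAML_Logger::debug('Consent - source : ' . $source);
         SimpleSAML_Logger::debug('Consent - destination : ' . $destination);

         $userId = self::getHashedUserID($state['UserID'], $source);
         $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
         $attributeSet = self::getAttributeHash($state['Attributes'], $this->includeValues);

         SimpleSAML_Logger::debug('Consent - hasConsent() : [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']');

         if ($this->store->hasConsent($userId, $targetedId, $attributeSet)) {
             SimpleSAML_Logger::stats('consent found');
             /* Consent already given. */
             return;
         }

         SimpleSAML_Logger::stats('consent notfound');

         $state['consent:store'] = $this->store;
         $state['consent:store.userId'] = $userId;
         $state['consent:store.destination'] = $targetedId;
         $state['consent:store.attributeSet'] = $attributeSet;
     } else {
         SimpleSAML_Logger::stats('consent nostorage');
     }

     $state['consent:focus'] = $this->focus;
     $state['consent:checked'] = $this->checked;
     $state['consent:hiddenAttributes'] = $this->hiddenAttributes;

     /* User interaction necessary. Throw exception on isPassive request */
     if (isset($state['isPassive']) && $state['isPassive'] == TRUE) {
         throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
     }

     /* Save state and redirect. */
     $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
     $url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
     SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
 }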
コード例 #8
        $assertion = $assertion[0];
    } catch (sspmod_saml_Error $e) {
        /* The status of the response wasn't "success". */
        $status = $response->getStatus();
        if (array_key_exists('OnError', $info)) {
            /* We have an error handler. Return the error to it. */
            SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code']));
        }
        /* We don't have an error handler. Show an error page. */
        throw new SimpleSAML_Error_Error('RESPONSESTATUSNOSUCCESS', $e);
    }
    SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successful response from IdP');
    /*
     * Attribute handling
     */
    $attributes = $assertion->getAttributes();
    SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadataHandler->getMetaDataCurrentEntityID() . ' ' . $idp . ' NA');
    $nameId = $assertion->getNameId();
    /* Begin module attribute processing */
    $spMetadataArray = $spMetadata->toArray();
    $idpMetadataArray = $idpMetadata->toArray();
    $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
    $authProcState = array('core:saml20-sp:NameID' => $nameId, 'core:saml20-sp:SessionIndex' => $assertion->getSessionIndex(), 'core:saml20-sp:TargetURL' => $info['RelayState'], 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $idpMetadataArray);
    $pc->processState($authProcState);
    /* Since this function returns, processing has completed and attributes have
     * been updated.
     */
    finishLogin($authProcState);
} catch (Exception $exception) {
    throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception);
}
コード例 #9
ファイル: login-ldapmulti.php プロジェクト: hukumonline/yii
            throw new Exception('Wrong username or password');
        }
        $attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
        SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' successfully authenticated');
        $session->doLogin('login-ldapmulti');
        $session->setAttributes($attributes);
        $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
        /**
         * Create a statistics log entry for every successfull login attempt.
         * Also log a specific attribute as set in the config: statistics.authlogattr
         */
        $authlogattr = $config->getValue('statistics.authlogattr', null);
        if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
            SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
        } else {
            SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
        }
        $returnto = $_REQUEST['RelayState'];
        SimpleSAML_Utilities::redirect($returnto);
    } catch (Exception $e) {
        $error = $e->getMessage();
    }
}
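// Render the login form. RelayState and org come straight from the request
// and $error is only set after a failed attempt, so all three are read
// guardedly: a bare request renders the form instead of raising
// undefined-index / undefined-variable notices.
// NOTE(review): the template echoes these values; confirm it escapes them.
$t = new SimpleSAML_XHTML_Template($config, 'login-ldapmulti.php', 'login');
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
$t->data['relaystate'] = isset($_REQUEST['RelayState']) ? $_REQUEST['RelayState'] : null;
$t->data['ldapconfig'] = $ldapmulti;
$t->data['org'] = isset($_REQUEST['org']) ? $_REQUEST['org'] : null;
$t->data['error'] = isset($error) ? $error : null;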
if (isset($error)) {
    $t->data['username'] = $_POST['username'];
コード例 #10
ファイル: login-feide.php プロジェクト: hukumonline/yii
        $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
        /**
         * Create a statistics log entry for every successfull login attempt.
         * Also log a specific attribute as set in the config: statistics.authlogattr
         */
        $authlogattr = $config->getValue('statistics.authlogattr', null);
        if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
            SimpleSAML_Logger::stats('AUTH-login-feide OK ' . $attributes[$authlogattr][0]);
        } else {
            SimpleSAML_Logger::stats('AUTH-login-feide OK');
        }
        $returnto = $_REQUEST['RelayState'];
        SimpleSAML_Utilities::redirect($returnto);
    } catch (Exception $e) {
        SimpleSAML_Logger::error('AUTH - ldap-feide: User: '******'na') . ':' . $e->getMessage());
        SimpleSAML_Logger::stats('AUTH-login-feide Failed');
        $error = $e->getMessage();
    }
}
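// Render the login form. RelayState comes straight from the request, so it
// is read guardedly: a bare request renders the form instead of raising an
// undefined-index notice.
// NOTE(review): the template echoes these values; confirm it escapes them.
$t = new SimpleSAML_XHTML_Template($config, 'login-feide.php', 'login');
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
$t->data['relaystate'] = isset($_REQUEST['RelayState']) ? $_REQUEST['RelayState'] : null;
$t->data['ldapconfig'] = $ldaporgconfig;
$t->data['protocol'] = $protocol;
$t->data['authid'] = $authid;
// The SP logo is optional metadata.
$t->data['splogo'] = array_key_exists('logo', $spmetadata) ? $spmetadata['logo'] : NULL;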
if (array_key_exists('description', $spmetadata)) {
コード例 #11
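/* Find the status of all SPs. */
foreach ($SPs as $assocId => &$sp) {
    // Each SP reports its outcome through a request parameter named after the
    // SHA-1 of its association id. Only the two known outcomes are accepted
    // from the client; anything else leaves the recorded state untouched.
    $spId = 'logout-iframe-' . sha1($assocId);
    if (isset($_REQUEST[$spId])) {
        $spStatus = $_REQUEST[$spId];
        if ($spStatus === 'completed' || $spStatus === 'failed') {
            $sp['core:Logout-IFrame:State'] = $spStatus;
        }
    }

    // An SP that is no longer associated with the session has nothing left
    // to log out of.
    if (!isset($associations[$assocId])) {
        $sp['core:Logout-IFrame:State'] = 'completed';
    }
}
// Break the reference left behind by the by-reference loop. Without this the
// next foreach writes each element into the last entry of $SPs through the
// dangling $sp, corrupting that entry.
unset($sp);

/* Terminate the associations. */
foreach ($SPs as $assocId => $sp) {
    if ($sp['core:Logout-IFrame:State'] === 'completed') {
        $idp->terminateAssociation($assocId);
    } else {
        SimpleSAML_Logger::warning('Unable to terminate association with ' . var_export($assocId, TRUE) . '.');
        // Prefer the SAML entity ID for the statistics record, fall back to
        // the association id.
        if (isset($sp['saml:entityID'])) {
            $spId = $sp['saml:entityID'];
        } else {
            $spId = $assocId;
        }
        SimpleSAML_Logger::stats('slo-iframe-fail ' . $spId);
        SimpleSAML_Stats::log('core:idp:logout-iframe:spfail', array('sp' => $spId));
        $state['core:Failed'] = TRUE;
    }
}

/* We are done. */
$idp->finishLogout($state);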
コード例 #12
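 /**
  * Handle login request.
  *
  * This function is used by the login form (core/www/loginuserpass.php) when the user
  * enters a username and password. On success, it will not return. On wrong
  * username/password failure, and other errors, it will throw an exception.
  *
  * A failed attempt is recorded in the statistics log with the client address,
  * a successful one with the username; the password is never logged.
  *
  * @param string $authStateId  The identifier of the authentication state.
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  *
  * @throws Exception  If the authentication source named in the state no longer
  *                    exists, or whatever the source's login() throws (re-thrown).
  */
 public static function handleLogin($authStateId, $username, $password)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_string($authStateId));
     assert(is_string($username));
     assert(is_string($password));

     /* Here we retrieve the state array we saved in the authenticate-function. */
     $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);

     /* Retrieve the authentication source we are executing. */
     assert(array_key_exists(self::AUTHID, $state));
     $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
     if ($source === NULL) {
         throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
     }

     /*
      * $source now contains the authentication source on which authenticate()
      * was called. We should call login() on the same authentication source.
      */

     /* Attempt to log in. */
     try {
         $attributes = $source->login($username, $password);
     } catch (Exception $e) {
         SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
         throw $e;
     }

     SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.');

     /* Save the attributes we received from the login-function in the $state-array. */
     assert(is_array($attributes));
     $state['Attributes'] = $attributes;

     /* Return control to simpleSAMLphp after successful authentication. */
     SimpleSAML_Auth_Source::completeAuth($state);
 }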
コード例 #13
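 /**
  * Handle login request.
  *
  * This function is used by the login form (core/www/loginuserpass.php) when the user
  * enters a username and password. On success, it will not return. On wrong
  * username/password failure, and other errors, it will throw an exception.
  *
  * If the request carries an `OTP` parameter it is appended to the password
  * before the credentials are handed to the source's login_chal_resp()
  * (presumably for PIN+OTP logins — confirm against the source). A failed
  * attempt is recorded in the statistics log with the client address, a
  * successful one with the username; the password and OTP are never logged.
  *
  * @param string $authStateId The identifier of the authentication state.
  * @param string $username The username the user wrote.
  * @param string $password The password the user wrote.
  * @param string $transaction_id The transaction id of the challenge/response login.
  * @param mixed $signaturedata Passed through unchanged to login_chal_resp().
  * @param mixed $clientdata Passed through unchanged to login_chal_resp().
  * @throws Exception If the authentication source named in the state no longer
  *                   exists, or whatever login_chal_resp() throws (re-thrown).
  */
 public static function handleLogin($authStateId, $username, $password, $transaction_id, $signaturedata, $clientdata)
 {
     // Expression asserts: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old checks no longer checked anything.
     assert(is_string($authStateId));
     assert(is_string($username));
     assert(is_string($password));
     assert(is_string($transaction_id));

     SimpleSAML_Logger::debug("calling privacyIDEA handleLogin with authState: " . $authStateId . " for user " . $username);

     if (array_key_exists("OTP", $_REQUEST)) {
         // The OTP arrives as a separate form field; the source receives password.OTP.
         $otp = $_REQUEST["OTP"];
         $password = $password . $otp;
         SimpleSAML_Logger::stats('Found OTP in Auth request. Concatenating passwords.');
     }

     // sanitize the input: the state id may embed a return URL, which is run
     // through checkURLAllowed() before the state is loaded.
     $sid = SimpleSAML_Utilities::parseStateID($authStateId);
     if (!is_null($sid['url'])) {
         SimpleSAML_Utilities::checkURLAllowed($sid['url']);
     }

     /* Here we retrieve the state array we saved in the authenticate-function. */
     $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);

     /* Retrieve the authentication source we are executing. */
     assert(array_key_exists(self::AUTHID, $state));
     $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
     if ($source === NULL) {
         throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
     }

     /*
      * $source now contains the authentication source on which authenticate()
      * was called. We should call login() on the same authentication source.
      */

     /* Attempt to log in. */
     try {
         $attributes = $source->login_chal_resp($username, $password, $transaction_id, $signaturedata, $clientdata);
     } catch (Exception $e) {
         SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
         throw $e;
     }

     SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.');

     /* Save the attributes we received from the login-function in the $state-array. */
     assert(is_array($attributes));
     $state['Attributes'] = $attributes;

     /* Return control to simpleSAMLphp after successful authentication. */
     SimpleSAML_Auth_Source::completeAuth($state);
 }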
コード例 #14
ファイル: login-admin.php プロジェクト: filonuse/fedlab
        $session->setAttributes($attributes);
        $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
        SimpleSAML_Logger::info('AUTH - admin: ' . $username . ' successfully authenticated');
        /**
         * Create a statistics log entry for every successfull login attempt.
         * Also log a specific attribute as set in the config: statistics.authlogattr
         */
        $authlogattr = $config->getValue('statistics.authlogattr', null);
        if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
            SimpleSAML_Logger::stats('AUTH-login-admin OK ' . $attributes[$authlogattr][0]);
        } else {
            SimpleSAML_Logger::stats('AUTH-login-admin OK');
        }
        SimpleSAML_Utilities::redirect($relaystate);
        exit(0);
    } else {
        SimpleSAML_Logger::stats('AUTH-login-admin Failed');
        $error = 'error_wrongpassword';
        SimpleSAML_Logger::info($error);
    }
}
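// Render the admin login form. $error is only assigned on a failed attempt,
// so it is read guardedly in case nothing earlier in the script initialised it.
$t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login');
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
$t->data['relaystate'] = $relaystate;
$t->data['admin'] = TRUE;
$t->data['autofocus'] = 'password';
$t->data['error'] = isset($error) ? $error : null;
if (isset($error)) {
    // Only pre-fill the username after a failed attempt.
    $t->data['username'] = $username;
}
$t->show();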
コード例 #15
        $spEntityId = $logoutrequest->getIssuer();
        if ($spEntityId === NULL) {
            throw new Exception('Missing issuer in logout request.');
        }
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
        sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutrequest);
    } catch (Exception $exception) {
        SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception);
    }
    // Extract some parameters from the logout request
    #$requestid = $logoutrequest->getRequestID();
    $requester = $logoutrequest->getIssuer();
    #$relayState = $logoutrequest->getRelayState();
    $responder = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer());
    SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $requester . ' ' . $responder);
    $session->doLogout();
    /* Fill in the $logoutInfo associative array with information about this logout request. */
    $logoutInfo['Issuer'] = $logoutrequest->getIssuer();
    $logoutInfo['RequestID'] = $logoutrequest->getId();
    $relayState = $logoutrequest->getRelayState();
    if ($relayState !== NULL) {
        $logoutInfo['RelayState'] = $relayState;
    }
    SimpleSAML_Logger::debug('SAML2.0 - IDP.SingleLogoutService: Setting cached request with issuer ' . $logoutrequest->getIssuer());
    $session->set_sp_logout_completed($logoutrequest->getIssuer());
    /*
     * We receive a Logout Response to a Logout Request that we have issued earlier.
     * If so, there is a misconfiguration.
     */
} elseif (isset($_REQUEST['SAMLResponse'])) {
コード例 #16
ファイル: SAML2.php プロジェクト: rediris-es/simplesamlphp
 /**
  * Receive a logout message.
  *
  * Reads the message from the current binding, validates it against the
  * issuing SP's metadata and dispatches on its type: a LogoutRequest is
  * recorded in the statistics log and handed to $idp->handleLogoutRequest()
  * with a state naming sendLogoutResponse as responder; a LogoutResponse is
  * handed to $idp->handleLogoutResponse() with its RelayState and, for an
  * unsuccessful status, the response error. Anything else is rejected.
  *
  * @param SimpleSAML_IdP $idp  The IdP we are receiving it for.
  *
  * @throws SimpleSAML_Error_BadRequest If the message carries no issuer, or is
  *                                     neither a LogoutRequest nor a LogoutResponse.
  */
 public static function receiveLogoutMessage(SimpleSAML_IdP $idp)
 {
     $binding = SAML2_Binding::getCurrentBinding();
     $message = $binding->receive();

     $spEntityId = $message->getIssuer();
     if ($spEntityId === NULL) {
         /* Without an issuer we have no way to respond to the message. */
         throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
     }

     // The issuer is only a claim until validateMessage() has checked the
     // message against the SP's metadata (presumably its signature — see
     // sspmod_saml_Message); nothing below acts on it before that call.
     $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
     $idpMetadata = $idp->getConfig();
     $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
     sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $message);

     $assocId = 'saml:' . $spEntityId;

     if ($message instanceof SAML2_LogoutRequest) {
         SimpleSAML_Logger::info('Received SAML 2.0 LogoutRequest from: ' . var_export($spEntityId, TRUE));
         SimpleSAML_Stats::log('saml:idp:LogoutRequest:recv', array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid')));

         // The stats line prefers the SP's core:statistics-id over its entity ID.
         $spStatsId = $spMetadata->getString('core:statistics-id', $spEntityId);
         SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $spStatsId . ' ' . $idpMetadata->getString('entityid'));

         $state = array(
             'Responder' => array('sspmod_saml_IdP_SAML2', 'sendLogoutResponse'),
             'saml:SPEntityId' => $spEntityId,
             'saml:RelayState' => $message->getRelayState(),
             'saml:RequestId' => $message->getId(),
         );
         $idp->handleLogoutRequest($state, $assocId);
         return;
     }

     if (!($message instanceof SAML2_LogoutResponse)) {
         throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
     }

     SimpleSAML_Logger::info('Received SAML 2.0 LogoutResponse from: ' . var_export($spEntityId, TRUE));

     $statsData = array('spEntityID' => $spEntityId, 'idpEntityID' => $idpMetadata->getString('entityid'));
     if (!$message->isSuccess()) {
         $statsData['error'] = $message->getStatus();
     }
     SimpleSAML_Stats::log('saml:idp:LogoutResponse:recv', $statsData);

     $relayState = $message->getRelayState();

     $logoutError = NULL;
     if (!$message->isSuccess()) {
         $logoutError = sspmod_saml_Message::getResponseError($message);
         SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . $logoutError);
     }

     $idp->handleLogoutResponse($assocId, $relayState, $logoutError);
 }
コード例 #17
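 /**
  * Initialize processing.
  *
  * Writes a single `TwoFactorAttrFilter start` marker to the statistics
  * log; the state itself is left untouched.
  *
  * @param array &$state  The state we should update.
  */
 public function process(&$state)
 {
     // Expression assert: the string form is deprecated since PHP 7.2 and a
     // silent no-op on PHP 8, so the old check no longer checked anything.
     assert(is_array($state));
     SimpleSAML_Logger::stats("TwoFactorAttrFilter start");
 }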
コード例 #18
ファイル: saml2-logout.php プロジェクト: hpgihan/cronus
//	throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.');
//}
if ($message instanceof SAML2_LogoutResponse) {
    $relayState = $message->getRelayState();
    if ($relayState === NULL) {
        /* Somehow, our RelayState has been lost. */
        throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.');
    }
    if (!$message->isSuccess()) {
        SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message));
    }
    $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent');
    SimpleSAML_Auth_Source::completeLogout($state);
} elseif ($message instanceof SAML2_LogoutRequest) {
    SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId);
    SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId);
    if ($message->isNameIdEncrypted()) {
        try {
            $keys = sspmod_saml_Message::getDecryptionKeys($srcMetadata, $dstMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
        }
        $lastException = NULL;
        foreach ($keys as $i => $key) {
            try {
                $message->decryptNameId($key);
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.');
            } catch (Exception $e) {
                SimpleSAML_Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
                $lastException = $e;
            }
コード例 #19
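 /**
  * Attempt to log in using the given username and password.
  *
  * The username is turned into a Kerberos principal (scope stripped, realm
  * appended) and verified via initPassword(). On success the returned
  * attribute set contains only 'uid'; with stripRealm enabled the uid is the
  * authenticated principal with its scope stripped again.
  *
  * Both the success and the failure path write a stats line. The username in
  * that line is untrusted user input, so ASCII control characters (including
  * CR/LF) are removed before logging to keep a crafted value from forging
  * additional log lines. REMOTE_ADDR is read defensively because it is not
  * set when the script runs from the CLI.
  *
  * @param string $username  The username the user wrote.
  * @param string $password  The password the user wrote.
  * @return array  Associative array with the users attributes.
  * @throws SimpleSAML_Error_Error  'WRONGUSERPASS' on any Kerberos failure; the
  *         underlying cause is logged at debug level only, never shown to the user.
  */
 protected function login($username, $password)
 {
     assert('is_string($username)');
     assert('is_string($password)');
     $principal = $this->stripScope($username) . $this->realm;
     /* Avoid an undefined-index notice outside of a web request. */
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
     /* Strip control characters from the user-supplied name before it reaches the log. */
     $logName = preg_replace('/[\x00-\x1F\x7F]/', '', $username);
     try {
         $this->krb5->initPassword($principal, $password);
         $authenticated = $this->krb5->getPrincipal();
         $uid = $this->stripRealm ? $this->stripScope($authenticated) : $authenticated;
         SimpleSAML_Logger::stats('User \'' . $logName . '\' successfully authenticated from ' . $remoteAddr . '.');
         return array('uid' => array($uid));
     } catch (Exception $error) {
         SimpleSAML_Logger::stats('User \'' . $logName . '\' failed authentication from ' . $remoteAddr . '.');
         /* Keep the cause for operators (e.g. KDC unreachable vs. bad credentials) without exposing it to the user. */
         SimpleSAML_Logger::debug('Kerberos authentication failed for \'' . $logName . '\': ' . get_class($error) . ': ' . $error->getMessage());
         throw new SimpleSAML_Error_Error('WRONGUSERPASS');
     }
 }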
コード例 #20
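<?php

/*
 * Entry point for the logout-iframe pages. Everything read from $_REQUEST is
 * untrusted: 'id' is only passed through to loadState() (presumably validated
 * there against the 'core:Logout-IFrame' stage — confirm), and 'type' is
 * checked against a fixed whitelist before it is used in log output.
 */
if (!isset($_REQUEST['id'])) {
    throw new SimpleSAML_Error_BadRequest('Missing required parameter: id');
}
if (isset($_REQUEST['type'])) {
    $type = (string) $_REQUEST['type'];
    if (!in_array($type, array('init', 'js', 'nojs', 'embed'), TRUE)) {
        throw new SimpleSAML_Error_BadRequest('Invalid value for type.');
    }
} else {
    $type = 'init';
}
/*
 * 'embed' pages are not counted; every other whitelisted type gets a stats
 * entry. (An extra "!== 'async'" test used to sit here, but 'async' is not in
 * the whitelist above, so that comparison could never be false.)
 */
if ($type !== 'embed') {
    SimpleSAML_Logger::stats('slo-iframe ' . $type);
    SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type));
}
$state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame');
$idp = SimpleSAML_IdP::getByState($state);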
if ($type !== 'init') {
    /* Update association state. */
    $associations = $idp->getAssociations();
    foreach ($state['core:Logout-IFrame:Associations'] as $assocId => &$sp) {
        $spId = sha1($assocId);
        /* Move SPs from 'onhold' to 'inprogress'. */
        if ($sp['core:Logout-IFrame:State'] === 'onhold') {
            $sp['core:Logout-IFrame:State'] = 'inprogress';
        }
        /* Check for update through request. */
        if (isset($_REQUEST[$spId])) {
            $s = $_REQUEST[$spId];
コード例 #21
/*
 * Load the consent request state and resolve the SP entity id. It is taken
 * from 'core:SP' when present, otherwise from the nested 'saml:sp:State'
 * entry, and defaults to 'UNKNOWN' when neither key exists.
 */
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request');
if (array_key_exists('core:SP', $state)) {
    $spentityid = $state['core:SP'];
} elseif (array_key_exists('saml:sp:State', $state)) {
    $spentityid = $state['saml:sp:State']['core:SP'];
} else {
    $spentityid = 'UNKNOWN';
}
// The user has pressed the yes-button
if (array_key_exists('yes', $_REQUEST)) {
    if (array_key_exists('saveconsent', $_REQUEST)) {
        SimpleSAML_Logger::stats('consentResponse remember');
    } else {
        SimpleSAML_Logger::stats('consentResponse rememberNot');
    }
    $statsInfo = array('remember' => array_key_exists('saveconsent', $_REQUEST));
    if (isset($state['Destination']['entityid'])) {
        $statsInfo['spEntityID'] = $state['Destination']['entityid'];
    }
    SimpleSAML_Stats::log('consent:accept', $statsInfo);
    if (array_key_exists('consent:store', $state) && array_key_exists('saveconsent', $_REQUEST) && $_REQUEST['saveconsent'] === '1') {
        /* Save consent. */
        $store = $state['consent:store'];
        $userId = $state['consent:store.userId'];
        $targetedId = $state['consent:store.destination'];
        $attributeSet = $state['consent:store.attributeSet'];
        SimpleSAML_Logger::debug('Consent - saveConsent() : [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']');
        try {
            $store->saveConsent($userId, $targetedId, $attributeSet);