/** * Initialize the filter. * * @param array $config Configuration information about this filter. * @param mixed $reserved For future use */ public function __construct($config, $reserved) { parent::__construct($config, $reserved); assert('is_array($config)'); if (array_key_exists('enforce_2fa', $config)) { $this->enforce_2fa = $config['enforce_2fa']; if (!is_bool($this->enforce_2fa)) { throw new Exception('Invalid attribute name given to simpletotp::2fa filter: enforce_2fa must be a boolean.'); } } if (array_key_exists('secret_attr', $config)) { $this->secret_attr = $config['secret_attr']; if (!is_string($this->secret_attr)) { throw new Exception('Invalid attribute name given to simpletotp::2fa filter: secret_attr must be a string'); } } if (array_key_exists('not_configured_url', $config)) { $this->not_configured_url = $config['not_configured_url']; if (!is_string($config['not_configured_url'])) { throw new Exception('Invalid attribute value given to simpletotp::2fa filter: not_configured_url must be a string'); } //validate URL to ensure it's we will be able to redirect to $this->not_configured_url = SimpleSAML_Utilities::checkURLAllowed($config['not_configured_url']); } }
public static function handleLogin($authStateId, $xmlToken) { assert('is_string($authStateId)'); $config = SimpleSAML_Configuration::getInstance(); $autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php'); $idp_key = $autoconfig->getValue('idp_key'); $idp_pass = $autoconfig->getValue('idp_key_pass', NULL); $sts_crt = $autoconfig->getValue('sts_crt'); $Infocard = $autoconfig->getValue('InfoCard'); $infocard = new sspmod_InfoCard_RP_InfoCard(); $infocard->addIDPKey($idp_key, $idp_pass); $infocard->addSTSCertificate($sts_crt); if (!$xmlToken) { SimpleSAML_Logger::debug("XMLtoken: " . $xmlToken); } else { SimpleSAML_Logger::debug("NOXMLtoken: " . $xmlToken); } $claims = $infocard->process($xmlToken); if ($claims->isValid()) { $attributes = array(); foreach ($Infocard['requiredClaims'] as $claim => $data) { $attributes[$claim] = array($claims->{$claim}); } foreach ($Infocard['optionalClaims'] as $claim => $data) { $attributes[$claim] = array($claims->{$claim}); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } $state['Attributes'] = $attributes; unset($infocard); unset($claims); SimpleSAML_Auth_Source::completeAuth($state); } else { unset($infocard); unset($claims); return 'wrong_IC'; } }
/** * Check the credentials that the user got from the A-Select server. * This function is called after the user returns from the A-Select server. * * @author Wessel Dankers, Tilburg University */ function check_credentials() { if (!array_key_exists('ssp_state', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing ssp_state parameter")); } $id = $_REQUEST['ssp_state']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($id); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($id, 'aselect:login'); if (!array_key_exists('a-select-server', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter")); } $server_id = $_REQUEST['a-select-server']; if (!array_key_exists('aselect_credentials', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing aselect_credentials parameter")); } $credentials = $_REQUEST['aselect_credentials']; if (!array_key_exists('rid', $_REQUEST)) { SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing rid parameter")); } $rid = $_REQUEST['rid']; try { if (!array_key_exists('aselect::authid', $state)) { throw new SimpleSAML_Error_Exception("ASelect authentication source missing in state"); } $authid = $state['aselect::authid']; $aselect = SimpleSAML_Auth_Source::getById($authid); if (is_null($aselect)) { throw new SimpleSAML_Error_Exception("Could not find authentication source with id {$authid}"); } $creds = $aselect->verify_credentials($server_id, $credentials, $rid); if (array_key_exists('attributes', $creds)) { $state['Attributes'] = $creds['attributes']; } else { $res = $creds['res']; $state['Attributes'] = array('uid' => array($res['uid']), 'organization' => array($res['organization'])); } } catch (Exception $e) { SimpleSAML_Auth_State::throwException($state, $e); } SimpleSAML_Auth_Source::completeAuth($state); SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Internal error in A-Select component")); }
/** * Continue the logout operation. * * This function will never return. * * @param string $assocId The association that is terminated. * @param string|NULL $relayState The RelayState from the start of the logout. * @param SimpleSAML_Error_Exception|NULL $error The error that occurred during session termination (if any). */ public function onResponse($assocId, $relayState, SimpleSAML_Error_Exception $error = NULL) { assert('is_string($assocId)'); assert('is_string($relayState) || is_null($relayState)'); if ($relayState === NULL) { throw new SimpleSAML_Error_Exception('RelayState lost during logout.'); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($relayState); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional'); if ($error === NULL) { SimpleSAML_Logger::info('Logged out of ' . var_export($assocId, TRUE) . '.'); $this->idp->terminateAssociation($assocId); } else { SimpleSAML_Logger::warning('Error received from ' . var_export($assocId, TRUE) . ' during logout:'); $error->logWarning(); $state['core:Failed'] = TRUE; } self::logoutNextSP($state); }
<?php /* * This endpoint is provided for backwards compatibility, * and should not be used. * * Use SingleLogoutService.php?ReturnTo=... instead. */ require_once '../../_include.php'; $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId); if (!isset($_REQUEST['RelayState'])) { throw new SimpleSAML_Error_BadRequest('Missing required RelayState parameter.'); } $idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed((string) $_REQUEST['RelayState'])); assert('FALSE');
/** * Log out from this authentication source. * * This function should be overridden if the authentication source requires special * steps to complete a logout operation. * * If the logout process requires a redirect, the state should be saved. Once the * logout operation is completed, the state should be restored, and completeLogout * should be called with the state. If this operation can be completed without * showing the user a page, or redirecting, this function should return. * * @param array &$state Information about the current logout operation. */ public function logout(&$state) { assert('is_array($state)'); // check first if we have a valid session if ($this->_poa->isAuthenticated()) { /* We are will need the authId in order to retrieve this authentication source later. */ $state[self::AUTHID] = $this->authId; $this->_stateId = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); // TODO: pending on phpPoA adding PAPI_SLO_REDIRECT_URL_FINISH hook $this->_poa->addHook("PAPI_SLO_REDIRECT_URL_FINISH", new Hook(array($this, "modifyParams"))); // perform single logout, this won't return $this->_poa->logout(true); } else { if (isset($_REQUEST['SSPStateID'])) { $this->_stateId = (string) $_REQUEST['SSPStateID']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($this->_stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT); } else { return; } } self::completeLogout($state); }
} if (array_key_exists('IDPList', $spmetadata)) { $IDPList = array_unique(array_merge($IDPList, $spmetadata['IDPList'])); } if (isset($_GET['IDPList']) && !empty($_GET['IDPList'])) { $providers = $_GET['IDPList']; if (!is_array($providers)) { $providers = array($providers); } $IDPList = array_merge($IDPList, $providers); } $ar->setIDPList($IDPList); /* Save request information. */ $info = array(); $info['RelayState'] = $returnTo; if (array_key_exists('OnError', $_REQUEST)) { $info['OnError'] = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['OnError']); } $session->setData('SAML2:SP:SSO:Info', $ar->getId(), $info); /* Select appropriate SSO endpoint */ if ($ar->getProtocolBinding() === SAML2_Const::BINDING_HOK_SSO) { $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HOK_SSO)); } else { $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST)); } $ar->setDestination($dst['Location']); $b = SAML2_Binding::getBinding($dst['Binding']); $b->send($ar); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception); }
/** * Resume authentication process. * * This function resumes the authentication process after the user has * entered his or her credentials. * * @param array &$state The authentication state. */ public static function resume() { /* * First we need to restore the $state-array. We should have the identifier for * it in the 'State' request parameter. */ if (!isset($_REQUEST['State'])) { throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.'); } $stateId = (string) $_REQUEST['State']; // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* * Once again, note the second parameter to the loadState function. This must * match the string we used in the saveState-call above. */ $state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External'); /* * Now we have the $state-array, and can use it to locate the authentication * source. */ $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']); if ($source === NULL) { /* * The only way this should fail is if we remove or rename the authentication source * while the user is at the login page. */ throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } /* * Make sure that we haven't switched the source type while the * user was at the authentication page. This can only happen if we * change config/authsources.php while an user is logging in. */ if (!$source instanceof self) { throw new SimpleSAML_Error_Exception('Authentication source type changed.'); } /* * OK, now we know that our current state is sane. Time to actually log the user in. * * First we check that the user is acutally logged in, and didn't simply skip the login page. */ $attributes = $source->getUser(); if ($attributes === NULL) { /* * The user isn't authenticated. * * Here we simply throw an exception, but we could also redirect the user back to the * login page. */ throw new SimpleSAML_Error_Exception('User not authenticated after login page.'); } /* * So, we have a valid user. Time to resume the authentication process where we * paused it in the authenticate()-function above. */ $state['Attributes'] = $attributes; SimpleSAML_Auth_Source::completeAuth($state); /* * The completeAuth-function never returns, so we never get this far. */ assert('FALSE'); }
/** * Handle login request. * * This function is used by the login form (core/www/loginuserpass.php) when the user * enters a username and password. On success, it will not return. On wrong * username/password failure, it will return the error code. Other failures will throw an * exception. * * @param string $authStateId The identifier of the authentication state. * @param string $otp The one time password entered- * @return string Error code in the case of an error. */ public static function handleLogin($authStateId, $otp) { assert('is_string($authStateId)'); assert('is_string($otp)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } try { /* Attempt to log in. */ $attributes = $source->login($otp); } catch (SimpleSAML_Error_Error $e) { /* An error occurred during login. Check if it is because of the wrong * username/password - if it is, we pass that error up to the login form, * if not, we let the generic error handler deal with it. */ if ($e->getErrorCode() === 'WRONGUSERPASS') { return 'WRONGUSERPASS'; } /* Some other error occurred. Rethrow exception and let the generic error * handler deal with it. */ throw $e; } $state['Attributes'] = $attributes; SimpleSAML_Auth_Source::completeAuth($state); }
/** * Handle login request. * * This function is used by the login form (core/www/loginuserpass.php) when the user * enters a username and password. On success, it will not return. On wrong * username/password failure, and other errors, it will throw an exception. * * @param string $authStateId The identifier of the authentication state. * @param string $username The username the user wrote. * @param string $password The password the user wrote. */ public static function handleLogin($authStateId, $username, $password) { assert('is_string($authStateId)'); assert('is_string($username)'); assert('is_string($password)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Here we retrieve the state array we saved in the authenticate-function. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Retrieve the authentication source we are executing. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } /* * $source now contains the authentication source on which authenticate() * was called. We should call login() on the same authentication source. */ /* Attempt to log in. */ try { $attributes = $source->login($username, $password); } catch (Exception $e) { SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.'); throw $e; } SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.'); /* Save the attributes we received from the login-function in the $state-array. */ assert('is_array($attributes)'); $state['Attributes'] = $attributes; /* Return control to simpleSAMLphp after successful authentication. */ SimpleSAML_Auth_Source::completeAuth($state); }
require_once $ldapconfigfile; if (!array_key_exists($idpentityid, $casldapconfig)) { throw new Exception('No LDAP authentication configuration for this SAML 2.0 entity ID [' . $idpentityid . ']'); } $ldapconfig = $casldapconfig[$idpentityid]['ldap']; } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception); } /* * Load the RelayState argument. The RelayState argument contains the address * we should redirect the user to after a successful authentication. */ if (!array_key_exists('RelayState', $_REQUEST)) { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } $relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']); if ($username = $_POST['username']) { try { $ldap = new SimpleSAML_Auth_LDAP($ldapconfig['servers'], $ldapconfig['enable_tls']); $attributes = $ldap->validate($ldapconfig, $username, $_POST['password']); if ($attributes === FALSE) { $error = "LDAP_INVALID_CREDENTIALS"; } else { $session->doLogin('login-wayf-ldap'); $session->setAttributes($attributes); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); SimpleSAML_Utilities::redirectTrustedURL($relaystate); } } catch (Exception $e) { throw new SimpleSAML_Error_Error('LDAPERROR', $e); }
/** * Get available organizations. * * This function is used by the login form to get the available organizations. * * @param string $authStateId The identifier of the authentication state. * @return array|NULL Array of organizations. NULL if the user must enter the * organization as part of the username. */ public static function listOrganizations($authStateId) { assert('is_string($authStateId)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($authStateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } /* Retrieve the authentication state. */ $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID); /* Find authentication source. */ assert('array_key_exists(self::AUTHID, $state)'); $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]); } $orgMethod = $source->getUsernameOrgMethod(); if ($orgMethod === 'force') { return NULL; } return $source->getOrganizations(); }
assert('array_key_exists("saml:sp:AuthId", $state)'); if ($state['saml:sp:AuthId'] !== $sourceId) { throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.'); } /* Check that the issuer is the one we are expecting. */ assert('array_key_exists("ExpectedIssuer", $state)'); if ($state['ExpectedIssuer'] !== $idp) { $idpMetadata = $source->getIdPMetadata($idp); $idplist = $idpMetadata->getArrayize('IDPList', array()); if (!in_array($state['ExpectedIssuer'], $idplist)) { throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.'); } } } else { /* This is an unsolicited response. */ $state = array('saml:sp:isUnsolicited' => TRUE, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($response->getRelayState())); } SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.'); if (empty($idpMetadata)) { $idpMetadata = $source->getIdPmetadata($idp); } try { $assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response); } catch (sspmod_saml_Error $e) { /* The status of the response wasn't "success". */ $e = $e->toException(); SimpleSAML_Auth_State::throwException($state, $e); } $authenticatingAuthority = NULL; $nameId = NULL; $sessionIndex = NULL;
$response = $b->receive(); if (!$response instanceof SAML2_Response) { throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.'); } $idp = $response->getIssuer(); if ($idp === NULL) { throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.'); } $idpMetadata = $metadataHandler->getMetaDataConfig($idp, 'saml20-idp-remote'); /* Fetch the request information if it exists, fall back to RelayState if not. */ $requestId = $response->getInResponseTo(); $info = $session->getData('SAML2:SP:SSO:Info', $requestId); if ($info === NULL) { /* Fall back to RelayState. */ $info = array(); $info['RelayState'] = SimpleSAML_Utilities::checkURLAllowed($response->getRelayState()); if (empty($info['RelayState'])) { $info['RelayState'] = $spMetadata->getString('RelayState', NULL); } if (empty($info['RelayState'])) { /* RelayState missing. */ throw new SimpleSAML_Error_Error('NORELAYSTATE'); } } try { $assertion = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response); if (count($assertion) > 1) { throw new SimpleSAML_Error_Exception('More than one assertion in received response.'); } $assertion = $assertion[0]; } catch (sspmod_saml_Error $e) {
<?php require_once '_include.php'; /** * This page clears the user's IdP discovery choices. */ /* The base path for cookies. This should be the installation directory for simpleSAMLphp. */ $config = SimpleSAML_Configuration::getInstance(); $cookiePath = '/' . $config->getBaseUrl(); /* We delete all cookies which starts with 'idpdisco_' */ foreach ($_COOKIE as $cookieName => $value) { if (substr($cookieName, 0, 9) !== 'idpdisco_') { /* Not a idpdisco cookie. */ continue; } /* Delete the cookie. We delete it once without the secure flag and once with the secure flag. This * ensures that the cookie will be deleted in any case. */ SimpleSAML_Utilities::setCookie($cookieName, NULL, array('path' => $cookiePath, 'httponly' => FALSE), FALSE); } /* Find where we should go now. */ if (array_key_exists('ReturnTo', $_REQUEST)) { $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']); } else { /* Return to the front page if no other destination is given. This is the same as the base cookie path. */ $returnTo = $cookiePath; } /* Redirect to destination. */ SimpleSAML_Utilities::redirectTrustedURL($returnTo);
public static function receiveLogoutMessage(SimpleSAML_IdP $idp) { // if a redirect is to occur based on wreply, we will redirect to url as // this implies an override to normal sp notification. if (isset($_GET['wreply']) && !empty($_GET['wreply'])) { $idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed($_GET['wreply'])); assert(FALSE); } $state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse')); //$spEntityId = NULL; //$assocId = 'adfs:' . $spEntityId; $assocId = NULL; // TODO: verify that this is really no problem for: // a) SSP, because there's no caller SP... // b) ADFS SP because caller will be called back... $idp->handleLogoutRequest($state, $assocId); }
<?php /** * Endpoint for logging out in with an authentication source. * * @package simpleSAMLphp * @version $Id$ */ if (!isset($_REQUEST['ReturnTo']) || !is_string($_REQUEST['ReturnTo'])) { throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.'); } if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) { throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.'); } $as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']); $as->logout(SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']));
/** * Initializes this discovery service. * * The constructor does the parsing of the request. If this is an invalid request, it will * throw an exception. * * @param array $metadataSets Array with metadata sets we find remote entities in. * @param string $instance The name of this instance of the discovery service. */ public function __construct(array $metadataSets, $instance) { assert('is_string($instance)'); /* Initialize standard classes. */ $this->config = SimpleSAML_Configuration::getInstance(); $this->metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $this->session = SimpleSAML_Session::getSessionFromRequest(); $this->instance = $instance; $this->metadataSets = $metadataSets; $this->log('Accessing discovery service.'); /* Standard discovery service parameters. */ if (!array_key_exists('entityID', $_GET)) { throw new Exception('Missing parameter: entityID'); } else { $this->spEntityId = $_GET['entityID']; } if (!array_key_exists('returnIDParam', $_GET)) { $this->returnIdParam = 'entityID'; } else { $this->returnIdParam = $_GET['returnIDParam']; } $this->log('returnIdParam initially set to [' . $this->returnIdParam . ']'); if (!array_key_exists('return', $_GET)) { throw new Exception('Missing parameter: return'); } else { $this->returnURL = SimpleSAML_Utilities::checkURLAllowed($_GET['return']); } $this->isPassive = FALSE; if (array_key_exists('isPassive', $_GET)) { if ($_GET['isPassive'] === 'true') { $this->isPassive = TRUE; } } $this->log('isPassive initially set to [' . ($this->isPassive ? 'TRUE' : 'FALSE') . ']'); if (array_key_exists('IdPentityID', $_GET)) { $this->setIdPentityID = $_GET['IdPentityID']; } else { $this->setIdPentityID = NULL; } if (array_key_exists('IDPList', $_REQUEST)) { $this->scopedIDPList = $_REQUEST['IDPList']; } }
<?php /** * Endpoint for logging in with an authentication source. * * @package simpleSAMLphp */ if (!is_string($_REQUEST['ReturnTo'])) { throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.'); } if (!is_string($_REQUEST['AuthId'])) { throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.'); } /* * Setting up the options for the requireAuth() call later.. */ $options = array('ReturnTo' => SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo'])); /* * Allows a saml:idp query string parameter specify the IdP entity ID to be used * as used by the DiscoJuice embedded client. */ if (!empty($_REQUEST['saml:idp'])) { $options['saml:idp'] = $_REQUEST['saml:idp']; } $as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']); $as->requireAuth($options); SimpleSAML_Utilities::redirectTrustedURL($options['ReturnTo']);
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); finishLogin($authProcState); } if (empty($_POST['SAMLResponse'])) { throw new SimpleSAML_Error_Error('ACSPARAMS', $exception); } try { $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $authnResponse = $binding->decodeResponse($_POST); $authnResponse->validate(); /* Successfully authenticated. */ $idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote'); SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']); SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA'); $relayState = $authnResponse->getRelayState(); if (!isset($relayState)) { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } $spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted'); /* Begin module attribute processing */ $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp'); $authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata); $pc->processState($authProcState); /* Since this function returns, processing has completed and attributes have * been updated. */ finishLogin($authProcState); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception); }
/** * Retrieve state by ID. * * @param string $stateId The state ID. * @return array The state array. */ public function loadState($stateId) { assert('is_string($stateId)'); // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState'); }
<?php /** * Handle linkback() response from CAS. */ if (!isset($_GET['stateID'])) { throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.'); } $stateId = (string) $_GET['stateID']; if (!isset($_GET['ticket'])) { throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.'); } // sanitize the input $sid = SimpleSAML_Utilities::parseStateID($stateId); if (!is_null($sid['url'])) { SimpleSAML_Utilities::checkURLAllowed($sid['url']); } $state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT); $state['cas:ticket'] = (string) $_GET['ticket']; /* Find authentication source. */ assert('array_key_exists(sspmod_cas_Auth_Source_CAS::AUTHID, $state)'); $sourceId = $state[sspmod_cas_Auth_Source_CAS::AUTHID]; $source = SimpleSAML_Auth_Source::getById($sourceId); if ($source === NULL) { throw new Exception('Could not find authentication source with id ' . $sourceId); } $source->finalStep($state);
* Falling back to builtin discovery service. */ if (array_key_exists('idpdisco.url', $spmetadata)) { $discservice = $spmetadata['idpdisco.url']; } elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) { $discservice = $config->getString('idpdisco.url.shib13'); } else { $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php'; } SimpleSAML_Utilities::redirectTrustedURL($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid')); } try { $ar = new SimpleSAML_XML_Shib13_AuthnRequest(); $ar->setIssuer($spentityid); if (isset($_GET['RelayState'])) { $ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState'])); } SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')'); $url = $ar->createRedirect($idpentityid); SimpleSAML_Utilities::redirectTrustedURL($url); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception); } } else { $relaystate = $_GET['RelayState']; if (isset($relaystate) && !empty($relaystate)) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState'); SimpleSAML_Utilities::redirectUntrustedURL($relaystate); } else { throw new SimpleSAML_Error_Error('NORELAYSTATE'); }