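/**
 * Authenticates a SAML token against the RA identity registry.
 *
 * The token's assertion is translated, the NameID and the
 * schacHomeOrganization attribute are used to look up a registered Identity,
 * and that Identity must hold (S)RA(A) credentials. Every failure along the
 * way fails closed with a BadCredentialsException.
 *
 * @param SamlToken|TokenInterface $token token carrying the SAML assertion;
 *                                        its `assertion` property and getLoa()
 *                                        are read, so a non-SamlToken is not
 *                                        supported here
 * @return SamlToken authenticated token with the Identity set as user and the
 *                   roles derived from its RA credentials
 * @throws BadCredentialsException when the assertion lacks the lookup
 *                                 attributes, no Identity matches, or the
 *                                 Identity has no RA credentials
 */
public function authenticate(TokenInterface $token)
{
    $translatedAssertion = $this->attributeDictionary->translate($token->assertion);

    $nameId      = $translatedAssertion->getNameID();
    $institution = $translatedAssertion->getAttribute('schacHomeOrganization');

    // Fail closed: never query the identity store with an empty NameID or
    // institution. A missing attribute must not turn into a lookup that could
    // match an arbitrary record. (empty() is deliberate: null, '' and [] are
    // all "absent" here; neither value is legitimately 0 or '0'.)
    if (empty($nameId) || empty($institution)) {
        throw new BadCredentialsException(
            'The assertion does not contain a NameID and a schacHomeOrganization attribute'
        );
    }

    $identity = $this->identityService->findByNameIdAndInstitution($nameId, $institution);

    // if no identity can be found, we're done.
    if ($identity === null) {
        throw new BadCredentialsException(
            'Unable to find Identity matching the criteria. Has the identity been registered before?'
        );
    }

    $raCredentials = $this->identityService->getRaCredentials($identity);

    // if no credentials can be found, we're done. Truthiness check kept on
    // purpose: the service may signal "none" with null or false.
    if (!$raCredentials) {
        throw new BadCredentialsException(
            'The Identity is not registered as (S)RA(A) and therefor does not have access to this application'
        );
    }

    // Determine the roles from the credentials. ROLE_SRAA is additive; the
    // list always contains exactly one of ROLE_RAA / ROLE_RA as well, so an
    // SRAA without the RAA flag still holds ROLE_RA.
    $roles = [];
    if ($raCredentials->isSraa) {
        $roles[] = 'ROLE_SRAA';
    }
    if ($raCredentials->isRaa) {
        $roles[] = 'ROLE_RAA';
    } else {
        $roles[] = 'ROLE_RA';
    }

    // Build the authenticated token. The LoA is carried over unchanged from
    // the incoming token; NOTE(review): this assumes the LoA was already
    // validated when that token was created — confirm in the token factory.
    $authenticatedToken = new SamlToken($token->getLoa(), $roles);
    $authenticatedToken->setUser($identity);

    return $authenticatedToken;
}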