/** * Process an authentication response. * * This function saves the state, and if necessary redirects the user to the page where the user * is informed about the expiry date of his/her certificate. * * @param array $state The state of the response. */ public function process(&$state) { assert('is_array($state)'); if (isset($state['isPassive']) && $state['isPassive'] === TRUE) { // We have a passive request. Skip the warning return; } if (!isset($_SERVER['SSL_CLIENT_CERT']) || $_SERVER['SSL_CLIENT_CERT'] == '') { return; } $client_cert = $_SERVER['SSL_CLIENT_CERT']; $client_cert_data = openssl_x509_parse($client_cert); if ($client_cert_data == FALSE) { SimpleSAML\Logger::error('authX509: invalid cert'); return; } $validTo = $client_cert_data['validTo_time_t']; $now = time(); $daysleft = (int) (($validTo - $now) / (24 * 60 * 60)); if ($daysleft > $this->warndaysbefore) { // We have a certificate that will be valid for some time. Skip the warning return; } SimpleSAML\Logger::warning('authX509: user certificate expires in ' . $daysleft . ' days'); $state['daysleft'] = $daysleft; $state['renewurl'] = $this->renewurl; /* Save state and redirect. */ $id = SimpleSAML_Auth_State::saveState($state, 'warning:expire'); $url = SimpleSAML\Module::getModuleURL('authX509/expirywarning.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); }
/** * When the process logic determines that the user is not * authorized for this service, then forward the user to * an 403 unauthorized page. * * Separated this code into its own method so that child * classes can override it and change the action. Forward * thinking in case a "chained" ACL is needed, more complex * permission logic. * * @param array $request */ protected function unauthorized(&$request) { SimpleSAML\Logger::error('ExpectedAuthnContextClassRef: Invalid authentication context: ' . $this->AuthnContextClassRef . '. Accepted values are: ' . var_export($this->accepted, true)); $id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized'); $url = SimpleSAML\Module::getModuleURL('saml/sp/wrong_authncontextclassref.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); }
/** * Hook to add the modinfo module to the frontpage. * * @param array &$links The links on the frontpage, split into sections. */ function statistics_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['config']['statistics'] = array('href' => SimpleSAML\Module::getModuleURL('statistics/showstats.php'), 'text' => array('en' => 'Show statistics', 'no' => 'Vis statistikk'), 'shorttext' => array('en' => 'Statistics', 'no' => 'Statistikk')); $links['config']['statisticsmeta'] = array('href' => SimpleSAML\Module::getModuleURL('statistics/statmeta.php'), 'text' => array('en' => 'Show statistics metadata', 'no' => 'Vis statistikk metadata'), 'shorttext' => array('en' => 'Statistics metadata', 'no' => 'Statistikk metadata')); }
/** * Process a authentication response. * * This function checks how long it is since the last time the user was authenticated. * If it is to short a while since, we will show a warning to the user. * * @param array $state The state of the response. */ public function process(&$state) { assert('is_array($state)'); if (!array_key_exists('PreviousSSOTimestamp', $state)) { /* * No timestamp from the previous SSO to this SP. This is the first * time during this session. */ return; } $timeDelta = time() - $state['PreviousSSOTimestamp']; if ($timeDelta >= 10) { // At least 10 seconds since last attempt return; } if (array_key_exists('Destination', $state) && array_key_exists('entityid', $state['Destination'])) { $entityId = $state['Destination']['entityid']; } else { $entityId = 'UNKNOWN'; } SimpleSAML\Logger::warning('WarnShortSSOInterval: Only ' . $timeDelta . ' seconds since last SSO for this user from the SP ' . var_export($entityId, TRUE)); // Save state and redirect $id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval'); $url = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); }
/** * Start the logout operation. * * @param array &$state The logout state. * @param string|null $assocId The SP we are logging out from. */ public function startLogout(array &$state, $assocId) { assert('is_string($assocId) || is_null($assocId)'); $associations = $this->idp->getAssociations(); if (count($associations) === 0) { $this->idp->finishLogout($state); } foreach ($associations as $id => &$association) { $idp = SimpleSAML_IdP::getByState($association); $association['core:Logout-IFrame:Name'] = $idp->getSPName($id); $association['core:Logout-IFrame:State'] = 'onhold'; } $state['core:Logout-IFrame:Associations'] = $associations; if (!is_null($assocId)) { $spName = $this->idp->getSPName($assocId); if ($spName === null) { $spName = array('en' => $assocId); } $state['core:Logout-IFrame:From'] = $spName; } else { $state['core:Logout-IFrame:From'] = null; } $params = array('id' => SimpleSAML_Auth_State::saveState($state, 'core:Logout-IFrame')); if (isset($state['core:Logout-IFrame:InitType'])) { $params['type'] = $state['core:Logout-IFrame:InitType']; } $url = SimpleSAML\Module::getModuleURL('core/idp/logout-iframe.php', $params); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url); }
public function authenticate(&$state) { assert('is_array($state)'); // We are going to need the authId in order to retrieve this authentication source later $state[self::AUTHID] = $this->authId; $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID); $url = SimpleSAML\Module::getModuleURL('InfoCard/login-infocard.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id)); }
/** * Hook to add the modinfo module to the frontpage. * * @param array &$links The links on the frontpage, split into sections. */ function core_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['links']['frontpage_welcome'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_welcome.php'), 'text' => '{core:frontpage:welcome}', 'shorttext' => '{core:frontpage:welcome}'); $links['links']['frontpage_config'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_config.php'), 'text' => '{core:frontpage:configuration}', 'shorttext' => '{core:frontpage:configuration}'); $links['links']['frontpage_auth'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_auth.php'), 'text' => '{core:frontpage:auth}', 'shorttext' => '{core:frontpage:auth}'); $links['links']['frontpage_federation'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_federation.php'), 'text' => '{core:frontpage:federation}', 'shorttext' => '{core:frontpage:federation}'); }
/** * Initialize processing of the redirect test. * * @param array &$state The state we should update. */ public function process(&$state) { assert('is_array($state)'); assert('array_key_exists("Attributes", $state)'); // To check whether the state is saved correctly $state['Attributes']['RedirectTest1'] = array('OK'); // Save state and redirect $id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test'); $url = SimpleSAML\Module::getModuleURL('exampleauth/redirecttest.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); }
/** * Process a authentication response. * * This function saves the state, and redirects the user to the page where the user * can authorize the release of the attributes. * * @param array $state The state of the response. */ public function process(&$state) { assert('is_array($state)'); if (isset($state['isPassive']) && $state['isPassive'] === TRUE) { // We have a passive request. Skip the warning return; } // Save state and redirect. $id = SimpleSAML_Auth_State::saveState($state, 'warning:request'); $url = SimpleSAML\Module::getModuleURL('preprodwarning/showwarning.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id)); }
/** * Redirect to page setting CDC. * * @param array &$state The request state. */ public function process(&$state) { assert('is_array($state)'); if (!isset($state['Source']['entityid'])) { SimpleSAML\Logger::warning('saml:CDC: Could not find IdP entityID.'); return; } // Save state and build request $id = SimpleSAML_Auth_State::saveState($state, 'cdc:resume'); $returnTo = SimpleSAML\Module::getModuleURL('cdc/resume.php', array('domain' => $this->domain)); $params = array('id' => $id, 'entityID' => $state['Source']['entityid']); $this->client->sendRequest($returnTo, 'append', $params); }
/** * Log-in using Facebook platform * * @param array &$state Information about the current authentication. */ public function authenticate(&$state) { assert('is_array($state)'); // We are going to need the authId in order to retrieve this authentication source later $state[self::AUTHID] = $this->authId; $stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); $facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state); $facebook->destroySession(); $linkback = SimpleSAML\Module::getModuleURL('authfacebook/linkback.php', array('AuthState' => $stateID)); $url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms)); SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url); }
/** * The inner workings of the module. Check client's subnet and redirect * to an authentication page protected with "HTTP Negotiate" authentication * or a fallback authentication source. * * @param array &$state Information about the current authentication. */ public function authenticate(&$state) { assert('is_array($state)'); $state['negotiateserver:AuthID'] = $this->authId; $state['negotiateserver:AuthFallback'] = $this->auth_fallback; if (!$this->checkClientSubnet()) { $this->fallback($state); } $stateId = SimpleSAML_Auth_State::saveState($state, 'negotiateserver:Negotiate'); $returnTo = SimpleSAML\Module::getModuleURL('negotiateserver/resume.php', array('State' => $stateId)); $authPage = SimpleSAML\Module::getModuleURL('negotiateserver/preauth.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array('State' => $stateId, 'ReturnTo' => $returnTo)); assert('FALSE'); }
/** * Log-in using Twitter platform * * @param array &$state Information about the current authentication. */ public function authenticate(&$state) { assert('is_array($state)'); // We are going to need the authId in order to retrieve this authentication source later $state[self::AUTHID] = $this->authId; $stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); $consumer = new sspmod_oauth_Consumer($this->key, $this->secret); // Get the request token $linkback = SimpleSAML\Module::getModuleURL('authtwitter/linkback.php', array('AuthState' => $stateID)); $requestToken = $consumer->getRequestToken('https://api.twitter.com/oauth/request_token', array('oauth_callback' => $linkback)); SimpleSAML\Logger::debug("Got a request token from the OAuth service provider [" . $requestToken->key . "] with the secret [" . $requestToken->secret . "]"); $state['authtwitter:authdata:requestToken'] = $requestToken; SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT); // Authorize the request token $url = 'https://api.twitter.com/oauth/authenticate'; if ($this->force_login) { $url = \SimpleSAML\Utils\HTTP::addURLParameters($url, array('force_login' => 'true')); } $consumer->getAuthorizeRequest($url, $requestToken); }
public static function postLogout(SimpleSAML_IdP $idp, array $state) { $url = SimpleSAML\Module::getModuleURL('consent/logout_completed.php'); \SimpleSAML\Utils\HTTP::redirectTrustedURL($url); }
<?php /** * This script warns a user that his/her certificate is about to expire. * * @package SimpleSAMLphp */ SimpleSAML\Logger::info('AuthX509 - Showing expiry warning to user'); if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } $id = $_REQUEST['StateId']; $state = SimpleSAML_Auth_State::loadState($id, 'warning:expire'); if (array_key_exists('proceed', $_REQUEST)) { // The user has pressed the proceed-button SimpleSAML_Auth_ProcessingChain::resumeProcessing($state); } $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'authX509:X509warning.php'); $t->data['target'] = SimpleSAML\Module::getModuleURL('authX509/expirywarning.php'); $t->data['data'] = array('StateId' => $id); $t->data['daysleft'] = $state['daysleft']; $t->data['renewurl'] = $state['renewurl']; $t->data['errorcodes'] = SimpleSAML\Error\Errorcodes::getAllErrorCodeMessages(); $t->show();
$availableCerts['new_idp.crt'] = $certInfo; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => true, 'X509Certificate' => $certInfo['certData']); $hasNewCert = true; } else { $hasNewCert = false; } $certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true); $availableCerts['idp.crt'] = $certInfo; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => $hasNewCert ? false : true, 'X509Certificate' => $certInfo['certData']); if ($idpmeta->hasValue('https.certificate')) { $httpsCert = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.'); assert('isset($httpsCert["certData"])'); $availableCerts['https.crt'] = $httpsCert; $keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $httpsCert['certData']); } $adfs_service_location = SimpleSAML\Module::getModuleURL('adfs') . '/idp/prp.php'; $metaArray = array('metadata-set' => 'adfs-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)), 'SingleLogoutService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location))); if (count($keys) === 1) { $metaArray['certData'] = $keys[0]['X509Certificate']; } else { $metaArray['keys'] = $keys; } $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'); if ($idpmeta->hasValue('OrganizationName')) { $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName'); $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']); if (!$idpmeta->hasValue('OrganizationURL')) { throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.'); } $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL'); }
/** * Hook to add the modinfo module to the frontpage. * * @param array &$links The links on the frontpage, split into sections. */ function modinfo_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['config'][] = array('href' => SimpleSAML\Module::getModuleURL('modinfo/'), 'text' => '{modinfo:modinfo:modlist_header}'); }
/** * Ask the user to log out before being able to log in again with a different identity provider. Note that this * method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP * and an IdP at the same time. * * This method will never return. * * @param array $state The state array. The following keys must be defined in the array: * - 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated * the user in the current session. * - 'saml:sp:AuthId': the identifier of the current authentication source. * - 'core:IdP': the identifier of the local IdP. * - 'SPMetadata': an array with the metadata of this local SP. * * @throws SimpleSAML_Error_NoPassive In case the authentication request was passive. */ public static function askForIdPChange(array &$state) { assert('array_key_exists("saml:sp:IdPMetadata", $state)'); assert('array_key_exists("saml:sp:AuthId", $state)'); assert('array_key_exists("core:IdP", $state)'); assert('array_key_exists("SPMetadata", $state)'); if (isset($state['isPassive']) && (bool) $state['isPassive']) { // passive request, we cannot authenticate the user throw new SimpleSAML_Error_NoPassive('Reauthentication required'); } // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true); $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php'); SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id)); assert('false'); }
* This page shows a username/password login form, and passes information from it * to the sspmod_core_Auth_UserPassBase class, which is a generic class for * username/password authentication. * * @author Olav Morken, UNINETT AS. * @package SimpleSAMLphp */ if (!array_key_exists('AuthState', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.'); } $authStateId = $_REQUEST['AuthState']; if (array_key_exists('otp', $_REQUEST)) { $otp = $_REQUEST['otp']; } else { $otp = ''; } if (!empty($otp)) { // attempt to log in $errorCode = sspmod_authYubiKey_Auth_Source_YubiKey::handleLogin($authStateId, $otp); } else { $errorCode = NULL; } $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'authYubiKey:yubikeylogin.php'); $t->data['stateparams'] = array('AuthState' => $authStateId); $t->data['errorcode'] = $errorCode; $t->data['errorcodes'] = SimpleSAML\Error\Errorcodes::getAllErrorCodeMessages(); $t->data['logo_url'] = SimpleSAML\Module::getModuleURL('authYubiKey/resources/logo.jpg'); $t->data['devicepic_url'] = SimpleSAML\Module::getModuleURL('authYubiKey/resources/yubikey.jpg'); $t->show(); exit;
/** * Hook to add links to the frontpage. * * @param array &$links The links on the frontpage, split into sections. */ function metarefresh_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['federation'][] = array('href' => SimpleSAML\Module::getModuleURL('metarefresh/fetch.php'), 'text' => array('en' => 'Metarefresh: fetch metadata')); }
/** * Retrieve a logout URL for a given logout association. * * @param SimpleSAML_IdP $idp The IdP we are sending a logout request from. * @param array $association The association that should be terminated. * @param string|NULL $relayState An id that should be carried across the logout. */ public static function getLogoutURL(SimpleSAML_IdP $idp, array $association, $relayState) { assert('is_string($relayState) || is_null($relayState)'); SimpleSAML\Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], TRUE)); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpMetadata = $idp->getConfig(); $spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote'); $bindings = array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST); $dst = $spMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', $bindings); if ($dst['Binding'] === SAML2_Const::BINDING_HTTP_POST) { $params = array('association' => $association['id'], 'idp' => $idp->getId()); if ($relayState !== NULL) { $params['RelayState'] = $relayState; } return SimpleSAML\Module::getModuleURL('core/idp/logout-iframe-post.php', $params); } $lr = self::buildLogoutRequest($idpMetadata, $spMetadata, $association, $relayState); $lr->setDestination($dst['Location']); $binding = new SAML2_HTTPRedirect(); return $binding->getRedirectURL($lr); }
/** * Hook to add the OpenID provider to the authentication tab. * * @param array &$links The links on the frontpage, split into sections. */ function openidProvider_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['auth'][] = array('href' => SimpleSAML\Module::getModuleURL('openidProvider/user.php'), 'text' => '{openidProvider:openidProvider:title_no_user}'); }
<?php /** * Show a 403 Forbidden page about not authorized to access an application. * * @package SimpleSAMLphp */ if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } $state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'authorize:Authorize'); $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php'); if (isset($state['Source']['auth'])) { $t->data['LogoutURL'] = SimpleSAML\Module::getModuleURL('core/authenticate.php', array('as' => $state['Source']['auth'])) . "&logout"; } header('HTTP/1.0 403 Forbidden'); $t->show();
continue; } $site = $op[1]; $site = pack("H*", $site); $server->removeTrustRoot($identity, $site); } } \SimpleSAML\Utils\HTTP::redirectTrustedURL($identity); } if ($ownPage) { $trustedSites = $server->getTrustRoots($identity); } else { $trustedSites = array(); } $userBase = SimpleSAML\Module::getModuleURL('openidProvider/user.php'); $xrds = SimpleSAML\Module::getModuleURL('openidProvider/xrds.php'); if ($userId !== FALSE) { $xrds = \SimpleSAML\Utils\HTTP::addURLParameters($xrds, array('user' => $userId)); } $as = $server->getAuthSource(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'openidProvider:user.tpl.php'); $t->data['identity'] = $identity; $t->data['loggedInAs'] = $server->getUserId(); $t->data['loginURL'] = $as->getLoginURL($userBase); $t->data['logoutURL'] = $as->getLogoutURL(); $t->data['ownPage'] = $ownPage; $t->data['serverURL'] = $server->getServerURL(); $t->data['trustedSites'] = $trustedSites; $t->data['userId'] = $userId; $t->data['userIdURL'] = $userBase . '/' . $userId; $t->data['xrdsURL'] = $xrds;
/** * Prompt the user with a list of authentication sources. * * This method saves the information about the configured sources, * and redirects to a page where the user must select one of these * authentication sources. * * This method never return. The authentication process is finished * in the delegateAuthentication method. * * @param array &$state Information about the current authentication. */ public function authenticate(&$state) { assert('is_array($state)'); $state[self::AUTHID] = $this->authId; $state[self::SOURCESID] = $this->sources; /* Save the $state array, so that we can restore if after a redirect */ $id = SimpleSAML_Auth_State::saveState($state, self::STAGEID); /* Redirect to the select source page. We include the identifier of the saved state array as a parameter to the login form */ $url = SimpleSAML\Module::getModuleURL('multiauth/selectsource.php'); $params = array('AuthState' => $id); // Allowes the user to specify the auth souce to be used if (isset($_GET['source'])) { $params['source'] = $_GET['source']; } \SimpleSAML\Utils\HTTP::redirectTrustedURL($url, $params); /* The previous function never returns, so this code is never executed */ assert('FALSE'); }
/** * Retrieve a URL that can be used to log the user out. * * @param string|NULL $returnTo The page the user should be returned to afterwards. * If this parameter is NULL, the user will be returned to the current page. * @return string A URL which is suitable for use in link-elements. */ public function getLogoutURL($returnTo = NULL) { assert('is_null($returnTo) || is_string($returnTo)'); if ($returnTo === NULL) { $returnTo = \SimpleSAML\Utils\HTTP::getSelfURL(); } $logout = SimpleSAML\Module::getModuleURL('core/as_logout.php', array('AuthId' => $this->authSource, 'ReturnTo' => $returnTo)); return $logout; }
/** * Hook to add the modinfo module to the frontpage. * * @param array &$links The links on the frontpage, split into sections. */ function sanitycheck_hook_frontpage(&$links) { assert('is_array($links)'); assert('array_key_exists("links", $links)'); $links['config']['santitycheck'] = array('href' => SimpleSAML\Module::getModuleURL('sanitycheck/index.php'), 'text' => array('en' => 'Sanity check of your SimpleSAMLphp setup'), 'shorttext' => array('en' => 'SanityCheck')); }
/** * Log in using an external authentication helper. * * @param array &$state Information about the current authentication. */ public function authenticate(&$state) { assert('is_array($state)'); $attributes = $this->getUser(); if ($attributes !== NULL) { /* * The user is already authenticated. * * Add the users attributes to the $state-array, and return control * to the authentication process. */ $state['Attributes'] = $attributes; return; } /* * The user isn't authenticated. We therefore need to * send the user to the login page. */ /* * First we add the identifier of this authentication source * to the state array, so that we know where to resume. */ $state['exampleauth:AuthID'] = $this->authId; /* * We need to save the $state-array, so that we can resume the * login process after authentication. * * Note the second parameter to the saveState-function. This is a * unique identifier for where the state was saved, and must be used * again when we retrieve the state. * * The reason for it is to prevent * attacks where the user takes a $state-array saved in one location * and restores it in another location, and thus bypasses steps in * the authentication process. */ $stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External'); /* * Now we generate a URL the user should return to after authentication. * We assume that whatever authentication page we send the user to has an * option to return the user to a specific page afterwards. */ $returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array('State' => $stateId)); /* * Get the URL of the authentication page. * * Here we use the getModuleURL function again, since the authentication page * is also part of this module, but in a real example, this would likely be * the absolute URL of the login page for the site. */ $authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php'); /* * The redirect to the authentication page. * * Note the 'ReturnTo' parameter. This must most likely be replaced with * the real name of the parameter for the login page. */ \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array('ReturnTo' => $returnTo)); /* * The redirect function never returns, so we never get this far. */ assert('FALSE'); }
<?php /** * Show a warning to an user about the SP requesting SSO a short time after * doing it previously. * * @package SimpleSAMLphp */ if (!array_key_exists('StateId', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.'); } $id = $_REQUEST['StateId']; $state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval'); $session = SimpleSAML_Session::getSessionFromRequest(); if (array_key_exists('continue', $_REQUEST)) { // The user has pressed the continue/retry-button SimpleSAML_Auth_ProcessingChain::resumeProcessing($state); } $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, 'core:short_sso_interval.php'); $t->data['target'] = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php'); $t->data['params'] = array('StateId' => $id); $t->data['trackId'] = $session->getTrackID(); $t->show();
/** * Start an IdP discovery service operation. * * @param array $state The state array. */ private function startDisco(array $state) { $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso'); $config = SimpleSAML_Configuration::getInstance(); $discoURL = $this->discoURL; if ($discoURL === NULL) { /* Fallback to internal discovery service. */ $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php'); } $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id)); $params = array('entityID' => $this->entityId, 'return' => $returnTo, 'returnIDParam' => 'idpentityid'); if (isset($state['saml:IDPList'])) { $params['IDPList'] = $state['saml:IDPList']; } if (isset($state['isPassive']) && $state['isPassive']) { $params['isPassive'] = 'true'; } \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params); }