/**
* Process an authentication response.
*
* This function saves the state, and if necessary redirects the user to the page where the user
* is informed about the expiry date of his/her certificate.
*
* @param array $state The state of the response.
*/
public function process(&$state)
{
assert('is_array($state)');
if (isset($state['isPassive']) && $state['isPassive'] === TRUE) {
// We have a passive request. Skip the warning
return;
}
if (!isset($_SERVER['SSL_CLIENT_CERT']) || $_SERVER['SSL_CLIENT_CERT'] == '') {
return;
}
$client_cert = $_SERVER['SSL_CLIENT_CERT'];
$client_cert_data = openssl_x509_parse($client_cert);
if ($client_cert_data == FALSE) {
SimpleSAML\Logger::error('authX509: invalid cert');
return;
}
$validTo = $client_cert_data['validTo_time_t'];
$now = time();
$daysleft = (int) (($validTo - $now) / (24 * 60 * 60));
if ($daysleft > $this->warndaysbefore) {
// We have a certificate that will be valid for some time. Skip the warning
return;
}
SimpleSAML\Logger::warning('authX509: user certificate expires in ' . $daysleft . ' days');
$state['daysleft'] = $daysleft;
$state['renewurl'] = $this->renewurl;
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'warning:expire');
$url = SimpleSAML\Module::getModuleURL('authX509/expirywarning.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
}
/**
* When the process logic determines that the user is not
* authorized for this service, then forward the user to
* an 403 unauthorized page.
*
* Separated this code into its own method so that child
* classes can override it and change the action. Forward
* thinking in case a "chained" ACL is needed, more complex
* permission logic.
*
* @param array $request
*/
protected function unauthorized(&$request)
{
SimpleSAML\Logger::error('ExpectedAuthnContextClassRef: Invalid authentication context: ' . $this->AuthnContextClassRef . '. Accepted values are: ' . var_export($this->accepted, true));
$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
$url = SimpleSAML\Module::getModuleURL('saml/sp/wrong_authncontextclassref.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
}
/**
* Hook to add the modinfo module to the frontpage.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function statistics_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['config']['statistics'] = array('href' => SimpleSAML\Module::getModuleURL('statistics/showstats.php'), 'text' => array('en' => 'Show statistics', 'no' => 'Vis statistikk'), 'shorttext' => array('en' => 'Statistics', 'no' => 'Statistikk'));
$links['config']['statisticsmeta'] = array('href' => SimpleSAML\Module::getModuleURL('statistics/statmeta.php'), 'text' => array('en' => 'Show statistics metadata', 'no' => 'Vis statistikk metadata'), 'shorttext' => array('en' => 'Statistics metadata', 'no' => 'Statistikk metadata'));
}
/**
* Process a authentication response.
*
* This function checks how long it is since the last time the user was authenticated.
* If it is to short a while since, we will show a warning to the user.
*
* @param array $state The state of the response.
*/
public function process(&$state)
{
assert('is_array($state)');
if (!array_key_exists('PreviousSSOTimestamp', $state)) {
/*
* No timestamp from the previous SSO to this SP. This is the first
* time during this session.
*/
return;
}
$timeDelta = time() - $state['PreviousSSOTimestamp'];
if ($timeDelta >= 10) {
// At least 10 seconds since last attempt
return;
}
if (array_key_exists('Destination', $state) && array_key_exists('entityid', $state['Destination'])) {
$entityId = $state['Destination']['entityid'];
} else {
$entityId = 'UNKNOWN';
}
SimpleSAML\Logger::warning('WarnShortSSOInterval: Only ' . $timeDelta . ' seconds since last SSO for this user from the SP ' . var_export($entityId, TRUE));
// Save state and redirect
$id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval');
$url = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
}
/**
* Start the logout operation.
*
* @param array &$state The logout state.
* @param string|null $assocId The SP we are logging out from.
*/
public function startLogout(array &$state, $assocId)
{
assert('is_string($assocId) || is_null($assocId)');
$associations = $this->idp->getAssociations();
if (count($associations) === 0) {
$this->idp->finishLogout($state);
}
foreach ($associations as $id => &$association) {
$idp = SimpleSAML_IdP::getByState($association);
$association['core:Logout-IFrame:Name'] = $idp->getSPName($id);
$association['core:Logout-IFrame:State'] = 'onhold';
}
$state['core:Logout-IFrame:Associations'] = $associations;
if (!is_null($assocId)) {
$spName = $this->idp->getSPName($assocId);
if ($spName === null) {
$spName = array('en' => $assocId);
}
$state['core:Logout-IFrame:From'] = $spName;
} else {
$state['core:Logout-IFrame:From'] = null;
}
$params = array('id' => SimpleSAML_Auth_State::saveState($state, 'core:Logout-IFrame'));
if (isset($state['core:Logout-IFrame:InitType'])) {
$params['type'] = $state['core:Logout-IFrame:InitType'];
}
$url = SimpleSAML\Module::getModuleURL('core/idp/logout-iframe.php', $params);
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
}
public function authenticate(&$state)
{
assert('is_array($state)');
// We are going to need the authId in order to retrieve this authentication source later
$state[self::AUTHID] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
$url = SimpleSAML\Module::getModuleURL('InfoCard/login-infocard.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
}
/**
* Hook to add the modinfo module to the frontpage.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function core_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['links']['frontpage_welcome'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_welcome.php'), 'text' => '{core:frontpage:welcome}', 'shorttext' => '{core:frontpage:welcome}');
$links['links']['frontpage_config'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_config.php'), 'text' => '{core:frontpage:configuration}', 'shorttext' => '{core:frontpage:configuration}');
$links['links']['frontpage_auth'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_auth.php'), 'text' => '{core:frontpage:auth}', 'shorttext' => '{core:frontpage:auth}');
$links['links']['frontpage_federation'] = array('href' => SimpleSAML\Module::getModuleURL('core/frontpage_federation.php'), 'text' => '{core:frontpage:federation}', 'shorttext' => '{core:frontpage:federation}');
}
/**
* Initialize processing of the redirect test.
*
* @param array &$state The state we should update.
*/
public function process(&$state)
{
assert('is_array($state)');
assert('array_key_exists("Attributes", $state)');
// To check whether the state is saved correctly
$state['Attributes']['RedirectTest1'] = array('OK');
// Save state and redirect
$id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test');
$url = SimpleSAML\Module::getModuleURL('exampleauth/redirecttest.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
}
/**
* Process a authentication response.
*
* This function saves the state, and redirects the user to the page where the user
* can authorize the release of the attributes.
*
* @param array $state The state of the response.
*/
public function process(&$state)
{
assert('is_array($state)');
if (isset($state['isPassive']) && $state['isPassive'] === TRUE) {
// We have a passive request. Skip the warning
return;
}
// Save state and redirect.
$id = SimpleSAML_Auth_State::saveState($state, 'warning:request');
$url = SimpleSAML\Module::getModuleURL('preprodwarning/showwarning.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('StateId' => $id));
}
/**
* Redirect to page setting CDC.
*
* @param array &$state The request state.
*/
public function process(&$state)
{
assert('is_array($state)');
if (!isset($state['Source']['entityid'])) {
SimpleSAML\Logger::warning('saml:CDC: Could not find IdP entityID.');
return;
}
// Save state and build request
$id = SimpleSAML_Auth_State::saveState($state, 'cdc:resume');
$returnTo = SimpleSAML\Module::getModuleURL('cdc/resume.php', array('domain' => $this->domain));
$params = array('id' => $id, 'entityID' => $state['Source']['entityid']);
$this->client->sendRequest($returnTo, 'append', $params);
}
/**
* Log-in using Facebook platform
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
// We are going to need the authId in order to retrieve this authentication source later
$state[self::AUTHID] = $this->authId;
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
$facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state);
$facebook->destroySession();
$linkback = SimpleSAML\Module::getModuleURL('authfacebook/linkback.php', array('AuthState' => $stateID));
$url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms));
SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
}
/**
* The inner workings of the module. Check client's subnet and redirect
* to an authentication page protected with "HTTP Negotiate" authentication
* or a fallback authentication source.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$state['negotiateserver:AuthID'] = $this->authId;
$state['negotiateserver:AuthFallback'] = $this->auth_fallback;
if (!$this->checkClientSubnet()) {
$this->fallback($state);
}
$stateId = SimpleSAML_Auth_State::saveState($state, 'negotiateserver:Negotiate');
$returnTo = SimpleSAML\Module::getModuleURL('negotiateserver/resume.php', array('State' => $stateId));
$authPage = SimpleSAML\Module::getModuleURL('negotiateserver/preauth.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array('State' => $stateId, 'ReturnTo' => $returnTo));
assert('FALSE');
}
/**
* Log-in using Twitter platform
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
// We are going to need the authId in order to retrieve this authentication source later
$state[self::AUTHID] = $this->authId;
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
$consumer = new sspmod_oauth_Consumer($this->key, $this->secret);
// Get the request token
$linkback = SimpleSAML\Module::getModuleURL('authtwitter/linkback.php', array('AuthState' => $stateID));
$requestToken = $consumer->getRequestToken('https://api.twitter.com/oauth/request_token', array('oauth_callback' => $linkback));
SimpleSAML\Logger::debug("Got a request token from the OAuth service provider [" . $requestToken->key . "] with the secret [" . $requestToken->secret . "]");
$state['authtwitter:authdata:requestToken'] = $requestToken;
SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
// Authorize the request token
$url = 'https://api.twitter.com/oauth/authenticate';
if ($this->force_login) {
$url = \SimpleSAML\Utils\HTTP::addURLParameters($url, array('force_login' => 'true'));
}
$consumer->getAuthorizeRequest($url, $requestToken);
}
public static function postLogout(SimpleSAML_IdP $idp, array $state)
{
$url = SimpleSAML\Module::getModuleURL('consent/logout_completed.php');
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
}
<?php
/**
* This script warns a user that his/her certificate is about to expire.
*
* @package SimpleSAMLphp
*/
SimpleSAML\Logger::info('AuthX509 - Showing expiry warning to user');
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$id = $_REQUEST['StateId'];
$state = SimpleSAML_Auth_State::loadState($id, 'warning:expire');
if (array_key_exists('proceed', $_REQUEST)) {
// The user has pressed the proceed-button
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'authX509:X509warning.php');
$t->data['target'] = SimpleSAML\Module::getModuleURL('authX509/expirywarning.php');
$t->data['data'] = array('StateId' => $id);
$t->data['daysleft'] = $state['daysleft'];
$t->data['renewurl'] = $state['renewurl'];
$t->data['errorcodes'] = SimpleSAML\Error\Errorcodes::getAllErrorCodeMessages();
$t->show();
$availableCerts['new_idp.crt'] = $certInfo;
$keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => true, 'X509Certificate' => $certInfo['certData']);
$hasNewCert = true;
} else {
$hasNewCert = false;
}
$certInfo = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true);
$availableCerts['idp.crt'] = $certInfo;
$keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => $hasNewCert ? false : true, 'X509Certificate' => $certInfo['certData']);
if ($idpmeta->hasValue('https.certificate')) {
$httpsCert = SimpleSAML\Utils\Crypto::loadPublicKey($idpmeta, true, 'https.');
assert('isset($httpsCert["certData"])');
$availableCerts['https.crt'] = $httpsCert;
$keys[] = array('type' => 'X509Certificate', 'signing' => true, 'encryption' => false, 'X509Certificate' => $httpsCert['certData']);
}
$adfs_service_location = SimpleSAML\Module::getModuleURL('adfs') . '/idp/prp.php';
$metaArray = array('metadata-set' => 'adfs-idp-remote', 'entityid' => $idpentityid, 'SingleSignOnService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)), 'SingleLogoutService' => array(0 => array('Binding' => \SAML2\Constants::BINDING_HTTP_REDIRECT, 'Location' => $adfs_service_location)));
if (count($keys) === 1) {
$metaArray['certData'] = $keys[0]['X509Certificate'];
} else {
$metaArray['keys'] = $keys;
}
$metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
if ($idpmeta->hasValue('OrganizationName')) {
$metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
$metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
if (!$idpmeta->hasValue('OrganizationURL')) {
throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
}
$metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
}
/**
* Hook to add the modinfo module to the frontpage.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function modinfo_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['config'][] = array('href' => SimpleSAML\Module::getModuleURL('modinfo/'), 'text' => '{modinfo:modinfo:modlist_header}');
}
/**
* Ask the user to log out before being able to log in again with a different identity provider. Note that this
* method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP
* and an IdP at the same time.
*
* This method will never return.
*
* @param array $state The state array. The following keys must be defined in the array:
* - 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated
* the user in the current session.
* - 'saml:sp:AuthId': the identifier of the current authentication source.
* - 'core:IdP': the identifier of the local IdP.
* - 'SPMetadata': an array with the metadata of this local SP.
*
* @throws SimpleSAML_Error_NoPassive In case the authentication request was passive.
*/
public static function askForIdPChange(array &$state)
{
assert('array_key_exists("saml:sp:IdPMetadata", $state)');
assert('array_key_exists("saml:sp:AuthId", $state)');
assert('array_key_exists("core:IdP", $state)');
assert('array_key_exists("SPMetadata", $state)');
if (isset($state['isPassive']) && (bool) $state['isPassive']) {
// passive request, we cannot authenticate the user
throw new SimpleSAML_Error_NoPassive('Reauthentication required');
}
// save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
$id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
$url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
assert('false');
}
* This page shows a username/password login form, and passes information from it
* to the sspmod_core_Auth_UserPassBase class, which is a generic class for
* username/password authentication.
*
* @author Olav Morken, UNINETT AS.
* @package SimpleSAMLphp
*/
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
if (array_key_exists('otp', $_REQUEST)) {
$otp = $_REQUEST['otp'];
} else {
$otp = '';
}
if (!empty($otp)) {
// attempt to log in
$errorCode = sspmod_authYubiKey_Auth_Source_YubiKey::handleLogin($authStateId, $otp);
} else {
$errorCode = NULL;
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'authYubiKey:yubikeylogin.php');
$t->data['stateparams'] = array('AuthState' => $authStateId);
$t->data['errorcode'] = $errorCode;
$t->data['errorcodes'] = SimpleSAML\Error\Errorcodes::getAllErrorCodeMessages();
$t->data['logo_url'] = SimpleSAML\Module::getModuleURL('authYubiKey/resources/logo.jpg');
$t->data['devicepic_url'] = SimpleSAML\Module::getModuleURL('authYubiKey/resources/yubikey.jpg');
$t->show();
exit;
/**
* Hook to add links to the frontpage.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function metarefresh_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['federation'][] = array('href' => SimpleSAML\Module::getModuleURL('metarefresh/fetch.php'), 'text' => array('en' => 'Metarefresh: fetch metadata'));
}
/**
* Retrieve a logout URL for a given logout association.
*
* @param SimpleSAML_IdP $idp The IdP we are sending a logout request from.
* @param array $association The association that should be terminated.
* @param string|NULL $relayState An id that should be carried across the logout.
*/
public static function getLogoutURL(SimpleSAML_IdP $idp, array $association, $relayState)
{
assert('is_string($relayState) || is_null($relayState)');
SimpleSAML\Logger::info('Sending SAML 2.0 LogoutRequest to: ' . var_export($association['saml:entityID'], TRUE));
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');
$bindings = array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST);
$dst = $spMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', $bindings);
if ($dst['Binding'] === SAML2_Const::BINDING_HTTP_POST) {
$params = array('association' => $association['id'], 'idp' => $idp->getId());
if ($relayState !== NULL) {
$params['RelayState'] = $relayState;
}
return SimpleSAML\Module::getModuleURL('core/idp/logout-iframe-post.php', $params);
}
$lr = self::buildLogoutRequest($idpMetadata, $spMetadata, $association, $relayState);
$lr->setDestination($dst['Location']);
$binding = new SAML2_HTTPRedirect();
return $binding->getRedirectURL($lr);
}
/**
* Hook to add the OpenID provider to the authentication tab.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function openidProvider_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['auth'][] = array('href' => SimpleSAML\Module::getModuleURL('openidProvider/user.php'), 'text' => '{openidProvider:openidProvider:title_no_user}');
}
<?php
/**
* Show a 403 Forbidden page about not authorized to access an application.
*
* @package SimpleSAMLphp
*/
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$state = SimpleSAML_Auth_State::loadState($_REQUEST['StateId'], 'authorize:Authorize');
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'authorize:authorize_403.php');
if (isset($state['Source']['auth'])) {
$t->data['LogoutURL'] = SimpleSAML\Module::getModuleURL('core/authenticate.php', array('as' => $state['Source']['auth'])) . "&logout";
}
header('HTTP/1.0 403 Forbidden');
$t->show();
continue;
}
$site = $op[1];
$site = pack("H*", $site);
$server->removeTrustRoot($identity, $site);
}
}
\SimpleSAML\Utils\HTTP::redirectTrustedURL($identity);
}
if ($ownPage) {
$trustedSites = $server->getTrustRoots($identity);
} else {
$trustedSites = array();
}
$userBase = SimpleSAML\Module::getModuleURL('openidProvider/user.php');
$xrds = SimpleSAML\Module::getModuleURL('openidProvider/xrds.php');
if ($userId !== FALSE) {
$xrds = \SimpleSAML\Utils\HTTP::addURLParameters($xrds, array('user' => $userId));
}
$as = $server->getAuthSource();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'openidProvider:user.tpl.php');
$t->data['identity'] = $identity;
$t->data['loggedInAs'] = $server->getUserId();
$t->data['loginURL'] = $as->getLoginURL($userBase);
$t->data['logoutURL'] = $as->getLogoutURL();
$t->data['ownPage'] = $ownPage;
$t->data['serverURL'] = $server->getServerURL();
$t->data['trustedSites'] = $trustedSites;
$t->data['userId'] = $userId;
$t->data['userIdURL'] = $userBase . '/' . $userId;
$t->data['xrdsURL'] = $xrds;
/**
* Prompt the user with a list of authentication sources.
*
* This method saves the information about the configured sources,
* and redirects to a page where the user must select one of these
* authentication sources.
*
* This method never return. The authentication process is finished
* in the delegateAuthentication method.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$state[self::AUTHID] = $this->authId;
$state[self::SOURCESID] = $this->sources;
/* Save the $state array, so that we can restore if after a redirect */
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
/* Redirect to the select source page. We include the identifier of the
saved state array as a parameter to the login form */
$url = SimpleSAML\Module::getModuleURL('multiauth/selectsource.php');
$params = array('AuthState' => $id);
// Allowes the user to specify the auth souce to be used
if (isset($_GET['source'])) {
$params['source'] = $_GET['source'];
}
\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, $params);
/* The previous function never returns, so this code is never
executed */
assert('FALSE');
}
/**
* Retrieve a URL that can be used to log the user out.
*
* @param string|NULL $returnTo The page the user should be returned to afterwards.
* If this parameter is NULL, the user will be returned to the current page.
* @return string A URL which is suitable for use in link-elements.
*/
public function getLogoutURL($returnTo = NULL)
{
assert('is_null($returnTo) || is_string($returnTo)');
if ($returnTo === NULL) {
$returnTo = \SimpleSAML\Utils\HTTP::getSelfURL();
}
$logout = SimpleSAML\Module::getModuleURL('core/as_logout.php', array('AuthId' => $this->authSource, 'ReturnTo' => $returnTo));
return $logout;
}
/**
* Hook to add the modinfo module to the frontpage.
*
* @param array &$links The links on the frontpage, split into sections.
*/
function sanitycheck_hook_frontpage(&$links)
{
assert('is_array($links)');
assert('array_key_exists("links", $links)');
$links['config']['santitycheck'] = array('href' => SimpleSAML\Module::getModuleURL('sanitycheck/index.php'), 'text' => array('en' => 'Sanity check of your SimpleSAMLphp setup'), 'shorttext' => array('en' => 'SanityCheck'));
}
/**
* Log in using an external authentication helper.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$attributes = $this->getUser();
if ($attributes !== NULL) {
/*
* The user is already authenticated.
*
* Add the users attributes to the $state-array, and return control
* to the authentication process.
*/
$state['Attributes'] = $attributes;
return;
}
/*
* The user isn't authenticated. We therefore need to
* send the user to the login page.
*/
/*
* First we add the identifier of this authentication source
* to the state array, so that we know where to resume.
*/
$state['exampleauth:AuthID'] = $this->authId;
/*
* We need to save the $state-array, so that we can resume the
* login process after authentication.
*
* Note the second parameter to the saveState-function. This is a
* unique identifier for where the state was saved, and must be used
* again when we retrieve the state.
*
* The reason for it is to prevent
* attacks where the user takes a $state-array saved in one location
* and restores it in another location, and thus bypasses steps in
* the authentication process.
*/
$stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External');
/*
* Now we generate a URL the user should return to after authentication.
* We assume that whatever authentication page we send the user to has an
* option to return the user to a specific page afterwards.
*/
$returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array('State' => $stateId));
/*
* Get the URL of the authentication page.
*
* Here we use the getModuleURL function again, since the authentication page
* is also part of this module, but in a real example, this would likely be
* the absolute URL of the login page for the site.
*/
$authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php');
/*
* The redirect to the authentication page.
*
* Note the 'ReturnTo' parameter. This must most likely be replaced with
* the real name of the parameter for the login page.
*/
\SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array('ReturnTo' => $returnTo));
/*
* The redirect function never returns, so we never get this far.
*/
assert('FALSE');
}
<?php
/**
* Show a warning to an user about the SP requesting SSO a short time after
* doing it previously.
*
* @package SimpleSAMLphp
*/
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$id = $_REQUEST['StateId'];
$state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
$session = SimpleSAML_Session::getSessionFromRequest();
if (array_key_exists('continue', $_REQUEST)) {
// The user has pressed the continue/retry-button
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:short_sso_interval.php');
$t->data['target'] = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php');
$t->data['params'] = array('StateId' => $id);
$t->data['trackId'] = $session->getTrackID();
$t->show();
/**
* Start an IdP discovery service operation.
*
* @param array $state The state array.
*/
private function startDisco(array $state)
{
$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
$config = SimpleSAML_Configuration::getInstance();
$discoURL = $this->discoURL;
if ($discoURL === NULL) {
/* Fallback to internal discovery service. */
$discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
}
$returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
$params = array('entityID' => $this->entityId, 'return' => $returnTo, 'returnIDParam' => 'idpentityid');
if (isset($state['saml:IDPList'])) {
$params['IDPList'] = $state['saml:IDPList'];
}
if (isset($state['isPassive']) && $state['isPassive']) {
$params['isPassive'] = 'true';
}
\SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
}
