function driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes = FALSE)
{
/*
* Create a new processing chain
*/
$pc = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');
/*
* Construct the state.
* REMEMBER: Do not set Return URL if you are calling processStatePassive
*/
$authProcState = array('Attributes' => $attributes, 'Destination' => $sp_metadata, 'Source' => $idp_metadata, 'isPassive' => TRUE);
/*
* Call processStatePAssive.
* We are not interested in any user interaction, only modifications to the attributes
*/
$pc->processStatePassive($authProcState);
$attributes = $authProcState['Attributes'];
/*
* Generate identifiers and hashes
*/
$destination = $sp_metadata['metadata-set'] . '|' . $sp_entityid;
$targeted_id = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
$attribute_hash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);
SimpleSAML_Logger::info('consentAdmin: user: '******'consentAdmin: target: ' . $targeted_id);
SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attribute_hash);
/* Return values */
return array($targeted_id, $attribute_hash, $attributes);
}
<?php
/**
* Show a warning to an user about the SP requesting SSO a short time after
* doing it previously.
*
* @package SimpleSAMLphp
*/
if (!array_key_exists('StateId', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
$id = $_REQUEST['StateId'];
$state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
$session = SimpleSAML_Session::getSessionFromRequest();
if (array_key_exists('continue', $_REQUEST)) {
// The user has pressed the continue/retry-button
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:short_sso_interval.php');
$t->data['target'] = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php');
$t->data['params'] = array('StateId' => $id);
$t->data['trackId'] = $session->getTrackID();
$t->show();
/**
* The user is authenticated.
*
* @param array $state The authentication request state arrray.
*/
public static function postAuth(array $state)
{
$idp = SimpleSAML_IdP::getByState($state);
if (!$idp->isAuthenticated()) {
throw new SimpleSAML_Error_Exception('Not authenticated.');
}
$state['Attributes'] = $idp->authSource->getAttributes();
if (isset($state['SPMetadata'])) {
$spMetadata = $state['SPMetadata'];
} else {
$spMetadata = array();
}
if (isset($state['core:SP'])) {
$session = SimpleSAML_Session::getSessionFromRequest();
$previousSSOTime = $session->getData('core:idp-ssotime', $state['core:IdP'] . ';' . $state['core:SP']);
if ($previousSSOTime !== NULL) {
$state['PreviousSSOTimestamp'] = $previousSSOTime;
}
}
$idpMetadata = $idp->getConfig()->toArray();
$pc = new SimpleSAML_Auth_ProcessingChain($idpMetadata, $spMetadata, 'idp');
$state['ReturnCall'] = array('SimpleSAML_IdP', 'postAuthProc');
$state['Destination'] = $spMetadata;
$state['Source'] = $idpMetadata;
$pc->processState($state);
self::postAuthProc($state);
}
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
finishLogin($authProcState);
}
if (empty($_POST['SAMLResponse'])) {
throw new SimpleSAML_Error_Error('ACSPARAMS', $exception);
}
try {
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
$authnResponse = $binding->decodeResponse($_POST);
$authnResponse->validate();
/* Successfully authenticated. */
$idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote');
SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']);
SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA');
$relayState = $authnResponse->getRelayState();
if (!isset($relayState)) {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted');
/* Begin module attribute processing */
$pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp');
$authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata);
$pc->processState($authProcState);
/* Since this function returns, processing has completed and attributes have
* been updated.
*/
finishLogin($authProcState);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
}
/**
* Handle a response from a SSO operation.
*
* @param array $state The authentication state.
* @param string $idp The entity id of the IdP.
* @param array $attributes The attributes.
*/
public function handleResponse(array $state, $idp, array $attributes)
{
assert('is_string($idp)');
assert('array_key_exists("LogoutState", $state)');
assert('array_key_exists("saml:logout:Type", $state["LogoutState"])');
$idpMetadata = $this->getIdpMetadata($idp);
$spMetadataArray = $this->metadata->toArray();
$idpMetadataArray = $idpMetadata->toArray();
/* Save the IdP in the state array. */
$state['saml:sp:IdP'] = $idp;
$state['PersistentAuthData'][] = 'saml:sp:IdP';
$authProcState = array('saml:sp:IdP' => $idp, 'saml:sp:State' => $state, 'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'), 'Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $idpMetadataArray);
if (isset($state['saml:sp:NameID'])) {
$authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
}
if (isset($state['saml:sp:SessionIndex'])) {
$authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
}
$pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
$pc->processState($authProcState);
self::onProcessingCompleted($authProcState);
}
/**
* Process a request.
*
* This function never returns.
*
* @param Auth_OpenID_Request $request The request we are processing.
*/
public function processRequest(array $state)
{
assert('isset($state["request"])');
$request = $state['request'];
$sreg_req = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
$ax_req = Auth_OpenId_AX_FetchRequest::fromOpenIDRequest($request);
/* In resume.php there should be a way to display data requested through sreg or ax. */
if (!$this->authSource->isAuthenticated()) {
if ($request->immediate) {
/* Not logged in, and we cannot show a login form. */
$this->sendResponse($request->answer(FALSE));
}
$resumeURL = $this->getStateURL('resume.php', $state);
$this->authSource->requireAuth(array('ReturnTo' => $resumeURL));
}
$identity = $this->getIdentity();
assert('$identity !== FALSE');
/* Should always be logged in here. */
if (!$request->idSelect() && $identity !== $request->identity) {
/* The identity in the request doesn't match the one of the logged in user. */
throw new SimpleSAML_Error_Exception('Logged in as different user than the one requested.');
}
if ($this->isTrusted($identity, $request->trust_root)) {
$trusted = TRUE;
} elseif (isset($state['TrustResponse'])) {
$trusted = (bool) $state['TrustResponse'];
} else {
if ($request->immediate) {
/* Not trusted, and we cannot show a trust-form. */
$this->sendResponse($request->answer(FALSE));
}
$trustURL = $this->getStateURL('trust.php', $state);
SimpleSAML_Utilities::redirectTrustedURL($trustURL);
}
if (!$trusted) {
/* The user doesn't trust this site. */
$this->sendResponse($request->answer(FALSE));
}
$response = $request->answer(TRUE, NULL, $identity);
//Process attributes
$attributes = $this->authSource->getAttributes();
foreach ($attributes as $key => $attr) {
if (is_array($attr) && count($attr) === 1) {
$attributes[$key] = $attr[0];
}
}
$pc = new SimpleSAML_Auth_ProcessingChain($this->authProc, array(), 'idp');
$state = array('Attributes' => $attributes, 'isPassive' => TRUE);
$pc->processStatePassive(&$state);
$attributes = $state['Attributes'];
//Process SREG requests
$sreg_resp = Auth_OpenID_SRegResponse::extractResponse($sreg_req, $attributes);
$sreg_resp->toMessage($response->fields);
//Process AX requests
$ax_resp = new Auth_OpenID_AX_FetchResponse();
foreach ($ax_req->iterTypes() as $type_uri) {
if (isset($attributes[$type_uri])) {
$ax_resp->addValue($type_uri, $attributes[$type_uri]);
}
}
$ax_resp->toMessage($response->fields);
/* The user is authenticated, and trusts this site. */
$this->sendResponse($response);
}
private function processFilters(&$attributes)
{
$spMetadataArray = $this->spMetadata->toArray();
$aaMetadataArray = $this->aaMetadata->toArray();
$pc = new SimpleSAML_Auth_ProcessingChain($aaMetadataArray, $spMetadataArray, 'aa');
$authProcState = array('Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $aaMetadataArray);
$pc->processStatePassive($authProcState);
// backend, passive processing, no user interaction
$attributes = $authProcState['Attributes'];
}
/**
* Handle a response from a SSO operation.
*
* @param array $state The authentication state.
* @param string $idp The entity id of the IdP.
* @param array $attributes The attributes.
*/
public function handleResponse(array $state, $idp, array $attributes)
{
assert('is_string($idp)');
assert('array_key_exists("LogoutState", $state)');
assert('array_key_exists("saml:logout:Type", $state["LogoutState"])');
$idpMetadata = $this->getIdpMetadata($idp);
$spMetadataArray = $this->metadata->toArray();
$idpMetadataArray = $idpMetadata->toArray();
$authProcState = array('saml:sp:IdP' => $idp, 'saml:sp:State' => $state, 'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'), 'Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $idpMetadataArray);
$pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
$pc->processState($authProcState);
self::onProcessingCompleted($authProcState);
}
*/
if (isset($_POST['sig_response'])) {
/*
* Verify sig response and log in user. Make sure that verifyResponse
* does not return NULL, if it is NOT NULL then it will return a username.
* You can then set any cookies/session data for that username and complete
* the login process.
*/
$resp = Duo::verifyResponse(IKEY, SKEY, AKEY, $_POST['sig_response']);
if (isset($attributes[$username_attribute])) {
$username = $attributes[$username_attribute][0];
} else {
throw new SimpleSAML_Error_BadRequest('Missing required username attribute.');
}
if ($resp != NULL and $resp === $username) {
SimpleSAML_Auth_ProcessingChain::resumeProcessing($this->data['state']);
} else {
throw new SimpleSAML_Error_BadRequest('Response verification failed.');
}
}
/*
* Verify username and password. If the user and pass are good, then generate
* a sig_request and load up the Duo iframe for secondary authentication.
*/
if (isset($attributes[$username_attribute])) {
$username = $attributes[$username_attribute][0];
// Generate sig request and then load up Duo javascript and iframe
$sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $username);
?>
<script src="Duo-Web-v2.min.js"></script>
<link rel="stylesheet" type="text/css" href="Duo-Frame.css">
public static function completeLogin($authStateId)
{
$state = self::_validateAuthState($authStateId);
$server = self::getServer(false);
$session = SimpleSAML_Session::getSessionFromRequest();
$sessionId = $session->getSessionId();
$user = $server->getAuthenticatedUser($sessionId);
if (empty($user)) {
$url = SimpleSAML_Module::getModuleURL('authTiqr/login.php');
SimpleSAML_Utilities::redirect($url, array('AuthState' => $authStateId));
} else {
if (!isset($state["tiqrUser"])) {
// Single factor. We can now continue to login.
$attributes = array('uid' => array($user), 'displayName' => array(self::getUserStorage()->getDisplayName($user)));
$attributes = array_merge($attributes, self::getUserStorage()->getAdditionalAttributes($user));
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
} else {
// Two factor, we can now complete the processing filter process.
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
}
}
/**
* Process a authentication response
*
* This function saves the state, and redirects the user to the Attribute Authority for
* entitlements.
*
* @param array &$state The state of the response.
*
* @return void
*/
public function process(&$state)
{
assert('is_array($state)');
$state['attributeaggregator:authsourceId'] = $state["saml:sp:State"]["saml:sp:AuthId"];
$state['attributeaggregator:entityId'] = $this->entityId;
$state['attributeaggregator:attributeId'] = $state['Attributes'][$this->attributeId];
$state['attributeaggregator:nameIdFormat'] = $this->nameIdFormat;
$state['attributeaggregator:attributes'] = $this->attributes;
$state['attributeaggregator:attributeNameFormat'] = $this->attributeNameFormat;
if (!$state['attributeaggregator:attributeId']) {
if (!$this->required) {
SimpleSAML_Logger::info('[attributeaggregator] This user session does not have ' . $this->attributeId . ', which is required for querying the AA! Continue processing.');
SimpleSAML_Logger::debug('[attributeaggregator] Attributes are: ' . var_export($state['Attributes'], true));
SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}
throw new SimpleSAML_Error_Exception("This user session does not have " . $this->attributeId . ", which is required for querying the AA! Attributes are: " . var_export($state['Attributes'], 1));
}
// Save state and redirect
$id = SimpleSAML_Auth_State::saveState($state, 'attributeaggregator:request');
$url = SimpleSAML_Module::getModuleURL('attributeaggregator/attributequery.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
// FIXME: redirect is deprecated
}
