if ($idpentityid == null) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: No chosen or default IdP, go to Shib13disco'); /* Which IdP discovery service should we use? Can be set in SP metadata or in global configuration. * Falling back to builtin discovery service. */ if (array_key_exists('idpdisco.url', $spmetadata)) { $discservice = $spmetadata['idpdisco.url']; } elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) { $discservice = $config->getString('idpdisco.url.shib13'); } else { $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php'; } SimpleSAML_Utilities::redirect($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid')); } try { $ar = new SimpleSAML_XML_Shib13_AuthnRequest(); $ar->setIssuer($spentityid); if (isset($_GET['RelayState'])) { $ar->setRelayState($_GET['RelayState']); } SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')'); $url = $ar->createRedirect($idpentityid); SimpleSAML_Utilities::redirect($url); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception); } } else { $relaystate = $session->getRelayState(); if (isset($relaystate) && !empty($relaystate)) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState'); SimpleSAML_Utilities::redirect($relaystate);
if ($idpentityid == null) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: No chosen or default IdP, go to Shib13disco'); /* Which IdP discovery service should we use? Can be set in SP metadata or in global configuration. * Falling back to builtin discovery service. */ if (array_key_exists('idpdisco.url', $spmetadata)) { $discservice = $spmetadata['idpdisco.url']; } elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) { $discservice = $config->getString('idpdisco.url.shib13'); } else { $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php'; } SimpleSAML_Utilities::redirectTrustedURL($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid')); } try { $ar = new SimpleSAML_XML_Shib13_AuthnRequest(); $ar->setIssuer($spentityid); if (isset($_GET['RelayState'])) { $ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState'])); } SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')'); $url = $ar->createRedirect($idpentityid); SimpleSAML_Utilities::redirectTrustedURL($url); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception); } } else { $relaystate = $_GET['RelayState']; if (isset($relaystate) && !empty($relaystate)) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState'); SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
/**
 * Send a SAML1 SSO request to an IdP.
 *
 * Saves the current authentication state, builds a Shib 1.3 AuthnRequest whose
 * RelayState is the saved-state id, points it at this SP's SAML1 ACS endpoint
 * (artifact variant when enabled) and redirects the browser to the IdP.
 *
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the IdP.
 * @param array $state The state array for the current authentication.
 */
private function startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
{
    $idp = $idpMetadata->getString('entityid');
    $state['saml:idp'] = $idp;

    $request = new SimpleSAML_XML_Shib13_AuthnRequest();
    $request->setIssuer($this->entityId);
    // The RelayState carries the saved-state id so the ACS can resume this login.
    $request->setRelayState(SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso'));

    // The IdP's metadata entry wins over the SP's own setting; the SP default is off.
    $artifact = $idpMetadata->getBoolean('saml1.useartifact', null);
    if ($artifact === null) {
        $artifact = $this->metadata->getBoolean('saml1.useartifact', false);
    }

    $acsPath = 'saml/sp/saml1-acs.php/' . $this->authId . ($artifact ? '/artifact' : '');
    $shire = SimpleSAML\Module::getModuleURL($acsPath);

    $target = $request->createRedirect($idp, $shire);
    SimpleSAML\Logger::debug(
        'Starting SAML 1 SSO to ' . var_export($idp, true) . ' from ' . var_export($this->entityId, true) . '.'
    );
    // $target is derived from IdP metadata and the module URL, not from request
    // parameters, which is presumably why the trusted-URL redirect is used here.
    \SimpleSAML\Utils\HTTP::redirectTrustedURL($target);
}
try { $idpmetadata = $metadata->getMetaDataCurrent('shib13-idp-hosted'); } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception); } /* * If the shire query parameter is set, we got an incoming Authentication Request * at this interface. * * In this case, what we should do is to process the request and set the neccessary information * from the request into the session object to be used later. * */ if (isset($_GET['shire'])) { try { $authnrequest = new SimpleSAML_XML_Shib13_AuthnRequest($config, $metadata); $authnrequest->parseGet($_GET); $requestid = $authnrequest->getRequestID(); /* * Create an assoc array of the request to store in the session cache. */ $requestcache = array('RequestID' => $requestid, 'Issuer' => $authnrequest->getIssuer(), 'shire' => $authnrequest->getShire(), 'RelayState' => $authnrequest->getRelayState()); SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incoming Shib authnRequest requestid: ' . $requestid); if (empty($requestcache['Issuer'])) { throw new Exception('Could not retrieve issuer of the AuthNRequest (ProviderID)'); } } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception); } /* * If we did not get an incoming Authenticaiton Request, we need a RequestID parameter.