| public static checkURLAllowed ( $url, array $trustedSites = null ) | ||
| $trustedSites | array | |
/**
* Initialize the filter.
*
* @param array $config Configuration information about this filter.
* @param mixed $reserved For future use
*/
public function __construct($config, $reserved)
{
parent::__construct($config, $reserved);
assert('is_array($config)');
if (array_key_exists('enforce_2fa', $config)) {
$this->enforce_2fa = $config['enforce_2fa'];
if (!is_bool($this->enforce_2fa)) {
throw new Exception('Invalid attribute name given to simpletotp::2fa filter:
enforce_2fa must be a boolean.');
}
}
if (array_key_exists('secret_attr', $config)) {
$this->secret_attr = $config['secret_attr'];
if (!is_string($this->secret_attr)) {
throw new Exception('Invalid attribute name given to simpletotp::2fa filter:
secret_attr must be a string');
}
}
if (array_key_exists('not_configured_url', $config)) {
$this->not_configured_url = $config['not_configured_url'];
if (!is_string($config['not_configured_url'])) {
throw new Exception('Invalid attribute value given to simpletotp::2fa filter:
not_configured_url must be a string');
}
//validate URL to ensure it's we will be able to redirect to
$this->not_configured_url = SimpleSAML_Utilities::checkURLAllowed($config['not_configured_url']);
}
}
public static function handleLogin($authStateId, $xmlToken)
{
assert('is_string($authStateId)');
$config = SimpleSAML_Configuration::getInstance();
$autoconfig = $config->copyFromBase('logininfocard', 'config-login-infocard.php');
$idp_key = $autoconfig->getValue('idp_key');
$idp_pass = $autoconfig->getValue('idp_key_pass', NULL);
$sts_crt = $autoconfig->getValue('sts_crt');
$Infocard = $autoconfig->getValue('InfoCard');
$infocard = new sspmod_InfoCard_RP_InfoCard();
$infocard->addIDPKey($idp_key, $idp_pass);
$infocard->addSTSCertificate($sts_crt);
if (!$xmlToken) {
SimpleSAML_Logger::debug("XMLtoken: " . $xmlToken);
} else {
SimpleSAML_Logger::debug("NOXMLtoken: " . $xmlToken);
}
$claims = $infocard->process($xmlToken);
if ($claims->isValid()) {
$attributes = array();
foreach ($Infocard['requiredClaims'] as $claim => $data) {
$attributes[$claim] = array($claims->{$claim});
}
foreach ($Infocard['optionalClaims'] as $claim => $data) {
$attributes[$claim] = array($claims->{$claim});
}
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($authStateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Find authentication source. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
$state['Attributes'] = $attributes;
unset($infocard);
unset($claims);
SimpleSAML_Auth_Source::completeAuth($state);
} else {
unset($infocard);
unset($claims);
return 'wrong_IC';
}
}
/**
* Check the credentials that the user got from the A-Select server.
* This function is called after the user returns from the A-Select server.
*
* @author Wessel Dankers, Tilburg University
*/
function check_credentials()
{
if (!array_key_exists('ssp_state', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing ssp_state parameter"));
}
$id = $_REQUEST['ssp_state'];
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($id);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($id, 'aselect:login');
if (!array_key_exists('a-select-server', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing a-select-server parameter"));
}
$server_id = $_REQUEST['a-select-server'];
if (!array_key_exists('aselect_credentials', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing aselect_credentials parameter"));
}
$credentials = $_REQUEST['aselect_credentials'];
if (!array_key_exists('rid', $_REQUEST)) {
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Missing rid parameter"));
}
$rid = $_REQUEST['rid'];
try {
if (!array_key_exists('aselect::authid', $state)) {
throw new SimpleSAML_Error_Exception("ASelect authentication source missing in state");
}
$authid = $state['aselect::authid'];
$aselect = SimpleSAML_Auth_Source::getById($authid);
if (is_null($aselect)) {
throw new SimpleSAML_Error_Exception("Could not find authentication source with id {$authid}");
}
$creds = $aselect->verify_credentials($server_id, $credentials, $rid);
if (array_key_exists('attributes', $creds)) {
$state['Attributes'] = $creds['attributes'];
} else {
$res = $creds['res'];
$state['Attributes'] = array('uid' => array($res['uid']), 'organization' => array($res['organization']));
}
} catch (Exception $e) {
SimpleSAML_Auth_State::throwException($state, $e);
}
SimpleSAML_Auth_Source::completeAuth($state);
SimpleSAML_Auth_State::throwException($state, new SimpleSAML_Error_Exception("Internal error in A-Select component"));
}
/**
* Continue the logout operation.
*
* This function will never return.
*
* @param string $assocId The association that is terminated.
* @param string|NULL $relayState The RelayState from the start of the logout.
* @param SimpleSAML_Error_Exception|NULL $error The error that occurred during session termination (if any).
*/
public function onResponse($assocId, $relayState, SimpleSAML_Error_Exception $error = NULL)
{
assert('is_string($assocId)');
assert('is_string($relayState) || is_null($relayState)');
if ($relayState === NULL) {
throw new SimpleSAML_Error_Exception('RelayState lost during logout.');
}
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($relayState);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($relayState, 'core:LogoutTraditional');
if ($error === NULL) {
SimpleSAML_Logger::info('Logged out of ' . var_export($assocId, TRUE) . '.');
$this->idp->terminateAssociation($assocId);
} else {
SimpleSAML_Logger::warning('Error received from ' . var_export($assocId, TRUE) . ' during logout:');
$error->logWarning();
$state['core:Failed'] = TRUE;
}
self::logoutNextSP($state);
}
<?php
/*
* This endpoint is provided for backwards compatibility,
* and should not be used.
*
* Use SingleLogoutService.php?ReturnTo=... instead.
*/
require_once '../../_include.php';
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
$idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId);
if (!isset($_REQUEST['RelayState'])) {
throw new SimpleSAML_Error_BadRequest('Missing required RelayState parameter.');
}
$idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed((string) $_REQUEST['RelayState']));
assert('FALSE');
/**
* Log out from this authentication source.
*
* This function should be overridden if the authentication source requires special
* steps to complete a logout operation.
*
* If the logout process requires a redirect, the state should be saved. Once the
* logout operation is completed, the state should be restored, and completeLogout
* should be called with the state. If this operation can be completed without
* showing the user a page, or redirecting, this function should return.
*
* @param array &$state Information about the current logout operation.
*/
public function logout(&$state)
{
assert('is_array($state)');
// check first if we have a valid session
if ($this->_poa->isAuthenticated()) {
/* We are will need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$this->_stateId = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
// TODO: pending on phpPoA adding PAPI_SLO_REDIRECT_URL_FINISH hook
$this->_poa->addHook("PAPI_SLO_REDIRECT_URL_FINISH", new Hook(array($this, "modifyParams")));
// perform single logout, this won't return
$this->_poa->logout(true);
} else {
if (isset($_REQUEST['SSPStateID'])) {
$this->_stateId = (string) $_REQUEST['SSPStateID'];
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($this->_stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($this->_stateId, self::STAGE_INIT);
} else {
return;
}
}
self::completeLogout($state);
}
}
if (array_key_exists('IDPList', $spmetadata)) {
$IDPList = array_unique(array_merge($IDPList, $spmetadata['IDPList']));
}
if (isset($_GET['IDPList']) && !empty($_GET['IDPList'])) {
$providers = $_GET['IDPList'];
if (!is_array($providers)) {
$providers = array($providers);
}
$IDPList = array_merge($IDPList, $providers);
}
$ar->setIDPList($IDPList);
/* Save request information. */
$info = array();
$info['RelayState'] = $returnTo;
if (array_key_exists('OnError', $_REQUEST)) {
$info['OnError'] = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['OnError']);
}
$session->setData('SAML2:SP:SSO:Info', $ar->getId(), $info);
/* Select appropriate SSO endpoint */
if ($ar->getProtocolBinding() === SAML2_Const::BINDING_HOK_SSO) {
$dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HOK_SSO));
} else {
$dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST));
}
$ar->setDestination($dst['Location']);
$b = SAML2_Binding::getBinding($dst['Binding']);
$b->send($ar);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
}
/**
* Resume authentication process.
*
* This function resumes the authentication process after the user has
* entered his or her credentials.
*
* @param array &$state The authentication state.
*/
public static function resume()
{
/*
* First we need to restore the $state-array. We should have the identifier for
* it in the 'State' request parameter.
*/
if (!isset($_REQUEST['State'])) {
throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
}
$stateId = (string) $_REQUEST['State'];
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/*
* Once again, note the second parameter to the loadState function. This must
* match the string we used in the saveState-call above.
*/
$state = SimpleSAML_Auth_State::loadState($stateId, 'exampleauth:External');
/*
* Now we have the $state-array, and can use it to locate the authentication
* source.
*/
$source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']);
if ($source === NULL) {
/*
* The only way this should fail is if we remove or rename the authentication source
* while the user is at the login page.
*/
throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
/*
* Make sure that we haven't switched the source type while the
* user was at the authentication page. This can only happen if we
* change config/authsources.php while an user is logging in.
*/
if (!$source instanceof self) {
throw new SimpleSAML_Error_Exception('Authentication source type changed.');
}
/*
* OK, now we know that our current state is sane. Time to actually log the user in.
*
* First we check that the user is acutally logged in, and didn't simply skip the login page.
*/
$attributes = $source->getUser();
if ($attributes === NULL) {
/*
* The user isn't authenticated.
*
* Here we simply throw an exception, but we could also redirect the user back to the
* login page.
*/
throw new SimpleSAML_Error_Exception('User not authenticated after login page.');
}
/*
* So, we have a valid user. Time to resume the authentication process where we
* paused it in the authenticate()-function above.
*/
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
/*
* The completeAuth-function never returns, so we never get this far.
*/
assert('FALSE');
}
/**
* Handle login request.
*
* This function is used by the login form (core/www/loginuserpass.php) when the user
* enters a username and password. On success, it will not return. On wrong
* username/password failure, it will return the error code. Other failures will throw an
* exception.
*
* @param string $authStateId The identifier of the authentication state.
* @param string $otp The one time password entered-
* @return string Error code in the case of an error.
*/
public static function handleLogin($authStateId, $otp)
{
assert('is_string($authStateId)');
assert('is_string($otp)');
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($authStateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Find authentication source. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
try {
/* Attempt to log in. */
$attributes = $source->login($otp);
} catch (SimpleSAML_Error_Error $e) {
/* An error occurred during login. Check if it is because of the wrong
* username/password - if it is, we pass that error up to the login form,
* if not, we let the generic error handler deal with it.
*/
if ($e->getErrorCode() === 'WRONGUSERPASS') {
return 'WRONGUSERPASS';
}
/* Some other error occurred. Rethrow exception and let the generic error
* handler deal with it.
*/
throw $e;
}
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
}
/**
* Handle login request.
*
* This function is used by the login form (core/www/loginuserpass.php) when the user
* enters a username and password. On success, it will not return. On wrong
* username/password failure, and other errors, it will throw an exception.
*
* @param string $authStateId The identifier of the authentication state.
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
*/
public static function handleLogin($authStateId, $username, $password)
{
assert('is_string($authStateId)');
assert('is_string($username)');
assert('is_string($password)');
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($authStateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* Here we retrieve the state array we saved in the authenticate-function. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Retrieve the authentication source we are executing. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
/*
* $source now contains the authentication source on which authenticate()
* was called. We should call login() on the same authentication source.
*/
/* Attempt to log in. */
try {
$attributes = $source->login($username, $password);
} catch (Exception $e) {
SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
throw $e;
}
SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.');
/* Save the attributes we received from the login-function in the $state-array. */
assert('is_array($attributes)');
$state['Attributes'] = $attributes;
/* Return control to simpleSAMLphp after successful authentication. */
SimpleSAML_Auth_Source::completeAuth($state);
}
require_once $ldapconfigfile;
if (!array_key_exists($idpentityid, $casldapconfig)) {
throw new Exception('No LDAP authentication configuration for this SAML 2.0 entity ID [' . $idpentityid . ']');
}
$ldapconfig = $casldapconfig[$idpentityid]['ldap'];
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('METADATA', $exception);
}
/*
* Load the RelayState argument. The RelayState argument contains the address
* we should redirect the user to after a successful authentication.
*/
if (!array_key_exists('RelayState', $_REQUEST)) {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$relaystate = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
if ($username = $_POST['username']) {
try {
$ldap = new SimpleSAML_Auth_LDAP($ldapconfig['servers'], $ldapconfig['enable_tls']);
$attributes = $ldap->validate($ldapconfig, $username, $_POST['password']);
if ($attributes === FALSE) {
$error = "LDAP_INVALID_CREDENTIALS";
} else {
$session->doLogin('login-wayf-ldap');
$session->setAttributes($attributes);
$session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
SimpleSAML_Utilities::redirectTrustedURL($relaystate);
}
} catch (Exception $e) {
throw new SimpleSAML_Error_Error('LDAPERROR', $e);
}
/**
* Get available organizations.
*
* This function is used by the login form to get the available organizations.
*
* @param string $authStateId The identifier of the authentication state.
* @return array|NULL Array of organizations. NULL if the user must enter the
* organization as part of the username.
*/
public static function listOrganizations($authStateId)
{
assert('is_string($authStateId)');
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($authStateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Find authentication source. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
$orgMethod = $source->getUsernameOrgMethod();
if ($orgMethod === 'force') {
return NULL;
}
return $source->getOrganizations();
}
assert('array_key_exists("saml:sp:AuthId", $state)');
if ($state['saml:sp:AuthId'] !== $sourceId) {
throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
}
/* Check that the issuer is the one we are expecting. */
assert('array_key_exists("ExpectedIssuer", $state)');
if ($state['ExpectedIssuer'] !== $idp) {
$idpMetadata = $source->getIdPMetadata($idp);
$idplist = $idpMetadata->getArrayize('IDPList', array());
if (!in_array($state['ExpectedIssuer'], $idplist)) {
throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
}
}
} else {
/* This is an unsolicited response. */
$state = array('saml:sp:isUnsolicited' => TRUE, 'saml:sp:AuthId' => $sourceId, 'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($response->getRelayState()));
}
SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.');
if (empty($idpMetadata)) {
$idpMetadata = $source->getIdPmetadata($idp);
}
try {
$assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
} catch (sspmod_saml_Error $e) {
/* The status of the response wasn't "success". */
$e = $e->toException();
SimpleSAML_Auth_State::throwException($state, $e);
}
$authenticatingAuthority = NULL;
$nameId = NULL;
$sessionIndex = NULL;
$response = $b->receive();
if (!$response instanceof SAML2_Response) {
throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
}
$idp = $response->getIssuer();
if ($idp === NULL) {
throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
}
$idpMetadata = $metadataHandler->getMetaDataConfig($idp, 'saml20-idp-remote');
/* Fetch the request information if it exists, fall back to RelayState if not. */
$requestId = $response->getInResponseTo();
$info = $session->getData('SAML2:SP:SSO:Info', $requestId);
if ($info === NULL) {
/* Fall back to RelayState. */
$info = array();
$info['RelayState'] = SimpleSAML_Utilities::checkURLAllowed($response->getRelayState());
if (empty($info['RelayState'])) {
$info['RelayState'] = $spMetadata->getString('RelayState', NULL);
}
if (empty($info['RelayState'])) {
/* RelayState missing. */
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
}
try {
$assertion = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
if (count($assertion) > 1) {
throw new SimpleSAML_Error_Exception('More than one assertion in received response.');
}
$assertion = $assertion[0];
} catch (sspmod_saml_Error $e) {
<?php
require_once '_include.php';
/**
* This page clears the user's IdP discovery choices.
*/
/* The base path for cookies. This should be the installation directory for simpleSAMLphp. */
$config = SimpleSAML_Configuration::getInstance();
$cookiePath = '/' . $config->getBaseUrl();
/* We delete all cookies which starts with 'idpdisco_' */
foreach ($_COOKIE as $cookieName => $value) {
if (substr($cookieName, 0, 9) !== 'idpdisco_') {
/* Not a idpdisco cookie. */
continue;
}
/* Delete the cookie. We delete it once without the secure flag and once with the secure flag. This
* ensures that the cookie will be deleted in any case.
*/
SimpleSAML_Utilities::setCookie($cookieName, NULL, array('path' => $cookiePath, 'httponly' => FALSE), FALSE);
}
/* Find where we should go now. */
if (array_key_exists('ReturnTo', $_REQUEST)) {
$returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']);
} else {
/* Return to the front page if no other destination is given. This is the same as the base cookie path. */
$returnTo = $cookiePath;
}
/* Redirect to destination. */
SimpleSAML_Utilities::redirectTrustedURL($returnTo);
public static function receiveLogoutMessage(SimpleSAML_IdP $idp)
{
// if a redirect is to occur based on wreply, we will redirect to url as
// this implies an override to normal sp notification.
if (isset($_GET['wreply']) && !empty($_GET['wreply'])) {
$idp->doLogoutRedirect(SimpleSAML_Utilities::checkURLAllowed($_GET['wreply']));
assert(FALSE);
}
$state = array('Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse'));
//$spEntityId = NULL;
//$assocId = 'adfs:' . $spEntityId;
$assocId = NULL;
// TODO: verify that this is really no problem for:
// a) SSP, because there's no caller SP...
// b) ADFS SP because caller will be called back...
$idp->handleLogoutRequest($state, $assocId);
}
<?php
/**
* Endpoint for logging out in with an authentication source.
*
* @package simpleSAMLphp
* @version $Id$
*/
if (!isset($_REQUEST['ReturnTo']) || !is_string($_REQUEST['ReturnTo'])) {
throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!isset($_REQUEST['AuthId']) || !is_string($_REQUEST['AuthId'])) {
throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->logout(SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']));
/**
* Initializes this discovery service.
*
* The constructor does the parsing of the request. If this is an invalid request, it will
* throw an exception.
*
* @param array $metadataSets Array with metadata sets we find remote entities in.
* @param string $instance The name of this instance of the discovery service.
*/
public function __construct(array $metadataSets, $instance)
{
assert('is_string($instance)');
/* Initialize standard classes. */
$this->config = SimpleSAML_Configuration::getInstance();
$this->metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$this->session = SimpleSAML_Session::getSessionFromRequest();
$this->instance = $instance;
$this->metadataSets = $metadataSets;
$this->log('Accessing discovery service.');
/* Standard discovery service parameters. */
if (!array_key_exists('entityID', $_GET)) {
throw new Exception('Missing parameter: entityID');
} else {
$this->spEntityId = $_GET['entityID'];
}
if (!array_key_exists('returnIDParam', $_GET)) {
$this->returnIdParam = 'entityID';
} else {
$this->returnIdParam = $_GET['returnIDParam'];
}
$this->log('returnIdParam initially set to [' . $this->returnIdParam . ']');
if (!array_key_exists('return', $_GET)) {
throw new Exception('Missing parameter: return');
} else {
$this->returnURL = SimpleSAML_Utilities::checkURLAllowed($_GET['return']);
}
$this->isPassive = FALSE;
if (array_key_exists('isPassive', $_GET)) {
if ($_GET['isPassive'] === 'true') {
$this->isPassive = TRUE;
}
}
$this->log('isPassive initially set to [' . ($this->isPassive ? 'TRUE' : 'FALSE') . ']');
if (array_key_exists('IdPentityID', $_GET)) {
$this->setIdPentityID = $_GET['IdPentityID'];
} else {
$this->setIdPentityID = NULL;
}
if (array_key_exists('IDPList', $_REQUEST)) {
$this->scopedIDPList = $_REQUEST['IDPList'];
}
}
<?php
/**
* Endpoint for logging in with an authentication source.
*
* @package simpleSAMLphp
*/
if (!is_string($_REQUEST['ReturnTo'])) {
throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!is_string($_REQUEST['AuthId'])) {
throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
/*
* Setting up the options for the requireAuth() call later..
*/
$options = array('ReturnTo' => SimpleSAML_Utilities::checkURLAllowed($_REQUEST['ReturnTo']));
/*
* Allows a saml:idp query string parameter specify the IdP entity ID to be used
* as used by the DiscoJuice embedded client.
*/
if (!empty($_REQUEST['saml:idp'])) {
$options['saml:idp'] = $_REQUEST['saml:idp'];
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->requireAuth($options);
SimpleSAML_Utilities::redirectTrustedURL($options['ReturnTo']);
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
finishLogin($authProcState);
}
if (empty($_POST['SAMLResponse'])) {
throw new SimpleSAML_Error_Error('ACSPARAMS', $exception);
}
try {
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
$authnResponse = $binding->decodeResponse($_POST);
$authnResponse->validate();
/* Successfully authenticated. */
$idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote');
SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']);
SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA');
$relayState = $authnResponse->getRelayState();
if (!isset($relayState)) {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted');
/* Begin module attribute processing */
$pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp');
$authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata);
$pc->processState($authProcState);
/* Since this function returns, processing has completed and attributes have
* been updated.
*/
finishLogin($authProcState);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
}
/**
* Retrieve state by ID.
*
* @param string $stateId The state ID.
* @return array The state array.
*/
public function loadState($stateId)
{
assert('is_string($stateId)');
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
return SimpleSAML_Auth_State::loadState($stateId, 'openidProvider:resumeState');
}
<?php
/**
* Handle linkback() response from CAS.
*/
if (!isset($_GET['stateID'])) {
throw new SimpleSAML_Error_BadRequest('Missing stateID parameter.');
}
$stateId = (string) $_GET['stateID'];
if (!isset($_GET['ticket'])) {
throw new SimpleSAML_Error_BadRequest('Missing ticket parameter.');
}
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
$state = SimpleSAML_Auth_State::loadState($stateId, sspmod_cas_Auth_Source_CAS::STAGE_INIT);
$state['cas:ticket'] = (string) $_GET['ticket'];
/* Find authentication source. */
assert('array_key_exists(sspmod_cas_Auth_Source_CAS::AUTHID, $state)');
$sourceId = $state[sspmod_cas_Auth_Source_CAS::AUTHID];
$source = SimpleSAML_Auth_Source::getById($sourceId);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $sourceId);
}
$source->finalStep($state);
* Falling back to builtin discovery service.
*/
if (array_key_exists('idpdisco.url', $spmetadata)) {
$discservice = $spmetadata['idpdisco.url'];
} elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) {
$discservice = $config->getString('idpdisco.url.shib13');
} else {
$discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php';
}
SimpleSAML_Utilities::redirectTrustedURL($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid'));
}
try {
$ar = new SimpleSAML_XML_Shib13_AuthnRequest();
$ar->setIssuer($spentityid);
if (isset($_GET['RelayState'])) {
$ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']));
}
SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
$url = $ar->createRedirect($idpentityid);
SimpleSAML_Utilities::redirectTrustedURL($url);
} catch (Exception $exception) {
throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
}
} else {
$relaystate = $_GET['RelayState'];
if (isset($relaystate) && !empty($relaystate)) {
SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState');
SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
} else {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
