Retrieve authentication data.
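/**
 * Process authentication requests.
 *
 * Records the IdP and SP entity ids in the request state, decides whether the
 * user has to (re)authenticate, and then either starts authentication or
 * reuses the existing session before handing the state to postAuth().
 *
 * Exceptions raised while authenticating are attached to the state through
 * SimpleSAML_Auth_State::throwException() so that the 'Responder' recorded in
 * the state receives them; anything that is not a SimpleSAML_Error_Exception is
 * wrapped in SimpleSAML_Error_UnserializableException first.
 *
 * @param array &$state The authentication request state. Must contain
 *                      'Responder'; 'SPMetadata', 'ForceAuthn' and
 *                      'saml:IDPList' are consulted when present.
 */
public function handleAuthenticationRequest(array &$state)
{
    // Expression-form assert: string assertions were removed in PHP 8.
    assert(isset($state['Responder']));

    $state['core:IdP'] = $this->id;

    // Array keys are case-sensitive, so both spellings of the entity id are checked.
    if (isset($state['SPMetadata']['entityid'])) {
        $spEntityId = $state['SPMetadata']['entityid'];
    } elseif (isset($state['SPMetadata']['entityID'])) {
        $spEntityId = $state['SPMetadata']['entityID'];
    } else {
        $spEntityId = null;
    }
    $state['core:SP'] = $spEntityId;

    /* First, check whether we need to authenticate the user. */
    if (isset($state['ForceAuthn']) && (bool) $state['ForceAuthn']) {
        /* Force authentication is in effect. */
        $needAuth = true;
    } elseif (isset($state['saml:IDPList']) && count($state['saml:IDPList']) > 0) {
        // Re-authenticate unless the IdP the current session came from is one of
        // those the SP explicitly accepts (strict comparison).
        $needAuth = !in_array($this->authSource->getAuthData('saml:sp:IdP'), $state['saml:IDPList'], true);
    } else {
        $needAuth = !$this->isAuthenticated();
    }

    $state['IdPMetadata'] = $this->getConfig()->toArray();
    $state['ReturnCallback'] = ['SimpleSAML_IdP', 'postAuth'];

    try {
        if ($needAuth) {
            // authenticate() is expected not to return (it hands control to the
            // authentication source); the assert documents that expectation.
            $this->authenticate($state);
            assert(false);
        } else {
            $this->reauthenticate($state);
        }
        $this->postAuth($state);
    } catch (SimpleSAML_Error_Exception $e) {
        SimpleSAML_Auth_State::throwException($state, $e);
    } catch (Exception $e) {
        // Wrap foreign exceptions so they can be stored in the state and re-thrown later.
        $e = new SimpleSAML_Error_UnserializableException($e);
        SimpleSAML_Auth_State::throwException($state, $e);
    }
}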
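// If request is a logout request
if (array_key_exists('logout', $_REQUEST)) {
    // The post-logout URL comes from configuration, not from the request.
    $returnURL = $cA_config->getValue('returnURL');
    $as->logout($returnURL);
}

$hashAttributes = $cA_config->getValue('attributes.hash');

/* Check if valid local session exists */
$as->requireAuth();

// Get released attributes
$attributes = $as->getAttributes();

// Get metadata storage handler
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

/*
 * Get IdP id and metadata
 */
if ($as->getAuthData('saml:sp:IdP') !== null) {
    /*
     * From a remote idp (as bridge)
     */
    $idp_entityid = $as->getAuthData('saml:sp:IdP');
    $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
} else {
    /*
     * from the local idp
     */
    $idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-hosted');
}

// Get user ID: the IdP metadata may name the attribute, otherwise fall back to eduPersonPrincipalName.
$userid_attributename = isset($idp_metadata['userid.attribute']) && is_string($idp_metadata['userid.attribute'])
    ? $idp_metadata['userid.attribute']
    : 'eduPersonPrincipalName';

// Stop here when the IdP did not release the identifier attribute, rather than
// continuing with a null user id (indexing an undefined array key).
if (empty($attributes[$userid_attributename])) {
    throw new Exception(
        'Could not find the user identifier attribute [' . $userid_attributename . '] in the released attributes.'
    );
}
$userids = $attributes[$userid_attributename];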
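// $as holds the authentication source id on entry and the Simple instance afterwards.
$as = new SimpleSAML_Auth_Simple($as);
$as->requireAuth();

// Get all attributes
$attributes = $as->getAttributes();

// Get user ID
$userid_attributename = $consentconfig->getValue('userid', 'eduPersonPrincipalName');
if (empty($attributes[$userid_attributename])) {
    throw new Exception(
        'Could not generate useridentifier for storing consent. Attribute [' . $userid_attributename . '] was not available.'
    );
}
// Attribute values are arrays; the first value is the identifier.
$userid = $attributes[$userid_attributename][0];

// Get metadata storage handler
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

/*
 * Get IdP id and metadata
 */
// Strict null check: a loose `!= null` would also treat '' and '0' as "no remote IdP"
// and silently fall back to the hosted IdP's metadata.
if ($as->getAuthData('saml:sp:IdP') !== null) {
    // From a remote idp (as bridge)
    $idp_entityid = $as->getAuthData('saml:sp:IdP');
    $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-remote');
} else {
    // from the local idp
    $idp_entityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    $idp_metadata = $metadata->getMetaData($idp_entityid, 'saml20-idp-hosted');
}

SimpleSAML_Logger::debug('consentAdmin: IdP is [' . $idp_entityid . ']');

// Source key used when hashing the user id: "<metadata-set>|<idp entity id>".
$source = $idp_metadata['metadata-set'] . '|' . $idp_entityid;

// Parse consent config
$consent_storage = sspmod_consent_Store::parseStoreConfig($consentconfig->getValue('store'));

// Calc correct user ID hash
$hashed_user_id = sspmod_consent_Auth_Process_Consent::getHashedUserID($userid, $source);

// Check if button with withdraw all consent was clicked.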
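}

// NOTE(review): the auth-source id is taken straight from the request; the
// SimpleSAML_Auth_Simple constructor is relied on to reject unknown sources — confirm.
$asId = (string) $_REQUEST['as'];
$as = new SimpleSAML_Auth_Simple($asId);

if (array_key_exists('logout', $_REQUEST)) {
    $as->logout('/' . $config->getBaseURL() . 'logout.php');
}

if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) {
    // This is just a simple example of an error
    $state = SimpleSAML_Auth_State::loadExceptionState();
    // Expression-form assert: string assertions were removed in PHP 8.
    assert(array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state));
    $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];

    // Plain text so the formatted exception lines are not interpreted as HTML.
    header('Content-Type: text/plain');
    echo "Exception during login:\n";
    foreach ($e->format() as $line) {
        echo $line . "\n";
    }
    exit(0);
}

if (!$as->isAuthenticated()) {
    // Come back to this page (with the same source id) after login or on error.
    $url = SimpleSAML_Module::getModuleURL('core/authenticate.php', ['as' => $asId]);
    $params = ['ErrorURL' => $url, 'ReturnTo' => $url];
    $as->login($params);
}

$attributes = $as->getAttributes();

$t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$t->data['header'] = '{status:header_saml20_sp}';
$t->data['attributes'] = $attributes;
// if saml:sp:IdP is set, this is SAML auth so we can pass a NameId
$t->data['nameid'] = !is_null($as->getAuthData('saml:sp:IdP')) ? $as->getAuthData('saml:sp:NameID') : false;
$t->data['logouturl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery() . '?as=' . urlencode($asId) . '&logout';
$t->show();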
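/**
 * Get the attributes from an SAML authentication exchange.
 *
 * These attributes can include all kinds of information, for example:
 * - firstname
 * - lastname
 * - email address
 * - etc.
 *
 * For SAML sources the plugin setting "<source>_external_id" may name an
 * auth-data key; when that key holds an array with a 'Value' entry, it is
 * added to the result as the extra attribute "elgg:external_id".
 *
 * @param SimpleSAML_Auth_Simple $saml_auth the Authentication object from the SimpleSAMLPHP library
 * @param string $source the name of the Service Provider
 *
 * @return bool|array an array with the provided attributes, false on failure
 */
function simplesaml_get_authentication_attributes(SimpleSAML_Auth_Simple $saml_auth, $source) {
	// $saml_auth is guaranteed by the type declaration; only the source name needs checking.
	if (empty($source)) {
		return false;
	}

	$result = $saml_auth->getAttributes();

	$auth_source = $saml_auth->getAuthSource();
	if (!($auth_source instanceof sspmod_saml_Auth_Source_SP)) {
		// only check extra data for SAML sources
		return $result;
	}

	$setting = elgg_get_plugin_setting($source . "_external_id", "simplesaml");
	if (empty($setting)) {
		return $result;
	}

	$external_id = $saml_auth->getAuthData($setting);
	// getAuthData() may return null or a non-array; only a NameID-style array
	// with a non-empty 'Value' entry is usable, so guard before indexing it.
	if (is_array($external_id) && !empty($external_id["Value"])) {
		$result["elgg:external_id"] = [$external_id["Value"]];
	}

	return $result;
}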
// Enclosing try block starts above this fragment; the catch clause is at the end.
// Groups: taken from the configured attribute when one is set, otherwise empty.
if ($groupsAttr !== null) {
    if (!array_key_exists($groupsAttr, $attributes)) {
        throw new Exception("The user doesn't have an attribute named '" . $groupsAttr . "'. This attribute is expected to contain the groups the user is a member of.");
    }
    $authData['Groups'] = $attributes[$groupsAttr];
} else {
    $authData['Groups'] = array();
}
// REMOTE_ADDR is the TCP peer address as seen by the web server, not a forwarded-for header.
$authData['RemoteIP'] = $_SERVER['REMOTE_ADDR'];
// Every released attribute is exported with an 'ATTR_' prefix.
foreach ($attributes as $n => $v) {
    $authData['ATTR_' . $n] = $v;
}

// store the authentication data in the memcache server
// Record format: one "name=value\r\n" line per entry, multi-valued attributes joined with ':'.
// NOTE(review): names and values are written unescaped, so an attribute containing
// "\r\n" or '=' would change the line structure of the record — confirm whether the
// consumer tolerates this or whether such characters should be rejected.
$data = '';
foreach ($authData as $n => $v) {
    if (is_array($v)) {
        $v = implode(':', $v);
    }
    $data .= $n . '=' . $v . "\r\n";
}
$memcache = $amc->getMemcache();
// The memcache entry expires together with the SimpleSAMLphp session.
$expirationTime = $s->getAuthData('Expire');
$memcache->set($sessionID, $data, 0, $expirationTime);

// register logout handler
$session = SimpleSAML_Session::getSessionFromRequest();
$session->registerLogoutHandler($sourceId, 'SimpleSAML_AuthMemCookie', 'logoutHandler');

// redirect the user back to this page to signal that the login is completed
\SimpleSAML\Utils\HTTP::redirectTrustedURL(\SimpleSAML\Utils\HTTP::getSelfURL());
} catch (Exception $e) {
    // Any failure above is reported as a configuration error.
    throw new SimpleSAML_Error_Error('CONFIG', $e);
}
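exit;
}

// NOTE(review): the auth-source id is taken straight from the request; the
// SimpleSAML_Auth_Simple constructor is relied on to reject unknown sources — confirm.
$asId = (string) $_REQUEST['as'];
$as = new SimpleSAML_Auth_Simple($asId);

if (array_key_exists('logout', $_REQUEST)) {
    $as->logout('/' . $config->getBaseURL() . 'logout.php');
}

if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) {
    // This is just a simple example of an error
    $state = SimpleSAML_Auth_State::loadExceptionState();
    // Expression-form assert: string assertions were removed in PHP 8.
    assert(array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state));
    $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];

    // Plain text so the formatted exception lines are not interpreted as HTML.
    header('Content-Type: text/plain');
    echo "Exception during login:\n";
    foreach ($e->format() as $line) {
        echo $line . "\n";
    }
    exit(0);
}

if (!$as->isAuthenticated()) {
    // Come back to this page (with the same source id) after login or on error.
    $url = SimpleSAML\Module::getModuleURL('core/authenticate.php', ['as' => $asId]);
    $params = ['ErrorURL' => $url, 'ReturnTo' => $url];
    $as->login($params);
}

$attributes = $as->getAttributes();

$t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$t->data['header'] = '{status:header_saml20_sp}';
$t->data['attributes'] = $attributes;
// Pass the NameID through when the session has one, otherwise false.
$t->data['nameid'] = !is_null($as->getAuthData('saml:sp:NameID')) ? $as->getAuthData('saml:sp:NameID') : false;
$t->data['logouturl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery() . '?as=' . urlencode($asId) . '&logout';
$t->show();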
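/**
 * Populate the principal and user details from a SimpleSAMLphp SP session.
 *
 * Requires authentication against the 'default-sp' source, records the logout
 * URL in Factory::$properties and, for the two supported IdPs, takes the
 * principal from the SAML NameID value and copies every released attribute
 * into $this->userDetails together with the local 'AuthenticationRealm'.
 * Sessions from any other IdP leave $this->principle and $this->userDetails
 * untouched.
 */
private function getAttributesInitToken()
{
    require_once '/var/simplesamlphp/lib/_autoload.php';
    $auth = new \SimpleSAML_Auth_Simple('default-sp');
    $auth->requireAuth();
    \Factory::$properties['LOGOUTURL'] = $auth->getLogoutURL('https://' . gethostname());

    $attributes = $auth->getAttributes();
    if (empty($attributes)) {
        return;
    }

    // which idp did the user select? Map its entityID to the local realm name.
    // Strict string comparison: with the former loose `==`, a non-string auth-data
    // value could compare equal to an entityID.
    $realms = [
        'https://www.egi.eu/idp/shibboleth' => 'EGI_SSO_IDP',
        'https://unity.eudat-aai.fz-juelich.de:8443/saml-idp/metadata' => 'EUDAT_SSO_IDP',
    ];
    $idp = $auth->getAuthData('saml:sp:IdP');
    if (!is_string($idp) || !isset($realms[$idp])) {
        return;
    }
    $realm = $realms[$idp];

    // NOTE(review): assumes the NameID auth data is an array with a 'Value' key — confirm.
    $nameID = $auth->getAuthData('saml:sp:NameID');
    $this->principle = $nameID['Value'];

    // Each attribute name can be used as an index into $attributes to obtain the value.
    // Every attribute value is an array - a single-valued attribute is an array of a single element.
    // The realm is assigned locally and must not be overwritten by an IdP-released
    // attribute of the same name: it is placed first and '+' keeps the first key.
    $this->userDetails = ['AuthenticationRealm' => [$realm]] + $attributes;
}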
}

// Return to this page after login, carrying the original query parameters.
$returnUrl = SimpleSAML\Utils\HTTP::getSelfURLNoQuery() . '?' . http_build_query($query);
$params = array('ForceAuthn' => $forceAuthn, 'isPassive' => $isPassive, 'ReturnTo' => $returnUrl);
// NOTE(review): the requested IdP is passed straight from the query string; the SP
// auth source is relied on to match it against known metadata — confirm.
if (isset($_GET['entityId'])) {
    $params['saml:idp'] = $_GET['entityId'];
}
// An IdP list overrides the entityId above: several entries become an IDPList, a single one the IdP.
if (isset($idpList)) {
    if (sizeof($idpList) > 1) {
        $params['saml:IDPList'] = $idpList;
    } else {
        $params['saml:idp'] = $idpList[0];
    }
}
$as->login($params);
}

// A session ticket is (re)issued when none exists or when re-authentication was forced.
$sessionExpiry = $as->getAuthData('Expire');
if (!is_array($sessionTicket) || $forceAuthn) {
    $sessionTicket = $ticketFactory->createSessionTicket($session->getSessionId(), $sessionExpiry);
    $ticketStore->addTicket($sessionTicket);
}

// Language: the cookie preference wins over the query parameter, which is only accepted as a string.
$parameters = array();
if (array_key_exists('language', $_GET)) {
    $oldLanguagePreferred = SimpleSAML_XHTML_Template::getLanguageCookie();
    if (isset($oldLanguagePreferred)) {
        $parameters['language'] = $oldLanguagePreferred;
    } else {
        if (is_string($_GET['language'])) {
            $parameters['language'] = $_GET['language'];
        }
    }
}
$title = 'SimpleSAMLphp Example SAML SP';
$user_session_key = 'user_session';
$saml_sso = 'saml_sso';

// If the user is logged in and requesting a logout.
if (isset($_SESSION[$user_session_key]) && isset($_REQUEST['logout'])) {
    // Log out of the same SP the session was established with, then drop the local session.
    $sp = $_SESSION[$user_session_key]['sp'];
    unset($_SESSION[$user_session_key]);
    $as = new SimpleSAML_Auth_Simple($sp);
    // NOTE(review): PHP_SELF can include client-supplied path info; a fixed script
    // URL would be safer as the return target — confirm how logout() validates ReturnTo.
    $as->logout(["ReturnTo" => $_SERVER['PHP_SELF']]);
}

// If the user is logging in.
if (isset($_REQUEST[$saml_sso])) {
    // The auth-source id comes from the request; the constructor is relied on to reject unknown sources.
    $sp = $_REQUEST[$saml_sso];
    $as = new SimpleSAML_Auth_Simple($sp);
    $as->requireAuth();
    // NOTE(review): assumes the NameID auth data is an array with a 'Value' key — confirm.
    $user = array('sp' => $sp, 'authed' => $as->isAuthenticated(), 'idp' => $as->getAuthData('saml:sp:IdP'), 'nameId' => $as->getAuthData('saml:sp:NameID')['Value'], 'attributes' => $as->getAttributes());
    $_SESSION[$user_session_key] = $user;
}
?> <!DOCTYPE html> <html> <head> <title><?php echo $title; ?> </title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <!-- Bootstrap --> <link href="<?php echo $bootstrap_cdn_css_url;