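/**
 * Write a statistics log line for this authentication.
 *
 * Emits one "<typeTag> <destination> <source> <attribute>" line per run, preceded by a
 * "<typeTag>-first ..." line when $state carries no 'PreviousSSOTimestamp' (first
 * authentication to this SP in the session). Source and destination are identified by
 * their 'core:statistics-id' when set, otherwise by 'entityid'; anything missing is
 * logged as 'NA'.
 *
 * @param array &$state The current state; must contain an 'Attributes' array.
 */
public function process(&$state)
{
    // Expression form: a string passed to assert() is no longer evaluated on PHP 8
    // (it is merely truthy), so the original string-form checks silently passed there.
    assert(is_array($state));
    assert(array_key_exists('Attributes', $state));

    $logAttribute = 'NA';
    $source = 'NA';
    $dest = 'NA';

    // First value of the configured attribute. An attribute present but without any
    // value stays 'NA' instead of reading a missing index 0.
    if (isset($state['Attributes'][$this->attribute][0])) {
        $logAttribute = $state['Attributes'][$this->attribute][0];
    }

    if (array_key_exists('Source', $state)) {
        $source = isset($state['Source']['core:statistics-id'])
            ? $state['Source']['core:statistics-id']
            : $state['Source']['entityid'];
    }
    if (array_key_exists('Destination', $state)) {
        $dest = isset($state['Destination']['core:statistics-id'])
            ? $state['Destination']['core:statistics-id']
            : $state['Destination']['entityid'];
    }

    // Values are written verbatim: an attribute value containing a line break would
    // span several log lines, so the configured attribute should be an identifier-like one.
    $line = $dest . ' ' . $source . ' ' . $logAttribute;

    if (!array_key_exists('PreviousSSOTimestamp', $state)) {
        /* The user hasn't authenticated with this SP earlier in this session. */
        SimpleSAML_Logger::stats($this->typeTag . '-first ' . $line);
    }
    SimpleSAML_Logger::stats($this->typeTag . ' ' . $line);
}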
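/**
 * Write a statistics log line in "#key=value#" format for this authentication.
 *
 * Fields: TS (unix time), AP (asserting party, the source entityid), RP (relying party,
 * the destination entityid), PN (pseudonymous user id) and AM (authentication method,
 * fixed to the SAML Password class). PN is sha256(attribute value . secretsalt), so the
 * raw identifier never reaches the log; fields that cannot be filled are 'NA'.
 *
 * @param array &$state The current state; must contain an 'Attributes' array.
 */
public function process(&$state)
{
    // Expression form: a string passed to assert() is no longer evaluated on PHP 8.
    assert(is_array($state));
    assert(array_key_exists('Attributes', $state));

    $TS = time();
    $AP = 'NA';
    $RP = 'NA';
    $PN = 'NA';
    $AM = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';

    // An attribute present but without any value stays 'NA' instead of reading index 0.
    if (isset($state['Attributes'][$this->attribute][0])) {
        // Unkeyed hash of value||salt: it hides the identifier only while the salt stays
        // secret, and a low-entropy identifier is guessable by anyone holding the salt.
        // hash_hmac() would be the standard keyed form, but switching changes every PN
        // and breaks continuity with existing logs.
        $PN = hash('sha256', $state['Attributes'][$this->attribute][0] . $this->secretsalt);
    }
    if (array_key_exists('Source', $state)) {
        $AP = $state['Source']['entityid'];
    }
    if (array_key_exists('Destination', $state)) {
        $RP = $state['Destination']['entityid'];
    }

    SimpleSAML_Logger::stats(
        $this->typeTag . '#TS=' . $TS . '#AP=' . $AP . '#RP=' . $RP . '#PN=' . $PN . '#AM=' . $AM . '#'
    );
}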
$userid = null; if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) { throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.'); } if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) { throw new SimpleSAML_Error_Error('NOTVALIDCERT', $e); } $userid = $_SERVER['SSL_CLIENT_S_DN']; $attributes['CertificateDN'] = array($userid); $attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']); $session->doLogin('tlsclient'); $session->setAttributes($attributes); #echo '<pre>'; #print_r($_SERVER); #echo '</pre>'; exit; SimpleSAML_Logger::info('AUTH - tlsclient: ' . $userid . ' successfully authenticated'); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-tlsclient OK'); } SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']); } catch (Exception $e) { throw new SimpleSAML_Error_Error('CONFIG', $e); }
} // end of contribution //$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username'])); SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' successfully authenticated'); $session->doLogin('login-radius'); $session->setAttributes($attributes); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-login-radius OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-login-radius OK'); } SimpleSAML_Utilities::redirectTrustedURL($relaystate); case RADIUS_ACCESS_REJECT: SimpleSAML_Logger::info('AUTH - radius: ' . $_POST['username'] . ' failed to authenticate'); throw new Exception('Radius authentication error: Bad credentials '); break; case RADIUS_ACCESS_CHALLENGE: SimpleSAML_Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius)); throw new Exception('Radius authentication error: Challenge requested'); break; default: SimpleSAML_Logger::critical('AUTH -radius: General radius error: ' . radius_strerror($radius)); throw new Exception('Error during radius authentication: ' . radius_strerror($radius)); } } catch (Exception $e) {
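/**
 * Process an authentication response.
 *
 * Saves the state and redirects the user to the page where the user can authorize the
 * release of the attributes. The user is passed straight on when consent is disabled in
 * the IdP's or the SP's metadata ('consent.disable'), or when a consent store is in use
 * and it already holds consent for this user, SP and attribute set. A store that fails
 * to answer is logged and treated as "no consent found".
 *
 * @param array &$state The state of the response. Needs 'UserID', 'Attributes', and
 *                      'Source'/'Destination' metadata carrying 'entityid' and 'metadata-set'.
 *
 * @return void
 *
 * @throws SimpleSAML_Error_NoPassive If consent must be asked during a passive request.
 */
public function process(&$state)
{
    // Expression form: a string argument to assert() is no longer evaluated on PHP 8, so
    // the original string-form checks silently passed there.
    assert(is_array($state));
    assert(array_key_exists('UserID', $state));
    assert(array_key_exists('Attributes', $state));
    assert(array_key_exists('Destination', $state));
    assert(array_key_exists('entityid', $state['Destination']));
    assert(array_key_exists('metadata-set', $state['Destination']));
    assert(array_key_exists('entityid', $state['Source']));
    assert(array_key_exists('metadata-set', $state['Source']));

    $spEntityId = $state['Destination']['entityid'];
    $idpEntityId = $state['Source']['entityid'];

    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

    /*
     * If the consent module is active on a bridge $state['saml:sp:IdP'] will contain an
     * entry id for the remote IdP. If not, then the consent module is active on a local
     * IdP and nothing needs to be done.
     */
    if (isset($state['saml:sp:IdP'])) {
        $idpEntityId = $state['saml:sp:IdP'];
        $idpmeta = $metadata->getMetaData($idpEntityId, 'saml20-idp-remote');
        $state['Source'] = $idpmeta;
    }

    $statsData = array('spEntityID' => $spEntityId);

    // Do not use consent if disabled: the IdP's metadata opts out per SP, the SP's metadata
    // opts out per IdP. The SP check is skipped once the IdP check has already matched.
    $disabledByIdp = isset($state['Source']['consent.disable'])
        && self::checkDisable($state['Source']['consent.disable'], $spEntityId);
    $disabledBySp = !$disabledByIdp
        && isset($state['Destination']['consent.disable'])
        && self::checkDisable($state['Destination']['consent.disable'], $idpEntityId);
    if ($disabledByIdp || $disabledBySp) {
        SimpleSAML_Logger::debug(
            'Consent: Consent disabled for entity ' . $spEntityId . ' with IdP ' . $idpEntityId
        );
        SimpleSAML_Stats::log('consent:disabled', $statsData);
        return;
    }

    if ($this->_store === null) {
        SimpleSAML_Logger::stats('Consent: No storage');
        SimpleSAML_Stats::log('consent:nostorage', $statsData);
    } else {
        $source = $state['Source']['metadata-set'] . '|' . $idpEntityId;
        $destination = $state['Destination']['metadata-set'] . '|' . $spEntityId;
        $attributes = $state['Attributes'];

        // Remove attributes that do not require consent, so they are neither part of the
        // consent hash nor able to invalidate stored consent when their values change.
        foreach (array_keys($attributes) as $attrkey) {
            // Strict match on the attribute name; the cast keeps integer-looking keys comparable.
            if (in_array((string) $attrkey, $this->_noconsentattributes, true)) {
                unset($attributes[$attrkey]);
            }
        }

        // The userid debug line carries the raw UserID; the store below only sees hashes.
        SimpleSAML_Logger::debug('Consent: userid: ' . $state['UserID']);
        SimpleSAML_Logger::debug('Consent: source: ' . $source);
        SimpleSAML_Logger::debug('Consent: destination: ' . $destination);

        $userId = self::getHashedUserID($state['UserID'], $source);
        $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
        $attributeSet = self::getAttributeHash($attributes, $this->_includeValues);

        SimpleSAML_Logger::debug(
            'Consent: hasConsent() [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']'
        );

        try {
            if ($this->_store->hasConsent($userId, $targetedId, $attributeSet)) {
                // Consent already given
                SimpleSAML_Logger::stats('Consent: Consent found');
                SimpleSAML_Stats::log('consent:found', $statsData);
                return;
            }

            SimpleSAML_Logger::stats('Consent: Consent notfound');
            SimpleSAML_Stats::log('consent:notfound', $statsData);

            $state['consent:store'] = $this->_store;
            $state['consent:store.userId'] = $userId;
            $state['consent:store.destination'] = $targetedId;
            $state['consent:store.attributeSet'] = $attributeSet;
        } catch (Exception $e) {
            // A failing store must not block the login: consent is asked for again, and
            // the 'consent:store*' keys stay unset so nothing is written back to it.
            SimpleSAML_Logger::error('Consent: Error reading from storage: ' . $e->getMessage());
            SimpleSAML_Logger::stats('Consent: Failed');
            SimpleSAML_Stats::log('consent:failed', $statsData);
        }
    }

    $state['consent:focus'] = $this->_focus;
    $state['consent:checked'] = $this->_checked;
    $state['consent:hiddenAttributes'] = $this->_hiddenAttributes;
    $state['consent:noconsentattributes'] = $this->_noconsentattributes;
    $state['consent:showNoConsentAboutService'] = $this->_showNoConsentAboutService;

    // User interaction necessary. Throw exception on isPassive request
    // (!empty() is the same truthiness test as the former isset() && == true).
    if (!empty($state['isPassive'])) {
        SimpleSAML_Stats::log('consent:nopassive', $statsData);
        throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
    }

    // Save state and redirect
    $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
    $url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
    SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
}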
} $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); finishLogin($authProcState); } if (empty($_POST['SAMLResponse'])) { throw new SimpleSAML_Error_Error('ACSPARAMS', $exception); } try { $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata); $authnResponse = $binding->decodeResponse($_POST); $authnResponse->validate(); /* Successfully authenticated. */ $idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote'); SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']); SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA'); $relayState = $authnResponse->getRelayState(); if (!isset($relayState)) { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } $spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted'); /* Begin module attribute processing */ $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp'); $authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata); $pc->processState($authProcState); /* Since this function returns, processing has completed and attributes have * been updated. */ finishLogin($authProcState); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
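/**
 * Process an authentication response.
 *
 * Saves the state and redirects the user to the page where the user can authorize the
 * release of the attributes. The user is passed straight on when the source metadata
 * disables consent for this SP ('consent.disable'), or when the configured store already
 * holds consent for this user, SP and attribute set.
 *
 * @param array &$state The state of the response. Needs 'UserID', 'Attributes', and
 *                      'Source'/'Destination' metadata carrying 'entityid' and 'metadata-set'.
 *
 * @throws SimpleSAML_Error_NoPassive If consent must be asked during a passive request.
 */
public function process(&$state)
{
    // Expression form: a string argument to assert() is no longer evaluated on PHP 8.
    assert(is_array($state));
    assert(array_key_exists('UserID', $state));
    assert(array_key_exists('Attributes', $state));
    assert(array_key_exists('Destination', $state));
    assert(array_key_exists('entityid', $state['Destination']));
    assert(array_key_exists('metadata-set', $state['Destination']));
    assert(array_key_exists('entityid', $state['Source']));
    assert(array_key_exists('metadata-set', $state['Source']));

    $session = SimpleSAML_Session::getInstance();
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

    /*
     * If the consent module is active on a bridge $state['saml:sp:IdP'] will contain an
     * entry id for the remote IdP. If not, then the consent module is active on a local
     * IdP and nothing needs to be done.
     */
    if (isset($state['saml:sp:IdP'])) {
        $state['Source'] = $metadata->getMetaData($state['saml:sp:IdP'], 'saml20-idp-remote');
    } else {
        $sessionIdp = $session->getIdP();
        if ($sessionIdp !== NULL) {
            /* For backwards compatibility. TODO: Remove in version 1.8. */
            $state['Source'] = $metadata->getMetaData($sessionIdp, 'saml20-idp-remote');
        }
    }

    $spEntityId = $state['Destination']['entityid'];

    // Do not use consent if disabled on the source entity. Checked before the store lookup
    // so a metadata opt-out also applies when no consent store is configured (previously
    // the check only ran with a store, so the user was still asked without one).
    if (isset($state['Source']['consent.disable'])
        && in_array($spEntityId, $state['Source']['consent.disable'], true)
    ) {
        SimpleSAML_Logger::debug('Consent - Consent disabled for entity ' . $spEntityId);
        return;
    }

    if ($this->store !== NULL) {
        $source = $state['Source']['metadata-set'] . '|' . $state['Source']['entityid'];
        $destination = $state['Destination']['metadata-set'] . '|' . $spEntityId;

        // The userid debug line carries the raw UserID; the store below only sees hashes.
        SimpleSAML_Logger::debug('Consent - userid : ' . $state['UserID']);
        SimpleSAML_Logger::debug('Consent - source : ' . $source);
        SimpleSAML_Logger::debug('Consent - destination : ' . $destination);

        $userId = self::getHashedUserID($state['UserID'], $source);
        $targetedId = self::getTargetedID($state['UserID'], $source, $destination);
        $attributeSet = self::getAttributeHash($state['Attributes'], $this->includeValues);

        SimpleSAML_Logger::debug(
            'Consent - hasConsent() : [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']'
        );

        // A store error is not caught here and propagates to the caller.
        if ($this->store->hasConsent($userId, $targetedId, $attributeSet)) {
            SimpleSAML_Logger::stats('consent found');
            /* Consent already given. */
            return;
        }

        SimpleSAML_Logger::stats('consent notfound');

        $state['consent:store'] = $this->store;
        $state['consent:store.userId'] = $userId;
        $state['consent:store.destination'] = $targetedId;
        $state['consent:store.attributeSet'] = $attributeSet;
    } else {
        SimpleSAML_Logger::stats('consent nostorage');
    }

    $state['consent:focus'] = $this->focus;
    $state['consent:checked'] = $this->checked;
    $state['consent:hiddenAttributes'] = $this->hiddenAttributes;

    /* User interaction necessary. Throw exception on isPassive request
     * (!empty() is the same truthiness test as the former isset() && == TRUE). */
    if (!empty($state['isPassive'])) {
        throw new SimpleSAML_Error_NoPassive('Unable to give consent on passive request.');
    }

    /* Save state and redirect. */
    $id = SimpleSAML_Auth_State::saveState($state, 'consent:request');
    $url = SimpleSAML_Module::getModuleURL('consent/getconsent.php');
    SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}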
$assertion = $assertion[0]; } catch (sspmod_saml_Error $e) { /* The status of the response wasn't "success". */ $status = $response->getStatus(); if (array_key_exists('OnError', $info)) { /* We have an error handler. Return the error to it. */ SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code'])); } /* We don't have an error handler. Show an error page. */ throw new SimpleSAML_Error_Error('RESPONSESTATUSNOSUCCESS', $e); } SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successful response from IdP'); /* * Attribute handling */ $attributes = $assertion->getAttributes(); SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadataHandler->getMetaDataCurrentEntityID() . ' ' . $idp . ' NA'); $nameId = $assertion->getNameId(); /* Begin module attribute processing */ $spMetadataArray = $spMetadata->toArray(); $idpMetadataArray = $idpMetadata->toArray(); $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp'); $authProcState = array('core:saml20-sp:NameID' => $nameId, 'core:saml20-sp:SessionIndex' => $assertion->getSessionIndex(), 'core:saml20-sp:TargetURL' => $info['RelayState'], 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $attributes, 'Destination' => $spMetadataArray, 'Source' => $idpMetadataArray); $pc->processState($authProcState); /* Since this function returns, processing has completed and attributes have * been updated. */ finishLogin($authProcState); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception); }
throw new Exception('Wrong username or password'); } $attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']); SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' successfully authenticated'); $session->doLogin('login-ldapmulti'); $session->setAttributes($attributes); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK'); } $returnto = $_REQUEST['RelayState']; SimpleSAML_Utilities::redirect($returnto); } catch (Exception $e) { $error = $e->getMessage(); } } $t = new SimpleSAML_XHTML_Template($config, 'login-ldapmulti.php', 'login'); $t->data['header'] = 'simpleSAMLphp: Enter username and password'; $t->data['relaystate'] = $_REQUEST['RelayState']; $t->data['ldapconfig'] = $ldapmulti; $t->data['org'] = $_REQUEST['org']; $t->data['error'] = $error; if (isset($error)) { $t->data['username'] = $_POST['username'];
$session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-login-feide OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-login-feide OK'); } $returnto = $_REQUEST['RelayState']; SimpleSAML_Utilities::redirect($returnto); } catch (Exception $e) { SimpleSAML_Logger::error('AUTH - ldap-feide: User: '******'na') . ':' . $e->getMessage()); SimpleSAML_Logger::stats('AUTH-login-feide Failed'); $error = $e->getMessage(); } } $t = new SimpleSAML_XHTML_Template($config, 'login-feide.php', 'login'); $t->data['header'] = 'simpleSAMLphp: Enter username and password'; $t->data['relaystate'] = $_REQUEST['RelayState']; $t->data['ldapconfig'] = $ldaporgconfig; $t->data['protocol'] = $protocol; $t->data['authid'] = $authid; if (array_key_exists('logo', $spmetadata)) { $t->data['splogo'] = $spmetadata['logo']; } else { $t->data['splogo'] = NULL; } if (array_key_exists('description', $spmetadata)) {
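/* Find the status of all SPs. */
foreach ($SPs as $assocId => &$sp) {
    $spId = 'logout-iframe-' . sha1($assocId);
    // Status reported back by the browser for this SP. Only the two literal terminal
    // values are accepted; any other request value leaves the stored state untouched.
    if (isset($_REQUEST[$spId])) {
        $spStatus = $_REQUEST[$spId];
        if ($spStatus === 'completed' || $spStatus === 'failed') {
            $sp['core:Logout-IFrame:State'] = $spStatus;
        }
    }
    // An association the IdP no longer knows about has nothing left to terminate.
    if (!isset($associations[$assocId])) {
        $sp['core:Logout-IFrame:State'] = 'completed';
    }
}
// Drop the by-reference loop variable: otherwise the by-value foreach below writes each
// element into the last entry of $SPs through the dangling reference.
unset($sp);

/* Terminate the associations. */
foreach ($SPs as $assocId => $sp) {
    if ($sp['core:Logout-IFrame:State'] === 'completed') {
        $idp->terminateAssociation($assocId);
    } else {
        SimpleSAML_Logger::warning('Unable to terminate association with ' . var_export($assocId, TRUE) . '.');
        // Prefer the SAML entityID for statistics, fall back to the association id.
        $spId = isset($sp['saml:entityID']) ? $sp['saml:entityID'] : $assocId;
        SimpleSAML_Logger::stats('slo-iframe-fail ' . $spId);
        SimpleSAML_Stats::log('core:idp:logout-iframe:spfail', array('sp' => $spId));
        // One SP that did not complete marks the whole logout as failed.
        $state['core:Failed'] = TRUE;
    }
}

/* We are done. */
$idp->finishLogout($state);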
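/**
 * Handle login request.
 *
 * This function is used by the login form (core/www/loginuserpass.php) when the user
 * enters a username and password. On success, it will not return. On wrong
 * username/password failure, and other errors, it will throw an exception.
 *
 * @param string $authStateId The identifier of the authentication state.
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @throws Exception If no authentication source matches the saved state, or whatever the
 *                   source's login() throws (rethrown after a stats entry).
 */
public static function handleLogin($authStateId, $username, $password)
{
    // Expression form: a string argument to assert() is no longer evaluated on PHP 8.
    assert(is_string($authStateId));
    assert(is_string($username));
    assert(is_string($password));

    /* Here we retrieve the state array we saved in the authenticate-function. */
    $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);

    /* Retrieve the authentication source we are executing. */
    assert(array_key_exists(self::AUTHID, $state));
    $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
    if ($source === NULL) {
        throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
    }

    /*
     * $source now contains the authentication source on which authenticate()
     * was called. We should call login() on the same authentication source.
     */

    /* Attempt to log in. A failure is counted per client address before it propagates. */
    try {
        $attributes = $source->login($username, $password);
    } catch (Exception $e) {
        SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
        throw $e;
    }

    // The username is written as typed (no line-break stripping); the password is never logged.
    SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.');

    /* Save the attributes we received from the login-function in the $state-array. */
    assert(is_array($attributes));
    $state['Attributes'] = $attributes;

    /* Return control to simpleSAMLphp after successful authentication. */
    SimpleSAML_Auth_Source::completeAuth($state);
}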
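/**
 * Handle login request.
 *
 * This function is used by the login form (core/www/loginuserpass.php) when the user
 * enters a username and password. On success, it will not return. On wrong
 * username/password failure, and other errors, it will throw an exception.
 *
 * If the request also carries an 'OTP' parameter it is appended to the password before
 * the authentication source is called.
 *
 * @param string $authStateId The identifier of the authentication state.
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @param string $transaction_id Transaction id of a pending challenge-response.
 * @param mixed $signaturedata Passed through unchanged to login_chal_resp(); not checked here.
 * @param mixed $clientdata Passed through unchanged to login_chal_resp(); not checked here.
 * @throws Exception If no authentication source matches the saved state, or whatever
 *                   login_chal_resp() throws (rethrown after a stats entry).
 */
public static function handleLogin($authStateId, $username, $password, $transaction_id, $signaturedata, $clientdata)
{
    // Expression form: a string argument to assert() is no longer evaluated on PHP 8.
    assert(is_string($authStateId));
    assert(is_string($username));
    assert(is_string($password));
    assert(is_string($transaction_id));

    SimpleSAML_Logger::debug("calling privacyIDEA handleLogin with authState: " . $authStateId . " for user " . $username);

    // NOTE(review): $_REQUEST also accepts the OTP from the query string and cookies; if the
    // login form only ever POSTs it, $_POST would be the tighter source - confirm with the form.
    if (array_key_exists("OTP", $_REQUEST)) {
        $otp = $_REQUEST["OTP"];
        $password = $password . $otp;
        SimpleSAML_Logger::stats('Found OTP in Auth request. Concatenating passwords.');
    }

    // sanitize the input: the return URL embedded in the state id must be an allowed one.
    // The return value of checkURLAllowed() is discarded, so this relies on it throwing
    // for a URL that is not allowed.
    $sid = SimpleSAML_Utilities::parseStateID($authStateId);
    if (!is_null($sid['url'])) {
        SimpleSAML_Utilities::checkURLAllowed($sid['url']);
    }

    /* Here we retrieve the state array we saved in the authenticate-function. */
    $state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);

    /* Retrieve the authentication source we are executing. */
    assert(array_key_exists(self::AUTHID, $state));
    $source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
    if ($source === NULL) {
        throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
    }

    /*
     * $source now contains the authentication source on which authenticate()
     * was called. We should call login() on the same authentication source.
     */

    /* Attempt to log in. A failure is counted per client address before it propagates. */
    try {
        $attributes = $source->login_chal_resp($username, $password, $transaction_id, $signaturedata, $clientdata);
    } catch (Exception $e) {
        SimpleSAML_Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
        throw $e;
    }

    // The username is written as typed; neither the password nor the OTP is logged.
    SimpleSAML_Logger::stats('User \'' . $username . '\' has been successfully authenticated.');

    /* Save the attributes we received from the login-function in the $state-array. */
    assert(is_array($attributes));
    $state['Attributes'] = $attributes;

    /* Return control to simpleSAMLphp after successful authentication. */
    SimpleSAML_Auth_Source::completeAuth($state);
}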
$session->setAttributes($attributes); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); SimpleSAML_Logger::info('AUTH - admin: ' . $username . ' successfully authenticated'); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-login-admin OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-login-admin OK'); } SimpleSAML_Utilities::redirect($relaystate); exit(0); } else { SimpleSAML_Logger::stats('AUTH-login-admin Failed'); $error = 'error_wrongpassword'; SimpleSAML_Logger::info($error); } } $t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login'); $t->data['header'] = 'simpleSAMLphp: Enter username and password'; $t->data['relaystate'] = $relaystate; $t->data['admin'] = TRUE; $t->data['autofocus'] = 'password'; $t->data['error'] = $error; if (isset($error)) { $t->data['username'] = $username; } $t->show();
$spEntityId = $logoutrequest->getIssuer(); if ($spEntityId === NULL) { throw new Exception('Missing issuer in logout request.'); } $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote'); sspmod_saml2_Message::validateMessage($spMetadata, $idpMetadata, $logoutrequest); } catch (Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'LOGOUTREQUEST', $exception); } // Extract some parameters from the logout request #$requestid = $logoutrequest->getRequestID(); $requester = $logoutrequest->getIssuer(); #$relayState = $logoutrequest->getRelayState(); $responder = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer()); SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $requester . ' ' . $responder); $session->doLogout(); /* Fill in the $logoutInfo associative array with information about this logout request. */ $logoutInfo['Issuer'] = $logoutrequest->getIssuer(); $logoutInfo['RequestID'] = $logoutrequest->getId(); $relayState = $logoutrequest->getRelayState(); if ($relayState !== NULL) { $logoutInfo['RelayState'] = $relayState; } SimpleSAML_Logger::debug('SAML2.0 - IDP.SingleLogoutService: Setting cached request with issuer ' . $logoutrequest->getIssuer()); $session->set_sp_logout_completed($logoutrequest->getIssuer()); /* * We receive a Logout Response to a Logout Request that we have issued earlier. * If so, there is a misconfiguration. */ } elseif (isset($_REQUEST['SAMLResponse'])) {
/**
 * Receive a logout message.
 *
 * Reads a LogoutRequest or LogoutResponse from the current binding, validates it against
 * the issuing SP's metadata and hands it to the IdP. Messages without an issuer, or of any
 * other type, are rejected with a BadRequest error.
 *
 * @param SimpleSAML_IdP $idp The IdP we are receiving it for.
 */
public static function receiveLogoutMessage(SimpleSAML_IdP $idp)
{
    $message = SAML2_Binding::getCurrentBinding()->receive();

    $spEntityId = $message->getIssuer();
    if ($spEntityId === NULL) {
        /* Without an issuer we have no way to respond to the message. */
        throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.');
    }

    $idpMetadata = $idp->getConfig();
    $spMetadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler()
        ->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

    // Validated against the issuer's metadata before anything in the message is acted on.
    sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $message);

    $issuerForLog = var_export($spEntityId, TRUE);
    $assocId = 'saml:' . $spEntityId;

    if ($message instanceof SAML2_LogoutResponse) {
        SimpleSAML_Logger::info('Received SAML 2.0 LogoutResponse from: ' . $issuerForLog);

        $succeeded = $message->isSuccess();
        $statsData = array(
            'spEntityID' => $spEntityId,
            'idpEntityID' => $idpMetadata->getString('entityid'),
        );
        if (!$succeeded) {
            $statsData['error'] = $message->getStatus();
        }
        SimpleSAML_Stats::log('saml:idp:LogoutResponse:recv', $statsData);

        // A failed status is reported to the IdP as the logout error, otherwise NULL.
        $logoutError = NULL;
        if (!$succeeded) {
            $logoutError = sspmod_saml_Message::getResponseError($message);
            SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . $logoutError);
        }

        $idp->handleLogoutResponse($assocId, $message->getRelayState(), $logoutError);
        return;
    }

    if ($message instanceof SAML2_LogoutRequest) {
        SimpleSAML_Logger::info('Received SAML 2.0 LogoutRequest from: ' . $issuerForLog);

        $idpEntityId = $idpMetadata->getString('entityid');
        SimpleSAML_Stats::log('saml:idp:LogoutRequest:recv', array(
            'spEntityID' => $spEntityId,
            'idpEntityID' => $idpEntityId,
        ));

        // Statistics use the SP's 'core:statistics-id' when configured, else its entityid.
        $spStatsId = $spMetadata->getString('core:statistics-id', $spEntityId);
        SimpleSAML_Logger::stats('saml20-idp-SLO spinit ' . $spStatsId . ' ' . $idpEntityId);

        $state = array(
            'Responder' => array('sspmod_saml_IdP_SAML2', 'sendLogoutResponse'),
            'saml:SPEntityId' => $spEntityId,
            'saml:RelayState' => $message->getRelayState(),
            'saml:RequestId' => $message->getId(),
        );
        $idp->handleLogoutRequest($state, $assocId);
        return;
    }

    throw new SimpleSAML_Error_BadRequest('Unknown message received on logout endpoint: ' . get_class($message));
}
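/**
 * Initialize processing.
 *
 * Only writes a "TwoFactorAttrFilter start" marker to the statistics log; $state is
 * neither inspected nor modified beyond the type check.
 *
 * @param array &$state The state we should update.
 */
public function process(&$state)
{
    // Expression form: a string passed to assert() is no longer evaluated on PHP 8.
    assert(is_array($state));
    SimpleSAML_Logger::stats("TwoFactorAttrFilter start");
}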
// throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.'); //} if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); SimpleSAML_Auth_Source::completeLogout($state); } elseif ($message instanceof SAML2_LogoutRequest) { SimpleSAML_Logger::debug('module/saml2/sp/logout: Request from ' . $idpEntityId); SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId); if ($message->isNameIdEncrypted()) { try { $keys = sspmod_saml_Message::getDecryptionKeys($srcMetadata, $dstMetadata); } catch (Exception $e) { throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage()); } $lastException = NULL; foreach ($keys as $i => $key) { try { $message->decryptNameId($key); SimpleSAML_Logger::debug('Decryption with key #' . $i . ' succeeded.'); } catch (Exception $e) { SimpleSAML_Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage()); $lastException = $e; }
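/**
 * Attempt to log in using the given username and password.
 *
 * The Kerberos principal is the scope-stripped username with the configured realm
 * appended. On success the returned 'uid' is the principal reported back by the
 * library, scope-stripped when stripRealm is set.
 *
 * @param string $username The username the user wrote.
 * @param string $password The password the user wrote.
 * @return array Associative array with the users attributes ('uid' => array($uid)).
 * @throws SimpleSAML_Error_Error WRONGUSERPASS on any failure; the underlying exception
 *                                is deliberately not exposed to the user (it is not logged
 *                                either, only the failed attempt is).
 */
protected function login($username, $password)
{
    // Expression form: a string argument to assert() is no longer evaluated on PHP 8.
    assert(is_string($username));
    assert(is_string($password));

    $principal = $this->stripScope($username) . $this->realm;
    $client = $_SERVER['REMOTE_ADDR'];

    try {
        $this->krb5->initPassword($principal, $password);
        $authenticated = $this->krb5->getPrincipal();
        $uid = $this->stripRealm ? $this->stripScope($authenticated) : $authenticated;
        $attributes = array('uid' => array($uid));
        SimpleSAML_Logger::stats('User \'' . $username . '\' successfully authenticated from ' . $client . '.');
        return $attributes;
    } catch (Exception $error) {
        // Generic failure: the same error code for unknown user and wrong password, so the
        // response cannot be used to tell accounts apart.
        SimpleSAML_Logger::stats('User \'' . $username . '\' failed authentication from ' . $client . '.');
        throw new SimpleSAML_Error_Error('WRONGUSERPASS');
    }
}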
<?php if (!isset($_REQUEST['id'])) { throw new SimpleSAML_Error_BadRequest('Missing required parameter: id'); } if (isset($_REQUEST['type'])) { $type = (string) $_REQUEST['type']; if (!in_array($type, array('init', 'js', 'nojs', 'embed'), TRUE)) { throw new SimpleSAML_Error_BadRequest('Invalid value for type.'); } } else { $type = 'init'; } if ($type !== 'embed' && $type !== 'async') { SimpleSAML_Logger::stats('slo-iframe ' . $type); SimpleSAML_Stats::log('core:idp:logout-iframe:page', array('type' => $type)); } $state = SimpleSAML_Auth_State::loadState($_REQUEST['id'], 'core:Logout-IFrame'); $idp = SimpleSAML_IdP::getByState($state); if ($type !== 'init') { /* Update association state. */ $associations = $idp->getAssociations(); foreach ($state['core:Logout-IFrame:Associations'] as $assocId => &$sp) { $spId = sha1($assocId); /* Move SPs from 'onhold' to 'inprogress'. */ if ($sp['core:Logout-IFrame:State'] === 'onhold') { $sp['core:Logout-IFrame:State'] = 'inprogress'; } /* Check for update through request. */ if (isset($_REQUEST[$spId])) { $s = $_REQUEST[$spId];
$state = SimpleSAML_Auth_State::loadState($id, 'consent:request'); if (array_key_exists('core:SP', $state)) { $spentityid = $state['core:SP']; } else { if (array_key_exists('saml:sp:State', $state)) { $spentityid = $state['saml:sp:State']['core:SP']; } else { $spentityid = 'UNKNOWN'; } } // The user has pressed the yes-button if (array_key_exists('yes', $_REQUEST)) { if (array_key_exists('saveconsent', $_REQUEST)) { SimpleSAML_Logger::stats('consentResponse remember'); } else { SimpleSAML_Logger::stats('consentResponse rememberNot'); } $statsInfo = array('remember' => array_key_exists('saveconsent', $_REQUEST)); if (isset($state['Destination']['entityid'])) { $statsInfo['spEntityID'] = $state['Destination']['entityid']; } SimpleSAML_Stats::log('consent:accept', $statsInfo); if (array_key_exists('consent:store', $state) && array_key_exists('saveconsent', $_REQUEST) && $_REQUEST['saveconsent'] === '1') { /* Save consent. */ $store = $state['consent:store']; $userId = $state['consent:store.userId']; $targetedId = $state['consent:store.destination']; $attributeSet = $state['consent:store.attributeSet']; SimpleSAML_Logger::debug('Consent - saveConsent() : [' . $userId . '|' . $targetedId . '|' . $attributeSet . ']'); try { $store->saveConsent($userId, $targetedId, $attributeSet);