Retrieve the current URL using the base URL in the configuration, without the query parameters.
public static getSelfURLNoQuery ( ) : string | ||
Результат | string | The current URL, not including query parameters. |
/**
 * Persist an error report in the session and return its contents.
 *
 * The report is built from the formatted exception (first line is the
 * message, the remaining lines form the trace), tagged with a random
 * report id, logged, and stored under the 'core:errorreport' session
 * namespace keyed by that id.
 *
 * @return array The error report data: exceptionMsg, exceptionTrace,
 *               reportId, trackId, url, version and referer.
 */
protected function saveError()
{
    $lines = $this->format();
    $message = array_shift($lines);
    $trace = implode("\n", $lines);

    // 8 hex characters; used to correlate the log entry below with the stored report.
    $reportId = bin2hex(openssl_random_pseudo_bytes(4));
    SimpleSAML_Logger::error('Error report with id ' . $reportId . ' generated.');

    $config = SimpleSAML_Configuration::getInstance();
    $session = SimpleSAML_Session::getSessionFromRequest();

    // The Referer header is client-supplied. Only the part before the first '?' or ';'
    // is kept so that query strings or path parameters (which may carry sensitive data)
    // never end up in the stored report. What remains is still untrusted text and must
    // be escaped wherever it is rendered.
    $referer = 'unknown';
    if (isset($_SERVER['HTTP_REFERER'])) {
        $referer = $_SERVER['HTTP_REFERER'];
        foreach (array('?', ';') as $separator) {
            $parts = explode($separator, $referer, 2);
            $referer = $parts[0];
        }
    }

    $errorData = array(
        'exceptionMsg'   => $message,
        'exceptionTrace' => $trace,
        'reportId'       => $reportId,
        'trackId'        => $session->getTrackID(),
        'url'            => \SimpleSAML\Utils\HTTP::getSelfURLNoQuery(),
        'version'        => $config->getVersion(),
        'referer'        => $referer,
    );
    $session->setData('core:errorreport', $reportId, $errorData);

    return $errorData;
}
$output_xhtml = array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml'; $metaxml = $metaBuilder->getEntityDescriptorText($output_xhtml); if (!$output_xhtml) { $metaxml = str_replace("\n", '', $metaxml); } // sign the metadata if enabled $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP'); if ($output_xhtml) { $defaultidp = $config->getString('default-adfs-idp', null); $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); $t->data['clipboard.js'] = true; $t->data['available_certs'] = $availableCerts; $t->data['header'] = 'adfs-idp'; // TODO: Replace with headerString in 2.0 $t->data['headerString'] = $t->noop('metadata_adfs-idp'); $t->data['metaurl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery(); $t->data['metadata'] = htmlspecialchars($metaxml); $t->data['metadataflat'] = htmlspecialchars($metaflat); $t->data['defaultidp'] = $defaultidp; $t->show(); } else { header('Content-Type: application/xml'); // make sure to export only the md:EntityDescriptor $metaxml = substr($metaxml, strpos($metaxml, '<md:EntityDescriptor')); // 22 = strlen('</md:EntityDescriptor>') $metaxml = substr($metaxml, 0, strrpos($metaxml, '</md:EntityDescriptor>') + 22); echo $metaxml; exit(0); } } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception);
if (!$idpmeta->hasValue('OrganizationURL')) { throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.'); } $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL'); } $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';'; $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid); $metaBuilder->addMetadataIdP11($metaArray); $metaBuilder->addOrganizationInfo($metaArray); $metaBuilder->addContact('technical', \SimpleSAML\Utils\Config\Metadata::getContact(array('emailAddress' => $config->getString('technicalcontact_email', null), 'name' => $config->getString('technicalcontact_name', null), 'contactType' => 'technical'))); $metaxml = $metaBuilder->getEntityDescriptorText(); // sign the metadata if enabled $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'Shib 1.3 IdP'); if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') { $defaultidp = $config->getString('default-shib13-idp', null); $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); $t->data['clipboard.js'] = true; $t->data['header'] = 'shib13-idp'; $t->data['metaurl'] = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery(), array('output' => 'xml')); $t->data['metadata'] = htmlspecialchars($metaxml); $t->data['metadataflat'] = htmlspecialchars($metaflat); $t->data['defaultidp'] = $defaultidp; $t->show(); } else { header('Content-Type: application/xml'); echo $metaxml; exit(0); } } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception); }
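/**
 * Process an assertion in a response.
 *
 * Will throw an exception if it is invalid. The checks, in order: decrypt the assertion if needed; require a
 * valid signature on either the assertion or the enclosing response; validate NotBefore, NotOnOrAfter and
 * SessionNotOnOrAfter (60 seconds of clock skew allowed); validate the audience restriction; and find at least
 * one acceptable SubjectConfirmation (bearer or holder-of-key, with NotBefore, NotOnOrAfter, Recipient and
 * InResponseTo checked). Afterwards the attributes are optionally base64-decoded and an encrypted NameID is
 * decrypted.
 *
 * @param SimpleSAML_Configuration $spMetadata The metadata of the service provider.
 * @param SimpleSAML_Configuration $idpMetadata The metadata of the identity provider.
 * @param \SAML2\Response $response The response containing the assertion.
 * @param \SAML2\Assertion|\SAML2\EncryptedAssertion $assertion The assertion.
 * @param bool $responseSigned Whether the response is signed.
 * @return \SAML2\Assertion The assertion, if it is valid.
 * @throws SimpleSAML_Error_Exception If any of the validation checks fail.
 * @throws Exception The error from the last decryption key tried, if the NameID could not be decrypted.
 */
private static function processAssertion(
    SimpleSAML_Configuration $spMetadata,
    SimpleSAML_Configuration $idpMetadata,
    \SAML2\Response $response,
    $assertion,
    $responseSigned
) {
    assert('$assertion instanceof \\SAML2\\Assertion || $assertion instanceof \\SAML2\\EncryptedAssertion');
    assert('is_bool($responseSigned)');

    $assertion = self::decryptAssertion($idpMetadata, $spMetadata, $assertion);

    // An unsigned assertion is only acceptable if the response that carried it was signed.
    if (!self::checkSign($idpMetadata, $assertion)) {
        if (!$responseSigned) {
            throw new SimpleSAML_Error_Exception('Neither the assertion nor the response was signed.');
        }
    }
    /* At least one valid signature found. */

    $currentURL = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();

    /* Check various properties of the assertion. Every time comparison tolerates 60 seconds of clock skew. */

    $notBefore = $assertion->getNotBefore();
    if ($notBefore !== NULL && $notBefore > time() + 60) {
        throw new SimpleSAML_Error_Exception(
            'Received an assertion that is valid in the future. Check clock synchronization on IdP and SP.'
        );
    }

    $notOnOrAfter = $assertion->getNotOnOrAfter();
    if ($notOnOrAfter !== NULL && $notOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception(
            'Received an assertion that has expired. Check clock synchronization on IdP and SP.'
        );
    }

    $sessionNotOnOrAfter = $assertion->getSessionNotOnOrAfter();
    if ($sessionNotOnOrAfter !== NULL && $sessionNotOnOrAfter <= time() - 60) {
        throw new SimpleSAML_Error_Exception(
            'Received an assertion with a session that has expired. Check clock synchronization on IdP and SP.'
        );
    }

    // Audience restriction: when present, our own entity id must be listed.
    $validAudiences = $assertion->getValidAudiences();
    if ($validAudiences !== NULL) {
        $spEntityId = $spMetadata->getString('entityid');
        if (!in_array($spEntityId, $validAudiences, TRUE)) {
            $candidates = '[' . implode('], [', $validAudiences) . ']';
            throw new SimpleSAML_Error_Exception(
                'This SP [' . $spEntityId . '] is not a valid audience for the assertion. Candidates were: ' .
                $candidates
            );
        }
    }

    // Look for one SubjectConfirmation we can accept. $lastError records why the most recent candidate was
    // rejected so that the final exception is informative.
    $found = FALSE;
    $lastError = 'No SubjectConfirmation element in Subject.';
    $validSCMethods = array(\SAML2\Constants::CM_BEARER, \SAML2\Constants::CM_HOK, \SAML2\Constants::CM_VOUCHES);
    foreach ($assertion->getSubjectConfirmation() as $sc) {
        // Method is a URI string; compare strictly.
        if (!in_array($sc->Method, $validSCMethods, TRUE)) {
            $lastError = 'Invalid Method on SubjectConfirmation: ' . var_export($sc->Method, TRUE);
            continue;
        }

        /* Is SSO with HoK enabled? IdP remote metadata overwrites SP metadata configuration. */
        $hok = $idpMetadata->getBoolean('saml20.hok.assertion', NULL);
        if ($hok === NULL) {
            $hok = $spMetadata->getBoolean('saml20.hok.assertion', FALSE);
        }
        if ($sc->Method === \SAML2\Constants::CM_BEARER && $hok) {
            $lastError = 'Bearer SubjectConfirmation received, but Holder-of-Key SubjectConfirmation needed';
            continue;
        }
        if ($sc->Method === \SAML2\Constants::CM_HOK && !$hok) {
            $lastError = 'Holder-of-Key SubjectConfirmation received, but the Holder-of-Key profile is not enabled.';
            continue;
        }

        $scd = $sc->SubjectConfirmationData;
        if ($sc->Method === \SAML2\Constants::CM_HOK) {
            /* Check HoK Assertion */
            if (\SimpleSAML\Utils\HTTP::isHTTPS() === FALSE) {
                $lastError = 'No HTTPS connection, but required for Holder-of-Key SSO';
                continue;
            }
            // empty() is also true when the server did not set SSL_CLIENT_CERT at all, so a missing client
            // certificate is reported here instead of failing the structure check below with a notice.
            if (empty($_SERVER['SSL_CLIENT_CERT'])) {
                $lastError = 'No client certificate provided during TLS Handshake with SP';
                continue;
            }

            /* Extract certificate data (if this is a certificate). */
            $clientCert = $_SERVER['SSL_CLIENT_CERT'];
            $pattern = '/^-----BEGIN CERTIFICATE-----([^-]*)^-----END CERTIFICATE-----/m';
            if (!preg_match($pattern, $clientCert, $matches)) {
                $lastError = 'Error while looking for client certificate during TLS handshake with SP, the client certificate does not ' .
                    'have the expected structure';
                continue;
            }
            /* We have a valid client certificate from the browser. */
            $clientCert = str_replace(array("\r", "\n", " "), '', $matches[1]);

            // Collect exactly one KeyInfo > X509Data > X509Certificate chain from the SubjectConfirmationData.
            // The accumulators are reset for every SubjectConfirmation so nothing carries over from an earlier,
            // rejected candidate (and count() never sees an unset variable).
            $keyInfo = array();
            $x509data = array();
            $x509cert = array();
            foreach ($scd->info as $thing) {
                if ($thing instanceof \SAML2\XML\ds\KeyInfo) {
                    $keyInfo[] = $thing;
                }
            }
            if (count($keyInfo) != 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:KeyInfo> element in <SubjectConfirmationData> allowed';
                continue;
            }
            foreach ($keyInfo[0]->info as $thing) {
                if ($thing instanceof \SAML2\XML\ds\X509Data) {
                    $x509data[] = $thing;
                }
            }
            if (count($x509data) != 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Data> element in <ds:KeyInfo> within <SubjectConfirmationData> allowed';
                continue;
            }
            foreach ($x509data[0]->data as $thing) {
                if ($thing instanceof \SAML2\XML\ds\X509Certificate) {
                    $x509cert[] = $thing;
                }
            }
            if (count($x509cert) != 1) {
                $lastError = 'Error validating Holder-of-Key assertion: Only one <ds:X509Certificate> element in <ds:X509Data> within <SubjectConfirmationData> allowed';
                continue;
            }

            // The certificate presented in the TLS handshake must be the one the IdP bound to the assertion.
            $HoKCertificate = $x509cert[0]->certificate;
            if ($HoKCertificate !== $clientCert) {
                $lastError = 'Provided client certificate does not match the certificate bound to the Holder-of-Key assertion';
                continue;
            }
        }

        if ($scd->NotBefore && $scd->NotBefore > time() + 60) {
            $lastError = 'NotBefore in SubjectConfirmationData is in the future: ' . $scd->NotBefore;
            continue;
        }
        if ($scd->NotOnOrAfter && $scd->NotOnOrAfter <= time() - 60) {
            $lastError = 'NotOnOrAfter in SubjectConfirmationData is in the past: ' . $scd->NotOnOrAfter;
            continue;
        }
        // Recipient must be this endpoint; the comparison deliberately ignores the query string.
        if ($scd->Recipient !== NULL && $scd->Recipient !== $currentURL) {
            $lastError = 'Recipient in SubjectConfirmationData does not match the current URL. Recipient is ' .
                var_export($scd->Recipient, TRUE) . ', current URL is ' . var_export($currentURL, TRUE) . '.';
            continue;
        }
        if ($scd->InResponseTo !== NULL && $response->getInResponseTo() !== NULL && $scd->InResponseTo !== $response->getInResponseTo()) {
            $lastError = 'InResponseTo in SubjectConfirmationData does not match the Response. Response has ' .
                var_export($response->getInResponseTo(), TRUE) . ', SubjectConfirmationData has ' .
                var_export($scd->InResponseTo, TRUE) . '.';
            continue;
        }
        $found = TRUE;
        break;
    }
    if (!$found) {
        throw new SimpleSAML_Error_Exception('Error validating SubjectConfirmation in Assertion: ' . $lastError);
    }

    /* As far as we can tell, the assertion is valid. */

    /* Maybe we need to base64 decode the attributes in the assertion? */
    if ($idpMetadata->getBoolean('base64attributes', FALSE)) {
        $attributes = $assertion->getAttributes();
        $newAttributes = array();
        foreach ($attributes as $name => $values) {
            $newAttributes[$name] = array();
            foreach ($values as $value) {
                // Several encoded values may be packed into one string, joined by '_'.
                foreach (explode('_', $value) as $v) {
                    $newAttributes[$name][] = base64_decode($v);
                }
            }
        }
        $assertion->setAttributes($newAttributes);
    }

    /* Decrypt the NameID element if it is encrypted. */
    if ($assertion->isNameIdEncrypted()) {
        try {
            $keys = self::getDecryptionKeys($idpMetadata, $spMetadata);
        } catch (Exception $e) {
            throw new SimpleSAML_Error_Exception('Error decrypting NameID: ' . $e->getMessage());
        }

        $blacklist = self::getBlacklistedAlgorithms($idpMetadata, $spMetadata);

        // Try each configured key in turn; only the failure of the last one tried is reported.
        $lastException = NULL;
        foreach ($keys as $i => $key) {
            try {
                $assertion->decryptNameId($key, $blacklist);
                SimpleSAML\Logger::debug('Decryption with key #' . $i . ' succeeded.');
                $lastException = NULL;
                break;
            } catch (Exception $e) {
                SimpleSAML\Logger::debug('Decryption with key #' . $i . ' failed with exception: ' . $e->getMessage());
                $lastException = $e;
            }
        }
        if ($lastException !== NULL) {
            throw $lastException;
        }
    }

    return $assertion;
}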
/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function. When the request scoping leaves exactly
 * one IdP, the user is sent straight back with that choice; the selection page is rendered otherwise.
 */
public function handleRequest()
{
    $this->start();

    // No choice made yet: build the list of IdPs to offer.
    $candidates = $this->filterList($this->getIdPList());
    $recommended = $this->getRecommendedIdP();

    // Narrow the list to the IdPs named in the request scoping, if any of them are known to us.
    $scoped = array_intersect(array_keys($candidates), $this->getScopedIDPList());
    if (count($scoped) > 0) {
        $candidates = array_intersect_key($candidates, array_fill_keys($scoped, null));
    }
    $scoped = array_values($scoped);

    // Exactly one scoped IdP: no user interaction needed.
    if (count($scoped) == 1) {
        $this->log(
            'Choice made [' . $scoped[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')'
        );
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $scoped[0]));
    }

    /*
     * Make use of an XHTML template to present the select IdP choice to the user. Currently the supported options
     * is either a drop down menu or a list view.
     */
    $layout = $this->config->getString('idpdisco.layout', 'links');
    if ($layout === 'dropdown') {
        $templateFile = 'selectidp-dropdown.php';
    } elseif ($layout === 'links') {
        $templateFile = 'selectidp-links.php';
    } else {
        throw new Exception('Invalid value for the \'idpdisco.layout\' option.');
    }

    $page = new SimpleSAML_XHTML_Template($this->config, $templateFile, 'disco');
    $page->data['idplist'] = $candidates;
    $page->data['preferredidp'] = $recommended;
    $page->data['return'] = $this->returnURL;
    $page->data['returnIDParam'] = $this->returnIdParam;
    $page->data['entityID'] = $this->spEntityId;
    // Escaped here for use inside the template's markup.
    $page->data['urlpattern'] = htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery());
    $page->data['rememberenabled'] = $this->config->getBoolean('idpdisco.enableremember', false);
    $page->show();
}
/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function.
 */
public function handleRequest()
{
    $this->start();

    // No choice made yet: show the discovery page with the filtered, structured IdP list.
    $structured = $this->idplistStructured($this->filterList($this->getIdPList()));
    $recommended = $this->getRecommendedIdP();

    $page = new SimpleSAML_XHTML_Template($this->config, 'discopower:disco-tpl.php', 'disco');
    $values = array(
        'idplist'         => $structured,
        'preferredidp'    => $recommended,
        'return'          => $this->returnURL,
        'returnIDParam'   => $this->returnIdParam,
        'entityID'        => $this->spEntityId,
        // escaped for use inside the template's markup
        'urlpattern'      => htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery()),
        'rememberenabled' => $this->config->getBoolean('idpdisco.enableremember', false),
        'rememberchecked' => $this->config->getBoolean('idpdisco.rememberchecked', false),
        'defaulttab'      => $this->discoconfig->getValue('defaulttab', 0),
        'score'           => $this->discoconfig->getValue('score', 'quicksilver'),
    );
    foreach ($values as $key => $value) {
        $page->data[$key] = $value;
    }
    $page->show();
}
<?php

require_once '../_include.php';

/* Load simpleSAMLphp, configuration */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();

/* Check if valid local session exists.. */
SimpleSAML\Utils\Auth::requireAdmin();

// Raw request values and the URL helper results derived from them. HTTP_HOST comes straight
// from the request's Host header, so these values are untrusted and the template is expected
// to escape them before rendering.
$attributes = array(
    'HTTP_HOST'                         => array($_SERVER['HTTP_HOST']),
    'HTTPS'                             => isset($_SERVER['HTTPS']) ? array($_SERVER['HTTPS']) : array(),
    'SERVER_PROTOCOL'                   => array($_SERVER['SERVER_PROTOCOL']),
    'SERVER_PORT'                       => array($_SERVER['SERVER_PORT']),
    'Utilities_getBaseURL()'            => array(\SimpleSAML\Utils\HTTP::getBaseURL()),
    'Utilities_getSelfHost()'           => array(\SimpleSAML\Utils\HTTP::getSelfHost()),
    'Utilities_selfURLhost()'           => array(\SimpleSAML\Utils\HTTP::getSelfURLHost()),
    'Utilities_selfURLNoQuery()'        => array(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery()),
    'Utilities_getSelfHostWithPath()'   => array(\SimpleSAML\Utils\HTTP::getSelfHostWithPath()),
    'Utilities_getFirstPathElement()'   => array(\SimpleSAML\Utils\HTTP::getFirstPathElement()),
    'Utilities_selfURL()'               => array(\SimpleSAML\Utils\HTTP::getSelfURL()),
);

$template = new SimpleSAML_XHTML_Template($config, 'hostnames.php');
// Seconds left on the admin session, shown to the user.
$template->data['remaining'] = $session->getAuthData('admin', 'Expire') - time();
$template->data['attributes'] = $attributes;
$template->data['valid'] = 'na';
$template->data['logout'] = null;
$template->show();
// do not ignore other exceptions! } } $message = $binding->receive(); $idpEntityId = $message->getIssuer(); if ($idpEntityId === NULL) { /* Without an issuer we have no way to respond to the message. */ throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.'); } $spEntityId = $source->getEntityId(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpMetadata = $source->getIdPMetadata($idpEntityId); $spMetadata = $source->getMetadata(); sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message); $destination = $message->getDestination(); if ($destination !== NULL && $destination !== \SimpleSAML\Utils\HTTP::getSelfURLNoQuery()) { throw new SimpleSAML_Error_Exception('Destination in logout message is wrong.'); } if ($message instanceof SAML2_LogoutResponse) { $relayState = $message->getRelayState(); if ($relayState === NULL) { /* Somehow, our RelayState has been lost. */ throw new SimpleSAML_Error_BadRequest('Missing RelayState in logout response.'); } if (!$message->isSuccess()) { SimpleSAML_Logger::warning('Unsuccessful logout. Status was: ' . sspmod_saml_Message::getResponseError($message)); } $state = SimpleSAML_Auth_State::loadState($relayState, 'saml:slosent'); $state['saml:sp:LogoutStatus'] = $message->getStatus(); SimpleSAML_Auth_Source::completeLogout($state); } elseif ($message instanceof SAML2_LogoutRequest) {
} $asId = (string) $_REQUEST['as']; $as = new SimpleSAML_Auth_Simple($asId); if (array_key_exists('logout', $_REQUEST)) { $as->logout('/' . $config->getBaseURL() . 'logout.php'); } if (array_key_exists(SimpleSAML_Auth_State::EXCEPTION_PARAM, $_REQUEST)) { // This is just a simple example of an error $state = SimpleSAML_Auth_State::loadExceptionState(); assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)'); $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA]; header('Content-Type: text/plain'); echo "Exception during login:\n"; foreach ($e->format() as $line) { echo $line . "\n"; } exit(0); } if (!$as->isAuthenticated()) { $url = SimpleSAML_Module::getModuleURL('core/authenticate.php', array('as' => $asId)); $params = array('ErrorURL' => $url, 'ReturnTo' => $url); $as->login($params); } $attributes = $as->getAttributes(); $t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes'); $t->data['header'] = '{status:header_saml20_sp}'; $t->data['attributes'] = $attributes; // if saml:sp:IdP is set, this is SAML auth so we can pass a NameId $t->data['nameid'] = !is_null($as->getAuthData('saml:sp:IdP')) ? $as->getAuthData('saml:sp:NameID') : FALSE; $t->data['logouturl'] = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery() . '?as=' . urlencode($asId) . '&logout'; $t->show();
/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function. If an IdP is already determined
 * (getTargetIdp()), the user is redirected back (or on to the external discovery storage) without a page;
 * a passive request with no choice is also answered by redirecting back. Otherwise the discovery page is shown.
 */
public function handleRequest()
{
    $idp = $this->getTargetIdp();
    if ($idp !== null) {
        $externalStorage = $this->config->getString('idpdisco.extDiscoveryStorage', null);
        if ($externalStorage === null) {
            $this->log(
                'Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')'
            );
            \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idp));
        } else {
            $this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
            \SimpleSAML\Utils\HTTP::redirectTrustedURL($externalStorage, array(
                'entityID'      => $this->spEntityId,
                'IdPentityID'   => $idp,
                'returnIDParam' => $this->returnIdParam,
                'isPassive'     => 'true',
                'return'        => $this->returnURL,
            ));
        }
        return;
    }

    if ($this->isPassive) {
        $this->log('Choice not made. (Redirecting the user back without answer)');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL);
        return;
    }

    /* No choice made. Show discovery service page. */
    $structured = $this->idplistStructured($this->filterList($this->getIdPList()));
    $recommended = $this->getRecommendedIdP();

    $page = new SimpleSAML_XHTML_Template($this->config, 'discopower:disco-tpl.php', 'disco');
    $values = array(
        'idplist'         => $structured,
        'preferredidp'    => $recommended,
        'return'          => $this->returnURL,
        'returnIDParam'   => $this->returnIdParam,
        'entityID'        => $this->spEntityId,
        // escaped for use inside the template's markup
        'urlpattern'      => htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery()),
        'rememberenabled' => $this->config->getBoolean('idpdisco.enableremember', false),
        'rememberchecked' => $this->config->getBoolean('idpdisco.rememberchecked', false),
        'defaulttab'      => $this->discoconfig->getValue('defaulttab', 0),
        'score'           => $this->discoconfig->getValue('score', 'quicksilver'),
    );
    foreach ($values as $key => $value) {
        $page->data[$key] = $value;
    }
    $page->show();
}
<p>Report ID: <tt>%s</tt></p> <p>Referer: <tt>%s</tt></p> <hr /> <div class="footer"> This message was sent using SimpleSAMLphp. Visit the <a href="http://simplesamlphp.org/">SimpleSAMLphp homepage</a>. </div> MESSAGE; $message = sprintf($message, htmlspecialchars($text), $data['exceptionMsg'], $data['exceptionTrace'], $data['url'], $data['url'], htmlspecialchars(php_uname('n')), dirname(dirname(__FILE__)), $data['trackId'], $data['version'], $data['reportId'], $data['referer']); // add the email address of the submitter as the Reply-To address $email = trim($email); // check that it looks like a valid email address if (!preg_match('/\\s/', $email) && strpos($email, '@') !== false) { $replyto = $email; $from = $email; } else { $replyto = null; $from = '*****@*****.**'; } // send the email $toAddress = $config->getString('technicalcontact_email', '*****@*****.**'); if ($config->getBoolean('errorreporting', true) && $toAddress !== '*****@*****.**') { $email = new SimpleSAML_XHTML_EMail($toAddress, 'SimpleSAMLphp error report', $from); $email->setBody($message); $email->send(); SimpleSAML\Logger::error('Report with id ' . $reportId . ' sent to <' . $toAddress . '>.'); } // redirect the user back to this page to clear the POST request \SimpleSAML\Utils\HTTP::redirectTrustedURL(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery());
/**
 * Handles a request to this discovery service.
 *
 * The IdP disco parameters should be set before calling this function. If an IdP is already determined
 * (getTargetIdp()), the user is redirected back (or on to the external discovery storage) without a page;
 * a passive request with no choice is also answered by redirecting back. Otherwise the request scoping is
 * applied and the selection page is shown.
 */
public function handleRequest()
{
    $idp = $this->getTargetIdp();
    if ($idp !== null) {
        $externalStorage = $this->config->getString('idpdisco.extDiscoveryStorage', null);
        if ($externalStorage === null) {
            $this->log(
                'Choice made [' . $idp . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')'
            );
            \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $idp));
        } else {
            $this->log('Choice made [' . $idp . '] (Forwarding to external discovery storage)');
            \SimpleSAML\Utils\HTTP::redirectTrustedURL($externalStorage, array(
                'entityID'      => $this->spEntityId,
                'IdPentityID'   => $idp,
                'returnIDParam' => $this->returnIdParam,
                'isPassive'     => 'true',
                'return'        => $this->returnURL,
            ));
        }
        return;
    }

    if ($this->isPassive) {
        $this->log('Choice not made. (Redirecting the user back without answer)');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL);
        return;
    }

    /* No choice made. Show discovery service page. */
    $candidates = $this->getIdPList();
    $recommended = $this->getRecommendedIdP();

    // Narrow the list to the IdPs named in the request scoping, if any of them are known to us.
    $scoped = array_intersect(array_keys($candidates), $this->getScopedIDPList());
    if (count($scoped) > 0) {
        $candidates = array_intersect_key($candidates, array_fill_keys($scoped, null));
    }
    $scoped = array_values($scoped);

    // Exactly one scoped IdP: no user interaction needed.
    if (count($scoped) == 1) {
        $this->log(
            'Choice made [' . $scoped[0] . '] (Redirecting the user back. returnIDParam=' . $this->returnIdParam . ')'
        );
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->returnURL, array($this->returnIdParam => $scoped[0]));
    }

    /*
     * Make use of an XHTML template to present the select IdP choice to the user.
     * Currently the supported options is either a drop down menu or a list view.
     */
    $layout = $this->config->getString('idpdisco.layout', 'links');
    if ($layout === 'dropdown') {
        $templateFile = 'selectidp-dropdown.php';
    } elseif ($layout === 'links') {
        $templateFile = 'selectidp-links.php';
    } else {
        throw new Exception('Invalid value for the \'idpdisco.layout\' option.');
    }

    $page = new SimpleSAML_XHTML_Template($this->config, $templateFile, 'disco');
    $page->data['idplist'] = $candidates;
    $page->data['preferredidp'] = $recommended;
    $page->data['return'] = $this->returnURL;
    $page->data['returnIDParam'] = $this->returnIdParam;
    $page->data['entityID'] = $this->spEntityId;
    // Escaped here for use inside the template's markup.
    $page->data['urlpattern'] = htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery());
    $page->data['rememberenabled'] = $this->config->getBoolean('idpdisco.enableremember', false);
    $page->show();
}
$techcontact['contactType'] = 'technical'; $metaArray['contacts'][] = Metadata::getContact($techcontact); } $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid); $metaBuilder->addMetadataIdP20($metaArray); $metaBuilder->addOrganizationInfo($metaArray); $metaxml = $metaBuilder->getEntityDescriptorText(); $metaflat = '$metadata[' . var_export($idpentityid, true) . '] = ' . var_export($metaArray, true) . ';'; // sign the metadata if enabled $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'SAML 2 IdP'); if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') { $defaultidp = $config->getString('default-saml20-idp', null); $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); $t->data['clipboard.js'] = true; $t->data['available_certs'] = $availableCerts; $t->data['header'] = 'saml20-idp'; // TODO: Replace with headerString in 2.0 $t->data['headerString'] = $t->noop('metadata_saml20-idp'); $t->data['metaurl'] = HTTP::getSelfURLNoQuery(); $t->data['metadata'] = htmlspecialchars($metaxml); $t->data['metadataflat'] = htmlspecialchars($metaflat); $t->data['defaultidp'] = $defaultidp; $t->show(); } else { header('Content-Type: application/xml'); echo $metaxml; exit(0); } } catch (Exception $exception) { throw new SimpleSAML_Error_Error('METADATA', $exception); }
/**
 * Receive an authentication request.
 *
 * Handles both an SP-initiated request (a SAML2 AuthnRequest received through the current binding) and an
 * IdP-initiated login (a plain request carrying a 'spentityid' parameter). In both cases the SP metadata is
 * looked up, the assertion consumer service is selected, and the collected parameters are handed to the IdP
 * as the authentication state.
 *
 * @param SimpleSAML_IdP $idp The IdP we are receiving it for.
 *
 * @throws SimpleSAML_Error_BadRequest If the received message is not an AuthnRequest or carries no issuer.
 */
public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
{
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpMetadata = $idp->getConfig();

    // Bindings we are willing to deliver the response on; artifact and HoK are opt-in via IdP metadata.
    $supportedBindings = array(SAML2_Const::BINDING_HTTP_POST);
    if ($idpMetadata->getBoolean('saml20.sendartifact', FALSE)) {
        $supportedBindings[] = SAML2_Const::BINDING_HTTP_ARTIFACT;
    }
    if ($idpMetadata->getBoolean('saml20.hok.assertion', FALSE)) {
        $supportedBindings[] = SAML2_Const::BINDING_HOK_SSO;
    }

    if (isset($_REQUEST['spentityid'])) {
        /* IdP initiated authentication. */

        // 'cookieTime' is set by the session-lost restart URL built further down; being sent back here
        // within five seconds of it means the session did not survive the round trip.
        if (isset($_REQUEST['cookieTime'])) {
            $cookieTime = (int) $_REQUEST['cookieTime'];
            if ($cookieTime + 5 > time()) {
                /*
                 * Less than five seconds has passed since we were
                 * here the last time. Cookies are probably disabled.
                 */
                \SimpleSAML\Utils\HTTP::checkSessionCookie(\SimpleSAML\Utils\HTTP::getSelfURL());
            }
        }

        // Everything below comes from untrusted request parameters. The SP entity id is only accepted as far
        // as the metadata lookup succeeds for it (presumably it throws for unknown SPs - verify in
        // getMetaDataConfig); RelayState, binding and NameIDFormat are carried through as-is.
        $spEntityId = (string) $_REQUEST['spentityid'];
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        if (isset($_REQUEST['RelayState'])) {
            $relayState = (string) $_REQUEST['RelayState'];
        } else {
            $relayState = NULL;
        }

        if (isset($_REQUEST['binding'])) {
            $protocolBinding = (string) $_REQUEST['binding'];
        } else {
            $protocolBinding = NULL;
        }

        if (isset($_REQUEST['NameIDFormat'])) {
            $nameIDFormat = (string) $_REQUEST['NameIDFormat'];
        } else {
            $nameIDFormat = NULL;
        }

        // No AuthnRequest exists, so the request-derived fields take their neutral values.
        $requestId = NULL;
        $IDPList = array();
        $ProxyCount = NULL;
        $RequesterID = NULL;
        $forceAuthn = FALSE;
        $isPassive = FALSE;
        $consumerURL = NULL;
        $consumerIndex = NULL;
        $extensions = NULL;
        $allowCreate = TRUE;

        $idpInit = TRUE;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: IdP initiated authentication: ' .
            var_export($spEntityId, TRUE));
    } else {
        $binding = SAML2_Binding::getCurrentBinding();
        $request = $binding->receive();

        if (!$request instanceof SAML2_AuthnRequest) {
            throw new SimpleSAML_Error_BadRequest('Message received on authentication request endpoint wasn\'t an authentication request.');
        }

        $spEntityId = $request->getIssuer();
        if ($spEntityId === NULL) {
            throw new SimpleSAML_Error_BadRequest('Received message on authentication request endpoint without issuer.');
        }
        $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');

        // Signature and other message-level checks happen here, before any request field is trusted.
        sspmod_saml_Message::validateMessage($spMetadata, $idpMetadata, $request);

        $relayState = $request->getRelayState();

        $requestId = $request->getId();
        $IDPList = $request->getIDPList();
        $ProxyCount = $request->getProxyCount();
        // Decremented before being passed on; presumably this IdP counts as one proxy hop.
        if ($ProxyCount !== null) {
            $ProxyCount--;
        }
        $RequesterID = $request->getRequesterID();
        $forceAuthn = $request->getForceAuthn();
        $isPassive = $request->getIsPassive();
        $consumerURL = $request->getAssertionConsumerServiceURL();
        $protocolBinding = $request->getProtocolBinding();
        $consumerIndex = $request->getAssertionConsumerServiceIndex();
        $extensions = $request->getExtensions();

        $nameIdPolicy = $request->getNameIdPolicy();
        if (isset($nameIdPolicy['Format'])) {
            $nameIDFormat = $nameIdPolicy['Format'];
        } else {
            $nameIDFormat = NULL;
        }
        if (isset($nameIdPolicy['AllowCreate'])) {
            $allowCreate = $nameIdPolicy['AllowCreate'];
        } else {
            $allowCreate = FALSE;
        }

        $idpInit = FALSE;

        SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: incoming authentication request: ' .
            var_export($spEntityId, TRUE));
    }

    SimpleSAML_Stats::log('saml:idp:AuthnRequest', array(
        'spEntityID' => $spEntityId,
        'idpEntityID' => $idpMetadata->getString('entityid'),
        'forceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
        'protocol' => 'saml2',
        'idpInit' => $idpInit,
    ));

    // Pick the ACS endpoint from SP metadata, constrained to the bindings we support and to what the
    // request asked for (URL, binding, index).
    $acsEndpoint = self::getAssertionConsumerService($supportedBindings, $spMetadata, $consumerURL, $protocolBinding, $consumerIndex);

    // SP metadata may add to the request's IDPList and supply ProxyCount / ForceAuthn when the request did not.
    $IDPList = array_unique(array_merge($IDPList, $spMetadata->getArrayizeString('IDPList', array())));
    if ($ProxyCount === null) {
        $ProxyCount = $spMetadata->getInteger('ProxyCount', null);
    }
    if (!$forceAuthn) {
        $forceAuthn = $spMetadata->getBoolean('ForceAuthn', FALSE);
    }

    // URL the user is sent to if the session is lost; it re-enters this function as an IdP-initiated
    // request, with 'cookieTime' enabling the cookie check at the top.
    $sessionLostParams = array(
        'spentityid' => $spEntityId,
        'cookieTime' => time(),
    );
    if ($relayState !== NULL) {
        $sessionLostParams['RelayState'] = $relayState;
    }

    $sessionLostURL = \SimpleSAML\Utils\HTTP::addURLParameters(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery(), $sessionLostParams);

    $state = array(
        'Responder' => array('sspmod_saml_IdP_SAML2', 'sendResponse'),
        SimpleSAML_Auth_State::EXCEPTION_HANDLER_FUNC => array('sspmod_saml_IdP_SAML2', 'handleAuthError'),
        SimpleSAML_Auth_State::RESTART => $sessionLostURL,

        'SPMetadata' => $spMetadata->toArray(),
        'saml:RelayState' => $relayState,
        'saml:RequestId' => $requestId,
        'saml:IDPList' => $IDPList,
        'saml:ProxyCount' => $ProxyCount,
        'saml:RequesterID' => $RequesterID,
        'ForceAuthn' => $forceAuthn,
        'isPassive' => $isPassive,
        'saml:ConsumerURL' => $acsEndpoint['Location'],
        'saml:Binding' => $acsEndpoint['Binding'],
        'saml:NameIDFormat' => $nameIDFormat,
        'saml:AllowCreate' => $allowCreate,
        'saml:Extensions' => $extensions,
        'saml:AuthnRequestReceivedAt' => microtime(TRUE),
    );

    $idp->handleAuthenticationRequest($state);
}
/**
 * @deprecated This method will be removed in SSP 2.0. Please use SimpleSAML\Utils\HTTP::getSelfURLNoQuery() instead.
 *
 * @return string The current URL without its query string, as produced by the replacement method.
 */
public static function selfURLNoQuery()
{
    $url = \SimpleSAML\Utils\HTTP::getSelfURLNoQuery();
    return $url;
}
/**
 * Test SimpleSAML\Utils\HTTP::getSelfURL() together with its companions
 * getSelfURLHost(), getSelfURLNoQuery(), isHTTPS() and
 * getSelfHostWithNonStandardPort(), across the supported 'baseurlpath' forms.
 *
 * The sub-cases deliberately run in sequence: some of them reuse the $_SERVER
 * environment prepared by the previous case (see the "without a trailing slash"
 * and "without a path" cases), so they must not be reordered. $_SERVER is saved
 * on entry and restored at the end; note that a failing assertion throws past
 * the restore, leaving $_SERVER modified for later tests in the same process.
 */
public function testGetSelfURLMethods()
{
    $original = $_SERVER;

    /*
     * Test a URL pointing to a script that's not part of the public interface. This allows us to test calls to
     * getSelfURL() from scripts outside of SimpleSAMLphp. The configured base URL (http, example.com) is NOT
     * used here: the request environment (https, script path) is what gets reported.
     */
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => 'http://example.com/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $url = 'https://example.com/app/script.php/some/path?foo=bar';
    $this->setupEnvFromURL($url);
    $_SERVER['SCRIPT_FILENAME'] = '/var/www/app/script.php';
    $this->assertEquals($url, HTTP::getSelfURL());
    $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
    $this->assertEquals('https://example.com/app/script.php/some/path', HTTP::getSelfURLNoQuery());
    $this->assertTrue(HTTP::isHTTPS());
    $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a request URI that doesn't match the current script: the script is SimpleSAMLphp's own
    // www/module.php, but the request points elsewhere. The self URL then follows the request
    // (www.example.com), while getSelfHostWithNonStandardPort() still reports the configured host.
    $cfg = \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => 'https://example.org/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $baseDir = $cfg->getBaseDir();
    $_SERVER['SCRIPT_FILENAME'] = $baseDir . 'www/module.php';
    $this->setupEnvFromURL('http://www.example.com/protected/resource.asp?foo=bar');
    $this->assertEquals('http://www.example.com/protected/resource.asp?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());
    $this->assertEquals('http://www.example.com/protected/resource.asp', HTTP::getSelfURLNoQuery());
    $this->assertFalse(HTTP::isHTTPS());
    $this->assertEquals('example.org', HTTP::getSelfHostWithNonStandardPort());
    $this->assertEquals('http://www.example.com', HTTP::getSelfURLHost());

    // test a valid, full URL, based on a full URL in the configuration.
    // The request's scheme and host (http, www.example.org) are ignored in favour of the configured
    // ones (https, example.com); only the path below module.php is taken from the request. This is the
    // property that keeps self-URLs independent of a client-supplied Host header when an absolute
    // baseurlpath is configured.
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => 'https://example.com/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $this->setupEnvFromURL('http://www.example.org/module.php/module/file.php?foo=bar');
    $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
    $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertTrue(HTTP::isHTTPS());
    $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a valid, full URL, based on a full URL *without* a trailing slash in the configuration.
    // Reuses the request environment from the previous case on purpose; the missing slash must
    // not change the result.
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => 'https://example.com/simplesaml'
    ), '[ARRAY]', 'simplesaml');
    $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
    $this->assertEquals('https://example.com/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertTrue(HTTP::isHTTPS());
    $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a valid, full URL, based on a full URL *without* a path in the configuration.
    // Still the same request environment; the module path is appended directly to the host.
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => 'https://example.com'
    ), '[ARRAY]', 'simplesaml');
    $this->assertEquals('https://example.com/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('https://example.com', HTTP::getSelfURLHost());
    $this->assertEquals('https://example.com/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertTrue(HTTP::isHTTPS());
    $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a valid, full URL, based on a relative path in the configuration.
    // With a relative baseurlpath the scheme and host come from the request environment, so in this
    // configuration the value is only as trustworthy as the web server's handling of the Host header
    // (NOTE(review): deployments using a relative baseurlpath should pin the vhost server name).
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => '/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $this->setupEnvFromURL('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar');
    $this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('http://www.example.org', HTTP::getSelfURLHost());
    $this->assertEquals('http://www.example.org/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertFalse(HTTP::isHTTPS());
    $this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a valid, full URL, based on a relative path in the configuration and a non standard port.
    // The port must survive in both the host part and the full URL.
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => '/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $this->setupEnvFromURL('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
    $this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('http://example.org:8080', HTTP::getSelfURLHost());
    $this->assertEquals('http://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertFalse(HTTP::isHTTPS());
    $this->assertEquals('http://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // test a valid, full URL, based on a relative path in the configuration, a non standard port and HTTPS.
    // Same as above but the request is TLS, so isHTTPS() must flip to true and the scheme to https.
    \SimpleSAML_Configuration::loadFromArray(array(
        'baseurlpath' => '/simplesaml/'
    ), '[ARRAY]', 'simplesaml');
    $this->setupEnvFromURL('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar');
    $this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php?foo=bar', HTTP::getSelfURL());
    $this->assertEquals('https://example.org:8080', HTTP::getSelfURLHost());
    $this->assertEquals('https://example.org:8080/simplesaml/module.php/module/file.php', HTTP::getSelfURLNoQuery());
    $this->assertTrue(HTTP::isHTTPS());
    $this->assertEquals('https://' . HTTP::getSelfHostWithNonStandardPort(), HTTP::getSelfURLHost());

    // Restore the real server environment for the remaining tests (not reached if an assertion failed).
    $_SERVER = $original;
}
/**
 * Handles a request to this discovery service: renders the IdP selection page.
 *
 * The IdP disco parameters should be set before calling this function. start()
 * runs first; the page below is only built for the "no choice made yet" case,
 * which the original comment implies start() leaves for us to handle.
 */
public function handleRequest()
{
    $this->start();

    // No choice has been made yet, so build the discovery page from the filtered, tab-structured IdP list.
    $tabs = $this->idplistStructured($this->filterList($this->getIdPList()));
    $preferredIdP = $this->getRecommendedIdP();

    // Pick the entry for the recommended IdP out of whichever tab holds it. The loop deliberately
    // does not stop at the first hit, so if the same entity appears in several tabs the last one wins.
    $favourite = NULL;
    if (!empty($preferredIdP)) {
        foreach ($tabs as $entries) {
            if (array_key_exists($preferredIdP, $entries)) {
                $favourite = $entries[$preferredIdP];
            }
        }
    }

    $t = new SimpleSAML_XHTML_Template($this->config, 'discopower:disco.tpl.php', 'disco');

    // Translation keys for the tab headings; noop() marks them for later translation by the template.
    $tabNames = array(
        'denmark' => $t->noop('{discopower:tabs:denmark}'),
        'edugain' => $t->noop('{discopower:tabs:edugain}'),
        'finland' => $t->noop('{discopower:tabs:finland}'),
        'greece' => $t->noop('{discopower:tabs:greece}'),
        'iceland' => $t->noop('{discopower:tabs:iceland}'),
        'incommon' => $t->noop('{discopower:tabs:incommon}'),
        'kalmar' => $t->noop('{discopower:tabs:kalmar}'),
        'misc' => $t->noop('{discopower:tabs:misc}'),
        'norway' => $t->noop('{discopower:tabs:norway}'),
        'sweden' => $t->noop('{discopower:tabs:sweden}'),
        'switzerland' => $t->noop('{discopower:tabs:switzerland}'),
        'ukacessfederation' => $t->noop('{discopower:tabs:ukacessfederation}'),
    );

    // Everything the template needs, in the order it has always been set. Only 'urlpattern' is
    // HTML-escaped here; 'return', 'returnIDParam' and 'entityID' are request-derived values handed
    // over raw — NOTE(review): presumably disco.tpl.php escapes them before emitting them into
    // HTML/attributes, verify in the template.
    $viewData = array(
        'faventry' => $favourite,
        'tabNames' => $tabNames,
        'idplist' => $tabs,
        'preferredidp' => $preferredIdP,
        'return' => $this->returnURL,
        'returnIDParam' => $this->returnIdParam,
        'entityID' => $this->spEntityId,
        'urlpattern' => htmlspecialchars(\SimpleSAML\Utils\HTTP::getSelfURLNoQuery()),
        'rememberenabled' => $this->config->getBoolean('idpdisco.enableremember', false),
        'rememberchecked' => $this->config->getBoolean('idpdisco.rememberchecked', false),
        'defaulttab' => $this->discoconfig->getValue('defaulttab', 0),
        'score' => $this->discoconfig->getValue('score', 'quicksilver'),
    );
    foreach ($viewData as $key => $value) {
        $t->data[$key] = $value;
    }

    $t->show();
}