session_write_close(); print_error('retriesexceeded', 'auth_onelogin_saml', '', $retry); } $SESSION->saml_retry_count = $retry + 1; // save the jump target - this is checked later that it starts with $CFG->wwwroot, and cleaned if (isset($_GET['wantsurl'])) { $wantsurl = $SESSION->wantsurl = $_GET['wantsurl']; } // check for a wantsurl in the existing Moodle session if (empty($wantsurl) && isset($SESSION->wantsurl)) { $wantsurl = $SESSION->wantsurl; } // get the plugin config for saml $pluginconfig = get_config('auth/onelogin_saml'); require_once '_toolkit_loader.php'; $settings = auth_onelogin_saml_get_settings(); $auth = new Onelogin_Saml2_Auth($settings); if (isset($_GET['logout']) && $_GET['logout']) { if (isset($_GET['RelayState']) && !empty($_GET['RelayState'])) { $location = $_GET['RelayState']; } else { if (isset($wantsurl)) { $location = $wantsurl; } else { $location = $CFG->wwwroot; } } if (isset($_GET['normal'])) { auth_onelogin_saml_deleteLocalSession(); } else { if (isset($_GET) && (isset($_GET['SAMLRequest']) || isset($_GET['SAMLResponse']))) {
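/**
 * Validate the plugin/SAML toolkit settings and print one notification per finding.
 *
 * Echoes diagnostics through $OUTPUT->notification(): the toolkit debug/strict
 * flags, whether OneLogin_Saml2_Settings accepts the settings, the SLO state,
 * where the SP private key and certificate are stored (filesystem vs. database),
 * the auto-provisioning flags, and any attribute/role mappings left empty.
 *
 * NOTE(review): when certs/sp.key exists on disk the output includes its URL,
 * so this is presumably only rendered on an admin-only page — confirm caller.
 *
 * @return void
 */
public function test_settings() {
    global $CFG, $OUTPUT;

    $pluginconfig = get_config('auth/onelogin_saml');

    require_once 'functions.php';
    require_once '_toolkit_loader.php';

    $settings = auth_onelogin_saml_get_settings();

    // Toolkit flags. The debug notice reports $settings['debug'] and the strict
    // notice $settings['strict']; the original read the opposite key for each,
    // so an admin was told strict validation was "on" when only debug was.
    $debugOn = !empty($settings['debug']);
    $strictOn = !empty($settings['strict']);
    echo $OUTPUT->notification(
        'Debug mode ' . ($debugOn
            ? '<strong>on</strong>. ' . "In production turn it off"
            : '<strong>off</strong>'),
        'userinfobox notifysuccess'
    );
    echo $OUTPUT->notification(
        'Strict mode ' . ($strictOn
            ? '<strong>on</strong>'
            : '<strong>off</strong>. ' . "In production we recommend to turn it on."),
        'userinfobox notifysuccess'
    );

    // SP key material held in the plugin settings (i.e. the database).
    // 'privateKey' is the key and 'x509cert' the certificate; the original
    // assigned them to the opposite variables, inverting the storage notices.
    $spPrivatekey = $settings['sp']['privateKey'] ?? '';
    $spCert = $settings['sp']['x509cert'] ?? '';

    try {
        // Constructing the settings object is what runs the toolkit validation.
        new OneLogin_Saml2_Settings($settings);
        echo $OUTPUT->notification('SAML settings are <strong>ok</strong>', 'userinfobox notifysuccess');
    } catch (Exception $e) {
        echo $OUTPUT->notification('Found errors while validating SAML settings info.<br>' . $e->getMessage(), 'userinfobox notifyproblem');
    }

    // Single Log Out. The setting is stored as the string 'on' when enabled.
    if ((string) ($pluginconfig->saml_slo ?? '') === 'on') {
        echo $OUTPUT->notification("Single Log Out is enabled. If the SLO process fail, close your browser to be sure that session of the apps are closed.", 'userinfobox notifysuccess');
    } else {
        echo $OUTPUT->notification("Single Log Out is disabled. If you log out from Moodle your session at the IdP keeps alive.", 'userinfobox notifysuccess');
    }

    // Key/cert storage: filesystem copies live under the plugin's certs dir,
    // database copies come from the settings array above.
    $certDir = $CFG->dirroot . '/auth/onelogin_saml/certs';
    $fileSystemKeyExists = file_exists($certDir . '/sp.key');
    $fileSystemCertExists = file_exists($certDir . '/sp.crt');
    $dbKeyExists = !empty($spPrivatekey);
    $dbCertExists = !empty($spCert);

    if ($fileSystemKeyExists) {
        $privatekey_url = $CFG->wwwroot . '/auth/onelogin_saml/certs/sp.key';
        echo $OUTPUT->notification("There is a private key stored at the filesystem. Protect the 'certs' path. Nobody should be allowed to access:" . '<br>' . $privatekey_url . '<br>', 'userinfobox');
    }
    if ($dbKeyExists) {
        echo $OUTPUT->notification("There is a private key stored at the database. (An attacker could own your database and get it. Take care)", 'userinfobox');
    }
    // Only worth saying when the same item really is present in both places.
    if (($dbKeyExists && $fileSystemKeyExists) || ($dbCertExists && $fileSystemCertExists)) {
        echo $OUTPUT->notification("Private key/certs stored on database have priority over the private key/cert stored at filesystem", 'userinfobox');
    }

    // Provisioning flags. !empty() tolerates a config that was never saved.
    $autoCreate = !empty($pluginconfig->saml_auto_create_users);
    $autoUpdate = !empty($pluginconfig->saml_auto_update_users);
    if ($autoCreate) {
        echo $OUTPUT->notification("User will be created if not exists, based on the data sent by the IdP.", 'userinfobox notifysuccess');
    } else {
        echo $OUTPUT->notification("If the user not exists, access is prevented.", 'userinfobox notifysuccess');
    }
    if ($autoUpdate) {
        echo $OUTPUT->notification("User account will be updated with the data sent by the IdP.", 'userinfobox notifysuccess');
    }
    if ($autoCreate || $autoUpdate) {
        echo $OUTPUT->notification("Is important to set the attribute and the role mapping when auto-provisioning or account update are active.", 'userinfobox');
    }

    // Attribute mappings: config field => human-readable label.
    $attr_mappings = [
        'saml_username_map'  => get_string("auth_onelogin_saml_username_map", "auth_onelogin_saml"),
        'saml_email_map'     => get_string("auth_onelogin_saml_email_map", "auth_onelogin_saml"),
        'saml_firstname_map' => get_string("auth_onelogin_saml_firstname_map", "auth_onelogin_saml"),
        'saml_surname_map'   => get_string("auth_onelogin_saml_surname_map", "auth_onelogin_saml"),
        'saml_role_map'      => get_string("auth_onelogin_saml_role_map", "auth_onelogin_saml"),
    ];

    // The account matcher decides which single mapping is mandatory.
    $saml_account_matcher = $pluginconfig->saml_account_matcher ?? '';
    if (empty($saml_account_matcher)) {
        $saml_account_matcher = 'username';
    }

    $lacked_attr_mappings = [];
    foreach ($attr_mappings as $field => $name) {
        if (!empty($pluginconfig->{$field})) {
            continue;
        }
        if ($saml_account_matcher === 'username' && $field === 'saml_username_map') {
            echo $OUTPUT->notification("Username mapping is required in order to enable the SAML Single Sign On", 'userinfobox notifyproblem');
        }
        if ($saml_account_matcher === 'email' && $field === 'saml_email_map') {
            echo $OUTPUT->notification("Email Address mapping is required in order to enable the SAML Single Sign On", 'userinfobox notifyproblem');
        }
        $lacked_attr_mappings[] = $name;
    }
    if (!empty($lacked_attr_mappings)) {
        echo $OUTPUT->notification("Notice that there are attributes without mapping:<br>" . implode('<br>', $lacked_attr_mappings), 'userinfobox');
    }

    // Role mappings: config field => human-readable label.
    // NOTE(review): the siteadmin label comes from the generic rolemapping_head
    // string rather than a siteadmin-specific one — confirm that is intended.
    $role_mappings = [
        'saml_role_siteadmin_map'     => get_string("auth_onelogin_saml_rolemapping_head", "auth_onelogin_saml"),
        'saml_role_coursecreator_map' => get_string("auth_onelogin_saml_role_coursecreator_map", "auth_onelogin_saml"),
        'saml_role_manager_map'       => get_string("auth_onelogin_saml_role_manager_map", "auth_onelogin_saml"),
    ];

    $lacked_role_mappings = [];
    foreach ($role_mappings as $field => $name) {
        if (empty($pluginconfig->{$field})) {
            $lacked_role_mappings[] = $name;
        }
    }
    if (!empty($lacked_role_mappings)) {
        echo $OUTPUT->notification("Notice that there are roles without mapping:<br>" . implode('<br>', $lacked_role_mappings), 'userinfobox');
    }
}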