/**
* @param string saml_response
* @param WP_User $user
*
* @return WP_User
*/
private function handle_saml_response($saml_response, $user)
{
try {
$this->saml_response_service->load_saml_response($saml_response);
if (!$this->saml_response_service->is_entity_in_audience($this->entity_id)) {
throw new Exception(sprintf("Entity \"%s\" is not in allowed audience", $this->entity_id));
} elseif (!$this->saml_response_service->is_timestamp_within_restrictions($this->wp_facade->time())) {
throw new Exception("Response has expired");
} elseif (!$this->saml_response_service->is_valid_destination($this->wp_facade->wp_login_url())) {
throw new Exception("Invalid response destination");
} elseif ($this->saml_response_service->is_session_index_registered()) {
throw new Exception(sprintf("Session index %s already registered. Possible replay attack.", $this->saml_response_service->get_session_index()));
}
// Find the user by login
$user = $this->wp_facade->get_user_by('login', $this->saml_response_service->get_name());
// If we don't have a user, create one
if (!$user instanceof WP_User) {
$role = $this->get_sso_attribute('role');
$role = $role ? $this->translate_role($role) : false;
$user_data = array('user_login' => $this->saml_response_service->get_name(), 'user_pass' => '', 'role' => $role, 'user_email' => $this->get_sso_attribute('user_email'), 'first_name' => $this->get_sso_attribute('first_name'), 'last_name' => $this->get_sso_attribute('last_name'));
$user_id = $this->wp_facade->wp_insert_user($user_data);
// Unset the password - wp_insert_user always generates a hash - it's misleading
$this->wp_facade->wp_update_user(array('ID' => $user_id, 'user_pass' => ''));
$user = new WP_User($user_id);
}
// Set the SSO session so we know we are logged in via SSO
$this->wp_facade->update_user_meta($user->ID, 'launchkey_sso_session', $this->saml_response_service->get_session_index());
$this->wp_facade->update_user_meta($user->ID, 'launchkey_authorized', 'true');
$this->saml_response_service->register_session_index();
} catch (Exception $e) {
$this->wp_facade->wp_redirect($this->error_url);
$this->wp_facade->_exit();
}
return $user;
}
/**
* Front controller for LaunchKey Native/White Label authentication
*
*
* @param WP_User $user Unused parameter always passed first by authenticate filter
* @param string $username Username specified by the user in the login screen
* @param string $password Password specifiedby the user in the login screen
*
* @since 1.0.0
* @return WP_User
*/
public function authenticate($user, $username, $password)
{
if (empty($user) && empty($username) && empty($password) && !empty($_REQUEST['SAMLResponse'])) {
$response_element = SAML2_DOMDocumentFactory::fromString(base64_decode($_REQUEST['SAMLResponse']))->documentElement;
$signature_info = SAML2_Utils::validateElement($response_element);
try {
SAML2_Utils::validateSignature($signature_info, $this->security_key);
$response = SAML2_StatusResponse::fromXML($response_element);
/** @var SAML2_Assertion[] $assertions */
$assertions = $response->getAssertions();
if (empty($assertions)) {
throw new Exception("No assertions in SAML response");
}
$assertion = $assertions[0];
$name_id = $assertion->getNameId();
$username = $name_id['Value'];
$session_id = $assertion->getSessionIndex();
// Find the user by login
$user = $this->wp_facade->get_user_by('login', $username);
// If we don't have a user, create one
if (!$user instanceof WP_User) {
$attributes = $assertion->getAttributes();
$user_data = array('user_login' => $username, 'user_pass' => '', 'role' => empty($attributes['role']) ? false : $this->translate_role($attributes['role'][0]));
$user_id = $this->wp_facade->wp_insert_user($user_data);
// Unset the password - wp_insert_user always generates a hash - it's misleading
$this->wp_facade->wp_update_user(array('ID' => $user_id, 'user_pass' => ''));
$user = new WP_User($user_id);
}
// Set the SSO session so we know we are logged in via SSSO
$this->wp_facade->update_user_meta($user->ID, 'launchkey_sso_session', $session_id);
} catch (Exception $e) {
$this->wp_facade->wp_redirect($this->error_url);
exit;
}
return $user;
}
}
