 /**
  * Start an authentication process.
  *
  * This function never returns.
  *
  * The $params array tunes the request; which keys are honoured depends on
  * the authentication source in use. Generic keys handled here:
  *  - 'KeepPost': replay the current request's POST data after
  *    authentication. Defaults to TRUE.
  *  - 'ReturnTo': URL the user is sent to once authentication finishes.
  *  - 'ReturnCallback': function to call once authentication finishes;
  *    only consulted when 'ReturnTo' is absent.
  *  - 'ErrorURL': URL that receives authentication errors.
  *
  * NOTE(review): 'ReturnTo' ends up as a redirect target. Callers must not
  * pass unvalidated request input (e.g. a raw RelayState) here, or the
  * login flow becomes an open redirect.
  *
  * @param array $params  Various options to the authentication request.
  */
 public function login(array $params = array())
 {
     // POST replay is on unless the caller explicitly disabled it.
     $replayPost = array_key_exists('KeepPost', $params) ? (bool) $params['KeepPost'] : TRUE;

     // Resolve where the user goes afterwards: an explicit URL wins over a
     // callback, and the current page is the last resort.
     if (array_key_exists('ReturnTo', $params)) {
         $destination = (string) $params['ReturnTo'];
     } elseif (array_key_exists('ReturnCallback', $params)) {
         $destination = (array) $params['ReturnCallback'];
     } else {
         $destination = SimpleSAML_Utilities::selfURL();
     }

     // A callback cannot carry POST data, so only a URL destination gets wrapped.
     if (is_string($destination) && $replayPost && $_SERVER['REQUEST_METHOD'] === 'POST') {
         $destination = SimpleSAML_Utilities::createPostRedirectLink($destination, $_POST);
     }

     $errorURL = array_key_exists('ErrorURL', $params) ? (string) $params['ErrorURL'] : NULL;

     // Record a URL that restarts this login (for bookmarked intermediate
     // pages such as the discovery service), unless the caller set one.
     if (is_string($destination) && !isset($params[SimpleSAML_Auth_State::RESTART])) {
         $params[SimpleSAML_Auth_State::RESTART] = $this->getLoginURL($destination);
     }

     SimpleSAML_Auth_Default::initLogin($this->authSource, $destination, $errorURL, $params);
     assert('FALSE');
 }
/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
$metaconfig = SimpleSAML_Configuration::getConfig('module_metaedit.php');
// Serialized metadata store; its location comes from 'metahandlerConfig' (NULL when unset).
$mdh = new SimpleSAML_Metadata_MetaDataStorageHandlerSerialize($metaconfig->getValue('metahandlerConfig', NULL));
// Auth source that must hold a valid session before editing, and the attribute identifying the editor.
$authsource = $metaconfig->getValue('auth', 'login-admin');
$useridattr = $metaconfig->getValue('useridattr', 'eduPersonPrincipalName');
if ($session->isValid($authsource)) {
    // NOTE(review): getAttributes() is not scoped to $authsource; other pages in
    // this codebase read getAuthData($authsource, 'Attributes') for a per-source
    // view -- confirm these are the attributes of the login checked above.
    $attributes = $session->getAttributes();
    // Check if userid exists
    if (!isset($attributes[$useridattr])) {
        throw new Exception('User ID is missing');
    }
    // First value of the identifying attribute; ownership checks compare against it.
    $userid = $attributes[$useridattr][0];
} else {
    // Not authenticated: start login and come back to this page. Everything
    // after this point relies on initLogin() not returning; if it did,
    // $userid would be undefined for the ownership checks.
    SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
}
/**
 * Abort unless $userid is the recorded owner of $metadata.
 *
 * @param array  $metadata  Metadata entry; 'owner' is the only key consulted.
 * @param string $userid    Identifier of the current user.
 * @throws Exception  When no owner is set, or the owner differs from $userid.
 */
function requireOwnership($metadata, $userid)
{
    $owner = isset($metadata['owner']) ? $metadata['owner'] : NULL;
    if ($owner === NULL) {
        throw new Exception('Metadata has no owner. Which means no one is granted access, not even you.');
    }
    // Strict comparison: a loosely-equal owner (e.g. "0" vs 0) does not grant access.
    if ($owner !== $userid) {
        throw new Exception('Metadata has an owner that is not equal to your userid, hence you are not granted access.');
    }
}
if (array_key_exists('entityid', $_REQUEST)) {
    $metadata = $mdh->getMetadata($_REQUEST['entityid'], 'saml20-sp-remote');
    requireOwnership($metadata, $userid);
} elseif (array_key_exists('xmlmetadata', $_REQUEST)) {
    $xmldata = $_REQUEST['xmlmetadata'];
<?php

/**
 * The _include script registers a autoloader for the simpleSAMLphp libraries. It also
 * initializes the simpleSAMLphp config class with the correct path.
 */
require_once '_include.php';
/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
// RelayState is mandatory: it is where the user lands after login.
// fatalError() is expected to end the request here; nothing checks its return.
if (empty($_REQUEST['RelayState'])) {
    SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
}
if (!$session->isValid('openid')) {
    /* Authenticate with an AuthSource. */
    // Optional OpenID identifier supplied by the caller, forwarded as a login hint.
    $hints = array();
    if (array_key_exists('openid', $_REQUEST)) {
        $hints['openid'] = $_REQUEST['openid'];
    }
    // NOTE(review): $_REQUEST['RelayState'] is attacker-controllable and is used
    // verbatim as the post-login return URL. Unless initLogin() (or whatever later
    // redirects to it) restricts it to trusted origins, this is an open redirect
    // -- confirm, and validate the URL here if it does not.
    SimpleSAML_Auth_Default::initLogin('openid', $_REQUEST['RelayState'], NULL, $hints);
}
    SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Will go to authentication module ' . $idpmetadata['auth']);
    $authId = SimpleSAML_Utilities::generateID();
    $session->setAuthnRequest('saml2', $authId, $requestcache);
    $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
    if ($authSource) {
        /* Authenticate with an AuthSource. */
        /* The user will be redirected to this URL if the session is lost. This will cause an
         * unsoliced authentication response to be sent to the SP.
         */
        $sessionLostParams = array('spentityid' => $requestcache['Issuer']);
        if (isset($requestcache['RelayState'])) {
            $sessionLostParams['RelayState'] = $requestcache['RelayState'];
        }
        $sessionLostURL = SimpleSAML_Utilities::addURLparameter($metadata->getGenerated('SingleSignOnService', 'saml20-idp-hosted'), $sessionLostParams);
        $hints = array('SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'saml20-sp-remote'), 'IdPMetadata' => $idpmetadata, SimpleSAML_Auth_State::RESTART => $sessionLostURL);
        SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, $redirectTo, $hints);
    } else {
        $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
        SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $redirectTo, 'AuthId' => $authId, 'protocol' => 'saml2'));
    }
} elseif ($needAuth) {
    /* We have a passive request, but need authentication. Send back a response indicating that
     * the user didn't have a valid session.
     */
    handleError(new SimpleSAML_Error_NoPassive('Passive authentication requested, but no session available.'));
    /**
     * We got an request, and we have a valid session. Then we send an AuthnResponse back to the
     * service.
     */
} else {
    try {
 /**
  * Log the user out.
  *
  * Never returns. With no valid session for this authentication source the
  * user is simply redirected to $url; otherwise the logout flow is started
  * and continues to $url once logout is done.
  *
  * NOTE(review): $url is a redirect target; callers must not hand over
  * unvalidated request input.
  *
  * @param string|NULL $url  Where to send the user after logging out.
  *                          NULL means the current page.
  */
 public function logout($url = NULL)
 {
     assert('is_string($url) || is_null($url)');
     $target = ($url === NULL) ? SimpleSAML_Utilities::selfURL() : $url;

     $session = SimpleSAML_Session::getInstance();
     $loggedInHere = $session->isValid($this->authSource);
     if (!$loggedInHere) {
         /* Nothing to log out of for this source; just send the user on. */
         SimpleSAML_Utilities::redirect($target);
         assert('FALSE');
     }

     SimpleSAML_Auth_Default::initLogout($target);
 }
 /**
  * Called when the processing chain has finished.
  *
  * Looks up the SP authentication source recorded in the state, registers
  * a logout callback for the IdP, copies the processed attributes into the
  * state and completes authentication. Unsolicited responses are handed to
  * handleUnsolicitedAuth() first, with the RelayState (or the source's
  * configured 'RelayState', '/' if none) as the redirect target.
  *
  * @param array $authProcState  The processing chain state.
  * @throws Exception  If the recorded authentication source no longer exists.
  */
 public static function onProcessingCompleted(array $authProcState)
 {
     assert('array_key_exists("saml:sp:IdP", $authProcState)');
     assert('array_key_exists("saml:sp:State", $authProcState)');
     assert('array_key_exists("Attributes", $authProcState)');

     $idpId = $authProcState['saml:sp:IdP'];
     $spState = $authProcState['saml:sp:State'];
     $authId = $spState['saml:sp:AuthId'];

     $spSource = SimpleSAML_Auth_Source::getById($authId);
     if ($spSource === NULL) {
         throw new Exception('Could not find authentication source with id ' . $authId);
     }

     /* Let logout requests from this IdP reach the session later on. */
     $spSource->addLogoutCallback($idpId, $spState);
     $spState['Attributes'] = $authProcState['Attributes'];

     // Unsolicited (IdP-initiated) response: the RelayState becomes the redirect
     // target. NOTE(review): that value arrives with the response, so confirm
     // handleUnsolicitedAuth() validates it before redirecting.
     $unsolicited = isset($spState['saml:sp:isUnsolicited']) && (bool) $spState['saml:sp:isUnsolicited'];
     if ($unsolicited) {
         $redirectTo = empty($spState['saml:sp:RelayState'])
             ? $spSource->getMetadata()->getString('RelayState', '/')
             : $spState['saml:sp:RelayState'];
         SimpleSAML_Auth_Default::handleUnsolicitedAuth($authId, $spState, $redirectTo);
     }

     SimpleSAML_Auth_Source::completeAuth($spState);
 }
<?php

/**
 * @author Shoaib Ali, Catalyst IT
 * @package simpleSAMLphp
 * @version $Id$
 */
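// Logout for the 'auth2factor' source: ending its session also ends the
// session of the underlying ("main") authentication source it wraps.
$as = SimpleSAML_Configuration::getConfig('authsources.php')->getValue('auth2factor');
// Get session object
$session = \SimpleSAML_Session::getSessionFromRequest();
// Get the auth source so we can retrieve the URL we are meant to redirect to
$qaLogin = SimpleSAML_Auth_Source::getById('auth2factor');
// getById() yields NULL for an unknown id, and a missing 'mainAuthSource'
// would make isValid()/initLogout() operate on NULL: fail loudly instead.
if ($qaLogin === NULL || !isset($as['mainAuthSource'])) {
    throw new Exception('Invalid authentication source: auth2factor');
}
// Trigger logout for the main auth source
if ($session->isValid($as['mainAuthSource'])) {
    SimpleSAML_Auth_Default::initLogout($qaLogin->getLogoutURL(), $as['mainAuthSource']);
}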
// Attribute naming the JANUS user; falls back to eduPersonPrincipalName.
$useridattr = $janus_config->getValue('useridattr', 'eduPersonPrincipalName');
if ($session->isValid($authsource)) {
    // NOTE(review): getAttributes() is not scoped to $authsource; other pages in
    // this codebase use getAuthData($authsource, 'Attributes') -- confirm these
    // are the attributes of the login checked above.
    $attributes = $session->getAttributes();
    // Check if userid exists
    if (!isset($attributes[$useridattr])) {
        throw new Exception('User ID is missing');
    }
    $userid = $attributes[$useridattr][0];
} else {
    // Prefer a return URL stashed in the session under 'refURL' (one-shot:
    // it is deleted once read); otherwise come back to this page.
    $returnURL = $session->getData('string', 'refURL');
    if (is_null($returnURL)) {
        $returnURL = SimpleSAML_Utilities::selfURL();
    } else {
        $session->deleteData('string', 'refURL');
    }
    // NOTE(review): the whole query string is forwarded as login hints. The
    // same parameter array carries SimpleSAML_Auth_State::RESTART (the URL used
    // to restart a lost login) elsewhere in this codebase, so a request could
    // inject that key unless initLogin() filters it -- confirm, or whitelist
    // the hint keys before passing $_GET on. The code below assumes
    // initLogin() does not return.
    SimpleSAML_Auth_Default::initLogin($authsource, $returnURL, NULL, $_GET);
}
$user = new sspmod_janus_User();
$user->setUserid($userid);
if (!$user->load(sspmod_janus_User::USERID_LOAD)) {
    $autocreatenewuser = $janus_config->getValue('user.autocreate', false);
    if ($autocreatenewuser) {
        SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/newUser.php'), array('userid' => $userid));
    } else {
        SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/noNewUser.php'), array('userid' => $userid));
    }
} else {
    if ($user->getActive() === 'yes') {
        SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/dashboard.php/entities'));
    } else {
        $session->doLogout();
     * response nor a response from bridged SLO.
     */
    SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: No request, response or bridge');
    SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS');
}
/* First, log out of the current authentication source. */
// The authority holding the local session decides how that session is ended.
$authority = $session->getAuthority();
if ($authority !== NULL) {
    /* We are logged in. */
    // Id that ties the saved logout info to the return trip back to this page.
    $bridgedId = SimpleSAML_Utilities::generateID();
    $returnTo = SimpleSAML_Utilities::selfURLNoQuery() . '?LogoutID=' . $bridgedId;
    /* Save the $logoutInfo until we return from the SP. */
    saveLogoutInfo($bridgedId);
    if ($authority === $idpMetadata->getString('auth')) {
        /* This is probably an authentication source. */
        // Logs out and comes back to $returnTo in a new request.
        SimpleSAML_Auth_Default::initLogoutReturn($returnTo);
    } elseif ($authority === 'saml2') {
        /* SAML 2 SP which isn't an authentication source. */
        SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php', array('RelayState' => $returnTo));
    } else {
        /* A different old-style authentication file. */
        // Presumably the only branch that continues into the SP loop below
        // within this request; the other two hand off via redirect.
        $session->doLogout();
    }
}
/*
 * Find the next SP we should log out from. We will search through the list of
 * SPs until we find a valid SP with a SingleLogoutService endpoint.
 */
while (TRUE) {
    /* Dump the current sessions (for debugging). */
    $session->dump_sp_sessions();
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();
// Module config is optional; defaults below apply when it is absent.
$oauthconfig = SimpleSAML_Configuration::getOptionalConfig('module_oauth.php');
// Persistent store holding the registered OAuth consumers.
$store = new sspmod_core_Storage_SQLPermanentStorage('oauth');
$authsource = "admin";
// force admin to authenticate as registry maintainer
$useridattr = $oauthconfig->getValue('useridattr', 'user');
if ($session->isValid($authsource)) {
    // Attributes are read for the 'admin' source specifically, not the session at large.
    $attributes = $session->getAuthData($authsource, 'Attributes');
    // Check if userid exists
    if (!isset($attributes[$useridattr])) {
        throw new Exception('User ID is missing');
    }
    // First value of the identifying attribute; ownership checks compare against it.
    $userid = $attributes[$useridattr][0];
} else {
    // Start admin login and return here. Code below relies on initLogin()
    // not returning; otherwise $userid would be undefined.
    SimpleSAML_Auth_Default::initLogin($authsource, \SimpleSAML\Utils\HTTP::getSelfURL());
}
/**
 * Abort unless $userid owns the OAuth consumer $entry.
 *
 * @param array  $entry   Consumer record; only its 'owner' key is consulted.
 * @param string $userid  Identifier of the current user.
 * @throws Exception  When the record has no owner, or the owner is not $userid.
 */
function requireOwnership($entry, $userid)
{
    $hasOwner = isset($entry['owner']);
    // Strict comparison: a loosely-equal owner does not grant access.
    $ownerMatches = $hasOwner && ($entry['owner'] === $userid);
    if (!$hasOwner) {
        throw new Exception('OAuth Consumer has no owner. Which means no one is granted access, not even you.');
    }
    if (!$ownerMatches) {
        throw new Exception('OAuth Consumer has an owner that is not equal to your userid, hence you are not granted access.');
    }
}
if (isset($_REQUEST['delete'])) {
    $entryc = $store->get('consumers', $_REQUEST['delete'], '');
    $entry = $entryc['value'];
    requireOwnership($entry, $userid);
    $store->remove('consumers', $entry['key'], '');
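// $state is the auth state loaded earlier in this script; the source id it
// carries selects both the authsources.php entry and the 2FA source object.
assert('array_key_exists("SimpleSAML_Auth_Source.id", $state)');
$authId = $state['SimpleSAML_Auth_Source.id'];
$as = SimpleSAML_Configuration::getConfig('authsources.php')->getValue($authId);
// Use 2 factor authentication class
$gaLogin = SimpleSAML_Auth_Source::getById($authId, 'sspmod_authtfaga_Auth_Source_authtfaga');
if ($gaLogin === null) {
    throw new Exception('Invalid authentication source: ' . $authId);
}
// Init template
$template = 'authtfaga:login.php';
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, $template);
$errorCode = null;
//If user doesn't have session, force to use the main authentication method
if (!$session->isValid($as['mainAuthSource'])) {
    SimpleSAML_Auth_Default::initLogin($as['mainAuthSource'], SimpleSAML_Utilities::selfURL());
}
// Attributes come from the main (first-factor) source only; the second
// factor is keyed on the configured 'uidField' attribute.
$attributes = $session->getAuthData($as['mainAuthSource'], 'Attributes');
$state['Attributes'] = $attributes;
// Fail explicitly when the identifying attribute is absent, instead of
// silently binding the second factor to a NULL user id.
if (!isset($attributes[$as['uidField']])) {
    throw new Exception('User ID is missing');
}
$uid = $attributes[$as['uidField']][0];
$state['UserID'] = $uid;
$isEnabled = $gaLogin->isEnabled2fa($uid);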
if (is_null($isEnabled) || isset($_GET['postSetEnable2fa'])) {
    //If the user has not set his preference of 2 factor authentication, redirect to settings page
    if (isset($_POST['setEnable2f'])) {
        if ($_POST['setEnable2f'] == 1) {
            $gaKey = $gaLogin->createSecret();
            $gaLogin->registerGAkey($uid, $gaKey);
            $gaLogin->enable2fa($uid);
            $t->data['todo'] = 'generateGA';
            $t->data['autofocus'] = 'otp';
<?php

/**
 * The _include script registers a autoloader for the simpleSAMLphp libraries. It also
 * initializes the simpleSAMLphp config class with the correct path.
 */
require_once '_include.php';
/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

// Test page for the 'openid' authentication source: force a login when there
// is no valid session, then display the resulting attributes.
if (!$session->isValid('openid')) {
    /* Authenticate with an AuthSource. */
    // No identifier is supplied with the hint.
    $loginHints = array('openid' => NULL);
    SimpleSAML_Auth_Default::initLogin('openid', SimpleSAML_Utilities::selfURL(), NULL, $loginHints);
}

// Reached only with a valid session (initLogin() is expected not to return).
$attributes = $session->getAttributes();
$statusPage = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$pageData = array(
    'header' => '{openid:dictopenid:openidtestpage}',
    'remaining' => $session->remainingTime(),
    'sessionsize' => $session->getSize(),
    'attributes' => $attributes,
    'icon' => 'bino.png',
    'logouturl' => NULL,
);
foreach ($pageData as $field => $value) {
    $statusPage->data[$field] = $value;
}
$statusPage->show();
    SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SSOSERVICEPARAMS');
}
// Decide how this IdP authenticates users: the configured 'auth' value is an
// authentication source when getById() knows it; otherwise the old-style
// 'authority' setting names the session authority instead.
$configuredAuth = $adfsconfig->getValue('auth');
$authSource = (SimpleSAML_Auth_Source::getById($configuredAuth) !== NULL);
if ($authSource) {
    $authority = $configuredAuth;
} else {
    $authority = $adfsconfig->getValue('authority');
}
if (!$session->isValid($authority)) {
    SimpleSAML_Logger::info('ADFS - IdP.SSOService: Will go to authentication module ' . $adfsconfig->getValue('auth'));
    $authId = SimpleSAML_Utilities::generateID();
    $session->setAuthnRequest('adfs', $authId, $requestcache);
    $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
    if ($authSource) {
        SimpleSAML_Auth_Default::initLogin($adfsconfig->getValue('auth'), $redirectTo);
    } else {
        $authurl = '/' . $config->getBaseURL() . $adfsconfig->getValue('auth');
        SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $redirectTo, 'AuthId' => $authId, 'protocol' => 'adfs'));
    }
} else {
    try {
        $spentityid = $requestcache['Issuer'];
        $spmetadata = SimpleSAML_Configuration::getConfig('adfs-sp-remote.php');
        $arr = $spmetadata->getValue($spentityid);
        if (!isset($arr)) {
            throw new Exception('Metadata for ADFS SP "' . $spentityid . '" could not be found in adfs-sp-remote.php!');
        }
        $spmetadata = SimpleSAML_Configuration::loadFromArray($arr);
        $sp_name = $spmetadata->getValue('name', $spentityid);
        SimpleSAML_Logger::info('ADFS - IdP.SSOService: Sending back AuthnResponse to ' . $spentityid);
 /**
  * Require admin access for current page.
  *
  * Returns immediately for an admin user. Anyone else is sent to the admin
  * login -- the 'admin' authentication source when one is configured,
  * otherwise the older auth/login-admin.php page -- with the current URL as
  * the return target. Callers rely on the login hand-off not returning, so
  * code after this call should only ever run for admins.
  */
 public static function requireAdmin()
 {
     if (self::isAdmin()) {
         return;
     }
     /* Not authenticated as admin user. Start authentication. */
     $currentPage = SimpleSAML_Utilities::selfURL();
     $hasAdminSource = (SimpleSAML_Auth_Source::getById('admin') !== NULL);
     if (!$hasAdminSource) {
         /* For backwards-compatibility: no 'admin' authsource, use the old login page. */
         $baseURL = SimpleSAML_Configuration::getInstance()->getBaseURL();
         SimpleSAML_Utilities::redirect('/' . $baseURL . 'auth/login-admin.php', array('RelayState' => $currentPage));
         return;
     }
     SimpleSAML_Auth_Default::initLogin('admin', $currentPage);
 }
    if (is_array($state)) {
        $config = sspmod_authTiqr_Auth_Tiqr::getAuthSourceConfig($authState);
        if (isset($config["enroll.authsource"])) {
            $mayCreate = false;
            if ($session->isValid($config["enroll.authsource"])) {
                $attributes = $session->getAuthData($config["enroll.authsource"], 'Attributes');
                // Check if userid exists
                $uidAttribute = $config["enroll.uidAttribute"];
                $displayNameAttribute = $config["enroll.cnAttribute"];
                if (!isset($attributes[$uidAttribute])) {
                    throw new Exception('User ID is missing');
                }
                $state["tiqrUser"]["userId"] = $attributes[$uidAttribute][0];
                $state["tiqrUser"]["displayName"] = $attributes[$displayNameAttribute][0];
            } else {
                SimpleSAML_Auth_Default::initLogin($config["enroll.authsource"], SimpleSAML_Utilities::selfURL(), NULL, $_REQUEST);
            }
        }
    }
}
// Template rendered by this page, and the tiqr user store new accounts go into.
$template = 'newuser.php';
$store = sspmod_authTiqr_Auth_Tiqr::getUserStorage();
if (is_array($_POST) && count($_POST) && isset($_POST["create"])) {
    // Page was posted, so new user form has been filled.
    if ($state == NULL) {
        //      throw new SimpleSAML_Error_NoState();
    }
    $displayName = isset($_POST['displayName']) ? $_POST['displayName'] : NULL;
    $userId = isset($_POST['userId']) ? $_POST['userId'] : NULL;
    if (empty($userId) || empty($displayName)) {
        $errorcode = "userdatarequired";
    $state = SimpleSAML_Auth_State::loadExceptionState();
    assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)');
    $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];
    header('Content-Type: text/plain');
    echo "Exception during login:\n";
    foreach ($e->format() as $line) {
        echo $line . "\n";
    }
    exit(0);
}
// No source chosen yet: list every configured authentication source and stop.
if (!array_key_exists('as', $_REQUEST)) {
    $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php');
    $t->data['sources'] = SimpleSAML_Auth_Source::getSources();
    $t->show();
    exit;
}
// Authentication source id taken straight from the request. Within this page
// it is only used as a source id (isValid/initLogin), so initLogin() is relied
// on to reject ids that are not configured.
$as = $_REQUEST['as'];
if (!$session->isValid($as)) {
    // This page serves as return target, error target and restart URL.
    $url = SimpleSAML_Utilities::selfURL();
    $hints = array(SimpleSAML_Auth_State::RESTART => $url);
    SimpleSAML_Auth_Default::initLogin($as, $url, $url, $hints);
}
// NOTE(review): getAttributes() is not scoped to $as; other pages in this
// codebase use getAuthData($as, 'Attributes') for a per-source read -- confirm
// these are the attributes of the source just checked.
$attributes = $session->getAttributes();
$t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$t->data['header'] = '{status:header_saml20_sp}';
$t->data['remaining'] = $session->remainingTime();
$t->data['sessionsize'] = $session->getSize();
$t->data['attributes'] = $attributes;
// Logout is a GET back to this page with a bare 'logout' query parameter.
$t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout';
$t->data['icon'] = 'bino.png';
$t->show();