/**
 * Start an authentication process.
 *
 * This function never returns: it ends in SimpleSAML_Auth_Default::initLogin().
 *
 * The accepted keys of $params depend on the authentication source being used.
 * The generic ones handled here are:
 * - 'ErrorURL': A URL that should receive errors from the authentication.
 * - 'KeepPost': If the current request is a POST request, keep the POST
 *   data until after the authentication. Defaults to TRUE.
 * - 'ReturnTo': The URL the user should be returned to after authentication.
 *   It is passed on to initLogin() exactly as given, so the caller must supply
 *   a trusted target. Defaults to the current URL.
 * - 'ReturnCallback': The function we should call after the user has
 *   finished authentication. Ignored when 'ReturnTo' is also present.
 *
 * @param array $params Various options to the authentication request.
 */
public function login(array $params = array()) {
    $keepPost = array_key_exists('KeepPost', $params) ? (bool) $params['KeepPost'] : TRUE;

    /* 'ReturnTo' takes precedence over 'ReturnCallback'; with neither, return to this page. */
    if (array_key_exists('ReturnTo', $params)) {
        $returnTo = (string) $params['ReturnTo'];
    } elseif (array_key_exists('ReturnCallback', $params)) {
        $returnTo = (array) $params['ReturnCallback'];
    } else {
        $returnTo = SimpleSAML_Utilities::selfURL();
    }

    /* POST data can only be preserved for a URL target, not for a callback. */
    if (is_string($returnTo) && $keepPost && $_SERVER['REQUEST_METHOD'] === 'POST') {
        $returnTo = SimpleSAML_Utilities::createPostRedirectLink($returnTo, $_POST);
    }

    $errorURL = array_key_exists('ErrorURL', $params) ? (string) $params['ErrorURL'] : NULL;

    /*
     * Record a URL to restart the authentication, in case the user bookmarks
     * something, e.g. the discovery service page. Only possible for a URL
     * target, and a restart URL supplied by the caller is left untouched.
     */
    if (is_string($returnTo) && !isset($params[SimpleSAML_Auth_State::RESTART])) {
        $params[SimpleSAML_Auth_State::RESTART] = $this->getLoginURL($returnTo);
    }

    SimpleSAML_Auth_Default::initLogin($this->authSource, $returnTo, $errorURL, $params);
    assert('FALSE');
}
/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();
$metaconfig = SimpleSAML_Configuration::getConfig('module_metaedit.php');
$mdh = new SimpleSAML_Metadata_MetaDataStorageHandlerSerialize($metaconfig->getValue('metahandlerConfig', NULL));

/* Authentication source and the attribute that identifies the editing user; both come from module config. */
$authsource = $metaconfig->getValue('auth', 'login-admin');
$useridattr = $metaconfig->getValue('useridattr', 'eduPersonPrincipalName');

if ($session->isValid($authsource)) {
    $attributes = $session->getAttributes();
    // Check if userid exists
    if (!isset($attributes[$useridattr])) {
        throw new Exception('User ID is missing');
    }
    $userid = $attributes[$useridattr][0];
} else {
    /* Not authenticated: start a login that returns to this page. The code below
     * relies on initLogin() never returning, otherwise $userid would be undefined here. */
    SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
}

/**
 * Abort unless the given metadata entry is owned by the current user.
 *
 * Ownership is a strict string comparison against the 'owner' key; an entry
 * without an owner is treated as owned by nobody. A missing entry (e.g. a
 * NULL from the storage handler) therefore also fails this check.
 *
 * @param array|NULL $metadata Metadata entry as returned by the storage handler.
 * @param string     $userid   Identifier of the authenticated user.
 * @throws Exception If the entry has no owner or a different owner.
 */
function requireOwnership($metadata, $userid) {
    if (!isset($metadata['owner'])) {
        throw new Exception('Metadata has no owner. Which means no one is granted access, not even you.');
    }
    if ($metadata['owner'] !== $userid) {
        throw new Exception('Metadata has an owner that is not equal to your userid, hence you are not granted access.');
    }
}

/* Ownership is enforced before an existing entity's metadata is used. */
if (array_key_exists('entityid', $_REQUEST)) {
    $metadata = $mdh->getMetadata($_REQUEST['entityid'], 'saml20-sp-remote');
    requireOwnership($metadata, $userid);
} elseif (array_key_exists('xmlmetadata', $_REQUEST)) {
    /* Raw XML pasted by the user; whatever ownership check applies to it lies beyond this excerpt. */
    $xmldata = $_REQUEST['xmlmetadata'];
<?php
/**
 * The _include script registers an autoloader for the simpleSAMLphp libraries. It also
 * initializes the simpleSAMLphp config class with the correct path.
 */
require_once '_include.php';

/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* A RelayState is mandatory: it is the URL the user is sent to once authenticated. */
if (empty($_REQUEST['RelayState'])) {
    SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
}

/*
 * Not yet authenticated with the 'openid' source: start the login, passing an
 * optional OpenID identifier hint along. RelayState is taken straight from the
 * request and forwarded as the return URL unchanged — NOTE(review): confirm the
 * redirect target is restricted somewhere (initLogin() or its callers); otherwise
 * this is an open-redirect surface.
 */
if (!$session->isValid('openid')) {
    $loginHints = array_key_exists('openid', $_REQUEST)
        ? array('openid' => $_REQUEST['openid'])
        : array();
    SimpleSAML_Auth_Default::initLogin('openid', $_REQUEST['RelayState'], NULL, $loginHints);
}
SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Will go to authentication module ' . $idpmetadata['auth']); $authId = SimpleSAML_Utilities::generateID(); $session->setAuthnRequest('saml2', $authId, $requestcache); $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId); if ($authSource) { /* Authenticate with an AuthSource. */ /* The user will be redirected to this URL if the session is lost. This will cause an * unsoliced authentication response to be sent to the SP. */ $sessionLostParams = array('spentityid' => $requestcache['Issuer']); if (isset($requestcache['RelayState'])) { $sessionLostParams['RelayState'] = $requestcache['RelayState']; } $sessionLostURL = SimpleSAML_Utilities::addURLparameter($metadata->getGenerated('SingleSignOnService', 'saml20-idp-hosted'), $sessionLostParams); $hints = array('SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'saml20-sp-remote'), 'IdPMetadata' => $idpmetadata, SimpleSAML_Auth_State::RESTART => $sessionLostURL); SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, $redirectTo, $hints); } else { $authurl = '/' . $config->getBaseURL() . $idpmetadata['auth']; SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $redirectTo, 'AuthId' => $authId, 'protocol' => 'saml2')); } } elseif ($needAuth) { /* We have a passive request, but need authentication. Send back a response indicating that * the user didn't have a valid session. */ handleError(new SimpleSAML_Error_NoPassive('Passive authentication requested, but no session available.')); /** * We got an request, and we have a valid session. Then we send an AuthnResponse back to the * service. */ } else { try {
/**
 * Log the user out.
 *
 * Never returns. If the session is not authenticated to this authentication
 * source there is nothing to log out of and the user is simply redirected to
 * $url; otherwise the logout is handed to SimpleSAML_Auth_Default::initLogout().
 * $url is used as the redirect target exactly as given.
 *
 * @param string|NULL $url The url the user should be redirected to after logging out.
 *                         Defaults to the current page.
 */
public function logout($url = NULL) {
    assert('is_string($url) || is_null($url)');

    $target = ($url === NULL) ? SimpleSAML_Utilities::selfURL() : $url;

    $session = SimpleSAML_Session::getInstance();
    if (!$session->isValid($this->authSource)) {
        /* Not authenticated to this authentication source: just send the user on. */
        SimpleSAML_Utilities::redirect($target);
        assert('FALSE');
    }

    SimpleSAML_Auth_Default::initLogout($target);
}
/**
 * Called when we have completed the processing chain.
 *
 * Looks up the authentication source recorded in the state, registers a logout
 * callback for the IdP, copies the filtered attributes into the state and then
 * finishes the login. An unsolicited (IdP-initiated) response is handed to
 * SimpleSAML_Auth_Default::handleUnsolicitedAuth() with the RelayState — or the
 * source's configured default — as destination; otherwise the login completes
 * through SimpleSAML_Auth_Source::completeAuth().
 *
 * @param array $authProcState The processing chain state.
 * @throws Exception If the authentication source named in the state cannot be found.
 */
public static function onProcessingCompleted(array $authProcState) {
    assert('array_key_exists("saml:sp:IdP", $authProcState)');
    assert('array_key_exists("saml:sp:State", $authProcState)');
    assert('array_key_exists("Attributes", $authProcState)');

    $idp = $authProcState['saml:sp:IdP'];
    $state = $authProcState['saml:sp:State'];
    $sourceId = $state['saml:sp:AuthId'];

    $source = SimpleSAML_Auth_Source::getById($sourceId);
    if ($source === NULL) {
        throw new Exception('Could not find authentication source with id ' . $sourceId);
    }

    /* Register a callback that we can call if we receive a logout request from the IdP. */
    $source->addLogoutCallback($idp, $state);

    $state['Attributes'] = $authProcState['Attributes'];

    $unsolicited = isset($state['saml:sp:isUnsolicited']) && (bool) $state['saml:sp:isUnsolicited'];
    if ($unsolicited) {
        /*
         * IdP-initiated login: the RelayState from the response decides where the user
         * ends up, falling back to the source's configured default. NOTE(review): that
         * value originates from the IdP; whether handleUnsolicitedAuth() restricts the
         * redirect target is not visible here — confirm.
         */
        $redirectTo = empty($state['saml:sp:RelayState'])
            ? $source->getMetadata()->getString('RelayState', '/')
            : $state['saml:sp:RelayState'];
        SimpleSAML_Auth_Default::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
    }

    SimpleSAML_Auth_Source::completeAuth($state);
}
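<?php
/**
 * @author Shoaib Ali, Catalyst IT
 * @package simpleSAMLphp
 * @version $Id$
 */

/* Configuration of the 'auth2factor' authentication source, including the main source it wraps. */
$as = SimpleSAML_Configuration::getConfig('authsources.php')->getValue('auth2factor');

// Get session object
$session = \SimpleSAML_Session::getSessionFromRequest();

// Get the auth source so we can retrieve the URL we are meant to redirect to
$qaLogin = SimpleSAML_Auth_Source::getById('auth2factor');
if ($qaLogin === NULL) {
    /* getById() yields NULL for an unknown source; fail clearly instead of calling a method on NULL below. */
    throw new Exception('Could not find authentication source with id auth2factor');
}

// Trigger logout for the main auth source
if ($session->isValid($as['mainAuthSource'])) {
    SimpleSAML_Auth_Default::initLogout($qaLogin->getLogoutURL(), $as['mainAuthSource']);
}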
$useridattr = $janus_config->getValue('useridattr', 'eduPersonPrincipalName'); if ($session->isValid($authsource)) { $attributes = $session->getAttributes(); // Check if userid exists if (!isset($attributes[$useridattr])) { throw new Exception('User ID is missing'); } $userid = $attributes[$useridattr][0]; } else { $returnURL = $session->getData('string', 'refURL'); if (is_null($returnURL)) { $returnURL = SimpleSAML_Utilities::selfURL(); } else { $session->deleteData('string', 'refURL'); } SimpleSAML_Auth_Default::initLogin($authsource, $returnURL, NULL, $_GET); } $user = new sspmod_janus_User(); $user->setUserid($userid); if (!$user->load(sspmod_janus_User::USERID_LOAD)) { $autocreatenewuser = $janus_config->getValue('user.autocreate', false); if ($autocreatenewuser) { SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/newUser.php'), array('userid' => $userid)); } else { SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/noNewUser.php'), array('userid' => $userid)); } } else { if ($user->getActive() === 'yes') { SimpleSAML_Utilities::redirectTrustedUrl(SimpleSAML_Module::getModuleURL('janus/dashboard.php/entities')); } else { $session->doLogout();
* response nor a response from bridged SLO. */ SimpleSAML_Logger::debug('SAML2.0 - IdP.SingleLogoutService: No request, response or bridge'); SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS'); } /* First, log out of the current authentication source. */ $authority = $session->getAuthority(); if ($authority !== NULL) { /* We are logged in. */ $bridgedId = SimpleSAML_Utilities::generateID(); $returnTo = SimpleSAML_Utilities::selfURLNoQuery() . '?LogoutID=' . $bridgedId; /* Save the $logoutInfo until we return from the SP. */ saveLogoutInfo($bridgedId); if ($authority === $idpMetadata->getString('auth')) { /* This is probably an authentication source. */ SimpleSAML_Auth_Default::initLogoutReturn($returnTo); } elseif ($authority === 'saml2') { /* SAML 2 SP which isn't an authentication source. */ SimpleSAML_Utilities::redirect('/' . $config->getBaseURL() . 'saml2/sp/initSLO.php', array('RelayState' => $returnTo)); } else { /* A different old-style authentication file. */ $session->doLogout(); } } /* * Find the next SP we should log out from. We will search through the list of * SPs until we find a valid SP with a SingleLogoutService endpoint. */ while (TRUE) { /* Dump the current sessions (for debugging). */ $session->dump_sp_sessions();
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getSessionFromRequest();
$oauthconfig = SimpleSAML_Configuration::getOptionalConfig('module_oauth.php');
$store = new sspmod_core_Storage_SQLPermanentStorage('oauth');

$authsource = "admin"; // force admin to authenticate as registry maintainer
$useridattr = $oauthconfig->getValue('useridattr', 'user');

if ($session->isValid($authsource)) {
    $attributes = $session->getAuthData($authsource, 'Attributes');
    // Check if userid exists
    if (!isset($attributes[$useridattr])) {
        throw new Exception('User ID is missing');
    }
    $userid = $attributes[$useridattr][0];
} else {
    /* Not authenticated: start a login that returns to this page. The code below
     * relies on initLogin() never returning, otherwise $userid would be undefined here. */
    SimpleSAML_Auth_Default::initLogin($authsource, \SimpleSAML\Utils\HTTP::getSelfURL());
}

/**
 * Abort unless the given consumer entry is owned by the current user.
 *
 * Ownership is a strict string comparison against the 'owner' key; an entry
 * without an owner is treated as owned by nobody, so a missing entry (NULL)
 * fails this check as well.
 *
 * @param array|NULL $entry  Consumer entry value as stored in $store.
 * @param string     $userid Identifier of the authenticated user.
 * @throws Exception If the entry has no owner or a different owner.
 */
function requireOwnership($entry, $userid) {
    if (!isset($entry['owner'])) {
        throw new Exception('OAuth Consumer has no owner. Which means no one is granted access, not even you.');
    }
    if ($entry['owner'] !== $userid) {
        throw new Exception('OAuth Consumer has an owner that is not equal to your userid, hence you are not granted access.');
    }
}

/*
 * Delete a consumer. The ownership check runs before removal, and the removal
 * uses the key stored in the entry rather than the request value. NOTE(review):
 * $_REQUEST also accepts GET, so this state change can be triggered by a plain
 * link unless a CSRF token is verified elsewhere — confirm.
 */
if (isset($_REQUEST['delete'])) {
    $entryc = $store->get('consumers', $_REQUEST['delete'], '');
    $entry = $entryc['value'];
    requireOwnership($entry, $userid);
    $store->remove('consumers', $entry['key'], '');
assert('array_key_exists("SimpleSAML_Auth_Source.id", $state)'); $authId = $state['SimpleSAML_Auth_Source.id']; $as = SimpleSAML_Configuration::getConfig('authsources.php')->getValue($authId); // Use 2 factor authentication class $gaLogin = SimpleSAML_Auth_Source::getById($authId, 'sspmod_authtfaga_Auth_Source_authtfaga'); if ($gaLogin === null) { throw new Exception('Invalid authentication source: ' . $authId); } // Init template $template = 'authtfaga:login.php'; $globalConfig = SimpleSAML_Configuration::getInstance(); $t = new SimpleSAML_XHTML_Template($globalConfig, $template); $errorCode = null; //If user doesn't have session, force to use the main authentication method if (!$session->isValid($as['mainAuthSource'])) { SimpleSAML_Auth_Default::initLogin($as['mainAuthSource'], SimpleSAML_Utilities::selfURL()); } $attributes = $session->getAuthData($as['mainAuthSource'], 'Attributes'); $state['Attributes'] = $attributes; $uid = $attributes[$as['uidField']][0]; $state['UserID'] = $uid; $isEnabled = $gaLogin->isEnabled2fa($uid); if (is_null($isEnabled) || isset($_GET['postSetEnable2fa'])) { //If the user has not set his preference of 2 factor authentication, redirect to settings page if (isset($_POST['setEnable2f'])) { if ($_POST['setEnable2f'] == 1) { $gaKey = $gaLogin->createSecret(); $gaLogin->registerGAkey($uid, $gaKey); $gaLogin->enable2fa($uid); $t->data['todo'] = 'generateGA'; $t->data['autofocus'] = 'otp';
<?php
/**
 * The _include script registers an autoloader for the simpleSAMLphp libraries. It also
 * initializes the simpleSAMLphp config class with the correct path.
 */
require_once '_include.php';

/* Load simpleSAMLphp, configuration and metadata */
$config = SimpleSAML_Configuration::getInstance();
$session = SimpleSAML_Session::getInstance();

/* Not yet authenticated with the 'openid' source: log in and come back to this page.
 * No OpenID identifier is suggested, hence the NULL hint. */
if (!$session->isValid('openid')) {
    $loginHints = array('openid' => NULL);
    SimpleSAML_Auth_Default::initLogin('openid', SimpleSAML_Utilities::selfURL(), NULL, $loginHints);
}

/* Show the attributes of the current session on the generic status page. */
$attributes = $session->getAttributes();

$page = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes');
$page->data['header'] = '{openid:dictopenid:openidtestpage}';
$page->data['remaining'] = $session->remainingTime();
$page->data['sessionsize'] = $session->getSize();
$page->data['attributes'] = $attributes;
$page->data['icon'] = 'bino.png';
$page->data['logouturl'] = NULL;
$page->show();
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SSOSERVICEPARAMS'); } if (SimpleSAML_Auth_Source::getById($adfsconfig->getValue('auth')) !== NULL) { $authSource = TRUE; $authority = $adfsconfig->getValue('auth'); } else { $authSource = FALSE; $authority = $adfsconfig->getValue('authority'); } if (!$session->isValid($authority)) { SimpleSAML_Logger::info('ADFS - IdP.SSOService: Will go to authentication module ' . $adfsconfig->getValue('auth')); $authId = SimpleSAML_Utilities::generateID(); $session->setAuthnRequest('adfs', $authId, $requestcache); $redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId); if ($authSource) { SimpleSAML_Auth_Default::initLogin($adfsconfig->getValue('auth'), $redirectTo); } else { $authurl = '/' . $config->getBaseURL() . $adfsconfig->getValue('auth'); SimpleSAML_Utilities::redirect($authurl, array('RelayState' => $redirectTo, 'AuthId' => $authId, 'protocol' => 'adfs')); } } else { try { $spentityid = $requestcache['Issuer']; $spmetadata = SimpleSAML_Configuration::getConfig('adfs-sp-remote.php'); $arr = $spmetadata->getValue($spentityid); if (!isset($arr)) { throw new Exception('Metadata for ADFS SP "' . $spentityid . '" could not be found in adfs-sp-remote.php!'); } $spmetadata = SimpleSAML_Configuration::loadFromArray($arr); $sp_name = $spmetadata->getValue('name', $spentityid); SimpleSAML_Logger::info('ADFS - IdP.SSOService: Sending back AuthnResponse to ' . $spentityid);
/**
 * Require admin access for current page.
 *
 * This is a helper-function for limiting a page to admin access. It returns only
 * when the current user already has admin access; otherwise it starts an admin
 * login that comes back to the current URL and does not return.
 *
 * @return void
 */
public static function requireAdmin() {
    if (self::isAdmin()) {
        return;
    }

    /* Not authenticated as admin user. Start authentication, returning to this page afterwards. */
    $returnTo = SimpleSAML_Utilities::selfURL();

    if (SimpleSAML_Auth_Source::getById('admin') === NULL) {
        /* For backwards-compatibility: no 'admin' authentication source, use the legacy login page. */
        $config = SimpleSAML_Configuration::getInstance();
        $legacyLogin = '/' . $config->getBaseURL() . 'auth/login-admin.php';
        SimpleSAML_Utilities::redirect($legacyLogin, array('RelayState' => $returnTo));
    } else {
        SimpleSAML_Auth_Default::initLogin('admin', $returnTo);
    }
}
if (is_array($state)) { $config = sspmod_authTiqr_Auth_Tiqr::getAuthSourceConfig($authState); if (isset($config["enroll.authsource"])) { $mayCreate = false; if ($session->isValid($config["enroll.authsource"])) { $attributes = $session->getAuthData($config["enroll.authsource"], 'Attributes'); // Check if userid exists $uidAttribute = $config["enroll.uidAttribute"]; $displayNameAttribute = $config["enroll.cnAttribute"]; if (!isset($attributes[$uidAttribute])) { throw new Exception('User ID is missing'); } $state["tiqrUser"]["userId"] = $attributes[$uidAttribute][0]; $state["tiqrUser"]["displayName"] = $attributes[$displayNameAttribute][0]; } else { SimpleSAML_Auth_Default::initLogin($config["enroll.authsource"], SimpleSAML_Utilities::selfURL(), NULL, $_REQUEST); } } } } $template = 'newuser.php'; $store = sspmod_authTiqr_Auth_Tiqr::getUserStorage(); if (is_array($_POST) && count($_POST) && isset($_POST["create"])) { // Page was posted, so new user form has been filled. if ($state == NULL) { // throw new SimpleSAML_Error_NoState(); } $displayName = isset($_POST['displayName']) ? $_POST['displayName'] : NULL; $userId = isset($_POST['userId']) ? $_POST['userId'] : NULL; if (empty($userId) || empty($displayName)) { $errorcode = "userdatarequired";
$state = SimpleSAML_Auth_State::loadExceptionState(); assert('array_key_exists(SimpleSAML_Auth_State::EXCEPTION_DATA, $state)'); $e = $state[SimpleSAML_Auth_State::EXCEPTION_DATA]; header('Content-Type: text/plain'); echo "Exception during login:\n"; foreach ($e->format() as $line) { echo $line . "\n"; } exit(0); } if (!array_key_exists('as', $_REQUEST)) { $t = new SimpleSAML_XHTML_Template($config, 'core:authsource_list.tpl.php'); $t->data['sources'] = SimpleSAML_Auth_Source::getSources(); $t->show(); exit; } $as = $_REQUEST['as']; if (!$session->isValid($as)) { $url = SimpleSAML_Utilities::selfURL(); $hints = array(SimpleSAML_Auth_State::RESTART => $url); SimpleSAML_Auth_Default::initLogin($as, $url, $url, $hints); } $attributes = $session->getAttributes(); $t = new SimpleSAML_XHTML_Template($config, 'status.php', 'attributes'); $t->data['header'] = '{status:header_saml20_sp}'; $t->data['remaining'] = $session->remainingTime(); $t->data['sessionsize'] = $session->getSize(); $t->data['attributes'] = $attributes; $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout'; $t->data['icon'] = 'bino.png'; $t->show();