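/**
 * SAML 2.0 SSO endpoint: hand the incoming AuthnRequest to the hosted IdP.
 *
 * Resolves the hosted IdP from the 'saml20-idp-hosted' metadata entry and
 * delegates to sspmod_saml_IdP_SAML2::receiveAuthnRequest(). The trailing
 * assertion documents that receiveAuthnRequest() is not expected to return
 * (it sends its own response).
 *
 * @return void
 */
public function actionSso()
{
    $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    $idp = \SimpleSAML_IdP::getById('saml2:' . $idpEntityId);

    \sspmod_saml_IdP_SAML2::receiveAuthnRequest($idp);

    // Not reached. assert(false) replaces assert('FALSE'): string assertions
    // are deprecated since PHP 7.2 and no longer evaluated in PHP 8, where a
    // non-empty string is simply truthy and the check would silently pass.
    assert(false);
}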
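/**
 * SSO login endpoint (JSON API).
 *
 * Expects a POST carrying 'username', 'password' and 'spentityid'. The user is
 * authenticated through \models\Users; on success the pending SAML AuthnRequest
 * is handed to the hosted IdP, every other outcome is answered as JSON:
 *   {'message': ...}                              missing parameter / non-POST request
 *   {'message': ..., 'authstatus': <status>}      account locked / password expired
 *   {'message': ..., 'invalidAttempt': <bool>}    wrong credentials
 *
 * Each error response is followed by an explicit return. renderJson() is not
 * shown here and the original code only terminated explicitly in one branch,
 * so without the returns a locked or expired account fell through to the
 * invalid-attempt handling below and was charged a further failed attempt.
 *
 * @return void
 */
public function actionSso()
{
    // Drop any previous SSO session before a new login attempt.
    \utilities\Registry::clearRegistry();

    if (!$this->_request->isPost()) {
        $this->_response->renderJson(array('message' => 'Only post request are accepted'));
        return;
    }

    $username = $this->_request->getParam('username', null);
    $password = $this->_request->getParam('password', null);
    $referrer = $this->_request->getParam('spentityid', null);

    // Only the first missing parameter is reported (one JSON document per request).
    $missing = null;
    if (self::isBlankParam($username)) {
        $missing = 'Username is not set';
    } elseif (self::isBlankParam($password)) {
        $missing = 'Password is not set';
    } elseif (self::isBlankParam($referrer)) {
        $missing = 'Referrer not set';
    }
    if ($missing !== null) {
        $this->_response->renderJson(array('message' => $missing));
        return;
    }

    $objDbUserauth = new \models\Users();
    $userAuthenticationStatus = $objDbUserauth->authenticate($username, $password);

    // Terminal account states: answer and stop, do not count another attempt.
    if (\models\Users::ERROR_USER_LOCKED === $userAuthenticationStatus) {
        $this->_response->renderJson(array(
            'message'    => 'Your account is locked due to 5 invalid attempts',
            'authstatus' => $userAuthenticationStatus,
        ));
        return;
    }
    if (\models\Users::ERROR_USER_PWD_EXPIRED === $userAuthenticationStatus) {
        $this->_response->renderJson(array(
            'message'    => 'Your password is expired',
            'authstatus' => $userAuthenticationStatus,
        ));
        return;
    }

    if ($userAuthenticationStatus === true) {
        $this->continueSamlSso();
        return; // not reached, see continueSamlSso()
    }

    $this->respondInvalidCredentials($username);
}

/**
 * True when a request parameter is absent or blank.
 *
 * A bare truthiness test would also reject the string "0", which is a
 * legitimate username or password value.
 *
 * @param mixed $value
 * @return bool
 */
private static function isBlankParam($value)
{
    return $value === null || $value === '' || $value === array();
}

/**
 * Hand the pending SAML AuthnRequest to the hosted IdP after a successful login.
 *
 * sspmod_saml_IdP_SAML2::receiveAuthnRequest() sends the response itself and is
 * not expected to return; the assertion documents that.
 *
 * @return void
 */
private function continueSamlSso()
{
    $metadata = \SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
    $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
    $idp = \SimpleSAML_IdP::getById('saml2:' . $idpEntityId);

    \sspmod_saml_IdP_SAML2::receiveAuthnRequest($idp);

    // assert(false) replaces assert('FALSE'): string assertions are deprecated
    // since PHP 7.2 and no longer evaluated in PHP 8 (a non-empty string passes).
    assert(false);
}

/**
 * Record a failed login and answer with the matching JSON message.
 *
 * handleInvalidLoginAttempts() is not shown here; the original code treats a
 * false return as "username unknown" and any other value as the number of
 * attempts left, 0 meaning this attempt locked the account.
 *
 * NOTE(review): the three distinct messages let a client distinguish an unknown
 * username from a wrong password (account enumeration). They are kept because
 * the front end consumes them; a uniform message would close that gap.
 *
 * The request is terminated with exit as in the original code.
 *
 * @param string $username
 * @return void
 */
private function respondInvalidCredentials($username)
{
    $objInvalidAttempts = new \models\UserLoginAttempts();
    $loginAttemptsLeft = $objInvalidAttempts->handleInvalidLoginAttempts($username);

    if ($loginAttemptsLeft === false) {
        // No attempt counter to report.
        $this->_response->renderJson(array(
            'message'        => 'Invalid credentials',
            'invalidAttempt' => false,
        ));
        exit;
    }

    if ($loginAttemptsLeft === 0) {
        // This attempt used up the last one: report the lock, nothing else.
        $this->_response->renderJson(array(
            'message'    => 'Your account is locked due to 5 invalid attempts',
            'authstatus' => \models\Users::ERROR_USER_LOCKED,
        ));
        exit;
    }

    $this->_response->renderJson(array(
        'message'        => "Incorrect Password.You have {$loginAttemptsLeft} attempts left",
        'invalidAttempt' => true,
    ));
    exit;
}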
<?php /** * This SAML 2.0 endpoint can receive incoming LogoutRequests. It will also send LogoutResponses, * and LogoutRequests and also receive LogoutResponses. It is implemeting SLO at the SAML 2.0 IdP. * * @author Andreas Åkre Solberg, UNINETT AS. <*****@*****.**> * @package SimpleSAMLphp */ require_once '../../_include.php'; SimpleSAML\Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService'); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $idpEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); $idp = SimpleSAML_IdP::getById('saml2:' . $idpEntityId); if (isset($_REQUEST['ReturnTo'])) { $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed((string) $_REQUEST['ReturnTo'])); } else { try { sspmod_saml_IdP_SAML2::receiveLogoutMessage($idp); } catch (Exception $e) { // TODO: look for a specific exception /* * This is dirty. Instead of checking the message of the exception, \SAML2\Binding::getCurrentBinding() should * throw an specific exception when the binding is unknown, and we should capture that here */ if ($e->getMessage() === 'Unable to find the current binding.') { throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS', $e, 400); } else { throw $e; // do not ignore other exceptions! }
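<?php
/**
 * ADFS PRP IDP protocol support for simpleSAMLphp.
 *
 * Endpoint dispatch on the query string:
 *   wa=wsignin1.0    WS-Federation sign-in request   -> receiveAuthnRequest()
 *   wa=wsignout1.0   WS-Federation sign-out request  -> receiveLogoutMessage()
 *   assocId=...      logout response from an ADFS SP -> handleLogoutResponse()
 *
 * @author Hans Zandbelt, SURFnet bv, <*****@*****.**>
 * @package simpleSAMLphp
 */

SimpleSAML_Logger::info('ADFS - IdP.prp: Accessing ADFS IdP endpoint prp');

$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpEntityId = $metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
$idp = SimpleSAML_IdP::getById('adfs:' . $idpEntityId);

if (isset($_GET['wa'])) {
    if ($_GET['wa'] === 'wsignout1.0') {
        sspmod_adfs_IdP_ADFS::receiveLogoutMessage($idp);
    } elseif ($_GET['wa'] === 'wsignin1.0') {
        sspmod_adfs_IdP_ADFS::receiveAuthnRequest($idp);
    } else {
        // Previously an unknown 'wa' value silently reached the assertion below;
        // reject it as a client error like the other endpoints do.
        throw new SimpleSAML_Error_BadRequest('Unknown value for the "wa" parameter.');
    }

    // Not reached: both handlers send their own response. assert(false) replaces
    // assert('FALSE'), which is deprecated since PHP 7.2 and no longer evaluated
    // in PHP 8 (a non-empty string is simply truthy).
    assert(false);
} elseif (isset($_GET['assocId'])) {
    // Logout response from an ADFS SP.
    // Association ID of the SP that sent the logout response; handleLogoutResponse()
    // is expected to validate it against the IdP's associations (not checked here).
    $assocId = $_GET['assocId'];
    // Data that was sent in the logout request to the SP. The SP may omit it, so
    // read it without raising an undefined-index notice.
    $relayState = isset($_GET['relayState']) ? $_GET['relayState'] : null;
    // null on success, or an instance of SimpleSAML_Error_Exception on failure.
    $logoutError = null;

    $idp->handleLogoutResponse($assocId, $relayState, $logoutError);
}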
/**
 * Get a list of associated SAML 2 SPs.
 *
 * Backwards-compatibility wrapper around SimpleSAML_IdP::getAssociations():
 * resolves the hosted SAML 2 IdP and collects the 'saml:entityID' of every
 * association that carries one. If the IdP cannot be resolved the list is
 * empty rather than an error.
 *
 * @return array Array of SAML 2 entityIDs.
 * @deprecated Will be removed in the future.
 */
public function get_sp_list() {
    $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();

    try {
        $hostedEntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
        $idp = SimpleSAML_IdP::getById('saml2:' . $hostedEntityId);
    } catch (Exception $e) {
        // Most likely no SAML 2 IdP is configured; report "no SPs" instead of failing.
        return array();
    }

    $entityIds = array();
    foreach ($idp->getAssociations() as $association) {
        if (!isset($association['saml:entityID'])) {
            continue;
        }
        $entityIds[] = $association['saml:entityID'];
    }

    return $entityIds;
}
* @author Jaime Pérez Crespo, UNINETT AS <*****@*****.**> * * @package SimpleSAMLphp */ // retrieve the authentication state if (!array_key_exists('AuthState', $_REQUEST)) { throw new SimpleSAML_Error_BadRequest('Missing mandatory parameter: AuthState'); } try { // try to get the state $state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], 'saml:proxy:invalid_idp'); } catch (Exception $e) { // the user probably hit the back button after starting the logout, try to recover the state with another stage $state = SimpleSAML_Auth_State::loadState($_REQUEST['AuthState'], 'core:Logout:afterbridge'); // success! Try to continue with reauthentication, since we no longer have a valid session here $idp = SimpleSAML_IdP::getById($state['core:IdP']); sspmod_saml_Auth_Source_SP::reauthPostLogout($idp, $state); } if (isset($_POST['cancel'])) { // the user does not want to logout, cancel login SimpleSAML_Auth_State::throwException($state, new \SimpleSAML\Module\saml\Error\NoAvailableIDP(\SAML2\Constants::STATUS_RESPONDER, 'User refused to reauthenticate with any of the IdPs requested.')); } if (isset($_POST['continue'])) { // log the user out before being able to login again $as = SimpleSAML_Auth_Source::getById($state['saml:sp:AuthId'], 'sspmod_saml_Auth_Source_SP'); /** @var sspmod_saml_Auth_Source_SP $as */ $as->reauthLogout($state); } $cfg = SimpleSAML_Configuration::getInstance(); $template = new SimpleSAML_XHTML_Template($cfg, 'saml:proxy/invalid_session.php'); $translator = $template->getTranslator();
<?php
/*
 * Build a SAML 2.0 LogoutRequest for one of the hosted IdP's associated SPs.
 *
 * Request parameters:
 *   idp          id of the hosted IdP, resolved through SimpleSAML_IdP::getById()
 *   association  id of the SP association to log out (must exist on the IdP)
 *   RelayState   optional, carried through to the SP
 *
 * The variables set here ($idp, $assocId, $relayState, $association,
 * $spMetadata, $idpMetadata, $lr, ...) are used by the rest of the script.
 */

if (!isset($_REQUEST['idp'])) {
    throw new SimpleSAML_Error_BadRequest('Missing "idp" parameter.');
}
$idp = SimpleSAML_IdP::getById((string) $_REQUEST['idp']);

if (!isset($_REQUEST['association'])) {
    throw new SimpleSAML_Error_BadRequest('Missing "association" parameter.');
}
$assocId = urldecode($_REQUEST['association']);

$relayState = isset($_REQUEST['RelayState']) ? (string) $_REQUEST['RelayState'] : null;

// Only an association the IdP actually holds may be logged out.
$associations = $idp->getAssociations();
if (!isset($associations[$assocId])) {
    throw new SimpleSAML_Error_BadRequest('Invalid association id.');
}
$association = $associations[$assocId];

$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpMetadata = $idp->getConfig();
$spMetadata = $metadata->getMetaDataConfig($association['saml:entityID'], 'saml20-sp-remote');

$lr = sspmod_saml_Message::buildLogoutRequest($idpMetadata, $spMetadata);
$lr->setSessionIndex($association['saml:SessionIndex']);
$lr->setNameId($association['saml:NameID']);

// The SP's own assertion.lifetime wins; otherwise the IdP's, defaulting to 300 seconds.
$assertionLifetime = $spMetadata->getInteger('assertion.lifetime', null);
if ($assertionLifetime === null) {
    $assertionLifetime = $idpMetadata->getInteger('assertion.lifetime', 300);
}
$lr->setNotOnOrAfter(time() + $assertionLifetime);