| public static redirect ( $url, $parameters = [], $allowed_redirect_hosts = null ) |
/**
* Start the logout operation.
*
* @param array &$state The logout state.
* @param string|NULL $assocId The SP we are logging out from.
*/
public function startLogout(array &$state, $assocId)
{
assert('is_string($assocId) || is_null($assocId)');
$associations = $this->idp->getAssociations();
if (count($associations) === 0) {
$this->idp->finishLogout($state);
}
foreach ($associations as $id => &$association) {
$idp = SimpleSAML_IdP::getByState($association);
$association['core:Logout-IFrame:Name'] = $idp->getSPName($id);
$association['core:Logout-IFrame:State'] = 'onhold';
}
$state['core:Logout-IFrame:Associations'] = $associations;
if (!is_null($assocId)) {
$spName = $this->idp->getSPName($assocId);
if ($spName === NULL) {
$spName = array('en' => $assocId);
}
$state['core:Logout-IFrame:From'] = $spName;
} else {
$state['core:Logout-IFrame:From'] = NULL;
}
$id = SimpleSAML_Auth_State::saveState($state, 'core:Logout-IFrame');
$url = SimpleSAML_Module::getModuleURL('core/idp/logout-iframe.php', array('id' => $id));
SimpleSAML_Utilities::redirect($url);
}
/**
* Process a authentication response.
*
* This function checks how long it is since the last time the user was authenticated.
* If it is to short a while since, we will show a warning to the user.
*
* @param array $state The state of the response.
*/
public function process(&$state)
{
assert('is_array($state)');
if (!array_key_exists('PreviousSSOTimestamp', $state)) {
/*
* No timestamp from the previous SSO to this SP. This is the first
* time during this session.
*/
return;
}
$timeDelta = time() - $state['PreviousSSOTimestamp'];
if ($timeDelta >= 10) {
/* At least 10 seconds since last attempt. */
return;
}
if (array_key_exists('Destination', $state) && array_key_exists('entityid', $state['Destination'])) {
$entityId = $state['Destination']['entityid'];
} else {
$entityId = 'UNKNOWN';
}
SimpleSAML_Logger::warning('WarnShortSSOInterval: Only ' . $timeDelta . ' seconds since last SSO for this user from the SP ' . var_export($entityId, TRUE));
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'core:short_sso_interval');
$url = SimpleSAML_Module::getModuleURL('core/short_sso_interval.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
protected function saveChanges()
{
$this->foodle->updateFromPostFixDate($this->user);
# echo '<pre>'; print_r($_REQUEST); print_r($this->foodle); exit;
$this->foodle->acl($this->user, 'write');
$this->foodle->save();
// if (isset($this->user->email)) {
// $this->sendMail();
// }
if (!empty($_REQUEST['send_fixdate_mail'])) {
$responses = $this->foodle->getResponses();
foreach ($responses as $response) {
$user = null;
if (!empty($response->user)) {
$user = $response->user;
}
if (empty($user)) {
$user = new Data_User($this->fdb);
$user->userid = $response->userid;
$user->email = $response->email;
$user->username = $response->username;
}
$this->sendFixDateMail($user, $this->foodle);
}
}
$newurl = FoodleUtils::getUrl() . 'foodle/' . $this->foodle->identifier . '#distribute';
SimpleSAML_Utilities::redirect($newurl);
exit;
}
/**
* Apply filter to validate attributes.
*
* @param array &$request The current request
*/
public function process(&$request)
{
$authorize = FALSE;
assert('is_array($request)');
assert('array_key_exists("Attributes", $request)');
$attributes =& $request['Attributes'];
foreach ($this->valid_attribute_values as $name => $patterns) {
if (array_key_exists($name, $attributes)) {
foreach ($patterns as $pattern) {
$values = $attributes[$name];
if (!is_array($values)) {
$values = array($values);
}
foreach ($values as $value) {
if (preg_match($pattern, $value)) {
$authorize = TRUE;
break 3;
}
}
}
}
}
if (!$authorize) {
/* Save state and redirect to 403 page. */
$id = SimpleSAML_Auth_State::saveState($request, 'authorize:Authorize');
$url = SimpleSAML_Module::getModuleURL('authorize/authorize_403.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
}
/**
* When the process logic determines that the user is not
* authorized for this service, then forward the user to
* an 403 unauthorized page.
*
* Separated this code into its own method so that child
* classes can override it and change the action. Forward
* thinking in case a "chained" ACL is needed, more complex
* permission logic.
*
* @param array $request
*/
protected function unauthorized(&$request)
{
SimpleSAML_Logger::error('ExpectedAuthnContextClassRef: Invalid authentication context: ' . $this->AuthnContextClassRef . '. Accepted values are: ' . var_export($this->accepted, TRUE));
$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
$url = SimpleSAML_Module::getModuleURL('saml/sp/wrong_authncontextclassref.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
function prepare()
{
if (!empty($_REQUEST['useridFrom']) && !empty($_REQUEST['useridTo'])) {
$this->fdb->migrateAccount($_REQUEST['useridFrom'], $_REQUEST['useridTo']);
SimpleSAML_Utilities::redirect('/accountmappingprepare');
}
}
function handleResponse()
{
try {
$binding = SAML2_Binding::getCurrentBinding();
$response = $binding->receive();
} catch (Exception $e) {
return;
}
SimpleSAML_Logger::debug('attributequery - received message.');
if (!$response instanceof SAML2_Response) {
throw new SimpleSAML_Error_Exception('Unexpected message received to attribute query example.');
}
$idpEntityId = $response->getIssuer();
if ($idpEntityId === NULL) {
throw new SimpleSAML_Error_Exception('Missing issuer in response.');
}
$idpMetadata = $GLOBALS['metadata']->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
$spMetadata = $GLOBALS['metadata']->getMetaDataConfig($GLOBALS['spEntityId'], 'saml20-sp-hosted');
$assertion = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
if (count($assertion) > 1) {
throw new SimpleSAML_Error_Exception('More than one assertion in received response.');
}
$assertion = $assertion[0];
$dataId = $response->getRelayState();
if ($dataId === NULL) {
throw new SimpleSAML_Error_Exception('RelayState was lost during request.');
}
$data = $GLOBALS['session']->getData('attributequeryexample:data', $dataId);
$data['attributes'] = $assertion->getAttributes();
$GLOBALS['session']->setData('attributequeryexample:data', $dataId, $data, 3600);
SimpleSAML_Utilities::redirect(SimpleSAML_Utilities::selfURLNoQuery(), array('dataId' => $dataId));
}
function complete()
{
$return = FoodleUtils::getURL();
if (!empty($_REQUEST['return'])) {
$return = $_REQUEST['return'];
}
SimpleSAML_Utilities::redirect($return);
}
public function authenticate(&$state)
{
assert('is_array($state)');
// We are going to need the authId in order to retrieve this authentication source later.
$state[self::AUTHID] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
$url = SimpleSAML_Module::getModuleURL('authtfaga/login.php');
SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
}
/**
* Initialize processing of the redirect test.
*
* @param array &$state The state we should update.
*/
public function process(&$state)
{
assert('is_array($state)');
assert('array_key_exists("Attributes", $state)');
/* To check whether the state is saved correctly. */
$state['Attributes']['RedirectTest1'] = array('OK');
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'exampleauth:redirectfilter-test');
$url = SimpleSAML_Module::getModuleURL('exampleauth/redirecttest.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
/**
* Log-in using LiveID platform
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
SimpleSAML_Logger::debug('authwindowslive auth state id = ' . $stateID);
// Authenticate the user
// Documentation at: http://msdn.microsoft.com/en-us/library/ff749771.aspx
$authorizeURL = 'https://consent.live.com/Connect.aspx' . '?wrap_client_id=' . $this->key . '&wrap_callback=' . urlencode(SimpleSAML_Module::getModuleUrl('authwindowslive') . '/linkback.php') . '&wrap_client_state=' . urlencode($stateID) . '&wrap_scope=WL_Profiles.View,Messenger.SignIn';
SimpleSAML_Utilities::redirect($authorizeURL);
}
public function getAuthorizeRequest($url, $requestToken, $redirect = TRUE, $callback = NULL)
{
$authorizeURL = $url . '?oauth_token=' . $requestToken->key;
if ($callback) {
$authorizeURL .= '&oauth_callback=' . urlencode($callback);
}
if ($redirect) {
SimpleSAML_Utilities::redirect($authorizeURL);
exit;
}
return $authorizeURL;
}
/**
* Process a authentication response.
*
* This function saves the state, and redirects the user to the page where the user
* can authorize the release of the attributes.
*
* @param array $state The state of the response.
*/
public function process(&$state)
{
assert('is_array($state)');
if (isset($state['isPassive']) && $state['isPassive'] === TRUE) {
/* We have a passive request. Skip the warning. */
return;
}
/* Save state and redirect. */
$id = SimpleSAML_Auth_State::saveState($state, 'warning:request');
$url = SimpleSAML_Module::getModuleURL('preprodwarning/showwarning.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
/**
* Initiate authentication.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
$state['aselect::authid'] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, 'aselect:login', true);
try {
$app_url = SimpleSAML_Module::getModuleURL('aselect/credentials.php', array('ssp_state' => $id));
$as_url = $this->request_authentication($app_url);
SimpleSAML_Utilities::redirect($as_url);
} catch (Exception $e) {
// attach the exception to the state
SimpleSAML_Auth_State::throwException($state, $e);
}
}
/**
* Log-in using Facebook platform
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
$facebook = new sspmod_authfacebook_Facebook(array('appId' => $this->api_key, 'secret' => $this->secret), $state);
$facebook->destroySession();
$linkback = SimpleSAML_Module::getModuleURL('authfacebook/linkback.php', array('AuthState' => $stateID));
$url = $facebook->getLoginUrl(array('redirect_uri' => $linkback, 'scope' => $this->req_perms));
SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
SimpleSAML_Utilities::redirect($url);
}
protected function saveChanges()
{
$this->foodle->updateFromPost($this->user);
# echo '<pre>'; print_r($_REQUEST); exit; print_r($this->foodle); exit;
$this->foodle->acl($this->user, 'write');
$this->foodle->save();
if (isset($this->user->email)) {
$this->sendMail();
}
$newurl = FoodleUtils::getUrl() . 'foodle/' . $this->foodle->identifier . '#distribute';
SimpleSAML_Utilities::redirect($newurl);
exit;
}
function addEntry()
{
$foodle = new Data_Foodle($this->fdb);
$foodle->updateFromPost($this->user);
#echo '<pre>'; print_r($foodle); exit;
$foodle->save();
if (isset($this->user->email)) {
$this->sendMail($foodle);
}
$newurl = FoodleUtils::getUrl() . 'foodle/' . $foodle->identifier . '#distribute';
SimpleSAML_Utilities::redirect($newurl);
exit;
}
/**
* Finish login operation.
*
* This helper function finishes a login operation and redirects the user back to the page which
* requested the login.
*
* @param array $authProcState The state of the authentication process.
*/
function finishLogin($authProcState)
{
assert('is_array($authProcState)');
assert('array_key_exists("Attributes", $authProcState)');
assert('array_key_exists("core:saml20-sp:NameID", $authProcState)');
assert('array_key_exists("core:saml20-sp:SessionIndex", $authProcState)');
assert('array_key_exists("core:saml20-sp:TargetURL", $authProcState)');
assert('array_key_exists("Source", $authProcState)');
assert('array_key_exists("entityid", $authProcState["Source"])');
$authData = array('Attributes' => $authProcState['Attributes'], 'saml:sp:NameID' => $authProcState['core:saml20-sp:NameID'], 'saml:sp:SessionIndex' => $authProcState['core:saml20-sp:SessionIndex'], 'saml:sp:IdP' => $authProcState['Source']['entityid']);
global $session;
$session->doLogin('saml2', $authData);
SimpleSAML_Utilities::redirect($authProcState['core:saml20-sp:TargetURL']);
}
/**
* Prompt the user with a list of authentication sources.
*
* This method saves the information about the configured sources,
* and redirects to a page where the user must select one of these
* authentication sources.
*
* This method never return. The authentication process is finished
* in the delegateAuthentication method.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$state[self::AUTHID] = $this->authId;
$state[self::SOURCESID] = $this->sources;
/* Save the $state array, so that we can restore if after a redirect */
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
/* Redirect to the select source page. We include the identifier of the
saved state array as a parameter to the login form */
$url = SimpleSAML_Module::getModuleURL('multiauth/selectsource.php');
$params = array('AuthState' => $id);
SimpleSAML_Utilities::redirect($url, $params);
/* The previous function never returns, so this code is never
executed */
assert('FALSE');
}
/**
* Log-in using LiveID platform
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
SimpleSAML_Logger::debug('$$$$authwindowslive auth state = ' . $state['SimpleSAML_Auth_Default.Return']);
SimpleSAML_Logger::debug('$$$$authwindowslive auth state = ' . $state['SimpleSAML_Auth_Default.id']);
SimpleSAML_Logger::debug('$$$$authwindowslive auth state = ' . $state['SimpleSAML_Auth_Default.ErrorURL']);
SimpleSAML_Logger::debug('$$$$authwindowslive auth state = ' . $state['LogoutCallback']);
$stateID = SimpleSAML_Auth_State::saveState($state, self::STAGE_INIT);
SimpleSAML_Logger::debug('authwindowslive auth state id = ' . $stateID);
// Authenticate the user
// Documentation at: http://msdn.microsoft.com/en-us/library/live/hh243641
// http://msdn.microsoft.com/en-us/library/live/hh243647.aspx
$authorizeURL = 'https://login.live.com/oauth20_authorize.srf' . '?client_id=' . $this->key . '&scope=' . urlencode('wl.signin,wl.basic,wl.emails') . '&response_type=code' . '&redirect_uri=' . urlencode(SimpleSAML_Module::getModuleUrl('authwindowslive') . '/linkback.php?wrap_client_state=' . urlencode($stateID)) . '&wrap_client_state=' . urlencode($stateID);
SimpleSAML_Logger::debug('LIVE state: ' . $state);
SimpleSAML_Utilities::redirect($authorizeURL);
}
/**
* Finish login operation.
*
* This helper function finishes a login operation and redirects the user back to the page which
* requested the login.
*
* @param array $authProcState The state of the authentication process.
*/
function finishLogin($authProcState)
{
assert('is_array($authProcState)');
assert('array_key_exists("Attributes", $authProcState)');
assert('array_key_exists("core:shib13-sp:NameID", $authProcState)');
assert('array_key_exists("core:shib13-sp:SessionIndex", $authProcState)');
assert('array_key_exists("core:shib13-sp:TargetURL", $authProcState)');
assert('array_key_exists("Source", $authProcState)');
assert('array_key_exists("entityid", $authProcState["Source"])');
global $session;
/* Update the session information */
$session->doLogin('shib13');
$session->setAttributes($authProcState['Attributes']);
$session->setNameID($authProcState['core:shib13-sp:NameID']);
$session->setSessionIndex($authProcState['core:shib13-sp:SessionIndex']);
$session->setIdP($authProcState['Source']['entityid']);
SimpleSAML_Utilities::redirect($authProcState['core:shib13-sp:TargetURL']);
}
/**
* Initialize login.
*
* This function saves the information about the login, and redirects to a
* login page.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$config = SimpleSAML_Configuration::getConfig('authsources.php');
$state[sspmod_authTiqr_Auth_Tiqr::CONFIGID] = $config->getArray(self::getAuthId(), array());
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, sspmod_authTiqr_Auth_Tiqr::STAGEID);
$server = sspmod_authTiqr_Auth_Tiqr::getServer(false);
$session = SimpleSAML_Session::getSessionFromRequest();
$sessionId = $session->getSessionId();
$user = $server->getAuthenticatedUser($sessionId);
if (empty($user)) {
$url = SimpleSAML_Module::getModuleURL('authTiqr/login.php');
SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
} else {
$attributes = array('uid' => array($user), 'displayName' => array(sspmod_authTiqr_Auth_Tiqr::getUserStorage()->getDisplayName($user)));
$attributes = array_merge($attributes, sspmod_authTiqr_Auth_Tiqr::getUserStorage()->getAdditionalAttributes($user));
$state['Attributes'] = $attributes;
}
}
/**
* Picks the next SP and issues a logout request.
*
* This function never returns.
*
* @param array &$state The logout state.
*/
private function logoutNextSP(array &$state)
{
$association = array_pop($state['core:LogoutTraditional:Remaining']);
if ($association === NULL) {
$this->idp->finishLogout($state);
}
$relayState = SimpleSAML_Auth_State::saveState($state, 'core:LogoutTraditional', TRUE);
$id = $association['id'];
SimpleSAML_Logger::info('Logging out of ' . var_export($id, TRUE) . '.');
try {
$idp = SimpleSAML_IdP::getByState($association);
$url = call_user_func(array($association['Handler'], 'getLogoutURL'), $idp, $association, $relayState);
SimpleSAML_Utilities::redirect($url);
} catch (Exception $e) {
SimpleSAML_Logger::warning('Unable to initialize logout to ' . var_export($id, TRUE) . '.');
$this->idp->terminateAssociation($id);
$state['core:Failed'] = TRUE;
/* Try the next SP. */
$this->logoutNextSP($state);
assert('FALSE');
}
}
/**
* Throw exception to the state exception handler.
*
* @param array $state The state array.
* @param SimpleSAML_Error_Exception $exception The exception.
*/
public static function throwException($state, SimpleSAML_Error_Exception $exception)
{
assert('is_array($state)');
if (array_key_exists(self::EXCEPTION_HANDLER_URL, $state)) {
/* Save the exception. */
$state[self::EXCEPTION_DATA] = $exception;
$id = self::saveState($state, self::EXCEPTION_STAGE);
/* Redirect to the exception handler. */
SimpleSAML_Utilities::redirect($state[self::EXCEPTION_HANDLER_URL], array(self::EXCEPTION_PARAM => $id));
} elseif (array_key_exists(self::EXCEPTION_HANDLER_FUNC, $state)) {
/* Call the exception handler. */
$func = $state[self::EXCEPTION_HANDLER_FUNC];
assert('is_callable($func)');
call_user_func($func, $exception, $state);
assert(FALSE);
} else {
/*
* No exception handler is defined for the current state.
*/
throw $exception;
}
}
$attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
SimpleSAML_Logger::info('AUTH - ldap-multi: ' . $_POST['username'] . ' successfully authenticated');
$session->doLogin('login-ldapmulti');
$session->setAttributes($attributes);
$session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
/**
* Create a statistics log entry for every successfull login attempt.
* Also log a specific attribute as set in the config: statistics.authlogattr
*/
$authlogattr = $config->getValue('statistics.authlogattr', null);
if ($authlogattr && array_key_exists($authlogattr, $attributes)) {
SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK ' . $attributes[$authlogattr][0]);
} else {
SimpleSAML_Logger::stats('AUTH-login-ldapmulti OK');
}
$returnto = $_REQUEST['RelayState'];
SimpleSAML_Utilities::redirect($returnto);
} catch (Exception $e) {
$error = $e->getMessage();
}
}
$t = new SimpleSAML_XHTML_Template($config, 'login-ldapmulti.php', 'login');
$t->data['header'] = 'simpleSAMLphp: Enter username and password';
$t->data['relaystate'] = $_REQUEST['RelayState'];
$t->data['ldapconfig'] = $ldapmulti;
$t->data['org'] = $_REQUEST['org'];
$t->data['error'] = $error;
if (isset($error)) {
$t->data['username'] = $_POST['username'];
}
$t->show();
/**
* Log in using an external authentication helper.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
$attributes = $this->getUser();
if ($attributes !== NULL) {
/*
* The user is already authenticated.
*
* Add the users attributes to the $state-array, and return control
* to the authentication process.
*/
$state['Attributes'] = $attributes;
return;
}
/*
* The user isn't authenticated. We therefore need to
* send the user to the login page.
*/
/*
* First we add the identifier of this authentication source
* to the state array, so that we know where to resume.
*/
$state['drupalauth:AuthID'] = $this->authId;
/*
* We need to save the $state-array, so that we can resume the
* login process after authentication.
*
* Note the second parameter to the saveState-function. This is a
* unique identifier for where the state was saved, and must be used
* again when we retrieve the state.
*
* The reason for it is to prevent
* attacks where the user takes a $state-array saved in one location
* and restores it in another location, and thus bypasses steps in
* the authentication process.
*/
$stateId = SimpleSAML_Auth_State::saveState($state, 'drupalauth:External');
/*
* Now we generate an URL the user should return to after authentication.
* We assume that whatever authentication page we send the user to has an
* option to return the user to a specific page afterwards.
*/
$returnTo = SimpleSAML_Module::getModuleURL('drupalauth/resume.php', array('State' => $stateId));
/*
* Get the URL of the authentication page.
*
* Here we use the getModuleURL function again, since the authentication page
* is also part of this module, but in a real example, this would likely be
* the absolute URL of the login page for the site.
*/
$authPage = $this->drupal_login_url . '?ReturnTo=' . $returnTo;
/*
* The redirect to the authentication page.
*
* Note the 'ReturnTo' parameter. This must most likely be replaced with
* the real name of the parameter for the login page.
*/
SimpleSAML_Utilities::redirect($authPage, array('ReturnTo' => $returnTo));
/*
* The redirect function never returns, so we never get this far.
*/
assert('FALSE');
}
/* No issuer found in the assertions. */
throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
}
}
$session = SimpleSAML_Session::getInstance();
$prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
/* OK, it looks like this message has the same issuer
* and ID as the SP session we already have active. We
* therefore assume that the user has somehow triggered
* a resend of the message.
* In that case we may as well just redo the previous redirect
* instead of displaying a confusing error message.
*/
SimpleSAML_Logger::info('Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.');
SimpleSAML_Utilities::redirect($prevAuth['redirect']);
}
$stateId = $response->getInResponseTo();
if (!empty($stateId)) {
/* This is a response to a request we sent earlier. */
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
/* Check that the authentication source is correct. */
assert('array_key_exists("saml:sp:AuthId", $state)');
if ($state['saml:sp:AuthId'] !== $sourceId) {
throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
}
/* Check that the issuer is the one we are expecting. */
assert('array_key_exists("ExpectedIssuer", $state)');
if ($state['ExpectedIssuer'] !== $idp) {
throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
}
<?php
/**
* Endpoint for logging in with an authentication source.
*
* @package simpleSAMLphp
* @version $Id$
*/
if (!is_string($_REQUEST['ReturnTo'])) {
throw new SimpleSAML_Error_BadRequest('Missing ReturnTo parameter.');
}
if (!is_string($_REQUEST['AuthId'])) {
throw new SimpleSAML_Error_BadRequest('Missing AuthId parameter.');
}
$as = new SimpleSAML_Auth_Simple($_REQUEST['AuthId']);
$as->requireAuth(array('ReturnTo' => $_REQUEST['ReturnTo']));
SimpleSAML_Utilities::redirect($_REQUEST['ReturnTo']);
/**
* Handle a unsoliced login operations.
*
* This function creates a session from the received information. It
* will then redirect to the given URL.
*
* This is used to handle IdP initiated SSO.
*
* @param string $authId The id of the authentication source that received the request.
* @param array $state A state array.
* @param string $redirectTo The URL we should redirect the user to after
* updating the session.
*/
public static function handleUnsolicedAuth($authId, array $state, $redirectTo)
{
assert('is_string($authId)');
assert('is_string($redirectTo)');
$session = SimpleSAML_Session::getInstance();
$session->doLogin($authId);
if (array_key_exists('Attributes', $state)) {
$session->setAttributes($state['Attributes']);
} else {
$session->setAttributes(array());
}
if (array_key_exists('Expires', $state)) {
$session->setSessionDuration($state['Expires'] - time());
}
if (array_key_exists('LogoutState', $state)) {
$session->setLogoutState($state['LogoutState']);
}
SimpleSAML_Utilities::redirect($redirectTo);
}
/**
* Initialize login.
*
* This function saves the information about the login, and redirects to a
* login page.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state)
{
assert('is_array($state)');
/*
* Save the identifier of this authentication source, so that we can
* retrieve it later. This allows us to call the login()-function on
* the current object.
*/
$state[self::AUTHID] = $this->authId;
/* What username we should force, if any. */
if ($this->forcedUsername !== NULL) {
/*
* This is accessed by the login form, to determine if the user
* is allowed to change the username.
*/
$state['forcedUsername'] = $this->forcedUsername;
}
/* Save the $state-array, so that we can restore it after a redirect. */
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
/*
* Redirect to the login form. We include the identifier of the saved
* state array as a parameter to the login form.
*/
$url = SimpleSAML_Module::getModuleURL('core/loginuserpass.php');
$params = array('AuthState' => $id);
SimpleSAML_Utilities::redirect($url, $params);
/* The previous function never returns, so this code is never executed. */
assert('FALSE');
}
