/**
 * Handle an unsolicited (IdP-initiated) login.
 *
 * Marks the session belonging to the current request as authenticated with
 * the given authentication source, keeping only the persistent parts of the
 * supplied state, and then sends the browser on to $redirectTo.
 *
 * The redirect is performed through redirectUntrustedURL(), which validates
 * the target against the 'trusted.url.domains' configuration directive, so
 * callers do not need to vet $redirectTo themselves.
 *
 * @param string $authId     Id of the authentication source that received the request.
 * @param array  $state      State array produced by that authentication source.
 * @param string $redirectTo URL the user should be sent to once the session is updated.
 */
public static function handleUnsolicitedAuth($authId, array $state, $redirectTo) {
    assert('is_string($authId)');
    assert('is_string($redirectTo)');

    $currentSession = SimpleSAML_Session::getSessionFromRequest();

    // Only the persistent subset of the state is attached to the session.
    $persistentState = self::extractPersistentAuthState($state);
    $currentSession->doLogin($authId, $persistentState);

    // Untrusted target: the helper checks it against trusted.url.domains before redirecting.
    SimpleSAML_Utilities::redirectUntrustedURL($redirectTo);
}
$userid = null; if (!array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) { throw new Exception('Apache header variable SSL_CLIENT_VERIFY was not available. Recheck your apache configuration.'); } if (strcmp($_SERVER['SSL_CLIENT_VERIFY'], "SUCCESS") != 0) { throw new SimpleSAML_Error_Error('NOTVALIDCERT', $e); } $userid = $_SERVER['SSL_CLIENT_S_DN']; $attributes['CertificateDN'] = array($userid); $attributes['CertificateDNCN'] = array($_SERVER['SSL_CLIENT_S_DN_CN']); $session->doLogin('tlsclient'); $session->setAttributes($attributes); #echo '<pre>'; #print_r($_SERVER); #echo '</pre>'; exit; SimpleSAML_Logger::info('AUTH - tlsclient: ' . $userid . ' successfully authenticated'); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-tlsclient OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-tlsclient OK'); } SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['RelayState']); } catch (Exception $e) { throw new SimpleSAML_Error_Error('CONFIG', $e); }
$notBefore = $condition->getAttribute('NotBefore'); $notOnOrAfter = $condition->getAttribute('NotOnOrAfter'); if (!SimpleSAML_Utilities::checkDateConditions($notBefore, $notOnOrAfter)) { throw new Exception('The response has expired.'); } } /* Extract the name identifier from the response. */ $nameid = $xpath->query('./saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', $assertion); if ($nameid->length === 0) { throw new Exception('Could not find the name identifier in the response from the WS-Fed IdP \'' . $idpEntityId . '\'.'); } $nameid = array('Format' => $nameid->item(0)->getAttribute('Format'), 'Value' => $nameid->item(0)->textContent); /* Extract the attributes from the response. */ $attributes = array(); $attributeValues = $xpath->query('./saml:AttributeStatement/saml:Attribute/saml:AttributeValue', $assertion); foreach ($attributeValues as $attribute) { $name = $attribute->parentNode->getAttribute('AttributeName'); $value = $attribute->textContent; if (!array_key_exists($name, $attributes)) { $attributes[$name] = array(); } $attributes[$name][] = $value; } /* Mark the user as logged in. */ $authData = array('Attributes' => $attributes, 'saml:sp:NameID' => $nameid, 'saml:sp:IdP' => $idpEntityId); $session->doLogin('wsfed', $authData); /* Redirect the user back to the page which requested the login. */ SimpleSAML_Utilities::redirectUntrustedURL($wctx); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception); }
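/**
 * Apply the SimpleTOTP two-factor filter.
 *
 * Reads the user's TOTP secret from the attribute named by $this->secret_attr.
 * If no secret is available and 2FA is enforced for this SP, the user is sent
 * to the "not configured" page (a custom URL if one is set, otherwise the
 * module's own page). If no secret is available and 2FA is optional, the
 * filter returns and authentication continues without a second factor.
 * Otherwise the secret is copied to $state['2fa_secret'], the state is saved
 * and the user is redirected to the TOTP challenge page.
 *
 * @param array &$state The current authentication state; must contain 'Attributes'.
 */
public function process(&$state) {
    assert('is_array($state)');
    assert('array_key_exists("Attributes", $state)');

    $attributes =& $state['Attributes'];

    // Use the secret from the user store when the configured attribute is present and non-empty.
    if (array_key_exists($this->secret_attr, $attributes) && !empty($attributes[$this->secret_attr])) {
        $this->secret_val = $attributes[$this->secret_attr][0];
    }

    if ($this->secret_val === NULL && $this->enforce_2fa === true) {
        // 2FA is mandatory for this SP but the user has no secret configured.
        SimpleSAML_Logger::debug('User with ID xxx does not have 2f configured when it is mandatory for xxxSP');

        // Send the user to a custom error page if configured, else to the module's own page.
        if ($this->not_configured_url !== NULL) {
            SimpleSAML_Utilities::redirectUntrustedURL($this->not_configured_url);
        } else {
            SimpleSAML_Utilities::redirectTrustedURL(SimpleSAML_Module::getModuleURL('simpletotp/not_configured.php'));
        }
        // The redirect helpers are expected to terminate the request. Return explicitly anyway so
        // that, should one of them ever come back, we never fall through to the 2FA hand-off below
        // and save a state carrying a NULL secret.
        return;
    } elseif ($this->secret_val === NULL && $this->enforce_2fa === false) {
        SimpleSAML_Logger::debug('User with ID xxx does not have 2f configured but SP does not require it. Continue.');
        return;
    }

    // The attribute name is configurable, so authenticate.php reads the secret from a fixed key.
    // NOTE(review): this places the raw TOTP secret in the saved auth state; the state store must
    // be treated as sensitive.
    $state['2fa_secret'] = $this->secret_val;

    // A secret exists for this session: persist the state and hand off to the TOTP challenge page.
    $id = SimpleSAML_Auth_State::saveState($state, 'simpletotp:request');
    $url = SimpleSAML_Module::getModuleURL('simpletotp/authenticate.php');
    SimpleSAML_Utilities::redirectTrustedURL($url, array('StateId' => $id));
    return;
}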
$attributes = $ldap->getAttributes($dn, $ldapconfig->getValue('auth.ldap.attributes', null)); SimpleSAML_Logger::info('AUTH - ldap: ' . $ldapusername . ' successfully authenticated'); $session->doLogin('login'); $session->setAttributes($attributes); $session->setNameID(array('value' => SimpleSAML_Utilities::generateID(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')); /** * Create a statistics log entry for every successfull login attempt. * Also log a specific attribute as set in the config: statistics.authlogattr */ $authlogattr = $config->getValue('statistics.authlogattr', null); if ($authlogattr && array_key_exists($authlogattr, $attributes)) { SimpleSAML_Logger::stats('AUTH-login OK ' . $attributes[$authlogattr][0]); } else { SimpleSAML_Logger::stats('AUTH-login OK'); } $returnto = $_REQUEST['RelayState']; SimpleSAML_Utilities::redirectUntrustedURL($returnto); } catch (Exception $e) { SimpleSAML_Logger::error('AUTH - ldap: User: '******'na') . ':' . $e->getMessage()); SimpleSAML_Logger::stats('AUTH-login Failed'); $error = $e->getMessage(); } } $t = new SimpleSAML_XHTML_Template($config, 'login.php', 'login'); $t->data['header'] = 'simpleSAMLphp: Enter username and password'; $t->data['relaystate'] = $relaystate; $t->data['error'] = $error; if (isset($error)) { $t->data['username'] = $username; } $t->show();
*/ if (array_key_exists('idpdisco.url', $spmetadata)) { $discservice = $spmetadata['idpdisco.url']; } elseif ($config->getString('idpdisco.url.shib13', NULL) !== NULL) { $discservice = $config->getString('idpdisco.url.shib13'); } else { $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php'; } SimpleSAML_Utilities::redirectTrustedURL($discservice, array('entityID' => $spentityid, 'return' => SimpleSAML_Utilities::selfURL(), 'returnIDParam' => 'idpentityid')); } try { $ar = new SimpleSAML_XML_Shib13_AuthnRequest(); $ar->setIssuer($spentityid); if (isset($_GET['RelayState'])) { $ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState'])); } SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')'); $url = $ar->createRedirect($idpentityid); SimpleSAML_Utilities::redirectTrustedURL($url); } catch (Exception $exception) { throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception); } } else { $relaystate = $_GET['RelayState']; if (isset($relaystate) && !empty($relaystate)) { SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState'); SimpleSAML_Utilities::redirectUntrustedURL($relaystate); } else { throw new SimpleSAML_Error_Error('NORELAYSTATE'); } }
$t->data['urlAgree'] = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURL(), array("consent" => "yes")); $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout'; $t->show(); exit; // and be done. } $attributes = $session->getAttributes(); // Assume user consent at this point and proceed with authorizing the token list($url, $verifier) = $store->authorize($requestToken, $attributes); if ($url) { // If authorize() returns a URL, take user there (oauth1.0a) SimpleSAML_Utilities::redirectTrustedURL($url); } else { if (isset($_REQUEST['oauth_callback'])) { // If callback was provided in the request (oauth1.0) SimpleSAML_Utilities::redirectUntrustedURL($_REQUEST['oauth_callback']); } else { // No callback provided, display standard template $t = new SimpleSAML_XHTML_Template($config, 'oauth:authorized.php'); $t->data['header'] = '{status:header_saml20_sp}'; $t->data['remaining'] = $session->remainingTime(); $t->data['sessionsize'] = $session->getSize(); $t->data['attributes'] = $attributes; $t->data['logouturl'] = SimpleSAML_Utilities::selfURLNoQuery() . '?logout'; $t->data['oauth_verifier'] = $verifier; $t->show(); } } } catch (Exception $e) { header('Content-type: text/plain; utf-8', TRUE, 500); header('OAuth-Error: ' . $e->getMessage());
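<?php
/*
 * Helper page for starting an admin login. Can be used as a target for links.
 *
 * Requires a ReturnTo parameter, forces an admin login, and then sends the
 * browser back to ReturnTo. The final redirect goes through
 * redirectUntrustedURL(), which validates the target against the
 * 'trusted.url.domains' configuration directive, so an attacker-supplied
 * ReturnTo cannot turn this page into an open redirect.
 */

// Validate the parameter before anything else: it must be present and be a
// single string. A request such as ReturnTo[]=... would otherwise hand an
// array to the redirect helper instead of a URL.
if (!array_key_exists('ReturnTo', $_REQUEST) || !is_string($_REQUEST['ReturnTo'])) {
    throw new SimpleSAML_Error_BadRequest('Missing or invalid ReturnTo parameter.');
}
$returnTo = $_REQUEST['ReturnTo'];

// Ensure the caller holds an administrator session before proceeding
// (requireAdmin() is expected to start the admin login flow otherwise — see its implementation).
SimpleSAML_Utilities::requireAdmin();

// Redirect only after the URL has been checked against trusted.url.domains.
SimpleSAML_Utilities::redirectUntrustedURL($returnTo);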