# [12.3.0](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/simplesamlphp-module-authswitcher/compare/v12.2.0...v12.3.0) (2025-06-26)
### Features
* allow filter out acrs by prefix ([0630564](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/simplesamlphp-module-authswitcher/commit/06305649fdcdf38fdba81bda1ed7d32e2dfc6997))
# [12.2.0](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/simplesamlphp-module-authswitcher/compare/v12.1.2...v12.2.0) (2025-05-06)
......
......@@ -85,6 +85,7 @@ Add an instance of the auth proc filter with example configuration `authswitcher
[2] => 'example_entity_id2',
],
'setup_mfa_redirect_url' => 'mfa.id.muni.cz',
'prefixes_for_acrs_filtering' => ['prefix1', 'prefix2']
//'password_contexts' => array_merge(AuthSwitcher::PASSWORD_CONTEXTS, [
// 'my-custom-authn-context-for-password',
// '/^my-regex-.*/',
......@@ -140,6 +141,8 @@ You can override which AuthnContextClassRefs are treated as password authenticat
Use `setup_mfa_redirect_url` for redirecting user without MFA tokens to page, where he can register it. User is redirected when MFA is enforced and service is not excluded from this behaviour by `mfa_excluded_sps` configuration option.
It's possible to filter out some ACRS by using `prefixes_for_acrs_filtering`. ACRS starting with some of configured prefix will be filtered out and will not be forwarded to IdP.
## MFA tokens
This module expects that there will be a user attribute (`$attributes` aka `$state['Attributes']`) with
......
......@@ -114,14 +114,16 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
$this->change_weak_password_urls = $config->getArray('change_weak_password_urls', []);
list($this->password_contexts, $this->mfa_contexts, $password_contexts_patterns, $mfa_contexts_patterns)
[$this->password_contexts, $this->mfa_contexts, $password_contexts_patterns,
$mfa_contexts_patterns, $prefixes_for_acrs_filtering]
= ContextSettings::parseConfig($config);
$this->authnContextHelper = new AuthnContextHelper(
$this->password_contexts,
$this->mfa_contexts,
$password_contexts_patterns,
$mfa_contexts_patterns
$mfa_contexts_patterns,
$prefixes_for_acrs_filtering
);
}
......
......@@ -24,11 +24,16 @@ class AuthnContextHelper
public const CHANGE_WEAK_PASSWORD_URL_ENABLED = 'change_weak_password_url_enabled';
public const SAML_REQUESTED_AUTHN_CONTEXT = "saml:RequestedAuthnContext";
public const STATE_AUTHN_CONTEXT_CLASS_REF = "AuthnContextClassRef";
public function __construct(
$password_contexts,
$mfa_contexts,
$password_contexts_patterns = [],
$mfa_contexts_patterns = []
$mfa_contexts_patterns = [],
$prefixes_for_acrs_filtering = []
) {
$this->password_contexts = $password_contexts;
$this->password_contexts_patterns = $password_contexts_patterns;
......@@ -36,6 +41,7 @@ class AuthnContextHelper
$this->mfa_contexts_patterns = $mfa_contexts_patterns;
$this->supported_contexts = array_merge($this->mfa_contexts, $this->password_contexts);
$this->default_requested_contexts = array_merge($this->password_contexts, $this->mfa_contexts);
$this->$prefixes_for_acrs_filtering = $prefixes_for_acrs_filtering;
}
public function MFAin($contexts)
......@@ -60,7 +66,32 @@ class AuthnContextHelper
&$mustPerformMfa,
$change_weak_password_urls
) {
$requestedContexts = $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? null;
$originalAuthnContextClassRef =
$state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF] ?? [];
$filteredAcrs = [];
if (!empty($this->filter_acrs_prefixes)) {
Logger::debug('authswitcher: ' . json_encode($this->filter_acrs_prefixes) .
' prefixes will be filtered from AuthnContextClassRef');
foreach ($originalAuthnContextClassRef as $acr) {
$acr = trim($acr);
$retain = true;
foreach ($this->filter_acrs_prefixes as $prefix) {
if (substr($acr, 0, strlen($prefix)) === $prefix) {
$retain = false;
break;
}
}
if ($retain) {
array_push($filteredAcrs, $acr);
}
}
$state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF] = $filteredAcrs;
Logger::debug('authswitcher: AuthnContextClassRef was filtered to ' . json_encode($filteredAcrs));
}
$requestedContexts = $state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::STATE_AUTHN_CONTEXT_CLASS_REF] ?? null;
if (empty($requestedContexts)) {
Logger::info(
'authswitcher: no AuthnContext requested, using default: ' . json_encode(
......@@ -69,6 +100,7 @@ class AuthnContextHelper
);
$requestedContexts = $this->default_requested_contexts;
}
$supportedRequestedContexts = array_values(array_intersect($requestedContexts, $this->supported_contexts));
if (!$sfaEntropy && in_array(AuthSwitcher::REFEDS_SFA, $supportedRequestedContexts)) {
Logger::info(
......@@ -105,7 +137,7 @@ class AuthnContextHelper
$requestResult = $this->testComparison(
$usersCapabilities,
$supportedRequestedContexts,
$state['saml:RequestedAuthnContext']['Comparison'] ?? Constants::COMPARISON_EXACT,
$state[self::SAML_REQUESTED_AUTHN_CONTEXT]['Comparison'] ?? Constants::COMPARISON_EXACT,
$upstreamContext
);
if ($requestResult === null) {
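Review bot: The constructor line `$this->$prefixes_for_acrs_filtering = $prefixes_for_acrs_filtering;` is a variable-variable (the array value is coerced to a property name instead of being stored), and nothing in the visible hunks ever assigns `$this->filter_acrs_prefixes`, which is what the new filtering branch reads, so `empty($this->filter_acrs_prefixes)` stays true and no AuthnContextClassRef is ever removed before the request goes upstream. Change it to `$this->filter_acrs_prefixes = $prefixes_for_acrs_filtering;` and, unless it is already declared above the hunk, add `private $filter_acrs_prefixes = [];` next to the other properties. The prefix test `substr($acr, 0, strlen($prefix)) === $prefix` matches every ACR when a configured prefix is the empty string (`str_starts_with` has the same edge), so rejecting empty prefixes in the constructor would make a misconfiguration loud rather than silently dropping all requested contexts. The method that contains the filtering loop starts before this hunk.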
......
......@@ -11,6 +11,7 @@ class ContextSettings
$contexts_regex = $config->getBoolean('contexts_regex', false);
$password_contexts = $config->getArray('password_contexts', AuthSwitcher::PASSWORD_CONTEXTS);
$mfa_contexts = $config->getArray('mfa_contexts', AuthSwitcher::MFA_CONTEXTS);
$prefixes_for_acrs_filtering = $config->getArray('remove_authn_context_class_ref_prefixes', []);
if ($contexts_regex) {
$password_contexts_patterns = array_filter($password_contexts, self::isRegex);
$password_contexts = array_diff($password_contexts, $password_contexts_patterns);
......@@ -21,7 +22,8 @@ class ContextSettings
$mfa_contexts_patterns = [];
}
return [$password_contexts, $mfa_contexts, $password_contexts_patterns, $mfa_contexts_patterns];
return [$password_contexts, $mfa_contexts, $password_contexts_patterns,
$mfa_contexts_patterns, $prefixes_for_acrs_filtering];
}
private static function isRegex($str)
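Review bot: The option is read as `$config->getArray('remove_authn_context_class_ref_prefixes', [])`, but the README in this same change documents the key as `prefixes_for_acrs_filtering`, so a deployment that follows the docs gets the default empty list and the filter silently does nothing. Pick one name and use it in both places, e.g. `$prefixes_for_acrs_filtering = $config->getArray('prefixes_for_acrs_filtering', []);`. It is also worth stating in the README that the comparison is a plain string prefix and is not affected by `contexts_regex`, which only applies to the password/MFA context lists above it. parseConfig's signature starts before this hunk.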
......
......@@ -28,13 +28,18 @@ class DiscoUtils
public static function setUpstreamRequestedAuthnContext(array &$state)
{
$config = Configuration::getOptionalConfig('module_authswitcher.php');
list($password_contexts, $mfa_contexts, $password_contexts_patterns, $mfa_contexts_patterns)
[$password_contexts,
$mfa_contexts,
$password_contexts_patterns,
$mfa_contexts_patterns,
$prefixes_for_acrs_filtering]
= ContextSettings::parseConfig($config);
$authnContextHelper = new AuthnContextHelper(
$password_contexts,
$mfa_contexts,
$password_contexts_patterns,
$mfa_contexts_patterns
$mfa_contexts_patterns,
$prefixes_for_acrs_filtering
);
$spRequestedContexts = $state['saml:RequestedAuthnContext']['AuthnContextClassRef'] ?? [];
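Review bot: The last line of the hunk still spells the state keys as the literals `'saml:RequestedAuthnContext'` and `'AuthnContextClassRef'` while AuthnContextHelper now exposes them as public constants; reading `$state[AuthnContextHelper::SAML_REQUESTED_AUTHN_CONTEXT][AuthnContextHelper::STATE_AUTHN_CONTEXT_CLASS_REF] ?? []` keeps the two files from drifting. The remainder of setUpstreamRequestedAuthnContext runs past the end of the hunk.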
......