    <?php
    
    /**
     * Implements the default behaviour for authentication.
     *
     * This class contains an implementation for default behaviour when authenticating. It will
     * save the session information it got from the authentication client in the users session.
     *
     * @author Olav Morken, UNINETT AS.
     * @package simpleSAMLphp
     * @version $Id$
     */
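    class SimpleSAML_Auth_Default {


    	/**
    	 * Start authentication.
    	 *
    	 * This function never returns: it either hands control to the authentication
    	 * source (which normally redirects the user agent and resumes later through the
    	 * 'LoginCompletedHandler' stored in the state), or, if the source completes
    	 * synchronously, finishes the login itself via loginCompleted().
    	 *
    	 * $returnURL and $errorURL are stored in the state verbatim and become redirect
    	 * targets once the login finishes or fails. They are not validated here, so the
    	 * caller is relied upon to only pass URLs it trusts.
    	 * NOTE(review): confirm whether SimpleSAML_Utilities::redirect() restricts the
    	 * target URL; if it does not, validation belongs at the call sites of this method.
    	 *
    	 * Only the 'SPMetadata', 'IdPMetadata' and SimpleSAML_Auth_State::RESTART entries
    	 * of $hints are copied into the state; everything else in $hints is ignored.
    	 *
    	 * @param string $authId  The identifier of the authentication source.
    	 * @param string $returnURL  The URL we should direct the user to after authentication.
    	 * @param string|NULL $errorURL  The URL we should direct the user to after failed authentication.
    	 *                               Can be NULL, in which case a standard error page will be shown.
    	 * @param array $hints  Extra information about the login. Different authentication requestors may
    	 *                      provide different information. Optional, will default to an empty array.
    	 * @throws Exception  If $authId does not name a known authentication source.
    	 */
    	public static function initLogin($authId, $returnURL, $errorURL = NULL, $hints = array()) {
    		assert(is_string($authId));
    		assert(is_string($returnURL));
    		assert(is_string($errorURL) || is_null($errorURL));
    		assert(is_array($hints));

    		/* __CLASS__ is the same value get_class() returns when called without
    		 * arguments from inside the class, and does not depend on that call form. */
    		$state = array(
    			'SimpleSAML_Auth_Default.id' => $authId,
    			'SimpleSAML_Auth_Default.ReturnURL' => $returnURL,
    			'SimpleSAML_Auth_Default.ErrorURL' => $errorURL,
    			'LoginCompletedHandler' => array(__CLASS__, 'loginCompleted'),
    			'LogoutCallback' => array(__CLASS__, 'logoutCallback'),
    			'LogoutCallbackState' => array(
    				/* Remembered so logoutCallback() can verify that a later logout
    				 * request really comes from the source that created this session. */
    				'SimpleSAML_Auth_Default.logoutSource' => $authId,
    				),
    			);

    		/* Only whitelisted hints are forwarded into the state. */
    		if (array_key_exists('SPMetadata', $hints)) {
    			$state['SPMetadata'] = $hints['SPMetadata'];
    		}
    		if (array_key_exists('IdPMetadata', $hints)) {
    			$state['IdPMetadata'] = $hints['IdPMetadata'];
    		}

    		if (array_key_exists(SimpleSAML_Auth_State::RESTART, $hints)) {
    			$state[SimpleSAML_Auth_State::RESTART] = $hints[SimpleSAML_Auth_State::RESTART];
    		}

    		/* Without an error URL the state keeps no exception handler URL, which
    		 * leaves SimpleSAML_Auth_State::throwException() to show its default error page. */
    		if ($errorURL !== NULL) {
    			$state[SimpleSAML_Auth_State::EXCEPTION_HANDLER_URL] = $errorURL;
    		}

    		$as = SimpleSAML_Auth_Source::getById($authId);
    		if ($as === NULL) {
    			throw new Exception('Invalid authentication source: ' . $authId);
    		}

    		try {
    			$as->authenticate($state);
    		} catch (SimpleSAML_Error_Exception $e) {
    			SimpleSAML_Auth_State::throwException($state, $e);
    		} catch (Exception $e) {
    			/* Generic exceptions are wrapped so they can be carried through the
    			 * saved state; SimpleSAML_Error_Exception instances are passed as-is. */
    			$e = new SimpleSAML_Error_UnserializableException($e);
    			SimpleSAML_Auth_State::throwException($state, $e);
    		}

    		/* Reached only if the source completed authentication without redirecting. */
    		self::loginCompleted($state);
    	}


    	/**
    	 * Called when a login operation has finished.
    	 *
    	 * Marks the session as logged in with the authentication source recorded in
    	 * the state, stores the attributes and (optionally) the session duration and
    	 * logout state, then redirects to the return URL. This function never returns.
    	 *
    	 * @param array $state  The state after the login. Must contain
    	 *                      'SimpleSAML_Auth_Default.ReturnURL', 'SimpleSAML_Auth_Default.id'
    	 *                      and 'Attributes'. 'Expires', when present, is an absolute
    	 *                      unix timestamp; 'LogoutState', when present, is an array.
    	 */
    	public static function loginCompleted($state) {
    		assert(is_array($state));
    		assert(array_key_exists('SimpleSAML_Auth_Default.ReturnURL', $state));
    		assert(array_key_exists('SimpleSAML_Auth_Default.id', $state));
    		assert(array_key_exists('Attributes', $state));
    		assert(!array_key_exists('LogoutState', $state) || is_array($state['LogoutState']));

    		$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];

    		/* Save session state. */
    		$session = SimpleSAML_Session::getInstance();
    		$session->doLogin($state['SimpleSAML_Auth_Default.id']);
    		$session->setAttributes($state['Attributes']);
    		if (array_key_exists('Expires', $state)) {
    			/* 'Expires' is absolute; the session wants a duration relative to now. */
    			$session->setSessionDuration($state['Expires'] - time());
    		}

    		if (array_key_exists('LogoutState', $state)) {
    			$session->setLogoutState($state['LogoutState']);
    		}

    		/* Redirect... */
    		SimpleSAML_Utilities::redirect($returnURL);
    	}


    	/**
    	 * Start logout.
    	 *
    	 * This function starts a logout operation from the current authentication source. The
    	 * local session is terminated first, so the user is logged out locally even if the
    	 * source's own logout never completes. This function never returns.
    	 *
    	 * @param string $returnURL  The URL we should redirect the user to after logging out.
    	 */
    	public static function initLogout($returnURL) {
    		assert(is_string($returnURL));

    		$session = SimpleSAML_Session::getInstance();

    		$state = $session->getLogoutState();
    		$authId = $session->getAuthority();
    		$session->doLogout();

    		/* Make the implicit NULL-to-array conversion explicit, in case no logout
    		 * state was stored for this session. */
    		if ($state === NULL) {
    			$state = array();
    		}

    		$state['SimpleSAML_Auth_Default.ReturnURL'] = $returnURL;
    		$state['LogoutCompletedHandler'] = array(__CLASS__, 'logoutCompleted');

    		$as = SimpleSAML_Auth_Source::getById($authId);
    		if ($as === NULL) {
    			/* The authority wasn't an authentication source, so there is nobody to
    			 * notify; just finish. logoutCompleted() redirects and never returns, but
    			 * return explicitly so $as->logout() can never be reached with a NULL $as. */
    			self::logoutCompleted($state);
    			return;
    		}

    		$as->logout($state);

    		/* Reached only if the source completed the logout without redirecting. */
    		self::logoutCompleted($state);
    	}


    	/**
    	 * Called when logout operation completes.
    	 *
    	 * This function never returns.
    	 *
    	 * @param array $state  The state after the logout. Must contain
    	 *                      'SimpleSAML_Auth_Default.ReturnURL'.
    	 */
    	public static function logoutCompleted($state) {
    		assert(is_array($state));
    		assert(array_key_exists('SimpleSAML_Auth_Default.ReturnURL', $state));

    		$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];

    		/* Redirect... */
    		SimpleSAML_Utilities::redirect($returnURL);
    	}


    	/**
    	 * Called when the authentication source receives an external logout request.
    	 *
    	 * The session is only terminated if the source that sent the request is the
    	 * same source the current session was established with (recorded in the state
    	 * by initLogin()). A request from any other source is logged and ignored, so
    	 * one source cannot end a session it did not create.
    	 *
    	 * @param array $state  State array for the logout operation. Must contain
    	 *                      'SimpleSAML_Auth_Default.logoutSource'.
    	 */
    	public static function logoutCallback($state) {
    		assert(is_array($state));
    		assert(array_key_exists('SimpleSAML_Auth_Default.logoutSource', $state));

    		$source = $state['SimpleSAML_Auth_Default.logoutSource'];

    		$session = SimpleSAML_Session::getInstance();
    		$authId = $session->getAuthority();

    		if ($authId !== $source) {
    			SimpleSAML_Logger::warning('Received logout from different authentication source ' .
    				'than the current. Current is ' . var_export($authId, TRUE) .
    				'. Logout source is ' . var_export($source, TRUE) . '.');
    			return;
    		}

    		$session->doLogout();
    	}


    	/**
    	 * Handle a unsoliced login operations.
    	 *
    	 * This function creates a session from the received information. It
    	 * will then redirect to the given URL.
    	 *
    	 * This is used to handle IdP initiated SSO. The function does no validation of
    	 * its own: by the time it is called, the authentication source is expected to
    	 * have already verified the response that produced $state, since everything
    	 * here is written straight into the user's session.
    	 *
    	 * @param string $authId  The id of the authentication source that received the request.
    	 * @param array $state  A state array. 'Attributes' defaults to an empty array when
    	 *                      absent; 'Expires' (absolute unix timestamp) and 'LogoutState'
    	 *                      are optional.
    	 * @param string $redirectTo  The URL we should redirect the user to after
    	 *                            updating the session.
    	 */
    	public static function handleUnsolicedAuth($authId, array $state, $redirectTo) {
    		assert(is_string($authId));
    		assert(is_string($redirectTo));

    		$session = SimpleSAML_Session::getInstance();
    		$session->doLogin($authId);

    		if (array_key_exists('Attributes', $state)) {
    			$session->setAttributes($state['Attributes']);
    		} else {
    			$session->setAttributes(array());
    		}

    		if (array_key_exists('Expires', $state)) {
    			/* 'Expires' is absolute; the session wants a duration relative to now. */
    			$session->setSessionDuration($state['Expires'] - time());
    		}

    		if (array_key_exists('LogoutState', $state)) {
    			$session->setLogoutState($state['LogoutState']);
    		}

    		SimpleSAML_Utilities::redirect($redirectTo);
    	}

    }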
    
    ?>