-
Olav Morken authored
This filter verifies the authentication context received from the IdP against a list of allowed values. Thanks to Gyula Szabó for creating this filter! git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3031 44740490-163a-0410-bde0-09ae8108e29a
Olav Morken authoredThis filter verifies the authentication context received from the IdP against a list of allowed values. Thanks to Gyula Szabó for creating this filter! git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3031 44740490-163a-0410-bde0-09ae8108e29a
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
ExpectedAuthnContextClassRef.php 2.52 KiB
<?php
/**
* Attribute filter for validate AuthnContextClassRef
*
* 91 => array(
* 'class' => 'saml:ExpectedAuthnContextClassRef',
* 'accepted' => array(
* 'urn:oasis:names:tc:SAML:2.0:post:ac:classes:nist-800-63:3',
* 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
* ),
* ),
*
* @package simpleSAMLphp
* @version $Id$
*/
class sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef extends SimpleSAML_Auth_ProcessingFilter {
/**
* Array of accepted AuthnContextClassRef
* @var array
*/
private $accepted;
/**
* AuthnContextClassRef of the assertion
* @var string
*/
private $AuthnContextClassRef;
/**
* Initialize this filter, parse configuration
*
* @param array $config Configuration information about this filter.
* @param mixed $reserved For future use.
*/
public function __construct($config, $reserved) {
parent::__construct($config, $reserved);
assert('is_array($config)');
if (empty($config['accepted'])){
SimpleSAML_Logger::error('ExpectedAuthnContextClassRef: Configuration error. There is no accepted AuthnContextClassRef.');
throw new SimpleSAML_Error_Exception('ExpectedAuthnContextClassRef: Configuration error. There is no accepted AuthnContextClassRef.');
}
$this->accepted = $config['accepted'];
}
/**
*
* @param array &$request The current request
*/
public function process(&$request) {
assert('is_array($request)');
assert('array_key_exists("Attributes", $request)');
$this->AuthnContextClassRef = $request['saml:sp:State']['saml:sp:AuthnContext'];
if (! in_array($this->AuthnContextClassRef,$this->accepted)){
$this->unauthorized($request);
}
}
/**
* When the process logic determines that the user is not
* authorized for this service, then forward the user to
* an 403 unauthorized page.
*
* Separated this code into its own method so that child
* classes can override it and change the action. Forward
* thinking in case a "chained" ACL is needed, more complex
* permission logic.
*
* @param array $request
*/
protected function unauthorized(&$request) {
SimpleSAML_Logger::error('ExpectedAuthnContextClassRef: Invalid authentication context: '.$this->AuthnContextClassRef.'. Accepted values are: ' . var_export($this->accepted, TRUE));
$id = SimpleSAML_Auth_State::saveState($request, 'saml:ExpectedAuthnContextClassRef:unauthorized');
$url = SimpleSAML_Module::getModuleURL(
'saml/sp/wrong_authncontextclassref.php');
SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
}
}