diff --git a/config-templates/authmemcookie.php b/config-templates/authmemcookie.php index 036e8c2e6767cf2d888369865366d8d2d8576440..47509494cf7ba69a26d591e76cea93d3b5d0ffd8 100644 --- a/config-templates/authmemcookie.php +++ b/config-templates/authmemcookie.php @@ -6,15 +6,6 @@ $config = array( - /* - * What type of login Auth MemCookie will use. - * Can be either 'authsource', 'saml2' or 'shib13'. - * - * For backwards compatibility, the default value if unset is 'saml2'. - * New installations should use 'authsource'. - */ - 'loginmethod' => 'authsource', - /* * The authentication source that should be used. * diff --git a/docs/simplesamlphp-reference-idp-remote.txt b/docs/simplesamlphp-reference-idp-remote.txt index dce7498993ddc3c19cb4654d4d74a07deb84f6d5..0ecf9e03a74bb49ff64c72c44b9fa408acd2da11 100644 --- a/docs/simplesamlphp-reference-idp-remote.txt +++ b/docs/simplesamlphp-reference-idp-remote.txt @@ -182,8 +182,6 @@ There are two modes of encryption supported by simpleSAMLphp. One is symmetric e simpleSAMLphp only signs authentication responses by default. Signing of authentication request, logout requests and logout responses can be enabled by setting the `redirect.sign` option. Validation of received messages can be enabled by the `redirect.validate` option. -These options overrides the options set in `saml20-sp-hosted`. - `redirect.sign` : Whether authentication request, logout requests and logout responses sent to this IdP should be signed. The default is `FALSE`. diff --git a/docs/simplesamlphp-reference-sp-hosted.txt b/docs/simplesamlphp-reference-sp-hosted.txt deleted file mode 100644 index 1ffaab9d248925726a2a7a5245e715521b7ffbc1..0000000000000000000000000000000000000000 --- a/docs/simplesamlphp-reference-sp-hosted.txt +++ /dev/null 
@@ -1,218 +0,0 @@ -SP hosted metadata reference -============================ - -<!-- {{TOC}} --> - -This is a reference for the metadata files `metadata/saml20-sp-hosted.php` and `metadata/shib13-sp-hosted.php`. Both files have the following format: - - <?php - /* The index of the array is the entity ID of this SP. */ - $metadata['entity-id-1'] = array( - 'host' => 'sp.example.org', - /* Configuration options for the first SP. */ - ); - $metadata['entity-id-2'] = array( - 'host' => '__DEFAULT__', - /* Configuration options for the default SP. */ - ); - /* ... */ - -The entity ID should be an URI. It can also be on the form `__DYNAMIC:1__`, `__DYNAMIC:2__`, `...`. In that case, the entity ID will be generated automatically. - -The `host` option is the hostname of the SP, and will be used to select the correct configuration. One entry in the metadata-list can have the host `__DEFAULT__`. This entry will be used when no other entry matches. - - -Common options --------------- - -`AssertionConsumerService` -: Override the default URL for the AssertionConsumerService for this SP. This is an absolute URL. The default value is `<simpleSAMLphp-root>/{shib13|saml2}/sp/AssertionConsumerService.php`. - -: Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page. - -`attributes` -: List of attributes this SP requests from the IdP. - This list will be added to the generated metadata. - -: The attributes will be added without a `NameFormat` by default. - Use the `attributes.NameFormat` option to specify the `NameFormat` for the attributes. - -: *Note*: This list will only be added to the metadata if the `name`-option is also specified. - -`attributes.NameFormat` -: The `NameFormat` for the requested attributes. - -`authproc` -: Used to manipulate attributes, and limit access for each SP. 
See the [authentication processing filter manual](simplesamlphp-authproc). - -`certData` -: Base64 encoded certificate data. Can be used instead of the `certificate` option. - -`certificate` -: File name of certificate for this SP. This certificate will be included in generated metadata. - -`description` -: A description of this SP. Will be added to the generated metadata. - -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated description: - - 'description' => array( - 'en' => 'A service', - 'no' => 'En tjeneste', - ), - -: *Note*: For this to be added to the metadata, you must also specify the `attributes` and `name` options. - -`host` -: The hostname for this SP. One SP can also have the `host`-option set to `__DEFAULT__`, and that SP will be used when no other entries in the metadata matches. - -`idpdisco.url` -: Set which IdP discovery service this SP should use. If this is unset, the IdP discovery service specified in the global option `idpdisco.url.{saml20|shib13}` in `config/config.php` will be used. If that one is also unset, the builtin default discovery service will be used. - -`OrganizationName` -: The name of the organization responsible for this SPP. - This name does not need to be suitable for display to end users. - -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name: - - 'OrganizationName' => array( - 'en' => 'Example organization', - 'no' => 'Eksempel organisation', - ), - -: *Note*: If you specify this option, you must also specify the `OrganizationURL` option. - -`OrganizationDisplayName` -: The name of the organization responsible for this SPP. - This name must be suitable for display to end users. - If this option isn't specified, `OrganizationName` will be used instead. 
- -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name. - -: *Note*: If you specify this option, you must also specify the `OrganizationName` option. - -`OrganizationURL` -: A URL the end user can access for more information about the organization. - -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated URL. - -: *Note*: If you specify this option, you must also specify the `OrganizationName` option. - -`name` -: The name of this SP. Will be added to the generated metadata. - -: This option can be translated into multiple languages by specifying the value as an array of language-code to translated name: - - 'name' => array( - 'en' => 'A service', - 'no' => 'En tjeneste', - ), - -: *Note*: You must also specify at least one attribute in the `attributes` option for this element to be added to the metadata. - -`NameIDFormat` -: Override the default NameIDFormat in the generated metadata and in the authentication request. - -: The default value for SAML 2.0 is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, while the default for Shibboleth 1.3 is `urn:mace:shibboleth:1.0:nameIdentifier`. If you set the value to `NULL`, the `samlp:NameIDPolicy` element is removed from the authentication request. - - -SAML 2.0 options ----------------- - -The following SAML 2.0 SP options are available: - -`AuthnContextClassRef` -: The SP can request authentication with a specific authentication context class. One example of usage could be if the IdP supports both username/password authentication as well as software-PKI. - -`ForceAuthn` -: Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP. - -`IsPassive` -: IsPassive allows you to enable passive authentication by default for this SP. 
- -`privatekey` -: File name of private key to be used for signing messages and decrypting messages from the IdP. This option is only required if you use encrypted assertions or if you enable signing of messages. - -`privatekey_pass` -: The passphrase for the private key, if it is encrypted. If the private key is unencrypted, this can be left out. - -`ProtocolBinding` -: The binding that should be used for SAML2 authentication responses. - This option controls the binding that is requested through the AuthnRequest message to the IdP. - By default the HTTP-Redirect binding is used. - -`RelayState` -: The page the user should be redirected to after an IdP initiated SSO. - -`saml.SOAPClient.certificate` -: A file with a certificate _and_ private key that should be used when issuing SOAP requests from this SP. - If this option isn't specified, the SP private key and certificate will be used. - -`saml.SOAPClient.privatekey_pass` -: The passphrase of the privatekey in `saml.SOAPClient.certificate`. - -`SingleLogoutService` -: Override the default URL for the SingleLogoutService for this SP. This is an absolute URL. The default value is `<simpleSAMLphp-root>/saml2/sp/SingleLogoutService.php`. - -: Note that this only changes the values in the generated metadata and in the messages sent to others. You must also configure your webserver to deliver this URL to the correct PHP page. - -### Fields for signing and validating messages - -simpleSAMLphp SP doesn't signa any messages by default. To enable signing of authentication requests, logout requests and logout responses, enable the `redirect.sign` option. Validation of received messages can be enabled by the `redirect.validate` option. - -These options set the default for this SP, but options for each IdP can be set in `saml20-idp-remote`. - -`redirect.sign` -: Whether authentication requests, logout requests and logout responses sent from this SP should be signed. The default is `FALSE`. 
- -`redirect.validate` -: Whether logout requests and logout responses received received by this SP should be validated. The default is `FALSE`. - - -**Example: Configuration for signed messages** - - 'redirect.sign' => true, - -### Fields for scoping - -Only relevant if you are a sp connected to a proxy/bridge. - -`IDPList` -: The list of scoped idps ie. the list of entityids for idps that -are relevant for this sp. The final list is the concatenation of the -list given as parameter to InitSSO, the list configured at the sp -(here) and the list configured at the ipd for this sp. The -intersection of the final list and the idps configured at the -proxy/bridge will be presented to the user at the discovery service -if neccessary. If only one idp is in the intersection the -discoveryservice will go directly to the idp. - -**Example: Configuration for scoping** - - 'IDPList' => array('https://idp1.wayf.dk', 'https://idp2.wayf.dk'), - -Shibboleth 1.3 SP options ----------------------- - -There are no options specific for a Shibboleth 1.3 SP. - - -Examples --------- - -These are some examples of SP metadata - -### Minimal SAML 2.0 / Shibboleth 1.3 SP ### - - <?php - /* - * We use the '__DYNAMIC:1__' entity ID so that the entity ID - * will be autogenerated. - */ - $metadata['__DYNAMIC:1__'] = array( - /* - * We use '__DEFAULT__' as the hostname so we won't have to - * enter a hostname. - */ - 'host' => '__DEFAULT__', - ); diff --git a/lib/SimpleSAML/AuthMemCookie.php b/lib/SimpleSAML/AuthMemCookie.php index 2ce0b74d67e8859fa55655df060b42fe16f31ccc..80fd00a5048107f4de82a2fe3ecc2c392026c227 100644 --- a/lib/SimpleSAML/AuthMemCookie.php +++ b/lib/SimpleSAML/AuthMemCookie.php 
@@ -43,26 +43,6 @@ class SimpleSAML_AuthMemCookie {
}
- /**
- * Retrieve the login method which should be used to authenticate the user.
- *
- * @return string The login type which should be used for Auth MemCookie.
- */
- public function getLoginMethod() {
- $loginMethod = $this->amcConfig->getString('loginmethod', 'saml2');
- $supportedLogins = array(
- 'authsource',
- 'saml2',
- 'shib13',
- );
- if(!in_array($loginMethod, $supportedLogins, TRUE)) {
- throw new Exception('Configuration option \'loginmethod\' contains an invalid value.');
- }
-
- return $loginMethod;
- }
-
-
/**
* Retrieve the authentication source that should be used to authenticate the user.
*
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index 759ff28678b6931fe34dddd0f88ba0eadbb01e5a..3e086193fe27b7f93e8e347f823da3142e665795 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -73,7 +73,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
* @param $set The set we the property comes from.
* @return The autogenerated metadata property.
*/
- public function getGenerated($property, $set = 'saml20-sp-hosted') {
+ public function getGenerated($property, $set) {
/* First we check if the user has overridden this property in the metadata. */
try {
@@ -93,19 +93,12 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
$config->getBaseURL();
if ($set == 'saml20-sp-hosted') {
- switch ($property) {
- case 'AssertionConsumerService' :
- return $baseurl . 'saml2/sp/AssertionConsumerService.php';
-
- case 'SingleLogoutService' :
- return $baseurl . 'saml2/sp/SingleLogoutService.php';
-
+ switch ($property) {
case 'SingleLogoutServiceBinding' :
return SAML2_Const::BINDING_HTTP_REDIRECT;
}
} elseif($set == 'saml20-idp-hosted') {
-
- switch ($property) {
+ switch ($property) {
case 'SingleSignOnService' :
return $baseurl . 'saml2/idp/SSOService.php';
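Review bot: After this hunk the `saml20-sp-hosted` branch of getGenerated() is left with a single `SingleLogoutServiceBinding` case, while the rest of the commit removes every other producer of that set (the flat-file handler no longer maps it to a metadata URL and its reference document is deleted), so the surviving branch looks like dead code that should either be dropped as well or carry a comment naming the caller that still requests it. The branch condition is also the loose `if ($set == 'saml20-sp-hosted')`, whereas the flat-file handler compares the same set names with `===`; `if ($set === 'saml20-sp-hosted') {` would make the two consistent. The body of getGenerated() starts and ends outside the hunk.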
@@ -118,11 +111,6 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
case 'SingleLogoutServiceBinding' :
return SAML2_Const::BINDING_HTTP_REDIRECT;
}
- } elseif($set == 'shib13-sp-hosted') {
- switch ($property) {
- case 'AssertionConsumerService' :
- return $baseurl . 'shib13/sp/AssertionConsumerService.php';
- }
} elseif($set == 'shib13-idp-hosted') {
switch ($property) {
case 'SingleSignOnService' :
@@ -181,7 +169,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
* @param $set The set we want metadata from.
* @return An associative array with the metadata.
*/
- public function getMetaDataCurrent($set = 'saml20-sp-hosted') {
+ public function getMetaDataCurrent($set) {
return $this->getMetaData(NULL, $set);
}
@@ -194,7 +182,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
* @param $type Do you want to return the metaindex or the entityID. [entityid|metaindex]
* @return The entity id which is associated with the current hostname/path combination.
*/
- public function getMetaDataCurrentEntityID($set = 'saml20-sp-hosted', $type = 'entityid') {
+ public function getMetaDataCurrentEntityID($set, $type = 'entityid') {
assert('is_string($set)');
@@ -268,7 +256,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
* the current entity id based on the current hostname/path.
* @param $set The set of metadata we are looking up the entity id in.
*/
- public function getMetaData($index, $set = 'saml20-sp-hosted') {
+ public function getMetaData($index, $set) {
assert('is_string($set)');
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandlerFlatFile.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandlerFlatFile.php
index ee1cab6693a994c591ee841ef4caeef1028b4d06..6281314a9d72fa2e3203fe866fb4954f58bc259f 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandlerFlatFile.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandlerFlatFile.php
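Review bot: Dropping the `'saml20-sp-hosted'` default makes `$set` mandatory in getMetaData(), but the only guard on the following line is `assert('is_string($set)')`, which is skipped entirely when assertions are disabled (the usual production setting) and whose string-argument form is deprecated from PHP 7.2, so a caller that passes NULL, or that omits the argument on the PHP 5 releases this code appears to target, reaches the lookup with a NULL set and no clear error. A runtime check keeps the failure explicit and independent of the assert setting: `if (!is_string($set)) { throw new InvalidArgumentException('Missing metadata set.'); }`. getMetaDataCurrentEntityID() two hunks up has the identical assert and the identical change, so it deserves the same guard. The body of getMetaData() continues past the end of the hunk.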
@@ -120,12 +120,8 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerFlatFile extends SimpleSAML_Meta
if ($set === 'saml20-idp-hosted') {
return $baseurl . 'saml2/idp/metadata.php';
- } elseif($set === 'saml20-sp-hosted') {
- return $baseurl . 'saml2/sp/metadata.php';
} elseif($set === 'shib13-idp-hosted') {
return $baseurl . 'shib13/idp/metadata.php';
- } elseif($set === 'shib13-sp-hosted') {
- return $baseurl . 'shib13/sp/metadata.php';
} elseif($set === 'wsfed-sp-hosted') {
return 'urn:federation:' . SimpleSAML_Utilities::getSelfHost();
} elseif($set === 'adfs-idp-hosted') {
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
index ccb4d94e0fc792cdf39cf0872b228848df33774a..651b87512fb7440862e4a9055aa0efeed582b291 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnRequest.php
@@ -27,14 +27,10 @@ class SimpleSAML_XML_Shib13_AuthnRequest {
return $this->issuer;
}
- public function createRedirect($destination, $shire = NULL) {
+ public function createRedirect($destination, $shire) {
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpmetadata = $metadata->getMetaDataConfig($destination, 'shib13-idp-remote');
- if ($shire === NULL) {
- $shire = $metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted');
- }
-
$desturl = $idpmetadata->getDefaultEndpoint('SingleSignOnService', array('urn:mace:shibboleth:1.0:profiles:AuthnRequest'));
$desturl = $desturl['Location'];
diff --git a/modules/core/www/frontpage_auth.php b/modules/core/www/frontpage_auth.php
index 28d45304d812baa251a3101950eb348a992ccc69..ef4fcaf20b5ec73890056741cb01275191d46758 100644
--- a/modules/core/www/frontpage_auth.php
+++ b/modules/core/www/frontpage_auth.php
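Review bot: `$shire` becomes a required argument of createRedirect() in this hunk, but nothing checks that the caller supplied a usable value; the removed `if ($shire === NULL)` fallback was the only code that ever handled a missing one, and the name of the removed getGenerated('AssertionConsumerService', ...) call shows this is the assertion consumer URL the IdP will be told to post back to, so a NULL or empty `$shire` now presumably flows straight into the redirect URL assembled further down. A guard at the top of the method keeps the failure local and descriptive: `if (!is_string($shire) || $shire === '') { throw new InvalidArgumentException('createRedirect() requires the SP assertion consumer URL.'); }`. The remainder of the method, where the redirect is built from `$desturl`, lies outside the hunk.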
@@ -28,22 +28,6 @@ $links_auth[] = array(
'text' => '{core:frontpage:authtest}',
);
-
- if ($config->getValue('enable.saml20-sp') === true)
- $links_auth[] = array(
- 'href' => SimpleSAML_Utilities::getBaseURL() . 'example-simple/saml2-example.php',
- 'text' => '{core:frontpage:link_saml2example}',
- 'deprecated' => TRUE,
- );
-
- if ($config->getValue('enable.shib13-sp') === true)
- $links_auth[] = array(
- 'href' => SimpleSAML_Utilities::getBaseURL() . 'example-simple/shib13-example.php',
- 'text' => '{core:frontpage:link_shib13example}',
- 'deprecated' => TRUE,
- );
-
-
$allLinks = array(
'links' => &$links,
'welcome' => &$links_welcome,
diff --git a/modules/core/www/frontpage_federation.php b/modules/core/www/frontpage_federation.php
index d502e7bab41f9a0a7882a2e7a955737b7b55603f..512061ed47d701afdc7469c24813e53ecbf0d63e 100644
--- a/modules/core/www/frontpage_federation.php
+++ b/modules/core/www/frontpage_federation.php
@@ -75,14 +75,6 @@ if ($isadmin) {
$metaentries['remote']['shib13-idp-remote'] = $metadata->getList('shib13-idp-remote');
}
- if ($config->getBoolean('enable.saml20-sp', TRUE) === true) {
- try {
- $metaentries['hosted']['saml20-sp'] = $metadata->getMetaDataCurrent('saml20-sp-hosted');
- $metaentries['hosted']['saml20-sp']['deprecated'] = TRUE;
- $metaentries['hosted']['saml20-sp']['metadata-url'] = '/' . $config->getBaseURL() .
- 'saml2/sp/metadata.php?output=xhtml';
- } catch(Exception $e) {}
- }
if ($config->getBoolean('enable.saml20-idp', FALSE) === true) {
try {
$metaentries['hosted']['saml20-idp'] = $metadata->getMetaDataCurrent('saml20-idp-hosted');
@@ -92,14 +84,6 @@ if ($config->getBoolean('enable.saml20-idp', FALSE) === true) {
$metaentries['remote']['saml20-sp-remote'] = $metadata->getList('saml20-sp-remote');
} catch(Exception $e) {}
}
- if ($config->getBoolean('enable.shib13-sp', FALSE) === true) {
- try {
- $metaentries['hosted']['shib13-sp'] = $metadata->getMetaDataCurrent('shib13-sp-hosted');
- $metaentries['hosted']['shib13-sp']['deprecated'] = TRUE;
- $metaentries['hosted']['shib13-sp']['metadata-url'] = '/' . $config->getBaseURL() .
- 'shib13/sp/metadata.php?output=xhtml';
- } catch(Exception $e) {}
- }
if ($config->getBoolean('enable.shib13-idp', FALSE) === true) {
try {
$metaentries['hosted']['shib13-idp'] = $metadata->getMetaDataCurrent('shib13-idp-hosted');
diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 462131fa4a318eef93b9925000b205832a464ef1..45c1e60ffe0890e2944b6b08082e2f73ede45448 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -220,9 +220,7 @@ Options
: If this option is set, its value will be added to the metadata generated for this SP, in the NameIDFormat element.
-: *Note 1*: This option replaces the `NameIDFormat` option found in `saml20-sp-hosted`.
-
-: *Note 2*: SAML 2 specific.
+: *Note 1*: SAML 2 specific.
`OrganizationName`
: The name of the organization responsible for this SP.
diff --git a/modules/saml/www/sp/saml1-acs.php b/modules/saml/www/sp/saml1-acs.php
index 95cc91b58df646d5916f0de427908a2b1b575b49..fcfd5a0736a891f32505dde97ebdf4988d76ec97 100644
--- a/modules/saml/www/sp/saml1-acs.php
+++ b/modules/saml/www/sp/saml1-acs.php
@@ -8,6 +8,10 @@ if (!array_key_exists('TARGET', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing TARGET parameter.');
}
+if (!array_key_exists('PATH_INFO', $_SERVER)) {
+ throw new SimpleSAML_Error_BadRequest('Missing authentication source ID in assertion consumer service URL');
+}
+
$sourceId = $_SERVER['PATH_INFO'];
$end = strpos($sourceId, '/', 1);
if ($end === FALSE) {
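Review bot: `array_key_exists('PATH_INFO', $_SERVER)` only catches the key being absent; a PATH_INFO that is present but empty, which some SAPI and front-controller setups are reported to produce, passes the new check and reaches `strpos($sourceId, '/', 1)` on the next line with an offset beyond the end of the string, which PHP reports as a warning (a ValueError on PHP 8) instead of the BadRequest this hunk was added to give. Testing for emptiness covers both cases in one line: `if (empty($_SERVER['PATH_INFO'])) {`. The `if ($end === FALSE)` branch that handles a missing second slash continues outside the hunk.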
diff --git a/modules/saml/www/sp/saml2-acs.php b/modules/saml/www/sp/saml2-acs.php
index 1341095cbd89b36ef6f4d71b237fa9e689a8ee65..b9fb760b18cc7e648186d2336af2f69230412e4a 100644
--- a/modules/saml/www/sp/saml2-acs.php
+++ b/modules/saml/www/sp/saml2-acs.php
@@ -4,6 +4,10 @@
* Assertion consumer service handler for SAML 2.0 SP authentication client.
*/
+if (!array_key_exists('PATH_INFO', $_SERVER)) {
+ throw new SimpleSAML_Error_BadRequest('Missing authentication source ID in assertion consumer service URL');
+}
+
$sourceId = substr($_SERVER['PATH_INFO'], 1);
$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
$spMetadata = $source->getMetadata();
diff --git a/modules/saml/www/sp/saml2-logout.php b/modules/saml/www/sp/saml2-logout.php
index d8d04c5c144ca1c653c3d2ccf22791581eab5b23..b39f3bff0c96c8bbfb7ce0cc01dc5033dc607ef3 100644
--- a/modules/saml/www/sp/saml2-logout.php
+++ b/modules/saml/www/sp/saml2-logout.php
@@ -7,7 +7,7 @@
*/
if (!array_key_exists('PATH_INFO', $_SERVER)) {
- throw new SimpleSAML_Error_BadRequest('Missing authentication source id in logout URL');
+ throw new SimpleSAML_Error_BadRequest('Missing authentication source ID in logout URL');
}
$sourceId = substr($_SERVER['PATH_INFO'], 1);
diff --git a/www/authmemcookie.php b/www/authmemcookie.php
index b385400c9031b63fa36625960da7b64cb6e5bf3d..dc52fc2c3eb02157514d4280fe2dce49ba03b0cd 100644
--- a/www/authmemcookie.php
+++ b/www/authmemcookie.php
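Review bot: The check added here still accepts a PATH_INFO of just `/` (or an empty string), in which case `substr($_SERVER['PATH_INFO'], 1)` yields an empty ID (false on PHP before 8) that is handed to getById(), so such a request presumably fails inside the auth-source lookup with a generic error rather than the BadRequest this hunk introduces for a missing source ID. Checking that there is something after the slash keeps the error message honest: `if (!isset($_SERVER['PATH_INFO']) || strlen($_SERVER['PATH_INFO']) < 2) {`. The same one-line guard is worth applying in saml2-logout.php below, whose existing check has the identical gap.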
@@ -24,24 +24,8 @@ try {
/* Load Auth MemCookie configuration. */
$amc = SimpleSAML_AuthMemCookie::getInstance();
- /* Determine the method we should use to authenticate the user and retrieve the attributes. */
- $loginMethod = $amc->getLoginMethod();
- switch($loginMethod) {
- case 'authsource':
- /* The default now. */
- $sourceId = $amc->getAuthSource();
- $s = new SimpleSAML_Auth_Simple($sourceId);
- break;
- case 'saml2':
- $s = new SimpleSAML_Auth_BWC('saml2/sp/initSSO.php', 'saml2');
- break;
- case 'shib13':
- $s = new SimpleSAML_Auth_BWC('shib13/sp/initSSO.php', 'shib13');
- break;
- default:
- /* Should never happen, as the login method is checked in the AuthMemCookie class. */
- throw new Exception('Invalid login method.');
- }
+ $sourceId = $amc->getAuthSource();
+ $s = new SimpleSAML_Auth_Simple($sourceId);
/* Check if the user is authorized. We attempt to authenticate the user if not. */
$s->requireAuth();
diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php
deleted file mode 100644
index 1f3412627c5ec31659255f9de56676df80a1ab7d..0000000000000000000000000000000000000000
--- a/www/saml2/sp/AssertionConsumerService.php
+++ /dev/null
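Review bot: The new code unconditionally builds `SimpleSAML_Auth_Simple` from `$amc->getAuthSource()`, so an existing deployment whose authmemcookie.php still sets `'loginmethod' => 'saml2'` or `'shib13'` is silently switched to whatever `authsource` resolves to, changing which authentication path gates Auth MemCookie without any diagnostic. If SimpleSAML_AuthMemCookie can expose its configuration object, a one-off warning when the now-removed option is still present would make the migration visible, e.g. `SimpleSAML_Logger::warning('authmemcookie: the loginmethod option has been removed; the authsource option is always used.');` guarded by a check for that option. The enclosing `try` block opens before this hunk and its catch is not visible here.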
@@ -1,184 +0,0 @@ -<?php - -/** - * WARNING: - * - * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS - * - * @deprecated - */ - -require_once('../../_include.php'); - -/** - * This SAML 2.0 endpoint is the endpoint at the SAML 2.0 SP that takes an Authentication Response - * as HTTP-POST in, and parses and processes it before it redirects the use to the RelayState. - * - * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no> - * @package simpleSAMLphp - * @abstract - */ - -$config = SimpleSAML_Configuration::getInstance(); - -SimpleSAML_Logger::warning('The file saml2/sp/AssertionConsumerService.php is deprecated and will be removed in future versions.'); - -/* Get the session object for the user. Create a new session if no session - * exists for this user. - */ -$session = SimpleSAML_Session::getSessionFromRequest(); - - -/** - * Finish login operation. - * - * This helper function finishes a login operation and redirects the user back to the page which - * requested the login. - * - * @param array $authProcState The state of the authentication process. 
- */ -function finishLogin($authProcState) { - assert('is_array($authProcState)'); - assert('array_key_exists("Attributes", $authProcState)'); - assert('array_key_exists("core:saml20-sp:NameID", $authProcState)'); - assert('array_key_exists("core:saml20-sp:SessionIndex", $authProcState)'); - assert('array_key_exists("core:saml20-sp:TargetURL", $authProcState)'); - assert('array_key_exists("Source", $authProcState)'); - assert('array_key_exists("entityid", $authProcState["Source"])'); - - $authData = array( - 'Attributes' => $authProcState['Attributes'], - 'saml:sp:NameID' => $authProcState['core:saml20-sp:NameID'], - 'saml:sp:SessionIndex' => $authProcState['core:saml20-sp:SessionIndex'], - 'saml:sp:IdP' => $authProcState['Source']['entityid'], - ); - - global $session; - $session->doLogin('saml2', $authData); - - SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:saml20-sp:TargetURL']); -} - -SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService'); - -if (!$config->getBoolean('enable.saml20-sp', TRUE)) - throw new SimpleSAML_Error_Error('NOACCESS'); - -if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) { - /* We have returned from the authentication processing filters. 
*/ - - $authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM]; - - // sanitize the input - $sid = SimpleSAML_Utilities::parseStateID($authProcId); - if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); - } - - $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId); - finishLogin($authProcState); -} - - -try { - $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); - $sp = $metadataHandler->getMetaDataCurrentEntityID(); - $spMetadata = $metadataHandler->getMetaDataConfig($sp, 'saml20-sp-hosted'); - - $b = SAML2_Binding::getCurrentBinding(); - if ($b instanceof SAML2_HTTPArtifact) { - $b->setSPMetadata($spMetadata); - } - - $response = $b->receive(); - if (!($response instanceof SAML2_Response)) { - throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.'); - } - - $idp = $response->getIssuer(); - if ($idp === NULL) { - throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.'); - } - - - $idpMetadata = $metadataHandler->getMetaDataConfig($idp, 'saml20-idp-remote'); - - /* Fetch the request information if it exists, fall back to RelayState if not. */ - $requestId = $response->getInResponseTo(); - $info = $session->getData('SAML2:SP:SSO:Info', $requestId); - if($info === NULL) { - /* Fall back to RelayState. */ - $info = array(); - $info['RelayState'] = SimpleSAML_Utilities::checkURLAllowed($response->getRelayState()); - if(empty($info['RelayState'])) { - $info['RelayState'] = $spMetadata->getString('RelayState', NULL); - } - if(empty($info['RelayState'])) { - /* RelayState missing. 
*/ - throw new SimpleSAML_Error_Error('NORELAYSTATE'); - } - } - - - try { - $assertion = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response); - if (count($assertion) > 1) { - throw new SimpleSAML_Error_Exception('More than one assertion in received response.'); - } - $assertion = $assertion[0]; - } catch (sspmod_saml_Error $e) { - /* The status of the response wasn't "success". */ - - $status = $response->getStatus(); - if(array_key_exists('OnError', $info)) { - /* We have an error handler. Return the error to it. */ - SimpleSAML_Utilities::redirectTrustedURL($info['OnError'], array('StatusCode' => $status['Code'])); - } - - /* We don't have an error handler. Show an error page. */ - throw new SimpleSAML_Error_Error('RESPONSESTATUSNOSUCCESS', $e); - } - - - SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Successful response from IdP'); - - /* - * Attribute handling - */ - $attributes = $assertion->getAttributes(); - - SimpleSAML_Logger::stats('saml20-sp-SSO ' . $metadataHandler->getMetaDataCurrentEntityID() . ' ' . $idp . ' NA'); - - - $nameId = $assertion->getNameId(); - - /* Begin module attribute processing */ - - $spMetadataArray = $spMetadata->toArray(); - $idpMetadataArray = $idpMetadata->toArray(); - - $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp'); - - $authProcState = array( - 'core:saml20-sp:NameID' => $nameId, - 'core:saml20-sp:SessionIndex' => $assertion->getSessionIndex(), - 'core:saml20-sp:TargetURL' => $info['RelayState'], - 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), - 'Attributes' => $attributes, - 'Destination' => $spMetadataArray, - 'Source' => $idpMetadataArray, - ); - - $pc->processState($authProcState); - /* Since this function returns, processing has completed and attributes have - * been updated. 
- */ - - finishLogin($authProcState); - -} catch(Exception $exception) { - throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception); -} - - -?> \ No newline at end of file diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php deleted file mode 100644 index e21b65ccb82444e33346eec567dbcd13b67d78b3..0000000000000000000000000000000000000000 --- a/www/saml2/sp/SingleLogoutService.php +++ /dev/null 
@@ -1,108 +0,0 @@ -<?php - -/** - * WARNING: - * - * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS - * - * @deprecated - */ - -require_once('../../_include.php'); - -$config = SimpleSAML_Configuration::getInstance(); -$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); - -SimpleSAML_Logger::warning('The file saml2/sp/SingleLogoutService.php is deprecated and will be removed in future versions.'); - -// Get the local session -$session = SimpleSAML_Session::getSessionFromRequest(); - - -SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: Accessing SAML 2.0 SP endpoint SingleLogoutService'); - -if (!$config->getBoolean('enable.saml20-sp', TRUE)) - throw new SimpleSAML_Error_Error('NOACCESS'); - - - -// Destroy local session if exists. -$session->doLogout('saml2'); - -$binding = SAML2_Binding::getCurrentBinding(); -$message = $binding->receive(); - -$idpEntityId = $message->getIssuer(); -if ($idpEntityId === NULL) { - /* Without an issuer we have no way to respond to the message. */ - throw new SimpleSAML_Error_BadRequest('Received message on logout endpoint without issuer.'); -} - -$spEntityId = $metadata->getMetaDataCurrentEntityId('saml20-sp-hosted'); - -$idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote'); -$spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted'); - -sspmod_saml_Message::validateMessage($idpMetadata, $spMetadata, $message); - -if ($message instanceof SAML2_LogoutRequest) { - - try { - // Extract some parameters from the logout request - $requestid = $message->getId(); - - SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: IdP (' . $idpEntityId . - ') is sending logout request to me SP (' . $spEntityId . ') requestid '.$requestid); - SimpleSAML_Logger::stats('saml20-idp-SLO idpinit ' . $spEntityId . ' ' . $idpEntityId); - - /* Create response. 
*/ - $lr = sspmod_saml_Message::buildLogoutResponse($spMetadata, $idpMetadata); - $lr->setRelayState($message->getRelayState()); - $lr->setInResponseTo($message->getId()); - - SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: SP me (' . $spEntityId . ') is sending logout response to IdP (' . $idpEntityId . ')'); - - $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array( - SAML2_Const::BINDING_HTTP_REDIRECT, - SAML2_Const::BINDING_HTTP_POST) - ); - - if (!$binding instanceof SAML2_SOAP) { - $binding = SAML2_Binding::getBinding($dst['Binding']); - if (isset($dst['ResponseLocation'])) { - $dst = $dst['ResponseLocation']; - } else { - $dst = $dst['Location']; - } - $binding->setDestination($dst); - } - - /* Send response. */ - $binding->send($lr); - } catch (Exception $exception) { - throw new SimpleSAML_Error_Error('LOGOUTREQUEST', $exception); - } - -} elseif ($message instanceof SAML2_LogoutResponse) { - - SimpleSAML_Logger::stats('saml20-sp-SLO spinit ' . $spEntityId . ' ' . $idpEntityId); - - $id = $message->getRelayState(); - if (empty($id)) { - /* For backwardscompatibility. */ - $id = $message->getInResponseTo(); - } - - // 'spLogoutReturnTo' is checked before storing it in the - // session, so we trust it here. - $returnTo = $session->getData('spLogoutReturnTo', $id); - if (empty($returnTo)) { - throw new SimpleSAML_Error_Error('LOGOUTINFOLOST'); - } - - SimpleSAML_Utilities::redirectTrustedURL($returnTo); - -} else { - throw new SimpleSAML_Error_Error('SLOSERVICEPARAMS'); -} - diff --git a/www/saml2/sp/idpdisco.php b/www/saml2/sp/idpdisco.php deleted file mode 100644 index b7cdff38101558245a682af3face4f2c4d567a3d..0000000000000000000000000000000000000000 --- a/www/saml2/sp/idpdisco.php +++ /dev/null 
@@ -1,29 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-SimpleSAML_Logger::warning('The file saml2/sp/idpdisco.php is deprecated and will be removed in future versions.');
-
-try {
- $discoHandler = new SimpleSAML_XHTML_IdPDisco(array('saml20-idp-remote'), 'saml20');
-} catch (Exception $exception) {
- /* An error here should be caused by invalid query parameters. */
- throw new SimpleSAML_Error_Error('DISCOPARAMS', $exception);
-}
-
-try {
- $discoHandler->handleRequest();
-} catch(Exception $exception) {
- /* An error here should be caused by metadata. */
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-?>
\ No newline at end of file
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
deleted file mode 100644
index 50b2d035fe00b29b2efc22b94dc32b948e7889bb..0000000000000000000000000000000000000000
--- a/www/saml2/sp/initSLO.php
+++ /dev/null
@@ -1,75 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-
-$session = SimpleSAML_Session::getSessionFromRequest();
-
-SimpleSAML_Logger::warning('The file saml2/sp/initSLO.php is deprecated and will be removed in future versions.');
-
-SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO script');
-
-if (!$config->getBoolean('enable.saml20-sp', TRUE))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-
-if (isset($_REQUEST['RelayState'])) {
- $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
-} else {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
-}
-
-
-try {
- $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
- $idpEntityId = $session->getAuthData('saml2', 'saml:sp:IdP');
- if ($idpEntityId === NULL) {
- SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: User not authenticated with an IdP.');
- SimpleSAML_Utilities::redirectTrustedURL($returnTo);
- }
- $idpMetadata = $metadata->getMetaDataConfig($idpEntityId, 'saml20-idp-remote');
- $SLOendpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
- SAML2_Const::BINDING_HTTP_REDIRECT,
- SAML2_Const::BINDING_HTTP_POST),
- NULL);
- if ($SLOendpoint === NULL) {
- $session->doLogout('saml2');
- SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: No SingleLogoutService endpoint supported in the IdP.');
- SimpleSAML_Utilities::redirectTrustedURL($returnTo);
- }
-
- $spEntityId = isset($_GET['spentityid']) ?
$_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
- $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-hosted');
-
- $nameId = $session->getAuthData('saml2', 'saml:sp:NameID');
-
- $lr = sspmod_saml_Message::buildLogoutRequest($spMetadata, $idpMetadata);
- $lr->setNameId($nameId);
- $lr->setSessionIndex($session->getAuthData('saml2', 'saml:sp:SessionIndex'));
- $lr->setDestination($SLOendpoint['Location']);
-
- $session->doLogout('saml2');
-
- /* Save the $returnTo URL until the user returns from the IdP. */
- $session->setData('spLogoutReturnTo', $lr->getId(), $returnTo);
-
- SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: SP (' . $spEntityId . ') is sending logout request to IdP (' . $idpEntityId . ')');
-
- $b = SAML2_Binding::getBinding($SLOendpoint['Binding']);
- $b->send($lr);
-
-
-} catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
-}
-
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
deleted file mode 100644
index ef1acc2396d2c4f3976335570664c0f16c53c834..0000000000000000000000000000000000000000
--- a/www/saml2/sp/initSSO.php
+++ /dev/null
@@ -1,189 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-$session = SimpleSAML_Session::getSessionFromRequest();
-
-SimpleSAML_Logger::warning('The file saml2/sp/initSSO.php is deprecated and will be removed in future versions.');
-
-SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script');
-
-if (!$config->getBoolean('enable.saml20-sp', TRUE))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-/*
- * Incomming URL parameters
- *
- * idpentityid optional The entityid of the wanted IdP to authenticate with. If not provided will use default.
- * spentityid optional The entityid of the SP config to use. If not provided will use default to host.
- * RelayState required Where to send the user back to after authentication.
- */
-
-if (empty($_GET['RelayState'])) {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
-}
-$returnTo = SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']);
-
-$reachableIDPs = array();
-
-try {
-
- $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $config->getString('default-saml20-idp', NULL) ;
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
-
- $isPassive = isset($_GET['IsPassive']) && ($_GET['IsPassive'] === 'true' || $_GET['IsPassive'] === '1');
- $forceAuthn = isset($_GET['ForceAuthn']) && ($_GET['ForceAuthn'] === 'true' || $_GET['ForceAuthn'] === '1');
-
- /* We are going to need the SP metadata to determine which IdP discovery service we should use.
- And for checking for scoping parameters.
*/
- $spmetadata = $metadata->getMetaDataCurrent('saml20-sp-hosted');
-
- $IDPList = array();
-
- /* Configured idp overrides one given by Scope */
- if($idpentityid === NULL && array_key_exists('idpentityid', $spmetadata)) {
- $idpentityid = $spmetadata['idpentityid'];
- }
-
- /* AuthId is set if we are on the sp side on a proxy/bridge */
- $authid = isset($_GET['AuthId']) ? $_GET['AuthId'] : FALSE;
- if ($authid) {
- $authrequestcache = $session->getAuthnRequest('saml2', $authid);
- $isPassive = $isPassive || $authrequestcache['IsPassive'];
- $forceAuthn = $forceAuthn || $authrequestcache['ForceAuthn'];
-
- /* keep the IDPList, it MUST be sent it to the next idp,
- we are only allowed to add idps */
- if (isset($authrequestcache['IDPList']) && is_array($authrequestcache['IDPList'])) {
- $IDPList = $authrequestcache['IDPList'];
- }
- if ($idpentityid === NULL) {
- /* only consider ProviderIDs we know ... */
-
- $reachableIDPs = array_intersect($IDPList, array_keys($metadata->getList()));
-
- if (sizeof($reachableIDPs) === 1) {
- $idpentityid = array_shift($reachableIDPs);
- }
- }
- }
-
-
-} catch (Exception $exception) {
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-/*
- * If no IdP can be resolved, send the user to the SAML 2.0 Discovery Service
- */
-if ($idpentityid === NULL) {
-
- SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: No chosen or default IdP, go to SAML2disco');
-
- /* Which IdP discovery service should we use? Can be set in SP metadata or in global configuration.
- * Falling back to builtin discovery service.
- */
-
- if(array_key_exists('idpdisco.url', $spmetadata)) {
- $discourl = $spmetadata['idpdisco.url'];
- } elseif($config->getString('idpdisco.url.saml20', NULL) !== NULL) {
- $discourl = $config->getString('idpdisco.url.saml20');
- } else {
- $discourl = SimpleSAML_Utilities::getBaseURL() .
'saml2/sp/idpdisco.php';
- }
-
- $extDiscoveryStorage = $config->getString('idpdisco.extDiscoveryStorage', NULL);
- if ($extDiscoveryStorage !== NULL) {
- SimpleSAML_Utilities::redirectTrustedURL($extDiscoveryStorage, array(
- 'entityID' => $spentityid,
- 'return' => SimpleSAML_Utilities::addURLparameter($discourl, array(
- 'return' => SimpleSAML_Utilities::selfURL(),
- 'remember' => 'true',
- 'entityID' => $spentityid,
- 'returnIDParam' => 'idpentityid',
- )),
- 'returnIDParam' => 'idpentityid',
- 'isPassive' => 'true')
- );
- }
-
- $discoparameters = array(
- 'entityID' => $spentityid,
- 'return' => SimpleSAML_Utilities::selfURL(),
- 'returnIDParam' => 'idpentityid');
-
- $discoparameters['isPassive'] = $isPassive;
-
- if (sizeof($reachableIDPs) > 0) {
- $discoparameters['IDPList'] = $reachableIDPs;
- }
-
- SimpleSAML_Utilities::redirectTrustedURL($discourl, $discoparameters);
-}
-
-
-/*
- * Create and send authentication request to the IdP.
- */
-try {
-
- $spMetadata = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-hosted');
- $idpMetadata = $metadata->getMetaDataConfig($idpentityid, 'saml20-idp-remote');
-
- $ar = sspmod_saml_Message::buildAuthnRequest($spMetadata, $idpMetadata);
-
- $assertionConsumerServiceURL = $metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted');
- $ar->setAssertionConsumerServiceURL($assertionConsumerServiceURL);
- $ar->setRelayState($returnTo);
-
- if ($isPassive) {
- $ar->setIsPassive(TRUE);
- }
- if ($forceAuthn) {
- $ar->setForceAuthn(TRUE);
- }
-
- if(array_key_exists('IDPList', $spmetadata)) {
- $IDPList = array_unique(array_merge($IDPList, $spmetadata['IDPList']));
- }
-
- if (isset($_GET['IDPList']) && !empty($_GET['IDPList'])) {
- $providers = $_GET['IDPList'];
- if (!is_array($providers)) $providers = array($providers);
- $IDPList = array_merge($IDPList, $providers);
- };
- $ar->setIDPList($IDPList);
-
- /* Save request information.
*/
- $info = array();
- $info['RelayState'] = $returnTo;
- if(array_key_exists('OnError', $_REQUEST)) {
- $info['OnError'] = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['OnError']);
- }
- $session->setData('SAML2:SP:SSO:Info', $ar->getId(), $info);
-
- /* Select appropriate SSO endpoint */
- if ($ar->getProtocolBinding() === SAML2_Const::BINDING_HOK_SSO) {
- $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HOK_SSO));
- } else {
- $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(SAML2_Const::BINDING_HTTP_REDIRECT, SAML2_Const::BINDING_HTTP_POST));
- }
- $ar->setDestination($dst['Location']);
-
- $b = SAML2_Binding::getBinding($dst['Binding']);
- $b->send($ar);
-
-} catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
-}
-
diff --git a/www/saml2/sp/metadata.php b/www/saml2/sp/metadata.php
deleted file mode 100644
index 8d2f2a73a6a0b84e106258dab796992cc08df6a5..0000000000000000000000000000000000000000
--- a/www/saml2/sp/metadata.php
+++ /dev/null
@@ -1,125 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-/* Load simpleSAMLphp, configuration and metadata */
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
-SimpleSAML_Logger::warning('The file saml2/sp/metadata.php is deprecated and will be removed in future versions.');
-
-
-if (!$config->getValue('enable.saml20-sp', TRUE))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-/* Check if valid local session exists.. */
-if ($config->getBoolean('admin.protectmetadata', false)) {
- SimpleSAML_Utilities::requireAdmin();
-}
-
-try {
-
-
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
- $spmeta = $metadata->getMetaDataConfig($spentityid, 'saml20-sp-hosted');
-
- $metaArray = array(
- 'metadata-set' => 'saml20-sp-remote',
- 'entityid' => $spentityid,
- 'AssertionConsumerService' => $metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted'),
- );
-
- $slob = $metadata->getGenerated('SingleLogoutServiceBinding', 'saml20-sp-hosted');
- $slol = $metadata->getGenerated('SingleLogoutService', 'saml20-sp-hosted');
-
- if (is_array($slob)) {
- foreach ($slob as $binding) {
- $metaArray['SingleLogoutService'][] = array(
- 'Binding' => $binding,
- 'Location' => $slol,
- );
- }
- } else {
- $metaArray['SingleLogoutService'][] = array(
- 'Binding' => $slob,
- 'Location' => $slol,
- );
- }
-
- $metaArray['NameIDFormat'] = $spmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
-
- if ($spmeta->hasValue('OrganizationName')) {
- $metaArray['OrganizationName'] = $spmeta->getLocalizedString('OrganizationName');
- $metaArray['OrganizationDisplayName'] = $spmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
-
- if
(!$spmeta->hasValue('OrganizationURL')) {
- throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
- }
- $metaArray['OrganizationURL'] = $spmeta->getLocalizedString('OrganizationURL');
- }
-
-
- if ($spmeta->hasValue('attributes')) {
- $metaArray['attributes'] = $spmeta->getArray('attributes');
- }
- if ($spmeta->hasValue('attributes.NameFormat')) {
- $metaArray['attributes.NameFormat'] = $spmeta->getString('attributes.NameFormat');
- }
- if ($spmeta->hasValue('name')) {
- $metaArray['name'] = $spmeta->getLocalizedString('name');
- }
- if ($spmeta->hasValue('description')) {
- $metaArray['description'] = $spmeta->getLocalizedString('description');
- }
-
- $certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta);
- if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
- $metaArray['certData'] = $certInfo['certData'];
- }
-
- $metaflat = '$metadata[' . var_export($spentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';';
-
- $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($spentityid);
- $metaBuilder->addMetadataSP20($metaArray);
- $metaBuilder->addOrganizationInfo($metaArray);
- $metaBuilder->addContact('technical', array(
- 'emailAddress' => $config->getString('technicalcontact_email', NULL),
- 'name' => $config->getString('technicalcontact_name', NULL),
- ));
- $metaxml = $metaBuilder->getEntityDescriptorText();
-
- /* Sign the metadata if enabled.
*/
- $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $spmeta->toArray(), 'SAML 2 SP');
-
- if (array_key_exists('output', $_REQUEST) && $_REQUEST['output'] == 'xhtml') {
- $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
- $t->data['header'] = 'saml20-sp';
- $t->data['metadata'] = htmlspecialchars($metaxml);
- $t->data['metadataflat'] = htmlspecialchars($metaflat);
- $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
- $t->show();
-
- } else {
- header('Content-Type: application/xml');
-
- echo $metaxml;
- exit(0);
- }
-
-
-
-
-} catch(Exception $exception) {
-
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-
-}
-
diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php
deleted file mode 100644
index ab1fd6874390fca97191e4665ed573db0fe785f0..0000000000000000000000000000000000000000
--- a/www/shib13/sp/AssertionConsumerService.php
+++ /dev/null
@@ -1,125 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-
-SimpleSAML_Logger::warning('The file shib13/sp/AssertionConsumerService.php is deprecated and will be removed in future versions.');
-
-$session = SimpleSAML_Session::getSessionFromRequest();
-
-
-/**
- * Finish login operation.
- *
- * This helper function finishes a login operation and redirects the user back to the page which
- * requested the login.
- *
- * @param array $authProcState The state of the authentication process.
- */
-function finishLogin($authProcState) {
- assert('is_array($authProcState)');
- assert('array_key_exists("Attributes", $authProcState)');
- assert('array_key_exists("core:shib13-sp:NameID", $authProcState)');
- assert('array_key_exists("core:shib13-sp:SessionIndex", $authProcState)');
- assert('array_key_exists("core:shib13-sp:TargetURL", $authProcState)');
- assert('array_key_exists("Source", $authProcState)');
- assert('array_key_exists("entityid", $authProcState["Source"])');
-
- $authData = array(
- 'Attributes' => $authProcState['Attributes'],
- 'saml:sp:NameID' => $authProcState['core:shib13-sp:NameID'],
- 'saml:sp:SessionIndex' => $authProcState['core:shib13-sp:SessionIndex'],
- 'saml:sp:IdP' => $authProcState['Source']['entityid'],
- );
-
- global $session;
- $session->doLogin('shib13', $authData);
-
- SimpleSAML_Utilities::redirectTrustedURL($authProcState['core:shib13-sp:TargetURL']);
-}
-
-
-SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Accessing Shibboleth 1.3 SP endpoint AssertionConsumerService');
-
-if (!$config->getBoolean('enable.shib13-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-if (array_key_exists(SimpleSAML_Auth_ProcessingChain::AUTHPARAM, $_REQUEST)) {
- /* We have returned from the authentication processing filters.
*/
-
- $authProcId = $_REQUEST[SimpleSAML_Auth_ProcessingChain::AUTHPARAM];
-
- // sanitize the input
- $sid = SimpleSAML_Utilities::parseStateID($authProcId);
- if (!is_null($sid['url'])) {
- SimpleSAML_Utilities::checkURLAllowed($sid['url']);
- }
-
- $authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
- finishLogin($authProcState);
-}
-
-if (empty($_POST['SAMLResponse']))
- throw new SimpleSAML_Error_Error('ACSPARAMS', $exception);
-
-try {
-
- $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
- $binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
- $authnResponse = $binding->decodeResponse($_POST);
-
- $authnResponse->validate();
-
- /* Successfully authenticated. */
-
- $idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote');
-
- SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']);
-
-
- SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] .
' NA');
-
-
- $relayState = $authnResponse->getRelayState();
- if (!isset($relayState)) {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
- }
-
- $spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted');
-
- /* Begin module attribute processing */
- $pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp');
-
- $authProcState = array(
- 'core:shib13-sp:NameID' => $authnResponse->getNameID(),
- 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(),
- 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState),
- 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(),
- 'Attributes' => $authnResponse->getAttributes(),
- 'Destination' => $spmetadata,
- 'Source' => $idpmetadata,
- );
-
- $pc->processState($authProcState);
- /* Since this function returns, processing has completed and attributes have
- * been updated.
- */
-
- finishLogin($authProcState);
-
-} catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
-}
-
-
-?>
\ No newline at end of file
diff --git a/www/shib13/sp/idpdisco.php b/www/shib13/sp/idpdisco.php
deleted file mode 100644
index 85822edd00f6d9e68da06da3d714375a63b7303b..0000000000000000000000000000000000000000
--- a/www/shib13/sp/idpdisco.php
+++ /dev/null
@@ -1,29 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-SimpleSAML_Logger::warning('The file shib13/sp/idpdisco.php is deprecated and will be removed in future versions.');
-
-try {
- $discoHandler = new SimpleSAML_XHTML_IdPDisco(array('shib13-idp-remote'), 'shib13');
-} catch (Exception $exception) {
- /* An error here should be caused by invalid query parameters. */
- throw new SimpleSAML_Error_Error('DISCOPARAMS', $exception);
-}
-
-try {
- $discoHandler->handleRequest();
-} catch(Exception $exception) {
- /* An error here should be caused by metadata. */
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-?>
\ No newline at end of file
diff --git a/www/shib13/sp/initSSO.php b/www/shib13/sp/initSSO.php
deleted file mode 100644
index 2cceb210e0aa6508fca6c0d22133a683902053ee..0000000000000000000000000000000000000000
--- a/www/shib13/sp/initSSO.php
+++ /dev/null
@@ -1,110 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
-SimpleSAML_Logger::warning('The file shib13/sp/initSSO.php is deprecated and will be removed in future versions.');
-
-$session = SimpleSAML_Session::getSessionFromRequest();
-
-
-/*
- * Incomming URL parameters
- *
- * idpentityid optional The entityid of the wanted IdP to authenticate with. If not provided will use default.
- * spentityid optional The entityid of the SP config to use. If not provided will use default to host.
- * RelayState required Where to send the user back to after authentication.
- *
- */
-
-SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Accessing Shib 1.3 SP initSSO script');
-
-if (!$config->getBoolean('enable.shib13-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-
-try {
-
- $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $config->getString('default-shib13-idp', NULL) ;
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted');
-
- if($idpentityid === NULL) {
- /* We are going to need the SP metadata to determine which IdP discovery service we should use. */
- $spmetadata = $metadata->getMetaDataCurrent('shib13-sp-hosted');
- }
-
-
-} catch (Exception $exception) {
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-
-
-if (!isset($session) || !$session->isValid('shib13') ) {
-
- if ($idpentityid == null) {
-
- SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: No chosen or default IdP, go to Shib13disco');
-
- /* Which IdP discovery service should we use? Can be set in SP metadata or in global configuration.
- * Falling back to builtin discovery service.
- */
- if(array_key_exists('idpdisco.url', $spmetadata)) {
- $discservice = $spmetadata['idpdisco.url'];
- } elseif($config->getString('idpdisco.url.shib13', NULL) !== NULL) {
- $discservice = $config->getString('idpdisco.url.shib13');
- } else {
- $discservice = '/' . $config->getBaseURL() . 'shib13/sp/idpdisco.php';
- }
-
- SimpleSAML_Utilities::redirectTrustedURL($discservice, array(
- 'entityID' => $spentityid,
- 'return' => SimpleSAML_Utilities::selfURL(),
- 'returnIDParam' => 'idpentityid',
- ));
- }
-
-
- try {
- $ar = new SimpleSAML_XML_Shib13_AuthnRequest();
- $ar->setIssuer($spentityid);
- if(isset($_GET['RelayState']))
- $ar->setRelayState(SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']));
-
- SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
-
- $url = $ar->createRedirect($idpentityid);
- SimpleSAML_Utilities::redirectTrustedURL($url);
-
- } catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
- }
-
-} else {
-
-
- $relaystate = $_GET['RelayState'];
-
- if (isset($relaystate) && !empty($relaystate)) {
- SimpleSAML_Logger::info('Shib1.3 - SP.initSSO: Already Authenticated, Go back to RelayState');
- SimpleSAML_Utilities::redirectUntrustedURL($relaystate);
- } else {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
- }
-
-}
-
-
-
-
-?>
\ No newline at end of file
diff --git a/www/shib13/sp/metadata.php b/www/shib13/sp/metadata.php
deleted file mode 100644
index 4f3d2dbf4cad7a4bee6797ceeb8eb7bad0728915..0000000000000000000000000000000000000000
--- a/www/shib13/sp/metadata.php
+++ /dev/null
@@ -1,111 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-/* Load simpleSAMLphp, configuration and metadata */
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
-SimpleSAML_Logger::warning('The file shib13/sp/metadata.php is deprecated and will be removed in future versions.');
-
-if (!$config->getBoolean('enable.shib13-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-/* Check if valid local session exists.. */
-if ($config->getBoolean('admin.protectmetadata', false)) {
- SimpleSAML_Utilities::requireAdmin();
-}
-
-
-try {
-
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted');
- $spmeta = $metadata->getMetaDataConfig($spentityid, 'shib13-sp-hosted');
-
- $metaArray = array(
- 'metadata-set' => 'shib13-sp-remote',
- 'entityid' => $spentityid,
- 'AssertionConsumerService' => $metadata->getGenerated('AssertionConsumerService', 'shib13-sp-hosted'),
- );
-
- $certInfo = SimpleSAML_Utilities::loadPublicKey($spmeta);
- if ($certInfo !== NULL && array_key_exists('certData', $certInfo)) {
- $metaArray['certData'] = $certInfo['certData'];
- }
-
- $metaArray['NameIDFormat'] = $spmeta->getString('NameIDFormat', 'urn:mace:shibboleth:1.0:nameIdentifier');
-
- if ($spmeta->hasValue('OrganizationName')) {
- $metaArray['OrganizationName'] = $spmeta->getLocalizedString('OrganizationName');
- $metaArray['OrganizationDisplayName'] = $spmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
-
- if (!$spmeta->hasValue('OrganizationURL')) {
- throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
- }
- $metaArray['OrganizationURL'] = $spmeta->getLocalizedString('OrganizationURL');
- }
-
- if
($spmeta->hasValue('attributes')) {
- $metaArray['attributes'] = $spmeta->getArray('attributes');
- }
- if ($spmeta->hasValue('attributes.NameFormat')) {
- $metaArray['attributes.NameFormat'] = $spmeta->getString('attributes.NameFormat');
- }
- if ($spmeta->hasValue('name')) {
- $metaArray['name'] = $spmeta->getLocalizedString('name');
- }
- if ($spmeta->hasValue('description')) {
- $metaArray['description'] = $spmeta->getLocalizedString('description');
- }
-
-
- $metaflat = '$metadata[' . var_export($spentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';';
-
- if ($spmeta->hasValue('certificate')) {
- $metaArray['certificate'] = $spmeta->getString('certificate');
- }
- $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($spentityid);
- $metaBuilder->addMetadataSP11($metaArray);
- $metaBuilder->addOrganizationInfo($metaArray);
- $metaBuilder->addContact('technical', array(
- 'emailAddress' => $config->getString('technicalcontact_email', NULL),
- 'name' => $config->getString('technicalcontact_name', NULL),
- ));
- $metaxml = $metaBuilder->getEntityDescriptorText();
-
- /* Sign the metadata if enabled. */
- $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $spmeta->toArray(), 'Shib 1.3 SP');
-
- if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
- $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
- $t->data['header'] = 'shib13-sp';
- $t->data['metadata'] = htmlspecialchars($metaxml);
- $t->data['metadataflat'] = htmlspecialchars($metaflat);
- $t->data['metaurl'] = SimpleSAML_Utilities::addURLparameter(SimpleSAML_Utilities::selfURLNoQuery(), array('output' => 'xml'));
- $t->show();
-
- } else {
-
- header('Content-Type: application/xml');
-
- echo $metaxml;
- exit(0);
- }
-
-
-
-} catch(Exception $exception) {
-
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-
-}
-
-?>
\ No newline at end of file
diff --git a/www/wsfed/sp/idpdisco.php b/www/wsfed/sp/idpdisco.php
deleted file mode 100644
index f48f9c9ea534b591be80ce1fbba34bfac3d201dd..0000000000000000000000000000000000000000
--- a/www/wsfed/sp/idpdisco.php
+++ /dev/null
@@ -1,29 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-SimpleSAML_Logger::warning('The file wsfed/sp/idpdisco.php is deprecated and will be removed in future versions.');
-
-try {
- $discoHandler = new SimpleSAML_XHTML_IdPDisco(array('wsfed-idp-remote'), 'wsfed');
-} catch (Exception $exception) {
- /* An error here should be caused by invalid query parameters. */
- throw new SimpleSAML_Error_Error('DISCOPARAMS', $exception);
-}
-
-try {
- $discoHandler->handleRequest();
-} catch(Exception $exception) {
- /* An error here should be caused by metadata. */
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-?>
\ No newline at end of file
diff --git a/www/wsfed/sp/initSLO.php b/www/wsfed/sp/initSLO.php
deleted file mode 100644
index a30e294c97f800a6d2a07dda276e530ccf992499..0000000000000000000000000000000000000000
--- a/www/wsfed/sp/initSLO.php
+++ /dev/null
@@ -1,71 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-
-SimpleSAML_Logger::warning('The file wsfed/sp/initSLO.php is deprecated and will be removed in future versions.');
-
-$session = SimpleSAML_Session::getSessionFromRequest();
-
-SimpleSAML_Logger::info('WS-Fed - SP.initSLO: Accessing WS-Fed SP initSLO script');
-
-if (!$config->getBoolean('enable.wsfed-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-
-if (isset($_REQUEST['RelayState'])) {
- $returnTo = SimpleSAML_Utilities::checkURLAllowed($_REQUEST['RelayState']);
-} else {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
-}
-
-
-if (isset($session) ) {
-
- try {
-
- $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
- $idpentityid = $session->getAuthData('wsfed', 'saml:sp:IdP');
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
-
- /**
- * Create a logout request
- */
-
- $session->doLogout('wsfed');
-
- SimpleSAML_Logger::info('WS-Fed - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
-
- $idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
-
- SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
- 'wa' => 'wsignout1.0',
- 'wct' => gmdate('Y-m-d\TH:i:s\Z', time()),
- 'wtrealm' => $spentityid,
- 'wctx' => $returnTo
- ));
-
-
- } catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
- }
-
-} else {
-
- SimpleSAML_Logger::info('WS-Fed - SP.initSLO: User is already logged out. Go back to relaystate');
- SimpleSAML_Utilities::redirectTrustedURL($returnTo);
-
-}
-
-
-?>
\ No newline at end of file
diff --git a/www/wsfed/sp/initSSO.php b/www/wsfed/sp/initSSO.php
deleted file mode 100644
index 0b95bf237dd8b34bc895532e6bf0599f8ad4ee4a..0000000000000000000000000000000000000000
--- a/www/wsfed/sp/initSSO.php
+++ /dev/null
@@ -1,75 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-/**
- * WS-Federation/ADFS PRP protocol support for simpleSAMLphp.
- *
- * The initSSO handler relays an internal request from a simpleSAMLphp
- * Service Provider as a WS-Federation Resource Partner using the Passive
- * Requestor Profile (PRP) to an Account Partner.
- *
- * @author Hans Zandbelt, SURFnet BV. <hans.zandbelt@surfnet.nl>
- * @package simpleSAMLphp
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
-SimpleSAML_Logger::warning('The file wsfed/sp/initSSO.php is deprecated and will be removed in future versions.');
-
-SimpleSAML_Logger::info('WS-Fed - SP.initSSO: Accessing WS-Fed SP initSSO script');
-
-if (!$config->getBoolean('enable.wsfed-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-if (empty($_GET['RelayState'])) {
- throw new SimpleSAML_Error_Error('NORELAYSTATE');
-}
-
-try {
-
- $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $config->getString('default-wsfed-idp', NULL);
- $spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID('wsfed-sp-hosted');
-
-} catch (Exception $exception) {
- throw new SimpleSAML_Error_Error('METADATA', $exception);
-}
-
-if ($idpentityid == null) {
-
- SimpleSAML_Logger::info('WS-Fed - SP.initSSO: No chosen or default IdP, go to WSFeddisco');
-
- SimpleSAML_Utilities::redirectTrustedURL('/' . $config->getBaseURL() . 'wsfed/sp/idpdisco.php', array(
- 'entityID' => $spentityid,
- 'return' => SimpleSAML_Utilities::selfURL(),
- 'returnIDParam' => 'idpentityid')
- );
-}
-
-try {
- $relaystate = SimpleSAML_Utilities::checkURLAllowed($_GET['RelayState']);
-
- $idpmeta = $metadata->getMetaData($idpentityid, 'wsfed-idp-remote');
- $spmeta = $metadata->getMetaData($spentityid, 'wsfed-sp-hosted');
-
- SimpleSAML_Utilities::redirectTrustedURL($idpmeta['prp'], array(
- 'wa' => 'wsignin1.0',
- 'wct' => gmdate('Y-m-d\TH:i:s\Z', time()),
- 'wtrealm' => $spentityid,
- 'wctx' => $relaystate
- ));
-
-} catch (Exception $exception) {
- throw new SimpleSAML_Error_Error('CREATEREQUEST', $exception);
-}
-
-?>
\ No newline at end of file
diff --git a/www/wsfed/sp/prp.php b/www/wsfed/sp/prp.php
deleted file mode 100644
index 57e5f23d5631190d8944d5551db09c888108e98e..0000000000000000000000000000000000000000
--- a/www/wsfed/sp/prp.php
+++ /dev/null
@@ -1,166 +0,0 @@
-<?php
-
-/**
- * WARNING:
- *
- * THIS FILE IS DEPRECATED AND WILL BE REMOVED IN FUTURE VERSIONS
- *
- * @deprecated
- */
-
-/**
- * WS-Federation/ADFS PRP protocol support for simpleSAMLphp.
- *
- * The AssertionConsumerService handler accepts responses from a WS-Federation
- * Account Partner using the Passive Requestor Profile (PRP) and handles it as
- * a Resource Partner. It receives a response, parses it and passes on the
- * authentication+attributes.
- *
- * @author Hans Zandbelt, SURFnet BV. <hans.zandbelt@surfnet.nl>
- * @package simpleSAMLphp
- */
-
-require_once('../../_include.php');
-
-$config = SimpleSAML_Configuration::getInstance();
-$session = SimpleSAML_Session::getSessionFromRequest();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
-SimpleSAML_Logger::warning('The file wsfed/sp/prp.php is deprecated and will be removed in future versions.');
-
-SimpleSAML_Logger::info('WS-Fed - SP.AssertionConsumerService: Accessing WS-Fed SP endpoint AssertionConsumerService');
-
-if (!$config->getBoolean('enable.wsfed-sp', false))
- throw new SimpleSAML_Error_Error('NOACCESS');
-
-if (!empty($_GET['wa']) and ($_GET['wa'] == 'wsignoutcleanup1.0')) {
- if (isset($session) && $session->isValid('wsfed')) {
- $session->doLogout('wsfed');
- }
- if (!empty($_GET['wreply'])) {
- SimpleSAML_Utilities::redirectUntrustedURL(urldecode($_GET['wreply']));
- }
- exit;
-}
-
-/* Make sure that the correct query parameters are passed to this script. */
-try {
- if (empty($_POST['wresult'])) {
- throw new Exception('Missing wresult parameter');
- }
- if (empty($_POST['wa'])) {
- throw new Exception('Missing wa parameter');
- }
- if (empty($_POST['wctx'])) {
- throw new Exception('Missing wctx parameter');
- }
-} catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('ACSPARAMS', $exception);
-}
-
-
-try {
-
- $wa = $_POST['wa'];
- $wresult = $_POST['wresult'];
- $wctx = $_POST['wctx'];
-
- /* Load and parse the XML. */
- $dom = new DOMDocument();
- /* Accommodate for MS-ADFS escaped quotes */
- $wresult = str_replace('\"', '"', $wresult);
- $dom->loadXML(str_replace ("\r", "", $wresult));
-
- $xpath = new DOMXpath($dom);
- $xpath->registerNamespace('wst', 'http://schemas.xmlsoap.org/ws/2005/02/trust');
- $xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
-
- /* Find the saml:Assertion element in the response. */
- $assertions = $xpath->query('/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken/saml:Assertion');
- if ($assertions->length === 0) {
- throw new Exception('Received a response without an assertion on the WS-Fed PRP handler.');
- }
- if ($assertions->length > 1) {
- throw new Exception('The WS-Fed PRP handler currently only supports a single assertion in a response.');
- }
- $assertion = $assertions->item(0);
-
- /* Find the entity id of the issuer. */
- $idpEntityId = $assertion->getAttribute('Issuer');
-
- /* Load the IdP metadata. */
- $idpMetadata = $metadata->getMetaData($idpEntityId, 'wsfed-idp-remote');
-
- /* Find the certificate used by the IdP. */
- if(array_key_exists('certificate', $idpMetadata)) {
- $certFile = SimpleSAML_Utilities::resolveCert($idpMetadata['certificate']);
- } else {
- throw new Exception('Missing \'certificate\' metadata option in the \'wsfed-idp-remote\' metadata' .
- ' for the IdP \'' . $idpEntityId . '\'.');
- }
-
- /* Load the certificate. */
- $certData = file_get_contents($certFile);
- if($certData === FALSE) {
- throw new Exception('Unable to load certificate file \'' . $certFile . '\' for wsfed-idp \'' .
- $idpEntityId . '\'.');
- }
-
- /* Verify that the assertion is signed by the issuer. */
- $validator = new SimpleSAML_XML_Validator($assertion, 'AssertionID', $certData);
- if(!$validator->isNodeValidated($assertion)) {
- throw new Exception('The assertion was not correctly signed by the WS-Fed IdP \'' .
- $idpEntityId . '\'.');
- }
-
- /* Check time constraints of contitions (if present). */
- foreach($xpath->query('./saml:Conditions', $assertion) as $condition) {
- $notBefore = $condition->getAttribute('NotBefore');
- $notOnOrAfter = $condition->getAttribute('NotOnOrAfter');
- if(!SimpleSAML_Utilities::checkDateConditions($notBefore, $notOnOrAfter)) {
- throw new Exception('The response has expired.');
- }
- }
-
-
- /* Extract the name identifier from the response. */
- $nameid = $xpath->query('./saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier', $assertion);
- if ($nameid->length === 0) {
- throw new Exception('Could not find the name identifier in the response from the WS-Fed IdP \'' .
- $idpEntityId . '\'.');
- }
- $nameid = array(
- 'Format' => $nameid->item(0)->getAttribute('Format'),
- 'Value' => $nameid->item(0)->textContent,
- );
-
-
- /* Extract the attributes from the response. */
- $attributes = array();
- $attributeValues = $xpath->query('./saml:AttributeStatement/saml:Attribute/saml:AttributeValue', $assertion);
- foreach($attributeValues as $attribute) {
- $name = $attribute->parentNode->getAttribute('AttributeName');
- $value = $attribute->textContent;
- if(!array_key_exists($name, $attributes)) {
- $attributes[$name] = array();
- }
- $attributes[$name][] = $value;
- }
-
-
- /* Mark the user as logged in. */
- $authData = array(
- 'Attributes' => $attributes,
- 'saml:sp:NameID' => $nameid,
- 'saml:sp:IdP' => $idpEntityId,
- );
- $session->doLogin('wsfed', $authData);
-
- /* Redirect the user back to the page which requested the login. */
- SimpleSAML_Utilities::redirectUntrustedURL($wctx);
-
-} catch(Exception $exception) {
- throw new SimpleSAML_Error_Error('PROCESSASSERTION', $exception);
-}
-
-?>
\ No newline at end of file