Adding login CAS authentication module

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@398 44740490-163a-0410-bde0-09ae8108e29a

Adding login CAS authentication module
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@398 44740490-163a-0410-bde0-09ae8108e29a
285bfee0 · Andreas Åkre Solberg · 0c3d72d4 · 285bfee0 · 285bfee0 · 285bfee0
Commit 285bfee0 authored 17 years ago by Andreas Åkre Solberg
--- a/config-templates/cas-ldap.php
+++ b/config-templates/cas-ldap.php
+<?php
+/* 
+ * The configuration of simpleSAMLphp
+ * 
+ * 
+ */
+
+$casldapconfig = array (
+	'idpentityid.example.org' => array(
+		'cas' => array(
+			'login' => 'https://idpentityid.example.org/cas/login',
+			'validate' => 'https://idpentityid.example.org/cas/validate',
+		),
+		'ldap' => array(
+			'servers' => 'idpentityid.example.org',
+			'enable_tls' => false,
+			'searchbase' => 'dc=example,dc=org',
+			'searchattributes' => 'uid',
+			'attributes' => array('cn', 'mail'),
+		),
+	),
+	'idpentityid2.example.org' => array(
+		'cas' => array(
+			'login' => 'https://idpentityid2.example.org/login',
+			'validate' => 'https://idpentityid2.example.org/validate',
+		),
+		'ldap' => array(
+			'servers' => 'ldap://idpentityid2.example.org',
+			'enable_tls' => false,
+			'searchbase' => 'ou=users,dc=example,dc=org',
+			'searchattributes' => array('uid', 'mail'), # array for being able to login with either uid or mail.
+			'attributes' => null,
+			'priv_user_dn' => 'uid=admin,ou=users,dc=example,dc=org',
+			'priv_user_pw' => 'xxxxx',
+		),
+	),
+
+);
+?>
\ No newline at end of file
--- a/config-templates/config.php
+++ b/config-templates/config.php
@@ -383,4 +383,4 @@ $config = array (
 );


-?>
\ No newline at end of file
+?>
--- a/dictionaries/errors.php
+++ b/dictionaries/errors.php
@@ -55,7 +55,11 @@ $lang = array(
 		'descr_SLOSERVICEPARAMS' => 'You accessed the SingleLogoutService interface, but did not provide a SAML LogoutRequest or LogoutResponse.',
 		
 		'title_ACSPARAMS' => 'No SAML response provided',
-		'descr_ACSPARAMS' => 'You accessed the Assertion Consumer Service interface, but did not provide a SAML Authentication Response.'
+		'descr_ACSPARAMS' => 'You accessed the Assertion Consumer Service interface, but did not provide a SAML Authentication Response.',
+		
+		'title_CASERROR' => 'CAS Error',
+		'descr_CASERROR' => 'Error when communicating with the CAS server.'
+
 	)

 );
\ No newline at end of file
--- a/docs/source/simplesamlphp-idp.xml
+++ b/docs/source/simplesamlphp-idp.xml
@@ -7,7 +7,7 @@
  <articleinfo>
    <date>2007-10-15</date>

-    <pubdate>Thu Feb 28 11:22:45 2008</pubdate>
+    <pubdate>Tue Mar 11 20:59:28 2008</pubdate>

    <author>
      <firstname>Andreas Åkre</firstname>

--- a/docs/source/simplesamlphp-install.xml
+++ b/docs/source/simplesamlphp-install.xml
@@ -7,7 +7,7 @@
  <articleinfo>
    <date>2007-08-30</date>

-    <pubdate>Sat Mar 8 22:44:07 2008</pubdate>
+    <pubdate>Tue Mar 11 21:00:08 2008</pubdate>

    <author>
      <firstname>Andreas Åkre</firstname>

--- a/docs/source/simplesamlphp-sp.xml
+++ b/docs/source/simplesamlphp-sp.xml
@@ -7,7 +7,7 @@
  <articleinfo>
    <date>2007-10-15</date>

-    <pubdate>Wed Mar 5 15:38:05 2008</pubdate>
+    <pubdate>Tue Mar 11 21:00:41 2008</pubdate>

    <author>
      <firstname>Andreas Åkre</firstname>

--- a/www/auth/login-cas-ldap.php
+++ b/www/auth/login-cas-ldap.php
+<?php
+
+/**
+ * This file is part of SimpleSAMLphp. See the file COPYING in the
+ * root of the distribution for licence information.
+ *
+ * This file implements authentication of users using CAS.
+ *
+ * @author Mads Freek, RUC. 
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+ 
+require_once('../../www/_include.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Session.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Auth/LDAP.php');
+require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php');
+
+$config = SimpleSAML_Configuration::getInstance();
+$session = SimpleSAML_Session::getInstance(TRUE);
+
+try {
+	$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
+	// TODO: Make this authentication module independent from SAML 2.0
+	$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
+	
+	$ldapconfigfile = $config->getBaseDir() . 'config/cas-ldap.php';
+	require_once($ldapconfigfile);
+	
+	if (!array_key_exists($idpentityid, $casldapconfig)) {
+		throw new Exception('No CAS authentication configuration for this SAML 2.0 entity ID [' . $idpentityid . ']');
+	}
+
+	$idpconfig = $casldapconfig[$idpentityid];
+	
+} catch (Exception $exception) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
+}
+
+/*
+ * Load the RelayState argument. The RelayState argument contains the address
+ * we should redirect the user to after a successful authentication.
+ */
+if (!array_key_exists('RelayState', $_REQUEST)) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE');
+}
+
+
+
+
+
+
+
+
+
+function casValidate($cas) {
+
+	$service = SimpleSAML_Utilities::selfURL();
+	$service = preg_replace("/(\?|&)?ticket=.*/", "", $service); # always tagged on by cas
+	
+	/**
+	 * Got response from CAS server.
+	 */
+	if (isset($_GET['ticket'])) {
+	
+		$ticket = urlencode($_GET['ticket']);
+	
+		#ini_set('default_socket_timeout', 15);
+		$result = file_get_contents($cas['validate'] . '?ticket=' . $ticket . '&service=' . urlencode($service) );
+		$res = preg_split("/\n/",$result);
+		
+		if (strcmp($res[0], "yes") == 0) {
+			return $res[1];
+		} else {
+			throw new Exception("Failed to validate CAS service ticket: $ticket");
+		}
+	
+	/**
+	 * First request, will redirect the user to the CAS server for authentication.
+	 */
+	} else {
+		SimpleSAML_Logger::info("AUTH - cas-ldap: redirecting to {$cas['login']}");
+		SimpleSAML_Utilities::redirect($cas['login'], array(
+			'renew' => 'true',
+			'service' => $service
+		));		
+	}
+}
+
+
+
+try {
+
+
+
+
+
+	$relaystate = $_REQUEST['RelayState'];
+
+	$username = casValidate($idpconfig['cas']);
+	SimpleSAML_Logger::info('AUTH - cas-ldap: '. $username . ' authenticated by ' . $idpconfig['cas']['validate']);
+	
+	
+	
+	/*
+	 * Connecting to LDAP.
+	 */
+	$ldap = new SimpleSAML_Auth_LDAP($idpconfig['ldap']['servers'], $idpconfig['ldap']['enable_tls']);
+	
+	if ($idpconfig['ldap']['priv_user_dn']) {
+	
+		if (!$ldap->bind($idpconfig['ldap']['priv_user_dn'], $idpconfig['ldap']['priv_user_pw']) ) {
+			throw new Exception('Could not bind with system user: ' . $idpconfig['ldap']['priv_user_dn']);
+		}
+	}
+	
+	/*
+	 * Search for user in LDAP.
+	 */
+	$dn = $ldap->searchfordn($idpconfig['ldap']['searchbase'], $idpconfig['ldap']['searchattributes'], $username);
+	
+	/*
+	 * Retrieve attributes from LDAP
+	 */
+	$attributes = $ldap->getAttributes($dn, $idpconfig['ldap']['attributes']);
+
+	
+	$session->setAuthenticated(true, 'login-cas-ldap');
+	$session->setAttributes($attributes);
+	
+	$session->setNameID(array(
+			'value' => SimpleSAML_Utilities::generateID(),
+			'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
+	SimpleSAML_Utilities::redirect($relaystate);
+
+} catch(Exception $exception) {
+	SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CASERROR', $exception);
+}
+
+
+?>
\ No newline at end of file