From 2e69124c9a266d41daf6a8e93dcad4b04e8842d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no> Date: Fri, 15 Feb 2008 08:11:36 +0000 Subject: [PATCH] Improvement to debuglogging logging in general, handling of illegal input to saml interfaces, improved error handling, better language support, collected all error messages in one dictionary file. +++ git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@308 44740490-163a-0410-bde0-09ae8108e29a --- dictionaries/error_CACHEAUTHNREQUEST.php | 8 --- dictionaries/error_CREATEREQUEST.php | 8 --- dictionaries/error_DISCOPARAMS.php | 8 --- dictionaries/error_GENERATEAUTHNRESPONSE.php | 8 --- dictionaries/error_LDAPERROR.php | 8 --- dictionaries/error_LOGOUTREQUEST.php | 9 --- dictionaries/error_LOGOUTRESPONSE.php | 8 --- dictionaries/error_METADATA.php | 8 --- dictionaries/error_NOACCESS.php | 8 --- dictionaries/error_NORELAYSTATE.php | 8 --- dictionaries/error_NOSESSION.php | 12 ---- dictionaries/error_PROCESSASSERTION.php | 8 --- dictionaries/error_PROCESSAUTHNREQUEST.php | 8 --- dictionaries/error_SSOSERVICEPARAMS.php | 8 --- dictionaries/errors.php | 54 ++++++++++++++++ lib/SimpleSAML/Auth/LDAP.php | 11 +++- lib/SimpleSAML/Logger.php | 2 +- lib/SimpleSAML/Session.php | 17 +++++ lib/SimpleSAML/Utilities.php | 4 +- lib/SimpleSAML/XHTML/Template.php | 10 ++- templates/default/en/error.php | 20 +++--- templates/default/en/status.php | 66 ++++++++++---------- templates/default/includes/footer.php | 2 +- www/example-simple/saml2-example.php | 57 +++++++++++------ www/saml2/idp/SingleLogoutService.php | 13 +++- www/saml2/sp/AssertionConsumerService.php | 3 + www/saml2/sp/SingleLogoutService.php | 3 + www/shib13/idp/SSOService.php | 10 +-- www/shib13/sp/AssertionConsumerService.php | 3 + 29 files changed, 201 insertions(+), 191 deletions(-) delete mode 100644 dictionaries/error_CACHEAUTHNREQUEST.php delete mode 100644 dictionaries/error_CREATEREQUEST.php delete mode 100644 dictionaries/error_DISCOPARAMS.php delete mode 100644 
dictionaries/error_GENERATEAUTHNRESPONSE.php delete mode 100644 dictionaries/error_LDAPERROR.php delete mode 100644 dictionaries/error_LOGOUTREQUEST.php delete mode 100644 dictionaries/error_LOGOUTRESPONSE.php delete mode 100644 dictionaries/error_METADATA.php delete mode 100644 dictionaries/error_NOACCESS.php delete mode 100644 dictionaries/error_NORELAYSTATE.php delete mode 100644 dictionaries/error_NOSESSION.php delete mode 100644 dictionaries/error_PROCESSASSERTION.php delete mode 100644 dictionaries/error_PROCESSAUTHNREQUEST.php delete mode 100644 dictionaries/error_SSOSERVICEPARAMS.php create mode 100644 dictionaries/errors.php diff --git a/dictionaries/error_CACHEAUTHNREQUEST.php b/dictionaries/error_CACHEAUTHNREQUEST.php deleted file mode 100644 index 00a7b3fde..000000000 --- a/dictionaries/error_CACHEAUTHNREQUEST.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error making single sign-on to service', - 'descr' => 'You can authenticated and are ready to be sent back to the service that requested authentication, but we could not find your cached authentication request. The request is only cached for a limited amount of time. If you leaved your browser open for hours before entering your username and password, this could be one possible explaination. If this could be the case in your situation, try to go back to the service you want to access, and start a new login process. If this issue continues, please report the problem.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_CREATEREQUEST.php b/dictionaries/error_CREATEREQUEST.php deleted file mode 100644 index e6ff68139..000000000 --- a/dictionaries/error_CREATEREQUEST.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error creating request', - 'descr' => 'An error occured when trying to create the SAML request.' - ) -); \ No newline at end of file 
diff --git a/dictionaries/error_DISCOPARAMS.php b/dictionaries/error_DISCOPARAMS.php deleted file mode 100644 index 2c714f258..000000000 --- a/dictionaries/error_DISCOPARAMS.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Bad request to discovery service', - 'descr' => 'The parameters sent to the discovery service were not following the specification.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_GENERATEAUTHNRESPONSE.php b/dictionaries/error_GENERATEAUTHNRESPONSE.php deleted file mode 100644 index 365459c2a..000000000 --- a/dictionaries/error_GENERATEAUTHNRESPONSE.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Could not create authentication response', - 'descr' => 'When this identity provider tried to create an authentication response, an error occured.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_LDAPERROR.php b/dictionaries/error_LDAPERROR.php deleted file mode 100644 index 28d36170d..000000000 --- a/dictionaries/error_LDAPERROR.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'LDAP Error', - 'descr' => 'LDAP is the user database, and when you try to login, we need to contact an LDAP database. When we tried it this time an error occured.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_LOGOUTREQUEST.php b/dictionaries/error_LOGOUTREQUEST.php deleted file mode 100644 index 69ad2f52d..000000000 --- a/dictionaries/error_LOGOUTREQUEST.php +++ /dev/null @@ -1,9 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error processing Logout Request', - 'descr' => 'An error occured when trying to process the Logout Request.' - - ) -); \ No newline at end of file diff --git a/dictionaries/error_LOGOUTRESPONSE.php b/dictionaries/error_LOGOUTRESPONSE.php deleted file mode 100644 index 1ae382aec..000000000 --- a/dictionaries/error_LOGOUTRESPONSE.php +++ /dev/null 
@@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error processing Logout Response', - 'descr' => 'An error occured when trying to process the Logout Response.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_METADATA.php b/dictionaries/error_METADATA.php deleted file mode 100644 index beac8c36a..000000000 --- a/dictionaries/error_METADATA.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error loading metadata', - 'descr' => 'There is some misconfiguration of your simpleSAMLphp installation. If you are the administrator of this service, you should make sure your metadata configuration is correctly setup.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_NOACCESS.php b/dictionaries/error_NOACCESS.php deleted file mode 100644 index 4181fd00e..000000000 --- a/dictionaries/error_NOACCESS.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'No Access', - 'descr' => 'This endpoint is not enabled. Check the enable options in your configuration of simpleSAMLphp.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_NORELAYSTATE.php b/dictionaries/error_NORELAYSTATE.php deleted file mode 100644 index 01f5786fe..000000000 --- a/dictionaries/error_NORELAYSTATE.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'No RelayState', - 'descr' => 'The initiator of this request did not provide an RelayState parameter, that tells where to go next.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_NOSESSION.php b/dictionaries/error_NOSESSION.php deleted file mode 100644 index cdb51dae3..000000000 --- a/dictionaries/error_NOSESSION.php +++ /dev/null 
@@ -1,12 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'No session found', - 'descr' => 'Unfortuneately we could not get your session. This could be because your browser do not support cookies, or cookies is disabled.' - ), - 'no' => array( - 'title' => 'Kunne ikke etablere sesjon', - 'descr' => 'Desverre kunne vi ikke etablere en sesjon for deg. Dette kan skyldes at din nettleser ikke støtter cookies, eller at cookies er slĂĄtt av.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_PROCESSASSERTION.php b/dictionaries/error_PROCESSASSERTION.php deleted file mode 100644 index 486605e90..000000000 --- a/dictionaries/error_PROCESSASSERTION.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error processing response from IdP', - 'descr' => 'We did not accept the response sent from the Identity Provider.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_PROCESSAUTHNREQUEST.php b/dictionaries/error_PROCESSAUTHNREQUEST.php deleted file mode 100644 index f0866cb55..000000000 --- a/dictionaries/error_PROCESSAUTHNREQUEST.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Error processing request from Service Provider', - 'descr' => 'This IdP received an authentication request from a service provider, but an error occured when trying to process the request.' - ) -); \ No newline at end of file diff --git a/dictionaries/error_SSOSERVICEPARAMS.php b/dictionaries/error_SSOSERVICEPARAMS.php deleted file mode 100644 index cdf071741..000000000 --- a/dictionaries/error_SSOSERVICEPARAMS.php +++ /dev/null @@ -1,8 +0,0 @@ -<?php - -$lang = array( - 'en' => array( - 'title' => 'Wrong parameters provided', - 'descr' => 'You must either provide a SAML Request message or a RequestID on this interface.' - ) -); \ No newline at end of file diff --git a/dictionaries/errors.php b/dictionaries/errors.php new file mode 100644 index 000000000..49a654a64 --- /dev/null 
+++ b/dictionaries/errors.php 
@@ -0,0 +1,54 @@ +<?php + +$lang = array( + 'en' => array( + 'title_CACHEAUTHNREQUEST' => 'Error making single sign-on to service', + 'descr_CACHEAUTHNREQUEST' => 'You can authenticated and are ready to be sent back to the service that requested authentication, but we could not find your cached authentication request. The request is only cached for a limited amount of time. If you leaved your browser open for hours before entering your username and password, this could be one possible explaination. If this could be the case in your situation, try to go back to the service you want to access, and start a new login process. If this issue continues, please report the problem.', + + 'title_CREATEREQUEST' => 'Error creating request', + 'descr_CREATEREQUEST' => 'An error occured when trying to create the SAML request.', + + 'title_DISCOPARAMS' => 'Bad request to discovery service', + 'descr_DISCOPARAMS' => 'The parameters sent to the discovery service were not following the specification.', + + 'title_GENERATEAUTHNRESPONSE' => 'Could not create authentication response', + 'descr_GENERATEAUTHNRESPONSE' => 'When this identity provider tried to create an authentication response, an error occured.', + + 'title_LDAPERROR' => 'LDAP Error', + 'descr_LDAPERROR' => 'LDAP is the user database, and when you try to login, we need to contact an LDAP database. When we tried it this time an error occured.', + + 'title_LOGOUTREQUEST' => 'Error processing Logout Request', + 'descr_LOGOUTREQUEST' => 'An error occured when trying to process the Logout Request.', + + 'title_LOGOUTRESPONSE' => 'Error processing Logout Response', + 'descr_LOGOUTRESPONSE' => 'An error occured when trying to process the Logout Response.', + + 'title_METADATA' => 'Error loading metadata', + 'descr_METADATA' => 'There is some misconfiguration of your simpleSAMLphp installation. 
If you are the administrator of this service, you should make sure your metadata configuration is correctly setup.', + + 'title_NOACCESS' => 'No access', + 'descr_NOACCESS' => 'This endpoint is not enabled. Check the enable options in your configuration of simpleSAMLphp.', + + 'title_NORELAYSTATE' => 'No RelayState', + 'descr_NORELAYSTATE' => 'The initiator of this request did not provide an RelayState parameter, that tells where to go next.', + + 'title_NOSESSION' => 'No session found', + 'descr_NOSESSION' => 'Unfortuneately we could not get your session. This could be because your browser do not support cookies, or cookies is disabled.', + + 'title_PROCESSASSERTION' => 'Error processing response from IdP', + 'descr_PROCESSASSERTION' => 'We did not accept the response sent from the Identity Provider.', + + 'title_PROCESSAUTHNRESPONSE' => 'Error processing request from Service Provider', + 'descr_PROCESSAUTHNRESPONSE' => 'This IdP received an authentication request from a service provider, but an error occured when trying to process the request.', + + 'title_SSOSERVICEPARAMS' => 'Wrong parameters provided', + 'descr_SSOSERVICEPARAMS' => 'You must either provide a SAML Request message or a RequestID on this interface.', + + 'title_SLOSERVICEPARAMS' => 'No SAML message provided', + 'descr_SLOSERVICEPARAMS' => 'You accessed the SingleLogoutService interface, but did not provide a SAML LogoutRequest or LogoutResponse.', + + 'title_ACSPARAMS' => 'No SAML response provided', + 'descr_ACSPARAMS' => 'You accessed the Assertion Consumer Service interface, but did not provide a SAML Authentication Response.' + ) + +); \ No newline at end of file diff --git a/lib/SimpleSAML/Auth/LDAP.php b/lib/SimpleSAML/Auth/LDAP.php index bfceb59ac..b26e4ba08 100644 --- a/lib/SimpleSAML/Auth/LDAP.php +++ b/lib/SimpleSAML/Auth/LDAP.php 
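Review bot: The key pair `title_PROCESSAUTHNRESPONSE` / `descr_PROCESSAUTHNRESPONSE` does not match the code that the deleted `error_PROCESSAUTHNREQUEST.php` served, and the text is still the "request from Service Provider" message, so a caller that presumably still passes `'PROCESSAUTHNREQUEST'` to fatalError() will now get the generic "simpleSAMLphp error" title and no description. The keys should read `'title_PROCESSAUTHNREQUEST' => ...` and `'descr_PROCESSAUTHNREQUEST' => ...`. The consolidation also drops the `'no'` block that `error_NOSESSION.php` carried, so the Norwegian NOSESSION text is lost unless it is re-added under a `'no'` key in this file. A header comment such as `// Keys are 'title_<ERRORCODE>' / 'descr_<ERRORCODE>'; error.php looks them up by the errorcode passed to fatalError()` would make the naming convention explicit for the next code that is added.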
@@ -2,6 +2,7 @@ require_once('SimpleSAML/Configuration.php'); require_once('SimpleSAML/Utilities.php'); +require_once('SimpleSAML/Logger.php'); /** * The LDAP class holds helper functions to access an LDAP database. @@ -43,6 +44,10 @@ class SimpleSAML_Auth_LDAP { public function searchfordn($searchbase, $searchattr, $searchvalue) { + + SimpleSAML_Logger::debug('Library - LDAP: Search for DN (base:' . + $searchbase . ' attr:' . $searchattr . ' value:' . $searchvalue . ')'); + // Search for ePPN $search = '(' . $searchattr . '=' . $searchvalue. ')'; $search_result = @ldap_search($this->ldap, $searchbase, $search); @@ -78,8 +83,10 @@ class SimpleSAML_Auth_LDAP { */ public function bind($dn, $password) { if (@ldap_bind($this->ldap, $dn, $password)) { + SimpleSAML_Logger::debug('Library - LDAP: Bind successfull with ' . $dn); return true; } + SimpleSAML_Logger::debug('Library - LDAP: Bind failed with ' . $dn); return false; } @@ -89,7 +96,7 @@ class SimpleSAML_Auth_LDAP { */ public function getAttributes($dn, $search) { - + SimpleSAML_Logger::debug('Library - LDAP: Get attributes from ' . $dn . ' (' . $search . ')'); $sr = @ldap_read($this->ldap, $dn, $search ); if ($sr === false) @@ -111,6 +118,8 @@ class SimpleSAML_Auth_LDAP { $attributes[$ldapentries[0][$i]] = $values; } + + SimpleSAML_Logger::debug('Library - LDAP: Found attributes (' . join(',', array_keys($attributes)) . ')'); return $attributes; } diff --git a/lib/SimpleSAML/Logger.php b/lib/SimpleSAML/Logger.php index 2a2cdb8ac..80555738e 100644 --- a/lib/SimpleSAML/Logger.php +++ b/lib/SimpleSAML/Logger.php @@ -100,7 +100,7 @@ class SimpleSAML_Logger { * get trackid, prefixes all logstrings */ $session = SimpleSAML_Session::getInstance(); - self::$trackid = $session->getTrackID(); + self::$trackid = (isset($session) ? $session->getTrackID() : 'NA'); /* If 'session.handler' is NULL or unset, then we want * to fall back to the default PHP session handler. 
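Review bot: The new debug line in searchfordn() logs `$searchvalue` raw, and the context line right below it still builds the filter as `'(' . $searchattr . '=' . $searchvalue . ')'` without escaping, so a value containing `*`, `(`, `)` or `\` alters the filter rather than being matched literally; the value should go through an LDAP filter escape (`ldap_escape($searchvalue, '', LDAP_ESCAPE_FILTER)` on PHP versions that provide it) before it reaches both the filter and the log line. In bind(), the failure branch records only the DN; appending the server's reason, `SimpleSAML_Logger::debug('Library - LDAP: Bind failed with ' . $dn . ': ' . ldap_error($this->ldap));`, lets an operator distinguish invalid credentials from an unreachable or misconfigured directory, which the `@`-suppressed `ldap_bind` otherwise hides. The bodies of searchfordn() and getAttributes() continue outside the hunk.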
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php index 2fa078b35..8cf5309f2 100644 --- a/lib/SimpleSAML/Session.php +++ b/lib/SimpleSAML/Session.php @@ -78,6 +78,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { $this->sessionduration = $configuration->getValue('session.duration'); $this->trackid = SimpleSAML_Utilities::generateTrackID(); + } @@ -161,6 +162,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { // *** *** *** *** *** *** *** *** *** *** *** public function add_sp_session($entityid) { + SimpleSAML_Logger::debug('Library - Session: Adding SP session: ' . $entityid); $this->sp_at_idpsessions[$entityid] = self::STATE_ONLINE; } @@ -191,6 +193,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { } public function set_sp_logout_completed($entityid) { + SimpleSAML_Logger::debug('Library - Session: Setting SP state completed for : ' . $entityid); $this->dirty = true; $this->sp_at_idpsessions[$entityid] = self::STATE_LOGGEDOUT; } @@ -272,6 +275,8 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { public function setIdP($idp) { + + SimpleSAML_Logger::debug('Library - Session: Set IdP to : ' . $idp); $this->dirty = true; $this->idp = $idp; } @@ -284,6 +289,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { public function setLogoutRequest($requestcache) { + SimpleSAML_Logger::debug('Library - Session: Adding LogoutRequest cache.'); $this->dirty = true; $this->logoutrequest = $requestcache; } @@ -297,6 +303,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { public function setSessionIndex($sessionindex) { + SimpleSAML_Logger::debug('Library - Session: Set sessionindex: ' . $sessionindex); $this->dirty = true; $this->sessionindex = $sessionindex; } 
@@ -304,6 +311,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { return $this->sessionindex; } public function setNameID($nameid) { + SimpleSAML_Logger::debug('Library - Session: Set nameID: '); $this->dirty = true; $this->nameid = $nameid; } @@ -313,6 +321,8 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { public function setAuthenticated($auth, $authority = null) { + SimpleSAML_Logger::debug('Library - Session: Set authenticated ' . ($auth ? 'yes': 'no'). ' authority:' . + (isset($authority) ? $authority : 'null')); $this->authority = $authority; $this->authenticated = $auth; @@ -322,6 +332,7 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { } public function setSessionDuration($duration) { + SimpleSAML_Logger::debug('Library - Session: Set session duration ' . $duration); $this->dirty = true; $this->sessionduration = $duration; } @@ -332,6 +343,12 @@ class SimpleSAML_Session implements SimpleSAML_ModifiedInfo { * This function will return false after the user has timed out. */ public function isValid($authority = null) { + SimpleSAML_Logger::debug('Library - Session: Check if session is valid.' . + ' checkauthority:' . (isset($authority) ? $authority : 'null') . + ' thisauthority:' . (isset($this->authority) ? $this->authority : 'null') . + ' isauthenticated:' . ($this->isAuthenticated() ? 'yes' : 'no') . + ' remainingtime:' . $this->remainingTime()); + if (!$this->isAuthenticated()) return false; if (!empty($authority) && ($authority != $this->authority) ) return false; return $this->remainingTime() > 0; diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php index ac6d1a2aa..f32f4a419 100644 --- a/lib/SimpleSAML/Utilities.php +++ b/lib/SimpleSAML/Utilities.php 
@@ -290,12 +290,14 @@ class SimpleSAML_Utilities { SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - UserError: ErrCode:'.(!empty($errorcode) ? $errorcode : 'na').': '.urlencode($emsg) ); $languagefile = null; - if (isset($errorcode)) $languagefile = 'error_' . $errorcode . '.php'; + if (isset($errorcode)) $languagefile = 'errors.php'; // Initialize a template $t = new SimpleSAML_XHTML_Template($config, 'error.php', $languagefile); + $t->data['errorcode'] = $errorcode; + $t->data['showerrors'] = $config->getValue('showerrors', true); $t->data['errorreportaddress'] = $config->getValue('errorreportaddress', null); diff --git a/lib/SimpleSAML/XHTML/Template.php b/lib/SimpleSAML/XHTML/Template.php index 2ccc13501..742882de3 100644 --- a/lib/SimpleSAML/XHTML/Template.php +++ b/lib/SimpleSAML/XHTML/Template.php @@ -92,8 +92,10 @@ class SimpleSAML_XHTML_Template { include($filebase . $file); } + /** + * Include language file from the dictionaries directory. + */ private function includeLanguageFile($file) { - $data = $this->data; $filebase = $this->configuration->getBaseDir() . $this->configuration->getValue('dictionarydir'); if (!file_exists($filebase . $file)) { @@ -115,7 +117,9 @@ class SimpleSAML_XHTML_Template { } } - + /** + * Show the template to the user. + */ public function show() { $data = $this->data; $filename = $this->configuration->getBaseDir() . $this->configuration->getValue('templatedir') . $this->getLanguage() . '/' . @@ -128,7 +132,7 @@ class SimpleSAML_XHTML_Template { if (!file_exists($filename)) { - SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']'); + SimpleSAML_Logger::critical($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']'); echo 'Fatal error: Could not find template file [' . $this->template . '] at [' . $filename . ']'; exit(0); 
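Review bot: `$t->data['showerrors'] = $config->getValue('showerrors', true);` makes detailed error output the default whenever the option is absent from the configuration, so a fresh or partially configured installation renders whatever the error template gates on that flag to anonymous visitors; defaulting to `false` and letting administrators opt in is the safer direction, `$t->data['showerrors'] = $config->getValue('showerrors', false);`. How error.php consumes the flag is outside this hunk, so the exact content exposed cannot be confirmed from here. A comment such as `// Hide error details unless showerrors is explicitly enabled in config` would document the intent.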
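Review bot: In show(), the context line `echo 'Fatal error: Could not find template file [' . $this->template . '] at [' . $filename . ']';` writes the absolute template path to the browser, while the new `SimpleSAML_Logger::critical(...)` line already records that path for the operator; the user-facing message can drop `$filename`, e.g. `echo 'Fatal error: Could not find template file [' . $this->template . ']';`. The `exit(0)` that follows reports success to the calling process after a critical failure; `exit(1)` would be accurate. show() continues outside the hunk.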
diff --git a/templates/default/en/error.php b/templates/default/en/error.php index 221b1ff8d..9f8f12f5a 100644 --- a/templates/default/en/error.php +++ b/templates/default/en/error.php @@ -5,13 +5,15 @@ ?> - <div id="content"> - - <h2><?php echo (isset($this->data['title']) ? $this->data['title'] : 'simpleSAMLphp error'); ?></h2> +<div id="content"> + + <h2><?php + echo (isset($this->data['title_' . $this->data['errorcode']]) ? $this->data['title_' . $this->data['errorcode']] : 'simpleSAMLphp error'); + ?></h2> <?php -if(array_key_exists('descr', $this->data)) { - echo '<p>' . $this->data['descr'] . '</p>'; +if(array_key_exists('descr_' . $this->data['errorcode'], $this->data)) { + echo '<p>' . $this->data['descr_' . $this->data['errorcode']] . '</p>'; } ?> @@ -77,10 +79,10 @@ if (!empty($this->data['errorreportaddress'])) { - <h2 style="clear: both">How to get help</h2> - - - <p>This error probably is due to some unexpected behaviour or to misconfiguration of simpleSAMLphp. Contact the administrator of this login service, and send them the error message above.</p> + <h2 style="clear: both">How to get help</h2> + + + <p>This error probably is due to some unexpected behaviour or to misconfiguration of simpleSAMLphp. Contact the administrator of this login service, and send them the error message above.</p> diff --git a/templates/default/en/status.php b/templates/default/en/status.php index da93738c1..dd9c13b01 100644 --- a/templates/default/en/status.php +++ b/templates/default/en/status.php 
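Review bot: `'title_' . $this->data['errorcode']` is spelled out three times in the `<h2>` expression and `'descr_' . $this->data['errorcode']` twice below it, which makes the lookup easy to get wrong when the key scheme changes; computing the keys once at the top of the template, `$titlekey = 'title_' . $this->data['errorcode']; $descrkey = 'descr_' . $this->data['errorcode'];`, and using `isset($this->data[$titlekey])` / `array_key_exists($descrkey, $this->data)` keeps the markup readable. The template also assumes `$this->data['errorcode']` is always set; that holds for the fatalError() path changed in this commit, but any other caller rendering error.php without it would trigger a notice, so an `isset` guard on that key is worth adding.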
@@ -1,43 +1,43 @@ <?php $this->includeAtTemplateBase('includes/header.php'); ?> - <div id="content"> +<div id="content"> - <h2><?php if (isset($data['header'])) { echo $data['header']; } else { echo "Some error occured"; } ?></h2> - - <p>Hi, this is the status page of simpleSAMLphp. Here you can see if your session is timed out, how long it lasts until it times out and all the attributes that is attached to your session.</p> - - <p><?php echo $data['valid']; ?>. Your session is valid for <?php echo $data['remaining']; ?> seconds from now.</p> - - <p>Session size: <?php echo isset($data['sessionsize']) ? $data['sessionsize'] : 'na'; ?> - - <h2>Your attributes</h2> + <h2><?php if (isset($data['header'])) { echo $data['header']; } else { echo "Some error occured"; } ?></h2> + + <p>Hi, this is the status page of simpleSAMLphp. Here you can see if your session is timed out, how long it lasts until it times out and all the attributes that is attached to your session.</p> + + <p>Your session is valid for <?php echo $data['remaining']; ?> seconds from now.</p> + + <p>Session size: <?php echo isset($data['sessionsize']) ? $data['sessionsize'] : 'na'; ?> + + <h2>Your attributes</h2> + + <table> + <?php - <table> - <?php - - $attributes = $data['attributes']; - foreach ($attributes AS $name => $value) { - if (sizeof($value) > 1) { - echo '<tr><td>' . htmlspecialchars($name) . '</td><td><ul>'; - foreach ($value AS $v) { - echo '<li>' . htmlspecialchars($v) . '</li>'; - } - echo '</ul></td></tr>'; - } else { - echo '<tr><td>' . htmlspecialchars($name) . '</td><td>' . htmlspecialchars($value[0]) . '</td></tr>'; + $attributes = $data['attributes']; + foreach ($attributes AS $name => $value) { + if (sizeof($value) > 1) { + echo '<tr><td>' . htmlspecialchars($name) . '</td><td><ul>'; + foreach ($value AS $v) { + echo '<li>' . htmlspecialchars($v) . '</li>'; } + echo '</ul></td></tr>'; + } else { + echo '<tr><td>' . htmlspecialchars($name) . '</td><td>' . 
htmlspecialchars($value[0]) . '</td></tr>'; } - - ?> - </table> + } + + ?> + </table> - <h2>Logout</h2> + <h2>Logout</h2> - <p><?php echo $data['logout']; ?></p> - - <h2>About simpleSAMLphp</h2> - <p>Hey! This simpleSAMLphp thing is pretty cool, where can I read more about it? - You can find more information about simpleSAMLphp at <a href="http://rnd.feide.no">the Feide RnD blog</a> over at <a href="http://uninett.no">UNINETT</a>.</p> - + <p><?php echo $data['logout']; ?></p> + + <h2>About simpleSAMLphp</h2> + <p>Hey! This simpleSAMLphp thing is pretty cool, where can I read more about it? + You can find more information about simpleSAMLphp at <a href="http://rnd.feide.no">the Feide RnD blog</a> over at <a href="http://uninett.no">UNINETT</a>.</p> + <?php $this->includeAtTemplateBase('includes/footer.php'); ?> \ No newline at end of file diff --git a/templates/default/includes/footer.php b/templates/default/includes/footer.php index 4cb1ec8d9..7cdc13c9a 100644 --- a/templates/default/includes/footer.php +++ b/templates/default/includes/footer.php @@ -1,6 +1,6 @@ <hr /> - Copyright © 2007 <a href="http://rnd.feide.no/">Feide RnD</a> + Copyright © 2007-2008 <a href="http://rnd.feide.no/">Feide RnD</a> <hr /> diff --git a/www/example-simple/saml2-example.php b/www/example-simple/saml2-example.php index 394cc9f97..c483c0eb1 100644 --- a/www/example-simple/saml2-example.php +++ b/www/example-simple/saml2-example.php 
@@ -1,25 +1,48 @@ <?php +/** + * The _include script sets simpleSAMLphp libraries in the PHP PATH, as well as + * initialize the simpleSAMLphp config class with the correct path. + */ require_once('../_include.php'); +/** + * We need to load a few classes from simpleSAMLphp. These are available because + * the _include script above did set the PHP class PATH properly. + */ require_once('SimpleSAML/Utilities.php'); require_once('SimpleSAML/Session.php'); -require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php'); require_once('SimpleSAML/XHTML/Template.php'); /* Load simpleSAMLphp, configuration and metadata */ $config = SimpleSAML_Configuration::getInstance(); -$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); -$session = SimpleSAML_Session::getInstance(true); +$session = SimpleSAML_Session::getInstance(TRUE); -/* Check if valid local session exists.. */ -if (!isset($session) || !$session->isValid('saml2') ) { +/** + * Check if valid local session exists, and the authority is the SAML 2.0 SP + * part of simpleSAMLphp. If the currenct session is not valid, the user is + * redirected to the initSSO.php script. This script will send the user to + * a SAML 2.0 IdP with an authentication request, and thereafter the user + * will be asked at the SAML 2.0 IdP to authenticate. You add one important + * parameter when you send the user to the initSSO script, the RelayState. + * The RelayState URL is the URL that you want to send the user to after + * authentication is complete - and usually you want to send the user back + * to this very page. To get the URL of the current page we use the selfURL() + * helper function. + * + * When the user is complete authenticating at the IdP, the user will be sent + * back to the AssertionConsumerService.php script in simpleSAMLphp. The assertion + * is validated, and if trusted, the user's session is set to be valid, and the user + * is redirected back to the RelayState URL. 
And then the user is here again, but + * authenticated, and therefore passes the if sentence below, and moves on to + * retrieving attributes from the session. + */ +if (!$session->isValid('saml2') ) { SimpleSAML_Utilities::redirect( - '/' . $config->getValue('baseurlpath') . - 'saml2/sp/initSSO.php', + '/' . $config->getValue('baseurlpath') . 'saml2/sp/initSSO.php', array('RelayState' => SimpleSAML_Utilities::selfURL()) - ); + ); } $attributes = $session->getAttributes(); @@ -34,18 +57,16 @@ $attributes = $session->getAttributes(); * */ -$et = new SimpleSAML_XHTML_Template($config, 'status.php'); +$t = new SimpleSAML_XHTML_Template($config, 'status.php'); -$et->data['header'] = 'SAML 2.0 SP Demo Example'; -$et->data['remaining'] = $session->remainingTime(); -$et->data['sessionsize'] = $session->getSize(); -$et->data['attributes'] = $attributes; -$et->data['valid'] = $session->isValid() ? 'Session is valid' : 'Session is invalid'; - $et->data['icon'] = 'bino.png'; -$et->data['logout'] = '<p>[ <a href="/' . $config->getValue('baseurlpath') . 'saml2/sp/initSLO.php?RelayState=/' . +$t->data['header'] = 'SAML 2.0 SP Demo Example'; +$t->data['remaining'] = $session->remainingTime(); +$t->data['sessionsize'] = $session->getSize(); +$t->data['attributes'] = $attributes; +$t->data['icon'] = 'bino.png'; +$t->data['logout'] = '<p>[ <a href="/' . $config->getValue('baseurlpath') . 'saml2/sp/initSLO.php?RelayState=/' . $config->getValue('baseurlpath') . 'logout.html">Logout</a> ]'; - -$et->show(); +$t->show(); ?> \ No newline at end of file diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php index d49a080a3..a265542b1 100644 --- a/www/saml2/idp/SingleLogoutService.php +++ b/www/saml2/idp/SingleLogoutService.php 
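Review bot: The rewritten guard `if (!$session->isValid('saml2') )` drops the `!isset($session)` check the old line had, while the same commit adds `isset($session) ? $session->getTrackID() : null` in www/saml2/idp/SingleLogoutService.php, which suggests `SimpleSAML_Session::getInstance()` can still return null. If `getInstance(TRUE)` does not guarantee a non-null return, this example now fails with a method call on null instead of redirecting to initSSO.php; keeping `if (!isset($session) || !$session->isValid('saml2'))` costs nothing. Whether the `TRUE` argument rules out the null case is not visible from this hunk.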
@@ -28,12 +28,16 @@ $config = SimpleSAML_Configuration::getInstance(); $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $session = SimpleSAML_Session::getInstance(); -$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); - SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService'); if (!$config->getValue('enable.saml20-idp', false)) - SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS'); + SimpleSAML_Utilities::fatalError(isset($session) ? $session->getTrackID() : null, 'NOACCESS'); + +try { + $idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted'); +} catch (Exception $exception) { + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception); +} /** @@ -147,6 +151,9 @@ if (isset($_GET['SAMLRequest'])) { $session->set_sp_logout_completed($loginresponse->getIssuer()); SimpleSAML_Logger::notice('SAML2.0 - IDP.SingleLogoutService: got LogoutResponse from ' . $loginresponse->getIssuer()); +} else { + + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS'); } diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php index 13fad5ce9..b864958ee 100644 --- a/www/saml2/sp/AssertionConsumerService.php +++ b/www/saml2/sp/AssertionConsumerService.php @@ -34,6 +34,9 @@ SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2 if (!$config->getValue('enable.saml20-sp', false)) SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS'); +if (empty($_POST['SAMLResponse'])) + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'ACSPARAMS', $exception); + try { diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php index e88e25f6b..008602216 100644 --- a/www/saml2/sp/SingleLogoutService.php +++ b/www/saml2/sp/SingleLogoutService.php 
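Review bot: The `NOACCESS` call now guards against a null session with `isset($session) ? $session->getTrackID() : null`, but the new `catch (Exception $exception)` block a few lines later calls `$session->getTrackID()` unguarded, so a metadata failure on a request without a session becomes a fatal call on null instead of the intended METADATA error page; the catch should use the same guarded form, `SimpleSAML_Utilities::fatalError(isset($session) ? $session->getTrackID() : null, 'METADATA', $exception);`. The same unguarded pattern appears in the new catch block of www/shib13/idp/SSOService.php.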
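Review bot: The added line `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'ACSPARAMS', $exception);` passes `$exception` before anything has assigned it — presumably it is only bound in a later `catch`, which is outside this hunk — so PHP raises an undefined-variable notice and the error page receives null; drop the third argument: `SimpleSAML_Utilities::fatalError($session->getTrackID(), 'ACSPARAMS');`. The same copy appears in the new lines of www/shib13/sp/AssertionConsumerService.php. A comment such as `// Reject requests without a SAMLResponse (e.g. a plain GET to this URL) before any parsing` would explain why this check sits ahead of the try block.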
@@ -101,6 +101,9 @@ if (isset($_GET['SAMLRequest'])) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NORELAYSTATE'); } +} else { + + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SLOSERVICEPARAMS'); } diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php index 3d50db4b2..db38d9d01 100644 --- a/www/shib13/idp/SSOService.php +++ b/www/shib13/idp/SSOService.php @@ -28,9 +28,6 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); $session = SimpleSAML_Session::getInstance(true); -$idpentityid = $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted'); -$idpmetadata = $metadata->getMetaDataCurrent('shib13-idp-hosted'); - $requestid = null; SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService'); @@ -38,7 +35,12 @@ SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP if (!$config->getValue('enable.shib13-idp', false)) SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS'); - +try { + $idpentityid = $metadata->getMetaDataCurrentEntityID('shib13-idp-hosted'); + $idpmetadata = $metadata->getMetaDataCurrent('shib13-idp-hosted'); +} catch (Exception $exception) { + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception); +} /* * If the shire query parameter is set, we got an incomming Authentication Request diff --git a/www/shib13/sp/AssertionConsumerService.php b/www/shib13/sp/AssertionConsumerService.php index 675172a28..68bb7fd1e 100644 --- a/www/shib13/sp/AssertionConsumerService.php +++ b/www/shib13/sp/AssertionConsumerService.php 
@@ -21,6 +21,9 @@ SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Accessing Shibbo if (!$config->getValue('enable.shib13-sp', false)) SimpleSAML_Utilities::fatalError($session->getTrackID(), 'NOACCESS'); +if (empty($_POST['SAMLResponse'])) + SimpleSAML_Utilities::fatalError($session->getTrackID(), 'ACSPARAMS', $exception); + try { $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler(); -- GitLab