saml: Add authentication parameter support.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2000 44740490-163a-0410-bde0-09ae8108e29a

saml: Add authentication parameter support.
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2000 44740490-163a-0410-bde0-09ae8108e29a
9834a6e7 · Olav Morken · 865593da · 9834a6e7 · 9834a6e7
Commit 9834a6e7 authored 15 years ago by Olav Morken
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -9,11 +9,43 @@ Metadata

 The metadata for your SP will be available from the federation page on your simpleSAMLphp installation.

+Options
+-------
+
+These are options that can be used at runtime to control the authentication.
+All these options override the equivalent option from the configuration.
+
+`saml:AuthnContextClassRef`
+:   The AuthnContextClassRef that will be sent in the login request.
+
+:   *Note*: SAML 2 specific.
+
+
+`saml:ForceAuthn`
+:   Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:idp`
+:   The entity ID this SP should connect to.
+
+`saml:IsPassive`
+:   IsPassive allows you to enable passive authentication by default for this SP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:NameIDPolicy`
+:   The format of the NameID we request from the IdP.
+    Defaults to the transient format if unspecified.
+
+:   *Note*: SAML 2 specific.
+
+

 Examples
 --------

-Here we will list some example configurations for this authentication source.
+Here we will list some examples for this authentication source.

 ### Minimal

@@ -50,6 +82,12 @@ Here we will list some example configurations for this authentication source.
    ),


+### Requesting passive authentication
+
+$auth = new SimpleSAML_Auth_Simple('default-sp');
+$auth->login(array('saml:IsPassive' => TRUE));
+
+
 Options
 -------


--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -185,6 +185,27 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setRelayState($state['SimpleSAML_Auth_Default.ReturnURL']);
 		}

+		if (isset($state['saml:AuthnContextClassRef'])) {
+			$accr = SimpleSAML_Utilities::arrayize($state['saml:AuthnContextClassRef']);
+			$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
+		}
+
+		if (isset($state['saml:ForceAuthn'])) {
+			$ar->setForceAuthn((bool)$state['saml:ForceAuthn']);
+		}
+
+		if (isset($state['saml:IsPassive'])) {
+			$ar->setIsPassive((bool)$state['saml:IsPassive']);
+		}
+
+		if (isset($state['saml:NameIDPolicy'])) {
+			$ar->setNameIdPolicy(array(
+				'Format' => (string)$state['saml:NameIDPolicy'],
+				'AllowCreate' => TRUE,
+			));
+		}
+
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);

@@ -263,12 +284,18 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		/* We are going to need the authId in order to retrieve this authentication source later. */
 		$state['saml:sp:AuthId'] = $this->authId;

-		if ($this->idp === NULL) {
+		$idp = $this->idp;
+
+		if (isset($state['saml:idp'])) {
+			$idp = (string)$state['saml:idp'];
+		}
+
+		if ($idp === NULL) {
 			$this->startDisco($state);
 			assert('FALSE');
 		}

-		$this->startSSO($this->idp, $state);
+		$this->startSSO($idp, $state);
 		assert('FALSE');
 	}