From 9834a6e75423d093c50e95492da32d33266e6b7b Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 18 Nov 2009 08:15:40 +0000
Subject: [PATCH] saml: Add authentication parameter support.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2000 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/saml/docs/sp.txt            | 40 ++++++++++++++++++++++++++++-
 modules/saml/lib/Auth/Source/SP.php | 31 ++++++++++++++++++++--
 2 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/modules/saml/docs/sp.txt b/modules/saml/docs/sp.txt
index 621193e7b..f89440bfd 100644
--- a/modules/saml/docs/sp.txt
+++ b/modules/saml/docs/sp.txt
@@ -9,11 +9,43 @@ Metadata
 
 The metadata for your SP will be available from the federation page on your simpleSAMLphp installation.
 
+Options
+-------
+
+These are options that can be used at runtime to control the authentication.
+All these options override the equivalent option from the configuration.
+
+`saml:AuthnContextClassRef`
+:   The AuthnContextClassRef that will be sent in the login request.
+
+:   *Note*: SAML 2 specific.
+
+
+`saml:ForceAuthn`
+:   Force authentication allows you to force re-authentication of users even if the user has a SSO session at the IdP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:idp`
+:   The entity ID this SP should connect to.
+
+`saml:IsPassive`
+:   IsPassive allows you to enable passive authentication by default for this SP.
+
+:   *Note*: SAML 2 specific.
+
+`saml:NameIDPolicy`
+:   The format of the NameID we request from the IdP.
+    Defaults to the transient format if unspecified.
+
+:   *Note*: SAML 2 specific.
+
+
 
 Examples
 --------
 
-Here we will list some example configurations for this authentication source.
+Here we will list some examples for this authentication source.
 
 ### Minimal
 
@@ -50,6 +82,12 @@ Here we will list some example configurations for this authentication source.
     ),
 
 
+### Requesting passive authentication
+
+$auth = new SimpleSAML_Auth_Simple('default-sp');
+$auth->login(array('saml:IsPassive' => TRUE));
+
+
 Options
 -------
 
diff --git a/modules/saml/lib/Auth/Source/SP.php b/modules/saml/lib/Auth/Source/SP.php
index 8a8b58ed3..ab3c73b5c 100644
--- a/modules/saml/lib/Auth/Source/SP.php
+++ b/modules/saml/lib/Auth/Source/SP.php
@@ -185,6 +185,27 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 			$ar->setRelayState($state['SimpleSAML_Auth_Default.ReturnURL']);
 		}
 
+		if (isset($state['saml:AuthnContextClassRef'])) {
+			$accr = SimpleSAML_Utilities::arrayize($state['saml:AuthnContextClassRef']);
+			$ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr));
+		}
+
+		if (isset($state['saml:ForceAuthn'])) {
+			$ar->setForceAuthn((bool)$state['saml:ForceAuthn']);
+		}
+
+		if (isset($state['saml:IsPassive'])) {
+			$ar->setIsPassive((bool)$state['saml:IsPassive']);
+		}
+
+		if (isset($state['saml:NameIDPolicy'])) {
+			$ar->setNameIdPolicy(array(
+				'Format' => (string)$state['saml:NameIDPolicy'],
+				'AllowCreate' => TRUE,
+			));
+		}
+
+
 		$id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
 		$ar->setId($id);
 
@@ -263,12 +284,18 @@ class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
 		/* We are going to need the authId in order to retrieve this authentication source later. */
 		$state['saml:sp:AuthId'] = $this->authId;
 
-		if ($this->idp === NULL) {
+		$idp = $this->idp;
+
+		if (isset($state['saml:idp'])) {
+			$idp = (string)$state['saml:idp'];
+		}
+
+		if ($idp === NULL) {
 			$this->startDisco($state);
 			assert('FALSE');
 		}
 
-		$this->startSSO($this->idp, $state);
+		$this->startSSO($idp, $state);
 		assert('FALSE');
 	}
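Review bot: The runtime override on `$idp = (string)$state['saml:idp'];` silently replaces an IdP that the administrator pinned in the source configuration, so an SP deployed with a fixed `idp` can be pointed at any other entity ID by whichever code builds the state array. Unless that bypass is intended, reject the conflict before the discovery branch: `if ($this->idp !== NULL && $idp !== $this->idp) { throw new SimpleSAML_Error_Exception('Cannot override the configured IdP with saml:idp.'); }`. Whether startSSO() later validates the entity ID against the trusted metadata set is not visible in this hunk; if it does not, an unknown entity ID should be rejected there as well rather than passed through. The enclosing method starts outside this hunk.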
 
-- 
GitLab