Skip to content
Snippets Groups Projects
Commit c1c2c004 authored by Olav Morken's avatar Olav Morken
Browse files

Support authentication source modules.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@810 44740490-163a-0410-bde0-09ae8108e29a
parent 13384dde
Branches
Tags
No related merge requests found
<?php
$config = array(
'example-static' => array(
'exampleauth:Static',
'uid' => 'testuser',
'eduPersonAffiliation' => array('member', 'employee'),
'cn' => array('Test User'),
),
'example-userpass' => array(
'exampleauth:UserPass',
'student:studentpass' => array(
'uid' => 'student',
'eduPersonAffiliation' => array('member', 'student'),
),
'employee:employeepass' => array(
'uid' => 'employee',
'eduPersonAffiliation' => array('member', 'employee'),
),
),
);
?>
\ No newline at end of file
......@@ -1036,6 +1036,12 @@ $lang = array(
'nn' => 'Det er ein feil i spørringa etter denne sida. Grunnen til dette er %REASON%',
'en' => 'There is an error in the request to this page. The reason was: %REASON%',
),
'title_WRONGUSERPASS' => array (
'en' => 'Incorrect username or password',
),
'descr_WRONGUSERPASS' => array (
'en' => 'Either no user with the given username could be found, or the password you gave was wrong. Please check the username and try again.',
),
);
......
<?php
/**
* Implements the default behaviour for authentication.
*
* This class contains an implementation for default behaviour when authenticating. It will
* save the session information it got from the authentication client in the users session.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
class SimpleSAML_Auth_Default {
/**
* Start authentication.
*
* This function never returns.
*
* @param string $authId The identifier of the authentication source.
* @param string $returnURL The URL we should direct the user to after authentication.
* @param string|NULL $errorURL The URL we should direct the user to after failed authentication.
* Can be NULL, in which case a standard error page will be shown.
* @param array $hints Extra information about the login. Different authentication requestors may
* provide different information. Optional, will default to an empty array.
*/
public static function initLogin($authId, $returnURL, $errorURL = NULL, $hints = array()) {
assert('is_string($authId)');
assert('is_string($returnURL)');
assert('is_string($errorURL) || is_null($errorURL)');
assert('is_array($hints)');
$state = array(
'SimpleSAML_Auth_Default.id' => $authId,
'SimpleSAML_Auth_Default.ReturnURL' => $returnURL,
'SimpleSAML_Auth_Default.ErrorURL' => $errorURL,
'LoginCompletedHandler' => array(get_class(), 'loginCompleted'),
'LoginFailedHandler' => array(get_class(), 'loginFailed'),
);
if (array_key_exists('SPMetadata', $hints)) {
$state['SPMetadata'] = $hints['SPMetadata'];
}
if (array_key_exists('IdPMetadata', $hints)) {
$state['IdPMetadata'] = $hints['IdPMetadata'];
}
$as = SimpleSAML_Auth_Source::getById($authId);
if ($as === NULL) {
throw new Exception('Invalid authentication source: ' . $authId);
}
$as->authenticate($state);
self::loginCompleted($state);
}
/**
* Called when a login operation has finished.
*
* @param array $state The state after the login.
*/
public static function loginCompleted($state) {
assert('is_array($state)');
assert('array_key_exists("SimpleSAML_Auth_Default.ReturnURL", $state)');
assert('array_key_exists("SimpleSAML_Auth_Default.id", $state)');
assert('array_key_exists("Attributes", $state)');
$returnURL = $state['SimpleSAML_Auth_Default.ReturnURL'];
/* Save session state. */
$session = SimpleSAML_Session::getInstance();
$session->doLogin($state['SimpleSAML_Auth_Default.id']);
$session->setAttributes($state['Attributes']);
if(array_key_exists('Expires', $state)) {
$session->setSessionDuration($state['Expires'] - time());
}
/* Redirect... */
SimpleSAML_Utilities::redirect($returnURL);
}
/**
* Called when a login operation fails.
*
* @param array $state The state array.
* @param string $statusCode A status code, in the form of an URI, which indicates why the login failed.
* @param string $statusMessage A text which describes why the login failed.
*/
public static function loginFailed($state, $statusCode, $statusMessage) {
assert('is_array($state)');
assert('array_key_exists("SimpleSAML_Auth_Default.ErrorURL", $state)');
assert('is_string($statusCode)');
assert('is_string($statusMessage)');
$url = $state['SimpleSAML_Auth_Default.ErrorURL'];
if ($url === NULL) {
/* We don't have an error handler. Show an error page. */
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'RESPONSESTATUSNOSUCCESS',
new Exception('StatusCode = \'' . $statusCode . '\'; StatusMessage = \'' .
$statusMessage . '\';'));
}
$info = array('StatusCode' => $statusCode, 'StatusMessage' => $statusMessage);
/* Redirect... */
SimpleSAML_Utilities::redirect($url, $info);
}
}
?>
\ No newline at end of file
<?php
/**
* This class defines a base class for authentication source.
*
* An authentication source is any system which somehow authenticate the user.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
abstract class SimpleSAML_Auth_Source {
/**
* The authentication source identifier.
*
* This identifier can be used to look up this object, for example when returning from a login form.
*/
protected $authId;
/**
* Constructor for an authentication source.
*
* Any authentication source which implements its own constructor must call this
* constructor first.
*
* @param array $info Information about this authentication source.
* @param array &$config Configuration for this authentication source.
*/
public function __construct($info, &$config) {
assert('is_array($info)');
assert('is_array($config)');
assert('array_key_exists("AuthId", $info)');
$this->authId = $info['AuthId'];
}
/**
* Process a request.
*
* If an authentication source returns from this function, it is assumed to have
* authenticated the user, and should have set elements in $state with the attributes
* of the user.
*
* If the authentication process requires additional steps which make it impossible to
* complete before returning from this function, the authentication source should
* save the state, and at a later stage, load the state, update it with the authentication
* information about the user, and call completeAuth with the state array.
*
* @param array &$state Information about the current authentication.
*/
abstract public function authenticate(&$state);
/**
* Complete authentication.
*
* This function should be called if authentication has completed. It will never return,
* except in the case of exceptions. Exceptions thrown from this page should not be caught,
* but should instead be passed to the top-level exception handler.
*
* @param array &$state Information about the current authentication.
*/
public static function completeAuth(&$state) {
assert('is_array($state)');
assert('array_key_exists("LoginCompletedHandler", $state)');
SimpleSAML_Auth_State::deleteState($state);
$func = $state['LoginCompletedHandler'];
assert('is_callable($func)');
call_user_func($func, $state);
assert(FALSE);
}
/**
* Create authentication source object from configuration array.
*
* This function takes an array with the configuration for an authentication source object,
* and returns the object.
*
* @param string $authId The authentication source identifier.
* @param array $config The configuration.
* @return SimpleSAML_Auth_Source The parsed authentication source.
*/
private static function parseAuthSource($authId, $config) {
assert('is_string($authId)');
assert('is_array($config)');
if (!array_key_exists(0, $config) || !is_string($config[0])) {
throw new Exception('Invalid authentication source \'' . $authId .
'\': First element must be a string which identifies the authentication source.');
}
$className = SimpleSAML_Module::resolveClass($config[0], 'Auth_Source',
'SimpleSAML_Auth_Source');
$info = array('AuthId' => $authId);
unset($config[0]);
return new $className($info, $config);
}
/**
* Retrieve authentication source.
*
* This function takes an id of an authentication source, and returns the
* AuthSource object.
*
* @param string $authId The authentication source identifier.
* @return SimpleSAML_Auth_Source|NULL The AuthSource object, or NULL if no authentication
* source with the given identifier is found.
*/
public static function getById($authId) {
assert('is_string($authId)');
/* For now - load and parse config file. */
$globalConfig = SimpleSAML_Configuration::getInstance();
$config = $globalConfig->copyFromBase('authsources', 'authsources.php');
$authConfig = $config->getValue($authId, NULL);
if ($authConfig === NULL) {
return NULL;
}
if (!is_array($authConfig)) {
throw new Exception('Invalid configuration for authentication source \'' . $authId . '\'.');
}
return self::parseAuthSource($authId, $authConfig);
}
}
?>
\ No newline at end of file
<?php
/**
* This is a helper class for saving and loading state information.
*
* The state must be an associative array. This class will add additional keys to this
* array. These keys will always start with 'SimpleSAML_Auth_State.'.
*
* It is also possible to add a restart URL to the state. If state information is lost, for
* example because it timed out, or the user loaded a bookmarked page, the loadState function
* will redirect to this URL. To use this, set $state[SimpleSAML_Auth_State::RESTART] to this
* URL.
*
* Both the saveState and the loadState function takes in a $stage parameter. This parameter is
* a security feature, and is used to prevent the user from taking a state saved one place and
* using it as input a different place.
*
* The $stage parameter must be a unique string. To maintain uniqueness, it must be on the form
* "<classname>.<identifier>" or "<module>:<identifier>".
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
class SimpleSAML_Auth_State {
/**
* The index in the state array which contains the identifier.
*/
const ID = 'SimpleSAML_Auth_State.id';
/**
* The index in the state array which contains the current stage.
*/
const STAGE = 'SimpleSAML_Auth_State.stage';
/**
* The index in the state array which contains the restart URL.
*/
const RESTART = 'SimpleSAML_Auth_State.restartURL';
/**
* Save the state.
*
* This function saves the state, and returns an id which can be used to
* retrieve it later. It will also update the $state array with the identifier.
*
* @param array &$state The login request state.
* @param string $stage The current stage in the login process.
* @return string Identifier which can be used to retrieve the state later.
*/
public static function saveState(&$state, $stage) {
assert('is_array($state)');
assert('is_string($stage)');
/* Save stage. */
$state[self::STAGE] = $stage;
if (!array_key_exists(self::ID, $state)) {
$state[self::ID] = SimpleSAML_Utilities::generateID();
}
$id = $state[self::ID];
/* Embed the restart URL in the state identifier, if it is available. */
if (array_key_exists(self::RESTART, $state)) {
assert('is_string($state[self::RESTART])');
$return = $id . ':' . $state[self::RESTART];
} else {
$return = $id;
}
$serializedState = serialize($state);
$session = SimpleSAML_Session::getInstance();
$session->setData('SimpleSAML_Auth_State', $id, $serializedState, 60*60);
return $return;
}
/**
* Retrieve saved state.
*
* This function retrieves saved state information. If the state information has been lost,
* it will attempt to restart the request by calling the restart URL which is embedded in the
* state information. If there is no restart information available, an exception will be thrown.
*
* @param string $id State identifier (with embedded restart information).
* @param string $stage The stage the state should have been saved in.
* @return array State information.
*/
public static function loadState($id, $stage) {
assert('is_string($id)');
assert('is_string($stage)');
$tmp = explode(':', $id, 2);
$id = $tmp[0];
if (count($tmp) === 2) {
$restartURL = $tmp[1];
} else {
$restartURL = NULL;
}
$session = SimpleSAML_Session::getInstance();
$state = $session->getData('SimpleSAML_Auth_State', $id);
if ($state === NULL) {
/* Could not find saved data. Attempt to restart. */
if ($restartURL === NULL) {
throw new Exception('State information lost, and no way to restart the request.');
}
SimpleSAML_Utilities::redirect($restartURL);
}
$state = unserialize($state);
assert('is_array($state)');
assert('array_key_exists(self::ID, $state)');
assert('array_key_exists(self::STAGE, $state)');
/* Verify stage. */
if ($state[self::STAGE] !== $stage) {
/* This could be a user trying to bypass security, but most likely it is just
* someone using the back-button in the browser. We try to restart the
* request if that is possible. If not, show an error.
*/
$msg = 'Wrong stage in state. Was \'' . $state[self::STAGE] .
'\', shoud be \'' . $stage . '\'.';
SimpleSAML_Logger::warning($msg);
if ($restartURL === NULL) {
throw new Exception($msg);
}
SimpleSAML_Utilities::redirect($restartURL);
}
return $state;
}
/**
* Delete state.
*
* This function deletes the given state to prevent the user from reusing it later.
*
* @param array &$state The state which should be deleted.
*/
public static function deleteState(&$state) {
assert('is_array($state)');
if (!array_key_exists(self::ID, $state)) {
/* This state hasn't been saved. */
return;
}
$session = SimpleSAML_Session::getInstance();
$session->deleteData('SimpleSAML_Auth_State', $state[self::ID]);
}
}
?>
\ No newline at end of file
<?php
/**
* Helper class for username/password authentication.
*
* This helper class allows for implementations of username/password authentication by
* implementing a single function: login($username, $password)
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
abstract class sspmod_core_Auth_UserPassBase extends SimpleSAML_Auth_Source {
/**
* The string used to identify our states.
*/
const STAGEID = 'sspmod_core_Auth_UserPassBase.state';
/**
* The key of the AuthId field in the state.
*/
const AUTHID = 'sspmod_core_Auth_UserPassBase.AuthId';
/**
* Constructor for this authentication source.
*
* All subclasses who implement their own constructor must call this constructor before
* using $config for anything.
*
* @param array $info Information about this authentication source.
* @param array &$config Configuration for this authentication source.
*/
public function __construct($info, &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
}
/**
* Initialize login.
*
* This function saves the information about the login, and redirects to a
* login page.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state) {
assert('is_array($state)');
/* We are going to need the authId in order to retrieve this authentication source later. */
$state[self::AUTHID] = $this->authId;
$id = SimpleSAML_Auth_State::saveState($state, self::STAGEID);
$url = SimpleSAML_Module::getModuleURL('core/loginuserpass.php');
SimpleSAML_Utilities::redirect($url, array('AuthState' => $id));
}
/**
* Attempt to log in using the given username and password.
*
* On a successful login, this function should return the users attributes. On failure,
* it should throw an exception/error. If the error was caused by the user entering the wrong
* username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
*
* Note that both the username and the password are UTF-8 encoded.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the user's attributes.
*/
abstract protected function login($username, $password);
/**
* Handle login request.
*
* This function is used by the login form (core/www/loginuserpass.php) when the user
* enters a username and password. On success, it will not return. On wrong
* username/password failure, it will return the error code. Other failures will throw an
* exception.
*
* @param string $authStateId The identifier of the authentication state.
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return string Error code in the case of an error.
*/
public static function handleLogin($authStateId, $username, $password) {
assert('is_string($authStateId)');
assert('is_string($username)');
assert('is_string($password)');
/* Retrieve the authentication state. */
$state = SimpleSAML_Auth_State::loadState($authStateId, self::STAGEID);
/* Find authentication source. */
assert('array_key_exists(self::AUTHID, $state)');
$source = SimpleSAML_Auth_Source::getById($state[self::AUTHID]);
if ($source === NULL) {
throw new Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
}
try {
/* Attempt to log in. */
$attributes = $source->login($username, $password);
} catch (SimpleSAML_Error_Error $e) {
/* An error occured during login. Check if it is because of the wrong
* username/password - if it is, we pass that error up to the login form,
* if not, we let the generic error handler deal with it.
*/
if ($e->getErrorCode() === 'WRONGUSERPASS') {
return 'WRONGUSERPASS';
}
/* Some other error occured. Rethrow exception and let the generic error
* handler deal with it.
*/
throw $e;
}
$state['Attributes'] = $attributes;
SimpleSAML_Auth_Source::completeAuth($state);
}
}
?>
\ No newline at end of file
<?php
$this->data['icon'] = 'lock.png';
$this->data['header'] = $this->t('{login:user_pass_header}');
if (strlen($this->data['username']) > 0) {
$this->data['autofocus'] = 'password';
} else {
$this->data['autofocus'] = 'username';
}
$this->includeAtTemplateBase('includes/header.php');
?>
<div id="content">
<?php
if ($this->data['errorcode'] !== NULL) {
?>
<div style="border-left: 1px solid #e8e8e8; border-bottom: 1px solid #e8e8e8; background: #f5f5f5">
<img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/bomb.png" style="float: left; margin: 15px " />
<h2><?php echo $this->t('{login:error_header}'); ?></h2>
<p><b><?php echo $this->t('{errors:title_' . $this->data['errorcode'] . '}'); ?></b></p>
<p><?php echo $this->t('{errors:descr_' . $this->data['errorcode'] . '}'); ?></p>
</div>
<?php
}
?>
<h2 style="break: both"><?php echo $this->t('{login:user_pass_header}'); ?></h2>
<p><?php echo $this->t('{login:user_pass_text}'); ?></p>
<form action="?" method="post" name="f">
<table>
<tr>
<td rowspan="2"><img src="/<?php echo $this->data['baseurlpath']; ?>resources/icons/pencil.png" alt="" /></td>
<td style="padding: .3em;"><?php echo $this->t('{login:username}'); ?></td>
<td><input type="text" id="username" tabindex="1" name="username" value="<?php echo htmlspecialchars($this->data['username']); ?>" /></td>
<td style="padding: .4em;" rowspan="2">
<input type="submit" tabindex="3" value="<?php echo $this->t('{login:login_button}'); ?>" />
</td>
</tr>
<tr>
<td style="padding: .3em;"><?php echo $this->t('{login:password}'); ?></td>
<td><input id="password" type="password" tabindex="2" name="password" /></td>
</tr>
</table>
<?php
foreach ($this->data['stateparams'] as $name => $value) {
echo('<input type="hidden" name="' . htmlspecialchars($name) . '" value="' . htmlspecialchars($value) . '" />');
}
?>
</form>
<?php
echo('<h2>' . $this->t('{login:help_header}') . '</h2>');
echo('<p>' . $this->t('{login:help_text}') . '</p>');
$this->includeAtTemplateBase('includes/footer.php');
?>
\ No newline at end of file
<?php
/**
* This page shows a username/password login form, and passes information from it
* to the sspmod_core_Auth_UserPassBase class, which is a generic class for
* username/password authentication.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
if (!array_key_exists('AuthState', $_REQUEST)) {
throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
if (array_key_exists('username', $_REQUEST)) {
$username = $_REQUEST['username'];
} else {
$username = '';
}
if (array_key_exists('password', $_REQUEST)) {
$password = $_REQUEST['password'];
} else {
$password = '';
}
if (!empty($username) || !empty($password)) {
/* Either username or password set - attempt to log in. */
$errorCode = sspmod_core_Auth_UserPassBase::handleLogin($authStateId, $username, $password);
} else {
$errorCode = NULL;
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:loginuserpass.php');
$t->data['stateparams'] = array('AuthState' => $authStateId);
$t->data['username'] = $username;
$t->data['errorcode'] = $errorCode;
$t->show();
exit();
?>
\ No newline at end of file
This file indicates that the default state of this module
is disabled. To enable, create a file named enable in the
same directory as this file.
<?php
/**
* Example authentication source.
*
* This class is an example authentication source which will always return a user with
* a static set of attributes.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
class sspmod_exampleauth_Auth_Source_Static extends SimpleSAML_Auth_Source {
/**
* The attributes we return.
*/
private $attributes;
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
/* Parse attributes. */
try {
$this->attributes = SimpleSAML_Utilities::parseAttributes($attributes);
} catch(Exception $e) {
throw new Exception('Invalid attributes for authentication source ' .
$this->authId . ': ' . $e->getMessage());
}
}
/**
* Log in using static attributes.
*
* @param array &$state Information about the current authentication.
*/
public function authenticate(&$state) {
assert('is_array($state)');
$state['Attributes'] = $this->attributes;
}
}
?>
\ No newline at end of file
<?php
/**
* Example authentication source - username & password.
*
* This class is an example authentication source which stores all username/passwords in an array,
* and authenticates users against this array.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
class sspmod_exampleauth_Auth_Source_UserPass extends sspmod_core_Auth_UserPassBase {
/**
* Our users, stored in an associative array. The key of the array is "<username>:<password>",
* while the value of each element is a new array with the attributes for each user.
*/
private $users;
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*/
public function __construct($info, $config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->users = array();
/* Validate and parse our configuration. */
foreach ($config as $userpass => $attributes) {
if (!is_string($userpass)) {
throw new Exception('Invalid <username>:<password> for authentication source ' .
$this->authId . ': ' . $userpass);
}
$userpass = explode(':', $userpass, 2);
if (count($userpass) !== 2) {
throw new Exception('Invalid <username>:<password> for authentication source ' .
$this->authId . ': ' . $userpass[0]);
}
$username = $userpass[0];
$password = $userpass[1];
try {
$attributes = SimpleSAML_Utilities::parseAttributes($attributes);
} catch(Exception $e) {
throw new Exception('Invalid attributes for user ' . $username .
' in authentication source ' . $this->authId . ': ' .
$e->getMessage());
}
$this->users[$username . ':' . $password] = $attributes;
}
}
/**
* Attempt to log in using the given username and password.
*
* On a successful login, this function should return the users attributes. On failure,
* it should throw an exception. If the error was caused by the user entering the wrong
* username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
*
* Note that both the username and the password are UTF-8 encoded.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the users attributes.
*/
protected function login($username, $password) {
assert('is_string($username)');
assert('is_string($password)');
$userpass = $username . ':' . $password;
if (!array_key_exists($userpass, $this->users)) {
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
return $this->users[$userpass];
}
}
?>
\ No newline at end of file
......@@ -144,7 +144,17 @@ if (isset($_GET['SAMLRequest'])) {
}
$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL;
/* Check whether we should authenticate with an AuthSource. Any time the auth-option matches a
* valid AuthSource, we assume that this is the case.
*/
if(SimpleSAML_Auth_Source::getById($idpmetadata['auth']) !== NULL) {
/* Authenticate with an AuthSource. */
$authSource = TRUE;
$authority = $idpmetadata['auth'];
} else {
$authSource = FALSE;
$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL;
}
/**
......@@ -175,13 +185,24 @@ if($needAuth && !$isPassive) {
$session->setAuthnRequest('saml2', $authId, $requestcache);
$redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
SimpleSAML_Utilities::redirect($authurl, array(
'RelayState' => $redirectTo,
'AuthId' => $authId,
'protocol' => 'saml2',
));
if($authSource) {
/* Authenticate with an AuthSource. */
$hints = array(
'SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'saml20-sp-remote'),
'IdPMetadata' => $idpmetadata,
);
SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, NULL, $hints);
} else {
$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
SimpleSAML_Utilities::redirect($authurl, array(
'RelayState' => $redirectTo,
'AuthId' => $authId,
'protocol' => 'saml2',
));
}
} elseif($needAuth) {
/* We have a passive request, but need authentication. Send back a response indicating that
......
......@@ -96,7 +96,17 @@ if (isset($_GET['shire'])) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'SSOSERVICEPARAMS');
}
$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : null;
/* Check whether we should authenticate with an AuthSource. Any time the auth-option matches a
* valid AuthSource, we assume that this is the case.
*/
if(SimpleSAML_Auth_Source::getById($idpmetadata['auth']) !== NULL) {
/* Authenticate with an AuthSource. */
$authSource = TRUE;
$authority = $idpmetadata['auth'];
} else {
$authSource = FALSE;
$authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : NULL;
}
/*
* As we have passed the code above, we have an accociated request that is already processed.
......@@ -113,14 +123,24 @@ if (!$session->isAuthenticated($authority) ) {
$session->setAuthnRequest('shib13', $authId, $requestcache);
$redirectTo = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($authId);
$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
SimpleSAML_Utilities::redirect($authurl, array(
'RelayState' => $redirectTo,
'AuthId' => $authId,
'protocol' => 'shib13',
));
if($authSource) {
/* Authenticate with an AuthSource. */
$hints = array(
'SPMetadata' => $metadata->getMetaData($requestcache['Issuer'], 'shib13-sp-remote'),
'IdPMetadata' => $idpmetadata,
);
SimpleSAML_Auth_Default::initLogin($idpmetadata['auth'], $redirectTo, NULL, $hints);
} else {
$authurl = '/' . $config->getBaseURL() . $idpmetadata['auth'];
SimpleSAML_Utilities::redirect($authurl, array(
'RelayState' => $redirectTo,
'AuthId' => $authId,
'protocol' => 'shib13',
));
}
/*
* We got an request, and we hav a valid session. Then we send an AuthenticationResponse back to the
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment