diff --git a/config/config-template.php b/config/config-template.php
index 5f34ed7625b7a495d51aa14641298476762b8562..1f47423124d14887e5c989c54193e5dec8e08a25 100644
--- a/config/config-template.php
+++ b/config/config-template.php
@@ -48,6 +48,14 @@ $config = array (
 'logging.facility' => LOG_LOCAL5,
 'logging.level' => LOG_NOTICE,
+
+ /**
+ * This password must be kept secret, and modified from the default value 123.
+ * This password will give access to the installation page of simpleSAMLphp with
+ * metadata listing and diagnostics pages.
+ */
+ 'auth.adminpassword' => '123',
+
 /*
 * Enable
 *
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 2e7b3e9da782cd4c5c22ef92bfedf92dde161aed..c1b05534c25d2c09b56ec1c2f0213098a20dbd5e 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -55,6 +55,8 @@ class SimpleSAML_Session {
 private $sp_at_idpsessions = array();
+ private $authority = null;
+
 // Session duration parameters
 private $sessionstarted = null;
 private $sessionduration = null;
@@ -66,7 +68,7 @@ class SimpleSAML_Session {
 /**
 * private constructor restricts instantiaton to getInstance()
 */
- private function __construct($protocol, $authenticated = true) {
+ private function __construct($authenticated = true) {
 $this->protocol = $protocol;
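Review bot: `'auth.adminpassword' => '123'` leaves every installation whose operator skips the comment with a known credential guarding the metadata listing and diagnostics pages this commit puts behind 'login-admin'. Prefer shipping a value the login check rejects, `'auth.adminpassword' => '',` with the comment stating that the admin pages stay unreachable until a password is set; the code that consumes this key is not part of the diff, so its handling of an empty value needs confirming. The literal 123 also appears in the comment text, so both should change together.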
@@ -112,14 +114,17 @@ class SimpleSAML_Session {
 }
 }
- public static function init($protocol, $authenticated = false) {
+ public static function init($authenticated = false, $authority = null) {
 $preinstance = self::getInstance();
 if (isset($preinstance)) {
- if (isset($authenticated)) $preinstance->setAuthenticated($authenticated);
+
+ $preinstance->clean();
+ if (isset($authenticated)) $preinstance->setAuthenticated($authenticated, $authority);
+
 } else {
- self::$instance = new SimpleSAML_Session($protocol, $authenticated);
+ self::$instance = new SimpleSAML_Session($authenticated, $authority);
 /* Save the new session with the session handler. */
 $sh = SimpleSAML_SessionHandler::getSessionHandler();
@@ -139,6 +144,14 @@ class SimpleSAML_Session {
 return $this->trackid;
 }
+ /**
+ * Who authorized this session. could be in example saml2, shib13, login,login-admin etc.
+ */
+ public function getAuthority() {
+ return $this->authority;
+ }
+
+
 // *** SP list to be used with SAML 2.0 SLO ***
 // *** *** *** *** *** *** *** *** *** *** ***
@@ -293,11 +306,14 @@ class SimpleSAML_Session {
 return $this->nameidformat;
 }
- public function setAuthenticated($auth) {
+ public function setAuthenticated($auth, $authority = null) {
 if ($auth === false) $this->dirty = false;
 if ($auth != $this->authenticated) $this->dirty = false;
+
+ $this->authority = $authority;
 $this->authenticated = $auth;
- if ($auth) {
+
+ if ($auth) {
 $this->sessionstarted = time();
 }
 }
@@ -313,8 +329,9 @@ class SimpleSAML_Session {
 * This function will return false after the user has timed out.
 */
- public function isValid() {
+ public function isValid($authority = null) {
 if (!$this->isAuthenticated()) return false;
+ if (!empty($authority) && ($authority != $this->authority) ) return false;
 return $this->remainingTime() > 0;
 }
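Review bot: `self::$instance = new SimpleSAML_Session($authenticated, $authority);` hands the authority to a constructor that, in the hunk above, now declares only `$authenticated`, so PHP silently discards the second argument and a freshly created session never records who authenticated it; that constructor body also still assigns `$this->protocol = $protocol` from a parameter that no longer exists. The constructor should accept and store the value, `private function __construct($authenticated = true, $authority = null) {` followed by `$this->authority = $authority;`. Separately, the new `$preinstance->clean();` resets an existing session on every init() call (per the clean() hunk it drops authnrequests, idp, authenticated and protocol), including the call in SimpleSAML_XML_SAML20_AuthnResponse::createSession(); if any caller relies on request state surviving that call, it is lost, which is worth confirming.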
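Review bot: `$this->authority = $authority;` is stored unconditionally, so `setAuthenticated(false, 'x')` records an authority on an unauthenticated session and a `setAuthenticated(true)` call from any caller not updated in this commit silently resets the authority to null, after which `isValid('saml2')` fails for that user without any error. Tying the field to the authentication state avoids both cases, `$this->authority = $auth ? $authority : null;`. The docblock should also state that `$authority` is the caller-chosen label later compared by isValid().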
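Review bot: `if (!empty($authority) && ($authority != $this->authority) ) return false;` gates on `empty()` and compares with loose `!=`, so an authority such as `'0'` is treated as "no requirement" and type juggling applies to the comparison; for an authorization check use strict identity, `if ($authority !== null && $authority !== $this->authority) return false;`. Note also that a null requirement — what www/saml2/idp/SSOService.php passes when the IdP metadata has no 'authority' key — accepts a session established by any authority, including 'login-admin'; the docblock above this method should say so, so operators know the key must be set to get the isolation this commit introduces.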
@@ -367,6 +384,8 @@ class SimpleSAML_Session {
 $this->authnrequests = array();
 $this->logoutrequest = null;
 $this->idp = null;
+
+ $this->authority = null;
 $this->authenticated = null;
 $this->protocol = null;
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
index b53a18e23ebc1c53ffd6b4ba4ba64f5dc8618247..aff068d20819c907fdb360ca470acb515a0fa45b 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php
@@ -104,22 +104,7 @@ class SimpleSAML_XML_SAML20_AuthnRequest {
 return $requestid;
 */
 }
- /*
- public function createSession() {
-
-
- $session = SimpleSAML_Session::getInstance();
-
- if (!isset($session)) {
- SimpleSAML_Session::init(self::PROTOCOL, null, false);
- $session = SimpleSAML_Session::getInstance();
- }
-
- $session->setAuthnRequest($this->getRequestID(), $this);
- return $session;
- }
- */
 public function generate($spentityid, $destination) {
 $md = $this->metadata->getMetaData($spentityid);
diff --git a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
index a40939327a54456f2ad521aef9dc35e1d89b82d3..4827da4a375e5cd2f784c5f4bf9643399b0b253f 100644
--- a/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/SAML20/AuthnResponse.php
@@ -138,8 +138,8 @@ class SimpleSAML_XML_SAML20_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 public function createSession() {
- //($protocol, $message = null, $authenticated = true) {
- SimpleSAML_Session::init(self::PROTOCOL, true);
+
+ SimpleSAML_Session::init(true, 'saml2');
 $session = SimpleSAML_Session::getInstance();
 $session->setAttributes($this->getAttributes());
diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index 98c24cbeb8646d25c124352f56c07817ef85bb84..8ba625a0a9e37e7a4e4846281e972524314d6a5e 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
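Review bot: `SimpleSAML_Session::init(true, 'saml2');` hard-codes the authority label that www/saml2/sp/initSSO.php and www/example-simple/saml2-example.php must repeat verbatim in `isValid('saml2')`, and the Shib13 AuthnResponse hunk does the same with 'shib13'; a typo in any one of them makes the check fail closed with no error. Defining the string once, e.g. `const AUTHORITY = 'saml2';` next to the `PROTOCOL` constant this call used to pass, and referencing it from the callers keeps them in step. The rest of createSession() is outside the hunk.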
@@ -180,7 +180,7 @@ class SimpleSAML_XML_Shib13_AuthnResponse extends SimpleSAML_XML_AuthnResponse {
 public function createSession() {
- SimpleSAML_Session::init(self::PROTOCOL, $this, true);
+ SimpleSAML_Session::init(true, 'shib13');
 $session = SimpleSAML_Session::getInstance();
 $session->setAttributes($this->getAttributes());
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index b1cdda863bf688894e81d9daac0153543abceac5..4f02d559ce78cc73992a98dab53597e2a5d28b8b 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -11,6 +11,15 @@ require_once('SimpleSAML/XHTML/Template.php');
 $config = SimpleSAML_Configuration::getInstance();
 $session = SimpleSAML_Session::getInstance();
+
+/* Check if valid local session exists.. */
+if (!isset($session) || !$session->isValid('login-admin') ) {
+ SimpleSAML_Utilities::redirect('/' . $config->getValue('baseurlpath') . 'auth/login-admin.php',
+ array('RelayState' => SimpleSAML_Utilities::selfURL())
+ );
+}
+
+
 try {
 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
@@ -48,7 +57,7 @@ try {
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
- array('requireconsent','request.signing')
+ array('requireconsent','request.signing', 'authority')
 );
 }
 $et->data['metadata.saml20-idp-hosted'] = $results;
@@ -98,7 +107,7 @@ try {
 foreach ($metalist AS $entityid => $mentry) {
 $results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
 array('entityid', 'host', 'privatekey', 'certificate', 'auth'),
- array('requireconsent')
+ array('requireconsent', 'authority')
 );
 }
 $et->data['metadata.shib13-idp-hosted'] = $results;
diff --git a/www/auth/login-auto.php b/www/auth/login-auto.php
index b2352c748fab156d28d3727a34588bdff816764f..49090cdcb7f01bc5bde9564e8cf1cc16cca56039 100644
--- a/www/auth/login-auto.php
+++ b/www/auth/login-auto.php
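Review bot: The new guard in www/admin/metadata.php calls `SimpleSAML_Utilities::redirect(...)` and then falls through into the `try` block that builds the metadata listing; unless redirect() terminates the script itself (its body is not in this diff), the page is still rendered and sent to the unauthenticated client, who can simply ignore the Location header. Add an explicit `exit;` after the `);` that closes the redirect call, and likewise in the identical guards added to www/example-simple/hostnames.php, www/index.php and www/saml2/idp/metadata.php. The redirect target auth/login-admin.php is not touched by this commit, so for these pages to become reachable it has to exist and call `setAuthenticated(true, 'login-admin')`, since isValid('login-admin') only passes when that label was stored on the session.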
@@ -86,7 +86,7 @@ if($session == NULL) {
 /* Set the user as authenticated and add the attributes from the
 * configuration. */
-$session->setAuthenticated(true);
+$session->setAuthenticated(true, 'login-auto');
 $session->setAttributes($attributes);
 /* Return the user to the page set in the RelayState parameter. */
diff --git a/www/auth/login-ldapmulti.php b/www/auth/login-ldapmulti.php
index 0171a5c589126184dd7f1692c724466d940de26a..a85f9ac98614e589c21d68f1f4aec9c51ec5c3ee 100644
--- a/www/auth/login-ldapmulti.php
+++ b/www/auth/login-ldapmulti.php
@@ -81,7 +81,7 @@ if (isset($_POST['username'])) {
 $logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'ldap-multi', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');
- $session->setAuthenticated(true);
+ $session->setAuthenticated(true, 'login-ldapmulti');
 $session->setAttributes($attributes);
 $session->setNameID(SimpleSAML_Utilities::generateID());
diff --git a/www/auth/login-radius.php b/www/auth/login-radius.php
index 4bb69ad5bdd801fe7a2333a6d587e14bf3737589..f8488d512de0d5e64edf3cbb3f9540ff71299c90 100644
--- a/www/auth/login-radius.php
+++ b/www/auth/login-radius.php
@@ -78,7 +78,7 @@ if (isset($_POST['username'])) {
 $logger->log(LOG_NOTICE, $session->getTrackID(), 'AUTH', 'radius', 'OK', $_POST['username'], $_POST['username'] . ' successfully authenticated');
- $session->setAuthenticated(true);
+ $session->setAuthenticated(true, 'login-radius');
 $session->setAttributes($attributes);
 $returnto = $_REQUEST['RelayState'];
diff --git a/www/auth/login.php b/www/auth/login.php
index 4e9b8882cf0a9e2a8a8e024c5b486d32012414fe..2fc4839c251dbb1dceb0092c749e45d12e9e6a54 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -136,7 +136,8 @@ if (isset($_POST['username'])) {
 $attributes[$name] = $values;
 }
- $session->setAuthenticated(true);
+ $session->setAuthenticated(true, 'login');
+
 $session->setAttributes($attributes);
 $session->setNameID(SimpleSAML_Utilities::generateID());
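Review bot: `$session->setAuthenticated(true, 'login-auto');` introduces one of four module-specific labels ('login-auto', 'login-ldapmulti', 'login-radius', 'login') that the IdP SSOService hunks compare against `$idpmeta['authority']`, yet nothing in the commit documents the accepted values: www/admin/metadata.php now tolerates an 'authority' key in hosted IdP metadata, but no metadata template or comment lists the labels an operator must put there. A comment at this call site such as `/* 'login-auto' is the authority label; IdP metadata 'authority' must match it exactly for isValid() to accept this session */`, with the same note in the other three login modules, would make the coupling visible. If the labels are meant to be configurable they should be read from configuration rather than hard-coded per module.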
diff --git a/www/example-simple/hostnames.php b/www/example-simple/hostnames.php
index 7afcfd590a14c0cbb353c2c562886f38b5a5e632..ca049c204087a253c5506d9187a6f5ba82621fbf 100644
--- a/www/example-simple/hostnames.php
+++ b/www/example-simple/hostnames.php
@@ -11,10 +11,18 @@ require_once('SimpleSAML/Bindings/SAML20/HTTPRedirect.php');
 require_once('SimpleSAML/Bindings/SAML20/HTTPPost.php');
 require_once('SimpleSAML/XHTML/Template.php');
-/* Load simpleSAMLphp, configuration and metadata */
+/* Load simpleSAMLphp, configuration */
 $config = SimpleSAML_Configuration::getInstance();
+$session = SimpleSAML_Session::getInstance(true);
+
+/* Check if valid local session exists.. */
+if (!isset($session) || !$session->isValid('login-admin') ) {
+ SimpleSAML_Utilities::redirect('/' . $config->getValue('baseurlpath') . 'auth/login-admin.php',
+ array('RelayState' => SimpleSAML_Utilities::selfURL())
+ );
+}
+
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
diff --git a/www/example-simple/saml2-example.php b/www/example-simple/saml2-example.php
index be04257fb13d74e36bbbb1864fd137660fde31f1..0373563aa57f575993ad77550f9339c45aeabcd6 100644
--- a/www/example-simple/saml2-example.php
+++ b/www/example-simple/saml2-example.php
@@ -14,7 +14,7 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 $session = SimpleSAML_Session::getInstance();
 /* Check if valid local session exists.. */
-if (!isset($session) || !$session->isValid() ) {
+if (!isset($session) || !$session->isValid('saml2') ) {
 SimpleSAML_Utilities::redirect( '/' . $config->getValue('baseurlpath') . 'saml2/sp/initSSO.php',
diff --git a/www/example-simple/shib13-example.php b/www/example-simple/shib13-example.php
index 339758acfce808b16be59c092b84738ab2cfc9be..54010fc45e56da53d0c2eee64c9f1542f6278d59 100644
--- a/www/example-simple/shib13-example.php
+++ b/www/example-simple/shib13-example.php
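Review bot: `$session = SimpleSAML_Session::getInstance(true);` passes an argument that the other call sites in this commit (www/admin/metadata.php, www/example-simple/saml2-example.php) omit, and getInstance()'s signature is not in the diff; if `true` forces creation of a session, the `!isset($session)` half of the guard below is dead code and every anonymous hit on this page and on www/index.php and www/saml2/idp/metadata.php allocates a session before being redirected, which deserves a comment either way. The hunk also removes `$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();` while the comment is rewritten to drop "and metadata"; if code further down this file still reads `$metadata`, it is now undefined, which the hunk cannot show.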
@@ -16,7 +16,7 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 $session = SimpleSAML_Session::getInstance();
-if (!isset($session) || !$session->isValid() ) {
+if (!isset($session) || !$session->isValid('shib13') ) {
 SimpleSAML_Utilities::redirect( '/' . $config->getValue('baseurlpath') .
diff --git a/www/index.php b/www/index.php
index c7bc19e3b7118c6ad84f910dc4baf53d20b3af9e..da695d0774b4c99a6a31d2e96b79774ba03f7cb1 100644
--- a/www/index.php
+++ b/www/index.php
@@ -8,11 +8,21 @@ require_once('SimpleSAML/Session.php');
 require_once('SimpleSAML/XHTML/Template.php');
 require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php');
+
+
+/* Load simpleSAMLphp, configuration */
 $config = SimpleSAML_Configuration::getInstance();
+$session = SimpleSAML_Session::getInstance(true);
+
+/* Check if valid local session exists.. */
+if (!isset($session) || !$session->isValid('login-admin') ) {
+ SimpleSAML_Utilities::redirect('/' . $config->getValue('baseurlpath') . 'auth/login-admin.php',
+ array('RelayState' => SimpleSAML_Utilities::selfURL())
+ );
+}
+
-$session = SimpleSAML_Session::getInstance();
-
 $links = array();
diff --git a/www/resources/icons/favicon.ico b/www/resources/icons/favicon.ico
new file mode 100755
index 0000000000000000000000000000000000000000..433d7eb979dc712d3c8d8bf49aadf4fbe73a8a59
Binary files /dev/null and b/www/resources/icons/favicon.ico differ
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 31d590aa5a9cd5c0e48f0b033c38aa27b62b8cca..4b13c231589c1bfaa94ad5ca9c5d9df16fc64194 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -136,6 +136,9 @@ if (isset($_GET['SAMLRequest'])) {
 }
+$authority = isset($idpmeta['authority']) ? $idpmeta['authority'] : null;
+
+
 /*
 * As we have passed the code above, we have an accociated request that is already processed.
 *
@@ -145,7 +148,7 @@ if (isset($_GET['SAMLRequest'])) {
 * endpoint - then the session is authenticated and set, and the user is redirected back with a RequestID
 * parameter so we can retrieve the cached information from the request.
 */
-if (!$session->isAuthenticated() ) {
+if (!isset($session) || !$session->isValid($authority) ) {
 $logger->log(LOG_NOTICE, $session->getTrackID(), 'SAML2.0', 'IdP.SSOService', 'AuthNext', $idpmeta['auth'], 'Will go to authentication module ' . $idpmeta['auth']);
diff --git a/www/saml2/idp/metadata.php b/www/saml2/idp/metadata.php
index 937d73a653ac4fc46a206595db8691605e343859..54176230ba320b328458b1c584a0993b52f9d47f 100644
--- a/www/saml2/idp/metadata.php
+++ b/www/saml2/idp/metadata.php
@@ -10,7 +10,18 @@ require_once('SimpleSAML/XHTML/Template.php');
 /* Load simpleSAMLphp, configuration and metadata */
 $config = SimpleSAML_Configuration::getInstance();
 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-$session = SimpleSAML_Session::getInstance();
+$session = SimpleSAML_Session::getInstance(true);
+
+
+
+/* Check if valid local session exists.. */
+if (!isset($session) || !$session->isValid('login-admin') ) {
+ SimpleSAML_Utilities::redirect('/' . $config->getValue('baseurlpath') . 'auth/login-admin.php',
+ array('RelayState' => SimpleSAML_Utilities::selfURL())
+ );
+}
+
+
 try {
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index 5a8ff34b4d12e16223439259973f96942a6be092..508b8f1541bc4eab18f5414971ba889e8f84a078 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -46,7 +46,7 @@ try {
 exit(0);
 }
-if (!isset($session) || !$session->isValid() ) {
+if (!isset($session) || !$session->isValid('saml2') ) {
 if ($idpentityid == null) {
diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php
index f5ce87b63c6f6f8ae8d727d33812ca0eb7124d2d..fa06e20528cf3272fc1841d68d04f56ca89fe885 100644
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
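Review bot: `if (!isset($session) || !$session->isValid($authority) ) {` now admits an unset `$session`, but the very next line calls `$session->getTrackID()` for the log entry, which is a method call on null in exactly that case, so the unset-session branch aborts with a fatal error instead of sending the user to the authentication module. Either keep the precondition that a session exists before this point (as the replaced `isAuthenticated()` check implicitly did) or make the log call tolerate it, `$logger->log(LOG_NOTICE, isset($session) ? $session->getTrackID() : null, 'SAML2.0', ...)`. The enclosing `if` body continues outside the hunk, so any further `$session` use there has the same problem.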
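Review bot: Judging by its path and its use of the metadata handler, www/saml2/idp/metadata.php is where peer service providers fetch this IdP's metadata, and the new guard now sends every request without a 'login-admin' session to the login page; if SPs or federations retrieve the XML from here, that publication path is closed by this commit, which is worth confirming as intended (or limiting the guard to a human-readable view while leaving the raw XML public). As in the other admin guards, nothing follows the redirect call, so unless redirect() terminates the script the metadata is still emitted after the Location header; add `exit;` after the closing `);`. The `try {` that follows continues outside the hunk.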
@@ -132,7 +132,7 @@ if (isset($_GET['shire'])) {
 }
-
+$authority = isset($idpmeta['authority']) ? $idpmeta['authority'] : null;
 /*
 * As we have passed the code above, we have an accociated request that is already processed.
@@ -143,7 +143,7 @@ if (isset($_GET['shire'])) {
 * endpoint - then the session is authenticated and set, and the user is redirected back with a RequestID
 * parameter so we can retrieve the cached information from the request.
 */
-if (!$session->isAuthenticated() ) {
+if (!$session->isAuthenticated($authority) ) {
 $relaystate = SimpleSAML_Utilities::selfURLNoQuery() . '?RequestID=' . urlencode($requestid);
 $authurl = SimpleSAML_Utilities::addURLparameter('/' . $config->getValue('baseurlpath') . $idpmeta['auth'],
diff --git a/www/shib13/sp/initSSO.php b/www/shib13/sp/initSSO.php
index 55a7723fb8b72ec5f2c52577d9a6fe4849b0e54a..95f2d2f90ab980957871d3c3153178836c543174 100644
--- a/www/shib13/sp/initSSO.php
+++ b/www/shib13/sp/initSSO.php
@@ -40,7 +40,7 @@ try {
-if (!isset($session) || !$session->isValid() ) {
+if (!isset($session) || !$session->isValid('shib13') ) {
 if ($idpentityid == null) {
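Review bot: `if (!$session->isAuthenticated($authority) ) {` passes the authority to isAuthenticated(), but the method this commit extends with an `$authority` parameter is isValid() (Session.php hunk at new line 329); isAuthenticated()'s definition is not in the diff, and as far as the visible code shows it takes no arguments, in which case PHP ignores the extra one and the Shib 1.3 IdP performs no authority check at all while the SAML 2.0 IdP in www/saml2/idp/SSOService.php does. Using the same call as the SAML 2.0 side, `if (!$session->isValid($authority) ) {`, also picks up the remaining-time check that isValid() adds over isAuthenticated(). The `if` body continues outside the hunk.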