diff --git a/COPYING b/COPYING
index 380e3f66c14c12a9ec863f2e3574bf4061d4080b..014d808870ad7fcf47d8bf4466de1d67be569bf8 100644
--- a/COPYING
+++ b/COPYING
@@ -1,5 +1,9 @@
Note that some of the embedded libraries may be using other licences.
In example xmlseclibs uses BSD licence.
+
+If you will be using simpleSAMLphp in a commercial context, please do not use
+the embedded default template which contains some icons with licence that are limited
+to non-commercial use.
--
simpleSAMLphp is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
index 03074e5c1193ca5074078783b6b2550ecfe23b7e..555628ba69baa4463d0b3542b8e291b48c6a6a63 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -214,7 +214,28 @@ class SimpleSAML_Metadata_MetaDataStorageHandler {
/* We were unable to find the hostname/path in any metadata source. */
throw new Exception('Could not find any default metadata entities in set [' . $set . '] for host [' . $currenthost . ' : ' . $currenthostwithpath . ']');
}
-
+
+ /**
+ * This method will call getPreferredEntityIdFromCIDRhint() on all of the
+ * sources.
+ *
+ * @param $set Which set of metadata we are looking it up in.
+ * @param $ip IP address
+ * @return The entity id of a entity which have a CIDR hint where the provided
+ * IP address match.
+ */
+ public function getPreferredEntityIdFromCIDRhint($set, $ip) {
+
+ foreach($this->sources as $source) {
+ $entityId = $source->getPreferredEntityIdFromCIDRhint($set, $ip);
+ if($entityId !== NULL) {
+ return $entityId;
+ }
+ }
+
+ return NULL;
+
+ }
/**
* This function looks up the metadata for the given entity id in the given set. It will throw an
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageSource.php b/lib/SimpleSAML/Metadata/MetaDataStorageSource.php
index c80e6607290f4c7891786b19483c33dd86d30afe..ef6371b9d5f6c47cdabc47faaeff9b8927710909 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageSource.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageSource.php
@@ -91,6 +91,37 @@ abstract class SimpleSAML_Metadata_MetaDataStorageSource {
/* No entries matched - we should return NULL. */
return NULL;
}
+
+ /**
+ * This function will go through all the metadata, and check the hint.cidr
+ * parameter, which defines a network space (ip range) for each remote entry.
+ * This function returns the entityID for any of the entities that have an
+ * IP range which the IP falls within.
+ *
+ * @param $set Which set of metadata we are looking it up in.
+ * @param $ip IP address
+ * @return The entity id of a entity which have a CIDR hint where the provided
+ * IP address match.
+ */
+ public function getPreferredEntityIdFromCIDRhint($set, $ip) {
+
+ $metadataSet = $this->getMetadataSet($set);
+
+ foreach($metadataSet AS $entityId => $entry) {
+
+ if(!array_key_exists('hint.cidr', $entry)) continue;
+ if(!is_array($entry['hint.cidr'])) continue;
+
+ foreach ($entry['hint.cidr'] AS $hint_entry) {
+ if (ipCIDRcheck($hint_entry, $ip))
+ return $entityId;
+ }
+
+ }
+
+ /* No entries matched - we should return NULL. */
+ return NULL;
+ }
/**
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 91d6ce1eba8eee88933740b501865d055620f9c0..1aff02c74cf2321e971150fdca65998b4d793167 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -365,6 +365,23 @@ class SimpleSAML_Utilities {
exit;
}
+
+ /**
+ * Check whether an IP address is part of an CIDR.
+ */
+ static function ipCIDRcheck($cidr, $ip = null) {
+ if ($ip == null) $ip = $_SERVER['REMOTE_ADDR'];
+ list ($net, $mask) = split ("/", $cidr);
+
+ $ip_net = ip2long ($net);
+ $ip_mask = ~((1 << (32 - $mask)) - 1);
+
+ $ip_ip = ip2long ($ip);
+
+ $ip_ip_net = $ip_ip & $ip_mask;
+
+ return ($ip_ip_net == $ip_net);
+ }
/* This function redirects the user to the specified address.
diff --git a/metadata-templates/saml20-idp-remote.php b/metadata-templates/saml20-idp-remote.php
index 63dcb368738ea25acb4f8513619c709d52c0b2ee..34f3c51e1811bd0abc1d5cb8f91662e45f8d4c39 100644
--- a/metadata-templates/saml20-idp-remote.php
+++ b/metadata-templates/saml20-idp-remote.php
@@ -76,7 +76,8 @@ $metadata = array(
'SingleSignOnService' => 'https://max.feide.no/amserver/SSORedirect/metaAlias/idp',
'SingleLogoutService' => 'https://max.feide.no/amserver/IDPSloRedirect/metaAlias/idp',
'certFingerprint' => '3fa158e8abfd4b5203315b08c0b791b6ee4715f6',
- 'base64attributes' => true
+ 'base64attributes' => true,
+ 'hint.cidr' => '158.38.0.0/16'
),
/*
@@ -88,7 +89,8 @@ $metadata = array(
'SingleSignOnService' => 'https://sam.feide.no/amserver/SSORedirect/metaAlias/idp',
'SingleLogoutService' => 'https://sam.feide.no/amserver/IDPSloRedirect/metaAlias/idp',
'certFingerprint' => '3a:e7:d3:d3:06:ba:57:fd:7f:62:6a:4b:a8:64:b3:4a:53:d9:5d:d0',
- 'base64attributes' => true
+ 'base64attributes' => true,
+ 'hint.cidr' => '158.38.0.0/16'
)
);
diff --git a/templates/default/en/selectidp-dropdown.php b/templates/default/en/selectidp-dropdown.php
index 51964b36e5ccd93d29068450a7ca2694e9ac3076..3ba59d5bbccf0ad603b23cbfdbe5c5de8c85ed18 100644
--- a/templates/default/en/selectidp-dropdown.php
+++ b/templates/default/en/selectidp-dropdown.php
@@ -7,18 +7,21 @@
<h2><?php if (isset($data['header'])) { echo $data['header']; } else { echo "Select your IdP"; } ?></h2>
<p>Please select the identity provider where you want to authenticate:</p>
-
+
<form method="get" action="<?php echo $data['urlpattern']; ?>">
<input type="hidden" name="entityID" value="<?php echo htmlspecialchars($data['entityID']); ?>" />
<input type="hidden" name="return" value="<?php echo htmlspecialchars($data['return']); ?>" />
<input type="hidden" name="returnIDParam" value="<?php echo htmlspecialchars($data['returnIDParam']); ?>" />
<select name="idpentityid">
<?php
-
+
foreach ($data['idplist'] AS $idpentry) {
echo '<option value="'.htmlspecialchars($idpentry['entityid']).'"';
- if ($idpentry['entityid'] == $data['preferedidp']) echo ' selected="selected"';
+ if (isset($this->data['preferredidp']) &&
+ $idpentry['entityid'] == $this->data['preferredidp'])
+ echo ' selected="selected"';
+
echo '>'.htmlspecialchars($idpentry['name']).'</option>';
}
diff --git a/templates/default/en/selectidp-links.php b/templates/default/en/selectidp-links.php
index 7d5cf1ec5cfd7c04019bf9de1796f9ed4a0715ae..daab979264755e1959809275244feb60702bd1c9 100644
--- a/templates/default/en/selectidp-links.php
+++ b/templates/default/en/selectidp-links.php
@@ -9,13 +9,25 @@
<?php
+
- foreach ($data['idplist'] AS $idpentry) {
-
- echo '<h3>' . htmlspecialchars($idpentry['name']) . '</h3>';
- echo '<p>' . htmlspecialchars($idpentry['description']) . '<br />';
- echo '[ <a href="' . $data['urlpattern'] . htmlspecialchars($idpentry['entityid']) . '">Select this IdP</a>]</p>';
+ if (!empty($this->data['preferredidp']) && array_key_exists($this->data['preferredidp'], $this->data['idplist'])) {
+ $idpentry = $this->data['idplist'][$this->data['preferredidp']];
+ echo '<div class="preferredidp">';
+ echo ' <img src="/' . $this->data['baseurlpath'] .'resources/icons/star.png" style="float: right" />';
+ echo ' <h3>' . htmlspecialchars($idpentry['name']) . '</h3>';
+ echo ' <p>' . htmlspecialchars($idpentry['description']) . '<br />';
+ echo ' [ <a href="' . $data['urlpattern'] . htmlspecialchars($idpentry['entityid']) . '">Select this IdP</a>]</p>';
+ echo '</div>';
+ }
+
+ foreach ($data['idplist'] AS $idpentry) {
+ if ($idpentry['entityid'] != $this->data['preferredidp']) {
+ echo '<h3>' . htmlspecialchars($idpentry['name']) . '</h3>';
+ echo '<p>' . htmlspecialchars($idpentry['description']) . '<br />';
+ echo '[ <a href="' . $data['urlpattern'] . htmlspecialchars($idpentry['entityid']) . '">Select this IdP</a>]</p>';
+ }
}
?>
diff --git a/www/admin/metadata.php b/www/admin/metadata.php
index a40491f2cb63786d3f2139f6379f428d87edebc7..ce5ad8e890c67468e9e8104e7cd6da1214beb640 100644
--- a/www/admin/metadata.php
+++ b/www/admin/metadata.php
@@ -44,7 +44,7 @@ try {
foreach ($metalist AS $entityid => $mentry) {
$results[$entityid] = SimpleSAML_Utilities::checkAssocArrayRules($mentry,
array('entityid', 'SingleSignOnService', 'SingleLogoutService', 'certFingerprint'),
- array('name', 'description', 'base64attributes','request.signing','certificate')
+ array('name', 'description', 'base64attributes','request.signing','certificate', 'hint.cidr')
);
}
$et->data['metadata.saml20-idp-remote'] = $results;
diff --git a/www/resources/default.css b/www/resources/default.css
index 770f3c60c0398d7c937977629b692fffd39e962c..2ef216c163dffa274f44ba5169092b99bfc58a49 100644
--- a/www/resources/default.css
+++ b/www/resources/default.css
@@ -244,4 +244,8 @@ th.rowtitle {
border: 1px solid #eee;
padding: 2px;
}
-
+div.preferredidp {
+ border: 1px dashed #ccc;
+ background: #eee;
+ padding: 2px 2em 2px 2em;
+}
\ No newline at end of file
diff --git a/www/resources/icons/star.png b/www/resources/icons/star.png
new file mode 100644
index 0000000000000000000000000000000000000000..2713202e0d6e2263c81149e779902ff943c9ce67
Binary files /dev/null and b/www/resources/icons/star.png differ
diff --git a/www/saml2/sp/idpdisco.php b/www/saml2/sp/idpdisco.php
index ce16c0bfea5deb6d1c6da4de04e4806f19ae7b60..b6cc018fc2765b1b5c8ffa897b8050dab09ad460 100644
--- a/www/saml2/sp/idpdisco.php
+++ b/www/saml2/sp/idpdisco.php
@@ -2,7 +2,6 @@
require_once('../../_include.php');
-
require_once('SimpleSAML/Utilities.php');
require_once('SimpleSAML/Session.php');
require_once('SimpleSAML/XHTML/Template.php');
@@ -11,10 +10,8 @@ require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php');
$config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
$session = SimpleSAML_Session::getInstance();
-
SimpleSAML_Logger::info('SAML2.0 - SP.idpDisco: Accessing SAML 2.0 discovery service');
if (!$config->getValue('enable.saml20-sp', false))
@@ -50,26 +47,39 @@ if (isset($_GET['idpentityid'])) {
try {
$idplist = $metadata->getList('saml20-idp-remote');
+ $preferredidp = $metadata->getPreferredEntityIdFromCIDRhint('saml20-idp-remote', $_SERVER['REMOTE_ADDR']);
+
+ if (!empty($preferredidp))
+ SimpleSAML_Logger::info('SAML2.0 - SP.idpDisco: Preferred IdP from CIDR hint [ ' . $preferredidp . '].');
+
} catch (Exception $exception) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'METADATA', $exception);
}
+if (!empty($_COOKIE['preferedidp'])) {
+ $preferredidp = $_COOKIE['preferedidp'];
+ SimpleSAML_Logger::info('SAML2.0 - SP.idpDisco: Preferred IdP overridden from cookie [ ' . $preferredidp . '].');
+}
+
+
+/**
+ * Make use of an XHTML template to present the select IdP choice to the user.
+ * Currently the supported options is either a drop down menu or a list view.
+ */
+$templatefile = ($config->getValue('idpdisco.layout') == 'dropdown' ? 'selectidp-dropdown.php' : 'selectidp-links.php');
+$t = new SimpleSAML_XHTML_Template($config, $templatefile);
+$t->data['header'] = 'Select your identity provider';
+$t->data['idplist'] = $idplist;
+$t->data['preferredidp'] = $preferredidp;
+
if ($config->getValue('idpdisco.layout') == 'dropdown') {
- $t = new SimpleSAML_XHTML_Template($config, 'selectidp-dropdown.php');
- $t->data['header'] = 'Select your identity provider';
- $t->data['idplist'] = $idplist;
$t->data['return']= $return;
$t->data['returnIDParam'] = $returnidparam;
$t->data['entityID'] = $spentityid;
- $t->data['preferedidp'] = (!empty($_COOKIE['preferedidp'])) ? $_COOKIE['preferedidp'] : null;
$t->data['urlpattern'] = htmlentities(SimpleSAML_Utilities::selfURLNoQuery());
$t->show();
-}
-else
-{
- $t = new SimpleSAML_XHTML_Template($config, 'selectidp-links.php');
- $t->data['header'] = 'Select your identity provider';
- $t->data['idplist'] = $idplist;
+
+} else {
$t->data['urlpattern'] = htmlentities(SimpleSAML_Utilities::selfURL() . '&idpentityid=');
$t->show();
}