diff --git a/www/aselect/handler.php b/www/aselect/handler.php
index 55c0c9fe756f1308679bb77397083ee5e6546fe8..2c270eeabf521e096fbb335772cceb098c585d98 100644
--- a/www/aselect/handler.php
+++ b/www/aselect/handler.php
@@ -21,21 +21,21 @@
*
* Connect "local" A-Select Server:
* configure simpleSAMLphp as a "remote" aselect server as follows (example):
- * <organization id="simplSAMLphp"
- * server="localhost"
+ * <organization id="simpleSAMLphp"
+ * server="default.aselect.org"
* friendly_name="simpleSAMLphp (TEST)"
- * resourcegroup="remote_simplsamlphp_resources" />
+ * resourcegroup="remote_simplesamlphp_resources" />
*
- * <resourcegroup id="remote_simplsamlphp_resources"
+ * <resourcegroup id="remote_simplesamlphp_resources"
* interval="30">
* <resource id="simpleSAMLphp1">
- * <url>https: *localhost/simplesaml/aselect/handler.php</url>
+ * <url>https://localhost/simplesaml/aselect/handler.php</url>
* </resource>
* </resourcegroup>
*
* Bridge to "remote" A-Select Server:
* configure simpleSAMLphp as a "local" aselect server as follows (example):
- * <organization id="simplSAMLphp" server="localhost">
+ * <organization id="simpleSAMLphp" server="default.aselect.org">
* <level>1</level>
* <forced_authenticate>false</forced_authenticate>
* <attribute_policy>policyA</attribute_policy>
@@ -46,21 +46,20 @@
*
* TODO:
* - separate metadata configuration into metadata/aselect-*-*.php
+ * - remote IDP discovery handling (similar to saml2: with optional default)
* - add robustness/error-handling/error-reporting
- * - generic bridging
- *
* - factor out common, app/local server and remote server code
+ *
+ * - dynamic bridging after IDP discovery across all protocols (core feature)
*/
require_once('../../www/_include.php');
require_once('xmlseclibs.php');
require_once('SimpleSAML/Logger.php');
require_once('SimpleSAML/Configuration.php');
-require_once('SimpleSAML/Metadata/MetaDataStorageHandler.php');
$logger = new SimpleSAML_Logger();
$config = SimpleSAML_Configuration::getInstance();
-$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$as_metadata = array(
'idp' => array(
@@ -73,14 +72,21 @@ $as_metadata = array(
'authsp' => 'simpleSAMLphp',
'app_level' => '10',
'tgt_exp_time' => '1194590521000',
- 'logout_url' => '/' . $config->getValue('baseurlpath') . 'logout.html',
+# 'auth' => '/' . $config->getValue('baseurlpath') . '/auth/login.php',
+# 'logout' => '/' . $config->getValue('baseurlpath') . 'logout.html',
+ 'auth' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSSO.php',
+ 'logout' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSLO.php',
+ 'loggedout_url' => '/' . $config->getValue('baseurlpath') . 'logout.html',
),
'remote' => array(
+ // so far the IDP bridging is statically configured to the first one in
+ // this list; IDP discovery should be implemented
'testorg' => array(
'server_id' => 'default.aselect.org',
'server_url' => 'https://localhost/aselectserver/server',
'sign_requests' => true,
- // TODO: this one is actually requestor related
+ // fixed required authentication level per remote IDP, because this
+ // requestor concept cannot be mapped from the other protocols
'app_level' => '10',
),
),
@@ -107,12 +113,10 @@ $as_metadata = array(
'cert' => $config->getBaseDir() . '/cert/app.crt',
),
),
- 'saml20' => array(
- 'sp_url_sso' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSSO.php',
- 'sp_url_slo' => '/' . $config->getValue('baseurlpath') . '/saml2/sp/initSLO.php',
- ),
);
+// some work to put a browser request into the corresponding session that was
+// started by the original "authenticate" request of the agent or local server
if ($_GET['local_rid']) session_id($_GET['local_rid']); else if ($_GET['rid']) session_id($_GET['rid']);
session_start();
@@ -195,14 +199,14 @@ function as_request_authenticate() {
function as_request_login() {
global $as_metadata;
- $return_url = $_SERVER['PHP_SELF'] . '?request=return';
+ $return_url = $_SERVER['PHP_SELF'] . '?request=login_return';
header('Location: ' .
- $as_metadata['saml20']['sp_url_sso'] .
+ $as_metadata['idp']['hosted']['auth'] .
'?RelayState=' . $return_url);
}
// handle browser return redirect from a bridged IDP
-function as_request_return() {
+function as_request_login_return() {
global $as_metadata;
$rid = session_id();
@@ -297,8 +301,8 @@ function as_request_logout() {
global $as_metadata;
header('Location: ' .
- $as_metadata['saml20']['sp_url_slo'] .
- '?RelayState=' . $as_metadata['idp']['hosted']['logout_url']);
+ $as_metadata['idp']['hosted']['logout'] .
+ '?RelayState=' . urlencode($as_metadata['idp']['hosted']['loggedout_url']));
}
// helper function for sending a non-browser request to a remote server
@@ -314,9 +318,9 @@ function as_call($url) {
as_error_exception('Request on remote server failed: ' . $error);
}
$parms = array();
- foreach (explode('&', $result) as $p) {
- $a = explode('=', $p);
- $parms[$a[0]] = urldecode($a[1]);
+ foreach (explode('&', $result) as $parm) {
+ $tuple = explode('=', $parm);
+ $parms[urldecode($tuple[0])] = urldecode($tuple[1]);
}
if ($parms['result_code'] != '0000') {
as_error_exception('Request on remote server returned error: ' . $result);
@@ -418,14 +422,15 @@ function as_request_bridge_return() {
$session->setAuthenticated(true, 'aselect');
if (array_key_exists('attributes', $parms)) {
- $parm = base64_decode($parms['attributes']);
+ $decoded = base64_decode($parms['attributes']);
$attributes = array();
- foreach (explode('&', $parm) as $p) {
- $a = explode('=', $p);
- if (array_key_exists($a[0], $attributes)) {
- $attributes[$a[0]] = array();
+ foreach (explode('&', $decoded) as $parm) {
+ $tuple = explode('=', $parm);
+ $name = urldecode($tuple[0]);
+ if (array_key_exists($name, $attributes)) {
+ $attributes[$name] = array();
}
- $attributes[$a[0]][] = urldecode($a[1]);
+ $attributes[$name][] = urldecode($tuple[1]);
}
$session->setAttributes($attributes);
}