ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
ADFS.php
Go to the documentation of this file.
1 <?php
2 
3 class sspmod_adfs_IdP_ADFS
4 {
5  public static function receiveAuthnRequest(SimpleSAML_IdP $idp)
6  {
7  try {
8  parse_str($_SERVER['QUERY_STRING'], $query);
9 
10  $requestid = $query['wctx'];
11  $issuer = $query['wtrealm'];
12  $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
13  $spMetadata = $metadata->getMetaDataConfig($issuer, 'adfs-sp-remote');
14 
15  SimpleSAML\Logger::info('ADFS - IdP.prp: Incoming Authentication request: '.$issuer.' id '.$requestid);
16  } catch(Exception $exception) {
17  throw new SimpleSAML_Error_Error('PROCESSAUTHNREQUEST', $exception);
18  }
19 
20  $state = array(
21  'Responder' => array('sspmod_adfs_IdP_ADFS', 'sendResponse'),
22  'SPMetadata' => $spMetadata->toArray(),
23  'ForceAuthn' => false,
24  'isPassive' => false,
25  'adfs:wctx' => $requestid,
26  );
27 
28  $idp->handleAuthenticationRequest($state);
29  }
30 
31  private static function generateResponse($issuer, $target, $nameid, $attributes)
32  {
33  $issueInstant = SimpleSAML\Utils\Time::generateTimestamp();
34  $notBefore = SimpleSAML\Utils\Time::generateTimestamp(time() - 30);
35  $assertionExpire = SimpleSAML\Utils\Time::generateTimestamp(time() + 60 * 5);
36  $assertionID = SimpleSAML\Utils\Random::generateID();
37  $nameidFormat = 'http://schemas.xmlsoap.org/claims/UPN';
38  $nameid = htmlspecialchars($nameid);
39 
40  $result = <<<MSG
41 <wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
42  <wst:RequestedSecurityToken>
43  <saml:Assertion Issuer="$issuer" IssueInstant="$issueInstant" AssertionID="$assertionID" MinorVersion="1" MajorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
44  <saml:Conditions NotOnOrAfter="$assertionExpire" NotBefore="$notBefore">
45  <saml:AudienceRestrictionCondition>
46  <saml:Audience>$target</saml:Audience>
47  </saml:AudienceRestrictionCondition>
48  </saml:Conditions>
49  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="$issueInstant">
50  <saml:Subject>
51  <saml:NameIdentifier Format="$nameidFormat">$nameid</saml:NameIdentifier>
52  </saml:Subject>
53  </saml:AuthenticationStatement>
54  <saml:AttributeStatement>
55  <saml:Subject>
56  <saml:NameIdentifier Format="$nameidFormat">$nameid</saml:NameIdentifier>
57  </saml:Subject>
58 MSG;
59 
60  foreach ($attributes as $name => $values) {
61  if ((!is_array($values)) || (count($values) == 0)) {
62  continue;
63  }
64 
65  list($namespace, $name) = SimpleSAML\Utils\Attributes::getAttributeNamespace($name, 'http://schemas.xmlsoap.org/claims');
66  foreach ($values as $value) {
67  if ((!isset($value)) || ($value === '')) {
68  continue;
69  }
70  $value = htmlspecialchars($value);
71 
72  $result .= <<<MSG
73  <saml:Attribute AttributeNamespace="$namespace" AttributeName="$name">
74  <saml:AttributeValue>$value</saml:AttributeValue>
75  </saml:Attribute>
76 MSG;
77 
78  }
79  }
80 
81  $result .= <<<MSG
82  </saml:AttributeStatement>
83  </saml:Assertion>
84  </wst:RequestedSecurityToken>
85  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
86  <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
87  <wsa:Address>$target</wsa:Address>
88  </wsa:EndpointReference>
89  </wsp:AppliesTo>
90 </wst:RequestSecurityTokenResponse>
91 MSG;
92 
93  return $result;
94  }
95 
96  private static function signResponse($response, $key, $cert)
97  {
98  $objXMLSecDSig = new XMLSecurityDSig();
99  $objXMLSecDSig->idKeys = array('AssertionID');
100  $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
101  $responsedom = \SAML2\DOMDocumentFactory::fromString(str_replace ("\r", "", $response));
102  $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
103  $objXMLSecDSig->addReferenceList(
104  array($firstassertionroot), XMLSecurityDSig::SHA1,
105  array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
106  array('id_name' => 'AssertionID')
107  );
108  $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
109  $objKey->loadKey($key, true);
110  $objXMLSecDSig->sign($objKey);
111  if ($cert) {
112  $public_cert = file_get_contents($cert);
113  $objXMLSecDSig->add509Cert($public_cert, true);
114  }
115  $newSig = $responsedom->importNode($objXMLSecDSig->sigNode, true);
116  $firstassertionroot->appendChild($newSig);
117  return $responsedom->saveXML();
118  }
119 
120  private static function postResponse($url, $wresult, $wctx)
121  {
122  $wresult = htmlspecialchars($wresult);
123  $wctx = htmlspecialchars($wctx);
124 
125  $post = <<<MSG
126  <body onload="document.forms[0].submit()">
127  <form method="post" action="$url">
128  <input type="hidden" name="wa" value="wsignin1.0">
129  <input type="hidden" name="wresult" value="$wresult">
130  <input type="hidden" name="wctx" value="$wctx">
131  <noscript>
132  <input type="submit" value="Continue">
133  </noscript>
134  </form>
135  </body>
136 MSG;
137 
138  echo $post;
139  exit;
140  }
141 
142  public static function sendResponse(array $state)
143  {
144  $spMetadata = $state["SPMetadata"];
145  $spEntityId = $spMetadata['entityid'];
146  $spMetadata = SimpleSAML_Configuration::loadFromArray($spMetadata,
147  '$metadata[' . var_export($spEntityId, true) . ']');
148 
149  $attributes = $state['Attributes'];
150 
151  $nameidattribute = $spMetadata->getValue('simplesaml.nameidattribute');
152  if (!empty($nameidattribute)) {
153  if (!array_key_exists($nameidattribute, $attributes)) {
154  throw new Exception('simplesaml.nameidattribute does not exist in resulting attribute set');
155  }
156  $nameid = $attributes[$nameidattribute][0];
157  } else {
158  $nameid = SimpleSAML\Utils\Random::generateID();
159  }
160 
161  $idp = SimpleSAML_IdP::getByState($state);
162  $idpMetadata = $idp->getConfig();
163  $idpEntityId = $idpMetadata->getString('entityid');
164 
165  $idp->addAssociation(array(
166  'id' => 'adfs:' . $spEntityId,
167  'Handler' => 'sspmod_adfs_IdP_ADFS',
168  'adfs:entityID' => $spEntityId,
169  ));
170 
171  $response = sspmod_adfs_IdP_ADFS::generateResponse($idpEntityId, $spEntityId, $nameid, $attributes);
172 
173  $privateKeyFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('privatekey'));
174  $certificateFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('certificate'));
175  $wresult = sspmod_adfs_IdP_ADFS::signResponse($response, $privateKeyFile, $certificateFile);
176 
177  $wctx = $state['adfs:wctx'];
178  sspmod_adfs_IdP_ADFS::postResponse($spMetadata->getValue('prp'), $wresult, $wctx);
179  }
180 
181  public static function sendLogoutResponse(SimpleSAML_IdP $idp, array $state)
182  {
183  // NB:: we don't know from which SP the logout request came from
184  $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
185  $idpMetadata = $idp->getConfig();
186  \SimpleSAML\Utils\HTTP::redirectTrustedURL($idpMetadata->getValue('redirect-after-logout', \SimpleSAML\Utils\HTTP::getBaseURL()));
187  }
188 
189  public static function receiveLogoutMessage(SimpleSAML_IdP $idp)
190  {
191  // if a redirect is to occur based on wreply, we will redirect to url as
192  // this implies an override to normal sp notification
193  if (isset($_GET['wreply']) && !empty($_GET['wreply'])) {
194  $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['wreply']));
195  assert('false');
196  }
197 
198  $state = array(
199  'Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse'),
200  );
201  $assocId = null;
202  // TODO: verify that this is really no problem for:
203  // a) SSP, because there's no caller SP.
204  // b) ADFS SP because caller will be called back..
205  $idp->handleLogoutRequest($state, $assocId);
206  }
207 
208  // accepts an association array, and returns a URL that can be accessed to terminate the association
209  public static function getLogoutURL(SimpleSAML_IdP $idp, array $association, $relayState)
210  {
211  $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
212  $idpMetadata = $idp->getConfig();
213  $spMetadata = $metadata->getMetaDataConfig($association['adfs:entityID'], 'adfs-sp-remote');
214  $returnTo = SimpleSAML\Module::getModuleURL('adfs/idp/prp.php?assocId=' . urlencode($association["id"]) . '&relayState=' . urlencode($relayState));
215  return $spMetadata->getValue('prp') . '?' . 'wa=wsignoutcleanup1.0&wreply=' . urlencode($returnTo);
216  }
217 }
SimpleSAML_IdP\handleLogoutRequest
handleLogoutRequest(array &$state, $assocId)
Process a logout request.
Definition: IdP.php:479
$namespace
if($err=$client->getError()) $namespace
Definition: dummy_client.php:50
sspmod_adfs_IdP_ADFS\receiveAuthnRequest
static receiveAuthnRequest(SimpleSAML_IdP $idp)
Definition: ADFS.php:5
SimpleSAML\Utils\Random\generateID
static generateID()
Generate a random identifier, ID_LENGTH bytes long.
Definition: Random.php:26
SimpleSAML_IdP\doLogoutRedirect
doLogoutRedirect($url)
Log out, then redirect to a URL.
Definition: IdP.php:536
SimpleSAML\Utils\Attributes\getAttributeNamespace
static getAttributeNamespace($name, $defaultns)
Extract an attribute&#39;s namespace, or revert to default.
Definition: Attributes.php:123
SimpleSAML_IdP\handleAuthenticationRequest
handleAuthenticationRequest(array &$state)
Process authentication requests.
Definition: IdP.php:384
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54
SimpleSAML_IdP\getByState
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:152
$result
$result
Definition: CleanUpTest.php:463
$idpEntityId
$idpEntityId
Definition: prp.php:12
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
$spEntityId
$spEntityId
Definition: attributeserver.php:14
sspmod_adfs_IdP_ADFS\getLogoutURL
static getLogoutURL(SimpleSAML_IdP $idp, array $association, $relayState)
Definition: ADFS.php:209
$attributes
$attributes
Definition: serviceValidate.php:33
sspmod_adfs_IdP_ADFS
Definition: ADFS.php:3
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
sspmod_adfs_IdP_ADFS\sendLogoutResponse
static sendLogoutResponse(SimpleSAML_IdP $idp, array $state)
Definition: ADFS.php:181
$spMetadata
$spMetadata
Definition: logout-iframe-post.php:27
$metadata
$metadata['__DYNAMIC:1__']
Definition: adfs-idp-hosted.php:3
SimpleSAML\Utils\Time\generateTimestamp
static generateTimestamp($instant=null)
This function generates a timestamp on the form used by the SAML protocols.
Definition: Time.php:32
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML
Attribute-related utility methods.
$name
if($format !==null) $name
Definition: metadata.php:146
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
sspmod_adfs_IdP_ADFS\signResponse
static signResponse($response, $key, $cert)
Definition: ADFS.php:96
$relayState
$relayState
Definition: logout-iframe-post.php:14
getBaseURL
getBaseURL($t, $type='get', $key=null, $value=null)
Definition: showstats.php:133
$nameid
$nameid
Definition: status.php:36
SimpleSAML_IdP\getConfig
getConfig()
Retrieve the configuration for this IdP.
Definition: IdP.php:165
$post
$post
Definition: post.php:34
SimpleSAML_Error_Error
Definition: Error.php:10
sspmod_adfs_IdP_ADFS\postResponse
static postResponse($url, $wresult, $wctx)
Definition: ADFS.php:120
$query
$query
Definition: proxy_ylocal.php:13
$issuer
catch(Exception $e) if(!($request instanceof \SAML2\ArtifactResolve)) $issuer
Definition: ArtifactResolutionService.php:48
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
SimpleSAML_IdP
Definition: IdP.php:11
$association
if(!isset($associations[$assocId])) $association
Definition: logout-iframe-post.php:23
$idp
$idp
Definition: prp.php:13
SimpleSAML\Utils\Config\getCertPath
static getCertPath($path)
Resolves a path that may be relative to the cert-directory.
Definition: Config.php:22
NotOnOrAfter
$sc SubjectConfirmationData NotOnOrAfter
Definition: attributeserver.php:77
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
$assocId
if(!isset($_REQUEST['association'])) $assocId
Definition: logout-iframe-post.php:12
$url
$url
Definition: proxy_ylocal.php:28
time
Add data(end) time
Method that wraps PHPs time in order to allow simulations with the workflow.
Definition: 40duplicateStyle.php:39
$response
$response
Definition: proxy_ylocal.php:39
$key
$key
Definition: croninfo.php:18
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:269
sspmod_adfs_IdP_ADFS\sendResponse
static sendResponse(array $state)
Definition: ADFS.php:142
sspmod_adfs_IdP_ADFS\generateResponse
static generateResponse($issuer, $target, $nameid, $attributes)
Definition: ADFS.php:31
sspmod_adfs_IdP_ADFS\receiveLogoutMessage
static receiveLogoutMessage(SimpleSAML_IdP $idp)
Definition: ADFS.php:189