ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
sspmod_saml_Auth_Source_SP Class Reference
+ Inheritance diagram for sspmod_saml_Auth_Source_SP:
+ Collaboration diagram for sspmod_saml_Auth_Source_SP:

Public Member Functions

 __construct ($info, $config)
 Constructor for SAML SP authentication source. More...
 
 getMetadataURL ()
 Retrieve the URL to the metadata of this SP. More...
 
 getEntityId ()
 Retrieve the entity id of this SP. More...
 
 getMetadata ()
 Retrieve the metadata of this SP. More...
 
 getIdPMetadata ($entityId)
 Retrieve the metadata of an IdP. More...
 
 sendSAML2AuthnRequest (array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
 Function to actually send the authentication request. More...
 
 startSSO ($idp, array $state)
 Send a SSO request to an IdP. More...
 
 authenticate (&$state)
 Start login. More...
 
 reauthenticate (array &$state)
 Re-authenticate an user. More...
 
 startSLO2 (&$state)
 Start a SAML 2 logout operation. More...
 
 logout (&$state)
 Start logout operation. More...
 
 handleResponse (array $state, $idp, array $attributes)
 Handle a response from a SSO operation. More...
 
 handleLogout ($idpEntityId)
 Handle a logout request from an IdP. More...
 
- Public Member Functions inherited from SimpleSAML_Auth_Source
 __construct ($info, &$config)
 Constructor for an authentication source. More...
 
 getAuthId ()
 Retrieve the ID of this authentication source. More...
 
 authenticate (&$state)
 Process a request. More...
 
 reauthenticate (array &$state)
 Reauthenticate an user. More...
 
 initLogin ($return, $errorURL=null, array $params=array())
 Start authentication. More...
 
 logout (&$state)
 Log out from this authentication source. More...
 

Static Public Member Functions

static askForIdPChange (array &$state)
 Ask the user to log out before being able to log in again with a different identity provider. More...
 
static reauthLogout (array $state)
 Log the user out before logging in again. More...
 
static reauthPostLogin (array $state)
 Complete login operation after re-authenticating the user on another IdP. More...
 
static handleUnsolicitedAuth ($authId, array $state, $redirectTo)
 Handle an unsolicited login operations. More...
 
static onProcessingCompleted (array $authProcState)
 Called when we have completed the procssing chain. More...
 
- Static Public Member Functions inherited from SimpleSAML_Auth_Source
static getSourcesOfType ($type)
 Get sources of a specific type. More...
 
static completeAuth (&$state)
 Complete authentication. More...
 
static loginCompleted ($state)
 Called when a login operation has finished. More...
 
static completeLogout (&$state)
 Complete logout. More...
 
static getById ($authId, $type=null)
 Retrieve authentication source. More...
 
static logoutCallback ($state)
 Called when the authentication source receives an external logout request. More...
 
static getSources ()
 Retrieve list of authentication sources. More...
 

Private Member Functions

 startSSO1 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML1 SSO request to an IdP. More...
 
 startSSO2 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML2 SSO request to an IdP. More...
 
 startDisco (array $state)
 Start an IdP discovery service operation. More...
 

Private Attributes

 $entityId
 
 $metadata
 
 $idp
 
 $discoURL
 

Additional Inherited Members

- Protected Member Functions inherited from SimpleSAML_Auth_Source
 addLogoutCallback ($assoc, $state)
 Add a logout callback association. More...
 
 callLogoutCallback ($assoc)
 Call a logout callback based on association. More...
 
- Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static validateSource ($source, $id)
 Make sure that the first element of an auth source is its identifier. More...
 
- Protected Attributes inherited from SimpleSAML_Auth_Source
 $authId
 

Detailed Description

Definition at line 3 of file SP.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_saml_Auth_Source_SP::__construct (   $info,
  $config 
)

Constructor for SAML SP authentication source.

Parameters
array$infoInformation about this authentication source.
array$configConfiguration.

Definition at line 43 of file SP.php.

43 {
44 assert('is_array($info)');
45 assert('is_array($config)');
46
47 // Call the parent constructor first, as required by the interface
48 parent::__construct($info, $config);
49
50 if (!isset($config['entityID'])) {
51 $config['entityID'] = $this->getMetadataURL();
52 }
53
54 /* For compatibility with code that assumes that $metadata->getString('entityid') gives the entity id. */
55 $config['entityid'] = $config['entityID'];
56
57 $this->metadata = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . ']');
58 $this->entityId = $this->metadata->getString('entityID');
59 $this->idp = $this->metadata->getString('idp', NULL);
60 $this->discoURL = $this->metadata->getString('discoURL', NULL);
61
62 if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
63 $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
64 }
65 }
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
getMetadataURL()
Retrieve the URL to the metadata of this SP.
Definition: SP.php:73
$info
Definition: index.php:5
Attribute-related utility methods.

References $config, $info, getMetadataURL(), SimpleSAML\Module\getModuleURL(), and SimpleSAML_Configuration\loadFromArray().

+ Here is the call graph for this function:

Member Function Documentation

◆ askForIdPChange()

static sspmod_saml_Auth_Source_SP::askForIdPChange ( array &  $state)
static

Ask the user to log out before being able to log in again with a different identity provider.

Note that this method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP and an IdP at the same time.

This method will never return.

Parameters
array$stateThe state array. The following keys must be defined in the array:
  • 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated the user in the current session.
  • 'saml:sp:AuthId': the identifier of the current authentication source.
  • 'core:IdP': the identifier of the local IdP.
  • 'SPMetadata': an array with the metadata of this local SP.
Exceptions
SimpleSAML_Error_NoPassiveIn case the authentication request was passive.

Definition at line 521 of file SP.php.

522 {
523 assert('array_key_exists("saml:sp:IdPMetadata", $state)');
524 assert('array_key_exists("saml:sp:AuthId", $state)');
525 assert('array_key_exists("core:IdP", $state)');
526 assert('array_key_exists("SPMetadata", $state)');
527
528 if (isset($state['isPassive']) && (bool)$state['isPassive']) {
529 // passive request, we cannot authenticate the user
530 throw new SimpleSAML_Error_NoPassive('Reauthentication required');
531 }
532
533 // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
534 $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
535 $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
536 SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
537 assert('false');
538 }
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
Class SimpleSAML_Error_NoPassive.
Definition: NoPassive.php:12
if(!array_key_exists('StateId', $_REQUEST)) $id
$url

References $id, $state, $url, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by reauthenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ authenticate()

sspmod_saml_Auth_Source_SP::authenticate ( $state)

Start login.

This function saves the information about the login, and redirects to the IdP.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 392 of file SP.php.

392 {
393 assert('is_array($state)');
394
395 /* We are going to need the authId in order to retrieve this authentication source later. */
396 $state['saml:sp:AuthId'] = $this->authId;
397
399
400 if (isset($state['saml:idp'])) {
401 $idp = (string)$state['saml:idp'];
402 }
403
404 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
405 // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
407 $known_idps = $mdh->getList();
408 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
409
410 if (empty($intersection)) { // all requested IdPs are unknown
412 \SAML2\Constants::STATUS_REQUESTER,
413 'None of the IdPs requested are supported by this proxy.'
414 );
415 }
416
417 if (!is_null($idp) && !in_array($idp, $intersection, true)) { // the IdP is enforced but not in the IDPList
419 \SAML2\Constants::STATUS_REQUESTER,
420 'None of the IdPs requested are available to this proxy.'
421 );
422 }
423
424 if (is_null($idp) && sizeof($intersection) === 1) { // only one IdP requested or valid
425 $idp = current($state['saml:IDPList']);
426 }
427 }
428
429 if ($idp === NULL) {
430 $this->startDisco($state);
431 assert('FALSE');
432 }
433
434 $this->startSSO($idp, $state);
435 assert('FALSE');
436 }
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
startSSO($idp, array $state)
Send a SSO request to an IdP.
Definition: SP.php:328
startDisco(array $state)
Start an IdP discovery service operation.
Definition: SP.php:353
$mdh

References SimpleSAML_Auth_Source\$authId, $idp, $mdh, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), startDisco(), and startSSO().

+ Here is the call graph for this function:

◆ getEntityId()

sspmod_saml_Auth_Source_SP::getEntityId ( )

Retrieve the entity id of this SP.

Returns
string The entity id of this SP.

Definition at line 84 of file SP.php.

84 {
85
86 return $this->entityId;
87 }

References $entityId.

◆ getIdPMetadata()

sspmod_saml_Auth_Source_SP::getIdPMetadata (   $entityId)

Retrieve the metadata of an IdP.

Parameters
string$entityIdThe entity id of the IdP.
Returns
SimpleSAML_Configuration The metadata of the IdP.

Definition at line 108 of file SP.php.

108 {
109 assert('is_string($entityId)');
110
111 if ($this->idp !== NULL && $this->idp !== $entityId) {
112 throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' . var_export($entityId, TRUE) .
113 ' because it isn\'t a valid IdP for this SP.');
114 }
115
117
118 // First, look in saml20-idp-remote.
119 try {
120 return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
121 } catch (Exception $e) {
122 /* Metadata wasn't found. */
123 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
124 }
125
126 /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
127 try {
128 return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
129 } catch (Exception $e) {
130 /* Metadata wasn't found. */
131 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
132 }
133
134 /* Not found. */
135 throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' . var_export($entityId, TRUE));
136 }
static debug($string)
Definition: Logger.php:213

References $entityId, SimpleSAML\Logger\debug(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

Referenced by reauthenticate(), startSLO2(), and startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getMetadata()

sspmod_saml_Auth_Source_SP::getMetadata ( )

Retrieve the metadata of this SP.

Returns
SimpleSAML_Configuration The metadata of this SP.

Definition at line 95 of file SP.php.

95 {
96
97 return $this->metadata;
98
99 }

References $metadata.

◆ getMetadataURL()

sspmod_saml_Auth_Source_SP::getMetadataURL ( )

Retrieve the URL to the metadata of this SP.

Returns
string The metadata URL.

Definition at line 73 of file SP.php.

73 {
74
75 return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
76 }

References SimpleSAML\Module\getModuleURL().

Referenced by __construct().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ handleLogout()

sspmod_saml_Auth_Source_SP::handleLogout (   $idpEntityId)

Handle a logout request from an IdP.

Parameters
string$idpEntityIdThe entity ID of the IdP.

Definition at line 729 of file SP.php.

729 {
730 assert('is_string($idpEntityId)');
731
732 /* Call the logout callback we registered in onProcessingCompleted(). */
734 }
callLogoutCallback($assoc)
Call a logout callback based on association.
Definition: Source.php:439
$idpEntityId
Definition: prp.php:12

References $idpEntityId, and SimpleSAML_Auth_Source\callLogoutCallback().

+ Here is the call graph for this function:

◆ handleResponse()

sspmod_saml_Auth_Source_SP::handleResponse ( array  $state,
  $idp,
array  $attributes 
)

Handle a response from a SSO operation.

Parameters
array$stateThe authentication state.
string$idpThe entity id of the IdP.
array$attributesThe attributes.

Definition at line 686 of file SP.php.

686 {
687 assert('is_string($idp)');
688 assert('array_key_exists("LogoutState", $state)');
689 assert('array_key_exists("saml:logout:Type", $state["LogoutState"])');
690
691 $idpMetadata = $this->getIdpMetadata($idp);
692
693 $spMetadataArray = $this->metadata->toArray();
694 $idpMetadataArray = $idpMetadata->toArray();
695
696 /* Save the IdP in the state array. */
697 $state['saml:sp:IdP'] = $idp;
698 $state['PersistentAuthData'][] = 'saml:sp:IdP';
699
700 $authProcState = array(
701 'saml:sp:IdP' => $idp,
702 'saml:sp:State' => $state,
703 'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
704
705 'Attributes' => $attributes,
706 'Destination' => $spMetadataArray,
707 'Source' => $idpMetadataArray,
708 );
709
710 if (isset($state['saml:sp:NameID'])) {
711 $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
712 }
713 if (isset($state['saml:sp:SessionIndex'])) {
714 $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
715 }
716
717 $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
718 $pc->processState($authProcState);
719
720 self::onProcessingCompleted($authProcState);
721 }
static onProcessingCompleted(array $authProcState)
Called when we have completed the procssing chain.
Definition: SP.php:765
$idpMetadata
$attributes

References $attributes, $idp, $idpMetadata, $state, and onProcessingCompleted().

+ Here is the call graph for this function:

◆ handleUnsolicitedAuth()

static sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth (   $authId,
array  $state,
  $redirectTo 
)
static

Handle an unsolicited login operations.

This method creates a session from the information received. It will then redirect to the given URL. This is used to handle IdP initiated SSO. This method will never return.

Parameters
string$authIdThe id of the authentication source that received the request.
array$stateA state array.
string$redirectToThe URL we should redirect the user to after updating the session. The function will check if the URL is allowed, so there is no need to manually check the URL on beforehand. Please refer to the 'trusted.url.domains' configuration directive for more information about allowing (or disallowing) URLs.

Definition at line 749 of file SP.php.

749 {
750 assert('is_string($authId)');
751 assert('is_string($redirectTo)');
752
755
757 }
static redirectUntrustedURL($url, $parameters=array())
This function redirects to the specified URL after performing the appropriate security checks on it.
Definition: HTTP.php:994
static getPersistentAuthData(array $state)
Get the persistent authentication state from the state array.
Definition: State.php:103
static getSessionFromRequest()
Retrieves the current session.
Definition: Session.php:243
$session

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Utils\HTTP\redirectUntrustedURL().

Referenced by SimpleSAML_Auth_Default\handleUnsolicitedAuth(), and onProcessingCompleted().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ logout()

sspmod_saml_Auth_Source_SP::logout ( $state)

Start logout operation.

Parameters
array$stateThe logout state.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 660 of file SP.php.

660 {
661 assert('is_array($state)');
662 assert('array_key_exists("saml:logout:Type", $state)');
663
664 $logoutType = $state['saml:logout:Type'];
665 switch ($logoutType) {
666 case 'saml1':
667 /* Nothing to do. */
668 return;
669 case 'saml2':
670 $this->startSLO2($state);
671 return;
672 default:
673 /* Should never happen. */
674 assert('FALSE');
675 }
676 }
startSLO2(&$state)
Start a SAML 2 logout operation.
Definition: SP.php:612

References $state, and startSLO2().

+ Here is the call graph for this function:

◆ onProcessingCompleted()

static sspmod_saml_Auth_Source_SP::onProcessingCompleted ( array  $authProcState)
static

Called when we have completed the procssing chain.

Parameters
array$authProcStateThe processing chain state.

Definition at line 765 of file SP.php.

765 {
766 assert('array_key_exists("saml:sp:IdP", $authProcState)');
767 assert('array_key_exists("saml:sp:State", $authProcState)');
768 assert('array_key_exists("Attributes", $authProcState)');
769
770 $idp = $authProcState['saml:sp:IdP'];
771 $state = $authProcState['saml:sp:State'];
772
773 $sourceId = $state['saml:sp:AuthId'];
775 if ($source === NULL) {
776 throw new Exception('Could not find authentication source with id ' . $sourceId);
777 }
778
779 /* Register a callback that we can call if we receive a logout request from the IdP. */
780 $source->addLogoutCallback($idp, $state);
781
782 $state['Attributes'] = $authProcState['Attributes'];
783
784 if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
785 if (!empty($state['saml:sp:RelayState'])) {
786 $redirectTo = $state['saml:sp:RelayState'];
787 } else {
788 $redirectTo = $source->getMetadata()->getString('RelayState', '/');
789 }
791 }
792
794 }
if(!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) $sourceId
Definition: linkback.php:20
$source
Definition: linkback.php:22
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135
static handleUnsolicitedAuth($authId, array $state, $redirectTo)
Handle an unsolicited login operations.
Definition: SP.php:749

References $idp, $source, $sourceId, $state, SimpleSAML_Auth_Source\completeAuth(), SimpleSAML_Auth_Source\getById(), and handleUnsolicitedAuth().

Referenced by handleResponse().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ reauthenticate()

sspmod_saml_Auth_Source_SP::reauthenticate ( array &  $state)

Re-authenticate an user.

This function is called by the IdP to give the authentication source a chance to interact with the user even in the case when the user is already authenticated.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 447 of file SP.php.

447 {
448 assert('is_array($state)');
449
451 $data = $session->getAuthState($this->authId);
452 foreach ($data as $k => $v) {
453 $state[$k] = $v;
454 }
455
456 // check if we have an IDPList specified in the request
457 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
458 !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
459 {
460 /*
461 * The user has an existing, valid session. However, the SP provided a list of IdPs it accepts for
462 * authentication, and the IdP the existing session is related to is not in that list.
463 *
464 * First, check if we recognize any of the IdPs requested.
465 */
466
468 $known_idps = $mdh->getList();
469 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
470
471 if (empty($intersection)) { // all requested IdPs are unknown
473 \SAML2\Constants::STATUS_REQUESTER,
474 'None of the IdPs requested are supported by this proxy.'
475 );
476 }
477
478 /*
479 * We have at least one IdP in the IDPList that we recognize, and it's not the one currently in use. Let's
480 * see if this proxy enforces the use of one single IdP.
481 */
482 if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) { // an IdP is enforced but not requested
484 \SAML2\Constants::STATUS_REQUESTER,
485 'None of the IdPs requested are available to this proxy.'
486 );
487 }
488
489 /*
490 * We need to inform the user, and ask whether we should logout before starting the authentication process
491 * again with a different IdP, or cancel the current SSO attempt.
492 */
494 "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
495 "provided by the Service Provider '${state['core:SP']}'."
496 );
497
498 $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
499 $state['saml:sp:AuthId'] = $this->authId;
501 }
502 }
static warning($string)
Definition: Logger.php:179
static askForIdPChange(array &$state)
Ask the user to log out before being able to log in again with a different identity provider.
Definition: SP.php:521
getIdPMetadata($entityId)
Retrieve the metadata of an IdP.
Definition: SP.php:108

References SimpleSAML_Auth_Source\$authId, $data, $mdh, $session, $state, askForIdPChange(), getIdPMetadata(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Logger\warning().

+ Here is the call graph for this function:

◆ reauthLogout()

static sspmod_saml_Auth_Source_SP::reauthLogout ( array  $state)
static

Log the user out before logging in again.

This method will never return.

Parameters
array$stateThe state array.

Definition at line 548 of file SP.php.

549 {
550 SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
551
552 if (isset($state['Responder'])) {
553 $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
554 }
555 $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
556
558 $idp->handleLogoutRequest($state, null);
559 assert('false');
560 }
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:152

References $idp, $state, SimpleSAML\Logger\debug(), and SimpleSAML_IdP\getByState().

+ Here is the call graph for this function:

◆ reauthPostLogin()

static sspmod_saml_Auth_Source_SP::reauthPostLogin ( array  $state)
static

Complete login operation after re-authenticating the user on another IdP.

Parameters
array$stateThe authentication state.

Definition at line 568 of file SP.php.

568 {
569 assert('isset($state["ReturnCallback"])');
570
571 // Update session state
573 $authId = $state['saml:sp:AuthId'];
575
576 // resume the login process
577 call_user_func($state['ReturnCallback'], $state);
578 assert('FALSE');
579 }

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), and SimpleSAML_Session\getSessionFromRequest().

+ Here is the call graph for this function:

◆ sendSAML2AuthnRequest()

sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest ( array &  $state,
\SAML2\Binding  $binding,
\SAML2\AuthnRequest  $ar 
)

Function to actually send the authentication request.

This function does not return.

Parameters
array&$stateThe state array.
\SAML2\Binding$bindingThe binding.
\SAML2\AuthnRequest$arThe authentication request.

Definition at line 316 of file SP.php.

316 {
317 $binding->send($ar);
318 assert('FALSE');
319 }
$binding

References $binding.

Referenced by startSSO2().

+ Here is the caller graph for this function:

◆ startDisco()

sspmod_saml_Auth_Source_SP::startDisco ( array  $state)
private

Start an IdP discovery service operation.

Parameters
array$stateThe state array.

Definition at line 353 of file SP.php.

353 {
354
356
358
360 if ($discoURL === NULL) {
361 /* Fallback to internal discovery service. */
362 $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
363 }
364
365 $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
366
367 $params = array(
368 'entityID' => $this->entityId,
369 'return' => $returnTo,
370 'returnIDParam' => 'idpentityid'
371 );
372
373 if(isset($state['saml:IDPList'])) {
374 $params['IDPList'] = $state['saml:IDPList'];
375 }
376
377 if (isset($state['isPassive']) && $state['isPassive']) {
378 $params['isPassive'] = 'true';
379 }
380
382 }
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
$params
Definition: disable.php:11

References $config, $discoURL, $id, $params, $returnTo, $state, SimpleSAML_Configuration\getInstance(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSLO2()

sspmod_saml_Auth_Source_SP::startSLO2 ( $state)

Start a SAML 2 logout operation.

Parameters
array$stateThe logout state.

Definition at line 612 of file SP.php.

612 {
613 assert('is_array($state)');
614 assert('array_key_exists("saml:logout:IdP", $state)');
615 assert('array_key_exists("saml:logout:NameID", $state)');
616 assert('array_key_exists("saml:logout:SessionIndex", $state)');
617
619
620 $idp = $state['saml:logout:IdP'];
621 $nameId = $state['saml:logout:NameID'];
622 $sessionIndex = $state['saml:logout:SessionIndex'];
623
625
626 $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
627 \SAML2\Constants::BINDING_HTTP_REDIRECT,
628 \SAML2\Constants::BINDING_HTTP_POST), FALSE);
629 if ($endpoint === FALSE) {
630 SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, TRUE) . '.');
631 return;
632 }
633
635 $lr->setNameId($nameId);
636 $lr->setSessionIndex($sessionIndex);
637 $lr->setRelayState($id);
638 $lr->setDestination($endpoint['Location']);
639
640 $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', NULL);
641 if ($encryptNameId === NULL) {
642 $encryptNameId = $this->metadata->getBoolean('nameid.encryption', FALSE);
643 }
644 if ($encryptNameId) {
646 }
647
648 $b = \SAML2\Binding::getBinding($endpoint['Binding']);
649 $b->send($lr);
650
651 assert('FALSE');
652 }
$endpoint
static getBinding($urn)
Retrieve a binding with the given URN.
Definition: Binding.php:28
static info($string)
Definition: Logger.php:201
static buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
Build a logout request based on information in the metadata.
Definition: Message.php:501
static getEncryptionKey(SimpleSAML_Configuration $metadata)
Retrieve the encryption key for the given entity.
Definition: Message.php:829
$nameId
Definition: saml2-acs.php:138
$sessionIndex
Definition: saml2-acs.php:139
$lr
$encryptNameId

References $encryptNameId, $endpoint, $id, $idp, $idpMetadata, $lr, $nameId, $sessionIndex, $state, sspmod_saml_Message\buildLogoutRequest(), SAML2\Binding\getBinding(), sspmod_saml_Message\getEncryptionKey(), getIdPMetadata(), SimpleSAML\Logger\info(), and SimpleSAML_Auth_State\saveState().

Referenced by logout().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO()

sspmod_saml_Auth_Source_SP::startSSO (   $idp,
array  $state 
)

Send a SSO request to an IdP.

Parameters
string$idpThe entity ID of the IdP.
array$stateThe state array for the current authentication.

Definition at line 328 of file SP.php.

328 {
329 assert('is_string($idp)');
330
332
333 $type = $idpMetadata->getString('metadata-set');
334 switch ($type) {
335 case 'shib13-idp-remote':
337 assert('FALSE'); /* Should not return. */
338 case 'saml20-idp-remote':
340 assert('FALSE'); /* Should not return. */
341 default:
342 /* Should only be one of the known types. */
343 assert('FALSE');
344 }
345 }
startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML2 SSO request to an IdP.
Definition: SP.php:182
startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML1 SSO request to an IdP.
Definition: SP.php:145
$type

References $idp, $idpMetadata, $type, getIdPMetadata(), startSSO1(), and startSSO2().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO1()

sspmod_saml_Auth_Source_SP::startSSO1 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML1 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 145 of file SP.php.

145 {
146
147 $idpEntityId = $idpMetadata->getString('entityid');
148
149 $state['saml:idp'] = $idpEntityId;
150
151 $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
152 $ar->setIssuer($this->entityId);
153
155 $ar->setRelayState($id);
156
157 $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', NULL);
158 if ($useArtifact === NULL) {
159 $useArtifact = $this->metadata->getBoolean('saml1.useartifact', FALSE);
160 }
161
162 if ($useArtifact) {
163 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
164 } else {
165 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
166 }
167
168 $url = $ar->createRedirect($idpEntityId, $shire);
169
170 SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
171 ' from ' . var_export($this->entityId, TRUE) . '.');
173 }

References $id, $idpEntityId, $idpMetadata, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO2()

sspmod_saml_Auth_Source_SP::startSSO2 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML2 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 182 of file SP.php.

182 {
183
184 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
186 $state,
187 new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
188 );
189 }
190
192 // ilias-patch: begin
193 // see: https://bugs.launchpad.net/mahara/+bug/1689685
194 // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
195 $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
196 // ilias-patch: end
197
198 if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
199 $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
200 }
201
202 if (isset($state['saml:AuthnContextClassRef'])) {
203 $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
205 if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
206 SAML2\Constants::COMPARISON_EXACT,
207 SAML2\Constants::COMPARISON_MINIMUM,
208 SAML2\Constants::COMPARISON_MAXIMUM,
209 SAML2\Constants::COMPARISON_BETTER,
210 ), true)) {
211 $comp = $state['saml:AuthnContextComparison'];
212 }
213 $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
214 }
215
216 if (isset($state['ForceAuthn'])) {
217 $ar->setForceAuthn((bool)$state['ForceAuthn']);
218 }
219
220 if (isset($state['isPassive'])) {
221 $ar->setIsPassive((bool)$state['isPassive']);
222 }
223
224 if (isset($state['saml:NameID'])) {
225 if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
226 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
227 }
228 $ar->setNameId($state['saml:NameID']);
229 }
230
231 if (isset($state['saml:NameIDPolicy'])) {
232 if (is_string($state['saml:NameIDPolicy'])) {
233 $policy = array(
234 'Format' => (string)$state['saml:NameIDPolicy'],
235 'AllowCreate' => TRUE,
236 );
237 } elseif (is_array($state['saml:NameIDPolicy'])) {
238 $policy = $state['saml:NameIDPolicy'];
239 } else {
240 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
241 }
242 $ar->setNameIdPolicy($policy);
243 }
244
245 if (isset($state['saml:IDPList'])) {
246 $IDPList = $state['saml:IDPList'];
247 } else {
248 $IDPList = array();
249 }
250
251 $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
252 $idpMetadata->getArray('IDPList', array()),
253 (array) $IDPList)));
254
255 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
256 $ar->setProxyCount($state['saml:ProxyCount']);
257 } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
258 $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
259 } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
260 $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
261 }
262
263 $requesterID = array();
264 if (isset($state['saml:RequesterID'])) {
265 $requesterID = $state['saml:RequesterID'];
266 }
267
268 if (isset($state['core:SP'])) {
269 $requesterID[] = $state['core:SP'];
270 }
271
272 $ar->setRequesterID($requesterID);
273
274 if (isset($state['saml:Extensions'])) {
275 $ar->setExtensions($state['saml:Extensions']);
276 }
277
278 // save IdP entity ID as part of the state
279 $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
280
281 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
282 $ar->setId($id);
283
284 SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), TRUE));
285
286 /* Select appropriate SSO endpoint */
287 if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
288 $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
289 \SAML2\Constants::BINDING_HOK_SSO)
290 );
291 } else {
292 $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
293 \SAML2\Constants::BINDING_HTTP_REDIRECT,
294 \SAML2\Constants::BINDING_HTTP_POST)
295 );
296 }
297 $ar->setDestination($dst['Location']);
298
299 $b = \SAML2\Binding::getBinding($dst['Binding']);
300
301 $this->sendSAML2AuthnRequest($state, $b, $ar);
302
303 assert('FALSE');
304 }
const COMPARISON_EXACT
Request Authentication Context Comparison indicating that the resulting authentication context in the...
Definition: Constants.php:78
static arrayize($data, $index=0)
Put a non-array variable into an array.
Definition: Arrays.php:24
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
Function to actually send the authentication request.
Definition: SP.php:316
static buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
Build an authentication request based on information in the metadata.
Definition: Message.php:431
$dst

References $dst, $id, $idpMetadata, $state, SimpleSAML\Utils\Arrays\arrayize(), sspmod_saml_Message\buildAuthnRequest(), SAML2\Constants\COMPARISON_EXACT, SimpleSAML\Logger\debug(), SAML2\Binding\getBinding(), SimpleSAML_Auth_State\saveState(), sendSAML2AuthnRequest(), and SimpleSAML_Auth_State\throwException().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

Field Documentation

◆ $discoURL

sspmod_saml_Auth_Source_SP::$discoURL
private

Definition at line 34 of file SP.php.

Referenced by startDisco().

◆ $entityId

sspmod_saml_Auth_Source_SP::$entityId
private

Definition at line 10 of file SP.php.

Referenced by getEntityId(), and getIdPMetadata().

◆ $idp

sspmod_saml_Auth_Source_SP::$idp
private

◆ $metadata

sspmod_saml_Auth_Source_SP::$metadata
private

Definition at line 18 of file SP.php.

Referenced by getMetadata().


The documentation for this class was generated from the following file: