ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
Public Member Functions | Static Public Member Functions | Private Member Functions | Private Attributes
sspmod_saml_Auth_Source_SP Class Reference
+ Inheritance diagram for sspmod_saml_Auth_Source_SP:
+ Collaboration diagram for sspmod_saml_Auth_Source_SP:

Public Member Functions

 __construct ($info, $config)
 Constructor for SAML SP authentication source. More...
 
 getMetadataURL ()
 Retrieve the URL to the metadata of this SP. More...
 
 getEntityId ()
 Retrieve the entity id of this SP. More...
 
 getMetadata ()
 Retrieve the metadata of this SP. More...
 
 getIdPMetadata ($entityId)
 Retrieve the metadata of an IdP. More...
 
 sendSAML2AuthnRequest (array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
 Function to actually send the authentication request. More...
 
 startSSO ($idp, array $state)
 Send a SSO request to an IdP. More...
 
 authenticate (&$state)
 Start login. More...
 
 reauthenticate (array &$state)
 Re-authenticate an user. More...
 
 startSLO2 (&$state)
 Start a SAML 2 logout operation. More...
 
 logout (&$state)
 Start logout operation. More...
 
 handleResponse (array $state, $idp, array $attributes)
 Handle a response from a SSO operation. More...
 
 handleLogout ($idpEntityId)
 Handle a logout request from an IdP. More...
 
- Public Member Functions inherited from SimpleSAML_Auth_Source
 __construct ($info, &$config)
 Constructor for an authentication source. More...
 
 getAuthId ()
 Retrieve the ID of this authentication source. More...
 
 authenticate (&$state)
 Process a request. More...
 
 reauthenticate (array &$state)
 Reauthenticate an user. More...
 
 initLogin ($return, $errorURL=null, array $params=array())
 Start authentication. More...
 
 logout (&$state)
 Log out from this authentication source. More...
 

Static Public Member Functions

static askForIdPChange (array &$state)
 Ask the user to log out before being able to log in again with a different identity provider. More...
 
static reauthLogout (array $state)
 Log the user out before logging in again. More...
 
static reauthPostLogin (array $state)
 Complete login operation after re-authenticating the user on another IdP. More...
 
static handleUnsolicitedAuth ($authId, array $state, $redirectTo)
 Handle an unsolicited login operations. More...
 
static onProcessingCompleted (array $authProcState)
 Called when we have completed the procssing chain. More...
 
- Static Public Member Functions inherited from SimpleSAML_Auth_Source
static getSourcesOfType ($type)
 Get sources of a specific type. More...
 
static completeAuth (&$state)
 Complete authentication. More...
 
static loginCompleted ($state)
 Called when a login operation has finished. More...
 
static completeLogout (&$state)
 Complete logout. More...
 
static getById ($authId, $type=null)
 Retrieve authentication source. More...
 
static logoutCallback ($state)
 Called when the authentication source receives an external logout request. More...
 
static getSources ()
 Retrieve list of authentication sources. More...
 

Private Member Functions

 startSSO1 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML1 SSO request to an IdP. More...
 
 startSSO2 (SimpleSAML_Configuration $idpMetadata, array $state)
 Send a SAML2 SSO request to an IdP. More...
 
 startDisco (array $state)
 Start an IdP discovery service operation. More...
 

Private Attributes

 $entityId
 
 $metadata
 
 $idp
 
 $discoURL
 

Additional Inherited Members

- Protected Member Functions inherited from SimpleSAML_Auth_Source
 addLogoutCallback ($assoc, $state)
 Add a logout callback association. More...
 
 callLogoutCallback ($assoc)
 Call a logout callback based on association. More...
 
- Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static validateSource ($source, $id)
 Make sure that the first element of an auth source is its identifier. More...
 
- Protected Attributes inherited from SimpleSAML_Auth_Source
 $authId
 

Detailed Description

Definition at line 3 of file SP.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_saml_Auth_Source_SP::__construct (   $info,
  $config 
)

Constructor for SAML SP authentication source.

Parameters
array$infoInformation about this authentication source.
array$configConfiguration.

Definition at line 43 of file SP.php.

43 {
44 assert('is_array($info)');
45 assert('is_array($config)');
46
47 // Call the parent constructor first, as required by the interface
48 parent::__construct($info, $config);
49
50 if (!isset($config['entityID'])) {
51 $config['entityID'] = $this->getMetadataURL();
52 }
53
54 /* For compatibility with code that assumes that $metadata->getString('entityid') gives the entity id. */
55 $config['entityid'] = $config['entityID'];
56
57 $this->metadata = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . ']');
58 $this->entityId = $this->metadata->getString('entityID');
59 $this->idp = $this->metadata->getString('idp', NULL);
60 $this->discoURL = $this->metadata->getString('discoURL', NULL);
61
62 if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
63 $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
64 }
65 }
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:269
sspmod_saml_Auth_Source_SP\getMetadataURL
getMetadataURL()
Retrieve the URL to the metadata of this SP.
Definition: SP.php:73
$info
$info
Definition: index.php:5
SimpleSAML
Attribute-related utility methods.

References $config, $info, getMetadataURL(), SimpleSAML\Module\getModuleURL(), and SimpleSAML_Configuration\loadFromArray().

+ Here is the call graph for this function:

Member Function Documentation

◆ askForIdPChange()

static sspmod_saml_Auth_Source_SP::askForIdPChange ( array &  $state)
static

Ask the user to log out before being able to log in again with a different identity provider.

Note that this method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP and an IdP at the same time.

This method will never return.

Parameters
array$stateThe state array. The following keys must be defined in the array:
  • 'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated the user in the current session.
  • 'saml:sp:AuthId': the identifier of the current authentication source.
  • 'core:IdP': the identifier of the local IdP.
  • 'SPMetadata': an array with the metadata of this local SP.
Exceptions
SimpleSAML_Error_NoPassiveIn case the authentication request was passive.

Definition at line 521 of file SP.php.

522 {
523 assert('array_key_exists("saml:sp:IdPMetadata", $state)');
524 assert('array_key_exists("saml:sp:AuthId", $state)');
525 assert('array_key_exists("core:IdP", $state)');
526 assert('array_key_exists("SPMetadata", $state)');
527
528 if (isset($state['isPassive']) && (bool)$state['isPassive']) {
529 // passive request, we cannot authenticate the user
530 throw new SimpleSAML_Error_NoPassive('Reauthentication required');
531 }
532
533 // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
534 $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
535 $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
536 SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
537 assert('false');
538 }
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
SimpleSAML_Error_NoPassive
Class SimpleSAML_Error_NoPassive.
Definition: NoPassive.php:12
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$url
$url
Definition: proxy_ylocal.php:28

References $id, $state, $url, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by reauthenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ authenticate()

sspmod_saml_Auth_Source_SP::authenticate ( $state)

Start login.

This function saves the information about the login, and redirects to the IdP.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 392 of file SP.php.

392 {
393 assert('is_array($state)');
394
395 /* We are going to need the authId in order to retrieve this authentication source later. */
396 $state['saml:sp:AuthId'] = $this->authId;
397
398 $idp = $this->idp;
399
400 if (isset($state['saml:idp'])) {
401 $idp = (string)$state['saml:idp'];
402 }
403
404 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
405 // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
406 $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
407 $known_idps = $mdh->getList();
408 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
409
410 if (empty($intersection)) { // all requested IdPs are unknown
411 throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
412 \SAML2\Constants::STATUS_REQUESTER,
413 'None of the IdPs requested are supported by this proxy.'
414 );
415 }
416
417 if (!is_null($idp) && !in_array($idp, $intersection, true)) { // the IdP is enforced but not in the IDPList
418 throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
419 \SAML2\Constants::STATUS_REQUESTER,
420 'None of the IdPs requested are available to this proxy.'
421 );
422 }
423
424 if (is_null($idp) && sizeof($intersection) === 1) { // only one IdP requested or valid
425 $idp = current($state['saml:IDPList']);
426 }
427 }
428
429 if ($idp === NULL) {
430 $this->startDisco($state);
431 assert('FALSE');
432 }
433
434 $this->startSSO($idp, $state);
435 assert('FALSE');
436 }
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:22
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
sspmod_saml_Auth_Source_SP\startSSO
startSSO($idp, array $state)
Send a SSO request to an IdP.
Definition: SP.php:328
sspmod_saml_Auth_Source_SP\startDisco
startDisco(array $state)
Start an IdP discovery service operation.
Definition: SP.php:353
sspmod_saml_Auth_Source_SP\$idp
$idp
Definition: SP.php:26
$mdh
$mdh
Definition: logout-iframe.php:23

References SimpleSAML_Auth_Source\$authId, $idp, $mdh, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), startDisco(), and startSSO().

+ Here is the call graph for this function:

◆ getEntityId()

sspmod_saml_Auth_Source_SP::getEntityId ( )

Retrieve the entity id of this SP.

Returns
string The entity id of this SP.

Definition at line 84 of file SP.php.

84 {
85
86 return $this->entityId;
87 }
sspmod_saml_Auth_Source_SP\$entityId
$entityId
Definition: SP.php:10

References $entityId.

◆ getIdPMetadata()

sspmod_saml_Auth_Source_SP::getIdPMetadata (   $entityId)

Retrieve the metadata of an IdP.

Parameters
string$entityIdThe entity id of the IdP.
Returns
SimpleSAML_Configuration The metadata of the IdP.

Definition at line 108 of file SP.php.

108 {
109 assert('is_string($entityId)');
110
111 if ($this->idp !== NULL && $this->idp !== $entityId) {
112 throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' . var_export($entityId, TRUE) .
113 ' because it isn\'t a valid IdP for this SP.');
114 }
115
116 $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
117
118 // First, look in saml20-idp-remote.
119 try {
120 return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
121 } catch (Exception $e) {
122 /* Metadata wasn't found. */
123 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
124 }
125
126 /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
127 try {
128 return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
129 } catch (Exception $e) {
130 /* Metadata wasn't found. */
131 SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
132 }
133
134 /* Not found. */
135 throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' . var_export($entityId, TRUE));
136 }
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:213
SimpleSAML_Error_Exception
Definition: Exception.php:13

References $entityId, SimpleSAML\Logger\debug(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

Referenced by reauthenticate(), startSLO2(), and startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getMetadata()

sspmod_saml_Auth_Source_SP::getMetadata ( )

Retrieve the metadata of this SP.

Returns
SimpleSAML_Configuration The metadata of this SP.

Definition at line 95 of file SP.php.

95 {
96
97 return $this->metadata;
98
99 }
sspmod_saml_Auth_Source_SP\$metadata
$metadata
Definition: SP.php:18

References $metadata.

◆ getMetadataURL()

sspmod_saml_Auth_Source_SP::getMetadataURL ( )

Retrieve the URL to the metadata of this SP.

Returns
string The metadata URL.

Definition at line 73 of file SP.php.

73 {
74
75 return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
76 }

References SimpleSAML\Module\getModuleURL().

Referenced by __construct().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ handleLogout()

sspmod_saml_Auth_Source_SP::handleLogout (   $idpEntityId)

Handle a logout request from an IdP.

Parameters
string$idpEntityIdThe entity ID of the IdP.

Definition at line 729 of file SP.php.

729 {
730 assert('is_string($idpEntityId)');
731
732 /* Call the logout callback we registered in onProcessingCompleted(). */
733 $this->callLogoutCallback($idpEntityId);
734 }
SimpleSAML_Auth_Source\callLogoutCallback
callLogoutCallback($assoc)
Call a logout callback based on association.
Definition: Source.php:439
$idpEntityId
$idpEntityId
Definition: prp.php:12

References $idpEntityId, and SimpleSAML_Auth_Source\callLogoutCallback().

+ Here is the call graph for this function:

◆ handleResponse()

sspmod_saml_Auth_Source_SP::handleResponse ( array  $state,
  $idp,
array  $attributes 
)

Handle a response from a SSO operation.

Parameters
array$stateThe authentication state.
string$idpThe entity id of the IdP.
array$attributesThe attributes.

Definition at line 686 of file SP.php.

686 {
687 assert('is_string($idp)');
688 assert('array_key_exists("LogoutState", $state)');
689 assert('array_key_exists("saml:logout:Type", $state["LogoutState"])');
690
691 $idpMetadata = $this->getIdpMetadata($idp);
692
693 $spMetadataArray = $this->metadata->toArray();
694 $idpMetadataArray = $idpMetadata->toArray();
695
696 /* Save the IdP in the state array. */
697 $state['saml:sp:IdP'] = $idp;
698 $state['PersistentAuthData'][] = 'saml:sp:IdP';
699
700 $authProcState = array(
701 'saml:sp:IdP' => $idp,
702 'saml:sp:State' => $state,
703 'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
704
705 'Attributes' => $attributes,
706 'Destination' => $spMetadataArray,
707 'Source' => $idpMetadataArray,
708 );
709
710 if (isset($state['saml:sp:NameID'])) {
711 $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
712 }
713 if (isset($state['saml:sp:SessionIndex'])) {
714 $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
715 }
716
717 $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
718 $pc->processState($authProcState);
719
720 self::onProcessingCompleted($authProcState);
721 }
SimpleSAML_Auth_ProcessingChain
Definition: ProcessingChain.php:13
sspmod_saml_Auth_Source_SP\onProcessingCompleted
static onProcessingCompleted(array $authProcState)
Called when we have completed the procssing chain.
Definition: SP.php:765
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
$attributes
$attributes
Definition: serviceValidate.php:33

References $attributes, $idp, $idpMetadata, $state, and onProcessingCompleted().

+ Here is the call graph for this function:

◆ handleUnsolicitedAuth()

static sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth (   $authId,
array  $state,
  $redirectTo 
)
static

Handle an unsolicited login operations.

This method creates a session from the information received. It will then redirect to the given URL. This is used to handle IdP initiated SSO. This method will never return.

Parameters
string$authIdThe id of the authentication source that received the request.
array$stateA state array.
string$redirectToThe URL we should redirect the user to after updating the session. The function will check if the URL is allowed, so there is no need to manually check the URL on beforehand. Please refer to the 'trusted.url.domains' configuration directive for more information about allowing (or disallowing) URLs.

Definition at line 749 of file SP.php.

749 {
750 assert('is_string($authId)');
751 assert('is_string($redirectTo)');
752
753 $session = SimpleSAML_Session::getSessionFromRequest();
754 $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
755
756 \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
757 }
SimpleSAML\Utils\HTTP\redirectUntrustedURL
static redirectUntrustedURL($url, $parameters=array())
This function redirects to the specified URL after performing the appropriate security checks on it.
Definition: HTTP.php:994
SimpleSAML_Auth_State\getPersistentAuthData
static getPersistentAuthData(array $state)
Get the persistent authentication state from the state array.
Definition: State.php:103
SimpleSAML_Session\getSessionFromRequest
static getSessionFromRequest()
Retrieves the current session.
Definition: Session.php:243
$session
$session
Definition: proxy_ylocal.php:32

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Utils\HTTP\redirectUntrustedURL().

Referenced by SimpleSAML_Auth_Default\handleUnsolicitedAuth(), and onProcessingCompleted().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ logout()

sspmod_saml_Auth_Source_SP::logout ( $state)

Start logout operation.

Parameters
array$stateThe logout state.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 660 of file SP.php.

660 {
661 assert('is_array($state)');
662 assert('array_key_exists("saml:logout:Type", $state)');
663
664 $logoutType = $state['saml:logout:Type'];
665 switch ($logoutType) {
666 case 'saml1':
667 /* Nothing to do. */
668 return;
669 case 'saml2':
670 $this->startSLO2($state);
671 return;
672 default:
673 /* Should never happen. */
674 assert('FALSE');
675 }
676 }
sspmod_saml_Auth_Source_SP\startSLO2
startSLO2(&$state)
Start a SAML 2 logout operation.
Definition: SP.php:612

References $state, and startSLO2().

+ Here is the call graph for this function:

◆ onProcessingCompleted()

static sspmod_saml_Auth_Source_SP::onProcessingCompleted ( array  $authProcState)
static

Called when we have completed the procssing chain.

Parameters
array$authProcStateThe processing chain state.

Definition at line 765 of file SP.php.

765 {
766 assert('array_key_exists("saml:sp:IdP", $authProcState)');
767 assert('array_key_exists("saml:sp:State", $authProcState)');
768 assert('array_key_exists("Attributes", $authProcState)');
769
770 $idp = $authProcState['saml:sp:IdP'];
771 $state = $authProcState['saml:sp:State'];
772
773 $sourceId = $state['saml:sp:AuthId'];
774 $source = SimpleSAML_Auth_Source::getById($sourceId);
775 if ($source === NULL) {
776 throw new Exception('Could not find authentication source with id ' . $sourceId);
777 }
778
779 /* Register a callback that we can call if we receive a logout request from the IdP. */
780 $source->addLogoutCallback($idp, $state);
781
782 $state['Attributes'] = $authProcState['Attributes'];
783
784 if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
785 if (!empty($state['saml:sp:RelayState'])) {
786 $redirectTo = $state['saml:sp:RelayState'];
787 } else {
788 $redirectTo = $source->getMetadata()->getString('RelayState', '/');
789 }
790 self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
791 }
792
793 SimpleSAML_Auth_Source::completeAuth($state);
794 }
$sourceId
if(!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) $sourceId
Definition: linkback.php:20
$source
$source
Definition: linkback.php:22
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135
sspmod_saml_Auth_Source_SP\handleUnsolicitedAuth
static handleUnsolicitedAuth($authId, array $state, $redirectTo)
Handle an unsolicited login operations.
Definition: SP.php:749

References $idp, $source, $sourceId, $state, SimpleSAML_Auth_Source\completeAuth(), SimpleSAML_Auth_Source\getById(), and handleUnsolicitedAuth().

Referenced by handleResponse().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ reauthenticate()

sspmod_saml_Auth_Source_SP::reauthenticate ( array &  $state)

Re-authenticate an user.

This function is called by the IdP to give the authentication source a chance to interact with the user even in the case when the user is already authenticated.

Parameters
array&$stateInformation about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 447 of file SP.php.

447 {
448 assert('is_array($state)');
449
450 $session = SimpleSAML_Session::getSessionFromRequest();
451 $data = $session->getAuthState($this->authId);
452 foreach ($data as $k => $v) {
453 $state[$k] = $v;
454 }
455
456 // check if we have an IDPList specified in the request
457 if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
458 !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
459 {
460 /*
461 * The user has an existing, valid session. However, the SP provided a list of IdPs it accepts for
462 * authentication, and the IdP the existing session is related to is not in that list.
463 *
464 * First, check if we recognize any of the IdPs requested.
465 */
466
467 $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
468 $known_idps = $mdh->getList();
469 $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
470
471 if (empty($intersection)) { // all requested IdPs are unknown
472 throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
473 \SAML2\Constants::STATUS_REQUESTER,
474 'None of the IdPs requested are supported by this proxy.'
475 );
476 }
477
478 /*
479 * We have at least one IdP in the IDPList that we recognize, and it's not the one currently in use. Let's
480 * see if this proxy enforces the use of one single IdP.
481 */
482 if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) { // an IdP is enforced but not requested
483 throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
484 \SAML2\Constants::STATUS_REQUESTER,
485 'None of the IdPs requested are available to this proxy.'
486 );
487 }
488
489 /*
490 * We need to inform the user, and ask whether we should logout before starting the authentication process
491 * again with a different IdP, or cancel the current SSO attempt.
492 */
493 SimpleSAML\Logger::warning(
494 "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
495 "provided by the Service Provider '${state['core:SP']}'."
496 );
497
498 $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
499 $state['saml:sp:AuthId'] = $this->authId;
500 self::askForIdPChange($state);
501 }
502 }
SimpleSAML\Logger\warning
static warning($string)
Definition: Logger.php:179
sspmod_saml_Auth_Source_SP\askForIdPChange
static askForIdPChange(array &$state)
Ask the user to log out before being able to log in again with a different identity provider.
Definition: SP.php:521
sspmod_saml_Auth_Source_SP\getIdPMetadata
getIdPMetadata($entityId)
Retrieve the metadata of an IdP.
Definition: SP.php:108

References SimpleSAML_Auth_Source\$authId, $data, $mdh, $session, $state, askForIdPChange(), getIdPMetadata(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Logger\warning().

+ Here is the call graph for this function:

◆ reauthLogout()

static sspmod_saml_Auth_Source_SP::reauthLogout ( array  $state)
static

Log the user out before logging in again.

This method will never return.

Parameters
array$stateThe state array.

Definition at line 548 of file SP.php.

549 {
550 SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
551
552 if (isset($state['Responder'])) {
553 $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
554 }
555 $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
556
557 $idp = SimpleSAML_IdP::getByState($state);
558 $idp->handleLogoutRequest($state, null);
559 assert('false');
560 }
SimpleSAML_IdP\getByState
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:152

References $idp, $state, SimpleSAML\Logger\debug(), and SimpleSAML_IdP\getByState().

+ Here is the call graph for this function:

◆ reauthPostLogin()

static sspmod_saml_Auth_Source_SP::reauthPostLogin ( array  $state)
static

Complete login operation after re-authenticating the user on another IdP.

Parameters
array$stateThe authentication state.

Definition at line 568 of file SP.php.

568 {
569 assert('isset($state["ReturnCallback"])');
570
571 // Update session state
572 $session = SimpleSAML_Session::getSessionFromRequest();
573 $authId = $state['saml:sp:AuthId'];
574 $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
575
576 // resume the login process
577 call_user_func($state['ReturnCallback'], $state);
578 assert('FALSE');
579 }

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), and SimpleSAML_Session\getSessionFromRequest().

+ Here is the call graph for this function:

◆ sendSAML2AuthnRequest()

sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest ( array &  $state,
\SAML2\Binding  $binding,
\SAML2\AuthnRequest  $ar 
)

Function to actually send the authentication request.

This function does not return.

Parameters
array&$stateThe state array.
\SAML2\Binding$bindingThe binding.
\SAML2\AuthnRequest$arThe authentication request.

Definition at line 316 of file SP.php.

316 {
317 $binding->send($ar);
318 assert('FALSE');
319 }
$binding
$binding
Definition: logout-iframe-post.php:55

References $binding.

Referenced by startSSO2().

+ Here is the caller graph for this function:

◆ startDisco()

sspmod_saml_Auth_Source_SP::startDisco ( array  $state)
private

Start an IdP discovery service operation.

Parameters
array$stateThe state array.

Definition at line 353 of file SP.php.

353 {
354
355 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
356
357 $config = SimpleSAML_Configuration::getInstance();
358
359 $discoURL = $this->discoURL;
360 if ($discoURL === NULL) {
361 /* Fallback to internal discovery service. */
362 $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
363 }
364
365 $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
366
367 $params = array(
368 'entityID' => $this->entityId,
369 'return' => $returnTo,
370 'returnIDParam' => 'idpentityid'
371 );
372
373 if(isset($state['saml:IDPList'])) {
374 $params['IDPList'] = $state['saml:IDPList'];
375 }
376
377 if (isset($state['isPassive']) && $state['isPassive']) {
378 $params['isPassive'] = 'true';
379 }
380
381 \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
382 }
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:297
sspmod_saml_Auth_Source_SP\$discoURL
$discoURL
Definition: SP.php:34
$params
$params
Definition: disable.php:11

References $config, $discoURL, $id, $params, $returnTo, $state, SimpleSAML_Configuration\getInstance(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSLO2()

sspmod_saml_Auth_Source_SP::startSLO2 ( $state)

Start a SAML 2 logout operation.

Parameters
array$stateThe logout state.

Definition at line 612 of file SP.php.

612 {
613 assert('is_array($state)');
614 assert('array_key_exists("saml:logout:IdP", $state)');
615 assert('array_key_exists("saml:logout:NameID", $state)');
616 assert('array_key_exists("saml:logout:SessionIndex", $state)');
617
618 $id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
619
620 $idp = $state['saml:logout:IdP'];
621 $nameId = $state['saml:logout:NameID'];
622 $sessionIndex = $state['saml:logout:SessionIndex'];
623
624 $idpMetadata = $this->getIdPMetadata($idp);
625
626 $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
627 \SAML2\Constants::BINDING_HTTP_REDIRECT,
628 \SAML2\Constants::BINDING_HTTP_POST), FALSE);
629 if ($endpoint === FALSE) {
630 SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, TRUE) . '.');
631 return;
632 }
633
634 $lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
635 $lr->setNameId($nameId);
636 $lr->setSessionIndex($sessionIndex);
637 $lr->setRelayState($id);
638 $lr->setDestination($endpoint['Location']);
639
640 $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', NULL);
641 if ($encryptNameId === NULL) {
642 $encryptNameId = $this->metadata->getBoolean('nameid.encryption', FALSE);
643 }
644 if ($encryptNameId) {
645 $lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
646 }
647
648 $b = \SAML2\Binding::getBinding($endpoint['Binding']);
649 $b->send($lr);
650
651 assert('FALSE');
652 }
$endpoint
$endpoint
Definition: attributeserver.php:23
SAML2\Binding\getBinding
static getBinding($urn)
Retrieve a binding with the given URN.
Definition: Binding.php:28
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
sspmod_saml_Message\buildLogoutRequest
static buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
Build a logout request based on information in the metadata.
Definition: Message.php:501
sspmod_saml_Message\getEncryptionKey
static getEncryptionKey(SimpleSAML_Configuration $metadata)
Retrieve the encryption key for the given entity.
Definition: Message.php:829
$nameId
$nameId
Definition: saml2-acs.php:138
$sessionIndex
$sessionIndex
Definition: saml2-acs.php:139
$lr
$lr
Definition: logout-iframe-post.php:29
$encryptNameId
$encryptNameId
Definition: logout-iframe-post.php:39

References $encryptNameId, $endpoint, $id, $idp, $idpMetadata, $lr, $nameId, $sessionIndex, $state, sspmod_saml_Message\buildLogoutRequest(), SAML2\Binding\getBinding(), sspmod_saml_Message\getEncryptionKey(), getIdPMetadata(), SimpleSAML\Logger\info(), and SimpleSAML_Auth_State\saveState().

Referenced by logout().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO()

sspmod_saml_Auth_Source_SP::startSSO (   $idp,
array  $state 
)

Send a SSO request to an IdP.

Parameters
string$idpThe entity ID of the IdP.
array$stateThe state array for the current authentication.

Definition at line 328 of file SP.php.

328 {
329 assert('is_string($idp)');
330
331 $idpMetadata = $this->getIdPMetadata($idp);
332
333 $type = $idpMetadata->getString('metadata-set');
334 switch ($type) {
335 case 'shib13-idp-remote':
336 $this->startSSO1($idpMetadata, $state);
337 assert('FALSE'); /* Should not return. */
338 case 'saml20-idp-remote':
339 $this->startSSO2($idpMetadata, $state);
340 assert('FALSE'); /* Should not return. */
341 default:
342 /* Should only be one of the known types. */
343 assert('FALSE');
344 }
345 }
sspmod_saml_Auth_Source_SP\startSSO2
startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML2 SSO request to an IdP.
Definition: SP.php:182
sspmod_saml_Auth_Source_SP\startSSO1
startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML1 SSO request to an IdP.
Definition: SP.php:145
$type
$type
Definition: proxy_ylocal.php:10

References $idp, $idpMetadata, $type, getIdPMetadata(), startSSO1(), and startSSO2().

Referenced by authenticate().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO1()

sspmod_saml_Auth_Source_SP::startSSO1 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML1 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 145 of file SP.php.

145 {
146
147 $idpEntityId = $idpMetadata->getString('entityid');
148
149 $state['saml:idp'] = $idpEntityId;
150
151 $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
152 $ar->setIssuer($this->entityId);
153
154 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
155 $ar->setRelayState($id);
156
157 $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', NULL);
158 if ($useArtifact === NULL) {
159 $useArtifact = $this->metadata->getBoolean('saml1.useartifact', FALSE);
160 }
161
162 if ($useArtifact) {
163 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
164 } else {
165 $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
166 }
167
168 $url = $ar->createRedirect($idpEntityId, $shire);
169
170 SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
171 ' from ' . var_export($this->entityId, TRUE) . '.');
172 \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
173 }

References $id, $idpEntityId, $idpMetadata, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ startSSO2()

sspmod_saml_Auth_Source_SP::startSSO2 ( SimpleSAML_Configuration  $idpMetadata,
array  $state 
)
private

Send a SAML2 SSO request to an IdP.

Parameters
SimpleSAML_Configuration$idpMetadataThe metadata of the IdP.
array$stateThe state array for the current authentication.

Definition at line 182 of file SP.php.

182 {
183
184 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
185 SimpleSAML_Auth_State::throwException(
186 $state,
187 new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
188 );
189 }
190
191 $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
192 // ilias-patch: begin
193 // see: https://bugs.launchpad.net/mahara/+bug/1689685
194 // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
195 $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
196 // ilias-patch: end
197
198 if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
199 $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
200 }
201
202 if (isset($state['saml:AuthnContextClassRef'])) {
203 $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
204 $comp = SAML2\Constants::COMPARISON_EXACT;
205 if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
206 SAML2\Constants::COMPARISON_EXACT,
207 SAML2\Constants::COMPARISON_MINIMUM,
208 SAML2\Constants::COMPARISON_MAXIMUM,
209 SAML2\Constants::COMPARISON_BETTER,
210 ), true)) {
211 $comp = $state['saml:AuthnContextComparison'];
212 }
213 $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
214 }
215
216 if (isset($state['ForceAuthn'])) {
217 $ar->setForceAuthn((bool)$state['ForceAuthn']);
218 }
219
220 if (isset($state['isPassive'])) {
221 $ar->setIsPassive((bool)$state['isPassive']);
222 }
223
224 if (isset($state['saml:NameID'])) {
225 if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
226 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
227 }
228 $ar->setNameId($state['saml:NameID']);
229 }
230
231 if (isset($state['saml:NameIDPolicy'])) {
232 if (is_string($state['saml:NameIDPolicy'])) {
233 $policy = array(
234 'Format' => (string)$state['saml:NameIDPolicy'],
235 'AllowCreate' => TRUE,
236 );
237 } elseif (is_array($state['saml:NameIDPolicy'])) {
238 $policy = $state['saml:NameIDPolicy'];
239 } else {
240 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
241 }
242 $ar->setNameIdPolicy($policy);
243 }
244
245 if (isset($state['saml:IDPList'])) {
246 $IDPList = $state['saml:IDPList'];
247 } else {
248 $IDPList = array();
249 }
250
251 $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
252 $idpMetadata->getArray('IDPList', array()),
253 (array) $IDPList)));
254
255 if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
256 $ar->setProxyCount($state['saml:ProxyCount']);
257 } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
258 $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
259 } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
260 $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
261 }
262
263 $requesterID = array();
264 if (isset($state['saml:RequesterID'])) {
265 $requesterID = $state['saml:RequesterID'];
266 }
267
268 if (isset($state['core:SP'])) {
269 $requesterID[] = $state['core:SP'];
270 }
271
272 $ar->setRequesterID($requesterID);
273
274 if (isset($state['saml:Extensions'])) {
275 $ar->setExtensions($state['saml:Extensions']);
276 }
277
278 // save IdP entity ID as part of the state
279 $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
280
281 $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
282 $ar->setId($id);
283
284 SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), TRUE));
285
286 /* Select appropriate SSO endpoint */
287 if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
288 $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
289 \SAML2\Constants::BINDING_HOK_SSO)
290 );
291 } else {
292 $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
293 \SAML2\Constants::BINDING_HTTP_REDIRECT,
294 \SAML2\Constants::BINDING_HTTP_POST)
295 );
296 }
297 $ar->setDestination($dst['Location']);
298
299 $b = \SAML2\Binding::getBinding($dst['Binding']);
300
301 $this->sendSAML2AuthnRequest($state, $b, $ar);
302
303 assert('FALSE');
304 }
SAML2\Constants\COMPARISON_EXACT
const COMPARISON_EXACT
Request Authentication Context Comparison indicating that the resulting authentication context in the...
Definition: Constants.php:78
SimpleSAML\Utils\Arrays\arrayize
static arrayize($data, $index=0)
Put a non-array variable into an array.
Definition: Arrays.php:24
SimpleSAML_Auth_State\throwException
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
sspmod_saml_Auth_Source_SP\sendSAML2AuthnRequest
sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
Function to actually send the authentication request.
Definition: SP.php:316
sspmod_saml_Message\buildAuthnRequest
static buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
Build an authentication request based on information in the metadata.
Definition: Message.php:431
$dst
$dst
Definition: logout-iframe-post.php:54

References $dst, $id, $idpMetadata, $state, SimpleSAML\Utils\Arrays\arrayize(), sspmod_saml_Message\buildAuthnRequest(), SAML2\Constants\COMPARISON_EXACT, SimpleSAML\Logger\debug(), SAML2\Binding\getBinding(), SimpleSAML_Auth_State\saveState(), sendSAML2AuthnRequest(), and SimpleSAML_Auth_State\throwException().

Referenced by startSSO().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

Field Documentation

◆ $discoURL

sspmod_saml_Auth_Source_SP::$discoURL
private

Definition at line 34 of file SP.php.

Referenced by startDisco().

◆ $entityId

sspmod_saml_Auth_Source_SP::$entityId
private

Definition at line 10 of file SP.php.

Referenced by getEntityId(), and getIdPMetadata().

◆ $idp

sspmod_saml_Auth_Source_SP::$idp
private

Definition at line 26 of file SP.php.

Referenced by authenticate(), handleResponse(), onProcessingCompleted(), reauthLogout(), startSLO2(), and startSSO().

◆ $metadata

sspmod_saml_Auth_Source_SP::$metadata
private

Definition at line 18 of file SP.php.

Referenced by getMetadata().

The documentation for this class was generated from the following file: