ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
All Data Structures Namespaces Files Functions Variables Typedefs Modules Pages
SP.php
Go to the documentation of this file.
1 <?php
2 
3 class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source {
4 
10  private $entityId;
11 
12 
18  private $metadata;
19 
20 
26  private $idp;
27 
28 
34  private $discoURL;
35 
36 
43  public function __construct($info, $config) {
44  assert('is_array($info)');
45  assert('is_array($config)');
46 
47  // Call the parent constructor first, as required by the interface
48  parent::__construct($info, $config);
49 
50  if (!isset($config['entityID'])) {
51  $config['entityID'] = $this->getMetadataURL();
52  }
53 
54  /* For compatibility with code that assumes that $metadata->getString('entityid') gives the entity id. */
55  $config['entityid'] = $config['entityID'];
56 
57  $this->metadata = SimpleSAML_Configuration::loadFromArray($config, 'authsources[' . var_export($this->authId, TRUE) . ']');
58  $this->entityId = $this->metadata->getString('entityID');
59  $this->idp = $this->metadata->getString('idp', NULL);
60  $this->discoURL = $this->metadata->getString('discoURL', NULL);
61 
62  if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
63  $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
64  }
65  }
66 
67 
73  public function getMetadataURL() {
74 
75  return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
76  }
77 
78 
84  public function getEntityId() {
85 
86  return $this->entityId;
87  }
88 
89 
95  public function getMetadata() {
96 
97  return $this->metadata;
98 
99  }
100 
101 
108  public function getIdPMetadata($entityId) {
109  assert('is_string($entityId)');
110 
111  if ($this->idp !== NULL && $this->idp !== $entityId) {
112  throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' . var_export($entityId, TRUE) .
113  ' because it isn\'t a valid IdP for this SP.');
114  }
115 
116  $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
117 
118  // First, look in saml20-idp-remote.
119  try {
120  return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
121  } catch (Exception $e) {
122  /* Metadata wasn't found. */
123  SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
124  }
125 
126  /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
127  try {
128  return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
129  } catch (Exception $e) {
130  /* Metadata wasn't found. */
131  SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
132  }
133 
134  /* Not found. */
135  throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' . var_export($entityId, TRUE));
136  }
137 
138 
145  private function startSSO1(SimpleSAML_Configuration $idpMetadata, array $state) {
146 
147  $idpEntityId = $idpMetadata->getString('entityid');
148 
149  $state['saml:idp'] = $idpEntityId;
150 
151  $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
152  $ar->setIssuer($this->entityId);
153 
154  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
155  $ar->setRelayState($id);
156 
157  $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', NULL);
158  if ($useArtifact === NULL) {
159  $useArtifact = $this->metadata->getBoolean('saml1.useartifact', FALSE);
160  }
161 
162  if ($useArtifact) {
163  $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
164  } else {
165  $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
166  }
167 
168  $url = $ar->createRedirect($idpEntityId, $shire);
169 
170  SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, TRUE) .
171  ' from ' . var_export($this->entityId, TRUE) . '.');
172  \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
173  }
174 
175 
182  private function startSSO2(SimpleSAML_Configuration $idpMetadata, array $state) {
183 
184  if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
185  SimpleSAML_Auth_State::throwException(
186  $state,
187  new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
188  );
189  }
190 
191  $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
192  // ilias-patch: begin
193  // see: https://bugs.launchpad.net/mahara/+bug/1689685
194  // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
195  $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
196  // ilias-patch: end
197 
198  if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
199  $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
200  }
201 
202  if (isset($state['saml:AuthnContextClassRef'])) {
203  $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
204  $comp = SAML2\Constants::COMPARISON_EXACT;
205  if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
206  SAML2\Constants::COMPARISON_EXACT,
207  SAML2\Constants::COMPARISON_MINIMUM,
208  SAML2\Constants::COMPARISON_MAXIMUM,
209  SAML2\Constants::COMPARISON_BETTER,
210  ), true)) {
211  $comp = $state['saml:AuthnContextComparison'];
212  }
213  $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
214  }
215 
216  if (isset($state['ForceAuthn'])) {
217  $ar->setForceAuthn((bool)$state['ForceAuthn']);
218  }
219 
220  if (isset($state['isPassive'])) {
221  $ar->setIsPassive((bool)$state['isPassive']);
222  }
223 
224  if (isset($state['saml:NameID'])) {
225  if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
226  throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
227  }
228  $ar->setNameId($state['saml:NameID']);
229  }
230 
231  if (isset($state['saml:NameIDPolicy'])) {
232  if (is_string($state['saml:NameIDPolicy'])) {
233  $policy = array(
234  'Format' => (string)$state['saml:NameIDPolicy'],
235  'AllowCreate' => TRUE,
236  );
237  } elseif (is_array($state['saml:NameIDPolicy'])) {
238  $policy = $state['saml:NameIDPolicy'];
239  } else {
240  throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
241  }
242  $ar->setNameIdPolicy($policy);
243  }
244 
245  if (isset($state['saml:IDPList'])) {
246  $IDPList = $state['saml:IDPList'];
247  } else {
248  $IDPList = array();
249  }
250 
251  $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
252  $idpMetadata->getArray('IDPList', array()),
253  (array) $IDPList)));
254 
255  if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
256  $ar->setProxyCount($state['saml:ProxyCount']);
257  } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
258  $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
259  } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
260  $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
261  }
262 
263  $requesterID = array();
264  if (isset($state['saml:RequesterID'])) {
265  $requesterID = $state['saml:RequesterID'];
266  }
267 
268  if (isset($state['core:SP'])) {
269  $requesterID[] = $state['core:SP'];
270  }
271 
272  $ar->setRequesterID($requesterID);
273 
274  if (isset($state['saml:Extensions'])) {
275  $ar->setExtensions($state['saml:Extensions']);
276  }
277 
278  // save IdP entity ID as part of the state
279  $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
280 
281  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', TRUE);
282  $ar->setId($id);
283 
284  SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' . var_export($idpMetadata->getString('entityid'), TRUE));
285 
286  /* Select appropriate SSO endpoint */
287  if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
288  $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
289  \SAML2\Constants::BINDING_HOK_SSO)
290  );
291  } else {
292  $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
293  \SAML2\Constants::BINDING_HTTP_REDIRECT,
294  \SAML2\Constants::BINDING_HTTP_POST)
295  );
296  }
297  $ar->setDestination($dst['Location']);
298 
299  $b = \SAML2\Binding::getBinding($dst['Binding']);
300 
301  $this->sendSAML2AuthnRequest($state, $b, $ar);
302 
303  assert('FALSE');
304  }
305 
306 
316  public function sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar) {
317  $binding->send($ar);
318  assert('FALSE');
319  }
320 
321 
328  public function startSSO($idp, array $state) {
329  assert('is_string($idp)');
330 
331  $idpMetadata = $this->getIdPMetadata($idp);
332 
333  $type = $idpMetadata->getString('metadata-set');
334  switch ($type) {
335  case 'shib13-idp-remote':
336  $this->startSSO1($idpMetadata, $state);
337  assert('FALSE'); /* Should not return. */
338  case 'saml20-idp-remote':
339  $this->startSSO2($idpMetadata, $state);
340  assert('FALSE'); /* Should not return. */
341  default:
342  /* Should only be one of the known types. */
343  assert('FALSE');
344  }
345  }
346 
347 
353  private function startDisco(array $state) {
354 
355  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
356 
357  $config = SimpleSAML_Configuration::getInstance();
358 
359  $discoURL = $this->discoURL;
360  if ($discoURL === NULL) {
361  /* Fallback to internal discovery service. */
362  $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
363  }
364 
365  $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
366 
367  $params = array(
368  'entityID' => $this->entityId,
369  'return' => $returnTo,
370  'returnIDParam' => 'idpentityid'
371  );
372 
373  if(isset($state['saml:IDPList'])) {
374  $params['IDPList'] = $state['saml:IDPList'];
375  }
376 
377  if (isset($state['isPassive']) && $state['isPassive']) {
378  $params['isPassive'] = 'true';
379  }
380 
381  \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
382  }
383 
384 
392  public function authenticate(&$state) {
393  assert('is_array($state)');
394 
395  /* We are going to need the authId in order to retrieve this authentication source later. */
396  $state['saml:sp:AuthId'] = $this->authId;
397 
398  $idp = $this->idp;
399 
400  if (isset($state['saml:idp'])) {
401  $idp = (string)$state['saml:idp'];
402  }
403 
404  if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
405  // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
406  $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
407  $known_idps = $mdh->getList();
408  $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
409 
410  if (empty($intersection)) { // all requested IdPs are unknown
411  throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
412  \SAML2\Constants::STATUS_REQUESTER,
413  'None of the IdPs requested are supported by this proxy.'
414  );
415  }
416 
417  if (!is_null($idp) && !in_array($idp, $intersection, true)) { // the IdP is enforced but not in the IDPList
418  throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
419  \SAML2\Constants::STATUS_REQUESTER,
420  'None of the IdPs requested are available to this proxy.'
421  );
422  }
423 
424  if (is_null($idp) && sizeof($intersection) === 1) { // only one IdP requested or valid
425  $idp = current($state['saml:IDPList']);
426  }
427  }
428 
429  if ($idp === NULL) {
430  $this->startDisco($state);
431  assert('FALSE');
432  }
433 
434  $this->startSSO($idp, $state);
435  assert('FALSE');
436  }
437 
438 
447  public function reauthenticate(array &$state) {
448  assert('is_array($state)');
449 
450  $session = SimpleSAML_Session::getSessionFromRequest();
451  $data = $session->getAuthState($this->authId);
452  foreach ($data as $k => $v) {
453  $state[$k] = $v;
454  }
455 
456  // check if we have an IDPList specified in the request
457  if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
458  !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
459  {
460  /*
461  * The user has an existing, valid session. However, the SP provided a list of IdPs it accepts for
462  * authentication, and the IdP the existing session is related to is not in that list.
463  *
464  * First, check if we recognize any of the IdPs requested.
465  */
466 
467  $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
468  $known_idps = $mdh->getList();
469  $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
470 
471  if (empty($intersection)) { // all requested IdPs are unknown
472  throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
473  \SAML2\Constants::STATUS_REQUESTER,
474  'None of the IdPs requested are supported by this proxy.'
475  );
476  }
477 
478  /*
479  * We have at least one IdP in the IDPList that we recognize, and it's not the one currently in use. Let's
480  * see if this proxy enforces the use of one single IdP.
481  */
482  if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) { // an IdP is enforced but not requested
483  throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
484  \SAML2\Constants::STATUS_REQUESTER,
485  'None of the IdPs requested are available to this proxy.'
486  );
487  }
488 
489  /*
490  * We need to inform the user, and ask whether we should logout before starting the authentication process
491  * again with a different IdP, or cancel the current SSO attempt.
492  */
493  SimpleSAML\Logger::warning(
494  "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
495  "provided by the Service Provider '${state['core:SP']}'."
496  );
497 
498  $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
499  $state['saml:sp:AuthId'] = $this->authId;
500  self::askForIdPChange($state);
501  }
502  }
503 
504 
521  public static function askForIdPChange(array &$state)
522  {
523  assert('array_key_exists("saml:sp:IdPMetadata", $state)');
524  assert('array_key_exists("saml:sp:AuthId", $state)');
525  assert('array_key_exists("core:IdP", $state)');
526  assert('array_key_exists("SPMetadata", $state)');
527 
528  if (isset($state['isPassive']) && (bool)$state['isPassive']) {
529  // passive request, we cannot authenticate the user
530  throw new SimpleSAML_Error_NoPassive('Reauthentication required');
531  }
532 
533  // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
534  $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
535  $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
536  SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
537  assert('false');
538  }
539 
540 
548  public static function reauthLogout(array $state)
549  {
550  SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
551 
552  if (isset($state['Responder'])) {
553  $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
554  }
555  $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
556 
557  $idp = SimpleSAML_IdP::getByState($state);
558  $idp->handleLogoutRequest($state, null);
559  assert('false');
560  }
561 
562 
568  public static function reauthPostLogin(array $state) {
569  assert('isset($state["ReturnCallback"])');
570 
571  // Update session state
572  $session = SimpleSAML_Session::getSessionFromRequest();
573  $authId = $state['saml:sp:AuthId'];
574  $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
575 
576  // resume the login process
577  call_user_func($state['ReturnCallback'], $state);
578  assert('FALSE');
579  }
580 
581 
590  public static function reauthPostLogout(SimpleSAML_IdP $idp, array $state) {
591  assert('isset($state["saml:sp:AuthId"])');
592 
593  SimpleSAML\Logger::debug('Proxy: logout completed.');
594 
595  if (isset($state['saml:proxy:reauthLogout:PrevResponder'])) {
596  $state['Responder'] = $state['saml:proxy:reauthLogout:PrevResponder'];
597  }
598 
599  $sp = SimpleSAML_Auth_Source::getById($state['saml:sp:AuthId'], 'sspmod_saml_Auth_Source_SP');
601  SimpleSAML\Logger::debug('Proxy: logging in again.');
602  $sp->authenticate($state);
603  assert('false');
604  }
605 
606 
612  public function startSLO2(&$state) {
613  assert('is_array($state)');
614  assert('array_key_exists("saml:logout:IdP", $state)');
615  assert('array_key_exists("saml:logout:NameID", $state)');
616  assert('array_key_exists("saml:logout:SessionIndex", $state)');
617 
618  $id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
619 
620  $idp = $state['saml:logout:IdP'];
621  $nameId = $state['saml:logout:NameID'];
622  $sessionIndex = $state['saml:logout:SessionIndex'];
623 
624  $idpMetadata = $this->getIdPMetadata($idp);
625 
626  $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
627  \SAML2\Constants::BINDING_HTTP_REDIRECT,
628  \SAML2\Constants::BINDING_HTTP_POST), FALSE);
629  if ($endpoint === FALSE) {
630  SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, TRUE) . '.');
631  return;
632  }
633 
634  $lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
635  $lr->setNameId($nameId);
636  $lr->setSessionIndex($sessionIndex);
637  $lr->setRelayState($id);
638  $lr->setDestination($endpoint['Location']);
639 
640  $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', NULL);
641  if ($encryptNameId === NULL) {
642  $encryptNameId = $this->metadata->getBoolean('nameid.encryption', FALSE);
643  }
644  if ($encryptNameId) {
645  $lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
646  }
647 
648  $b = \SAML2\Binding::getBinding($endpoint['Binding']);
649  $b->send($lr);
650 
651  assert('FALSE');
652  }
653 
654 
660  public function logout(&$state) {
661  assert('is_array($state)');
662  assert('array_key_exists("saml:logout:Type", $state)');
663 
664  $logoutType = $state['saml:logout:Type'];
665  switch ($logoutType) {
666  case 'saml1':
667  /* Nothing to do. */
668  return;
669  case 'saml2':
670  $this->startSLO2($state);
671  return;
672  default:
673  /* Should never happen. */
674  assert('FALSE');
675  }
676  }
677 
678 
686  public function handleResponse(array $state, $idp, array $attributes) {
687  assert('is_string($idp)');
688  assert('array_key_exists("LogoutState", $state)');
689  assert('array_key_exists("saml:logout:Type", $state["LogoutState"])');
690 
691  $idpMetadata = $this->getIdpMetadata($idp);
692 
693  $spMetadataArray = $this->metadata->toArray();
694  $idpMetadataArray = $idpMetadata->toArray();
695 
696  /* Save the IdP in the state array. */
697  $state['saml:sp:IdP'] = $idp;
698  $state['PersistentAuthData'][] = 'saml:sp:IdP';
699 
700  $authProcState = array(
701  'saml:sp:IdP' => $idp,
702  'saml:sp:State' => $state,
703  'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
704 
705  'Attributes' => $attributes,
706  'Destination' => $spMetadataArray,
707  'Source' => $idpMetadataArray,
708  );
709 
710  if (isset($state['saml:sp:NameID'])) {
711  $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
712  }
713  if (isset($state['saml:sp:SessionIndex'])) {
714  $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
715  }
716 
717  $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
718  $pc->processState($authProcState);
719 
720  self::onProcessingCompleted($authProcState);
721  }
722 
723 
729  public function handleLogout($idpEntityId) {
730  assert('is_string($idpEntityId)');
731 
732  /* Call the logout callback we registered in onProcessingCompleted(). */
733  $this->callLogoutCallback($idpEntityId);
734  }
735 
736 
749  public static function handleUnsolicitedAuth($authId, array $state, $redirectTo) {
750  assert('is_string($authId)');
751  assert('is_string($redirectTo)');
752 
753  $session = SimpleSAML_Session::getSessionFromRequest();
754  $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
755 
756  \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
757  }
758 
759 
765  public static function onProcessingCompleted(array $authProcState) {
766  assert('array_key_exists("saml:sp:IdP", $authProcState)');
767  assert('array_key_exists("saml:sp:State", $authProcState)');
768  assert('array_key_exists("Attributes", $authProcState)');
769 
770  $idp = $authProcState['saml:sp:IdP'];
771  $state = $authProcState['saml:sp:State'];
772 
773  $sourceId = $state['saml:sp:AuthId'];
774  $source = SimpleSAML_Auth_Source::getById($sourceId);
775  if ($source === NULL) {
776  throw new Exception('Could not find authentication source with id ' . $sourceId);
777  }
778 
779  /* Register a callback that we can call if we receive a logout request from the IdP. */
780  $source->addLogoutCallback($idp, $state);
781 
782  $state['Attributes'] = $authProcState['Attributes'];
783 
784  if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
785  if (!empty($state['saml:sp:RelayState'])) {
786  $redirectTo = $state['saml:sp:RelayState'];
787  } else {
788  $redirectTo = $source->getMetadata()->getString('RelayState', '/');
789  }
790  self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
791  }
792 
793  SimpleSAML_Auth_Source::completeAuth($state);
794  }
795 
796 }
SAML2\Constants\BINDING_HOK_SSO
const BINDING_HOK_SSO
The URN for the Holder-of-Key Web Browser SSO Profile binding.
Definition: Constants.php:50
$params
$params
Definition: disable.php:11
sspmod_saml_Auth_Source_SP\startDisco
startDisco(array $state)
Start an IdP discovery service operation.
Definition: SP.php:353
sspmod_saml_Auth_Source_SP\askForIdPChange
static askForIdPChange(array &$state)
Ask the user to log out before being able to log in again with a different identity provider...
Definition: SP.php:521
string
Add rich text string
Definition: 05featuredemo.inc.php:117
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
$dst
$dst
Definition: logout-iframe-post.php:54
SimpleSAML_IdP\getByState
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:152
SimpleSAML_Configuration\getArray
getArray($name, $default=self::REQUIRED_OPTION)
This function retrieves an array configuration option.
Definition: Configuration.php:857
$idpEntityId
$idpEntityId
Definition: prp.php:12
$type
$type
Definition: proxy_ylocal.php:10
SimpleSAML\Utils\Arrays\arrayize
static arrayize($data, $index=0)
Put a non-array variable into an array.
Definition: Arrays.php:24
SimpleSAML_Auth_Source\callLogoutCallback
callLogoutCallback($assoc)
Call a logout callback based on association.
Definition: Source.php:439
SimpleSAML_Auth_State\throwException
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
SAML2\Binding\getBinding
static getBinding($urn)
Retrieve a binding with the given URN.
Definition: Binding.php:28
$endpoint
$endpoint
Definition: attributeserver.php:23
sspmod_saml_Auth_Source_SP\$entityId
$entityId
Definition: SP.php:10
sspmod_saml_Auth_Source_SP\getEntityId
getEntityId()
Retrieve the entity id of this SP.
Definition: SP.php:84
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:213
SimpleSAML_Error_Exception
Definition: Exception.php:12
$session
$session
Definition: proxy_ylocal.php:32
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:22
sspmod_saml_Auth_Source_SP\$metadata
$metadata
Definition: SP.php:18
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$sessionIndex
$sessionIndex
Definition: saml2-acs.php:139
sspmod_saml_Auth_Source_SP\$idp
$idp
Definition: SP.php:26
$attributes
$attributes
Definition: serviceValidate.php:33
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
sspmod_saml_Auth_Source_SP\reauthPostLogin
static reauthPostLogin(array $state)
Complete login operation after re-authenticating the user on another IdP.
Definition: SP.php:568
sspmod_saml_Message\buildLogoutRequest
static buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
Build a logout request based on information in the metadata.
Definition: Message.php:501
sspmod_saml_Auth_Source_SP
Definition: SP.php:3
sspmod_saml_Message\buildAuthnRequest
static buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
Build an authentication request based on information in the metadata.
Definition: Message.php:431
sspmod_saml_Auth_Source_SP\reauthLogout
static reauthLogout(array $state)
Log the user out before logging in again.
Definition: SP.php:548
sspmod_saml_Auth_Source_SP\getMetadataURL
getMetadataURL()
Retrieve the URL to the metadata of this SP.
Definition: SP.php:73
SimpleSAML\Utils\HTTP\redirectUntrustedURL
static redirectUntrustedURL($url, $parameters=array())
This function redirects to the specified URL after performing the appropriate security checks on it...
Definition: HTTP.php:994
$nameId
$nameId
Definition: saml2-acs.php:138
$encryptNameId
$encryptNameId
Definition: logout-iframe-post.php:39
sspmod_saml_Auth_Source_SP\reauthenticate
reauthenticate(array &$state)
Re-authenticate an user.
Definition: SP.php:447
SimpleSAML_Error_NoPassive
Class SimpleSAML_Error_NoPassive.
Definition: NoPassive.php:12
$mdh
$mdh
Definition: logout-iframe.php:23
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
sspmod_saml_Auth_Source_SP\authenticate
authenticate(&$state)
Start login.
Definition: SP.php:392
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML
Attribute-related utility methods.
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
$sourceId
if(!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) $sourceId
Definition: linkback.php:20
sspmod_saml_Auth_Source_SP\onProcessingCompleted
static onProcessingCompleted(array $authProcState)
Called when we have completed the procssing chain.
Definition: SP.php:765
sspmod_saml_Auth_Source_SP\logout
logout(&$state)
Start logout operation.
Definition: SP.php:660
SimpleSAML_Configuration\getDefaultEndpoint
getDefaultEndpoint($endpointType, array $bindings=null, $default=self::REQUIRED_OPTION)
Find the default endpoint of the given type.
Definition: Configuration.php:1222
SimpleSAML\Logger\warning
static warning($string)
Definition: Logger.php:179
SimpleSAML_Configuration
SAML2\Constants\COMPARISON_EXACT
const COMPARISON_EXACT
Request Authentication Context Comparison indicating that the resulting authentication context in the...
Definition: Constants.php:78
sspmod_saml_Auth_Source_SP\__construct
__construct($info, $config)
Constructor for SAML SP authentication source.
Definition: SP.php:43
sspmod_saml_Auth_Source_SP\startSSO
startSSO($idp, array $state)
Send a SSO request to an IdP.
Definition: SP.php:328
sspmod_saml_Auth_Source_SP\sendSAML2AuthnRequest
sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
Function to actually send the authentication request.
Definition: SP.php:316
sspmod_saml_Auth_Source_SP\getIdPMetadata
getIdPMetadata($entityId)
Retrieve the metadata of an IdP.
Definition: SP.php:108
sspmod_saml_Auth_Source_SP\handleResponse
handleResponse(array $state, $idp, array $attributes)
Handle a response from a SSO operation.
Definition: SP.php:686
SimpleSAML_Configuration\getBoolean
getBoolean($name, $default=self::REQUIRED_OPTION)
This function retrieves a boolean configuration option.
Definition: Configuration.php:648
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
sspmod_saml_Auth_Source_SP\startSLO2
startSLO2(&$state)
Start a SAML 2 logout operation.
Definition: SP.php:612
SimpleSAML_Configuration\getInteger
getInteger($name, $default=self::REQUIRED_OPTION)
This function retrieves an integer configuration option.
Definition: Configuration.php:724
sspmod_saml_Message\getEncryptionKey
static getEncryptionKey(SimpleSAML_Configuration $metadata)
Retrieve the encryption key for the given entity.
Definition: Message.php:829
SimpleSAML_IdP
Definition: IdP.php:11
sspmod_saml_Auth_Source_SP\getMetadata
getMetadata()
Retrieve the metadata of this SP.
Definition: SP.php:95
SimpleSAML_Auth_State\getPersistentAuthData
static getPersistentAuthData(array $state)
Get the persistent authentication state from the state array.
Definition: State.php:103
sspmod_saml_Auth_Source_SP\handleUnsolicitedAuth
static handleUnsolicitedAuth($authId, array $state, $redirectTo)
Handle an unsolicited login operations.
Definition: SP.php:749
$lr
$lr
Definition: logout-iframe-post.php:29
SimpleSAML_Configuration\getString
getString($name, $default=self::REQUIRED_OPTION)
This function retrieves a string configuration option.
Definition: Configuration.php:686
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
SimpleSAML_Auth_ProcessingChain
Definition: ProcessingChain.php:13
sspmod_saml_Auth_Source_SP\$discoURL
$discoURL
Definition: SP.php:34
$url
$url
Definition: proxy_ylocal.php:28
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135
sspmod_saml_Auth_Source_SP\handleLogout
handleLogout($idpEntityId)
Handle a logout request from an IdP.
Definition: SP.php:729
$source
$source
Definition: linkback.php:22
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
$info
$info
Definition: index.php:5
$binding
$binding
Definition: logout-iframe-post.php:55
sspmod_saml_Auth_Source_SP\startSSO2
startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML2 SSO request to an IdP.
Definition: SP.php:182
SimpleSAML_Session\getSessionFromRequest
static getSessionFromRequest()
Retrieves the current session.
Definition: Session.php:243
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:269
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
SimpleSAML_Configuration\getInstance
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
Definition: Configuration.php:297
sspmod_saml_Auth_Source_SP\startSSO1
startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML1 SSO request to an IdP.
Definition: SP.php:145
SimpleSAML_Auth_Source
Definition: Source.php:12