Collaboration diagram for SimpleSAML_IdP:

Public Member Functions
	getId ()
	Retrieve the ID of this IdP. More...

	getConfig ()
	Retrieve the configuration for this IdP. More...

	getSPName ($assocId)
	Get SP name. More...

	addAssociation (array $association)
	Add an SP association. More...

	getAssociations ()
	Retrieve list of SP associations. More...

	terminateAssociation ($assocId)
	Remove an SP association. More...

	isAuthenticated ()
	Is the current user authenticated? More...

	handleAuthenticationRequest (array &$state)
	Process authentication requests. More...

	getLogoutHandler ()
	Find the logout handler of this IdP. More...

	finishLogout (array &$state)
	Finish the logout operation. More...

	handleLogoutRequest (array &$state, $assocId)
	Process a logout request. More...

	handleLogoutResponse ($assocId, $relayState, SimpleSAML_Error_Exception $error=null)
	Process a logout response. More...

	doLogoutRedirect ($url)
	Log out, then redirect to a URL. More...

Static Public Member Functions
static	getById ($id)
	Retrieve an IdP by ID. More...

static	getByState (array &$state)
	Retrieve the IdP "owning" the state. More...

static	postAuthProc (array $state)
	Called after authproc has run. More...

static	postAuth (array $state)
	The user is authenticated. More...

static	finishLogoutRedirect (SimpleSAML_IdP $idp, array $state)
	Redirect to a URL after logout. More...

Private Member Functions
	__construct ($id)
	Initialize an IdP. More...

	authenticate (array &$state)
	Authenticate the user. More...

	reauthenticate (array &$state)
	Re-authenticate the user. More...

Private Attributes
	$id

	$associationGroup

	$config

	$authSource

Static Private Attributes
static	$idpCache = array()

Detailed Description

Definition at line 11 of file IdP.php.

Constructor & Destructor Documentation

◆ __construct()

SimpleSAML_IdP::__construct ( $id )

private

Initialize an IdP.

Parameters

string $id The identifier of this IdP.

Exceptions

SimpleSAML_Error_Exception If the IdP is disabled or no such auth source was found.

Definition at line 64 of file IdP.php.

References $auth, $globalConfig, $id, $metadata, SimpleSAML_Auth_Source\getById(), SimpleSAML_Configuration\getInstance(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

     {
         assert('is_string($id)');
 
         $this->id = $id;
 
         $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
         $globalConfig = SimpleSAML_Configuration::getInstance();
 
         if (substr($id, 0, 6) === 'saml2:') {
             if (!$globalConfig->getBoolean('enable.saml20-idp', false)) {
                 throw new SimpleSAML_Error_Exception('enable.saml20-idp disabled in config.php.');
             }
             $this->config = $metadata->getMetaDataConfig(substr($id, 6), 'saml20-idp-hosted');
         } elseif (substr($id, 0, 6) === 'saml1:') {
             if (!$globalConfig->getBoolean('enable.shib13-idp', false)) {
                 throw new SimpleSAML_Error_Exception('enable.shib13-idp disabled in config.php.');
             }
             $this->config = $metadata->getMetaDataConfig(substr($id, 6), 'shib13-idp-hosted');
         } elseif (substr($id, 0, 5) === 'adfs:') {
             if (!$globalConfig->getBoolean('enable.adfs-idp', false)) {
                 throw new SimpleSAML_Error_Exception('enable.adfs-idp disabled in config.php.');
             }
             $this->config = $metadata->getMetaDataConfig(substr($id, 5), 'adfs-idp-hosted');
 
             try {
                 // this makes the ADFS IdP use the same SP associations as the SAML 2.0 IdP
                 $saml2EntityId = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
                 $this->associationGroup = 'saml2:'.$saml2EntityId;
             } catch (Exception $e) {
                 // probably no SAML 2 IdP configured for this host. Ignore the error
             }
         } else {
             assert(false);
         }
 
         if ($this->associationGroup === null) {
             $this->associationGroup = $this->id;
         }
 
         $auth = $this->config->getString('auth');
         if (SimpleSAML_Auth_Source::getById($auth) !== null) {
             $this->authSource = new \SimpleSAML\Auth\Simple($auth);
         } else {
             throw new SimpleSAML_Error_Exception('No such "'.$auth.'" auth source found.');
         }
     }

Here is the call graph for this function:

Member Function Documentation

◆ addAssociation()

SimpleSAML_IdP::addAssociation ( array $association )

Add an SP association.

Parameters

array $association The SP association.

Definition at line 219 of file IdP.php.

References $id, $session, and SimpleSAML_Session\getSessionFromRequest().

     {
         assert('isset($association["id"])');
         assert('isset($association["Handler"])');
 
         $association['core:IdP'] = $this->id;
 
         $session = SimpleSAML_Session::getSessionFromRequest();
         $session->addAssociation($this->associationGroup, $association);
     }

Here is the call graph for this function:

◆ authenticate()

SimpleSAML_IdP::authenticate ( array & $state )

private

Authenticate the user.

This function authenticates the user.

Parameters

array &$state The authentication request state.

Exceptions

SimpleSAML_Error_NoPassive If we were asked to do passive authentication.

Definition at line 346 of file IdP.php.

Referenced by handleAuthenticationRequest().

     {
         if (isset($state['isPassive']) && (bool) $state['isPassive']) {
             throw new SimpleSAML_Error_NoPassive('Passive authentication not supported.');
         }
 
         $this->authSource->login($state);
     }

Here is the caller graph for this function:

◆ doLogoutRedirect()

SimpleSAML_IdP::doLogoutRedirect ( $url )

Log out, then redirect to a URL.

This function never returns.

Parameters

string $url The URL the user should be returned to after logout.

Definition at line 536 of file IdP.php.

References $state, $url, array, and handleLogoutRequest().

Referenced by sspmod_adfs_IdP_ADFS\receiveLogoutMessage().

     {
         assert('is_string($url)');
 
         $state = array(
             'Responder'       => array('SimpleSAML_IdP', 'finishLogoutRedirect'),
             'core:Logout:URL' => $url,
         );
 
         $this->handleLogoutRequest($state, null);
         assert('false');
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ finishLogout()

SimpleSAML_IdP::finishLogout ( array & $state )

Finish the logout operation.

This function will never return.

Parameters

array &$state The logout request state.

Definition at line 460 of file IdP.php.

References $idp, and getByState().

     {
         assert('isset($state["Responder"])');
 
         $idp = SimpleSAML_IdP::getByState($state);
         call_user_func($state['Responder'], $idp, $state);
         assert('false');
     }

Here is the call graph for this function:

◆ finishLogoutRedirect()

static SimpleSAML_IdP::finishLogoutRedirect	(	SimpleSAML_IdP	$idp,
		array	$state
	)

static

Redirect to a URL after logout.

This function never returns.

Parameters

SimpleSAML_IdP	$idp	Deprecated. Will be removed.
array	&$state	The logout state from doLogoutRedirect().

Definition at line 558 of file IdP.php.

References SimpleSAML\Utils\HTTP\redirectTrustedURL().

     {
         assert('isset($state["core:Logout:URL"])');
 
         \SimpleSAML\Utils\HTTP::redirectTrustedURL($state['core:Logout:URL']);
         assert('false');
     }

Here is the call graph for this function:

◆ getAssociations()

SimpleSAML_IdP::getAssociations ( )

Retrieve list of SP associations.

Returns: array List of SP associations.

Definition at line 236 of file IdP.php.

References $session, and SimpleSAML_Session\getSessionFromRequest().

     {
         $session = SimpleSAML_Session::getSessionFromRequest();
         return $session->getAssociations($this->associationGroup);
     }

Here is the call graph for this function:

◆ getById()

static SimpleSAML_IdP::getById ( $id )

static

Retrieve an IdP by ID.

Parameters

string $id The identifier of the IdP.

Returns: SimpleSAML_IdP The IdP.

Definition at line 131 of file IdP.php.

References $id, and $idp.

     {
         assert('is_string($id)');
 
         if (isset(self::$idpCache[$id])) {
             return self::$idpCache[$id];
         }
 
         $idp = new self($id);
         self::$idpCache[$id] = $idp;
         return $idp;
     }

◆ getByState()

static SimpleSAML_IdP::getByState ( array & $state )

static

Retrieve the IdP "owning" the state.

Parameters

array &$state The state array.

Returns: SimpleSAML_IdP The IdP.

Definition at line 152 of file IdP.php.

Referenced by finishLogout(), sspmod_saml_IdP_SAML2\handleAuthError(), SimpleSAML\IdP\TraditionalLogoutHandler\logoutNextSP(), postAuth(), sspmod_saml_Auth_Source_SP\reauthLogout(), sspmod_saml_IdP_SAML1\sendResponse(), sspmod_saml_IdP_SAML2\sendResponse(), sspmod_adfs_IdP_ADFS\sendResponse(), and SimpleSAML\IdP\IFrameLogoutHandler\startLogout().

     {
         assert('isset($state["core:IdP"])');
 
         return self::getById($state['core:IdP']);
     }

Here is the caller graph for this function:

◆ getConfig()

SimpleSAML_IdP::getConfig ( )

Retrieve the configuration for this IdP.

Returns: SimpleSAML_Configuration The configuration object.

Definition at line 165 of file IdP.php.

References $config.

Referenced by getLogoutHandler(), sspmod_adfs_IdP_ADFS\getLogoutURL(), sspmod_saml_IdP_SAML2\getLogoutURL(), handleAuthenticationRequest(), sspmod_saml_IdP_SAML2\receiveAuthnRequest(), sspmod_saml_IdP_SAML2\receiveLogoutMessage(), sspmod_saml_IdP_SAML2\sendLogoutRequest(), sspmod_adfs_IdP_ADFS\sendLogoutResponse(), and sspmod_saml_IdP_SAML2\sendLogoutResponse().

     {
         return $this->config;
     }

Here is the caller graph for this function:

◆ getId()

SimpleSAML_IdP::getId ( )

Retrieve the ID of this IdP.

Returns: string The ID of this IdP.

Definition at line 118 of file IdP.php.

References $id.

Referenced by sspmod_saml_IdP_SAML2\getLogoutURL().

     {
         return $this->id;
     }

Here is the caller graph for this function:

◆ getLogoutHandler()

SimpleSAML_IdP::getLogoutHandler ( )

Find the logout handler of this IdP.

Returns: The logout handler class.

Exceptions

SimpleSAML_Error_Exception If we cannot find a logout handler.

Definition at line 434 of file IdP.php.

References $handler, and getConfig().

Referenced by handleLogoutRequest(), and handleLogoutResponse().

     {
         // find the logout handler
         $logouttype = $this->getConfig()->getString('logouttype', 'traditional');
         switch ($logouttype) {
             case 'traditional':
                 $handler = 'SimpleSAML\IdP\TraditionalLogoutHandler';
                 break;
             case 'iframe':
                 $handler = 'SimpleSAML\IdP\IFrameLogoutHandler';
                 break;
             default:
                 throw new SimpleSAML_Error_Exception('Unknown logout handler: '.var_export($logouttype, true));
         }
 
         return new $handler($this);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getSPName()

SimpleSAML_IdP::getSPName ( $assocId )

Get SP name.

Parameters

string $assocId The association identifier.

Returns: array|null The name of the SP, as an associative array of language => text, or null if this isn't an SP.

Definition at line 178 of file IdP.php.

References $assocId, $metadata, $spEntityId, $spMetadata, array, and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

     {
         assert('is_string($assocId)');
 
         $prefix = substr($assocId, 0, 4);
         $spEntityId = substr($assocId, strlen($prefix) + 1);
         $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
         if ($prefix === 'saml') {
             try {
                 $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'saml20-sp-remote');
             } catch (Exception $e) {
                 try {
                     $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'shib13-sp-remote');
                 } catch (Exception $e) {
                     return null;
                 }
             }
         } else {
             if ($prefix === 'adfs') {
                 $spMetadata = $metadata->getMetaDataConfig($spEntityId, 'adfs-sp-remote');
             } else {
                 return null;
             }
         }
 
         if ($spMetadata->hasValue('name')) {
             return $spMetadata->getLocalizedString('name');
         } elseif ($spMetadata->hasValue('OrganizationDisplayName')) {
             return $spMetadata->getLocalizedString('OrganizationDisplayName');
         } else {
             return array('en' => $spEntityId);
         }
     }

Here is the call graph for this function:

◆ handleAuthenticationRequest()

SimpleSAML_IdP::handleAuthenticationRequest ( array & $state )

Process authentication requests.

Parameters

array &$state The authentication request state.

Definition at line 384 of file IdP.php.

References $id, $spEntityId, array, authenticate(), getConfig(), isAuthenticated(), postAuth(), reauthenticate(), and SimpleSAML_Auth_State\throwException().

Referenced by sspmod_adfs_IdP_ADFS\receiveAuthnRequest(), sspmod_saml_IdP_SAML1\receiveAuthnRequest(), and sspmod_saml_IdP_SAML2\receiveAuthnRequest().

     {
         assert('isset($state["Responder"])');
 
         $state['core:IdP'] = $this->id;
 
         if (isset($state['SPMetadata']['entityid'])) {
             $spEntityId = $state['SPMetadata']['entityid'];
         } elseif (isset($state['SPMetadata']['entityID'])) {
             $spEntityId = $state['SPMetadata']['entityID'];
         } else {
             $spEntityId = null;
         }
         $state['core:SP'] = $spEntityId;
 
         // first, check whether we need to authenticate the user
         if (isset($state['ForceAuthn']) && (bool) $state['ForceAuthn']) {
             // force authentication is in effect
             $needAuth = true;
         } else {
             $needAuth = !$this->isAuthenticated();
         }
 
         $state['IdPMetadata'] = $this->getConfig()->toArray();
         $state['ReturnCallback'] = array('SimpleSAML_IdP', 'postAuth');
 
         try {
             if ($needAuth) {
                 $this->authenticate($state);
                 assert('FALSE');
             } else {
                 $this->reauthenticate($state);
             }
             $this->postAuth($state);
         } catch (SimpleSAML_Error_Exception $e) {
             SimpleSAML_Auth_State::throwException($state, $e);
         } catch (Exception $e) {
             $e = new SimpleSAML_Error_UnserializableException($e);
             SimpleSAML_Auth_State::throwException($state, $e);
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ handleLogoutRequest()

SimpleSAML_IdP::handleLogoutRequest	(	array &	$state,
			$assocId
	)

Process a logout request.

This function will never return.

Parameters

array	&$state	The logout request state.
string \| null	$assocId	The association we received the logout request from, or null if there was no association.

Definition at line 479 of file IdP.php.

References $assocId, $handler, $id, $returnTo, $session, array, getLogoutHandler(), SimpleSAML\Module\getModuleURL(), SimpleSAML_Session\getSessionFromRequest(), SimpleSAML_Auth_State\saveState(), and terminateAssociation().

Referenced by doLogoutRedirect(), sspmod_adfs_IdP_ADFS\receiveLogoutMessage(), and sspmod_saml_IdP_SAML2\receiveLogoutMessage().

     {
         assert('isset($state["Responder"])');
         assert('is_string($assocId) || is_null($assocId)');
 
         $state['core:IdP'] = $this->id;
         $state['core:TerminatedAssocId'] = $assocId;
 
         if ($assocId !== null) {
             $this->terminateAssociation($assocId);
             $session = SimpleSAML_Session::getSessionFromRequest();
             $session->deleteData('core:idp-ssotime', $this->id.':'.$state['saml:SPEntityId']);
         }
 
         // terminate the local session
         $id = SimpleSAML_Auth_State::saveState($state, 'core:Logout:afterbridge');
         $returnTo = SimpleSAML\Module::getModuleURL('core/idp/resumelogout.php', array('id' => $id));
 
         $this->authSource->logout($returnTo);
 
         $handler = $this->getLogoutHandler();
         $handler->startLogout($state, $assocId);
         assert('false');
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ handleLogoutResponse()

SimpleSAML_IdP::handleLogoutResponse	(		$assocId,
			$relayState,
		SimpleSAML_Error_Exception	$error = `null`
	)

Process a logout response.

This function will never return.

Parameters

string	$assocId	The association that is terminated.
string \| null	$relayState	The RelayState from the start of the logout.
SimpleSAML_Error_Exception \| null	$error	The error that occurred during session termination (if any).

Definition at line 514 of file IdP.php.

References $assocId, $error, $handler, $relayState, $session, getLogoutHandler(), and SimpleSAML_Session\getSessionFromRequest().

Referenced by sspmod_saml_IdP_SAML2\receiveLogoutMessage().

     {
         assert('is_string($assocId)');
         assert('is_string($relayState) || is_null($relayState)');
 
         $session = SimpleSAML_Session::getSessionFromRequest();
         $session->deleteData('core:idp-ssotime', $this->id.';'.substr($assocId, strpos($assocId, ':') + 1));
 
         $handler = $this->getLogoutHandler();
         $handler->onResponse($assocId, $relayState, $error);
 
         assert('false');
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ isAuthenticated()

SimpleSAML_IdP::isAuthenticated ( )

Is the current user authenticated?

Returns: boolean True if the user is authenticated, false otherwise.

Definition at line 262 of file IdP.php.

Referenced by handleAuthenticationRequest().

     {
         return $this->authSource->isAuthenticated();
     }

Here is the caller graph for this function:

◆ postAuth()

static SimpleSAML_IdP::postAuth ( array $state )

static

The user is authenticated.

Parameters

array $state The authentication request state array.

Exceptions

SimpleSAML_Error_Exception If we are not authenticated.

Definition at line 299 of file IdP.php.

References $idp, $idpMetadata, $session, $spMetadata, array, getByState(), and SimpleSAML_Session\getSessionFromRequest().

Referenced by handleAuthenticationRequest().

     {
         $idp = SimpleSAML_IdP::getByState($state);
 
         if (!$idp->isAuthenticated()) {
             throw new SimpleSAML_Error_Exception('Not authenticated.');
         }
 
         $state['Attributes'] = $idp->authSource->getAttributes();
 
         if (isset($state['SPMetadata'])) {
             $spMetadata = $state['SPMetadata'];
         } else {
             $spMetadata = array();
         }
 
         if (isset($state['core:SP'])) {
             $session = SimpleSAML_Session::getSessionFromRequest();
             $previousSSOTime = $session->getData('core:idp-ssotime', $state['core:IdP'].';'.$state['core:SP']);
             if ($previousSSOTime !== null) {
                 $state['PreviousSSOTimestamp'] = $previousSSOTime;
             }
         }
 
         $idpMetadata = $idp->getConfig()->toArray();
 
         $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadata, $spMetadata, 'idp');
 
         $state['ReturnCall'] = array('SimpleSAML_IdP', 'postAuthProc');
         $state['Destination'] = $spMetadata;
         $state['Source'] = $idpMetadata;
 
         $pc->processState($state);
 
         self::postAuthProc($state);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ postAuthProc()

static SimpleSAML_IdP::postAuthProc ( array $state )

static

Called after authproc has run.

Parameters

array $state The authentication request state array.

Definition at line 273 of file IdP.php.

References $session, SimpleSAML_Session\DATA_TIMEOUT_SESSION_END, SimpleSAML_Session\getSessionFromRequest(), and time.

     {
         assert('is_callable($state["Responder"])');
 
         if (isset($state['core:SP'])) {
             $session = SimpleSAML_Session::getSessionFromRequest();
             $session->setData(
                 'core:idp-ssotime',
                 $state['core:IdP'].';'.$state['core:SP'],
                 time(),
                 SimpleSAML_Session::DATA_TIMEOUT_SESSION_END
             );
         }
 
         call_user_func($state['Responder'], $state);
         assert('FALSE');
     }

Here is the call graph for this function:

◆ reauthenticate()

SimpleSAML_IdP::reauthenticate ( array & $state )

private

Re-authenticate the user.

This function re-authenticates an user with an existing session. This gives the authentication source a chance to do additional work when re-authenticating for SSO.

Note: This function is not used when ForceAuthn=true.

Parameters

array &$state The authentication request state.

Exceptions

SimpleSAML_Error_Exception If there is no auth source defined for this IdP.

Definition at line 368 of file IdP.php.

Referenced by handleAuthenticationRequest().

     {
         $sourceImpl = $this->authSource->getAuthSource();
         if ($sourceImpl === null) {
             throw new SimpleSAML_Error_Exception('No such auth source defined.');
         }
 
         $sourceImpl->reauthenticate($state);
     }

Here is the caller graph for this function:

◆ terminateAssociation()

SimpleSAML_IdP::terminateAssociation ( $assocId )

Remove an SP association.

Parameters

string $assocId The association id.

Definition at line 248 of file IdP.php.

References $assocId, $session, and SimpleSAML_Session\getSessionFromRequest().

Referenced by handleLogoutRequest().

     {
         assert('is_string($assocId)');
 
         $session = SimpleSAML_Session::getSessionFromRequest();
         $session->terminateAssociation($this->associationGroup, $assocId);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

◆ $associationGroup

SimpleSAML_IdP::$associationGroup

private

Definition at line 38 of file IdP.php.

◆ $authSource

SimpleSAML_IdP::$authSource

private

Definition at line 54 of file IdP.php.

◆ $config

SimpleSAML_IdP::$config

private

Definition at line 46 of file IdP.php.

Referenced by getConfig().

◆ $id

SimpleSAML_IdP::$id

private

Definition at line 27 of file IdP.php.

Referenced by __construct(), addAssociation(), getById(), getId(), handleAuthenticationRequest(), and handleLogoutRequest().

◆ $idpCache

SimpleSAML_IdP::$idpCache = array()

staticprivate

Definition at line 19 of file IdP.php.

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/IdP.php

Public Member Functions

Static Public Member Functions

Private Member Functions

Private Attributes

Static Private Attributes

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ addAssociation()

◆ authenticate()

◆ doLogoutRedirect()

◆ finishLogout()

◆ finishLogoutRedirect()

◆ getAssociations()

◆ getById()

◆ getByState()

◆ getConfig()

◆ getId()

◆ getLogoutHandler()

◆ getSPName()

◆ handleAuthenticationRequest()

◆ handleLogoutRequest()

◆ handleLogoutResponse()

◆ isAuthenticated()

◆ postAuth()

◆ postAuthProc()

◆ reauthenticate()

◆ terminateAssociation()

Field Documentation

◆ $associationGroup

◆ $authSource

◆ $config

◆ $id

◆ $idpCache