ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
External.php
Go to the documentation of this file.
1 <?php
2 
23 class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
24 
31  public function __construct($info, $config) {
32  assert('is_array($info)');
33  assert('is_array($config)');
34 
35  // Call the parent constructor first, as required by the interface
36  parent::__construct($info, $config);
37 
38  // Do any other configuration we need here
39  }
40 
41 
47  private function getUser() {
48 
49  /*
50  * In this example we assume that the attributes are
51  * stored in the users PHP session, but this could be replaced
52  * with anything.
53  */
54 
55  if (!session_id()) {
56  /* session_start not called before. Do it here. */
57  session_start();
58  }
59 
60  if (!isset($_SESSION['uid'])) {
61  /* The user isn't authenticated. */
62  return NULL;
63  }
64 
65  /*
66  * Find the attributes for the user.
67  * Note that all attributes in SimpleSAMLphp are multivalued, so we need
68  * to store them as arrays.
69  */
70 
71  $attributes = array(
72  'uid' => array($_SESSION['uid']),
73  'displayName' => array($_SESSION['name']),
74  'mail' => array($_SESSION['mail']),
75  );
76 
77  /* Here we generate a multivalued attribute based on the account type. */
78  $attributes['eduPersonAffiliation'] = array(
79  $_SESSION['type'], /* In this example, either 'student' or 'employee'. */
80  'member',
81  );
82 
83  return $attributes;
84  }
85 
86 
92  public function authenticate(&$state) {
93  assert('is_array($state)');
94 
95  $attributes = $this->getUser();
96  if ($attributes !== NULL) {
97  /*
98  * The user is already authenticated.
99  *
100  * Add the users attributes to the $state-array, and return control
101  * to the authentication process.
102  */
103  $state['Attributes'] = $attributes;
104  return;
105  }
106 
107  /*
108  * The user isn't authenticated. We therefore need to
109  * send the user to the login page.
110  */
111 
112  /*
113  * First we add the identifier of this authentication source
114  * to the state array, so that we know where to resume.
115  */
116  $state['exampleauth:AuthID'] = $this->authId;
117 
118 
119  /*
120  * We need to save the $state-array, so that we can resume the
121  * login process after authentication.
122  *
123  * Note the second parameter to the saveState-function. This is a
124  * unique identifier for where the state was saved, and must be used
125  * again when we retrieve the state.
126  *
127  * The reason for it is to prevent
128  * attacks where the user takes a $state-array saved in one location
129  * and restores it in another location, and thus bypasses steps in
130  * the authentication process.
131  */
132  $stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External');
133 
134  /*
135  * Now we generate a URL the user should return to after authentication.
136  * We assume that whatever authentication page we send the user to has an
137  * option to return the user to a specific page afterwards.
138  */
139  $returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array(
140  'State' => $stateId,
141  ));
142 
143  /*
144  * Get the URL of the authentication page.
145  *
146  * Here we use the getModuleURL function again, since the authentication page
147  * is also part of this module, but in a real example, this would likely be
148  * the absolute URL of the login page for the site.
149  */
150  $authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php');
151 
152  /*
153  * The redirect to the authentication page.
154  *
155  * Note the 'ReturnTo' parameter. This must most likely be replaced with
156  * the real name of the parameter for the login page.
157  */
158  \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array(
159  'ReturnTo' => $returnTo,
160  ));
161 
162  /*
163  * The redirect function never returns, so we never get this far.
164  */
165  assert('FALSE');
166  }
167 
168 
177  public static function resume() {
178 
179  /*
180  * First we need to restore the $state-array. We should have the identifier for
181  * it in the 'State' request parameter.
182  */
183  if (!isset($_REQUEST['State'])) {
184  throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
185  }
186 
187  /*
188  * Once again, note the second parameter to the loadState function. This must
189  * match the string we used in the saveState-call above.
190  */
191  $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External');
192 
193  /*
194  * Now we have the $state-array, and can use it to locate the authentication
195  * source.
196  */
197  $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']);
198  if ($source === NULL) {
199  /*
200  * The only way this should fail is if we remove or rename the authentication source
201  * while the user is at the login page.
202  */
203  throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
204  }
205 
206  /*
207  * Make sure that we haven't switched the source type while the
208  * user was at the authentication page. This can only happen if we
209  * change config/authsources.php while an user is logging in.
210  */
211  if (! ($source instanceof self)) {
212  throw new SimpleSAML_Error_Exception('Authentication source type changed.');
213  }
214 
215 
216  /*
217  * OK, now we know that our current state is sane. Time to actually log the user in.
218  *
219  * First we check that the user is acutally logged in, and didn't simply skip the login page.
220  */
221  $attributes = $source->getUser();
222  if ($attributes === NULL) {
223  /*
224  * The user isn't authenticated.
225  *
226  * Here we simply throw an exception, but we could also redirect the user back to the
227  * login page.
228  */
229  throw new SimpleSAML_Error_Exception('User not authenticated after login page.');
230  }
231 
232  /*
233  * So, we have a valid user. Time to resume the authentication process where we
234  * paused it in the authenticate()-function above.
235  */
236 
237  $state['Attributes'] = $attributes;
238  SimpleSAML_Auth_Source::completeAuth($state);
239 
240  /*
241  * The completeAuth-function never returns, so we never get this far.
242  */
243  assert('FALSE');
244  }
245 
246 
253  public function logout(&$state) {
254  assert('is_array($state)');
255 
256  if (!session_id()) {
257  /* session_start not called before. Do it here. */
258  session_start();
259  }
260 
261  /*
262  * In this example we simply remove the 'uid' from the session.
263  */
264  unset($_SESSION['uid']);
265 
266  /*
267  * If we need to do a redirect to a different page, we could do this
268  * here, but in this example we don't need to do this.
269  */
270  }
271 
272 }
sspmod_exampleauth_Auth_Source_External\logout
logout(&$state)
This function is called when the user start a logout operation, for example by logging out of a SP th...
Definition: External.php:253
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
sspmod_exampleauth_Auth_Source_External\getUser
getUser()
Retrieve attributes for the user.
Definition: External.php:47
SimpleSAML_Error_Exception
Definition: Exception.php:12
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:22
$stateId
$stateId
Definition: saml2-acs.php:76
$attributes
$attributes
Definition: serviceValidate.php:33
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
sspmod_exampleauth_Auth_Source_External\__construct
__construct($info, $config)
Constructor for this authentication source.
Definition: External.php:31
sspmod_exampleauth_Auth_Source_External\authenticate
authenticate(&$state)
Log in using an external authentication helper.
Definition: External.php:92
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML_Error_BadRequest
Definition: BadRequest.php:12
SimpleSAML_Auth_State\loadState
static loadState($id, $stage, $allowMissing=false)
Retrieve saved state.
Definition: State.php:259
sspmod_exampleauth_Auth_Source_External\resume
static resume()
Resume authentication process.
Definition: External.php:177
array
Create styles array
The data for the language used.
Definition: 40duplicateStyle.php:19
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:135
$source
$source
Definition: linkback.php:22
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
$info
$info
Definition: index.php:5
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
sspmod_exampleauth_Auth_Source_External
Definition: External.php:23
SimpleSAML_Auth_Source
Definition: Source.php:12