ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
metadata.php
Go to the documentation of this file.
1<?php
2/* Copyright (c) 1998-2017 ILIAS open source, Extended GPL, see docs/LICENSE */
3// ilias-patch: begin
4chdir(dirname(__FILE__));
5
7$cookie_path = dirname($_SERVER['PHP_SELF']);
8
9$i = 0;
10while(!file_exists($ilias_main_directory . 'ilias.ini.php') && $i < 20)
11{
12 $ilias_main_directory .= '../';
13 ++$i;
14
15 $cookie_path = dirname($cookie_path);
16}
18
19if(!file_exists(getcwd() . '/ilias.ini.php'))
20{
21 die('Please ensure ILIAS is installed!');
22}
23
24$cookie_path .= (!preg_match("/[\/|\\\\]$/", $cookie_path)) ? "/" : "";
25
26if(isset($_GET["client_id"]))
27{
28 if($cookie_path == "\\")
29 {
30 $cookie_path = '/';
31 }
32
33 setcookie('ilClientId', $_GET['client_id'], 0, $cookie_path, '');
34 $_COOKIE['ilClientId'] = $_GET['client_id'];
35}
36define('IL_COOKIE_PATH', $cookie_path);
37
38require_once 'Services/Context/classes/class.ilContext.php';
40
41require_once 'Services/Init/classes/class.ilInitialisation.php';
43
44$iliasHttpPath = ILIAS_HTTP_PATH;
45
46require_once 'Services/Saml/classes/class.ilSamlAuthFactory.php';
48$auth = $factory->auth();
49
50// The source code below is copied from the SimpleSAMLphp library and modified regarding the HTTP path
51// ilias-patch: end
52if (!array_key_exists('PATH_INFO', $_SERVER)) {
53 global $DIC;
54 $DIC->logger()->root()->warning('Missing "PATH_INFO" variable. This could be a false positive log entry, but you have to ensure a valid "PATH_INFO" setting for your HTTP server.');
55}
56
58if ($config->getBoolean('admin.protectmetadata', false)) {
60}
61// ilias-patch: begin
62//$sourceId = substr($_SERVER['PATH_INFO'], 1);
63$sourceId = $auth->getAuthId();
64// ilias-patch: end
66if ($source === null) {
67 throw new SimpleSAML_Error_NotFound('Could not find authentication source with id '.$sourceId);
68}
69
70if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
71 throw new SimpleSAML_Error_NotFound('Source isn\'t a SAML SP: '.var_export($sourceId, true));
72}
73
74$entityId = $source->getEntityId();
75$spconfig = $source->getMetadata();
77
78$metaArray20 = array();
79
81 SAML2\Constants::BINDING_HTTP_REDIRECT,
82 SAML2\Constants::BINDING_SOAP,
83);
84
85$slob = $spconfig->getArray('SingleLogoutServiceBinding', $slosvcdefault);
86// ilias-patch: begin
87$slol = $iliasHttpPath . '/saml2-logout.php/'.$sourceId . '/' . CLIENT_ID;
88// ilias-patch: end
89
90foreach ($slob as $binding) {
91 if ($binding == SAML2\Constants::BINDING_SOAP && !($store instanceof SimpleSAML\Store\SQL)) {
92 // we cannot properly support SOAP logout
93 continue;
94 }
95 $metaArray20['SingleLogoutService'][] = array(
96 'Binding' => $binding,
97 'Location' => $slol,
98 );
99}
100
102 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
103 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
104 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
105 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
106);
107
108if ($spconfig->getString('ProtocolBinding', '') == 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser') {
109 $assertionsconsumerservicesdefault[] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
110}
111
113
115$eps = array();
116foreach ($assertionsconsumerservices as $services) {
117
118 $acsArray = array('index' => $index);
119 switch ($services) {
120 case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':
121 $acsArray['Binding'] = SAML2\Constants::BINDING_HTTP_POST;
122 // ilias-patch: begin
123 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
124 // ilias-patch: end
125 break;
126 case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
127 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post';
128 // ilias-patch: begin
129 $acsArray['Location'] = $iliasHttpPath . "/saml1-acs.php/{$sourceId}/" . CLIENT_ID;
130 break;
131 case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact':
132 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
133 // ilias-patch: begin
134 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
135 // ilias-patch: end
136 break;
137 case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
138 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01';
139 // ilias-patch: begin
140 $acsArray['Location'] = $iliasHttpPath . "/saml1-acs.php/{$sourceId}/artifact/" . CLIENT_ID;
141 // ilias-patch: end
142 break;
143 case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser':
144 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
145 // ilias-patch: begin
146 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
147 // ilias-patch: end
148 $acsArray['hoksso:ProtocolBinding'] = SAML2\Constants::BINDING_HTTP_REDIRECT;
149 break;
150 }
151 $eps[] = $acsArray;
152 $index++;
153}
154
155$metaArray20['AssertionConsumerService'] = $eps;
156
157$keys = array();
159if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
160 $hasNewCert = true;
161
162 $certData = $certInfo['certData'];
163
164 $keys[] = array(
165 'type' => 'X509Certificate',
166 'signing' => true,
167 'encryption' => true,
168 'X509Certificate' => $certInfo['certData'],
169 );
170} else {
171 $hasNewCert = false;
172}
173
175if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
176 $certData = $certInfo['certData'];
177
178 $keys[] = array(
179 'type' => 'X509Certificate',
180 'signing' => true,
181 'encryption' => ($hasNewCert ? false : true),
182 'X509Certificate' => $certInfo['certData'],
183 );
184} else {
185 $certData = null;
186}
187
188$format = $spconfig->getString('NameIDPolicy', null);
189if ($format !== null) {
190 $metaArray20['NameIDFormat'] = $format;
191}
192
193$name = $spconfig->getLocalizedString('name', null);
194$attributes = $spconfig->getArray('attributes', array());
195
196if ($name !== null && !empty($attributes)) {
197 $metaArray20['name'] = $name;
198 $metaArray20['attributes'] = $attributes;
199 $metaArray20['attributes.required'] = $spconfig->getArray('attributes.required', array());
200
201 if (empty($metaArray20['attributes.required'])) {
202 unset($metaArray20['attributes.required']);
203 }
204
205 $description = $spconfig->getArray('description', null);
206 if ($description !== null) {
207 $metaArray20['description'] = $description;
208 }
209
210 $nameFormat = $spconfig->getString('attributes.NameFormat', null);
211 if ($nameFormat !== null) {
212 $metaArray20['attributes.NameFormat'] = $nameFormat;
213 }
214}
215
216// add organization info
217$orgName = $spconfig->getLocalizedString('OrganizationName', null);
218if ($orgName !== null) {
219 $metaArray20['OrganizationName'] = $orgName;
220
221 $metaArray20['OrganizationDisplayName'] = $spconfig->getLocalizedString('OrganizationDisplayName', null);
222 if ($metaArray20['OrganizationDisplayName'] === null) {
223 $metaArray20['OrganizationDisplayName'] = $orgName;
224 }
225
226 $metaArray20['OrganizationURL'] = $spconfig->getLocalizedString('OrganizationURL', null);
227 if ($metaArray20['OrganizationURL'] === null) {
228 throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
229 }
230}
231
232if ($spconfig->hasValue('contacts')) {
233 $contacts = $spconfig->getArray('contacts');
234 foreach ($contacts as $contact) {
236 }
237}
238
239// add technical contact
240$email = $config->getString('technicalcontact_email', 'na@example.org', false);
241if ($email && $email !== 'na@example.org') {
242 $techcontact['emailAddress'] = $email;
243 $techcontact['name'] = $config->getString('technicalcontact_name', null);
244 $techcontact['contactType'] = 'technical';
246}
247
248// add certificate
249if (count($keys) === 1) {
250 $metaArray20['certData'] = $keys[0]['X509Certificate'];
251} elseif (count($keys) > 1) {
252 $metaArray20['keys'] = $keys;
253}
254
255// add EntityAttributes extension
256if ($spconfig->hasValue('EntityAttributes')) {
257 $metaArray20['EntityAttributes'] = $spconfig->getArray('EntityAttributes');
258}
259
260// add UIInfo extension
261if ($spconfig->hasValue('UIInfo')) {
262 $metaArray20['UIInfo'] = $spconfig->getArray('UIInfo');
263}
264
265// add RegistrationInfo extension
266if ($spconfig->hasValue('RegistrationInfo')) {
267 $metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
268}
269
270// add signature options
271if ($spconfig->hasValue('WantAssertionsSigned')) {
272 $metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
273}
274if ($spconfig->hasValue('redirect.sign')) {
275 $metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
276} elseif ($spconfig->hasValue('sign.authnrequest')) {
277 $metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
278}
279
280$supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2\Constants::NS_SAMLP);
281
282$metaArray20['metadata-set'] = 'saml20-sp-remote';
284
287$metaBuilder->addOrganizationInfo($metaArray20);
288
289$xml = $metaBuilder->getEntityDescriptorText();
290
291unset($metaArray20['UIInfo']);
292unset($metaArray20['metadata-set']);
293unset($metaArray20['entityid']);
294
295// sanitize the attributes array to remove friendly names
296if (isset($metaArray20['attributes']) && is_array($metaArray20['attributes'])) {
297 $metaArray20['attributes'] = array_values($metaArray20['attributes']);
298}
299
300// sign the metadata if enabled
301$xml = SimpleSAML_Metadata_Signer::sign($xml, $spconfig->toArray(), 'SAML 2 SP');
302
303if (array_key_exists('output', $_REQUEST) && $_REQUEST['output'] == 'xhtml') {
304
305 $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
306
307 $t->data['clipboard.js'] = true;
308 $t->data['header'] = 'saml20-sp';
309 $t->data['metadata'] = htmlspecialchars($xml);
310 $t->data['metadataflat'] = '$metadata['.var_export($entityId, true).'] = '.var_export($metaArray20, true).';';
311 // ilias-patch: begin
312 $t->data['metaurl'] = $iliasHttpPath . "/metadata.php{$sourceId}/" . CLIENT_ID;
313 // ilias-patch: end
314 $t->show();
315} else {
316 header('Content-Type: application/samlmetadata+xml');
318 header("Content-Disposition:attachment; filename=\"".$ascii_filename."\"");
319 echo($xml);
320}
$factory
Definition: metadata.php:47
$cookie_path
Definition: metadata.php:7
$auth
Definition: metadata.php:48
$ascii_filename
Definition: metadata.php:317
$i
Definition: metadata.php:9
$iliasHttpPath
Definition: metadata.php:44
$ilias_main_directory
Definition: metadata.php:6
$_COOKIE['client_id']
Definition: server.php:9
$_GET["client_id"]
An exception for terminatinating execution or to throw for unit testing.
const BINDING_HTTP_REDIRECT
The URN for the HTTP-Redirect binding.
Definition: Constants.php:30
const BINDING_HTTP_POST
The URN for the HTTP-POST binding.
Definition: Constants.php:25
static getInstance()
Retrieve our singleton instance.
Definition: Store.php:31
static requireAdmin()
Require admin access to the current page.
Definition: Auth.php:60
static getContact($contact)
Parse and sanitize a contact from an array.
Definition: Metadata.php:101
static loadPublicKey(\SimpleSAML_Configuration $metadata, $required=false, $prefix='')
Get public key or certificate from metadata.
Definition: Crypto.php:265
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:324
static getInstance($instancename='simplesaml')
Get a configuration file by its instance name.
static sign($metadataString, $entityMetadata, $type)
Signs the given metadata if metadata signing is enabled.
Definition: Signer.php:219
static init($a_type)
Init context by type.
const CONTEXT_SAML
static initILIAS()
ilias initialisation
Class ilSamlAuthFactory.
static getASCIIFilename($a_filename)
convert utf8 to ascii filename
$config
Definition: metadata.php:4
$metaBuilder
Definition: metadata.php:124
$certInfo
Definition: metadata.php:25
$keys
Definition: metadata.php:24
if($name !==null &&!empty($attributes)) $orgName
Definition: metadata.php:170
if($format !==null) $name
Definition: metadata.php:146
$format
Definition: metadata.php:141
$index
Definition: metadata.php:60
$spconfig
Definition: metadata.php:23
if( $source===null) if(!($source instanceof sspmod_saml_Auth_Source_SP)) $entityId
Definition: metadata.php:22
$slol
Definition: metadata.php:34
$supported_protocols
Definition: metadata.php:62
$metaArray20
Definition: metadata.php:26
foreach($slob as $binding) $assertionsconsumerservicesdefault
Definition: metadata.php:47
$store
Definition: metadata.php:24
$slob
Definition: metadata.php:33
if( $orgName !==null) if($spconfig->hasValue('contacts')) $email
Definition: metadata.php:193
if($spconfig->getString('ProtocolBinding', '')=='urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser') $assertionsconsumerservices
Definition: metadata.php:58
$eps
Definition: metadata.php:61
$source
Definition: metadata.php:12
if($config->getBoolean('admin.protectmetadata', false)) $sourceId
Definition: metadata.php:11
$slosvcdefault
Definition: metadata.php:28
$attributes
Definition: metadata.php:147
$xml
Definition: metadata.php:240
$binding
Attribute-related utility methods.
global $DIC
Definition: saml.php:7
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']