ILIAS  release_5-3 Revision v5.3.23-19-g915713cf615
Static Public Member Functions | Static Private Member Functions
sspmod_adfs_IdP_ADFS Class Reference
+ Collaboration diagram for sspmod_adfs_IdP_ADFS:

Static Public Member Functions

static receiveAuthnRequest (SimpleSAML_IdP $idp)
 
static sendResponse (array $state)
 
static sendLogoutResponse (SimpleSAML_IdP $idp, array $state)
 
static receiveLogoutMessage (SimpleSAML_IdP $idp)
 
static getLogoutURL (SimpleSAML_IdP $idp, array $association, $relayState)
 

Static Private Member Functions

static generateResponse ($issuer, $target, $nameid, $attributes)
 
static signResponse ($response, $key, $cert)
 
static postResponse ($url, $wresult, $wctx)
 

Detailed Description

Definition at line 3 of file ADFS.php.

Member Function Documentation

◆ generateResponse()

static sspmod_adfs_IdP_ADFS::generateResponse (   $issuer,
  $target,
  $nameid,
  $attributes 
)
staticprivate

Definition at line 31 of file ADFS.php.

32 {
33 $issueInstant = SimpleSAML\Utils\Time::generateTimestamp();
34 $notBefore = SimpleSAML\Utils\Time::generateTimestamp(time() - 30);
35 $assertionExpire = SimpleSAML\Utils\Time::generateTimestamp(time() + 60 * 5);
36 $assertionID = SimpleSAML\Utils\Random::generateID();
37 $nameidFormat = 'http://schemas.xmlsoap.org/claims/UPN';
38 $nameid = htmlspecialchars($nameid);
39
40 $result = <<<MSG
41<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
42 <wst:RequestedSecurityToken>
43 <saml:Assertion Issuer="$issuer" IssueInstant="$issueInstant" AssertionID="$assertionID" MinorVersion="1" MajorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
44 <saml:Conditions NotOnOrAfter="$assertionExpire" NotBefore="$notBefore">
45 <saml:AudienceRestrictionCondition>
46 <saml:Audience>$target</saml:Audience>
47 </saml:AudienceRestrictionCondition>
48 </saml:Conditions>
49 <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="$issueInstant">
50 <saml:Subject>
51 <saml:NameIdentifier Format="$nameidFormat">$nameid</saml:NameIdentifier>
52 </saml:Subject>
53 </saml:AuthenticationStatement>
54 <saml:AttributeStatement>
55 <saml:Subject>
56 <saml:NameIdentifier Format="$nameidFormat">$nameid</saml:NameIdentifier>
57 </saml:Subject>
58MSG;
59
60 foreach ($attributes as $name => $values) {
61 if ((!is_array($values)) || (count($values) == 0)) {
62 continue;
63 }
64
65 list($namespace, $name) = SimpleSAML\Utils\Attributes::getAttributeNamespace($name, 'http://schemas.xmlsoap.org/claims');
66 foreach ($values as $value) {
67 if ((!isset($value)) || ($value === '')) {
68 continue;
69 }
70 $value = htmlspecialchars($value);
71
72 $result .= <<<MSG
73 <saml:Attribute AttributeNamespace="$namespace" AttributeName="$name">
74 <saml:AttributeValue>$value</saml:AttributeValue>
75 </saml:Attribute>
76MSG;
77
78 }
79 }
80
81 $result .= <<<MSG
82 </saml:AttributeStatement>
83 </saml:Assertion>
84 </wst:RequestedSecurityToken>
85 <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
86 <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
87 <wsa:Address>$target</wsa:Address>
88 </wsa:EndpointReference>
89 </wsp:AppliesTo>
90</wst:RequestSecurityTokenResponse>
91MSG;
92
93 return $result;
94 }
$result
$result
Definition: CleanUpTest.php:463
NotOnOrAfter
$sc SubjectConfirmationData NotOnOrAfter
Definition: attributeserver.php:77
SimpleSAML\Utils\Attributes\getAttributeNamespace
static getAttributeNamespace($name, $defaultns)
Extract an attribute's namespace, or revert to default.
Definition: Attributes.php:123
SimpleSAML\Utils\Random\generateID
static generateID()
Generate a random identifier, ID_LENGTH bytes long.
Definition: Random.php:26
SimpleSAML\Utils\Time\generateTimestamp
static generateTimestamp($instant=null)
This function generates a timestamp on the form used by the SAML protocols.
Definition: Time.php:32
$namespace
if($err=$client->getError()) $namespace
Definition: dummy_client.php:50
$name
if($format !==null) $name
Definition: metadata.php:146
$attributes
$attributes
Definition: serviceValidate.php:33
$nameid
$nameid
Definition: status.php:36

References $attributes, $name, $nameid, $namespace, $result, $target, SimpleSAML\Utils\Random\generateID(), SimpleSAML\Utils\Time\generateTimestamp(), SimpleSAML\Utils\Attributes\getAttributeNamespace(), and NotOnOrAfter.

Referenced by sendResponse().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:

◆ getLogoutURL()

static sspmod_adfs_IdP_ADFS::getLogoutURL ( SimpleSAML_IdP  $idp,
array  $association,
  $relayState 
)
static

Definition at line 209 of file ADFS.php.

210 {
211 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
212 $idpMetadata = $idp->getConfig();
213 $spMetadata = $metadata->getMetaDataConfig($association['adfs:entityID'], 'adfs-sp-remote');
214 $returnTo = SimpleSAML\Module::getModuleURL('adfs/idp/prp.php?assocId=' . urlencode($association["id"]) . '&relayState=' . urlencode($relayState));
215 return $spMetadata->getValue('prp') . '?' . 'wa=wsignoutcleanup1.0&wreply=' . urlencode($returnTo);
216 }
$metadata
$metadata['__DYNAMIC:1__']
Definition: adfs-idp-hosted.php:3
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:303
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
$relayState
$relayState
Definition: logout-iframe-post.php:14
$association
if(!isset($associations[$assocId])) $association
Definition: logout-iframe-post.php:23
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
$spMetadata
$spMetadata
Definition: logout-iframe-post.php:27
$idp
$idp
Definition: prp.php:13

References $association, $idp, $idpMetadata, $metadata, $relayState, $returnTo, $spMetadata, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), and SimpleSAML\Module\getModuleURL().

+ Here is the call graph for this function:

◆ postResponse()

static sspmod_adfs_IdP_ADFS::postResponse (   $url,
  $wresult,
  $wctx 
)
staticprivate

Definition at line 120 of file ADFS.php.

121 {
122 $wresult = htmlspecialchars($wresult);
123 $wctx = htmlspecialchars($wctx);
124
125 $post = <<<MSG
126 <body onload="document.forms[0].submit()">
127 <form method="post" action="$url">
128 <input type="hidden" name="wa" value="wsignin1.0">
129 <input type="hidden" name="wresult" value="$wresult">
130 <input type="hidden" name="wctx" value="$wctx">
131 <noscript>
132 <input type="submit" value="Continue">
133 </noscript>
134 </form>
135 </body>
136MSG;
137
138 echo $post;
139 exit;
140 }
$post
$post
Definition: post.php:34

References $post, and exit.

Referenced by sendResponse().

+ Here is the caller graph for this function:

◆ receiveAuthnRequest()

static sspmod_adfs_IdP_ADFS::receiveAuthnRequest ( SimpleSAML_IdP  $idp)
static

Definition at line 5 of file ADFS.php.

6 {
7 try {
8 parse_str($_SERVER['QUERY_STRING'], $query);
9
10 $requestid = $query['wctx'];
11 $issuer = $query['wtrealm'];
12 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
13 $spMetadata = $metadata->getMetaDataConfig($issuer, 'adfs-sp-remote');
14
15 SimpleSAML\Logger::info('ADFS - IdP.prp: Incoming Authentication request: '.$issuer.' id '.$requestid);
16 } catch(Exception $exception) {
17 throw new SimpleSAML_Error_Error('PROCESSAUTHNREQUEST', $exception);
18 }
19
20 $state = array(
21 'Responder' => array('sspmod_adfs_IdP_ADFS', 'sendResponse'),
22 'SPMetadata' => $spMetadata->toArray(),
23 'ForceAuthn' => false,
24 'isPassive' => false,
25 'adfs:wctx' => $requestid,
26 );
27
28 $idp->handleAuthenticationRequest($state);
29 }
$issuer
catch(Exception $e) if(!($request instanceof \SAML2\ArtifactResolve)) $issuer
Definition: ArtifactResolutionService.php:48
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:201
SimpleSAML_Error_Error
Definition: Error.php:11
$query
$query
Definition: proxy_ylocal.php:13
$_SERVER
if((!isset($_SERVER['DOCUMENT_ROOT'])) OR(empty($_SERVER['DOCUMENT_ROOT']))) $_SERVER['DOCUMENT_ROOT']
Definition: tcpdf_autoconfig.php:54

References $_SERVER, $idp, $issuer, $metadata, $query, $spMetadata, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), and SimpleSAML\Logger\info().

+ Here is the call graph for this function:

◆ receiveLogoutMessage()

static sspmod_adfs_IdP_ADFS::receiveLogoutMessage ( SimpleSAML_IdP  $idp)
static

Definition at line 189 of file ADFS.php.

190 {
191 // if a redirect is to occur based on wreply, we will redirect to url as
192 // this implies an override to normal sp notification
193 if (isset($_GET['wreply']) && !empty($_GET['wreply'])) {
194 $idp->doLogoutRedirect(\SimpleSAML\Utils\HTTP::checkURLAllowed($_GET['wreply']));
195 assert('false');
196 }
197
198 $state = array(
199 'Responder' => array('sspmod_adfs_IdP_ADFS', 'sendLogoutResponse'),
200 );
201 $assocId = null;
202 // TODO: verify that this is really no problem for:
203 // a) SSP, because there's no caller SP.
204 // b) ADFS SP because caller will be called back..
205 $idp->handleLogoutRequest($state, $assocId);
206 }
$_GET
$_GET["client_id"]
Definition: cfg.phpunit.template.php:12
$assocId
if(!isset($_REQUEST['association'])) $assocId
Definition: logout-iframe-post.php:12
SimpleSAML
Attribute-related utility methods.

References $_GET, $assocId, $idp, and $state.

◆ sendLogoutResponse()

static sspmod_adfs_IdP_ADFS::sendLogoutResponse ( SimpleSAML_IdP  $idp,
array  $state 
)
static

Definition at line 181 of file ADFS.php.

182 {
183 // NB:: we don't know from which SP the logout request came from
184 $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
185 $idpMetadata = $idp->getConfig();
186 \SimpleSAML\Utils\HTTP::redirectTrustedURL($idpMetadata->getValue('redirect-after-logout', \SimpleSAML\Utils\HTTP::getBaseURL()));
187 }
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:962
getBaseURL
getBaseURL($t, $type='get', $key=null, $value=null)
Definition: showstats.php:133

References $idp, $idpMetadata, $metadata, getBaseURL(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), and SimpleSAML\Utils\HTTP\redirectTrustedURL().

+ Here is the call graph for this function:

◆ sendResponse()

static sspmod_adfs_IdP_ADFS::sendResponse ( array  $state)
static

Definition at line 142 of file ADFS.php.

143 {
144 $spMetadata = $state["SPMetadata"];
145 $spEntityId = $spMetadata['entityid'];
146 $spMetadata = SimpleSAML_Configuration::loadFromArray($spMetadata,
147 '$metadata[' . var_export($spEntityId, true) . ']');
148
149 $attributes = $state['Attributes'];
150
151 $nameidattribute = $spMetadata->getValue('simplesaml.nameidattribute');
152 if (!empty($nameidattribute)) {
153 if (!array_key_exists($nameidattribute, $attributes)) {
154 throw new Exception('simplesaml.nameidattribute does not exist in resulting attribute set');
155 }
156 $nameid = $attributes[$nameidattribute][0];
157 } else {
158 $nameid = SimpleSAML\Utils\Random::generateID();
159 }
160
161 $idp = SimpleSAML_IdP::getByState($state);
162 $idpMetadata = $idp->getConfig();
163 $idpEntityId = $idpMetadata->getString('entityid');
164
165 $idp->addAssociation(array(
166 'id' => 'adfs:' . $spEntityId,
167 'Handler' => 'sspmod_adfs_IdP_ADFS',
168 'adfs:entityID' => $spEntityId,
169 ));
170
171 $response = sspmod_adfs_IdP_ADFS::generateResponse($idpEntityId, $spEntityId, $nameid, $attributes);
172
173 $privateKeyFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('privatekey'));
174 $certificateFile = \SimpleSAML\Utils\Config::getCertPath($idpMetadata->getString('certificate'));
175 $wresult = sspmod_adfs_IdP_ADFS::signResponse($response, $privateKeyFile, $certificateFile);
176
177 $wctx = $state['adfs:wctx'];
178 sspmod_adfs_IdP_ADFS::postResponse($spMetadata->getValue('prp'), $wresult, $wctx);
179 }
$spEntityId
$spEntityId
Definition: attributeserver.php:14
SimpleSAML\Utils\Config\getCertPath
static getCertPath($path)
Resolves a path that may be relative to the cert-directory.
Definition: Config.php:22
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:269
SimpleSAML_IdP\getByState
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:152
sspmod_adfs_IdP_ADFS\signResponse
static signResponse($response, $key, $cert)
Definition: ADFS.php:96
sspmod_adfs_IdP_ADFS\postResponse
static postResponse($url, $wresult, $wctx)
Definition: ADFS.php:120
sspmod_adfs_IdP_ADFS\generateResponse
static generateResponse($issuer, $target, $nameid, $attributes)
Definition: ADFS.php:31
$response
$response
Definition: proxy_ylocal.php:39
$idpEntityId
$idpEntityId
Definition: prp.php:12

References $attributes, $idp, $idpEntityId, $idpMetadata, $nameid, $response, $spEntityId, $spMetadata, $state, SimpleSAML\Utils\Random\generateID(), generateResponse(), SimpleSAML_IdP\getByState(), SimpleSAML\Utils\Config\getCertPath(), SimpleSAML_Configuration\loadFromArray(), postResponse(), and signResponse().

+ Here is the call graph for this function:

◆ signResponse()

static sspmod_adfs_IdP_ADFS::signResponse (   $response,
  $key,
  $cert 
)
staticprivate

Definition at line 96 of file ADFS.php.

97 {
98 $objXMLSecDSig = new XMLSecurityDSig();
99 $objXMLSecDSig->idKeys = array('AssertionID');
100 $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
101 $responsedom = \SAML2\DOMDocumentFactory::fromString(str_replace ("\r", "", $response));
102 $firstassertionroot = $responsedom->getElementsByTagName('Assertion')->item(0);
103 $objXMLSecDSig->addReferenceList(
104 array($firstassertionroot), XMLSecurityDSig::SHA1,
105 array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
106 array('id_name' => 'AssertionID')
107 );
108 $objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
109 $objKey->loadKey($key, true);
110 $objXMLSecDSig->sign($objKey);
111 if ($cert) {
112 $public_cert = file_get_contents($cert);
113 $objXMLSecDSig->add509Cert($public_cert, true);
114 }
115 $newSig = $responsedom->importNode($objXMLSecDSig->sigNode, true);
116 $firstassertionroot->appendChild($newSig);
117 return $responsedom->saveXML();
118 }
$key
$key
Definition: croninfo.php:18

References $key, $response, and SAML2\DOMDocumentFactory\fromString().

Referenced by sendResponse().

+ Here is the call graph for this function:
+ Here is the caller graph for this function:
The documentation for this class was generated from the following file: