ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
SP.php
Go to the documentation of this file.
1 <?php
2 
3 class sspmod_saml_Auth_Source_SP extends SimpleSAML_Auth_Source
4 {
10  private $entityId;
11 
17  private $metadata;
18 
24  private $idp;
25 
31  private $discoURL;
32 
39  public function __construct($info, $config)
40  {
41  assert(is_array($info));
42  assert(is_array($config));
43 
44  // Call the parent constructor first, as required by the interface
45  parent::__construct($info, $config);
46 
47  if (!isset($config['entityID'])) {
48  $config['entityID'] = $this->getMetadataURL();
49  }
50 
51  /* For compatibility with code that assumes that $metadata->getString('entityid')
52  * gives the entity id. */
53  $config['entityid'] = $config['entityID'];
54 
55  $this->metadata = SimpleSAML_Configuration::loadFromArray($config,
56  'authsources[' . var_export($this->authId, true) . ']');
57  $this->entityId = $this->metadata->getString('entityID');
58  $this->idp = $this->metadata->getString('idp', null);
59  $this->discoURL = $this->metadata->getString('discoURL', null);
60 
61  if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
62  $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
63  }
64  }
65 
71  public function getMetadataURL()
72  {
73  return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
74  }
75 
81  public function getEntityId()
82  {
83  return $this->entityId;
84  }
85 
91  public function getMetadata()
92  {
93  return $this->metadata;
94  }
95 
102  public function getIdPMetadata($entityId)
103  {
104  assert(is_string($entityId));
105 
106  if ($this->idp !== null && $this->idp !== $entityId) {
107  throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' .
108  var_export($entityId, true) .
109  ' because it isn\'t a valid IdP for this SP.');
110  }
111 
112  $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
113 
114  // First, look in saml20-idp-remote.
115  try {
116  return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
117  } catch (Exception $e) {
118  /* Metadata wasn't found. */
119  SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
120  }
121 
122  /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
123  try {
124  return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
125  } catch (Exception $e) {
126  /* Metadata wasn't found. */
127  SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
128  }
129 
130  /* Not found. */
131  throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' .
132  var_export($entityId, true));
133  }
134 
141  private function startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
142  {
143  $idpEntityId = $idpMetadata->getString('entityid');
144 
145  $state['saml:idp'] = $idpEntityId;
146 
147  $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
148  $ar->setIssuer($this->entityId);
149 
150  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
151  $ar->setRelayState($id);
152 
153  $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', null);
154  if ($useArtifact === null) {
155  $useArtifact = $this->metadata->getBoolean('saml1.useartifact', false);
156  }
157 
158  if ($useArtifact) {
159  $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
160  } else {
161  $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
162  }
163 
164  $url = $ar->createRedirect($idpEntityId, $shire);
165 
166  SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, true) .
167  ' from ' . var_export($this->entityId, true) . '.');
168  \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
169  }
170 
177  private function startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
178  {
179  if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
180  SimpleSAML_Auth_State::throwException(
181  $state,
182  new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
183  );
184  }
185 
186  $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
187 
188  // ilias-patch: begin
189  // see: https://bugs.launchpad.net/mahara/+bug/1689685
190  // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
191  //$ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
192  $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
193  // ilias-patch: end
194 
195  if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
196  $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
197  }
198 
199  if (isset($state['saml:AuthnContextClassRef'])) {
200  $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
201  $comp = SAML2\Constants::COMPARISON_EXACT;
202  if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
203  SAML2\Constants::COMPARISON_EXACT,
204  SAML2\Constants::COMPARISON_MINIMUM,
205  SAML2\Constants::COMPARISON_MAXIMUM,
206  SAML2\Constants::COMPARISON_BETTER,
207  ), true)) {
208  $comp = $state['saml:AuthnContextComparison'];
209  }
210  $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
211  }
212 
213  if (isset($state['ForceAuthn'])) {
214  $ar->setForceAuthn((bool)$state['ForceAuthn']);
215  }
216 
217  if (isset($state['isPassive'])) {
218  $ar->setIsPassive((bool)$state['isPassive']);
219  }
220 
221  if (isset($state['saml:NameID'])) {
222  if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
223  throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
224  }
225  $ar->setNameId($state['saml:NameID']);
226  }
227 
228  if (isset($state['saml:NameIDPolicy'])) {
229  if (is_string($state['saml:NameIDPolicy'])) {
230  $policy = array(
231  'Format' => (string)$state['saml:NameIDPolicy'],
232  'AllowCreate' => true,
233  );
234  } elseif (is_array($state['saml:NameIDPolicy'])) {
235  $policy = $state['saml:NameIDPolicy'];
236  } else {
237  throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
238  }
239  $ar->setNameIdPolicy($policy);
240  }
241 
242  if (isset($state['saml:IDPList'])) {
243  $IDPList = $state['saml:IDPList'];
244  } else {
245  $IDPList = array();
246  }
247 
248  $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()),
249  $idpMetadata->getArray('IDPList', array()),
250  (array) $IDPList)));
251 
252  if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
253  $ar->setProxyCount($state['saml:ProxyCount']);
254  } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
255  $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
256  } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
257  $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
258  }
259 
260  $requesterID = array();
261  if (isset($state['saml:RequesterID'])) {
262  $requesterID = $state['saml:RequesterID'];
263  }
264 
265  if (isset($state['core:SP'])) {
266  $requesterID[] = $state['core:SP'];
267  }
268 
269  $ar->setRequesterID($requesterID);
270 
271  if (isset($state['saml:Extensions'])) {
272  $ar->setExtensions($state['saml:Extensions']);
273  }
274 
275  // save IdP entity ID as part of the state
276  $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
277 
278  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', true);
279  $ar->setId($id);
280 
281  SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' .
282  var_export($idpMetadata->getString('entityid'), true));
283 
284  /* Select appropriate SSO endpoint */
285  if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
286  $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
287  \SAML2\Constants::BINDING_HOK_SSO)
288  );
289  } else {
290  $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleSignOnService', [
291  \SAML2\Constants::BINDING_HTTP_REDIRECT,
292  \SAML2\Constants::BINDING_HTTP_POST,
293  ]);
294  }
295  $ar->setDestination($dst['Location']);
296 
297  $b = \SAML2\Binding::getBinding($dst['Binding']);
298 
299  $this->sendSAML2AuthnRequest($state, $b, $ar);
300 
301  assert(false);
302  }
303 
313  public function sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
314  {
315  $binding->send($ar);
316  assert(false);
317  }
318 
325  public function startSSO($idp, array $state)
326  {
327  assert(is_string($idp));
328 
329  $idpMetadata = $this->getIdPMetadata($idp);
330 
331  $type = $idpMetadata->getString('metadata-set');
332  switch ($type) {
333  case 'shib13-idp-remote':
334  $this->startSSO1($idpMetadata, $state);
335  assert(false); /* Should not return. */
336  case 'saml20-idp-remote':
337  $this->startSSO2($idpMetadata, $state);
338  assert(false); /* Should not return. */
339  default:
340  /* Should only be one of the known types. */
341  assert(false);
342  }
343  }
344 
350  private function startDisco(array $state)
351  {
352  $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
353 
354  $discoURL = $this->discoURL;
355  if ($discoURL === null) {
356  /* Fallback to internal discovery service. */
357  $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
358  }
359 
360  $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
361 
362  $params = array(
363  'entityID' => $this->entityId,
364  'return' => $returnTo,
365  'returnIDParam' => 'idpentityid'
366  );
367 
368  if(isset($state['saml:IDPList'])) {
369  $params['IDPList'] = $state['saml:IDPList'];
370  }
371 
372  if (isset($state['isPassive']) && $state['isPassive']) {
373  $params['isPassive'] = 'true';
374  }
375 
376  \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
377  }
378 
386  public function authenticate(&$state)
387  {
388  assert(is_array($state));
389 
390  /* We are going to need the authId in order to retrieve this authentication source later. */
391  $state['saml:sp:AuthId'] = $this->authId;
392 
393  $idp = $this->idp;
394 
395  if (isset($state['saml:idp'])) {
396  $idp = (string)$state['saml:idp'];
397  }
398 
399  if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
400  // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
401  $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
402  $known_idps = $mdh->getList();
403  $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
404 
405  if (empty($intersection)) {
406  // all requested IdPs are unknown
407  throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
408  \SAML2\Constants::STATUS_REQUESTER,
409  'None of the IdPs requested are supported by this proxy.'
410  );
411  }
412 
413  if (!is_null($idp) && !in_array($idp, $intersection, true)) {
414  // the IdP is enforced but not in the IDPList
415  throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
416  \SAML2\Constants::STATUS_REQUESTER,
417  'None of the IdPs requested are available to this proxy.'
418  );
419  }
420 
421  if (is_null($idp) && sizeof($intersection) === 1) {
422  // only one IdP requested or valid
423  $idp = current($state['saml:IDPList']);
424  }
425  }
426 
427  if ($idp === null) {
428  $this->startDisco($state);
429  assert(false);
430  }
431 
432  $this->startSSO($idp, $state);
433  assert(false);
434  }
435 
444  public function reauthenticate(array &$state)
445  {
446  assert(is_array($state));
447 
448  $session = SimpleSAML_Session::getSessionFromRequest();
449  $data = $session->getAuthState($this->authId);
450  foreach ($data as $k => $v) {
451  $state[$k] = $v;
452  }
453 
454  // check if we have an IDPList specified in the request
455  if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
456  !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
457  {
458  /*
459  * The user has an existing, valid session. However, the SP
460  * provided a list of IdPs it accepts for authentication, and
461  * the IdP the existing session is related to is not in that list.
462  *
463  * First, check if we recognize any of the IdPs requested.
464  */
465 
466  $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
467  $known_idps = $mdh->getList();
468  $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
469 
470  if (empty($intersection)) {
471  // all requested IdPs are unknown
472  throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
473  \SAML2\Constants::STATUS_REQUESTER,
474  'None of the IdPs requested are supported by this proxy.'
475  );
476  }
477 
478  /*
479  * We have at least one IdP in the IDPList that we recognize, and
480  * it's not the one currently in use. Let's see if this proxy
481  * enforces the use of one single IdP.
482  */
483  if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) {
484  // an IdP is enforced but not requested
485  throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
486  \SAML2\Constants::STATUS_REQUESTER,
487  'None of the IdPs requested are available to this proxy.'
488  );
489  }
490 
491  /*
492  * We need to inform the user, and ask whether we should logout before
493  * starting the authentication process again with a different IdP, or
494  * cancel the current SSO attempt.
495  */
496  SimpleSAML\Logger::warning(
497  "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
498  "provided by the Service Provider '${state['core:SP']}'."
499  );
500 
501  $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
502  $state['saml:sp:AuthId'] = $this->authId;
503  self::askForIdPChange($state);
504  }
505  }
506 
507 
527  public static function askForIdPChange(array &$state)
528  {
529  assert(array_key_exists('saml:sp:IdPMetadata', $state));
530  assert(array_key_exists('saml:sp:AuthId', $state));
531  assert(array_key_exists('core:IdP', $state));
532  assert(array_key_exists('SPMetadata', $state));
533 
534  if (isset($state['isPassive']) && (bool)$state['isPassive']) {
535  // passive request, we cannot authenticate the user
536  throw new SimpleSAML\Module\saml\Error\NoPassive(
537  \SAML2\Constants::STATUS_REQUESTER,
538  'Reauthentication required'
539  );
540  }
541 
542  // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
543  $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
544  $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
545  SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
546  assert(false);
547  }
548 
556  public static function reauthLogout(array $state)
557  {
558  SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
559 
560  if (isset($state['Responder'])) {
561  $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
562  }
563  $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
564 
565  $idp = SimpleSAML_IdP::getByState($state);
566  $idp->handleLogoutRequest($state, null);
567  assert(false);
568  }
569 
575  public static function reauthPostLogin(array $state)
576  {
577  assert(isset($state['ReturnCallback']));
578 
579  // Update session state
580  $session = SimpleSAML_Session::getSessionFromRequest();
581  $authId = $state['saml:sp:AuthId'];
582  $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
583 
584  // resume the login process
585  call_user_func($state['ReturnCallback'], $state);
586  assert(false);
587  }
588 
597  public static function reauthPostLogout(SimpleSAML_IdP $idp, array $state)
598  {
599  assert(isset($state['saml:sp:AuthId']));
600 
601  SimpleSAML\Logger::debug('Proxy: logout completed.');
602 
603  if (isset($state['saml:proxy:reauthLogout:PrevResponder'])) {
604  $state['Responder'] = $state['saml:proxy:reauthLogout:PrevResponder'];
605  }
606 
607  $sp = SimpleSAML_Auth_Source::getById($state['saml:sp:AuthId'], 'sspmod_saml_Auth_Source_SP');
609  SimpleSAML\Logger::debug('Proxy: logging in again.');
610  $sp->authenticate($state);
611  assert(false);
612  }
613 
619  public function startSLO2(&$state)
620  {
621  assert(is_array($state));
622  assert(array_key_exists('saml:logout:IdP', $state));
623  assert(array_key_exists('saml:logout:NameID', $state));
624  assert(array_key_exists('saml:logout:SessionIndex', $state));
625 
626  $id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
627 
628  $idp = $state['saml:logout:IdP'];
629  $nameId = $state['saml:logout:NameID'];
630  $sessionIndex = $state['saml:logout:SessionIndex'];
631 
632  $idpMetadata = $this->getIdPMetadata($idp);
633 
634  $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
635  \SAML2\Constants::BINDING_HTTP_REDIRECT,
636  \SAML2\Constants::BINDING_HTTP_POST), false);
637  if ($endpoint === false) {
638  SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, true) . '.');
639  return;
640  }
641 
642  $lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
643  $lr->setNameId($nameId);
644  $lr->setSessionIndex($sessionIndex);
645  $lr->setRelayState($id);
646  $lr->setDestination($endpoint['Location']);
647 
648  $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', null);
649  if ($encryptNameId === null) {
650  $encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
651  }
652  if ($encryptNameId) {
653  $lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
654  }
655 
656  $b = \SAML2\Binding::getBinding($endpoint['Binding']);
657  $b->send($lr);
658 
659  assert(false);
660  }
661 
667  public function logout(&$state)
668  {
669  assert(is_array($state));
670  assert(array_key_exists('saml:logout:Type', $state));
671 
672  $logoutType = $state['saml:logout:Type'];
673  switch ($logoutType) {
674  case 'saml1':
675  /* Nothing to do. */
676  return;
677  case 'saml2':
678  $this->startSLO2($state);
679  return;
680  default:
681  /* Should never happen. */
682  assert(false);
683  }
684  }
685 
693  public function handleResponse(array $state, $idp, array $attributes)
694  {
695  assert(is_string($idp));
696  assert(array_key_exists('LogoutState', $state));
697  assert(array_key_exists('saml:logout:Type', $state['LogoutState']));
698 
699  $idpMetadata = $this->getIdpMetadata($idp);
700 
701  $spMetadataArray = $this->metadata->toArray();
702  $idpMetadataArray = $idpMetadata->toArray();
703 
704  /* Save the IdP in the state array. */
705  $state['saml:sp:IdP'] = $idp;
706  $state['PersistentAuthData'][] = 'saml:sp:IdP';
707 
708  $authProcState = array(
709  'saml:sp:IdP' => $idp,
710  'saml:sp:State' => $state,
711  'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
712 
713  'Attributes' => $attributes,
714  'Destination' => $spMetadataArray,
715  'Source' => $idpMetadataArray,
716  );
717 
718  if (isset($state['saml:sp:NameID'])) {
719  $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
720  }
721  if (isset($state['saml:sp:SessionIndex'])) {
722  $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
723  }
724 
725  $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
726  $pc->processState($authProcState);
727 
728  self::onProcessingCompleted($authProcState);
729  }
730 
736  public function handleLogout($idpEntityId)
737  {
738  assert(is_string($idpEntityId));
739 
740  /* Call the logout callback we registered in onProcessingCompleted(). */
741  $this->callLogoutCallback($idpEntityId);
742  }
743 
758  public static function handleUnsolicitedAuth($authId, array $state, $redirectTo)
759  {
760  assert(is_string($authId));
761  assert(is_string($redirectTo));
762 
763  $session = SimpleSAML_Session::getSessionFromRequest();
764  $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
765 
766  \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
767  }
768 
774  public static function onProcessingCompleted(array $authProcState)
775  {
776  assert(array_key_exists('saml:sp:IdP', $authProcState));
777  assert(array_key_exists('saml:sp:State', $authProcState));
778  assert(array_key_exists('Attributes', $authProcState));
779 
780  $idp = $authProcState['saml:sp:IdP'];
781  $state = $authProcState['saml:sp:State'];
782 
783  $sourceId = $state['saml:sp:AuthId'];
784  $source = SimpleSAML_Auth_Source::getById($sourceId);
785  if ($source === null) {
786  throw new Exception('Could not find authentication source with id ' . $sourceId);
787  }
788 
789  /* Register a callback that we can call if we receive a logout request from the IdP. */
790  $source->addLogoutCallback($idp, $state);
791 
792  $state['Attributes'] = $authProcState['Attributes'];
793 
794  if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
795  if (!empty($state['saml:sp:RelayState'])) {
796  $redirectTo = $state['saml:sp:RelayState'];
797  } else {
798  $redirectTo = $source->getMetadata()->getString('RelayState', '/');
799  }
800  self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
801  }
802 
803  SimpleSAML_Auth_Source::completeAuth($state);
804  }
805 }
SAML2\Constants\BINDING_HOK_SSO
const BINDING_HOK_SSO
The URN for the Holder-of-Key Web Browser SSO Profile binding.
Definition: Constants.php:55
sspmod_saml_Auth_Source_SP\startDisco
startDisco(array $state)
Start an IdP discovery service operation.
Definition: SP.php:350
sspmod_saml_Auth_Source_SP\askForIdPChange
static askForIdPChange(array &$state)
Ask the user to log out before being able to log in again with a different identity provider...
Definition: SP.php:527
SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler
static getMetadataHandler()
This function retrieves the current instance of the metadata handler.
Definition: MetaDataStorageHandler.php:40
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
$dst
$dst
Definition: logout-iframe-post.php:54
SimpleSAML_IdP\getByState
static getByState(array &$state)
Retrieve the IdP "owning" the state.
Definition: IdP.php:145
SimpleSAML_Configuration\getArray
getArray($name, $default=self::REQUIRED_OPTION)
This function retrieves an array configuration option.
Definition: Configuration.php:873
$config
$config
Definition: bootstrap.php:15
$idpEntityId
$idpEntityId
Definition: prp.php:12
$type
$type
Definition: proxy_ylocal.php:10
SimpleSAML\Utils\Arrays\arrayize
static arrayize($data, $index=0)
Put a non-array variable into an array.
Definition: Arrays.php:24
SimpleSAML_Auth_Source\callLogoutCallback
callLogoutCallback($assoc)
Call a logout callback based on association.
Definition: Source.php:455
SimpleSAML_Auth_State\throwException
static throwException($state, SimpleSAML_Error_Exception $exception)
Throw exception to the state exception handler.
Definition: State.php:343
SAML2\Binding\getBinding
static getBinding($urn)
Retrieve a binding with the given URN.
Definition: Binding.php:28
$endpoint
$endpoint
Definition: attributeserver.php:23
SimpleSAML_Auth_Source
sspmod_saml_Auth_Source_SP\$entityId
$entityId
Definition: SP.php:10
sspmod_saml_Auth_Source_SP\getEntityId
getEntityId()
Retrieve the entity id of this SP.
Definition: SP.php:81
SimpleSAML\Logger\debug
static debug($string)
Definition: Logger.php:211
SimpleSAML_Error_Exception
Definition: Exception.php:12
$session
$session
Definition: proxy_ylocal.php:32
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:23
sspmod_saml_Auth_Source_SP\$metadata
$metadata
Definition: SP.php:17
$id
if(!array_key_exists('StateId', $_REQUEST)) $id
Definition: expirywarning.php:14
$sessionIndex
$sessionIndex
Definition: saml2-acs.php:139
sspmod_saml_Auth_Source_SP\$idp
$idp
Definition: SP.php:24
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:959
sspmod_saml_Auth_Source_SP\reauthPostLogin
static reauthPostLogin(array $state)
Complete login operation after re-authenticating the user on another IdP.
Definition: SP.php:575
sspmod_saml_Message\buildLogoutRequest
static buildLogoutRequest(SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata)
Build a logout request based on information in the metadata.
Definition: Message.php:536
sspmod_saml_Auth_Source_SP
Definition: SP.php:3
sspmod_saml_Message\buildAuthnRequest
static buildAuthnRequest(SimpleSAML_Configuration $spMetadata, SimpleSAML_Configuration $idpMetadata)
Build an authentication request based on information in the metadata.
Definition: Message.php:466
sspmod_saml_Auth_Source_SP\reauthLogout
static reauthLogout(array $state)
Log the user out before logging in again.
Definition: SP.php:556
sspmod_saml_Auth_Source_SP\getMetadataURL
getMetadataURL()
Retrieve the URL to the metadata of this SP.
Definition: SP.php:71
SimpleSAML\Utils\HTTP\redirectUntrustedURL
static redirectUntrustedURL($url, $parameters=array())
This function redirects to the specified URL after performing the appropriate security checks on it...
Definition: HTTP.php:991
$nameId
$nameId
Definition: saml2-acs.php:138
$encryptNameId
$encryptNameId
Definition: logout-iframe-post.php:39
sspmod_saml_Auth_Source_SP\reauthenticate
reauthenticate(array &$state)
Re-authenticate an user.
Definition: SP.php:444
$mdh
$mdh
Definition: logout-iframe.php:23
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:220
sspmod_saml_Auth_Source_SP\authenticate
authenticate(&$state)
Start login.
Definition: SP.php:386
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
SimpleSAML
Attribute-related utility methods.
SimpleSAML\Logger\info
static info($string)
Definition: Logger.php:199
$sourceId
if(!array_key_exists(sspmod_authfacebook_Auth_Source_Facebook::AUTHID, $state)) $sourceId
Definition: linkback.php:20
SimpleSAML_Configuration\getEndpointPrioritizedByBinding
getEndpointPrioritizedByBinding($endpointType, array $bindings, $default=self::REQUIRED_OPTION)
Find an endpoint of the given type, using a list of supported bindings as a way to prioritize...
Definition: Configuration.php:1203
sspmod_saml_Auth_Source_SP\onProcessingCompleted
static onProcessingCompleted(array $authProcState)
Called when we have completed the procssing chain.
Definition: SP.php:774
sspmod_saml_Auth_Source_SP\logout
logout(&$state)
Start logout operation.
Definition: SP.php:667
SimpleSAML_Configuration\getDefaultEndpoint
getDefaultEndpoint($endpointType, array $bindings=null, $default=self::REQUIRED_OPTION)
Find the default endpoint of the given type.
Definition: Configuration.php:1238
SimpleSAML\Logger\warning
static warning($string)
Definition: Logger.php:177
SimpleSAML_Configuration
SAML2\Constants\COMPARISON_EXACT
const COMPARISON_EXACT
Request Authentication Context Comparison indicating that the resulting authentication context in the...
Definition: Constants.php:83
sspmod_saml_Auth_Source_SP\__construct
__construct($info, $config)
Constructor for SAML SP authentication source.
Definition: SP.php:39
sspmod_saml_Auth_Source_SP\startSSO
startSSO($idp, array $state)
Send a SSO request to an IdP.
Definition: SP.php:325
sspmod_saml_Auth_Source_SP\sendSAML2AuthnRequest
sendSAML2AuthnRequest(array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
Function to actually send the authentication request.
Definition: SP.php:313
sspmod_saml_Auth_Source_SP\getIdPMetadata
getIdPMetadata($entityId)
Retrieve the metadata of an IdP.
Definition: SP.php:102
sspmod_saml_Auth_Source_SP\handleResponse
handleResponse(array $state, $idp, array $attributes)
Handle a response from a SSO operation.
Definition: SP.php:693
SimpleSAML_Configuration\getBoolean
getBoolean($name, $default=self::REQUIRED_OPTION)
This function retrieves a boolean configuration option.
Definition: Configuration.php:664
$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85
sspmod_saml_Auth_Source_SP\startSLO2
startSLO2(&$state)
Start a SAML 2 logout operation.
Definition: SP.php:619
SimpleSAML_Configuration\getInteger
getInteger($name, $default=self::REQUIRED_OPTION)
This function retrieves an integer configuration option.
Definition: Configuration.php:740
sspmod_saml_Message\getEncryptionKey
static getEncryptionKey(SimpleSAML_Configuration $metadata)
Retrieve the encryption key for the given entity.
Definition: Message.php:865
SimpleSAML_IdP
Definition: IdP.php:10
sspmod_saml_Auth_Source_SP\getMetadata
getMetadata()
Retrieve the metadata of this SP.
Definition: SP.php:91
SimpleSAML_Auth_State\getPersistentAuthData
static getPersistentAuthData(array $state)
Get the persistent authentication state from the state array.
Definition: State.php:103
sspmod_saml_Auth_Source_SP\handleUnsolicitedAuth
static handleUnsolicitedAuth($authId, array $state, $redirectTo)
Handle an unsolicited login operations.
Definition: SP.php:758
$lr
$lr
Definition: logout-iframe-post.php:29
SimpleSAML_Configuration\getString
getString($name, $default=self::REQUIRED_OPTION)
This function retrieves a string configuration option.
Definition: Configuration.php:702
$idpMetadata
$idpMetadata
Definition: logout-iframe-post.php:26
SimpleSAML_Auth_ProcessingChain
Definition: ProcessingChain.php:13
sspmod_saml_Auth_Source_SP\$discoURL
$discoURL
Definition: SP.php:31
$url
$url
Definition: proxy_ylocal.php:28
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:136
sspmod_saml_Auth_Source_SP\handleLogout
handleLogout($idpEntityId)
Handle a logout request from an IdP.
Definition: SP.php:736
$source
$source
Definition: linkback.php:22
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:340
$info
$info
Definition: index.php:5
$binding
$binding
Definition: logout-iframe-post.php:55
sspmod_saml_Auth_Source_SP\startSSO2
startSSO2(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML2 SSO request to an IdP.
Definition: SP.php:177
SimpleSAML_Session\getSessionFromRequest
static getSessionFromRequest()
Retrieves the current session.
Definition: Session.php:241
SimpleSAML_Configuration\loadFromArray
static loadFromArray($config, $location='[ARRAY]', $instance=null)
Loads a configuration from the given array.
Definition: Configuration.php:297
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
sspmod_saml_Auth_Source_SP\startSSO1
startSSO1(SimpleSAML_Configuration $idpMetadata, array $state)
Send a SAML1 SSO request to an IdP.
Definition: SP.php:141
$data
$data
Definition: bench.php:6