ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
External.php
Go to the documentation of this file.
1<?php
2
23class sspmod_exampleauth_Auth_Source_External extends SimpleSAML_Auth_Source {
24
31 public function __construct($info, $config) {
32 assert(is_array($info));
33 assert(is_array($config));
34
35 // Call the parent constructor first, as required by the interface
36 parent::__construct($info, $config);
37
38 // Do any other configuration we need here
39 }
40
41
47 private function getUser() {
48
49 /*
50 * In this example we assume that the attributes are
51 * stored in the users PHP session, but this could be replaced
52 * with anything.
53 */
54
55 if (!session_id()) {
56 /* session_start not called before. Do it here. */
57 session_start();
58 }
59
60 if (!isset($_SESSION['uid'])) {
61 /* The user isn't authenticated. */
62 return NULL;
63 }
64
65 /*
66 * Find the attributes for the user.
67 * Note that all attributes in SimpleSAMLphp are multivalued, so we need
68 * to store them as arrays.
69 */
70
71 $attributes = array(
72 'uid' => array($_SESSION['uid']),
73 'displayName' => array($_SESSION['name']),
74 'mail' => array($_SESSION['mail']),
75 );
76
77 /* Here we generate a multivalued attribute based on the account type. */
78 $attributes['eduPersonAffiliation'] = array(
79 $_SESSION['type'], /* In this example, either 'student' or 'employee'. */
80 'member',
81 );
82
83 return $attributes;
84 }
85
86
92 public function authenticate(&$state) {
93 assert(is_array($state));
94
95 $attributes = $this->getUser();
96 if ($attributes !== NULL) {
97 /*
98 * The user is already authenticated.
99 *
100 * Add the users attributes to the $state-array, and return control
101 * to the authentication process.
102 */
103 $state['Attributes'] = $attributes;
104 return;
105 }
106
107 /*
108 * The user isn't authenticated. We therefore need to
109 * send the user to the login page.
110 */
111
112 /*
113 * First we add the identifier of this authentication source
114 * to the state array, so that we know where to resume.
115 */
116 $state['exampleauth:AuthID'] = $this->authId;
117
118
119 /*
120 * We need to save the $state-array, so that we can resume the
121 * login process after authentication.
122 *
123 * Note the second parameter to the saveState-function. This is a
124 * unique identifier for where the state was saved, and must be used
125 * again when we retrieve the state.
126 *
127 * The reason for it is to prevent
128 * attacks where the user takes a $state-array saved in one location
129 * and restores it in another location, and thus bypasses steps in
130 * the authentication process.
131 */
132 $stateId = SimpleSAML_Auth_State::saveState($state, 'exampleauth:External');
133
134 /*
135 * Now we generate a URL the user should return to after authentication.
136 * We assume that whatever authentication page we send the user to has an
137 * option to return the user to a specific page afterwards.
138 */
139 $returnTo = SimpleSAML\Module::getModuleURL('exampleauth/resume.php', array(
140 'State' => $stateId,
141 ));
142
143 /*
144 * Get the URL of the authentication page.
145 *
146 * Here we use the getModuleURL function again, since the authentication page
147 * is also part of this module, but in a real example, this would likely be
148 * the absolute URL of the login page for the site.
149 */
150 $authPage = SimpleSAML\Module::getModuleURL('exampleauth/authpage.php');
151
152 /*
153 * The redirect to the authentication page.
154 *
155 * Note the 'ReturnTo' parameter. This must most likely be replaced with
156 * the real name of the parameter for the login page.
157 */
158 \SimpleSAML\Utils\HTTP::redirectTrustedURL($authPage, array(
159 'ReturnTo' => $returnTo,
160 ));
161
162 /*
163 * The redirect function never returns, so we never get this far.
164 */
165 assert(false);
166 }
167
168
177 public static function resume() {
178
179 /*
180 * First we need to restore the $state-array. We should have the identifier for
181 * it in the 'State' request parameter.
182 */
183 if (!isset($_REQUEST['State'])) {
184 throw new SimpleSAML_Error_BadRequest('Missing "State" parameter.');
185 }
186
187 /*
188 * Once again, note the second parameter to the loadState function. This must
189 * match the string we used in the saveState-call above.
190 */
191 $state = SimpleSAML_Auth_State::loadState($_REQUEST['State'], 'exampleauth:External');
192
193 /*
194 * Now we have the $state-array, and can use it to locate the authentication
195 * source.
196 */
197 $source = SimpleSAML_Auth_Source::getById($state['exampleauth:AuthID']);
198 if ($source === NULL) {
199 /*
200 * The only way this should fail is if we remove or rename the authentication source
201 * while the user is at the login page.
202 */
203 throw new SimpleSAML_Error_Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
204 }
205
206 /*
207 * Make sure that we haven't switched the source type while the
208 * user was at the authentication page. This can only happen if we
209 * change config/authsources.php while an user is logging in.
210 */
211 if (! ($source instanceof self)) {
212 throw new SimpleSAML_Error_Exception('Authentication source type changed.');
213 }
214
215
216 /*
217 * OK, now we know that our current state is sane. Time to actually log the user in.
218 *
219 * First we check that the user is acutally logged in, and didn't simply skip the login page.
220 */
221 $attributes = $source->getUser();
222 if ($attributes === NULL) {
223 /*
224 * The user isn't authenticated.
225 *
226 * Here we simply throw an exception, but we could also redirect the user back to the
227 * login page.
228 */
229 throw new SimpleSAML_Error_Exception('User not authenticated after login page.');
230 }
231
232 /*
233 * So, we have a valid user. Time to resume the authentication process where we
234 * paused it in the authenticate()-function above.
235 */
236
237 $state['Attributes'] = $attributes;
238 SimpleSAML_Auth_Source::completeAuth($state);
239
240 /*
241 * The completeAuth-function never returns, so we never get this far.
242 */
243 assert(false);
244 }
245
246
253 public function logout(&$state) {
254 assert(is_array($state));
255
256 if (!session_id()) {
257 /* session_start not called before. Do it here. */
258 session_start();
259 }
260
261 /*
262 * In this example we simply remove the 'uid' from the session.
263 */
264 unset($_SESSION['uid']);
265
266 /*
267 * If we need to do a redirect to a different page, we could do this
268 * here, but in this example we don't need to do this.
269 */
270 }
271
272}
$source
$source
Definition: linkback.php:22
$state
if(!array_key_exists('stateid', $_REQUEST)) $state
Handle linkback() response from LinkedIn.
Definition: linkback.php:10
$returnTo
if(!isset($_REQUEST['ReturnTo'])) $returnTo
Definition: authpage.php:16
$_SESSION
$_SESSION["AccountId"]
Definition: cfg.phpunit.template.php:10
php
An exception for terminatinating execution or to throw for unit testing.
SimpleSAML\Module\getModuleURL
static getModuleURL($resource, array $parameters=array())
Get absolute URL to a specified module resource.
Definition: Module.php:220
SimpleSAML\Utils\HTTP\redirectTrustedURL
static redirectTrustedURL($url, $parameters=array())
This function redirects to the specified URL without performing any security checks.
Definition: HTTP.php:959
SimpleSAML_Auth_Source
Definition: Source.php:14
SimpleSAML_Auth_Source\getById
static getById($authId, $type=null)
Retrieve authentication source.
Definition: Source.php:340
SimpleSAML_Auth_Source\completeAuth
static completeAuth(&$state)
Complete authentication.
Definition: Source.php:136
SimpleSAML_Auth_Source\$authId
$authId
Definition: Source.php:23
SimpleSAML_Auth_State\saveState
static saveState(&$state, $stage, $rawId=false)
Save the state.
Definition: State.php:194
SimpleSAML_Auth_State\loadState
static loadState($id, $stage, $allowMissing=false)
Retrieve saved state.
Definition: State.php:259
SimpleSAML_Error_BadRequest
Definition: BadRequest.php:13
SimpleSAML_Error_Exception
Definition: Exception.php:13
sspmod_exampleauth_Auth_Source_External
Definition: External.php:23
sspmod_exampleauth_Auth_Source_External\authenticate
authenticate(&$state)
Log in using an external authentication helper.
Definition: External.php:92
sspmod_exampleauth_Auth_Source_External\__construct
__construct($info, $config)
Constructor for this authentication source.
Definition: External.php:31
sspmod_exampleauth_Auth_Source_External\resume
static resume()
Resume authentication process.
Definition: External.php:177
sspmod_exampleauth_Auth_Source_External\getUser
getUser()
Retrieve attributes for the user.
Definition: External.php:47
sspmod_exampleauth_Auth_Source_External\logout
logout(&$state)
This function is called when the user start a logout operation, for example by logging out of a SP th...
Definition: External.php:253
$attributes
if(array_key_exists('yes', $_REQUEST)) $attributes
Definition: getconsent.php:85
$config
$config
Definition: bootstrap.php:15
$stateId
$stateId
Definition: saml2-acs.php:76
$info
$info
Definition: index.php:5