ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
metadata.php
1<?php
2/* Copyright (c) 1998-2017 ILIAS open source, Extended GPL, see docs/LICENSE */
3// ilias-patch: begin
// Work from the script's own directory so the relative require_once paths further down
// resolve regardless of the caller's working directory.
4chdir(dirname(__FILE__));
5
// The cookie path starts at the request's script directory and is shortened in lockstep
// with the directory search below, so it ends up at the URL path of the ILIAS root.
7$cookie_path = dirname($_SERVER['PHP_SELF']);
8
// Walk upwards (at most 20 levels) until ilias.ini.php is found. The initial value of
// $ilias_main_directory is assigned on a line that this listing does not show.
9$i = 0;
10while (!file_exists($ilias_main_directory . 'ilias.ini.php') && $i < 20) {
11 $ilias_main_directory .= '../';
12 ++$i;
13
14 $cookie_path = dirname($cookie_path);
15}
// NOTE(review): original line 16 is not shown here. The loop above only extends
// $ilias_main_directory; unless the omitted line changes the working directory, the
// check below still looks in the script's own directory — confirm against the full file.
17
18if (!file_exists(getcwd() . '/ilias.ini.php')) {
19 die('Please ensure ILIAS is installed!');
20}
21
// Ensure a trailing separator. Note the character class also matches a literal '|', so
// a path ending in '|' would be left without a slash (harmless, but not the intent).
22$cookie_path .= (!preg_match("/[\/|\\\\]$/", $cookie_path)) ? "/" : "";
23
// A client_id on the query string selects the ILIAS client: it is stored in the
// ilClientId cookie and mirrored into $_COOKIE so the remainder of this request sees it.
// The value is used as received at this point, and the cookie is set with session
// lifetime, the computed path, no domain, and without the Secure/HttpOnly flags.
// Whether client_id is validated against the installed clients is not visible here —
// presumably done during ILIAS initialisation; verify.
24if (isset($_GET["client_id"])) {
 // A bare backslash (Windows-style root) is normalised to '/'.
25 if ($cookie_path == "\\") {
26 $cookie_path = '/';
27 }
28
29 setcookie('ilClientId', $_GET['client_id'], 0, $cookie_path, '');
30 $_COOKIE['ilClientId'] = $_GET['client_id'];
31}
// Exposed as a constant for the rest of the bootstrap.
32define('IL_COOKIE_PATH', $cookie_path);
33
// ILIAS bootstrap. Several statements of the original file are not shown in this listing:
// the context initialisation after the first require_once, the ILIAS initialisation after
// the second, and the assignment of $factory just before the last line of this section.
34require_once 'Services/Context/classes/class.ilContext.php';
36
37require_once 'Services/Init/classes/class.ilInitialisation.php';
39
// Base HTTP path of the installation. ILIAS_HTTP_PATH is presumably defined by the
// initialisation step omitted above; the "ilias-patch" blocks further down use it to
// build the SP endpoint URLs.
40$iliasHttpPath = ILIAS_HTTP_PATH;
41
42require_once 'Services/Saml/classes/class.ilSamlAuthFactory.php';
// $factory is assigned on the omitted original line 43 — presumably an ilSamlAuthFactory
// given the require_once above; $auth is the SAML auth object it produces (verify).
44$auth = $factory->auth();
45
46// The source code below is copied from the SimpleSAMLphp library and modified regarding the HTTP path
47// ilias-patch: end
// Log (rather than fail) when the web server does not provide PATH_INFO. The upstream
// code derives the source id from it; the patched version below does not, hence only
// a warning. 'global $DIC' is redundant at file scope but harmless.
48if (!array_key_exists('PATH_INFO', $_SERVER)) {
49 global $DIC;
50 $DIC->logger()->root()->warning('Missing "PATH_INFO" variable. This could be a false positive log entry, but you have to ensure a valid "PATH_INFO" setting for your HTTP server.');
51}
52
// Optional admin-only protection of the metadata endpoint. The body of this if
// (original line 55) is not shown in this listing; $config is also assigned on an
// omitted line. Confirm in the full file that this branch actually enforces admin access.
54if ($config->getBoolean('admin.protectmetadata', false)) {
56}
57// ilias-patch: begin
// The authentication source id comes from the configured ILIAS SAML auth object instead
// of the request path (the commented-out upstream line), so it is not request-controlled.
58//$sourceId = substr($_SERVER['PATH_INFO'], 1);
59$sourceId = $auth->getAuthId();
60// ilias-patch: end
// $source is looked up by $sourceId on an omitted original line (61). Both failure modes
// below surface as NotFound, so a misconfigured source id is never silently accepted.
62if ($source === null) {
63 throw new SimpleSAML_Error_NotFound('Could not find authentication source with id ' . $sourceId);
64}
65
// Only SAML SP sources can publish SP metadata.
66if (!($source instanceof sspmod_saml_Auth_Source_SP)) {
67 throw new SimpleSAML_Error_NotFound('Source isn\'t a SAML SP: ' . var_export($sourceId, true));
68}
69
// Entity id plus the SP's own configuration, which the rest of the script converts into
// a saml20-sp-remote metadata array.
70$entityId = $source->getEntityId();
71$spconfig = $source->getMetadata();
73
// Accumulator for the generated saml20-sp-remote metadata entry.
74$metaArray20 = array();
75
// Default SingleLogoutService bindings. The opening line of this array literal
// ($slosvcdefault = array( — original line 76) is not shown in this listing.
77 SAML2\Constants::BINDING_HTTP_REDIRECT,
78 SAML2\Constants::BINDING_SOAP,
79);
80
81$slob = $spconfig->getArray('SingleLogoutServiceBinding', $slosvcdefault);
82// ilias-patch: begin
// Logout endpoint rewritten to the ILIAS-hosted script, scoped by source id and client.
83$slol = $iliasHttpPath . '/saml2-logout.php/' . $sourceId . '/' . CLIENT_ID;
84// ilias-patch: end
85
// One SLO entry per configured binding, all pointing at the same location. $store is
// assigned on an omitted line; SOAP logout is only advertised when a SQL store is in use.
86foreach ($slob as $binding) {
87 if ($binding == SAML2\Constants::BINDING_SOAP && !($store instanceof SimpleSAML\Store\SQL)) {
88 // we cannot properly support SOAP logout
89 continue;
90 }
91 $metaArray20['SingleLogoutService'][] = array(
92 'Binding' => $binding,
93 'Location' => $slol,
94 );
95}
96
// Default AssertionConsumerService bindings. The opening line of this array literal
// ($assertionsconsumerservicesdefault = array( — original line 97) is not shown here.
98 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
99 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
100 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
101 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01',
102);
103
// Holder-of-key is only offered when the SP explicitly selects it as its ProtocolBinding.
104if ($spconfig->getString('ProtocolBinding', '') == 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser') {
105 $assertionsconsumerservicesdefault[] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
106}
107
109
// Build one AssertionConsumerService entry per configured binding. The configured list
// ($assertionsconsumerservices) and the starting value of $index are assigned on lines
// this listing omits (original 108 and 110).
// All locations are rewritten (ilias-patch) to ILIAS-hosted ACS scripts scoped by source
// id and CLIENT_ID: SAML 2.0 bindings -> saml2-acs.php, SAML 1.x profiles -> saml1-acs.php.
111$eps = array();
112foreach ($assertionsconsumerservices as $services) {
113 $acsArray = array('index' => $index);
 // NOTE(review): the switch has no default branch (and compares loosely, as switch
 // does). An unrecognised binding string still produces an entry below that carries
 // only 'index', with no Binding/Location, and still consumes an index value.
114 switch ($services) {
115 case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST':
116 $acsArray['Binding'] = SAML2\Constants::BINDING_HTTP_POST;
117 // ilias-patch: begin
118 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
119 // ilias-patch: end
120 break;
121 case 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post':
122 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:browser-post';
123 // ilias-patch: begin
124 $acsArray['Location'] = $iliasHttpPath . "/saml1-acs.php/{$sourceId}/" . CLIENT_ID;
 // (this patch block has no matching "ilias-patch: end" marker)
125 break;
126 case 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact':
127 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
128 // ilias-patch: begin
129 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
130 // ilias-patch: end
131 break;
132 case 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01':
133 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:1.0:profiles:artifact-01';
134 // ilias-patch: begin
 // The artifact profile uses a dedicated ".../artifact/" sub-path of saml1-acs.php.
135 $acsArray['Location'] = $iliasHttpPath . "/saml1-acs.php/{$sourceId}/artifact/" . CLIENT_ID;
136 // ilias-patch: end
137 break;
138 case 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser':
139 $acsArray['Binding'] = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
140 // ilias-patch: begin
141 $acsArray['Location'] = $iliasHttpPath . "/saml2-acs.php/{$sourceId}/" . CLIENT_ID;
142 // ilias-patch: end
 // Holder-of-key additionally declares the transport binding used under the profile.
143 $acsArray['hoksso:ProtocolBinding'] = SAML2\Constants::BINDING_HTTP_REDIRECT;
144 break;
145 }
146 $eps[] = $acsArray;
147 $index++;
148}
149
150$metaArray20['AssertionConsumerService'] = $eps;
151
// Collect the certificates to publish. $certInfo is (re)loaded on omitted lines before
// each of the two blocks below — presumably a pending "new" certificate first, then the
// current one; verify against the full file.
152$keys = array();
// A pending certificate, if present, is advertised for both signing and encryption and
// takes over the encryption role from the current certificate.
154if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
155 $hasNewCert = true;
156
157 $certData = $certInfo['certData'];
158
159 $keys[] = array(
160 'type' => 'X509Certificate',
161 'signing' => true,
162 'encryption' => true,
163 'X509Certificate' => $certInfo['certData'],
164 );
165} else {
166 $hasNewCert = false;
167}
168
// Current certificate: always for signing, for encryption only when no new cert exists.
170if ($certInfo !== null && array_key_exists('certData', $certInfo)) {
171 $certData = $certInfo['certData'];
172
173 $keys[] = array(
174 'type' => 'X509Certificate',
175 'signing' => true,
176 'encryption' => ($hasNewCert ? false : true),
177 'X509Certificate' => $certInfo['certData'],
178 );
179} else {
 // $certData is assigned in both blocks but not read anywhere in the visible listing.
180 $certData = null;
181}
182
// Optional NameIDFormat, copied only when the SP configures a NameIDPolicy.
183$format = $spconfig->getString('NameIDPolicy', null);
184if ($format !== null) {
185 $metaArray20['NameIDFormat'] = $format;
186}
187
// Display name and requested attributes are published together, and only when both a
// name and a non-empty attribute list are configured.
188$name = $spconfig->getLocalizedString('name', null);
189$attributes = $spconfig->getArray('attributes', array());
190
191if ($name !== null && !empty($attributes)) {
192 $metaArray20['name'] = $name;
193 $metaArray20['attributes'] = $attributes;
194 $metaArray20['attributes.required'] = $spconfig->getArray('attributes.required', array());
195
 // Do not emit an empty required-attributes list.
196 if (empty($metaArray20['attributes.required'])) {
197 unset($metaArray20['attributes.required']);
198 }
199
200 $description = $spconfig->getArray('description', null);
201 if ($description !== null) {
202 $metaArray20['description'] = $description;
203 }
204
205 $nameFormat = $spconfig->getString('attributes.NameFormat', null);
206 if ($nameFormat !== null) {
207 $metaArray20['attributes.NameFormat'] = $nameFormat;
208 }
209}
210
211// add organization info
// OrganizationName is the trigger: the display name falls back to it, while a missing
// OrganizationURL is treated as a configuration error.
212$orgName = $spconfig->getLocalizedString('OrganizationName', null);
213if ($orgName !== null) {
214 $metaArray20['OrganizationName'] = $orgName;
215
216 $metaArray20['OrganizationDisplayName'] = $spconfig->getLocalizedString('OrganizationDisplayName', null);
217 if ($metaArray20['OrganizationDisplayName'] === null) {
218 $metaArray20['OrganizationDisplayName'] = $orgName;
219 }
220
221 $metaArray20['OrganizationURL'] = $spconfig->getLocalizedString('OrganizationURL', null);
222 if ($metaArray20['OrganizationURL'] === null) {
223 throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
224 }
225}
226
// Contacts from the SP config. The loop body (original line 230, which processes and
// attaches each contact) is not shown in this listing.
227if ($spconfig->hasValue('contacts')) {
228 $contacts = $spconfig->getArray('contacts');
229 foreach ($contacts as $contact) {
231 }
232}
233
234// add technical contact
// Only added when a real address (not the placeholder default) is configured. The line
// that attaches $techcontact to the metadata (original 240) is omitted from this listing.
235$email = $config->getString('technicalcontact_email', 'na@example.org', false);
236if ($email && $email !== 'na@example.org') {
237 $techcontact['emailAddress'] = $email;
238 $techcontact['name'] = $config->getString('technicalcontact_name', null);
239 $techcontact['contactType'] = 'technical';
241}
242
243// add certificate
// A single certificate is published as the flat 'certData' key; several (e.g. new plus
// current during a rollover) use the structured 'keys' list built earlier.
244if (count($keys) === 1) {
245 $metaArray20['certData'] = $keys[0]['X509Certificate'];
246} elseif (count($keys) > 1) {
247 $metaArray20['keys'] = $keys;
248}
249
250// add EntityAttributes extension
251if ($spconfig->hasValue('EntityAttributes')) {
252 $metaArray20['EntityAttributes'] = $spconfig->getArray('EntityAttributes');
253}
254
255// add UIInfo extension
256if ($spconfig->hasValue('UIInfo')) {
257 $metaArray20['UIInfo'] = $spconfig->getArray('UIInfo');
258}
259
260// add RegistrationInfo extension
261if ($spconfig->hasValue('RegistrationInfo')) {
262 $metaArray20['RegistrationInfo'] = $spconfig->getArray('RegistrationInfo');
263}
264
265// add signature options
// WantAssertionsSigned becomes the remote-side 'saml20.sign.assertion' flag. For request
// signing, 'redirect.sign' takes precedence over 'sign.authnrequest'; at most one of the
// two validation flags is emitted.
266if ($spconfig->hasValue('WantAssertionsSigned')) {
267 $metaArray20['saml20.sign.assertion'] = $spconfig->getBoolean('WantAssertionsSigned');
268}
269if ($spconfig->hasValue('redirect.sign')) {
270 $metaArray20['redirect.validate'] = $spconfig->getBoolean('redirect.sign');
271} elseif ($spconfig->hasValue('sign.authnrequest')) {
272 $metaArray20['validate.authnrequest'] = $spconfig->getBoolean('sign.authnrequest');
273}
274
// Protocols the SP supports. $supported_protocols is not referenced again in the visible
// listing — presumably handed to the metadata builder on one of the omitted lines
// (original 278-281); verify.
275$supported_protocols = array('urn:oasis:names:tc:SAML:1.1:protocol', SAML2\Constants::NS_SAMLP);
276
277$metaArray20['metadata-set'] = 'saml20-sp-remote';
279
// $metaBuilder is constructed on omitted lines; it renders $metaArray20 as an
// EntityDescriptor document.
282$metaBuilder->addOrganizationInfo($metaArray20);
283
284$xml = $metaBuilder->getEntityDescriptorText();
285
// Keys that only matter for the XML/builder form are dropped from the flat PHP array
// shown to admins below. 'entityid' is not assigned in the visible lines (presumably on
// an omitted one).
286unset($metaArray20['UIInfo']);
287unset($metaArray20['metadata-set']);
288unset($metaArray20['entityid']);
289
290// sanitize the attributes array to remove friendly names
// array_values() drops the string keys (the friendly names), keeping only attribute names.
291if (isset($metaArray20['attributes']) && is_array($metaArray20['attributes'])) {
292 $metaArray20['attributes'] = array_values($metaArray20['attributes']);
293}
294
295// sign the metadata if enabled
// Signing is driven by the SP's own configuration (converted to an array here).
296$xml = SimpleSAML_Metadata_Signer::sign($xml, $spconfig->toArray(), 'SAML 2 SP');
297
// Output: an HTML admin view when output=xhtml is requested (read via $_REQUEST, so the
// parameter may also arrive via POST or a cookie), otherwise the raw XML as a download.
298if (array_key_exists('output', $_REQUEST) && $_REQUEST['output'] == 'xhtml') {
299 $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
300
301 $t->data['clipboard.js'] = true;
302 $t->data['header'] = 'saml20-sp';
 // The XML is HTML-escaped here; the var_export'ed flat array is handed to the template
 // unescaped — whether the template escapes it is not visible in this file.
303 $t->data['metadata'] = htmlspecialchars($xml);
304 $t->data['metadataflat'] = '$metadata[' . var_export($entityId, true) . '] = ' . var_export($metaArray20, true) . ';';
305 // ilias-patch: begin
 // NOTE(review): unlike the other patched URLs (e.g. "/saml2-acs.php/{$sourceId}/"),
 // there is no '/' between "metadata.php" and {$sourceId}, so the displayed URL reads
 // ".../metadata.php<sourceId>/<client>" — likely a typo for "/metadata.php/{$sourceId}/".
306 $t->data['metaurl'] = $iliasHttpPath . "/metadata.php{$sourceId}/" . CLIENT_ID;
307 // ilias-patch: end
308 $t->show();
309} else {
310 header('Content-Type: application/samlmetadata+xml');
 // $ascii_filename is assigned on an omitted line (original 311), presumably an
 // ASCII-converted filename. Confirm that conversion strips quotes and CR/LF, since the
 // value is placed into a response header verbatim.
312 header("Content-Disposition:attachment; filename=\"" . $ascii_filename . "\"");
313 echo($xml);
314}