ILIAS  trunk Revision v11.0_alpha-1689-g66c127b4ae8
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.ilAuthProviderSaml.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 class ilAuthProviderSaml extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
22 {
23  private const LOG_COMPONENT = 'auth';
24 
25  private const ERR_WRONG_LOGIN = 'err_wrong_login';
26 
27  private const SESSION_TMP_ATTRIBUTES = 'tmp_attributes';
28  private const SESSION_TMP_RETURN_TO = 'tmp_return_to';
29 
30  private ilSamlIdp $idp;
31  private readonly ilLanguage $lng;
33  private array $attributes = [];
34  private string $return_to = '';
35  private string $uid = '';
36  private bool $force_new_account = false;
37  private string $migration_account = '';
38 
39  public function __construct(ilAuthCredentials $credentials, ?int $a_idp_id = null)
40  {
41  global $DIC;
42 
43  parent::__construct($credentials);
44 
45  $this->lng = $DIC->language();
46 
47  if (null === $a_idp_id || 0 === $a_idp_id) {
48  $this->idp = ilSamlIdp::getFirstActiveIdp();
49  } else {
50  $this->idp = ilSamlIdp::getInstanceByIdpId($a_idp_id);
51  }
52 
53  if ($credentials instanceof ilAuthFrontendCredentialsSaml) {
54  $this->attributes = $credentials->getAttributes();
55  $this->return_to = $credentials->getReturnTo();
56  }
57  }
58 
59  private function determineUidFromAttributes(): void
60  {
61  if (
62  !array_key_exists($this->idp->getUidClaim(), $this->attributes) ||
63  !is_array($this->attributes[$this->idp->getUidClaim()]) ||
64  !array_key_exists(0, $this->attributes[$this->idp->getUidClaim()]) ||
65  $this->attributes[$this->idp->getUidClaim()][0] === ''
66  ) {
67  throw new ilException(sprintf(
68  'Could not find unique SAML attribute for the configured identifier: %s',
69  print_r($this->idp->getUidClaim(), true)
70  ));
71  }
72 
73  $this->uid = $this->attributes[$this->idp->getUidClaim()][0];
74  }
75 
76  public function doAuthentication(ilAuthStatus $status): bool
77  {
78  if ([] === $this->attributes) {
79  $this->getLogger()->warning('Could not parse any attributes from SAML response.');
80  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
81 
82  return false;
83  }
84 
85  try {
86  $this->determineUidFromAttributes();
87 
88  return $this->handleSamlAuth($status);
89  } catch (Exception $e) {
90  $this->getLogger()->warning($e->getMessage());
91  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
92 
93  return false;
94  }
95  }
96 
97  private function handleSamlAuth(ilAuthStatus $status): bool
98  {
99  $update_auth_mode = false;
100 
101  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
102  'Login observer called for SAML authentication request of ext_account "%s" and auth_mode "%s".',
103  $this->uid,
104  $this->getUserAuthModeName()
105  ));
106  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf('Target set to: %s', print_r($this->return_to, true)));
107  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
108  'Trying to find ext_account "%s" for auth_mode "%s".',
109  $this->uid,
110  $this->getUserAuthModeName()
111  ));
112 
113  $internal_account = ilObjUser::_checkExternalAuthAccount(
114  $this->getUserAuthModeName(),
115  $this->uid,
116  false
117  );
118 
119  if (!is_string($internal_account) || $internal_account === '') {
120  $update_auth_mode = true;
121 
122  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
123  'Could not find ext_account "%s" for auth_mode "%s".',
124  $this->uid,
125  $this->getUserAuthModeName()
126  ));
127 
128  $fallback_auth_mode = 'local';
129  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
130  'Trying to find ext_account "%s" for auth_mode "%s".',
131  $this->uid,
132  $fallback_auth_mode
133  ));
134  $internal_account = ilObjUser::_checkExternalAuthAccount($fallback_auth_mode, $this->uid, false);
135 
136  $defaultAuth = ilAuthUtils::AUTH_LOCAL;
137  if ($GLOBALS['DIC']['ilSetting']->get('auth_mode')) {
138  $defaultAuth = $GLOBALS['DIC']['ilSetting']->get('auth_mode');
139  }
140 
141  if (
142  (!is_string($internal_account) || $internal_account === '') &&
143  ($defaultAuth == ilAuthUtils::AUTH_LOCAL || $defaultAuth == $this->getTriggerAuthMode())
144  ) {
145  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
146  'Could not find ext_account "%s" for auth_mode "%s".',
147  $this->uid,
148  $fallback_auth_mode
149  ));
150 
151  $fallback_auth_mode = 'default';
152  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
153  'Trying to find ext_account "%s" for auth_mode "%s".',
154  $this->uid,
155  $fallback_auth_mode
156  ));
157  $internal_account = ilObjUser::_checkExternalAuthAccount($fallback_auth_mode, $this->uid, false);
158  }
159  }
160 
161  if (is_string($internal_account) && $internal_account !== '') {
162  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
163  'Found user "%s" for ext_account "%s" in ILIAS database.',
164  $internal_account,
165  $this->uid
166  ));
167 
168  if ($this->idp->isSynchronizationEnabled()) {
169  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
170  'SAML user synchronisation is enabled, so update existing user "%s" with ext_account "%s".',
171  $internal_account,
172  $this->uid
173  ));
174  $internal_account = $this->importUser($internal_account, $this->uid, $this->attributes);
175  }
176 
177  if ($update_auth_mode) {
178  $usr_id = ilObjUser::_loginExists($internal_account);
179  if ($usr_id > 0) {
180  ilObjUser::_writeAuthMode($usr_id, $this->getUserAuthModeName());
181  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
182  'SAML Switched auth_mode of user with login "%s" and ext_account "%s" to "%s".',
183  $internal_account,
184  $this->uid,
185  $this->getUserAuthModeName()
186  ));
187  } else {
188  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
189  'SAML Could not switch auth_mode of user with login "%s" and ext_account "%s" to "%s".',
190  $internal_account,
191  $this->uid,
192  $this->getUserAuthModeName()
193  ));
194  }
195  }
196 
197  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
198  'Authentication succeeded: Found internal login "%s for ext_account "%s" and auth_mode "%s".',
199  $internal_account,
200  $this->uid,
201  $this->getUserAuthModeName()
202  ));
203 
204  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
205  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
206  ilSession::set('used_external_auth_mode', $this->getTriggerAuthMode());
207 
208  return true;
209  }
210 
211  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
212  'Could not find an existing user for ext_account "%s" for any relevant auth_mode.',
213  $this->uid
214  ));
215  if ($this->idp->isSynchronizationEnabled()) {
216  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
217  'SAML user synchronisation is enabled, so determine action for ext_account "%s" and auth_mode "%s".',
218  $this->uid,
219  $this->getUserAuthModeName()
220  ));
221  if (!$this->force_new_account && $this->idp->isAccountMigrationEnabled()) {
222  ilSession::set(self::SESSION_TMP_ATTRIBUTES, $this->attributes);
223  ilSession::set(self::SESSION_TMP_RETURN_TO, $this->return_to);
224 
225  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
226  'Account migration is enabled, so redirecting ext_account "%s" to account migration screen.',
227  $this->uid
228  ));
229 
230  $this->setExternalAccountName($this->uid);
231  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
232 
233  return false;
234  }
235 
236  $new_name = $this->importUser(null, $this->uid, $this->attributes);
237  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
238  'Created new user account with login "%s" and ext_account "%s".',
239  $new_name,
240  $this->uid
241  ));
242 
243  ilSession::set(self::SESSION_TMP_ATTRIBUTES, null);
244  ilSession::set(self::SESSION_TMP_RETURN_TO, null);
245  ilSession::set('used_external_auth_mode', $this->getTriggerAuthMode());
246 
247  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
248  $status->setAuthenticatedUserId(ilObjUser::_lookupId($new_name));
249 
250  return true;
251  }
252 
253  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug("SAML user synchronisation is not enabled, auth failed.");
254  $this->handleAuthenticationFail($status, 'err_auth_saml_no_ilias_user');
255 
256  return false;
257  }
258 
259  public function migrateAccount(ilAuthStatus $status): void
260  {
261  }
262 
263  public function createNewAccount(ilAuthStatus $status): void
264  {
265  if (
266  !is_array(ilSession::get(self::SESSION_TMP_ATTRIBUTES)) ||
267  [] === ilSession::get(self::SESSION_TMP_ATTRIBUTES) ||
268  $this->getCredentials()->getUsername() === ''
269  ) {
270  $this->getLogger()->warning('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
271  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
272  return;
273  }
274 
275  $this->uid = $this->getCredentials()->getUsername();
276  $this->attributes = ilSession::get(self::SESSION_TMP_ATTRIBUTES);
277  $this->return_to = (string) ilSession::get(self::SESSION_TMP_RETURN_TO);
278 
279  $this->force_new_account = true;
280 
281  $this->handleSamlAuth($status);
282  }
283 
284  public function setExternalAccountName(string $a_name): void
285  {
286  $this->migration_account = $a_name;
287  }
288 
289  public function getExternalAccountName(): string
290  {
291  return $this->migration_account;
292  }
293 
294  public function getTriggerAuthMode(): string
295  {
296  return ilAuthUtils::AUTH_SAML . '_' . $this->idp->getIdpId();
297  }
298 
299  public function getUserAuthModeName(): string
300  {
301  return 'saml_' . $this->idp->getIdpId();
302  }
303 
304  private function importUser(?string $a_internal_login, string $a_external_account, array $a_user_data = []): string
305  {
306  $mapping = new ilExternalAuthUserAttributeMapping('saml', $this->idp->getIdpId());
307 
308  $xml_writer = new ilXmlWriter();
309  $xml_writer->xmlStartTag('Users');
310  if (null === $a_internal_login) {
311  $login = $a_user_data[$this->idp->getLoginClaim()][0];
312  $login = ilAuthUtils::_generateLogin($login);
313 
314  $xml_writer->xmlStartTag(
315  'User',
316  [
317  'Action' => 'Insert',
318  'Language' => $this->lng->getDefaultLanguage()
319  ]
320  );
321  $xml_writer->xmlElement('Login', [], $login);
322 
323  $xml_writer->xmlElement('Role', [
324  'Id' => $this->idp->getDefaultRoleId(),
325  'Type' => 'Global',
326  'Action' => 'Assign'
327  ]);
328 
329  $xml_writer->xmlElement('Active', [], "true");
330  $xml_writer->xmlElement('TimeLimitOwner', [], USER_FOLDER_ID);
331  $xml_writer->xmlElement('TimeLimitUnlimited', [], 1);
332  $xml_writer->xmlElement('TimeLimitFrom', [], time());
333  $xml_writer->xmlElement('TimeLimitUntil', [], time());
334  $xml_writer->xmlElement(
335  'AuthMode',
336  ['type' => $this->getUserAuthModeName()],
337  $this->getUserAuthModeName()
338  );
339  $xml_writer->xmlElement('ExternalAccount', [], $a_external_account);
340 
341  $mapping = new ilExternalAuthUserCreationAttributeMappingFilter($mapping);
342  } else {
343  $login = $a_internal_login;
344  $usr_id = ilObjUser::_lookupId($a_internal_login);
345 
346  $xml_writer->xmlStartTag('User', ['Action' => 'Update', 'Id' => $usr_id]);
347 
348  $loginClaim = $a_user_data[$this->idp->getLoginClaim()][0];
349  if (ilStr::strToLower($login) !== ilStr::strToLower($loginClaim)) {
350  $login = ilAuthUtils::_generateLogin($loginClaim);
351  $xml_writer->xmlElement('Login', [], $login);
352  }
353 
354  $mapping = new ilExternalAuthUserUpdateAttributeMappingFilter($mapping);
355  }
356 
357  foreach ($mapping as $rule) {
358  try {
359  $attributeValueParser = new ilSamlMappedUserAttributeValueParser($rule, $a_user_data);
360  $value = $attributeValueParser->parse();
361  $this->buildUserAttributeXml($xml_writer, $rule, $value);
362  } catch (ilSamlException $e) {
363  $this->getLogger()->warning($e->getMessage());
364  continue;
365  }
366  }
367 
368  $xml_writer->xmlEndTag('User');
369  $xml_writer->xmlEndTag('Users');
370 
371  ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
372  'Started import of user "%s" with ext_account "%s" and auth_mode "%s".',
373  $login,
374  $a_external_account,
375  $this->getUserAuthModeName()
376  ));
377  $importParser = new ilUserImportParser();
378  $importParser->setXMLContent($xml_writer->xmlDumpMem(false));
379  $importParser->setRoleAssignment([
380  $this->idp->getDefaultRoleId() => $this->idp->getDefaultRoleId(),
381  ]);
382  $importParser->setFolderId(USER_FOLDER_ID);
383  $importParser->setUserMappingMode(ilUserImportParser::IL_USER_MAPPING_ID);
384  $importParser->startParsing();
385 
386  return $login;
387  }
388 
389  private function buildUserAttributeXml(
390  ilXmlWriter $xml_writer,
391  ilExternalAuthUserAttributeMappingRule $rule,
392  string $value
393  ): void {
394  switch (strtolower($rule->getAttribute())) {
395  case 'gender':
396  $gender_attr = 'Gender';
397  match (strtolower($value)) {
398  'n', 'neutral' => $xml_writer->xmlElement($gender_attr, [], 'n'),
399  'm', 'male' => $xml_writer->xmlElement($gender_attr, [], 'm'),
400  // no break
401  default => $xml_writer->xmlElement($gender_attr, [], 'f'),
402  };
403  break;
404 
405  case 'firstname':
406  $xml_writer->xmlElement('Firstname', [], $value);
407  break;
408 
409  case 'lastname':
410  $xml_writer->xmlElement('Lastname', [], $value);
411  break;
412 
413  case 'email':
414  $xml_writer->xmlElement('Email', [], $value);
415  break;
416 
417  case 'second_email':
418  $xml_writer->xmlElement('SecondEmail', [], $value);
419  break;
420 
421  case 'institution':
422  $xml_writer->xmlElement('Institution', [], $value);
423  break;
424 
425  case 'department':
426  $xml_writer->xmlElement('Department', [], $value);
427  break;
428 
429  case 'hobby':
430  $xml_writer->xmlElement('Hobby', [], $value);
431  break;
432 
433  case 'title':
434  $xml_writer->xmlElement('Title', [], $value);
435  break;
436 
437  case 'street':
438  $xml_writer->xmlElement('Street', [], $value);
439  break;
440 
441  case 'city':
442  $xml_writer->xmlElement('City', [], $value);
443  break;
444 
445  case 'zipcode':
446  $xml_writer->xmlElement('PostalCode', [], $value);
447  break;
448 
449  case 'country':
450  $xml_writer->xmlElement('Country', [], $value);
451  break;
452 
453  case 'phone_office':
454  $xml_writer->xmlElement('PhoneOffice', [], $value);
455  break;
456 
457  case 'phone_home':
458  $xml_writer->xmlElement('PhoneHome', [], $value);
459  break;
460 
461  case 'phone_mobile':
462  $xml_writer->xmlElement('PhoneMobile', [], $value);
463  break;
464 
465  case 'fax':
466  $xml_writer->xmlElement('Fax', [], $value);
467  break;
468 
469  case 'referral_comment':
470  $xml_writer->xmlElement('Comment', [], $value);
471  break;
472 
473  case 'matriculation':
474  $xml_writer->xmlElement('Matriculation', [], $value);
475  break;
476 
477  case 'birthday':
478  $xml_writer->xmlElement('Birthday', [], $value);
479  break;
480 
481  default:
482  if (!str_starts_with($rule->getAttribute(), 'udf_')) {
483  break;
484  }
485 
486  $udf_data = explode('_', $rule->getAttribute());
487  if (!isset($udf_data[1])) {
488  break;
489  }
490 
491  $definition = ilUserDefinedFields::_getInstance()->getDefinition((int) $udf_data[1]);
492  if (empty($definition)) {
493  ilLoggerFactory::getLogger('auth')->warning(sprintf(
494  "Invalid/Orphaned UD field mapping detected: %s",
495  $rule->getAttribute()
496  ));
497  break;
498  }
499 
500  $xml_writer->xmlElement(
501  'UserDefinedField',
502  ['Id' => $definition['il_id'], 'Name' => $definition['field_name']],
503  $value
504  );
505  break;
506  }
507  }
508 }
ilAuthProviderSaml\doAuthentication
doAuthentication(ilAuthStatus $status)
Definition: class.ilAuthProviderSaml.php:76
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:401
ilAuthUtils\_generateLogin
static _generateLogin(string $a_login)
generate free login by starting with a default string and adding postfix numbers
Definition: class.ilAuthUtils.php:373
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:27
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
USER_FOLDER_ID
const USER_FOLDER_ID
Definition: constants.php:33
ilAuthProviderSaml\__construct
__construct(ilAuthCredentials $credentials, ?int $a_idp_id=null)
Definition: class.ilAuthProviderSaml.php:39
ilAuthProviderSaml\importUser
importUser(?string $a_internal_login, string $a_external_account, array $a_user_data=[])
Definition: class.ilAuthProviderSaml.php:304
ilAuthProviderSaml\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderSaml.php:289
ilObjUser\_writeAuthMode
static _writeAuthMode(int $a_usr_id, string $a_auth_mode)
Definition: class.ilObjUser.php:1583
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:692
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2746
ilSamlIdp\getInstanceByIdpId
static getInstanceByIdpId(int $a_idp_id)
Definition: class.ilSamlIdp.php:64
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:142
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:71
ilAuthProvider
Base class for authentication providers (ldap, apache, ...)
Definition: class.ilAuthProvider.php:27
ilExternalAuthUserAttributeMapping
Class ilExternalAuthUserAttributeMapping.
Definition: class.ilExternalAuthUserAttributeMapping.php:25
$GLOBALS
$GLOBALS["DIC"]
Definition: wac.php:53
ilAuthProviderSaml\$lng
readonly ilLanguage $lng
Definition: class.ilAuthProviderSaml.php:31
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:69
ilAuthProviderSaml\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderSaml.php:263
ilObjUser\_loginExists
static _loginExists(string $a_login, int $a_user_id=0)
check if a login name already exists You may exclude a user from the check by giving his user id as 2...
Definition: class.ilObjUser.php:3240
$DIC
global $DIC
Definition: shib_login.php:22
ilAuthProviderSaml\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderSaml.php:259
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ilAuthProviderSaml\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth...
Definition: class.ilAuthProviderSaml.php:299
ilAuthProviderSaml\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: class.ilAuthProviderSaml.php:294
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:55
ilAuthProviderSaml\handleSamlAuth
handleSamlAuth(ilAuthStatus $status)
Definition: class.ilAuthProviderSaml.php:97
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilStr\strToLower
static strToLower(string $a_string)
Definition: class.ilStr.php:72
ilAuthProviderSaml\buildUserAttributeXml
buildUserAttributeXml(ilXmlWriter $xml_writer, ilExternalAuthUserAttributeMappingRule $rule, string $value)
Definition: class.ilAuthProviderSaml.php:389
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:120
ilXmlWriter\xmlElement
xmlElement(string $tag, $attrs=null, $data=null, $encode=true, $escape=true)
Writes a basic element (no children, just textual content)
Definition: class.ilXmlWriter.php:318
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:27
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:36
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:393
ilAuthProviderSaml\setExternalAccountName
setExternalAccountName(string $a_name)
Definition: class.ilAuthProviderSaml.php:284
ilSamlIdp\getFirstActiveIdp
static getFirstActiveIdp()
Definition: class.ilSamlIdp.php:54