ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
class.ilAuthProviderSaml.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21use ILIAS\User\Profile\Profile;
22
23class ilAuthProviderSaml extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
24{
25 private const string LOG_COMPONENT = 'auth';
26
27 private const string ERR_WRONG_LOGIN = 'err_wrong_login';
28
29 private const string SESSION_TMP_ATTRIBUTES = 'tmp_attributes';
30 private const string SESSION_TMP_RETURN_TO = 'tmp_return_to';
31
32 private ilSamlIdp $idp;
33 private readonly ilLanguage $lng;
34 private readonly Profile $profile;
36 private array $attributes = [];
37 private string $return_to = '';
38 private string $uid = '';
39 private bool $force_new_account = false;
40 private string $migration_account = '';
44 private ?array $user_defined_fields = null;
45
46 public function __construct(ilAuthCredentials $credentials, ?int $a_idp_id = null)
47 {
48 global $DIC;
49
50 parent::__construct($credentials);
51
52 $this->lng = $DIC->language();
53 $this->profile = $DIC['user']->getProfile();
54
55 if (null === $a_idp_id || 0 === $a_idp_id) {
56 $this->idp = ilSamlIdp::getFirstActiveIdp();
57 } else {
58 $this->idp = ilSamlIdp::getInstanceByIdpId($a_idp_id);
59 }
60
61 if ($credentials instanceof ilAuthFrontendCredentialsSaml) {
62 $this->attributes = $credentials->getAttributes();
63 $this->return_to = $credentials->getReturnTo();
64 }
65 }
66
67 private function determineUidFromAttributes(): void
68 {
69 if (
70 !array_key_exists($this->idp->getUidClaim(), $this->attributes) ||
71 !is_array($this->attributes[$this->idp->getUidClaim()]) ||
72 !array_key_exists(0, $this->attributes[$this->idp->getUidClaim()]) ||
73 $this->attributes[$this->idp->getUidClaim()][0] === ''
74 ) {
75 throw new ilException(sprintf(
76 'Could not find unique SAML attribute for the configured identifier: %s',
77 print_r($this->idp->getUidClaim(), true)
78 ));
79 }
80
81 $this->uid = $this->attributes[$this->idp->getUidClaim()][0];
82 }
83
84 public function doAuthentication(ilAuthStatus $status): bool
85 {
86 if ([] === $this->attributes) {
87 $this->getLogger()->warning('Could not parse any attributes from SAML response.');
88 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
89
90 return false;
91 }
92
93 try {
94 $this->determineUidFromAttributes();
95
96 return $this->handleSamlAuth($status);
97 } catch (Exception $e) {
98 $this->getLogger()->warning($e->getMessage());
99 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
100
101 return false;
102 }
103 }
104
105 private function handleSamlAuth(ilAuthStatus $status): bool
106 {
107 $update_auth_mode = false;
108
109 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
110 'Login observer called for SAML authentication request of ext_account "%s" and auth_mode "%s".',
111 $this->uid,
112 $this->getUserAuthModeName()
113 ));
114 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf('Target set to: %s', print_r($this->return_to, true)));
115 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
116 'Trying to find ext_account "%s" for auth_mode "%s".',
117 $this->uid,
118 $this->getUserAuthModeName()
119 ));
120
121 $internal_account = ilObjUser::_checkExternalAuthAccount(
122 $this->getUserAuthModeName(),
123 $this->uid,
124 false
125 );
126
127 if (!is_string($internal_account) || $internal_account === '') {
128 $update_auth_mode = true;
129
130 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
131 'Could not find ext_account "%s" for auth_mode "%s".',
132 $this->uid,
133 $this->getUserAuthModeName()
134 ));
135
136 $fallback_auth_mode = 'local';
137 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
138 'Trying to find ext_account "%s" for auth_mode "%s".',
139 $this->uid,
140 $fallback_auth_mode
141 ));
142 $internal_account = ilObjUser::_checkExternalAuthAccount($fallback_auth_mode, $this->uid, false);
143
144 $defaultAuth = ilAuthUtils::AUTH_LOCAL;
145 if ($GLOBALS['DIC']['ilSetting']->get('auth_mode')) {
146 $defaultAuth = $GLOBALS['DIC']['ilSetting']->get('auth_mode');
147 }
148
149 if (
150 (!is_string($internal_account) || $internal_account === '') &&
151 ($defaultAuth == ilAuthUtils::AUTH_LOCAL || $defaultAuth == $this->getTriggerAuthMode())
152 ) {
153 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
154 'Could not find ext_account "%s" for auth_mode "%s".',
155 $this->uid,
156 $fallback_auth_mode
157 ));
158
159 $fallback_auth_mode = 'default';
160 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
161 'Trying to find ext_account "%s" for auth_mode "%s".',
162 $this->uid,
163 $fallback_auth_mode
164 ));
165 $internal_account = ilObjUser::_checkExternalAuthAccount($fallback_auth_mode, $this->uid, false);
166 }
167 }
168
169 if (is_string($internal_account) && $internal_account !== '') {
170 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
171 'Found user "%s" for ext_account "%s" in ILIAS database.',
172 $internal_account,
173 $this->uid
174 ));
175
176 if ($this->idp->isSynchronizationEnabled()) {
177 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
178 'SAML user synchronisation is enabled, so update existing user "%s" with ext_account "%s".',
179 $internal_account,
180 $this->uid
181 ));
182 $internal_account = $this->importUser($internal_account, $this->uid, $this->attributes);
183 }
184
185 if ($update_auth_mode) {
186 $usr_id = ilObjUser::_loginExists($internal_account);
187 if ($usr_id > 0) {
188 ilObjUser::_writeAuthMode($usr_id, $this->getUserAuthModeName());
189 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
190 'SAML Switched auth_mode of user with login "%s" and ext_account "%s" to "%s".',
191 $internal_account,
192 $this->uid,
193 $this->getUserAuthModeName()
194 ));
195 } else {
196 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
197 'SAML Could not switch auth_mode of user with login "%s" and ext_account "%s" to "%s".',
198 $internal_account,
199 $this->uid,
200 $this->getUserAuthModeName()
201 ));
202 }
203 }
204
205 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
206 'Authentication succeeded: Found internal login "%s for ext_account "%s" and auth_mode "%s".',
207 $internal_account,
208 $this->uid,
209 $this->getUserAuthModeName()
210 ));
211
212 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
213 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
214 ilSession::set('used_external_auth_mode', $this->getTriggerAuthMode());
215
216 return true;
217 }
218
219 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
220 'Could not find an existing user for ext_account "%s" for any relevant auth_mode.',
221 $this->uid
222 ));
223 if ($this->idp->isSynchronizationEnabled()) {
224 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
225 'SAML user synchronisation is enabled, so determine action for ext_account "%s" and auth_mode "%s".',
226 $this->uid,
227 $this->getUserAuthModeName()
228 ));
229 if (!$this->force_new_account && $this->idp->isAccountMigrationEnabled()) {
230 ilSession::set(self::SESSION_TMP_ATTRIBUTES, $this->attributes);
231 ilSession::set(self::SESSION_TMP_RETURN_TO, $this->return_to);
232
233 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
234 'Account migration is enabled, so redirecting ext_account "%s" to account migration screen.',
235 $this->uid
236 ));
237
238 $this->setExternalAccountName($this->uid);
239 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
240
241 return false;
242 }
243
244 $new_name = $this->importUser(null, $this->uid, $this->attributes);
245 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
246 'Created new user account with login "%s" and ext_account "%s".',
247 $new_name,
248 $this->uid
249 ));
250
251 ilSession::set(self::SESSION_TMP_ATTRIBUTES, null);
252 ilSession::set(self::SESSION_TMP_RETURN_TO, null);
253 ilSession::set('used_external_auth_mode', $this->getTriggerAuthMode());
254
255 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
256 $status->setAuthenticatedUserId(ilObjUser::_lookupId($new_name));
257
258 return true;
259 }
260
261 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug("SAML user synchronisation is not enabled, auth failed.");
262 $this->handleAuthenticationFail($status, 'err_auth_saml_no_ilias_user');
263
264 return false;
265 }
266
267 public function migrateAccount(ilAuthStatus $status): void
268 {
269 }
270
271 public function createNewAccount(ilAuthStatus $status): void
272 {
273 if (
274 !is_array(ilSession::get(self::SESSION_TMP_ATTRIBUTES)) ||
275 [] === ilSession::get(self::SESSION_TMP_ATTRIBUTES) ||
276 $this->getCredentials()->getUsername() === ''
277 ) {
278 $this->getLogger()->warning('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
279 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
280 return;
281 }
282
283 $this->uid = $this->getCredentials()->getUsername();
284 $this->attributes = ilSession::get(self::SESSION_TMP_ATTRIBUTES);
285 $this->return_to = (string) ilSession::get(self::SESSION_TMP_RETURN_TO);
286
287 $this->force_new_account = true;
288
289 $this->handleSamlAuth($status);
290 }
291
292 public function setExternalAccountName(string $a_name): void
293 {
294 $this->migration_account = $a_name;
295 }
296
297 public function getExternalAccountName(): string
298 {
299 return $this->migration_account;
300 }
301
302 public function getTriggerAuthMode(): string
303 {
304 return ilAuthUtils::AUTH_SAML . '_' . $this->idp->getIdpId();
305 }
306
307 public function getUserAuthModeName(): string
308 {
309 return 'saml_' . $this->idp->getIdpId();
310 }
311
312 private function importUser(?string $a_internal_login, string $a_external_account, array $a_user_data = []): string
313 {
314 $mapping = new ilExternalAuthUserAttributeMapping('saml', $this->idp->getIdpId());
315
316 $xml_writer = new ilXmlWriter();
317 $xml_writer->xmlStartTag('Users');
318 if (null === $a_internal_login) {
319 $login = $a_user_data[$this->idp->getLoginClaim()][0];
320 $login = ilAuthUtils::_generateLogin($login);
321
322 $xml_writer->xmlStartTag(
323 'User',
324 [
325 'Action' => 'Insert',
326 'Language' => $this->lng->getDefaultLanguage()
327 ]
328 );
329 $xml_writer->xmlElement('Login', [], $login);
330
331 $xml_writer->xmlElement('Role', [
332 'Id' => $this->idp->getDefaultRoleId(),
333 'Type' => 'Global',
334 'Action' => 'Assign'
335 ]);
336
337 $xml_writer->xmlElement('Active', [], "true");
338 $xml_writer->xmlElement('TimeLimitOwner', [], USER_FOLDER_ID);
339 $xml_writer->xmlElement('TimeLimitUnlimited', [], 1);
340 $xml_writer->xmlElement('TimeLimitFrom', [], time());
341 $xml_writer->xmlElement('TimeLimitUntil', [], time());
342 $xml_writer->xmlElement(
343 'AuthMode',
344 ['type' => $this->getUserAuthModeName()],
345 $this->getUserAuthModeName()
346 );
347 $xml_writer->xmlElement('ExternalAccount', [], $a_external_account);
348
349 $mapping = new ilExternalAuthUserCreationAttributeMappingFilter($mapping);
350 } else {
351 $login = $a_internal_login;
352 $usr_id = ilObjUser::_lookupId($a_internal_login);
353
354 $xml_writer->xmlStartTag('User', ['Action' => 'Update', 'Id' => $usr_id]);
355
356 $loginClaim = $a_user_data[$this->idp->getLoginClaim()][0];
357 if (ilStr::strToLower($login) !== ilStr::strToLower($loginClaim)) {
358 $login = ilAuthUtils::_generateLogin($loginClaim);
359 $xml_writer->xmlElement('Login', [], $login);
360 }
361
362 $mapping = new ilExternalAuthUserUpdateAttributeMappingFilter($mapping);
363 }
364
365 foreach ($mapping as $rule) {
366 try {
367 $attributeValueParser = new ilSamlMappedUserAttributeValueParser($rule, $a_user_data);
368 $value = $attributeValueParser->parse();
369 $this->buildUserAttributeXml($xml_writer, $rule, $value);
370 } catch (ilSamlException $e) {
371 $this->getLogger()->warning($e->getMessage());
372 continue;
373 }
374 }
375
376 $xml_writer->xmlEndTag('User');
377 $xml_writer->xmlEndTag('Users');
378
379 ilLoggerFactory::getLogger(self::LOG_COMPONENT)->debug(sprintf(
380 'Started import of user "%s" with ext_account "%s" and auth_mode "%s".',
381 $login,
382 $a_external_account,
383 $this->getUserAuthModeName()
384 ));
385 $importParser = new ilUserImportParser();
386 $importParser->setXMLContent($xml_writer->xmlDumpMem(false));
387 $importParser->setRoleAssignment([
388 $this->idp->getDefaultRoleId() => $this->idp->getDefaultRoleId(),
389 ]);
390 $importParser->setFolderId(USER_FOLDER_ID);
391 $importParser->setUserMappingMode(ilUserImportParser::IL_USER_MAPPING_ID);
392 $importParser->startParsing();
393
394 return $login;
395 }
396
397 private function buildUserAttributeXml(
398 ilXmlWriter $xml_writer,
399 ilExternalAuthUserAttributeMappingRule $rule,
400 string $value
401 ): void {
402 switch (strtolower($rule->getAttribute())) {
403 case 'gender':
404 $gender_attr = 'Gender';
405 match (strtolower($value)) {
406 'n', 'neutral' => $xml_writer->xmlElement($gender_attr, [], 'n'),
407 'm', 'male' => $xml_writer->xmlElement($gender_attr, [], 'm'),
408 // no break
409 default => $xml_writer->xmlElement($gender_attr, [], 'f'),
410 };
411 break;
412
413 case 'firstname':
414 $xml_writer->xmlElement('Firstname', [], $value);
415 break;
416
417 case 'lastname':
418 $xml_writer->xmlElement('Lastname', [], $value);
419 break;
420
421 case 'email':
422 $xml_writer->xmlElement('Email', [], $value);
423 break;
424
425 case 'second_email':
426 $xml_writer->xmlElement('SecondEmail', [], $value);
427 break;
428
429 case 'institution':
430 $xml_writer->xmlElement('Institution', [], $value);
431 break;
432
433 case 'department':
434 $xml_writer->xmlElement('Department', [], $value);
435 break;
436
437 case 'hobby':
438 $xml_writer->xmlElement('Hobby', [], $value);
439 break;
440
441 case 'title':
442 $xml_writer->xmlElement('Title', [], $value);
443 break;
444
445 case 'street':
446 $xml_writer->xmlElement('Street', [], $value);
447 break;
448
449 case 'city':
450 $xml_writer->xmlElement('City', [], $value);
451 break;
452
453 case 'zipcode':
454 $xml_writer->xmlElement('PostalCode', [], $value);
455 break;
456
457 case 'country':
458 $xml_writer->xmlElement('Country', [], $value);
459 break;
460
461 case 'phone_office':
462 $xml_writer->xmlElement('PhoneOffice', [], $value);
463 break;
464
465 case 'phone_home':
466 $xml_writer->xmlElement('PhoneHome', [], $value);
467 break;
468
469 case 'phone_mobile':
470 $xml_writer->xmlElement('PhoneMobile', [], $value);
471 break;
472
473 case 'fax':
474 $xml_writer->xmlElement('Fax', [], $value);
475 break;
476
477 case 'referral_comment':
478 $xml_writer->xmlElement('Comment', [], $value);
479 break;
480
481 case 'matriculation':
482 $xml_writer->xmlElement('Matriculation', [], $value);
483 break;
484
485 case 'birthday':
486 $xml_writer->xmlElement('Birthday', [], $value);
487 break;
488
489 default:
490 if (!str_starts_with($rule->getAttribute(), 'udf_')) {
491 break;
492 }
493
494 $udf_data = explode('_', $rule->getAttribute());
495 if (!isset($udf_data[1])) {
496 break;
497 }
498
499 $this->initUserDefinedFields();
500 $field = $this->user_defined_fields[$udf_data[1]] ?? null;
501 if ($field === null) {
502 ilLoggerFactory::getLogger('auth')->warning(sprintf(
503 "Invalid/Orphaned UD field mapping detected: %s",
504 $rule->getAttribute()
505 ));
506 break;
507 }
508
509 $xml_writer->xmlElement(
510 'UserDefinedField',
511 ['Id' => $field->getIdentifier(), 'Name' => $field->getLabel($this->lng)],
512 $value
513 );
514 break;
515 }
516 }
517
518 private function initUserDefinedFields(): void
519 {
520 if ($this->user_defined_fields === null) {
521 $this->user_defined_fields = $this->profile->getAllUserDefinedFields();
522 }
523 }
524}
ilAuthProviderSaml\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderSaml.php:271
ilAuthProviderSaml\importUser
importUser(?string $a_internal_login, string $a_external_account, array $a_user_data=[])
Definition: class.ilAuthProviderSaml.php:312
ilAuthProviderSaml\setExternalAccountName
setExternalAccountName(string $a_name)
Definition: class.ilAuthProviderSaml.php:292
ilAuthProviderSaml\buildUserAttributeXml
buildUserAttributeXml(ilXmlWriter $xml_writer, ilExternalAuthUserAttributeMappingRule $rule, string $value)
Definition: class.ilAuthProviderSaml.php:397
ilAuthProviderSaml\handleSamlAuth
handleSamlAuth(ilAuthStatus $status)
Definition: class.ilAuthProviderSaml.php:105
ilAuthProviderSaml\__construct
__construct(ilAuthCredentials $credentials, ?int $a_idp_id=null)
Definition: class.ilAuthProviderSaml.php:46
ilAuthProviderSaml\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderSaml.php:297
ilAuthProviderSaml\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth.
Definition: class.ilAuthProviderSaml.php:307
ilAuthProviderSaml\$lng
readonly ilLanguage $lng
Definition: class.ilAuthProviderSaml.php:33
ilAuthProviderSaml\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderSaml.php:267
ilAuthProviderSaml\doAuthentication
doAuthentication(ilAuthStatus $status)
Definition: class.ilAuthProviderSaml.php:84
ilAuthProviderSaml\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: class.ilAuthProviderSaml.php:302
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Definition: class.ilAuthProvider.php:43
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:24
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const int STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:30
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:114
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthStatus\STATUS_AUTHENTICATED
const int STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:28
ilAuthUtils\AUTH_LOCAL
const int AUTH_LOCAL
Definition: class.ilAuthUtils.php:29
ilAuthUtils\AUTH_SAML
const int AUTH_SAML
Definition: class.ilAuthUtils.php:37
ilAuthUtils\_generateLogin
static _generateLogin(string $a_login)
generate free login by starting with a default string and adding postfix numbers
Definition: class.ilAuthUtils.php:339
ilException
Base class for ILIAS Exception handling.
Definition: class.ilException.php:26
ilLanguage
language handling
Definition: class.ilLanguage.php:43
ilLoggerFactory\getLogger
static getLogger(string $a_component_id)
Get component logger.
Definition: class.ilLoggerFactory.php:89
ilObjUser\_lookupId
static _lookupId(string|array $a_user_str)
Definition: class.ilObjUser.php:2915
ilObjUser\_writeAuthMode
static _writeAuthMode(int $a_usr_id, string $a_auth_mode)
Definition: class.ilObjUser.php:2684
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2813
ilObjUser\_loginExists
static _loginExists(string $a_login, int $a_user_id=0)
Definition: class.ilObjUser.php:1934
ilSamlIdp\getInstanceByIdpId
static getInstanceByIdpId(int $a_idp_id)
Definition: class.ilSamlIdp.php:66
ilSamlIdp\getFirstActiveIdp
static getFirstActiveIdp()
Definition: class.ilSamlIdp.php:56
ilSession\get
static get(string $a_var)
Definition: class.ilSession.php:388
ilSession\set
static set(string $a_var, $a_val)
Set a value.
Definition: class.ilSession.php:380
ilStr\strToLower
static strToLower(string $a_string)
Definition: class.ilStr.php:69
ilXmlWriter
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilXmlWriter.php:33
ilXmlWriter\xmlElement
xmlElement(string $tag, $attrs=null, $data=null, $encode=true, $escape=true)
Writes a basic element (no children, just textual content)
Definition: class.ilXmlWriter.php:318
USER_FOLDER_ID
const USER_FOLDER_ID
Definition: constants.php:33
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$DIC
global $DIC
Definition: shib_login.php:26
$GLOBALS
$GLOBALS["DIC"]
Definition: wac.php:54