140 lines
4.8 KiB
PHP
140 lines
4.8 KiB
PHP
<?php
|
|
/**
|
|
* Elgg SAML v2.0 authentication
|
|
*
|
|
* @package ElggSAMLAuth
|
|
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
|
|
* @author Jerome Schneider <jschneider@entrouvert.com>
|
|
*/
|
|
|
|
require_once dirname(__FILE__) . '/simplesamlphp/lib/_autoload.php';
|
|
|
|
// Register the events
|
|
elgg_register_event_handler('init','system','saml_auth_init');
|
|
|
|
/**
|
|
* SAML Authentication init
|
|
*
|
|
* These parameters are required for the event API, but we won't use them:
|
|
*/
|
|
function saml_auth_init()
|
|
{
|
|
global $CONFIG;
|
|
|
|
init_config();
|
|
$as = new SimpleSAML_Auth_Simple(elgg_get_plugin_setting('sp_name', 'saml_auth'));
|
|
$isAuth = $as->isAuthenticated();
|
|
$attributes = $as->getAttributes();
|
|
$elgg_user = saml_map_attributes($attributes);
|
|
if ($isAuth && ! elgg_is_logged_in() && $elgg_user)
|
|
{
|
|
$user = get_user_by_username($elgg_user['username']);
|
|
if ($user) {
|
|
trigger_error('SAMLAuth found user "' . $user->username, E_USER_NOTICE);
|
|
}
|
|
if (! $user)
|
|
{
|
|
try {
|
|
if (!register_user($elgg_user['username'], $elgg_user['password'],
|
|
$elgg_user['name'], $elgg_user['email']))
|
|
return 1;
|
|
} catch (RegistrationException $e) {
|
|
error_log('SAMLAuth cannot register username "' . $elgg_user['username'] . '", it exists already.');
|
|
return true;
|
|
}
|
|
$user = get_user_by_username($elgg_user['username']);
|
|
}
|
|
if ($user) {
|
|
saml_sync_user($user, $elgg_user);
|
|
$result = login($user);
|
|
$_SESSION['saml_user'] = TRUE;
|
|
return $result;
|
|
}
|
|
// XXX: else return an error ?
|
|
}
|
|
if (! $isAuth && elgg_is_logged_in() && $_SESSION['saml_user']) {
|
|
// unlogged from simplesamlphp but not from elgg
|
|
return logout();
|
|
}
|
|
elgg_register_event_handler('logout','user','saml_logout');
|
|
}
|
|
|
|
function init_config()
|
|
{
|
|
$config = elgg_get_calling_plugin_entity('saml_auth');
|
|
if (! $config->sp_name)
|
|
elgg_set_plugin_setting('sp_name', 'default-sp', 'saml_auth');
|
|
if (! $config->username)
|
|
elgg_set_plugin_setting('username', 'urn:oid:0.9.2342.19200300.100.1.1', 'saml_auth');
|
|
if (! $config->firstname)
|
|
elgg_set_plugin_setting('firstname', 'urn:oid:1.3.6.1.4.1.5923.1.1.1.2', 'saml_auth');
|
|
if (! $config->surname)
|
|
elgg_set_plugin_setting('surname', 'urn:oid:2.5.4.4', 'saml_auth');
|
|
if (! $config->email)
|
|
elgg_set_plugin_setting('email', 'urn:oid:0.9.2342.19200300.100.1.3', 'saml_auth');
|
|
if (! $config->classical_auth)
|
|
elgg_set_plugin_setting('classical_auth', 'yes', 'saml_auth');
|
|
}
|
|
|
|
function saml_sync_user($user, $elgg_user)
|
|
{
|
|
$user->name = $elgg_user['name'];
|
|
$user->email = $elgg_user['email'];
|
|
$user->save();
|
|
}
|
|
|
|
|
|
function gen_rand_pwd()
|
|
{
|
|
$password = "";
|
|
$chars = "0123456789_!@#$%&*()-=+/abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_!@#$%&*()-=+/";
|
|
$i = 0;
|
|
|
|
while ($i < 18)
|
|
{
|
|
$char = substr($chars, rand(0, strlen($chars)-1), 1);
|
|
$password .= $char;
|
|
$i++;
|
|
}
|
|
return $password;
|
|
}
|
|
|
|
function saml_map_attributes($attributes)
|
|
{
|
|
$elgg_user = array();
|
|
|
|
$config = elgg_get_calling_plugin_entity('saml_auth');
|
|
if (! $attributes[$config->username] or ! $attributes[$config->email])
|
|
return false;
|
|
$elgg_user['username'] = $attributes[$config->username][0];
|
|
$elgg_user['password'] = gen_rand_pwd();
|
|
$elgg_user['name'] = '';
|
|
if ($attributes[$config->surname] || $attributes[$config->firstname])
|
|
{
|
|
if ($attributes[$config->firstname])
|
|
$elgg_user['name'] = $attributes[$config->firstname][0];
|
|
if ($attributes[$config->surname])
|
|
{
|
|
if (! empty($elgg_user['name']))
|
|
$elgg_user['name'] .= ' ';
|
|
$elgg_user['name'] .= $attributes[$config->surname][0];
|
|
}
|
|
}
|
|
else
|
|
$elgg_user['name'] = $elgg_user['username'];
|
|
$elgg_user['email'] = $attributes[$config->email][0];
|
|
|
|
return $elgg_user;
|
|
}
|
|
|
|
function saml_logout($page)
|
|
{
|
|
global $CONFIG;
|
|
|
|
$auth = new SimpleSAML_Auth_Simple(elgg_get_plugin_setting('sp_name', 'saml_auth'));
|
|
if ($auth->isAuthenticated()) {
|
|
$auth->logout(elgg_get_site_url());
|
|
}
|
|
}
|
|
|