142 lines
4.6 KiB
PHP
142 lines
4.6 KiB
PHP
<?php
|
|
require_once('/usr/share/simplesamlphp/lib/_autoload.php');
|
|
/**
|
|
* Elgg SAML v2.0 authentication
|
|
*
|
|
* @package ElggSAMLAuth
|
|
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
|
|
* @author Jerome Schneider <jschneider@entrouvert.com>
|
|
*/
|
|
|
|
// Register the events
|
|
register_elgg_event_handler('init','system','saml_auth_init');
|
|
register_elgg_event_handler('logout','user','saml_logout');
|
|
|
|
/**
|
|
* SAML Authentication init
|
|
*
|
|
* These parameters are required for the event API, but we won't use them:
|
|
*/
|
|
function saml_auth_init()
|
|
{
|
|
global $CONFIG;
|
|
|
|
init_config();
|
|
$as = new SimpleSAML_Auth_Simple(get_plugin_setting('sp_name', 'saml_auth'));
|
|
$isAuth = $as->isAuthenticated();
|
|
$attributes = $as->getAttributes();
|
|
$elgg_user = saml_map_attributes($attributes);
|
|
if ($isAuth && ! isloggedin() && $elgg_user)
|
|
{
|
|
|
|
if ($user = get_entities_from_metadata('ldapDN', $elgg_user['ldapDN'], 'user')) {
|
|
$user = $user[0];
|
|
}
|
|
error_log('SAMLAuth found user "' . $user . '" for ldapDN "' . $elgg_user['ldapDN'] . '"');
|
|
if (! $user)
|
|
{
|
|
try {
|
|
if (!register_user($elgg_user['username'], $elgg_user['password'],
|
|
$elgg_user['name'], $elgg_user['email']))
|
|
return 1;
|
|
} catch (RegistrationException $e) {
|
|
return true;
|
|
}
|
|
$user = get_user_by_username($elgg_user['username']);
|
|
$user->ldapDN = $elgg_user['ldapDN'];
|
|
}
|
|
else
|
|
saml_sync_user($user, $elgg_user);
|
|
if ($user) {
|
|
$result = login($user);
|
|
$_SESSION['saml_user'] = TRUE;
|
|
return $result;
|
|
}
|
|
// XXX: else return an error ?
|
|
}
|
|
if (! $isAuth && isloggedin() && $_SESSION['saml_user']) {
|
|
// unlogged from simplesamlphp but not from elgg
|
|
return logout();
|
|
}
|
|
}
|
|
|
|
function init_config()
|
|
{
|
|
$config = find_plugin_settings('saml_auth');
|
|
if (! $config->sp_name)
|
|
set_plugin_setting('sp_name', 'default-sp', 'saml_auth');
|
|
if (! $config->username)
|
|
set_plugin_setting('username', 'uid', 'saml_auth');
|
|
if (! $config->firstname)
|
|
set_plugin_setting('firstname', 'givenName', 'saml_auth');
|
|
if (! $config->surname)
|
|
set_plugin_setting('surname', 'sn', 'saml_auth');
|
|
if (! $config->email)
|
|
set_plugin_setting('email', 'mail', 'saml_auth');
|
|
}
|
|
|
|
function saml_sync_user($user, $elgg_user)
|
|
{
|
|
$user->name = $elgg_user['name'];
|
|
$user->email = $elgg_user['email'];
|
|
$user->ldapDN = $elgg_user['ldapDN'];
|
|
$user->save();
|
|
}
|
|
|
|
|
|
function gen_rand_pwd()
|
|
{
|
|
$password = "";
|
|
$chars = "0123456789_!@#$%&*()-=+/abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_!@#$%&*()-=+/";
|
|
$i = 0;
|
|
|
|
while ($i < 18)
|
|
{
|
|
$char = substr($chars, rand(0, strlen($chars)-1), 1);
|
|
$password .= $char;
|
|
$i++;
|
|
}
|
|
return $password;
|
|
}
|
|
|
|
function saml_map_attributes($attributes)
|
|
{
|
|
$elgg_user = array();
|
|
|
|
$config = find_plugin_settings('saml_auth');
|
|
if (! $attributes[$config->username] or ! $attributes[$config->email])
|
|
return false;
|
|
$elgg_user['username'] = $attributes[$config->username][0];
|
|
$elgg_user['password'] = gen_rand_pwd();
|
|
$elgg_user['name'] = '';
|
|
if ($attributes['dn']) {
|
|
$elgg_user['ldapDN'] = $attributes['dn'][0];
|
|
}
|
|
if ($attributes[$config->surname] || $attributes[$config->firstname])
|
|
{
|
|
if ($attributes[$config->firstname])
|
|
$elgg_user['name'] = $attributes[$config->firstname][0];
|
|
if ($attributes[$config->surname])
|
|
{
|
|
if (! empty($elgg_user['name']))
|
|
$elgg_user['name'] .= ' ';
|
|
$elgg_user['name'] .= $attributes[$config->surname][0];
|
|
}
|
|
}
|
|
else
|
|
$elgg_user['name'] = $elgg_user['username'];
|
|
$elgg_user['email'] = $attributes[$config->email][0];
|
|
|
|
return $elgg_user;
|
|
}
|
|
|
|
function saml_logout()
|
|
{
|
|
$as = new SimpleSAML_Auth_Simple(get_plugin_setting('sp_name', 'saml_auth'));
|
|
if ($as->isAuthenticated())
|
|
$as->logout();
|
|
|
|
return true;
|
|
}
|
|
|