diff --git a/attributemap/name2claim.php b/attributemap/name2claim.php new file mode 100644 index 00000000..ba32920a --- /dev/null +++ b/attributemap/name2claim.php @@ -0,0 +1,14 @@ + 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country', + 'givenName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname', + 'mail' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress', + 'memberOf' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role', + 'postalcode' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode', + 'uid' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name', + 'sn' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname', + 'st' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince', + 'streetaddress' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress', + 'telephonenumber' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone', +); +?> diff --git a/dictionaries/admin.definition.json b/dictionaries/admin.definition.json index fc9739fc..f9e3b209 100644 --- a/dictionaries/admin.definition.json +++ b/dictionaries/admin.definition.json @@ -68,6 +68,12 @@ "metaover_group_metadata.shib13-idp-remote": { "en": "Shib 1.3 Identity Provider (Remote)" }, + "metaover_group_metadata.adfs-sp-remote": { + "en": "ADFS Service Provider (Remote)" + }, + "metaover_group_metadata.adfs-idp-hosted": { + "en": "ADFS Identity Provider (Hosted)" + }, "metaover_group_metadata.wsfed-sp-hosted": { "en": "WS-Federation Service Provider (Hosted)" }, @@ -95,6 +101,12 @@ "metadata_shib13-idp": { "en": "Shib 1.3 IdP Metadata" }, + "metadata_adfs-sp": { + "en": "ADFS SP Metadata" + }, + "metadata_adfs-idp": { + "en": "ADFS IdP Metadata" + }, "metadata_intro": { "en": "Here is the metadata that simpleSAMLphp has generated for you. You may send this metadata document to trusted partners to setup a trusted federation." }, diff --git a/dictionaries/admin.translation.json b/dictionaries/admin.translation.json index 4808bb51..d0a17135 100644 --- a/dictionaries/admin.translation.json +++ b/dictionaries/admin.translation.json @@ -834,6 +834,68 @@ "ro": "Furnizor de identitate Shib 1.3 (distant)", "ru": "\u041f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 Shib 1.3 (\u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)" }, + "metaover_group_metadata.adfs-sp-remote": { + "no": "ADFS Tjenesteleverand\u00f8r (ekstern)", + "nn": "ADFS Service Provider (Remote)", + "sv": "ADFS Service Provider (Fj\u00e4rr)", + "es": "Proveedor de Servicio ADFS (Remoto)", + "nl": "ADFS Service Provider (Remote)", + "sl": "ADFS SP (Oddaljeni)", + "da": "ADFS tjenesteudbyder (remote)", + "hr": "ADFS davatelj usluge (udaljeni)", + "hu": "ADFS alkalmaz\u00e1sszolg\u00e1ltat\u00f3 (t\u00e1voli)", + "pt-br": "ADFS Service Provider (Remoto)", + "pt": "Fornecedor de servi\u00e7o (SP) ADFS (Remoto)", + "pl": "ADFS Dostawca Serwisu (Zdalny)", + "cs": "SAML 2.O Service Provider (Remote - vzd\u00e1len\u00fd)", + "tr": "ADFS Servis Sa\u011flay\u0131c\u0131 (Uzak sistemde sunulan)", + "de": "ADFS Service Provider (entfernt)", + "fr": "Fournisseur de service ADFS distant", + "it": "ADFS Service Provider (Remoto)", + "ja": "ADFS\u30b5\u30fc\u30d3\u30b9\u30d7\u30ed\u30d0\u30a4\u30c0(\u30ea\u30e2\u30fc\u30c8)", + "lt": "ADFS Paslaugos teik\u0117jas (nutol\u0119s)", + "zh-tw": "ADFS \u670d\u52d9\u63d0\u4f9b\u8005(\u9060\u7aef)", + "et": "ADFS teenusepakkuja (kaug)", + "he": "\u05e1\u05e4\u05e7 \u05e9\u05d9\u05e8\u05d5\u05ea \u05de\u05e8\u05d5\u05d7\u05e7 \u05de\u05e1\u05d5\u05d2 ADFS", + "zh": "ADFS \u670d\u52a1\u63d0\u4f9b\u8005 (\u8fdc\u7a0b)", + "ar": "\u0645\u0642\u062f\u0645 \u062e\u062f\u0645\u0629 ADFS \u0627\u0644\u0628\u0639\u064a\u062f", + "lv": "ADFS servisa pieg\u0101d\u0101t\u0101js (att\u0101lin\u0101ts)", + "id": "Service Provider ADFS (Remote)", + "sr": "ADFS Davalac Servisa (udaljeni)", + "ro": "Furnizor de servicii ADFS (distant)", + "ru": "\u0421\u0435\u0440\u0432\u0438\u0441 \u043f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 ADFS (\u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)" + }, + "metaover_group_metadata.adfs-idp-hosted": { + "no": "ADFS Identitetsleverand\u00f8r (ekstern)", + "nn": "ADFS Identity Provider (Hosted)", + "sv": "ADFS Identity Provider (V\u00e4rd)", + "es": "Proveedor de Identidad ADFS (Anfitri\u00f3n)", + "nl": "ADFS Identity Provider (Hosted)", + "sl": "ADFS IdP (Lokalni)", + "da": "ADFS identitetsudbyder (hosted)", + "hr": "ADFS autentifikacijski servis (lokalni)", + "hu": "ADFS szem\u00e9lyazonoss\u00e1g-szolg\u00e1ltat\u00f3 (helyi)", + "pt-br": "ADFS Identity Provider (Local)", + "pt": "Fornecedor de identidade (IdP) ADFS (Local)", + "pl": "ADFS Dostawca To\u017csamo\u015bci (Lokalny)", + "cs": "ADFS Identity Provider (Hosted - lok\u00e1ln\u00ed)", + "tr": "ADFS Kimlik Sa\u011flay\u0131c\u0131 (Bu sistemde sunulan)", + "de": "ADFS Identity Provider (gehosted)", + "fr": "Fournisseur d'identit\u00e9 ADFS local", + "it": "SAML 2.o Identity Provider (Hosted)", + "ja": "ADFS\u30a2\u30a4\u30c7\u30f3\u30c6\u30a3\u30c6\u30a3\u30d7\u30ed\u30d0\u30a4\u30c0(\u30db\u30b9\u30c8)", + "lt": "ADFS Tapatybi\u0173 teik\u0117jas (vietinis)", + "zh-tw": "ADFS \u9a57\u8b49\u63d0\u4f9b\u8005(\u4e3b\u6a5f)", + "et": "ADFS identiteedipakkuja (hostitud)", + "he": "\u05e1\u05e4\u05e7 \u05d6\u05d4\u05d5\u05ea \u05de\u05e7\u05d5\u05de\u05d9 \u05de\u05e1\u05d5\u05d2 ADFS", + "zh": "ADFS \u8eab\u4efd\u63d0\u4f9b\u8005\uff08\u672c\u5730\uff09", + "ar": "\u0645\u0642\u062f\u0645 \u0647\u0648\u064a\u0629 ADFS \u0627\u0644\u0645\u0633\u062a\u0636\u0627\u0641", + "lv": "ADFS identit\u0101tes pieg\u0101d\u0101t\u0101js (host\u0113ts)", + "id": "Identity Provider ADFS (Hosted)", + "sr": "ADFS Davalac Identiteta (lokalni)", + "ro": "Furnizor de identitate ADFS (g\u0103zduit)", + "ru": "\u041f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 ADFS (\u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)" + }, "metaover_group_metadata.wsfed-sp-hosted": { "no": "WS-Federation tjenesteleverand\u00f8r (intern)", "nn": "WS-Federation Service Provider (Hosted)", @@ -1144,7 +1206,69 @@ "ro": "Metadate furnizor de identitate (IdP) Shib 1.3", "ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 Shib 1.3 IdP" }, - "metadata_intro": { + "metadata_adfs-sp": { + "no": "ADFS SP metadata", + "nn": "ADFS SP Metadata", + "sv": "ADFS SP Metadata", + "es": "Metadatos SP ADFS", + "nl": "ADFS SP Metadata", + "sl": "ADFS SP Metapodatki", + "da": "Shibboleth 1.3 tjenesteudbyders metadata", + "hr": "ADFS metapodaci o davatelju usluge", + "hu": "ADFS SP Metaadatok", + "pt-br": "ADFS SP Metadata", + "pt": "Metadados ADFS SP", + "pl": "ADFS SP - Metadane", + "cs": "ADFS SP Metadata", + "tr": "ADFS SP \u00dcstveri (Metadata)", + "de": "ADFS SP Metadaten", + "fr": "M\u00e9tadonn\u00e9es de SP ADFS", + "it": "Metadati ADFS SP", + "ja": "ADFS SP\u30e1\u30bf\u30c7\u30fc\u30bf", + "lt": "ADFS SP Metaduomenys", + "zh-tw": "ADFS SP \u8a6e\u91cb\u8cc7\u6599", + "et": "ADFS SP metaandmed", + "he": "\u05de\u05d8\u05d0-\u05de\u05d9\u05d3\u05e2 \u05e9\u05dc \u05e1\u05e9 \u05de\u05e1\u05d5\u05d2 ADFS", + "zh": "ADFS SP \u5143\u4fe1\u606f", + "ar": "\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644ADFS SP", + "lv": "ADFS SP metadati", + "id": "Metadata ADFS SP", + "sr": "ADFS SP metapodaci", + "ro": "Metadate furnizor de servicii (SP) ADFS", + "ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 ADFS SP" + }, + "metadata_adfs-idp": { + "no": "ADFS IdP metadata", + "nn": "ADFS IdP Metadata", + "sv": "ADFS IdP Metadata", + "es": "Metadatos IdP ADFS", + "nl": "ADFS IdP Metadata", + "sl": "ADFS IdP Metapodatki", + "da": "ADFS identitetsudbyders metadata", + "hr": "ADFS metapodaci o autentifikacijskom servisu", + "hu": "ADFS IdP Metaadatok", + "pt-br": "ADFS IdP Metadata", + "pt": "Metadados ADFS IdP", + "pl": "ADFS IdP - Metadane", + "cs": "ADFS IdP Metadata", + "tr": "ADFS IdP \u00dcstveri (Metadata)", + "de": "ADFS IdP Metadaten", + "fr": "M\u00e9tadonn\u00e9es d'IdP ADFS", + "it": "Metadati ADFS IdP", + "ja": "ADFS IdP\u30e1\u30bf\u30c7\u30fc\u30bf", + "lt": "ADFS IdP Metaduomenys", + "zh-tw": "ADFS IdP \u8a6e\u91cb\u8cc7\u6599", + "et": "ADFS IdP metaandmed", + "he": "\u05de\u05d8\u05d0-\u05de\u05d9\u05d3\u05e2 \u05e9\u05dc \u05e1\u05d6 \u05de\u05e1\u05d5\u05d2 ADFS ", + "zh": "ADFS IdP \u5143\u4fe1\u606f", + "ar": "\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644 ADFS IdP", + "lv": "ADFS IdP metadati", + "id": "Metadata ADFS IdP", + "sr": "ADFS IdP metapodaci", + "ro": "Metadate furnizor de identitate (IdP) ADFS", + "ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 ADFS IdP" + }, + "metadata_intro": { "no": "Her er metadata som simpleSAMLphp har generert for deg. Du m\u00e5 utveksle metadata med de partene du stoler p\u00e5 for \u00e5 sette opp en f\u00f8derasjon.", "nn": "Her er metadata generert av simpleSAMLphp for deg. Du kan senda dette metadata-dokumentet til dine partnarar, slik at de kan setja opp ein tillitsf\u00f8derasjon.", "sv": "simpleSAMLphp har har genererat f\u00f6ljande metadata. F\u00f6r att s\u00e4tta upp en betrodd federation kan du skicka metadata till de parter du har f\u00f6rtroende f\u00f6r.", diff --git a/lib/SimpleSAML/Metadata/SAMLBuilder.php b/lib/SimpleSAML/Metadata/SAMLBuilder.php index 865412f9..33cd9bd0 100644 --- a/lib/SimpleSAML/Metadata/SAMLBuilder.php +++ b/lib/SimpleSAML/Metadata/SAMLBuilder.php @@ -85,6 +85,20 @@ class SimpleSAML_Metadata_SAMLBuilder { return $xml->ownerDocument->saveXML(); } + public function addSecurityTokenServiceType($metadata) { + assert('is_array($metadata)'); + assert('isset($metadata["entityid"])'); + assert('isset($metadata["metadata-set"])'); + + $metadata = SimpleSAML_Configuration::loadFromArray($metadata, $metadata['entityid']); + $defaultEndpoint = $metadata->getDefaultEndpoint('SingleSignOnService'); + $e = new sspmod_adfs_SAML2_XML_fed_SecurityTokenServiceType(); + $e->Location = $defaultEndpoint['Location']; + + $this->addCertificate($e, $metadata); + + $this->entityDescriptor->RoleDescriptor[] = $e; + } /** * @param SimpleSAML_Configuration $metadata Metadata. diff --git a/metadata-templates/adfs-idp-hosted.php b/metadata-templates/adfs-idp-hosted.php index 040a199a..4360c04c 100644 --- a/metadata-templates/adfs-idp-hosted.php +++ b/metadata-templates/adfs-idp-hosted.php @@ -5,6 +5,10 @@ $metadata['__DYNAMIC:1__'] = array( 'privatekey' => 'server.pem', 'certificate' => 'server.crt', 'auth' => 'example-userpass', + 'authproc' => array( + // Convert LDAP names to WS-Fed Claims. + 100 => array('class' => 'core:AttributeMap', 'name2claim'), + ), ); ?> diff --git a/modules/adfs/docs/adfs.txt b/modules/adfs/docs/adfs.txt new file mode 100644 index 00000000..a57820a7 --- /dev/null +++ b/modules/adfs/docs/adfs.txt @@ -0,0 +1,83 @@ +Enables AD FS IdP +Compatible with VS 2012 Identity and Access + +Basic Setup Companion based on: +http://simplesamlphp.org/docs/stable/simplesamlphp-idp + +1. Enabling the Identity Provider functionality + +In config/config.php, the option will be: +'enable.adfs-idp' => true + +2. Authentication module + +Follow as is. + +3. Configuring the authentication module + +In addition to enabling authentication module, enable adfs module by creating a file named 'enable' in modules/adfs + +In unix from installation directory: +touch modules/adfs/enable + +4. Configuring the IdP + +ADFS IdP is configured by metadata stored in /metadata/adfs-idp-hosted.php and metadata/adfs-sp-remote.php + +If they are not present, copy them from /metadata-templates to the metadata +directory. + +5. Using the uri NameFormat on attributes + +WS-FED likes a few parameters to be very specifically named. This is +especially true if .net clients will be treating this as a Microsoft ADFS +IdP. + +The recommended settings for /metadata/adfs-idp-hosted.php is: + +'authproc' => array( + // Convert LDAP names to WS-Fed Claims. + 100 => array('class' => 'core:AttributeMap', 'name2claim'), +), + +6. Adding SPs to the IdP + +The minimal configuration for /metadata/adfs-sp-remote.php is: + +$metadata['urn:federation:localhost'] = array( + prp' => 'https://localhost/adfs/ls/', +); + +7. Creating a SSL self signed certificate + +Follow as is. + +8. Adding this IdP to other SPs + +Metadata should be available from /module.php/adfs/idp/metadata.php + +9. This module tries its best to emulate a Microsoft ADFS endpoint, and as +such, it is simplest to test using a .net client. + +To build the test client, follow the tutorial at: +http://code.msdn.microsoft.com/Claims-Aware-Web-d94a89ca + +This will build a .net app that uses a dev machine running STS (their name for +an IdP). + +To point to your SimpleSamlPHP ADFS IdP, in VS 2012: + +a. Right-click the project in Solution Explorer and select the Identity and +Access option. + +b. In the Identity and Access Window, Select Use a business identity +provider. + +c. Under “Enter the path to the STS metadata document” enter the url you have + +from step 8. Something like +https://.../module.php/adfs/idp/metadata.php + +d. Click Ok + +For more information in regards to .NET: http://msdn.microsoft.com/en-us/library/hh377151.aspx diff --git a/modules/adfs/lib/SAML2/XML/fed/Const.php b/modules/adfs/lib/SAML2/XML/fed/Const.php new file mode 100644 index 00000000..cdcd9b20 --- /dev/null +++ b/modules/adfs/lib/SAML2/XML/fed/Const.php @@ -0,0 +1,13 @@ +ownerDocument->createElement($name); + $parent->appendChild($e); + + $endpoint = $parent->ownerDocument->createElement('EndpointReference'); + $endpoint->setAttribute('xmlns', 'http://www.w3.org/2005/08/addressing'); + $e->appendChild($endpoint); + + $address = $parent->ownerDocument->createElement('Address', $address); + $endpoint->appendChild($address); + + return $e; + } + +} diff --git a/modules/adfs/lib/SAML2/XML/fed/SecurityTokenServiceType.php b/modules/adfs/lib/SAML2/XML/fed/SecurityTokenServiceType.php new file mode 100644 index 00000000..8369b40b --- /dev/null +++ b/modules/adfs/lib/SAML2/XML/fed/SecurityTokenServiceType.php @@ -0,0 +1,56 @@ +Location)'); + + $e = parent::toXML($parent); + $e->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:fed', sspmod_adfs_SAML2_XML_fed_Const::NS_FED); + $e->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', 'fed:SecurityTokenServiceType'); + sspmod_adfs_SAML2_XML_fed_TokenTypesOffered::appendXML($e); + sspmod_adfs_SAML2_XML_fed_Endpoint::appendXML($e, 'SecurityTokenServiceEndpoint', $this->Location); + sspmod_adfs_SAML2_XML_fed_Endpoint::appendXML($e, 'fed:PassiveRequestorEndpoint', $this->Location); + + return $e; + } +} diff --git a/modules/adfs/lib/SAML2/XML/fed/TokenTypesOffered.php b/modules/adfs/lib/SAML2/XML/fed/TokenTypesOffered.php new file mode 100644 index 00000000..598a233c --- /dev/null +++ b/modules/adfs/lib/SAML2/XML/fed/TokenTypesOffered.php @@ -0,0 +1,26 @@ +ownerDocument->createElementNS(sspmod_adfs_SAML2_XML_fed_Const::NS_FED, 'fed:TokenTypesOffered'); + $parent->appendChild($e); + + $tokentype = $parent->ownerDocument->createElementNS(sspmod_adfs_SAML2_XML_fed_Const::NS_FED, 'fed:TokenType'); + $tokentype->setAttribute('Uri', 'urn:oasis:names:tc:SAML:1.0:assertion'); + $e->appendChild($tokentype); + + return $e; + } + +} diff --git a/modules/adfs/www/idp/metadata.php b/modules/adfs/www/idp/metadata.php new file mode 100644 index 00000000..fd563ba4 --- /dev/null +++ b/modules/adfs/www/idp/metadata.php @@ -0,0 +1,156 @@ +getBoolean('enable.adfs-idp', false)) + throw new SimpleSAML_Error_Error('NOACCESS'); + +/* Check if valid local session exists.. */ +if ($config->getBoolean('admin.protectmetadata', false)) { + SimpleSAML_Utilities::requireAdmin(); +} + + +try { + $idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('adfs-idp-hosted'); + $idpmeta = $metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted'); + + $availableCerts = array(); + + $keys = array(); + $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, FALSE, 'new_'); + if ($certInfo !== NULL) { + $availableCerts['new_idp.crt'] = $certInfo; + $keys[] = array( + 'type' => 'X509Certificate', + 'signing' => TRUE, + 'encryption' => TRUE, + 'X509Certificate' => $certInfo['certData'], + ); + $hasNewCert = TRUE; + } else { + $hasNewCert = FALSE; + } + + $certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE); + $availableCerts['idp.crt'] = $certInfo; + $keys[] = array( + 'type' => 'X509Certificate', + 'signing' => TRUE, + 'encryption' => ($hasNewCert ? FALSE : TRUE), + 'X509Certificate' => $certInfo['certData'], + ); + + if ($idpmeta->hasValue('https.certificate')) { + $httpsCert = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE, 'https.'); + assert('isset($httpsCert["certData"])'); + $availableCerts['https.crt'] = $httpsCert; + $keys[] = array( + 'type' => 'X509Certificate', + 'signing' => TRUE, + 'encryption' => FALSE, + 'X509Certificate' => $httpsCert['certData'], + ); + } + + $adfs_service_location = SimpleSAML_Module::getModuleURL('adfs') . '/idp/prp.php'; + $metaArray = array( + 'metadata-set' => 'adfs-idp-remote', + 'entityid' => $idpentityid, + 'SingleSignOnService' => array(0 => array( + 'Binding' => SAML2_Const::BINDING_HTTP_REDIRECT, + 'Location' => $adfs_service_location)), + 'SingleLogoutService' => array(0 => array( + 'Binding' => SAML2_Const::BINDING_HTTP_REDIRECT, + 'Location' => $adfs_service_location)), + ); + + if (count($keys) === 1) { + $metaArray['certData'] = $keys[0]['X509Certificate']; + } else { + $metaArray['keys'] = $keys; + } + + $metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'); + + if ($idpmeta->hasValue('OrganizationName')) { + $metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName'); + $metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']); + + if (!$idpmeta->hasValue('OrganizationURL')) { + throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.'); + } + $metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL'); + } + + if ($idpmeta->hasValue('scope')) { + $metaArray['scope'] = $idpmeta->getArray('scope'); + } + + if ($idpmeta->hasValue('EntityAttributes')) { + $metaArray['EntityAttributes'] = $idpmeta->getArray('EntityAttributes'); + } + + if ($idpmeta->hasValue('UIInfo')) { + $metaArray['UIInfo'] = $idpmeta->getArray('UIInfo'); + } + + if ($idpmeta->hasValue('DiscoHints')) { + $metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints'); + } + + if ($idpmeta->hasValue('RegistrationInfo')) { + $metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo'); + } + + $metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';'; + + $metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid); + $metaBuilder->addSecurityTokenServiceType($metaArray); + $metaBuilder->addOrganizationInfo($metaArray); + $technicalContactEmail = $config->getString('technicalcontact_email', NULL); + if ($technicalContactEmail && $technicalContactEmail !== 'na@example.org') { + $metaBuilder->addContact('technical', array( + 'emailAddress' => $technicalContactEmail, + 'name' => $config->getString('technicalcontact_name', NULL), + )); + } + $metaxml = explode("\n", $metaBuilder->getEntityDescriptorText()); + unset($metaxml[0]); + $metaxml = implode("\n", $metaxml); + + /* Sign the metadata if enabled. */ + $metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP'); + + if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') { + $defaultidp = $config->getString('default-adfs-idp', NULL); + + $t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin'); + + $t->data['available_certs'] = $availableCerts; + $t->data['header'] = 'adfs-idp'; + $t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery(); + $t->data['metadata'] = htmlspecialchars($metaxml); + $t->data['metadataflat'] = htmlspecialchars($metaflat); + $t->data['defaultidp'] = $defaultidp; + $t->show(); + + } else { + + header('Content-Type: application/xml'); + + echo $metaxml; + exit(0); + + } + + + +} catch(Exception $exception) { + + throw new SimpleSAML_Error_Error('METADATA', $exception); + +} + diff --git a/modules/core/templates/frontpage_federation.tpl.php b/modules/core/templates/frontpage_federation.tpl.php index afe93b08..243aa4de 100644 --- a/modules/core/templates/frontpage_federation.tpl.php +++ b/modules/core/templates/frontpage_federation.tpl.php @@ -42,6 +42,10 @@ function mtype($set) { case 'shib13-sp-hosted': return '{admin:metadata_shib13-sp}'; case 'shib13-idp-remote': return '{admin:metadata_shib13-idp}'; case 'shib13-idp-hosted': return '{admin:metadata_shib13-idp}'; + case 'adfs-sp-remote'; return '{admin:metadata_adfs-sp}'; + case 'adfs-sp-hosted'; return '{admin:metadata_adfs-sp}'; + case 'adfs-idp-remote'; return '{admin:metadata_adfs-idp}'; + case 'adfs-idp-hosted'; return '{admin:metadata_adfs-idp}'; } } diff --git a/modules/core/www/frontpage_federation.php b/modules/core/www/frontpage_federation.php index addf765d..072ad6c5 100644 --- a/modules/core/www/frontpage_federation.php +++ b/modules/core/www/frontpage_federation.php @@ -79,13 +79,15 @@ if ($config->getBoolean('enable.saml20-sp', TRUE) === true) { try { $metaentries['hosted']['saml20-sp'] = $metadata->getMetaDataCurrent('saml20-sp-hosted'); $metaentries['hosted']['saml20-sp']['deprecated'] = TRUE; - $metaentries['hosted']['saml20-sp']['metadata-url'] = '/' . $config->getBaseURL() . 'saml2/sp/metadata.php?output=xhtml'; + $metaentries['hosted']['saml20-sp']['metadata-url'] = '/' . $config->getBaseURL() . + 'saml2/sp/metadata.php?output=xhtml'; } catch(Exception $e) {} } if ($config->getBoolean('enable.saml20-idp', FALSE) === true) { try { $metaentries['hosted']['saml20-idp'] = $metadata->getMetaDataCurrent('saml20-idp-hosted'); - $metaentries['hosted']['saml20-idp']['metadata-url'] = '/' . $config->getBaseURL() . 'saml2/idp/metadata.php?output=xhtml'; + $metaentries['hosted']['saml20-idp']['metadata-url'] = '/' . $config->getBaseURL() . + 'saml2/idp/metadata.php?output=xhtml'; if ($isadmin) $metaentries['remote']['saml20-sp-remote'] = $metadata->getList('saml20-sp-remote'); } catch(Exception $e) {} @@ -94,17 +96,28 @@ if ($config->getBoolean('enable.shib13-sp', FALSE) === true) { try { $metaentries['hosted']['shib13-sp'] = $metadata->getMetaDataCurrent('shib13-sp-hosted'); $metaentries['hosted']['shib13-sp']['deprecated'] = TRUE; - $metaentries['hosted']['shib13-sp']['metadata-url'] = '/' . $config->getBaseURL() . 'shib13/sp/metadata.php?output=xhtml'; + $metaentries['hosted']['shib13-sp']['metadata-url'] = '/' . $config->getBaseURL() . + 'shib13/sp/metadata.php?output=xhtml'; } catch(Exception $e) {} } if ($config->getBoolean('enable.shib13-idp', FALSE) === true) { try { $metaentries['hosted']['shib13-idp'] = $metadata->getMetaDataCurrent('shib13-idp-hosted'); - $metaentries['hosted']['shib13-idp']['metadata-url'] = '/' . $config->getBaseURL() . 'shib13/idp/metadata.php?output=xhtml'; + $metaentries['hosted']['shib13-idp']['metadata-url'] = '/' . $config->getBaseURL() . + 'shib13/idp/metadata.php?output=xhtml'; if ($isadmin) $metaentries['remote']['shib13-sp-remote'] = $metadata->getList('shib13-sp-remote'); } catch(Exception $e) {} } +if ($config->getBoolean('enable.adfs-idp', FALSE) === true) { + try { + $metaentries['hosted']['adfs-idp'] = $metadata->getMetaDataCurrent('adfs-idp-hosted'); + $metaentries['hosted']['adfs-idp']['metadata-url'] = SimpleSAML_Module::getModuleURL('adfs/idp/metadata.php', + array('output' => 'xhtml')); + if ($isadmin) + $metaentries['remote']['adfs-sp-remote'] = $metadata->getList('adfs-sp-remote'); + } catch(Exception $e) {} +}