* saml2.inc.php:
  - add a relaystate parameter to sso functions
* saml_common.inc.php:
  - add a relaystate parameter to sso functions
  - complete error handling
* endpoints.inc.php:
  - extract query string
  - detect HTTP_METHOD
  - block endpoints from bad methods
This commit is contained in:
parent
c0aba95c76
commit
2183d6b9af
@ -27,13 +27,13 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
to create a new federation if a persistent
|
||||
one is asked for federate = TRUE.
|
||||
*/
|
||||
function sso($create = TRUE, $federate = TRUE, $passive = FALSE) {
|
||||
function sso($create = TRUE, $federate = TRUE, $passive = FALSE, $relayState = null) {
|
||||
if ($federate) {
|
||||
$format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT;
|
||||
} else {
|
||||
$format = LASSO_SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT;
|
||||
}
|
||||
return $this->ssoInit(array('allowCreate' => $create, 'nameIDFormat' => $format, 'isPassive' => $passive));
|
||||
return $this->ssoInit(array('allowCreate' => $create, 'nameIDFormat' => $format, 'isPassive' => $passive, 'relayState' => $relayState));
|
||||
}
|
||||
function ssoInit($params = array())
|
||||
{
|
||||
|
@ -44,12 +44,13 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
'method' => LASSO_HTTP_METHOD_REDIRECT,
|
||||
'isConsentObtained' => FALSE,
|
||||
'forceAuthn' => FALSE,
|
||||
'relayState' => null,
|
||||
'isPassive' => FALSE);
|
||||
$params = array_merge($default_params, $params);
|
||||
extract($params);
|
||||
#lassospkit_debuglog("Params isPassive: $isPassive allowCreate: $allowCreate format: $nameIDFormat");
|
||||
$login = null;
|
||||
return parent::ssoCommon($login, $remoteID, $method, $isConsentObtained, $forceAuthn, $isPassive, array('nameIDFormat'=>$nameIDFormat, 'allowCreate' => $allowCreate));
|
||||
return parent::ssoCommon($login, $remoteID, $method, $isConsentObtained, $forceAuthn, $isPassive, $relayState, array('nameIDFormat'=>$nameIDFormat, 'allowCreate' => $allowCreate));
|
||||
}
|
||||
/** Defederation, convert to NameIdManagement protocol **/
|
||||
public function initiateFTNotification($method = LASSO_HTTP_METHOD_SOAP,$remoteID = null)
|
||||
|
|
|
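Review bot: The docblock that ends just above the new `sso()` signature (its opening lines are outside the hunk) still describes only the create/federate behaviour and says nothing about the added `$relayState` parameter; add a line such as `@param string|null $relayState opaque value carried through the authentication exchange and handed back with the response; null sends none`. In ssoInit the value reaches the local `$relayState` only through `extract($params)` after `array_merge($default_params, $params)`, so a caller-supplied `'relayState'` key is the sole source and any non-string value is left for the `is_string` check in the parent to drop; a one-line comment on the `extract` stating this would help the next reader. The `'relayState' => null` default is what keeps `$relayState` defined for the new positional argument, which is inserted before the trailing options array in the `parent::ssoCommon` call, so the two files must be deployed together.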
@ -7,15 +7,16 @@ require_once('lassospkit_generic_session.inc.php');
|
|||
* TODO: initServer();
|
||||
*/
|
||||
class LassoSPKitSAMLCommon {
|
||||
public $session;
|
||||
public $server;
|
||||
var $session;
|
||||
var $server;
|
||||
|
||||
/** Error handling */
|
||||
public $reset_status = 0;
|
||||
public $human_status = "";
|
||||
public $ret = 0;
|
||||
public $ret_str = "";
|
||||
public $exception = null;
|
||||
var $reset_status = 0;
|
||||
var $human_status = "";
|
||||
var $ret = 0;
|
||||
var $ret_str = "";
|
||||
var $exception = null;
|
||||
var $relay_state;
|
||||
|
||||
public function __construct(LassoSPKitGenericSession $session) {
|
||||
$this->session = $session;
|
||||
|
@ -107,7 +108,13 @@ class LassoSPKitSAMLCommon {
|
|||
lassospkit_errlog("artifactResolve: soapCall result empty");
|
||||
$content = "";
|
||||
}
|
||||
$retPRM = $profile->processResponseMsg($content);
|
||||
try {
|
||||
$retPRM = $profile->processResponseMsg($content);
|
||||
} catch (Exception $e) {
|
||||
lassospkit_showCode($content);
|
||||
var_dump($e);
|
||||
throw $e;
|
||||
}
|
||||
if ($retIR || $retBRM || $retPRM) {
|
||||
lassospkit_errlog("artifactResolve: retIR: $retIR retBRM: $retBRM retPRM: $retPRM");
|
||||
if ($retIR) {
|
||||
|
@ -158,7 +165,9 @@ class LassoSPKitSAMLCommon {
|
|||
$isConsentObtained,
|
||||
$forceAuthn,
|
||||
$isPassive,
|
||||
$relayState,
|
||||
$blob) {
|
||||
lassospkit_debuglog("isPassive: $isPassive");
|
||||
$login = new LassoLogin($this->server);
|
||||
$retFF = $this->findFederation($login);
|
||||
$retIAR = $login->initAuthnRequest($remoteID,$method);
|
||||
|
@ -172,6 +181,9 @@ class LassoSPKitSAMLCommon {
|
|||
} else {
|
||||
throw new Exception("SSO: Pas d'object NameIDPolicy");
|
||||
}
|
||||
if ($relayState && is_string($relayState)) {
|
||||
$request->msgRelayState = $relayState;
|
||||
}
|
||||
$retBAR = $login->buildAuthnRequestMsg();
|
||||
switch($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
|
@ -194,6 +206,7 @@ class LassoSPKitSAMLCommon {
|
|||
$method);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_POST:
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
$retPRM = $this->processResponseMsg($message);
|
||||
break;
|
||||
}
|
||||
|
@ -205,6 +218,9 @@ class LassoSPKitSAMLCommon {
|
|||
$retPRM == LASSO_LOGIN_ERROR_STATUS_NOT_SUCCESS) {
|
||||
$this->setMessage("Request denied");
|
||||
}
|
||||
if ($login->msgRelayState) {
|
||||
$this->relay_state = $login->msgRelayState;
|
||||
}
|
||||
if ($retAR || $retPRM) {
|
||||
lassospkit_errlog("ssoConsumer, retAR: $retAR retPRM: $retPRM");
|
||||
} else {
|
||||
|
@ -235,7 +251,7 @@ class LassoSPKitSAMLCommon {
|
|||
break;
|
||||
case LASSO_HTTP_METHOD_SOAP:
|
||||
$this->finishSOAPRequest($logout, $response);
|
||||
$this->processResponseSLO($logout, $response);
|
||||
$this->processResponseSLO($method, $response, $logout);
|
||||
break;
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_GET:
|
||||
case LASSO_HTTP_METHOD_ARTIFACT_POST:
|
||||
|
@ -245,11 +261,10 @@ class LassoSPKitSAMLCommon {
|
|||
}
|
||||
}
|
||||
public function processRedirectResponseSLO() {
|
||||
$logout = null;
|
||||
$this->processResponseSLO($logout, $_SERVER['QUERY_STRING']);
|
||||
$this->processResponseSLO(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);
|
||||
}
|
||||
public function processResponseSLO(&$logout, $message) {
|
||||
if (! $logout) {
|
||||
public function processResponseSLO($http_method, $message, &$logout = null) {
|
||||
if ($logout == null) {
|
||||
$logout = new LassoLogout($this->server);
|
||||
$this->findFederation($logout);
|
||||
}
|
||||
|
@ -290,7 +305,16 @@ class LassoSPKitSAMLCommon {
|
|||
$retBR = $this->finishResponse($logout, $logout->http_request_method);
|
||||
$this->session->logout();
|
||||
lassospkit_infolog("Logout request handled for nameId: " . $logout->nameID . " retPRM: $retPRM retVR: $retVR retBR: $retBR");
|
||||
return $ok;
|
||||
if ($retPRM) {
|
||||
return $retPRM;
|
||||
}
|
||||
if ($retVR) {
|
||||
return $retVR;
|
||||
}
|
||||
if ($retBR) {
|
||||
return $retBR;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
public function saveFederation(LassoProfile $profile) {
|
||||
LassoSPKitHelper::saveFederation($profile, $this->session);
|
||||
|
|
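Review bot: The early `return $retPRM;` / `return $retVR;` / `return $retBR;` chain that replaces `return $ok;` in processResponseSLO runs only after `$this->session->logout()` and the infolog have already executed, so a logout request whose processing or verification returned non-zero still ends the local session, unless a check earlier in the function, outside this hunk, returns first. processResponseSLO starts outside the hunk; the result checks should sit ahead of `$this->session->logout()` so only a request that passed every step terminates the session, and the infolog then describes the success path only. Separately, the new `catch` in the artifactResolve hunk (`@ -107,7 +108,13`) calls `var_dump($e)` and, apparently, prints `$content` via `lassospkit_showCode` before rethrowing, which sends the raw artifact response and exception internals to the client; route both through `lassospkit_errlog` instead.
```php
$retBR = $this->finishResponse($logout, $logout->http_request_method);
if ($retPRM) {
    return $retPRM;
}
if ($retVR) {
    return $retVR;
}
if ($retBR) {
    return $retBR;
}
$this->session->logout();
lassospkit_infolog("Logout request handled for nameId: " . $logout->nameID . " retPRM: $retPRM retVR: $retVR retBR: $retBR");
return 0;
```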