slo idp initiated still not working
parent
770ff3e143
commit
db0c492287
@ -62,6 +62,7 @@ function finishResponse($profileSTR, $session, $ret) {
|
|||
if (! $ret) {
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState($profileSTR));
|
||||
} else {
|
||||
LassoSPKitUtilsSession::setLastError("Erreur: $ret");
|
||||
$session->doRedirect(LassoSPKitUtilsSession::getRelayState('error'));
|
||||
}
|
||||
}
|
||||
|
@ -105,7 +106,7 @@ function ssoAssertionConsumer() {
|
|||
function slo() {
|
||||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$method = LASSO_HTTP_METHOD_REDIRECT;
|
||||
$method = LASSO_HTTP_METHOD_SOAP;
|
||||
$ret = $saml2->initiateSLO($method);
|
||||
$headers = headers_list();
|
||||
finishRequest($method, 'slo', $session, $ret);
|
||||
|
@ -113,9 +114,13 @@ function slo() {
|
|||
function sloSoap() {
|
||||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
try {
|
||||
if ($saml2->processSOAPRequestSLO() == 0) {
|
||||
lassospkit_debuglog("SLO SOAP Request handler: fatal error");
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
lassospkit_debuglog("Problem in $e");
|
||||
}
|
||||
}
|
||||
function sloRedirect() {
|
||||
}
|
||||
|
@ -128,7 +133,7 @@ function sloResponse() {
|
|||
function defederate() {
|
||||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$method = LASSO_HTTP_METHOD_REDIRECT;
|
||||
$method = LASSO_HTTP_METHOD_SOAP;
|
||||
$ret = $saml2->initiateFTNotification($method);
|
||||
finishRequest($method, 'defederation', $session, $ret);
|
||||
LassoSPKitUtilsSession::setRelayState('nidmanagement',LassoSPKitUtilsSession::getRelayState('defederation'));
|
||||
|
@ -144,9 +149,8 @@ function nidManagementRedirect() {
|
|||
function nidManagementResponse() {
|
||||
$session = getSession();
|
||||
$saml2 = new LassoSPKitSAML2($session);
|
||||
$method = LASSO_HTTP_METHOD_REDIRECT;
|
||||
$ret = $saml2->processRedirectResponseNameIdManagement();
|
||||
finishResponse('defederation', $session, $ret);
|
||||
finishResponse('nidmanagement', $session, $ret);
|
||||
}
|
||||
function metadata() {
|
||||
$datadir = LassoSPKitHelper::getMetadataDir(LASSO_PROTOCOL_SAML_2_0);
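Review bot: In sloSoap (L73–L91, the @ -113 hunk) the new try/catch only writes to the debug log, so when processSOAPRequestSLO throws — the helper's findFederation raises LassoProfileFederationNotFoundError or LassoProfileNameIdentifierNotFoundError — the IdP receives neither a SOAP response nor an error status, and the `== 0` branch is never reached either. The SOAP binding needs an answer on every path; at minimum the catch should signal failure before returning, e.g. `header('HTTP/1.1 500 Internal Server Error');` after the existing debug line, and the `== 0` branch should do the same rather than only log. `lassospkit_debuglog("Problem in $e");` interpolates the whole exception, trace included; `$e->getMessage()` is usually enough for a log line. In slo() (the @ -105 hunk), `$headers = headers_list();` is assigned and never used.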
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
<?php
|
||||
session_start();
|
||||
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
require_once('spkitlasso/include/lassospkit_public_api.inc.php');
|
||||
require_once('spkitlasso/include/lassospkit_debug.inc.php');
|
||||
require_once('spkitlasso/include/lassospkit_utils.inc.php');
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
|
||||
function show($a) {
|
||||
echo "<li><a href='$a'>";
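Review bot: show() at the end of this hunk writes `$a` straight into an href attribute with no escaping, so any caller that passes a value influenced by the request yields attribute injection; use `echo "<li><a href='" . htmlspecialchars($a, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";`. The function body and its callers continue outside the hunk, so whether an untrusted value ever reaches it cannot be confirmed here. Moving the XML prolog echo after the require_once lines is fine, since session_start() already runs before any output.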
|
||||
|
|
|
@ -6,7 +6,7 @@ require_once('lassospkit_file.inc.php');
|
|||
require_once('lassospkit_config.inc.php');
|
||||
require_once('lassospkit_generic_session.inc.php');
|
||||
|
||||
class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
|
||||
class LassoSPKitAutoPersistentSession extends LassoSPKitDummySession {
|
||||
private $storage;
|
||||
function __construct() {
|
||||
$storage_class = "LassoSPKit" . LassoSPKitConfig::get('storage') . "Store";
|
||||
|
@ -16,25 +16,26 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
|
|||
}
|
||||
}
|
||||
function findFederation($nameID) {
|
||||
lassospkit_debuglog("looking for session for $nameID");
|
||||
if (! $nameID) {
|
||||
$nameID = array_pop(LassoSPKitUtilsSession::getNameID());
|
||||
}
|
||||
$federation = $this->storage->get($nameID);
|
||||
if ($federation == null) {
|
||||
return 0;
|
||||
}
|
||||
$blob = $this->storage->get($nameID);
|
||||
if ($blob == null) {
|
||||
return 0;
|
||||
}
|
||||
return $this->explodeFederationBlob($blob);
|
||||
$this->explodeFederation($federation);
|
||||
return 1;
|
||||
}
|
||||
function saveFederation() {
|
||||
$nameIDs = $this->getNameIDs();
|
||||
$firstID = array_pop($nameIDs);
|
||||
if ($firstID == null) {
|
||||
throw new Exception("save federation has no nameIDs to create keys");
|
||||
}
|
||||
$blob = $this->getFederationBlob();
|
||||
$this->storage->set($firstID, $blob);
|
||||
foreach ($nameIDs as $otherID) {
|
||||
$this->storage->alias($firstID, $otherID);
|
||||
if ($firstID) {
|
||||
$federation = $this->getFederationArray();
|
||||
$this->storage->set($firstID, $federation);
|
||||
foreach ($nameIDs as $otherID) {
|
||||
$this->storage->alias($firstID, $otherID);
|
||||
}
|
||||
}
|
||||
parent::saveFederation();
|
||||
}
|
||||
|
@ -44,5 +45,6 @@ class LassoSPKitAutoPersistentSession extends LassoSPKitGenericSession {
|
|||
} else {
|
||||
$this->storage->delete($oldID);
|
||||
}
|
||||
parent::saveFederation();
|
||||
}
|
||||
}
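Review bot: The new saveFederation (L322) silently skips persisting when `$firstID` is falsy, where the replaced code threw `"save federation has no nameIDs to create keys"`; a federation that was never written is hard to diagnose later, so keep the throw as an else branch: `if (! $firstID) { throw new Exception("save federation has no nameIDs to create keys"); }`. In findFederation, `$federation == null` (L259) is a loose comparison that also treats an empty array as "not found", and `array_pop(LassoSPKitUtilsSession::getNameID())` (L250, unchanged) passes a function result by reference, which PHP reports as a notice; assign to a local first. `$this->storage->set($firstID, $federation)` now hands the store a PHP array instead of a serialized string; whether the `LassoSPKit*Store` class built at L228 accepts non-string values is not visible here. Switching the base class to LassoSPKitDummySession (L219) also means `parent::saveFederation()` now copies the federation into the PHP session as well; if that is intended, a one-line comment on the class would save the next reader the lookup.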
|
||||
|
|
|
@ -7,7 +7,7 @@ class LassoSPKitDummySession extends LassoSPKitGenericSession {
|
|||
/** Save the federation into the SESSION object */
|
||||
function saveFederation() {
|
||||
LassoSPKitUtilsSession::setFederation(
|
||||
serialize($this->getFederationBlob()));
|
||||
serialize($this->getFederationArray()));
|
||||
parent::saveFederation();
|
||||
}
|
||||
/** Use the nameID as a hint to validate the stored dumps.
|
||||
|
|
|
@ -51,7 +51,7 @@ class LassoSPKitGenericSession {
|
|||
$identity_dump = $this->getIdentityDump();
|
||||
return LassoSPKitHelper::getNameIDsFromDump($identity_dump);
|
||||
}
|
||||
function getFederationBlob() {
|
||||
function getFederationArray() {
|
||||
$userid = LassoSPKitUtilsSession::getUserID();
|
||||
return array(
|
||||
'identity'=> $this->getIdentityDump(),
|
||||
|
@ -61,11 +61,15 @@ class LassoSPKitGenericSession {
|
|||
function explodeFederationBlob($blob) {
|
||||
$federation = @unserialize($blob);
|
||||
if ($federation === FALSE) {
|
||||
$this->debug(FALSE, "Could not unserialize content of key file for key $nameID");
|
||||
lassospkit_debuglog("LassoSPKitGenericSession: cannot deserialize the federation blob");
|
||||
return 0;
|
||||
}
|
||||
$this->explodeFederation($federation);
|
||||
}
|
||||
function explodeFederation($federation) {
|
||||
$this->setSessionDump($federation['session']);
|
||||
$this->setIdentityDump($federation['identity']);
|
||||
LassoSPKitUtilsSession::setUserID($federation['userid']);
|
||||
return 1;
|
||||
}
|
||||
}
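Review bot: explodeFederationBlob (L435–L459) returns 0 on an unserialize failure but nothing on success, so a caller testing its result gets null for the good case; make the last statement `return $this->explodeFederation($federation);`. explodeFederation (L462–L477) reads `$federation['session']`, `['identity']` and `['userid']` without checking they exist, so a truncated or older stored record produces notices and null dumps instead of a clear failure; an `isset` guard returning 0 would match the existing convention. Since the blob is expected to be a plain array, `unserialize($blob, ['allowed_classes' => false])` is safer than `@unserialize($blob)` and drops the error suppression. The class starts outside the hunk.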
|
||||
|
|
|
@ -76,7 +76,7 @@ class LassoSPKitHelper {
|
|||
LassoSPKitGenericSession $session) {
|
||||
$nameID = self::profileGetNameID($profile);
|
||||
if (self::saveDumps($profile,$session)) {
|
||||
$session->saveFederation($nameID);
|
||||
$session->saveFederation();
|
||||
}
|
||||
}
|
||||
/** Contract is that if NewID is null, session should forget about
|
||||
|
@ -86,6 +86,7 @@ class LassoSPKitHelper {
|
|||
LassoSPKitGenericSession $session,
|
||||
$NewID) {
|
||||
$nameID = self::profileGetNameID($profile);
|
||||
self::saveDumps($profile,$session);
|
||||
$session->changeFederation($nameID, $NewID);
|
||||
}
|
||||
/** Try to restore the federation informations from the profile.
|
||||
|
@ -96,10 +97,13 @@ class LassoSPKitHelper {
|
|||
static function findFederation(LassoProfile $profile,
|
||||
LassoSPKitGenericSession $session) {
|
||||
$nameID = self::profileGetNameID($profile);
|
||||
lassospkit_debuglog("SLO request IDP initiated9");
|
||||
if ($session->findFederation($nameID) == 0) {
|
||||
if ($nameID) {
|
||||
lassospkit_debuglog("fed not found");
|
||||
throw new LassoProfileFederationNotFoundError();
|
||||
} else {
|
||||
lassospkit_debuglog("nameid not found");
|
||||
throw new LassoProfileNameIdentifierNotFoundError($profile->dump());
|
||||
}
|
||||
}
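Review bot: In the @ -76 hunk `$nameID = self::profileGetNameID($profile);` (L492) is now dead, since the call became `$session->saveFederation()` with no argument; drop the assignment or pass the value through. The trace lines added in findFederation carry a numeric suffix (`"SLO request IDP initiated9"` here, `"SLO request IDP initiated4"` in the common class) that reads as temporary; either remove them or make the message say what is happening, e.g. `lassospkit_debuglog("findFederation: looking up federation for nameID $nameID");`. The exception thrown at L572 carries `$profile->dump()` in its message, and the new sloSoap catch interpolates the whole exception into the debug log, so the full profile dump ends up in log files; logging only the NameID is enough to diagnose the miss.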
|
||||
|
|
|
@ -13,7 +13,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
}
|
||||
}
|
||||
/** Overloaded method to serve as callback to common SSO method. */
|
||||
protected function ssoNameIdPolicyConfig(LassoLogin $login, $blob) {
|
||||
public function ssoNameIdPolicyConfig(LassoLogin $login, $blob) {
|
||||
$request = $login->request;
|
||||
$nameidpolicy = $request->NameIDPolicy;
|
||||
$nameidpolicy->format = $blob['nameIDFormat'];
|
||||
|
@ -96,7 +96,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
}
|
||||
$ok = $ok && ! $ret = $nidmanagement->processResponseMsg($message);
|
||||
if ($ok || $ret > 0) {
|
||||
$this->saveFederation($nidmanagement);
|
||||
$this->changeFederation($nidmanagement);
|
||||
}
|
||||
if ($ret != 0) {
|
||||
$this->setRet($ret);
|
||||
|
@ -108,12 +108,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
return processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT,
|
||||
$_SERVER['QUERY_STRING']);
|
||||
}
|
||||
public function processSOAPRequestSLO() {
|
||||
$contents = $this->receiveSoapMessage();
|
||||
return processRequestSLO(LASSO_HTTP_METHOD_SOAP,
|
||||
$contents);
|
||||
}
|
||||
private function processRequestNameIdManagement($method, $message)
|
||||
public function processRequestNameIdManagement($method, $message)
|
||||
{
|
||||
lassospkit_debuglog("NameIdManagement request handling");
|
||||
$ret = 0;
|
||||
|
@ -155,4 +150,7 @@ class LassoSPKitSaml2 extends LassoSPKitSAMLCommon {
|
|||
LassoSPKitUtilsSession::setFederation(serialize($fed));
|
||||
return $profile;
|
||||
}
|
||||
function changeFederation(LassoNameIdManagement $nidmanagement) {
|
||||
LassoSPKitHelper::changeFederation($nidmanagement, $this->session, $nidmanagement->request->NewID);
|
||||
}
|
||||
}
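Review bot: `return processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);` (L643, unchanged context in the @ -108 hunk) still calls the method as a global function, which fails at runtime with an undefined-function error; this commit fixes the same mistake for processRequestSLO in LassoSPKitSAMLCommon but not here, and the line should be `return $this->processRequestNameIdManagement(LASSO_HTTP_METHOD_REDIRECT, $_SERVER['QUERY_STRING']);`. In the @ -96 hunk the guard `if ($ok || $ret > 0)` now calls changeFederation even when processResponseMsg returned a positive code; if positive codes are warnings this may be intended, but a short comment saying so would help. The enclosing methods of the first two hunks start outside the hunks.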
|
||||
|
|
|
@ -7,30 +7,30 @@ require_once('lassospkit_generic_session.inc.php');
|
|||
* TODO: initServer();
|
||||
*/
|
||||
class LassoSPKitSAMLCommon {
|
||||
protected $session;
|
||||
protected $server;
|
||||
public $session;
|
||||
public $server;
|
||||
|
||||
/** Error handling */
|
||||
protected $reset_status = 0;
|
||||
protected $human_status = "";
|
||||
protected $ret = 0;
|
||||
public $reset_status = 0;
|
||||
public $human_status = "";
|
||||
public $ret = 0;
|
||||
public $ret_str = "";
|
||||
protected $exception = null;
|
||||
public $exception = null;
|
||||
|
||||
public function __construct(LassoSPKitGenericSession $session) {
|
||||
$this->session = $session;
|
||||
}
|
||||
/* Accessors */
|
||||
/* Status is a human readable and translatable string. */
|
||||
protected function setStatus($str) {
|
||||
public function setStatus($str) {
|
||||
$this->human_status = gettext($str);
|
||||
}
|
||||
protected function getStatus() {
|
||||
public function getStatus() {
|
||||
return $this->human_status;
|
||||
}
|
||||
/* Ret is the return code from the last error returning
|
||||
lasso function. */
|
||||
protected function setRet($ret, $prefix = "") {
|
||||
public function setRet($ret, $prefix = "") {
|
||||
$this->ret = $ret;
|
||||
if ($ret != 0) {
|
||||
$this->ret_str = strError($ret);
|
||||
|
@ -39,7 +39,7 @@ class LassoSPKitSAMLCommon {
|
|||
$this->ret_str = "";
|
||||
}
|
||||
}
|
||||
protected function getRet() {
|
||||
public function getRet() {
|
||||
return $this->ret . ":" . $this->ret_str;
|
||||
}
|
||||
/** Create the server object by retrieving the configuration from
|
||||
|
@ -67,7 +67,7 @@ class LassoSPKitSAMLCommon {
|
|||
return $server;
|
||||
}
|
||||
}
|
||||
protected static function checkFile($file) {
|
||||
public static function checkFile($file) {
|
||||
if (! file_exists($file)) {
|
||||
lassospkit_debuglog("File " . $file . " is absent, can't construct server object");
|
||||
return 0;
|
||||
|
@ -75,20 +75,26 @@ class LassoSPKitSAMLCommon {
|
|||
return 1;
|
||||
}
|
||||
/*** Helper functions ***/
|
||||
protected function ssoNameIdPolicyConfig($blob) {
|
||||
public function ssoNameIdPolicyConfig($blob) {
|
||||
throw new Exception("Must be overloaded!!");
|
||||
}
|
||||
/** Helper function to do redirects. */
|
||||
protected function doRedirect(LassoProfile $profile) {
|
||||
public function doRedirect(LassoProfile $profile) {
|
||||
$this->session->doRedirect($profile->msgUrl);
|
||||
}
|
||||
/** Return a normal HTTP response, for SOAP Response binding */
|
||||
protected function doResponse(LassoProfile $profile) {
|
||||
public function doResponse(LassoProfile $profile) {
|
||||
$this->session->doResponse('text/xml', $profile->msgBody);
|
||||
}
|
||||
/** Read a soap message from stdin */
|
||||
protected function receiveSOAPMessage() {
|
||||
$contents = file_get_contents("php://input");
|
||||
public function receiveSOAPMessage() {
|
||||
lassospkit_debuglog("Receiving a SOAP message");
|
||||
$contents = @file_get_contents("php://input");
|
||||
if ($contents === FALSE) {
|
||||
lassospkit_debuglog("Problem Receiving a SOAP message2");
|
||||
} else {
|
||||
lassospkit_debuglog("Received a SOAP message");
|
||||
}
|
||||
return $contents;
|
||||
}
|
||||
/** Retrieve the response message associated to an artifact string,
|
||||
|
@ -96,7 +102,7 @@ class LassoSPKitSAMLCommon {
|
|||
This method makes a soap call to resolve the artifact, it is synchronous
|
||||
so can potentially take times.
|
||||
*/
|
||||
protected function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
|
||||
public function artifactResolve(LassoProfile $profile, $query, $method, &$ok, &$ret) {
|
||||
$ok = $ok && ! $ret = $profile->initRequest($query, $method);
|
||||
$ok = $ok && ! $ret = $profile->buildRequestMsg();
|
||||
$ok = $ok && $content = LassoSPKitHelper::SoapCallWithProfile($profile);
|
||||
|
@ -107,19 +113,19 @@ class LassoSPKitSAMLCommon {
|
|||
return $ok;
|
||||
}
|
||||
/** Finish a request with a redirect transport */
|
||||
protected function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
|
||||
public function finishRedirectRequest(LassoProfile $profile, &$ret, &$ok) {
|
||||
if ($ok) {
|
||||
$this->doRedirect($profile);
|
||||
}
|
||||
}
|
||||
/** Finish a request with a SOAP transport */
|
||||
protected function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
|
||||
public function finishSOAPRequest(LassoProfile $profile, &$ret, &$ok, &$response) {
|
||||
if ($ok) {
|
||||
$response = LassoSPKitHelper::SoapCallWithProfile($profile);
|
||||
}
|
||||
}
|
||||
|
||||
protected function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
|
||||
public function finishResponse(LassoProfile $profile, $method, &$ret, &$ok) {
|
||||
$ok = $ok && ! $ret = $profile->buildResponse();
|
||||
switch ($method) {
|
||||
case LASSO_HTTP_METHOD_REDIRECT:
|
||||
|
@ -139,7 +145,7 @@ class LassoSPKitSAMLCommon {
|
|||
the doRedirect method of the session object.
|
||||
Calls ssoNameIdPolicyConfig on the session object to initialize.
|
||||
*/
|
||||
protected function ssoCommon(&$login,
|
||||
public function ssoCommon(&$login,
|
||||
$remoteID,
|
||||
$method,
|
||||
$isConsentObtained,
|
||||
|
@ -258,7 +264,7 @@ class LassoSPKitSAMLCommon {
|
|||
}
|
||||
return $ok;
|
||||
}
|
||||
protected function processResponseSLO(&$logout, $message) {
|
||||
public function processResponseSLO(&$logout, $message) {
|
||||
$ret = 0;
|
||||
$ok = 1;
|
||||
lassospkit_debuglog("SLO SP initiated Response");
|
||||
|
@ -309,20 +315,25 @@ class LassoSPKitSAMLCommon {
|
|||
}
|
||||
/** IDP initiated SLO **/
|
||||
public function processRedirectRequestSLO() {
|
||||
return processRequestSLO(LASSO_HTTP_METHOD_REDIRECT,
|
||||
return $this->processRequestSLO(LASSO_HTTP_METHOD_REDIRECT,
|
||||
$_SERVER['QUERY_STRING']);
|
||||
}
|
||||
public function processSOAPRequestSLO() {
|
||||
$contents = $this->receiveSoapMessage();
|
||||
return processRequestSLO(LASSO_HTTP_METHOD_SOAP,
|
||||
return $this->processRequestSLO(LASSO_HTTP_METHOD_SOAP,
|
||||
$contents);
|
||||
}
|
||||
protected function processRequestSLO(&$method, $message) {
|
||||
lassospkit_debuglog("SLO Request handling");
|
||||
public function processRequestSLO($method, $message) {
|
||||
lassospkit_debuglog("SLO request IDP initiated");
|
||||
sleep(120);
|
||||
$ret = 0;
|
||||
$ok = $ok && $logout = new LassoLogout($this->server);
|
||||
$ok = $ok && ! $ret = $logout->processRequestMsg($content);
|
||||
$this->findFederation($logout);
|
||||
$ok = 1 && $logout = new LassoLogout($this->server);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("Cannot build logout profile");
|
||||
return;
|
||||
}
|
||||
$ok = $ok && ! $ret = $logout->processRequestMsg($message);
|
||||
$ok = $ok && $this->findFederation($logout);
|
||||
$ok = $ok && ! $ret = $logout->validateRequest();
|
||||
if ($ok) {
|
||||
if ($method == LASSO_HTTP_METHOD_ANY) {
|
||||
|
@ -330,21 +341,23 @@ class LassoSPKitSAMLCommon {
|
|||
} else {
|
||||
$ok = ($method == $logout->http_request_method);
|
||||
}
|
||||
}
|
||||
$this->finishResponse($method, $logout, $ret, $ok);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog("SLO Request handling failed ErrCode: $ret");
|
||||
$this->setStatus("Le SLO a échoué");
|
||||
$this->setRet($ret);
|
||||
} else {
|
||||
lassospkit_debuglog("SLO Request validate failed ErrCode: $ret " . strError($ret));
|
||||
}
|
||||
$this->finishResponse($logout, $method, $ret, $ok);
|
||||
if (! $ok) {
|
||||
lassospkit_debuglog($message);
|
||||
} else {
|
||||
lassospkit_debuglog("SLO request handling validated for nameid " . LassoSPKitHelper::profileGetNameID($logout));
|
||||
$this->session->logout();
|
||||
}
|
||||
return $ok;
|
||||
}
|
||||
protected function saveFederation(LassoProfile $profile) {
|
||||
public function saveFederation(LassoProfile $profile) {
|
||||
LassoSPKitHelper::saveFederation($profile, $this->session);
|
||||
}
|
||||
protected function findFederation(LassoProfile $profile) {
|
||||
public function findFederation(LassoProfile $profile) {
|
||||
lassospkit_debuglog("SLO request IDP initiated4");
|
||||
LassoSPKitHelper::findFederation($profile, $this->session);
|
||||
}
|
||||
/** Federation termination **/
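Review bot: processRequestSLO (L1183–L1298) cannot succeed as written: `$ok = $ok && $this->findFederation($logout);` (L1222) uses the return value of findFederation, which returns nothing (L1316–L1325) and signals a miss by throwing, so `$ok` is always false after that line and validateRequest is never reached. Replace it with `if ($ok) { $this->findFederation($logout); }` or make findFederation `return 1;` after the helper call. `sleep(120);` (L1189) blocks the worker for two minutes on every IdP-initiated logout request, an endpoint that accepts unauthenticated messages, and must not reach a deployment. On the failure branch the rewrite dropped `$this->setRet($ret)` and `$this->setStatus(...)` and instead logs the raw `$message` (L1280), so callers lose the Lasso error code while the full logout request (NameID and session index) lands in the debug log; keep `$this->setRet($ret);` and log `$ret` and the nameID rather than the message. The blanket protected→public change across this class and LassoSPKitSaml2 turns `$session`, `$server` and the status fields into public API; if only the cross-class calls needed it, narrowing that later would keep the surface small.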
|
||||
|
|