Support for exporting ADFS metadata + documentation for the ADFS module.
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3363 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
parent
23db5d5e3d
commit
62de96506d
|
@ -0,0 +1,14 @@
|
|||
<?php // Maps AD LDAP to Claims from http://msdn.microsoft.com/en-us/library/hh159803.aspx
|
||||
$attributemap = array(
|
||||
'c' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country',
|
||||
'givenName' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname',
|
||||
'mail' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
|
||||
'memberOf' => 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role',
|
||||
'postalcode' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode',
|
||||
'uid' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
|
||||
'sn' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname',
|
||||
'st' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince',
|
||||
'streetaddress' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress',
|
||||
'telephonenumber' => 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone',
|
||||
);
|
||||
?>
|
|
@ -68,6 +68,12 @@
|
|||
"metaover_group_metadata.shib13-idp-remote": {
|
||||
"en": "Shib 1.3 Identity Provider (Remote)"
|
||||
},
|
||||
"metaover_group_metadata.adfs-sp-remote": {
|
||||
"en": "ADFS Service Provider (Remote)"
|
||||
},
|
||||
"metaover_group_metadata.adfs-idp-hosted": {
|
||||
"en": "ADFS Identity Provider (Hosted)"
|
||||
},
|
||||
"metaover_group_metadata.wsfed-sp-hosted": {
|
||||
"en": "WS-Federation Service Provider (Hosted)"
|
||||
},
|
||||
|
@ -95,6 +101,12 @@
|
|||
"metadata_shib13-idp": {
|
||||
"en": "Shib 1.3 IdP Metadata"
|
||||
},
|
||||
"metadata_adfs-sp": {
|
||||
"en": "ADFS SP Metadata"
|
||||
},
|
||||
"metadata_adfs-idp": {
|
||||
"en": "ADFS IdP Metadata"
|
||||
},
|
||||
"metadata_intro": {
|
||||
"en": "Here is the metadata that simpleSAMLphp has generated for you. You may send this metadata document to trusted partners to setup a trusted federation."
|
||||
},
|
||||
|
|
|
@ -834,6 +834,68 @@
|
|||
"ro": "Furnizor de identitate Shib 1.3 (distant)",
|
||||
"ru": "\u041f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 Shib 1.3 (\u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)"
|
||||
},
|
||||
"metaover_group_metadata.adfs-sp-remote": {
|
||||
"no": "ADFS Tjenesteleverand\u00f8r (ekstern)",
|
||||
"nn": "ADFS Service Provider (Remote)",
|
||||
"sv": "ADFS Service Provider (Fj\u00e4rr)",
|
||||
"es": "Proveedor de Servicio ADFS (Remoto)",
|
||||
"nl": "ADFS Service Provider (Remote)",
|
||||
"sl": "ADFS SP (Oddaljeni)",
|
||||
"da": "ADFS tjenesteudbyder (remote)",
|
||||
"hr": "ADFS davatelj usluge (udaljeni)",
|
||||
"hu": "ADFS alkalmaz\u00e1sszolg\u00e1ltat\u00f3 (t\u00e1voli)",
|
||||
"pt-br": "ADFS Service Provider (Remoto)",
|
||||
"pt": "Fornecedor de servi\u00e7o (SP) ADFS (Remoto)",
|
||||
"pl": "ADFS Dostawca Serwisu (Zdalny)",
|
||||
"cs": "SAML 2.O Service Provider (Remote - vzd\u00e1len\u00fd)",
|
||||
"tr": "ADFS Servis Sa\u011flay\u0131c\u0131 (Uzak sistemde sunulan)",
|
||||
"de": "ADFS Service Provider (entfernt)",
|
||||
"fr": "Fournisseur de service ADFS distant",
|
||||
"it": "ADFS Service Provider (Remoto)",
|
||||
"ja": "ADFS\u30b5\u30fc\u30d3\u30b9\u30d7\u30ed\u30d0\u30a4\u30c0(\u30ea\u30e2\u30fc\u30c8)",
|
||||
"lt": "ADFS Paslaugos teik\u0117jas (nutol\u0119s)",
|
||||
"zh-tw": "ADFS \u670d\u52d9\u63d0\u4f9b\u8005(\u9060\u7aef)",
|
||||
"et": "ADFS teenusepakkuja (kaug)",
|
||||
"he": "\u05e1\u05e4\u05e7 \u05e9\u05d9\u05e8\u05d5\u05ea \u05de\u05e8\u05d5\u05d7\u05e7 \u05de\u05e1\u05d5\u05d2 ADFS",
|
||||
"zh": "ADFS \u670d\u52a1\u63d0\u4f9b\u8005 (\u8fdc\u7a0b)",
|
||||
"ar": "\u0645\u0642\u062f\u0645 \u062e\u062f\u0645\u0629 ADFS \u0627\u0644\u0628\u0639\u064a\u062f",
|
||||
"lv": "ADFS servisa pieg\u0101d\u0101t\u0101js (att\u0101lin\u0101ts)",
|
||||
"id": "Service Provider ADFS (Remote)",
|
||||
"sr": "ADFS Davalac Servisa (udaljeni)",
|
||||
"ro": "Furnizor de servicii ADFS (distant)",
|
||||
"ru": "\u0421\u0435\u0440\u0432\u0438\u0441 \u043f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 ADFS (\u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)"
|
||||
},
|
||||
"metaover_group_metadata.adfs-idp-hosted": {
|
||||
"no": "ADFS Identitetsleverand\u00f8r (ekstern)",
|
||||
"nn": "ADFS Identity Provider (Hosted)",
|
||||
"sv": "ADFS Identity Provider (V\u00e4rd)",
|
||||
"es": "Proveedor de Identidad ADFS (Anfitri\u00f3n)",
|
||||
"nl": "ADFS Identity Provider (Hosted)",
|
||||
"sl": "ADFS IdP (Lokalni)",
|
||||
"da": "ADFS identitetsudbyder (hosted)",
|
||||
"hr": "ADFS autentifikacijski servis (lokalni)",
|
||||
"hu": "ADFS szem\u00e9lyazonoss\u00e1g-szolg\u00e1ltat\u00f3 (helyi)",
|
||||
"pt-br": "ADFS Identity Provider (Local)",
|
||||
"pt": "Fornecedor de identidade (IdP) ADFS (Local)",
|
||||
"pl": "ADFS Dostawca To\u017csamo\u015bci (Lokalny)",
|
||||
"cs": "ADFS Identity Provider (Hosted - lok\u00e1ln\u00ed)",
|
||||
"tr": "ADFS Kimlik Sa\u011flay\u0131c\u0131 (Bu sistemde sunulan)",
|
||||
"de": "ADFS Identity Provider (gehosted)",
|
||||
"fr": "Fournisseur d'identit\u00e9 ADFS local",
|
||||
"it": "SAML 2.o Identity Provider (Hosted)",
|
||||
"ja": "ADFS\u30a2\u30a4\u30c7\u30f3\u30c6\u30a3\u30c6\u30a3\u30d7\u30ed\u30d0\u30a4\u30c0(\u30db\u30b9\u30c8)",
|
||||
"lt": "ADFS Tapatybi\u0173 teik\u0117jas (vietinis)",
|
||||
"zh-tw": "ADFS \u9a57\u8b49\u63d0\u4f9b\u8005(\u4e3b\u6a5f)",
|
||||
"et": "ADFS identiteedipakkuja (hostitud)",
|
||||
"he": "\u05e1\u05e4\u05e7 \u05d6\u05d4\u05d5\u05ea \u05de\u05e7\u05d5\u05de\u05d9 \u05de\u05e1\u05d5\u05d2 ADFS",
|
||||
"zh": "ADFS \u8eab\u4efd\u63d0\u4f9b\u8005\uff08\u672c\u5730\uff09",
|
||||
"ar": "\u0645\u0642\u062f\u0645 \u0647\u0648\u064a\u0629 ADFS \u0627\u0644\u0645\u0633\u062a\u0636\u0627\u0641",
|
||||
"lv": "ADFS identit\u0101tes pieg\u0101d\u0101t\u0101js (host\u0113ts)",
|
||||
"id": "Identity Provider ADFS (Hosted)",
|
||||
"sr": "ADFS Davalac Identiteta (lokalni)",
|
||||
"ro": "Furnizor de identitate ADFS (g\u0103zduit)",
|
||||
"ru": "\u041f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 ADFS (\u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0435 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u0438\u0435)"
|
||||
},
|
||||
"metaover_group_metadata.wsfed-sp-hosted": {
|
||||
"no": "WS-Federation tjenesteleverand\u00f8r (intern)",
|
||||
"nn": "WS-Federation Service Provider (Hosted)",
|
||||
|
@ -1144,7 +1206,69 @@
|
|||
"ro": "Metadate furnizor de identitate (IdP) Shib 1.3",
|
||||
"ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 Shib 1.3 IdP"
|
||||
},
|
||||
"metadata_intro": {
|
||||
"metadata_adfs-sp": {
|
||||
"no": "ADFS SP metadata",
|
||||
"nn": "ADFS SP Metadata",
|
||||
"sv": "ADFS SP Metadata",
|
||||
"es": "Metadatos SP ADFS",
|
||||
"nl": "ADFS SP Metadata",
|
||||
"sl": "ADFS SP Metapodatki",
|
||||
"da": "Shibboleth 1.3 tjenesteudbyders metadata",
|
||||
"hr": "ADFS metapodaci o davatelju usluge",
|
||||
"hu": "ADFS SP Metaadatok",
|
||||
"pt-br": "ADFS SP Metadata",
|
||||
"pt": "Metadados ADFS SP",
|
||||
"pl": "ADFS SP - Metadane",
|
||||
"cs": "ADFS SP Metadata",
|
||||
"tr": "ADFS SP \u00dcstveri (Metadata)",
|
||||
"de": "ADFS SP Metadaten",
|
||||
"fr": "M\u00e9tadonn\u00e9es de SP ADFS",
|
||||
"it": "Metadati ADFS SP",
|
||||
"ja": "ADFS SP\u30e1\u30bf\u30c7\u30fc\u30bf",
|
||||
"lt": "ADFS SP Metaduomenys",
|
||||
"zh-tw": "ADFS SP \u8a6e\u91cb\u8cc7\u6599",
|
||||
"et": "ADFS SP metaandmed",
|
||||
"he": "\u05de\u05d8\u05d0-\u05de\u05d9\u05d3\u05e2 \u05e9\u05dc \u05e1\u05e9 \u05de\u05e1\u05d5\u05d2 ADFS",
|
||||
"zh": "ADFS SP \u5143\u4fe1\u606f",
|
||||
"ar": "\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644ADFS SP",
|
||||
"lv": "ADFS SP metadati",
|
||||
"id": "Metadata ADFS SP",
|
||||
"sr": "ADFS SP metapodaci",
|
||||
"ro": "Metadate furnizor de servicii (SP) ADFS",
|
||||
"ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 ADFS SP"
|
||||
},
|
||||
"metadata_adfs-idp": {
|
||||
"no": "ADFS IdP metadata",
|
||||
"nn": "ADFS IdP Metadata",
|
||||
"sv": "ADFS IdP Metadata",
|
||||
"es": "Metadatos IdP ADFS",
|
||||
"nl": "ADFS IdP Metadata",
|
||||
"sl": "ADFS IdP Metapodatki",
|
||||
"da": "ADFS identitetsudbyders metadata",
|
||||
"hr": "ADFS metapodaci o autentifikacijskom servisu",
|
||||
"hu": "ADFS IdP Metaadatok",
|
||||
"pt-br": "ADFS IdP Metadata",
|
||||
"pt": "Metadados ADFS IdP",
|
||||
"pl": "ADFS IdP - Metadane",
|
||||
"cs": "ADFS IdP Metadata",
|
||||
"tr": "ADFS IdP \u00dcstveri (Metadata)",
|
||||
"de": "ADFS IdP Metadaten",
|
||||
"fr": "M\u00e9tadonn\u00e9es d'IdP ADFS",
|
||||
"it": "Metadati ADFS IdP",
|
||||
"ja": "ADFS IdP\u30e1\u30bf\u30c7\u30fc\u30bf",
|
||||
"lt": "ADFS IdP Metaduomenys",
|
||||
"zh-tw": "ADFS IdP \u8a6e\u91cb\u8cc7\u6599",
|
||||
"et": "ADFS IdP metaandmed",
|
||||
"he": "\u05de\u05d8\u05d0-\u05de\u05d9\u05d3\u05e2 \u05e9\u05dc \u05e1\u05d6 \u05de\u05e1\u05d5\u05d2 ADFS ",
|
||||
"zh": "ADFS IdP \u5143\u4fe1\u606f",
|
||||
"ar": "\u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0635\u0641\u064a\u0629 \u0644 ADFS IdP",
|
||||
"lv": "ADFS IdP metadati",
|
||||
"id": "Metadata ADFS IdP",
|
||||
"sr": "ADFS IdP metapodaci",
|
||||
"ro": "Metadate furnizor de identitate (IdP) ADFS",
|
||||
"ru": "\u041c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 ADFS IdP"
|
||||
},
|
||||
"metadata_intro": {
|
||||
"no": "Her er metadata som simpleSAMLphp har generert for deg. Du m\u00e5 utveksle metadata med de partene du stoler p\u00e5 for \u00e5 sette opp en f\u00f8derasjon.",
|
||||
"nn": "Her er metadata generert av simpleSAMLphp for deg. Du kan senda dette metadata-dokumentet til dine partnarar, slik at de kan setja opp ein tillitsf\u00f8derasjon.",
|
||||
"sv": "simpleSAMLphp har har genererat f\u00f6ljande metadata. F\u00f6r att s\u00e4tta upp en betrodd federation kan du skicka metadata till de parter du har f\u00f6rtroende f\u00f6r.",
|
||||
|
|
|
@ -85,6 +85,20 @@ class SimpleSAML_Metadata_SAMLBuilder {
|
|||
return $xml->ownerDocument->saveXML();
|
||||
}
|
||||
|
||||
public function addSecurityTokenServiceType($metadata) {
|
||||
assert('is_array($metadata)');
|
||||
assert('isset($metadata["entityid"])');
|
||||
assert('isset($metadata["metadata-set"])');
|
||||
|
||||
$metadata = SimpleSAML_Configuration::loadFromArray($metadata, $metadata['entityid']);
|
||||
$defaultEndpoint = $metadata->getDefaultEndpoint('SingleSignOnService');
|
||||
$e = new sspmod_adfs_SAML2_XML_fed_SecurityTokenServiceType();
|
||||
$e->Location = $defaultEndpoint['Location'];
|
||||
|
||||
$this->addCertificate($e, $metadata);
|
||||
|
||||
$this->entityDescriptor->RoleDescriptor[] = $e;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param SimpleSAML_Configuration $metadata Metadata.
|
||||
|
|
|
@ -5,6 +5,10 @@ $metadata['__DYNAMIC:1__'] = array(
|
|||
'privatekey' => 'server.pem',
|
||||
'certificate' => 'server.crt',
|
||||
'auth' => 'example-userpass',
|
||||
'authproc' => array(
|
||||
// Convert LDAP names to WS-Fed Claims.
|
||||
100 => array('class' => 'core:AttributeMap', 'name2claim'),
|
||||
),
|
||||
);
|
||||
|
||||
?>
|
||||
|
|
|
@ -0,0 +1,83 @@
|
|||
Enables AD FS IdP
|
||||
Compatible with VS 2012 Identity and Access
|
||||
|
||||
Basic Setup Companion based on:
|
||||
http://simplesamlphp.org/docs/stable/simplesamlphp-idp
|
||||
|
||||
1. Enabling the Identity Provider functionality
|
||||
|
||||
In config/config.php, the option will be:
|
||||
'enable.adfs-idp' => true
|
||||
|
||||
2. Authentication module
|
||||
|
||||
Follow as is.
|
||||
|
||||
3. Configuring the authentication module
|
||||
|
||||
In addition to enabling authentication module, enable adfs module by creating a file named 'enable' in modules/adfs
|
||||
|
||||
In unix from installation directory:
|
||||
touch modules/adfs/enable
|
||||
|
||||
4. Configuring the IdP
|
||||
|
||||
ADFS IdP is configured by metadata stored in /metadata/adfs-idp-hosted.php and metadata/adfs-sp-remote.php
|
||||
|
||||
If they are not present, copy them from /metadata-templates to the metadata
|
||||
directory.
|
||||
|
||||
5. Using the uri NameFormat on attributes
|
||||
|
||||
WS-FED likes a few parameters to be very specifically named. This is
|
||||
especially true if .net clients will be treating this as a Microsoft ADFS
|
||||
IdP.
|
||||
|
||||
The recommended settings for /metadata/adfs-idp-hosted.php is:
|
||||
|
||||
'authproc' => array(
|
||||
// Convert LDAP names to WS-Fed Claims.
|
||||
100 => array('class' => 'core:AttributeMap', 'name2claim'),
|
||||
),
|
||||
|
||||
6. Adding SPs to the IdP
|
||||
|
||||
The minimal configuration for /metadata/adfs-sp-remote.php is:
|
||||
|
||||
$metadata['urn:federation:localhost'] = array(
|
||||
prp' => 'https://localhost/adfs/ls/',
|
||||
);
|
||||
|
||||
7. Creating a SSL self signed certificate
|
||||
|
||||
Follow as is.
|
||||
|
||||
8. Adding this IdP to other SPs
|
||||
|
||||
Metadata should be available from /module.php/adfs/idp/metadata.php
|
||||
|
||||
9. This module tries its best to emulate a Microsoft ADFS endpoint, and as
|
||||
such, it is simplest to test using a .net client.
|
||||
|
||||
To build the test client, follow the tutorial at:
|
||||
http://code.msdn.microsoft.com/Claims-Aware-Web-d94a89ca
|
||||
|
||||
This will build a .net app that uses a dev machine running STS (their name for
|
||||
an IdP).
|
||||
|
||||
To point to your SimpleSamlPHP ADFS IdP, in VS 2012:
|
||||
|
||||
a. Right-click the project in Solution Explorer and select the Identity and
|
||||
Access option.
|
||||
|
||||
b. In the Identity and Access Window, Select Use a business identity
|
||||
provider.
|
||||
|
||||
c. Under “Enter the path to the STS metadata document” enter the url you have
|
||||
|
||||
from step 8. Something like
|
||||
https://.../module.php/adfs/idp/metadata.php
|
||||
|
||||
d. Click Ok
|
||||
|
||||
For more information in regards to .NET: http://msdn.microsoft.com/en-us/library/hh377151.aspx
|
|
@ -0,0 +1,13 @@
|
|||
<?php
|
||||
/**
|
||||
* Class representing fed Constants.
|
||||
*
|
||||
* @package simpleSAMLphp
|
||||
* @version $Id$
|
||||
*/
|
||||
class sspmod_adfs_SAML2_XML_fed_Const {
|
||||
/**
|
||||
* The namespace for WS-FED protocol.
|
||||
*/
|
||||
const NS_FED = 'http://docs.oasis-open.org/wsfed/federation/200706';
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
<?php
|
||||
/**
|
||||
* Class representing fed Endpoint.
|
||||
*
|
||||
* @package simpleSAMLphp
|
||||
* @version $Id$
|
||||
*/
|
||||
class sspmod_adfs_SAML2_XML_fed_Endpoint {
|
||||
/**
|
||||
* Add this endpoint to an XML element.
|
||||
*
|
||||
* @param DOMElement $parent The element we should append this endpoint to.
|
||||
* @param string $name The name of the element we should create.
|
||||
*/
|
||||
public static function appendXML(DOMElement $parent, $name, $address) {
|
||||
assert('is_string($name)');
|
||||
assert('is_string($address)');
|
||||
|
||||
$e = $parent->ownerDocument->createElement($name);
|
||||
$parent->appendChild($e);
|
||||
|
||||
$endpoint = $parent->ownerDocument->createElement('EndpointReference');
|
||||
$endpoint->setAttribute('xmlns', 'http://www.w3.org/2005/08/addressing');
|
||||
$e->appendChild($endpoint);
|
||||
|
||||
$address = $parent->ownerDocument->createElement('Address', $address);
|
||||
$endpoint->appendChild($address);
|
||||
|
||||
return $e;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,56 @@
|
|||
<?php
|
||||
/**
|
||||
* Class representing SecurityTokenServiceType RoleDescriptor.
|
||||
*
|
||||
* @package simpleSAMLphp
|
||||
* @version $Id$
|
||||
*/
|
||||
class sspmod_adfs_SAML2_XML_fed_SecurityTokenServiceType extends SAML2_XML_md_RoleDescriptor {
|
||||
|
||||
/**
|
||||
* List of supported protocols.
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
public $protocolSupportEnumeration = array(sspmod_adfs_SAML2_XML_fed_Const::NS_FED);
|
||||
|
||||
/**
|
||||
* The Location of Services.
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
public $Location;
|
||||
|
||||
/**
|
||||
* Initialize a SecurityTokenServiceType element.
|
||||
*
|
||||
* @param DOMElement|NULL $xml The XML element we should load.
|
||||
*/
|
||||
public function __construct(DOMElement $xml = NULL) {
|
||||
|
||||
parent::__construct('RoleDescriptor', $xml);
|
||||
|
||||
if ($xml === NULL) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert this SecurityTokenServiceType RoleDescriptor to XML.
|
||||
*
|
||||
* @param DOMElement $parent The element we should add this contact to.
|
||||
* @return DOMElement The new ContactPerson-element.
|
||||
*/
|
||||
public function toXML(DOMElement $parent) {
|
||||
assert('is_string($this->Location)');
|
||||
|
||||
$e = parent::toXML($parent);
|
||||
$e->setAttributeNS('http://www.w3.org/2000/xmlns/', 'xmlns:fed', sspmod_adfs_SAML2_XML_fed_Const::NS_FED);
|
||||
$e->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', 'fed:SecurityTokenServiceType');
|
||||
sspmod_adfs_SAML2_XML_fed_TokenTypesOffered::appendXML($e);
|
||||
sspmod_adfs_SAML2_XML_fed_Endpoint::appendXML($e, 'SecurityTokenServiceEndpoint', $this->Location);
|
||||
sspmod_adfs_SAML2_XML_fed_Endpoint::appendXML($e, 'fed:PassiveRequestorEndpoint', $this->Location);
|
||||
|
||||
return $e;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
<?php
|
||||
/**
|
||||
* Class representing fed TokenTypesOffered.
|
||||
*
|
||||
* @package simpleSAMLphp
|
||||
* @version $Id$
|
||||
*/
|
||||
class sspmod_adfs_SAML2_XML_fed_TokenTypesOffered {
|
||||
/**
|
||||
* Add tokentypesoffered to an XML element.
|
||||
*
|
||||
* @param DOMElement $parent The element we should append this endpoint to.
|
||||
*/
|
||||
public static function appendXML(DOMElement $parent) {
|
||||
|
||||
$e = $parent->ownerDocument->createElementNS(sspmod_adfs_SAML2_XML_fed_Const::NS_FED, 'fed:TokenTypesOffered');
|
||||
$parent->appendChild($e);
|
||||
|
||||
$tokentype = $parent->ownerDocument->createElementNS(sspmod_adfs_SAML2_XML_fed_Const::NS_FED, 'fed:TokenType');
|
||||
$tokentype->setAttribute('Uri', 'urn:oasis:names:tc:SAML:1.0:assertion');
|
||||
$e->appendChild($tokentype);
|
||||
|
||||
return $e;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,156 @@
|
|||
<?php
|
||||
|
||||
/* Load simpleSAMLphp, configuration and metadata */
|
||||
$config = SimpleSAML_Configuration::getInstance();
|
||||
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
|
||||
|
||||
if (!$config->getBoolean('enable.adfs-idp', false))
|
||||
throw new SimpleSAML_Error_Error('NOACCESS');
|
||||
|
||||
/* Check if valid local session exists.. */
|
||||
if ($config->getBoolean('admin.protectmetadata', false)) {
|
||||
SimpleSAML_Utilities::requireAdmin();
|
||||
}
|
||||
|
||||
|
||||
try {
|
||||
$idpentityid = isset($_GET['idpentityid']) ? $_GET['idpentityid'] : $metadata->getMetaDataCurrentEntityID('adfs-idp-hosted');
|
||||
$idpmeta = $metadata->getMetaDataConfig($idpentityid, 'adfs-idp-hosted');
|
||||
|
||||
$availableCerts = array();
|
||||
|
||||
$keys = array();
|
||||
$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, FALSE, 'new_');
|
||||
if ($certInfo !== NULL) {
|
||||
$availableCerts['new_idp.crt'] = $certInfo;
|
||||
$keys[] = array(
|
||||
'type' => 'X509Certificate',
|
||||
'signing' => TRUE,
|
||||
'encryption' => TRUE,
|
||||
'X509Certificate' => $certInfo['certData'],
|
||||
);
|
||||
$hasNewCert = TRUE;
|
||||
} else {
|
||||
$hasNewCert = FALSE;
|
||||
}
|
||||
|
||||
$certInfo = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE);
|
||||
$availableCerts['idp.crt'] = $certInfo;
|
||||
$keys[] = array(
|
||||
'type' => 'X509Certificate',
|
||||
'signing' => TRUE,
|
||||
'encryption' => ($hasNewCert ? FALSE : TRUE),
|
||||
'X509Certificate' => $certInfo['certData'],
|
||||
);
|
||||
|
||||
if ($idpmeta->hasValue('https.certificate')) {
|
||||
$httpsCert = SimpleSAML_Utilities::loadPublicKey($idpmeta, TRUE, 'https.');
|
||||
assert('isset($httpsCert["certData"])');
|
||||
$availableCerts['https.crt'] = $httpsCert;
|
||||
$keys[] = array(
|
||||
'type' => 'X509Certificate',
|
||||
'signing' => TRUE,
|
||||
'encryption' => FALSE,
|
||||
'X509Certificate' => $httpsCert['certData'],
|
||||
);
|
||||
}
|
||||
|
||||
$adfs_service_location = SimpleSAML_Module::getModuleURL('adfs') . '/idp/prp.php';
|
||||
$metaArray = array(
|
||||
'metadata-set' => 'adfs-idp-remote',
|
||||
'entityid' => $idpentityid,
|
||||
'SingleSignOnService' => array(0 => array(
|
||||
'Binding' => SAML2_Const::BINDING_HTTP_REDIRECT,
|
||||
'Location' => $adfs_service_location)),
|
||||
'SingleLogoutService' => array(0 => array(
|
||||
'Binding' => SAML2_Const::BINDING_HTTP_REDIRECT,
|
||||
'Location' => $adfs_service_location)),
|
||||
);
|
||||
|
||||
if (count($keys) === 1) {
|
||||
$metaArray['certData'] = $keys[0]['X509Certificate'];
|
||||
} else {
|
||||
$metaArray['keys'] = $keys;
|
||||
}
|
||||
|
||||
$metaArray['NameIDFormat'] = $idpmeta->getString('NameIDFormat', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient');
|
||||
|
||||
if ($idpmeta->hasValue('OrganizationName')) {
|
||||
$metaArray['OrganizationName'] = $idpmeta->getLocalizedString('OrganizationName');
|
||||
$metaArray['OrganizationDisplayName'] = $idpmeta->getLocalizedString('OrganizationDisplayName', $metaArray['OrganizationName']);
|
||||
|
||||
if (!$idpmeta->hasValue('OrganizationURL')) {
|
||||
throw new SimpleSAML_Error_Exception('If OrganizationName is set, OrganizationURL must also be set.');
|
||||
}
|
||||
$metaArray['OrganizationURL'] = $idpmeta->getLocalizedString('OrganizationURL');
|
||||
}
|
||||
|
||||
if ($idpmeta->hasValue('scope')) {
|
||||
$metaArray['scope'] = $idpmeta->getArray('scope');
|
||||
}
|
||||
|
||||
if ($idpmeta->hasValue('EntityAttributes')) {
|
||||
$metaArray['EntityAttributes'] = $idpmeta->getArray('EntityAttributes');
|
||||
}
|
||||
|
||||
if ($idpmeta->hasValue('UIInfo')) {
|
||||
$metaArray['UIInfo'] = $idpmeta->getArray('UIInfo');
|
||||
}
|
||||
|
||||
if ($idpmeta->hasValue('DiscoHints')) {
|
||||
$metaArray['DiscoHints'] = $idpmeta->getArray('DiscoHints');
|
||||
}
|
||||
|
||||
if ($idpmeta->hasValue('RegistrationInfo')) {
|
||||
$metaArray['RegistrationInfo'] = $idpmeta->getArray('RegistrationInfo');
|
||||
}
|
||||
|
||||
$metaflat = '$metadata[' . var_export($idpentityid, TRUE) . '] = ' . var_export($metaArray, TRUE) . ';';
|
||||
|
||||
$metaBuilder = new SimpleSAML_Metadata_SAMLBuilder($idpentityid);
|
||||
$metaBuilder->addSecurityTokenServiceType($metaArray);
|
||||
$metaBuilder->addOrganizationInfo($metaArray);
|
||||
$technicalContactEmail = $config->getString('technicalcontact_email', NULL);
|
||||
if ($technicalContactEmail && $technicalContactEmail !== 'na@example.org') {
|
||||
$metaBuilder->addContact('technical', array(
|
||||
'emailAddress' => $technicalContactEmail,
|
||||
'name' => $config->getString('technicalcontact_name', NULL),
|
||||
));
|
||||
}
|
||||
$metaxml = explode("\n", $metaBuilder->getEntityDescriptorText());
|
||||
unset($metaxml[0]);
|
||||
$metaxml = implode("\n", $metaxml);
|
||||
|
||||
/* Sign the metadata if enabled. */
|
||||
$metaxml = SimpleSAML_Metadata_Signer::sign($metaxml, $idpmeta->toArray(), 'ADFS IdP');
|
||||
|
||||
if (array_key_exists('output', $_GET) && $_GET['output'] == 'xhtml') {
|
||||
$defaultidp = $config->getString('default-adfs-idp', NULL);
|
||||
|
||||
$t = new SimpleSAML_XHTML_Template($config, 'metadata.php', 'admin');
|
||||
|
||||
$t->data['available_certs'] = $availableCerts;
|
||||
$t->data['header'] = 'adfs-idp';
|
||||
$t->data['metaurl'] = SimpleSAML_Utilities::selfURLNoQuery();
|
||||
$t->data['metadata'] = htmlspecialchars($metaxml);
|
||||
$t->data['metadataflat'] = htmlspecialchars($metaflat);
|
||||
$t->data['defaultidp'] = $defaultidp;
|
||||
$t->show();
|
||||
|
||||
} else {
|
||||
|
||||
header('Content-Type: application/xml');
|
||||
|
||||
echo $metaxml;
|
||||
exit(0);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
} catch(Exception $exception) {
|
||||
|
||||
throw new SimpleSAML_Error_Error('METADATA', $exception);
|
||||
|
||||
}
|
||||
|
|
@ -42,6 +42,10 @@ function mtype($set) {
|
|||
case 'shib13-sp-hosted': return '{admin:metadata_shib13-sp}';
|
||||
case 'shib13-idp-remote': return '{admin:metadata_shib13-idp}';
|
||||
case 'shib13-idp-hosted': return '{admin:metadata_shib13-idp}';
|
||||
case 'adfs-sp-remote'; return '{admin:metadata_adfs-sp}';
|
||||
case 'adfs-sp-hosted'; return '{admin:metadata_adfs-sp}';
|
||||
case 'adfs-idp-remote'; return '{admin:metadata_adfs-idp}';
|
||||
case 'adfs-idp-hosted'; return '{admin:metadata_adfs-idp}';
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -79,13 +79,15 @@ if ($config->getBoolean('enable.saml20-sp', TRUE) === true) {
|
|||
try {
|
||||
$metaentries['hosted']['saml20-sp'] = $metadata->getMetaDataCurrent('saml20-sp-hosted');
|
||||
$metaentries['hosted']['saml20-sp']['deprecated'] = TRUE;
|
||||
$metaentries['hosted']['saml20-sp']['metadata-url'] = '/' . $config->getBaseURL() . 'saml2/sp/metadata.php?output=xhtml';
|
||||
$metaentries['hosted']['saml20-sp']['metadata-url'] = '/' . $config->getBaseURL() .
|
||||
'saml2/sp/metadata.php?output=xhtml';
|
||||
} catch(Exception $e) {}
|
||||
}
|
||||
if ($config->getBoolean('enable.saml20-idp', FALSE) === true) {
|
||||
try {
|
||||
$metaentries['hosted']['saml20-idp'] = $metadata->getMetaDataCurrent('saml20-idp-hosted');
|
||||
$metaentries['hosted']['saml20-idp']['metadata-url'] = '/' . $config->getBaseURL() . 'saml2/idp/metadata.php?output=xhtml';
|
||||
$metaentries['hosted']['saml20-idp']['metadata-url'] = '/' . $config->getBaseURL() .
|
||||
'saml2/idp/metadata.php?output=xhtml';
|
||||
if ($isadmin)
|
||||
$metaentries['remote']['saml20-sp-remote'] = $metadata->getList('saml20-sp-remote');
|
||||
} catch(Exception $e) {}
|
||||
|
@ -94,17 +96,28 @@ if ($config->getBoolean('enable.shib13-sp', FALSE) === true) {
|
|||
try {
|
||||
$metaentries['hosted']['shib13-sp'] = $metadata->getMetaDataCurrent('shib13-sp-hosted');
|
||||
$metaentries['hosted']['shib13-sp']['deprecated'] = TRUE;
|
||||
$metaentries['hosted']['shib13-sp']['metadata-url'] = '/' . $config->getBaseURL() . 'shib13/sp/metadata.php?output=xhtml';
|
||||
$metaentries['hosted']['shib13-sp']['metadata-url'] = '/' . $config->getBaseURL() .
|
||||
'shib13/sp/metadata.php?output=xhtml';
|
||||
} catch(Exception $e) {}
|
||||
}
|
||||
if ($config->getBoolean('enable.shib13-idp', FALSE) === true) {
|
||||
try {
|
||||
$metaentries['hosted']['shib13-idp'] = $metadata->getMetaDataCurrent('shib13-idp-hosted');
|
||||
$metaentries['hosted']['shib13-idp']['metadata-url'] = '/' . $config->getBaseURL() . 'shib13/idp/metadata.php?output=xhtml';
|
||||
$metaentries['hosted']['shib13-idp']['metadata-url'] = '/' . $config->getBaseURL() .
|
||||
'shib13/idp/metadata.php?output=xhtml';
|
||||
if ($isadmin)
|
||||
$metaentries['remote']['shib13-sp-remote'] = $metadata->getList('shib13-sp-remote');
|
||||
} catch(Exception $e) {}
|
||||
}
|
||||
if ($config->getBoolean('enable.adfs-idp', FALSE) === true) {
|
||||
try {
|
||||
$metaentries['hosted']['adfs-idp'] = $metadata->getMetaDataCurrent('adfs-idp-hosted');
|
||||
$metaentries['hosted']['adfs-idp']['metadata-url'] = SimpleSAML_Module::getModuleURL('adfs/idp/metadata.php',
|
||||
array('output' => 'xhtml'));
|
||||
if ($isadmin)
|
||||
$metaentries['remote']['adfs-sp-remote'] = $metadata->getList('adfs-sp-remote');
|
||||
} catch(Exception $e) {}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
|
Reference in New Issue