diff options
| author | Andreas Åkre Solberg <andreas.solberg@uninett.no> | 2008-03-06 16:49:54 +0000 |
|---|---|---|
| committer | Andreas Åkre Solberg <andreas.solberg@uninett.no> | 2008-03-06 16:49:54 +0000 |
| commit | f4798cc2fb8c8abeac5b2bcfda5003055f3de1ad (patch) | |
| tree | 254bcb40c5190cb257e06a1667a20c478d6fd00e | |
| parent | af7cc392cac9ba9fd87c863a5a598cd3b39bfc3e (diff) | |
| download | simplesamlphp-f4798cc2fb8c8abeac5b2bcfda5003055f3de1ad.zip simplesamlphp-f4798cc2fb8c8abeac5b2bcfda5003055f3de1ad.tar.gz simplesamlphp-f4798cc2fb8c8abeac5b2bcfda5003055f3de1ad.tar.bz2 | |
Cleaning up authentication request code, and saml 2 sp hosted metadata
git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@373 44740490-163a-0410-bde0-09ae8108e29a
| -rw-r--r-- | lib/SimpleSAML/MemcacheStore.php | 2 | ||||
| -rw-r--r-- | lib/SimpleSAML/XML/SAML20/AuthnRequest.php | 102 | ||||
| -rw-r--r-- | www/_include.php | 2 | ||||
| -rw-r--r-- | www/saml2/sp/initSSO.php | 2 |
4 files changed, 64 insertions, 44 deletions
diff --git a/lib/SimpleSAML/MemcacheStore.php b/lib/SimpleSAML/MemcacheStore.php index 485e029..90c7cd1 100644 --- a/lib/SimpleSAML/MemcacheStore.php +++ b/lib/SimpleSAML/MemcacheStore.php @@ -27,7 +27,7 @@ require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSA * have the same clock (as measured by the time()-function). Different clock * values will lead to incorrect behaviour. * - * @author Olav Morken, UNINETT AS. <andreas.solberg@uninett.no> + * @author Olav Morken, UNINETT AS. * @package simpleSAMLphp * @version $Id$ */ diff --git a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php index fa8f8db..e479227 100644 --- a/lib/SimpleSAML/XML/SAML20/AuthnRequest.php +++ b/lib/SimpleSAML/XML/SAML20/AuthnRequest.php @@ -1,13 +1,14 @@ <?php require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php'); +require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Utilities.php'); require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Metadata/MetaDataStorageHandler.php'); /** * The Shibboleth 1.3 Authentication Request. Not part of SAML 1.1, * but an extension using query paramters no XML. * - * @author Andreas �kre Solberg, UNINETT AS. <andreas.solberg@uninett.no> + * @author Andreas Aakre Solberg, UNINETT AS. <andreas.solberg@uninett.no> * @package simpleSAMLphp * @version $Id$ */ @@ -106,58 +107,79 @@ class SimpleSAML_XML_SAML20_AuthnRequest { } + /** + * Generate a new SAML 2.0 Authentication Request + * + * @param $spentityid SP Entity ID + * @param $destination SingleSignOnService endpoint + */ public function generate($spentityid, $destination) { $md = $this->metadata->getMetaData($spentityid); - $id = self::generateID(); - $issueInstant = self::generateIssueInstant(); + $id = SimpleSAML_Utilities::generateID(); + $issueInstant = SimpleSAML_Utilities::generateTimestamp(); - //$assertionConsumerServiceURL = $md['AssertionConsumerService']; $assertionConsumerServiceURL = $this->metadata->getGenerated('AssertionConsumerService', 'saml20-sp-hosted'); - $nameidformat = isset($md['NameIDFormat']) ? $md['NameIDFormat'] : 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'; - - $forceauthn = isset($md['ForceAuthn']) ? $md['ForceAuthn'] : 'false'; - - // TODO: Make an option in the metadata to allow adding a RequestedAuthnContext - $requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact"> - <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> - </samlp:RequestedAuthnContext>'; + /* + * Process the SAML 2.0 SP hosted metadata parameter: NameIDFormat + */ + $nameidformat = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'; + if (isset($md['NameIDFormat'])) { + if (!is_string($md['NameIDFormat'])) { + throw new Exception('SAML 2.0 SP hosted metadata parameter [NameIDFormat] must be a string.'); + } + $nameidformat = $md['NameIDFormat']; + } + /* + * Process the SAML 2.0 SP hosted metadata parameter: ForceAuthn + */ + $forceauthn = 'false'; + if (isset($md['ForceAuthn'])) { + if (is_bool($md['ForceAuthn'])) { + $forceauthn = ($md['ForceAuthn'] ? 'true' : 'false'); + } else { + throw new Exception('Illegal format of the ForceAuthn parameter in the SAML 2.0 SP hosted metadata for entity [' . $spentityid . ']. This value should be set to a PHP boolean value.'); + } + } + + /* + * Process the SAML 2.0 SP hosted metadata parameter: AuthnContextClassRef + */ + $requestauthncontext = ''; + if (!empty($md['AuthnContextClassRef'])) { + if (!is_string($md['AuthnContextClassRef'])) { + throw new Exception('SAML 2.0 SP hosted metadata parameter [AuthnContextClassRef] must be a string.'); + } + + $requestauthncontext = '<samlp:RequestedAuthnContext Comparison="exact"> + <saml:AuthnContextClassRef>' . $md['AuthnContextClassRef'] . '</saml:AuthnContextClassRef> + </samlp:RequestedAuthnContext>'; + } + + /* + * Create the complete SAML 2.0 Authentication Request + */ $authnRequest = '<samlp:AuthnRequest - xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" - ID="' . $id . '" Version="2.0" - IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '" - Destination="' . htmlspecialchars($destination) . '" - ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" - AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '"> - <saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer> - <samlp:NameIDPolicy - Format="' . htmlspecialchars($nameidformat) . '" - AllowCreate="true"/> - ' . ' + xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" + ID="' . $id . '" Version="2.0" + IssueInstant="' . $issueInstant . '" ForceAuthn="' . $forceauthn . '" + Destination="' . htmlspecialchars($destination) . '" + ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" + AssertionConsumerServiceURL="' . htmlspecialchars($assertionConsumerServiceURL) . '"> + <saml:Issuer >' . htmlspecialchars($spentityid) . '</saml:Issuer> + <samlp:NameIDPolicy + Format="' . htmlspecialchars($nameidformat) . '" + AllowCreate="true"/> + ' . $requestauthncontext . ' </samlp:AuthnRequest> '; - - - + return $authnRequest; } - public static function generateID() { - - $length = 42; - $key = "_"; - for ( $i=0; $i < $length; $i++ ) - { - $key .= dechex( rand(0,15) ); - } - return $key; - } - - public static function generateIssueInstant() { - return gmdate("Y-m-d\TH:i:s\Z"); - } + } diff --git a/www/_include.php b/www/_include.php index 9881d00..b804e3f 100644 --- a/www/_include.php +++ b/www/_include.php @@ -35,8 +35,6 @@ ini_set('include_path', $path); */ //$SIMPLESAML_INCPREFIX = $path_extra . '/'; - - require_once((isset($SIMPLESAML_INCPREFIX)?$SIMPLESAML_INCPREFIX:'') . 'SimpleSAML/Configuration.php'); $configdir = dirname(dirname(__FILE__)) . '/config'; diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php index e4756b4..7219e4e 100644 --- a/www/saml2/sp/initSSO.php +++ b/www/saml2/sp/initSSO.php @@ -73,7 +73,7 @@ try { $httpredirect->sendMessage($req, $spentityid, $idpentityid, $_GET['RelayState']); -} catch(Exception $exception) { +} catch(Exception $exception) { SimpleSAML_Utilities::fatalError($session->getTrackID(), 'CREATEREQUEST', $exception); } |