-rw-r--r--attributealter/alterfunctions.php10
-rw-r--r--lib/SimpleSAML/Logger.php118
-rw-r--r--lib/SimpleSAML/Logger/LoggingHandlerFile.php9
-rw-r--r--lib/SimpleSAML/Logger/LoggingHandlerSyslog.php9
-rw-r--r--lib/SimpleSAML/Metadata/MetaDataStorageHandlerSAML2Meta.php14
-rw-r--r--lib/SimpleSAML/Session.php8
-rw-r--r--lib/SimpleSAML/Utilities.php2
-rw-r--r--lib/SimpleSAML/XHTML/Template.php6
-rw-r--r--www/aselect/handler.php4
-rw-r--r--www/auth/login-admin.php4
-rw-r--r--www/auth/login-feide.php8
-rw-r--r--www/auth/login-ldapmulti.php8
-rw-r--r--www/auth/login-radius.php14
-rw-r--r--www/auth/login.php8
-rw-r--r--www/saml2/idp/SSOService.php75
-rw-r--r--www/saml2/idp/SingleLogoutService.php18
-rw-r--r--www/saml2/sp/AssertionConsumerService.php4
-rw-r--r--www/saml2/sp/SingleLogoutService.php10
-rw-r--r--www/saml2/sp/initSLO.php6
-rw-r--r--www/saml2/sp/initSSO.php8
-rw-r--r--www/shib13/idp/SSOService.php57
21 files changed, 257 insertions, 143 deletions
diff --git a/attributealter/alterfunctions.php b/attributealter/alterfunctions.php
index cb0e960..7d247bf 100644
--- a/attributealter/alterfunctions.php
+++ b/attributealter/alterfunctions.php
@@ -7,12 +7,18 @@ function attributealter_test(&$attributes, $spentityid = null, $idpentityid = nu
function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = null) {
- if (array_key_exists('eduPersonPrincipalName', $attributes)) {
- $eduppn = $attributes['eduPersonPrincipalName'][0];
+ $attributename = 'eduPersonPrincipalName';
+# $attributename = 'edupersonprincipalname';
+ if (array_key_exists($attributename, $attributes)) {
+ $eduppn = $attributes[$attributename][0];
$splitted = explode('@', $eduppn);
if (count($splitted) > 1) {
$attributes['realm'] = array($splitted[1]);
+ } else {
+ SimpleSAML_Logger::debug('attributealter_realm: Wrong format on ' . $attributename . ' (not including @)');
}
+ } else {
+ SimpleSAML_Logger::debug('attributealter_realm: Could not find ' . $attributename);
}
}
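Review bot: `$eduppn = $attributes[$attributename][0];` still assumes the attribute carries at least one value; an empty array passes the `array_key_exists` test and produces an undefined-offset notice that neither of the new else branches reports. Widen the guard to `if (array_key_exists($attributename, $attributes) && !empty($attributes[$attributename])) {` so the empty case falls into the existing "Could not find" debug branch. The commented-out `# $attributename = 'edupersonprincipalname';` line is dead code and should be dropped rather than left as a second, inactive spelling of the attribute name.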
diff --git a/lib/SimpleSAML/Logger.php b/lib/SimpleSAML/Logger.php
index 7468fe1..2a2cdb8 100644
--- a/lib/SimpleSAML/Logger.php
+++ b/lib/SimpleSAML/Logger.php
@@ -6,64 +6,30 @@ require_once('SimpleSAML/Session.php');
/**
* A class for logging
*
+ * @author Lasse Birnbaum Jensen, SDU.
* @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
* @package simpleSAMLphp
* @version $ID$
*/
-class SimpleSAML_Logger {
-
-
- private $configuration = null;
- private $loglevel = LOG_NOTICE;
-
- public function __construct() {
-
- $this->configuration = SimpleSAML_Configuration::getInstance();
- $this->loglevel = $this->configuration->getValue('logging.level');
-
- define_syslog_variables();
- openlog("simpleSAMLphp", LOG_PID, $this->configuration->getValue('logging.facility') );
-
- }
-
- /*
- * Log a message to syslog.
- */
- public function log($priority, $trackid = null, $module, $submodule, $eventtype, $content, $message) {
- /*
- error_log('This entry: ' . $message );
- error_log('This entry is ' . $priority . ' and will be loged if <= ' . $this->loglevel);
- error_log('LOG_ERR is ' . LOG_ERR . ' and LOGINFO is ' . LOG_INFO . " LOG_DEBUG is " . LOG_DEBUG);
- */
- if ($priority > $this->loglevel) return;
- if ($trackid == null) {
- $trackid = 'na';
- //$session = SimpleSAML_Session::getInstance(true);
- //$trackid = $session->getTrackID();
- }
-
- $contentstring = '';
- if (is_array($content)) {
- $contentstring = implode('|', $content);
- } else {
- $contentstring = $content;
- }
-
- $logstring = implode(',', array($priority, $trackid, $module, $submodule, $eventtype, $contentstring, $message));
- syslog($priority, " OLD ".$logstring);
-
- }
-}
interface SimpleSAML_Logger_LoggingHandler {
function log_internal($level,$string);
}
-class Logger {
+class SimpleSAML_Logger {
private static $loggingHandler = null;
private static $logLevel = null;
private static $trackid = null;
+/*
+ * LOG_ERR No statistics, only errors
+ * LOG_WARNING No statistics, only warnings/errors
+ * LOG_NOTICE Statistics and errors
+ * LOG_INFO Verbose logs
+ * LOG_DEBUG Full debug logs - not reccomended for production
+
+*/
+
static function emergency($string) {
self::log_internal(LOG_EMERG,$string);
}
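Review bot: The level overview added at L115-L122 sits as a bare `/* … */` block between the property declarations and the first method, so it is attached to nothing and documentation tooling will not associate it with the class, and it misspells "reccomended". Attach it to the property it describes, directly above `private static $logLevel = null;`, e.g. `/** Threshold taken from logging.level: LOG_ERR errors only; LOG_WARNING warnings and errors; LOG_NOTICE statistics and errors; LOG_INFO verbose; LOG_DEBUG full debug, not recommended for production. */`. The `SimpleSAML_Logger_LoggingHandler` interface in the same hunk has no doc comment either; a one-liner stating that `log_internal($level,$string)` receives the syslog level constant and the formatted message would help handler authors.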
@@ -84,21 +50,39 @@ class Logger {
self::log_internal(LOG_WARNING,$string);
}
+ /**
+ * We reserve the notice level for statistics, so do not use
+ * this level for other kind of log messages.
+ */
static function notice($string) {
self::log_internal(LOG_NOTICE,$string);
}
+ /**
+ * Info messages is abit less verbose than debug messages. This is useful
+ * for tracing a session.
+ */
static function info($string) {
self::log_internal(LOG_INFO,$string);
}
-
+
+ /**
+ * Debug messages is very verbose, and will contain more inforation than
+ * what is neccessary for a production system.
+ */
static function debug($string) {
self::log_internal(LOG_DEBUG,$string);
}
+ /**
+ * Statisitics
+ */
static function stats($string) {
- self::log_internal(LOG_INFO,$string,true);
+ self::log_internal(LOG_NOTICE,$string,true);
}
+
+
+
public static function createLoggingHandler() {
/* Get the configuration. */
$config = SimpleSAML_Configuration::getInstance();
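Review bot: The new docblock on `notice()` says the level is reserved for statistics, but the other hunks of this commit keep routing ordinary events through `SimpleSAML_Logger::notice` (login-admin L400, login-feide L419 and L426, login-ldapmulti L455 and L462, login-radius L489 and L494, SSOService L564 onwards), so at `logging.level` LOG_NOTICE the statistics stream is interleaved with authentication messages that embed user-supplied names. Either demote those calls to `info()` or reword the docblock to describe what actually happens. `stats()` now passes a third argument, `self::log_internal(LOG_NOTICE,$string,true);`, while the interface declares `log_internal($level,$string)`; the static `log_internal` it calls is outside this hunk, so it is worth confirming the extra flag is consumed there rather than silently dropped. The three docblocks also carry typos ("abit", "inforation", "neccessary", "Statisitics"); e.g. `/** Debug messages are very verbose and contain more information than a production system needs. */`.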
@@ -158,6 +142,46 @@ class Logger {
self::$loggingHandler->log_internal($level,$string);
}
}
+
+}
+
+
+ /*
+class SimpleSAML_Logger {
+
+
+ private $configuration = null;
+ private $loglevel = LOG_NOTICE;
+
+ public function __construct() {
+
+ $this->configuration = SimpleSAML_Configuration::getInstance();
+ $this->loglevel = $this->configuration->getValue('logging.level');
+
+ define_syslog_variables();
+ openlog("simpleSAMLphp", LOG_PID, $this->configuration->getValue('logging.facility') );
+
+ }
+ public function log($priority, $trackid = null, $module, $submodule, $eventtype, $content, $message) {
+
+ if ($priority > $this->loglevel) return;
+ if ($trackid == null) {
+ $trackid = 'na';
+ }
+
+ $contentstring = '';
+ if (is_array($content)) {
+ $contentstring = implode('|', $content);
+ } else {
+ $contentstring = $content;
+ }
+
+ $logstring = implode(',', array($priority, $trackid, $module, $submodule, $eventtype, $contentstring, $message));
+ syslog($priority, " OLD ".$logstring);
+
+ }
}
+*/
+
?> \ No newline at end of file
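Review bot: The whole previous `SimpleSAML_Logger` class is carried along as a block comment at L174-L209 instead of being deleted; commented-out code is dead weight the history already preserves, and its `openlog("simpleSAMLphp", …)` and `syslog(… " OLD " …)` lines will mislead anyone grepping for where syslog is opened. Drop the block. The file also ends with `?>` and no trailing newline; a declarations-only file should omit the closing tag so no stray whitespace can be emitted before headers are sent.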
diff --git a/lib/SimpleSAML/Logger/LoggingHandlerFile.php b/lib/SimpleSAML/Logger/LoggingHandlerFile.php
index dd77cd6..b0239ef 100644
--- a/lib/SimpleSAML/Logger/LoggingHandlerFile.php
+++ b/lib/SimpleSAML/Logger/LoggingHandlerFile.php
@@ -3,6 +3,15 @@
require_once('SimpleSAML/Configuration.php');
require_once('SimpleSAML/Logger.php');
+/**
+ * A class for logging
+ *
+ * @author Lasse Birnbaum Jensen, SDU.
+ * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
+ * @package simpleSAMLphp
+ * @version $ID$
+ */
+
class SimpleSAML_Logger_LoggingHandlerFile implements SimpleSAML_Logger_LoggingHandler {
private $logFile = null;
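Review bot: The header added in front of `class SimpleSAML_Logger_LoggingHandlerFile` is separated from the class by a blank line (L227), so it is a free-floating comment rather than the class docblock, and its text is copied verbatim from Logger.php ("A class for logging") without saying what this handler does. Remove the blank line and make the description specific to the handler, e.g. `/** SimpleSAML_Logger_LoggingHandler implementation that writes log lines to a file. */` — where the file comes from is decided by the constructor outside this hunk, so keep the wording that general. The LoggingHandlerSyslog.php hunk (L237-L245) has the same detached, copy-pasted header.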
diff --git a/lib/SimpleSAML/Logger/LoggingHandlerSyslog.php b/lib/SimpleSAML/Logger/LoggingHandlerSyslog.php
index 4ad3130..a897b91 100644
--- a/lib/SimpleSAML/Logger/LoggingHandlerSyslog.php
+++ b/lib/SimpleSAML/Logger/LoggingHandlerSyslog.php
@@ -3,6 +3,15 @@
require_once('SimpleSAML/Configuration.php');
require_once('SimpleSAML/Logger.php');
+/**
+ * A class for logging
+ *
+ * @author Lasse Birnbaum Jensen, SDU.
+ * @author Andreas Åkre Solberg, UNINETT AS. <andreas.solberg@uninett.no>
+ * @package simpleSAMLphp
+ * @version $ID$
+ */
+
class SimpleSAML_Logger_LoggingHandlerSyslog implements SimpleSAML_Logger_LoggingHandler {
function __construct() {
diff --git a/lib/SimpleSAML/Metadata/MetaDataStorageHandlerSAML2Meta.php b/lib/SimpleSAML/Metadata/MetaDataStorageHandlerSAML2Meta.php
index 22eab31..3e45a82 100644
--- a/lib/SimpleSAML/Metadata/MetaDataStorageHandlerSAML2Meta.php
+++ b/lib/SimpleSAML/Metadata/MetaDataStorageHandlerSAML2Meta.php
@@ -102,7 +102,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
$metadata = $this->loadFile($metadatasetfile);
}
- Logger::info('MetaData - Handler.SAML2Meta: Loading metadata set [' . $set . '] from [' . $metadatasetfile . ']' );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Loading metadata set [' . $set . '] from [' . $metadatasetfile . ']' );
if (!is_array($metadata))
throw new Exception('Could not load metadata set [' . $set . '] from file: ' . $metadatasetfile);
@@ -178,7 +178,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
@@ -215,7 +215,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
$metadata[$entityid]['ForceAuthn'] = (isset($seek_forceauth) ? ($seek_forceauth === 'true') : false);
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
@@ -260,7 +260,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
$metadata[$entityid]['requireconsent'] = (isset($seek_requireconsent) ? ($seek_requireconsent === 'true') : false);
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
@@ -325,7 +325,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
@@ -371,7 +371,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
@@ -455,7 +455,7 @@ class SimpleSAML_Metadata_MetaDataStorageHandlerSAML2Meta extends SimpleSAML_Met
} catch (Exception $e) {
- Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
+ SimpleSAML_Logger::info('MetaData - Handler.SAML2Meta: Error parsing [' . __FUNCTION__ . '] ' . $e->getMessage() );
}
}
diff --git a/lib/SimpleSAML/Session.php b/lib/SimpleSAML/Session.php
index 7bc1092..7ce74f9 100644
--- a/lib/SimpleSAML/Session.php
+++ b/lib/SimpleSAML/Session.php
@@ -218,7 +218,7 @@ class SimpleSAML_Session {
public function getAuthnRequest($protocol, $requestid) {
- Logger::debug('Library - Session: Get authnrequest from cache ' . $protocol . ' time:' . time() . ' id: '. $requestid );
+ SimpleSAML_Logger::debug('Library - Session: Get authnrequest from cache ' . $protocol . ' time:' . time() . ' id: '. $requestid );
$configuration = SimpleSAML_Configuration::getInstance();
if (isset($this->authnrequests[$protocol])) {
@@ -231,7 +231,7 @@ class SimpleSAML_Session {
* simply delete it :)
*/
if ($cache['date'] < time() - $configuration->getValue('session.requestcache', 4*(60*60)) ) {
- Logger::debug('Library - Session: Deleting expired authn request with id ' . $id);
+ SimpleSAML_Logger::debug('Library - Session: Deleting expired authn request with id ' . $id);
unset($this->authnrequests[$protocol][$id]);
}
}
@@ -258,7 +258,7 @@ class SimpleSAML_Session {
*/
public function setAuthnRequest($protocol, $requestid, array $cache) {
- Logger::debug('Library - Session: Set authnrequest ' . $protocol . ' time:' . time() . ' size:' . count($cache) . ' id: '. $requestid );
+ SimpleSAML_Logger::debug('Library - Session: Set authnrequest ' . $protocol . ' time:' . time() . ' size:' . count($cache) . ' id: '. $requestid );
$this->dirty = true;
$cache['date'] = time();
@@ -375,7 +375,7 @@ class SimpleSAML_Session {
*/
public function clean($cleancache = false) {
- Logger::debug('Library - Session: Cleaning Session. Clean cache: ' . ($cleancache ? 'yes' : 'no') );
+ SimpleSAML_Logger::debug('Library - Session: Cleaning Session. Clean cache: ' . ($cleancache ? 'yes' : 'no') );
if ($cleancache) {
$this->authnrequests = array();
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 0553695..ac6d1a2 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -287,7 +287,7 @@ class SimpleSAML_Utilities {
$etrace = (empty($e) ? 'No exception available' : $e->getTraceAsString());
// Log a error message
- Logger::error($_SERVER['PHP_SELF'].' - UserError: ErrCode:'.(!empty($errorcode) ? $errorcode : 'na').': '.urlencode($emsg) );
+ SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - UserError: ErrCode:'.(!empty($errorcode) ? $errorcode : 'na').': '.urlencode($emsg) );
$languagefile = null;
if (isset($errorcode)) $languagefile = 'error_' . $errorcode . '.php';
diff --git a/lib/SimpleSAML/XHTML/Template.php b/lib/SimpleSAML/XHTML/Template.php
index e09f99a..2ccc135 100644
--- a/lib/SimpleSAML/XHTML/Template.php
+++ b/lib/SimpleSAML/XHTML/Template.php
@@ -85,7 +85,7 @@ class SimpleSAML_XHTML_Template {
if (!file_exists($filebase . $file) ) {
- Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']');
+ SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']');
return;
}
}
@@ -97,7 +97,7 @@ class SimpleSAML_XHTML_Template {
$filebase = $this->configuration->getBaseDir() . $this->configuration->getValue('dictionarydir');
if (!file_exists($filebase . $file)) {
- Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filebase . $file . ']');
+ SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filebase . $file . ']');
return;
}
include($filebase . $file);
@@ -128,7 +128,7 @@ class SimpleSAML_XHTML_Template {
if (!file_exists($filename)) {
- Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']');
+ SimpleSAML_Logger::error($_SERVER['PHP_SELF'].' - Template: Could not find template file [' . $this->template . '] at [' . $filename . ']');
echo 'Fatal error: Could not find template file [' . $this->template . '] at [' . $filename . ']';
exit(0);
diff --git a/www/aselect/handler.php b/www/aselect/handler.php
index d24b3a9..38dbf2a 100644
--- a/www/aselect/handler.php
+++ b/www/aselect/handler.php
@@ -122,7 +122,7 @@ session_start();
// log an error and throw an exception
function as_error_exception($msg) {
- Logger::notice(array('1', 'aselect', 'handler', 'request', 'access', $msg));
+ SimpleSAML_Logger::notice(array('1', 'aselect', 'handler', 'request', 'access', $msg));
throw new Exception($msg);
}
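Review bot: `SimpleSAML_Logger::notice(array('1', 'aselect', 'handler', 'request', 'access', $msg));` hands an array to a method whose parameter is `$string` and which, as far as L134-L136 and L167 show, forwards it to the handler's `log_internal($level,$string)`; unless a handler flattens arrays the log line will read "Array" plus a conversion notice, because the old `SimpleSAML_Logger::log()` that did the `implode('|', …)` is removed by this commit. Build the string here: `SimpleSAML_Logger::notice(implode('|', array('1', 'aselect', 'handler', 'request', 'access', $msg)));`. The second hunk of this file (L380-L381) has the same call shape, there with `$_SERVER['REQUEST_URI']`, which is client-supplied text and goes into the log unescaped, so it is worth normalising control characters before logging it. The try block of that second hunk continues outside it.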
@@ -438,7 +438,7 @@ function as_request_bridge_return() {
// demultiplex incoming request
try {
- Logger::notice(array('1', 'aselect', 'handler', 'request', 'access', $_SERVER['REQUEST_URI']));
+ SimpleSAML_Logger::notice(array('1', 'aselect', 'handler', 'request', 'access', $_SERVER['REQUEST_URI']));
if ($_GET['request']) {
$handler = 'as_request_' . $_GET['request'];
$handler();
diff --git a/www/auth/login-admin.php b/www/auth/login-admin.php
index 6bacd1c..65b2956 100644
--- a/www/auth/login-admin.php
+++ b/www/auth/login-admin.php
@@ -13,7 +13,7 @@ $config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$session = SimpleSAML_Session::getInstance();
-Logger::info('AUTH -admin: Accessing auth endpoint login-admin');
+SimpleSAML_Logger::info('AUTH -admin: Accessing auth endpoint login-admin');
$error = null;
$attributes = array();
@@ -60,7 +60,7 @@ if (isset($_POST['password'])) {
'value' => SimpleSAML_Utilities::generateID(),
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
- Logger::notice('AUTH - admin: '. $username . ' successfully authenticated');
+ SimpleSAML_Logger::notice('AUTH - admin: '. $username . ' successfully authenticated');
SimpleSAML_Utilities::redirect($relaystate);
exit(0);
diff --git a/www/auth/login-feide.php b/www/auth/login-feide.php
index 5e9ddad..2723865 100644
--- a/www/auth/login-feide.php
+++ b/www/auth/login-feide.php
@@ -35,7 +35,7 @@ $session = SimpleSAML_Session::getInstance();
$ldapconfigfile = $config->getBaseDir() . 'config/ldapfeide.php';
require_once($ldapconfigfile);
-Logger::info('AUTH - ldap-feide: Accessing auth endpoint login-feide');
+SimpleSAML_Logger::info('AUTH - ldap-feide: Accessing auth endpoint login-feide');
$error = null;
$attributes = array();
@@ -112,7 +112,7 @@ if (isset($_REQUEST['username'])) {
* Do LDAP bind using DN found from the search on ePPN.
*/
if (!$ldap->bind($dn, $password)) {
- Logger::notice('AUTH - ldap-feide: '. $requestedUser . ' failed to authenticate. DN=' . $dn);
+ SimpleSAML_Logger::notice('AUTH - ldap-feide: '. $requestedUser . ' failed to authenticate. DN=' . $dn);
throw new Exception('Wrong username or password');
}
@@ -121,7 +121,7 @@ if (isset($_REQUEST['username'])) {
*/
$attributes = $ldap->getAttributes($dn, $ldapconfig['attributes']);
- Logger::notice('AUTH - ldap-feide: '. $requestedUser . ' successfully authenticated');
+ SimpleSAML_Logger::notice('AUTH - ldap-feide: '. $requestedUser . ' successfully authenticated');
$session->setAuthenticated(true, 'login-feide');
$session->setAttributes($attributes);
@@ -135,7 +135,7 @@ if (isset($_REQUEST['username'])) {
} catch (Exception $e) {
- Logger::error('AUTH - ldap-feide: User: '.(isset($requestedUser) ? $requestedUser : 'na'). ':'. $e->getMessage());
+ SimpleSAML_Logger::error('AUTH - ldap-feide: User: '.(isset($requestedUser) ? $requestedUser : 'na'). ':'. $e->getMessage());
$error = $e->getMessage();
}
}
diff --git a/www/auth/login-ldapmulti.php b/www/auth/login-ldapmulti.php
index 78aa012..4b1d9ba 100644
--- a/www/auth/login-ldapmulti.php
+++ b/www/auth/login-ldapmulti.php
@@ -17,7 +17,7 @@ $ldapconfigfile = $config->getBaseDir() . 'config/ldapmulti.php';
require_once($ldapconfigfile);
-Logger::info('AUTH - ldap-multi: Accessing auth endpoint login-ldapmulti');
+SimpleSAML_Logger::info('AUTH - ldap-multi: Accessing auth endpoint login-ldapmulti');
$error = null;
@@ -47,7 +47,7 @@ if (isset($_POST['username'])) {
if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
- Logger::critical('AUTH - ldap-multi: Error setting LDAP protocol version to 3');
+ SimpleSAML_Logger::critical('AUTH - ldap-multi: Error setting LDAP protocol version to 3');
$error = "Failed to set LDAP Protocol version to 3";
}
@@ -64,7 +64,7 @@ if (isset($_POST['username'])) {
ldap_error($ds) . "] ErrNo=[" .
ldap_errno($ds) . "]";
- Logger::notice('AUTH - ldap-multi: '. $_POST['username'] . ' failed to authenticate');
+ SimpleSAML_Logger::notice('AUTH - ldap-multi: '. $_POST['username'] . ' failed to authenticate');
} else {
$sr = ldap_read($ds, $dn, $ldapconfig['attributes'] );
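Review bot: `SimpleSAML_Logger::notice('AUTH - ldap-multi: '. $_POST['username'] . ' failed to authenticate');` writes the submitted username into the log verbatim, so a value containing a newline or other control characters splits or forges log records, and with `notice()` now documented as the statistics level the same text lands in the stats stream. Normalise once before logging, e.g. `$logname = preg_replace('/[\x00-\x1f\x7f]/', '?', $_POST['username']);`, and use `$logname` in both notice calls of this file (L455, L462); the login-radius hunks (L488-L489, L493-L494) log `$_POST['username']` the same way. The surrounding `if (isset($_POST['username']))` block continues outside the hunk.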
@@ -85,7 +85,7 @@ if (isset($_POST['username'])) {
//print_r($ldapentries);
//print_r($attributes);
- Logger::notice('AUTH - ldap-multi: '. $_POST['username'] . ' successfully authenticated');
+ SimpleSAML_Logger::notice('AUTH - ldap-multi: '. $_POST['username'] . ' successfully authenticated');
$session->setAuthenticated(true, 'login-ldapmulti');
diff --git a/www/auth/login-radius.php b/www/auth/login-radius.php
index d1c9851..622d9c3 100644
--- a/www/auth/login-radius.php
+++ b/www/auth/login-radius.php
@@ -13,7 +13,7 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$session = SimpleSAML_Session::getInstance();
-Logger::info('AUTH - radius: Accessing auth endpoint login');
+SimpleSAML_Logger::info('AUTH - radius: Accessing auth endpoint login');
$error = null;
$attributes = array();
@@ -35,12 +35,12 @@ if (isset($_POST['username'])) {
if (! radius_add_server($radius, $config->getValue('auth.radius.hostname'), $config->getValue('auth.radius.port'),
$config->getValue('auth.radius.secret'), 5, 3)) {
- Logger::critical('AUTH - radius: Problem occured when connecting to Radius server: '.radius_strerror($radius));
+ SimpleSAML_Logger::critical('AUTH - radius: Problem occured when connecting to Radius server: '.radius_strerror($radius));
throw new Exception('Problem occured when connecting to Radius server: ' . radius_strerror($radius));
}
if (! radius_create_request($radius,RADIUS_ACCESS_REQUEST)) {
- Logger::critical('AUTH - radius: Problem occured when creating the Radius request: '.radius_strerror($radius));
+ SimpleSAML_Logger::critical('AUTH - radius: Problem occured when creating the Radius request: '.radius_strerror($radius));
throw new Exception('Problem occured when creating the Radius request: ' . radius_strerror($radius));
}
@@ -81,7 +81,7 @@ if (isset($_POST['username'])) {
//$attributes = array('urn:mace:eduroam.no:username' => array($_POST['username']));
- Logger::notice('AUTH - radius: '. $_POST['username'] . ' successfully authenticated');
+ SimpleSAML_Logger::notice('AUTH - radius: '. $_POST['username'] . ' successfully authenticated');
$session->setAuthenticated(true, 'login-radius');
@@ -96,15 +96,15 @@ if (isset($_POST['username'])) {
case RADIUS_ACCESS_REJECT:
- Logger::notice('AUTH - radius: '. $_POST['username'] . ' failed to authenticate');
+ SimpleSAML_Logger::notice('AUTH - radius: '. $_POST['username'] . ' failed to authenticate');
throw new Exception('Radius authentication error: Bad credentials ');
break;
case RADIUS_ACCESS_CHALLENGE:
- Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius));
+ SimpleSAML_Logger::critical('AUTH - radius: Challenge requested: ' . radius_strerror($radius));
throw new Exception('Radius authentication error: Challenge requested');
break;
default:
- Logger::critical('AUTH -radius: General radius error: ' . radius_strerror($radius));
+ SimpleSAML_Logger::critical('AUTH -radius: General radius error: ' . radius_strerror($radius));
throw new Exception('Error during radius authentication: ' . radius_strerror($radius));
}
diff --git a/www/auth/login.php b/www/auth/login.php
index 0a11d44..44806ff 100644
--- a/www/auth/login.php
+++ b/www/auth/login.php
@@ -16,7 +16,7 @@ $config = SimpleSAML_Configuration::getInstance();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$session = SimpleSAML_Session::getInstance(true);
-Logger::info('AUTH - ldap: Accessing auth endpoint login');
+SimpleSAML_Logger::info('AUTH - ldap: Accessing auth endpoint login');
$error = null;
$attributes = array();
@@ -69,7 +69,7 @@ if (isset($_POST['username'])) {
if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
- Logger::critical('AUTH - ldap: Error setting LDAP protocol version to 3');
+ SimpleSAML_Logger::critical('AUTH - ldap: Error setting LDAP protocol version to 3');
throw new Exception("Failed to set LDAP Protocol version to 3");
}
@@ -83,7 +83,7 @@ if (isset($_POST['username'])) {
$error = "Bind failed, wrong username or password. Tried with DN=[" . $dn . "] DNPattern=[" . $config->getValue('auth.ldap.dnpattern')
. "] Error=[" . ldap_error($ds) . "] ErrNo=[" . ldap_errno($ds) . "]";
- Logger::notice('AUTH - ldap: '. $username . ' failed to authenticate');
+ SimpleSAML_Logger::notice('AUTH - ldap: '. $username . ' failed to authenticate');
} else {
$sr = ldap_read($ds, $dn, $config->getValue('auth.ldap.attributes'));
@@ -137,7 +137,7 @@ if (isset($_POST['username'])) {
'value' => SimpleSAML_Utilities::generateID(),
'Format' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'));
- Logger::notice('AUTH - ldap: '. $username . ' successfully authenticated');
+ SimpleSAML_Logger::notice('AUTH - ldap: '. $username . ' successfully authenticated');
SimpleSAML_Utilities::redirect($relaystate);
diff --git a/www/saml2/idp/SSOService.php b/www/saml2/idp/SSOService.php
index 15db347..55fe924 100644
--- a/www/saml2/idp/SSOService.php
+++ b/www/saml2/idp/SSOService.php
@@ -36,7 +36,7 @@ try {
$requestid = null;
-Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
+SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService');
/*
* If the SAMLRequest query parameter is set, we got an incomming Authentication Request
@@ -69,10 +69,10 @@ if (isset($_GET['SAMLRequest'])) {
if ($binding->validateQuery($authnrequest->getIssuer(),'IdP')) {
- Logger::info('SAML2.0 - IdP.SSOService: Valid signature found for '.$requestid);
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Valid signature found for '.$requestid);
}
- Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: '.$authnrequest->getIssuer().' id '.$requestid);
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Incomming Authentication request: '.$authnrequest->getIssuer().' id '.$requestid);
} catch(Exception $exception) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
@@ -95,7 +95,7 @@ if (isset($_GET['SAMLRequest'])) {
$requestcache = $session->getAuthnRequest('saml2', $requestid);
- Logger::info('SAML2.0 - IdP.SSOService: Got incomming RequestID');
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SSOService: Got incomming RequestID');
if (!$requestcache) throw new Exception('Could not retrieve cached RequestID = ' . $requestid);
@@ -124,7 +124,7 @@ $authority = isset($idpmetadata['authority']) ? $idpmetadata['authority'] : null
if (!isset($session) || !$session->isValid($authority) ) {
- Logger::notice('SAML2.0 - IdP.SSOService: Will go to authentication module ' . $idpmetadata['auth']);
+ SimpleSAML_Logger::notice('SAML2.0 - IdP.SSOService: Will go to authentication module ' . $idpmetadata['auth']);
$relaystate = SimpleSAML_Utilities::selfURLNoQuery() .
'?RequestID=' . urlencode($requestid);
@@ -153,7 +153,7 @@ if (!isset($session) || !$session->isValid($authority) ) {
if (!isset($_GET['consent'])) {
- Logger::notice('SAML2.0 - IdP.SSOService: Requires consent from user for attribute release');
+ SimpleSAML_Logger::notice('SAML2.0 - IdP.SSOService: Requires consent from user for attribute release');
$t = new SimpleSAML_XHTML_Template($config, 'consent.php');
$t->data['header'] = 'Consent';
@@ -165,7 +165,7 @@ if (!isset($session) || !$session->isValid($authority) ) {
} else {
- Logger::notice('SAML2.0 - IdP.SSOService: Got consent from user');
+ SimpleSAML_Logger::notice('SAML2.0 - IdP.SSOService: Got consent from user');
}
}
@@ -174,48 +174,81 @@ if (!isset($session) || !$session->isValid($authority) ) {
// Right now the list is used for SAML 2.0 only.
$session->add_sp_session($spentityid);
- Logger::notice('SAML2.0 - IdP.SSOService: Sending back AuthnResponse to '.$spentityid);
+ SimpleSAML_Logger::notice('SAML2.0 - IdP.SSOService: Sending back AuthnResponse to '.$spentityid);
+
+
+
/*
- * Filtering attributes.
+ * Attribute handling
*/
- $ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
$afilter = new SimpleSAML_XML_AttributeFilter($config, $session->getAttributes());
if (isset($idpmetadata['attributemap'])) {
+ SimpleSAML_Logger::debug('Applying IdP specific attributemap: ' . $idpmetadata['attributemap']);
$afilter->namemap($idpmetadata['attributemap']);
}
if (isset($spmetadata['attributemap'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attributemap: ' . $spmetadata['attributemap']);
$afilter->namemap($spmetadata['attributemap']);
}
if (isset($idpmetadata['attributealter'])) {
- if (!is_array($idpmetadata['attributealter']))
+ if (!is_array($idpmetadata['attributealter'])) {
+ SimpleSAML_Logger::debug('Applying IdP specific attribute alter: ' . $idpmetadata['attributealter']);
$afilter->alter($idpmetadata['attributealter']);
- else
- foreach($idpmetadata['attributealter'] AS $alterfunc)
+ } else {
+ foreach($idpmetadata['attributealter'] AS $alterfunc) {
+ SimpleSAML_Logger::debug('Applying IdP specific attribute alter: ' . $alterfunc);
$afilter->alter($alterfunc);
+ }
+ }
}
if (isset($spmetadata['attributealter'])) {
- if (!is_array($spmetadata['attributealter']))
+ if (!is_array($spmetadata['attributealter'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute alter: ' . $spmetadata['attributealter']);
$afilter->alter($spmetadata['attributealter']);
- else
- foreach($spmetadata['attributealter'] AS $alterfunc)
+ } else {
+ foreach($spmetadata['attributealter'] AS $alterfunc) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute alter: ' . $alterfunc);
$afilter->alter($alterfunc);
+ }
+ }
}
+
+ /**
+ * Make a log entry in the statistics for this SSO login.
+ */
+ $tempattr = $afilter->getAttributes();
+ $realmattr = $config->getValue('statistics.realmattr', null);
+ $realmstr = 'NA';
+ if (!empty($realmattr)) {
+ if (array_key_exists($realmattr, $tempattr) && is_array($tempattr[$realmattr]) ) {
+ $realmstr = $tempattr[$realmattr][0];
+ } else {
+ SimpleSAML_Logger::warning('Could not get realm attribute to log [' . $realmattr. ']');
+ }
+ }
+ SimpleSAML_Logger::stats('saml20-idp-SSO ' . $spentityid . ' ' . $idpentityid . ' ' . $realmstr);
+
+ /**
+ * Filter away attributes that are not allowed for this SP.
+ */
if (isset($spmetadata['attributes'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute filter: ' . join(',', $spmetadata['attributes']));
$afilter->filter($spmetadata['attributes']);
}
$filteredattributes = $afilter->getAttributes();
- //echo '<pre>before filter:' ; print_r($session->getAttributes()); echo "\n\n"; print_r($filteredattributes); echo '</pre>'; exit;
+
+
+
// Generate an SAML 2.0 AuthNResponse message
- $authnResponseXML = $ar->generate($idpentityid, $spentityid,
- $requestid, null, $filteredattributes);
+ $ar = new SimpleSAML_XML_SAML20_AuthnResponse($config, $metadata);
+ $authnResponseXML = $ar->generate($idpentityid, $spentityid, $requestid, null, $filteredattributes);
// Sending the AuthNResponse using HTTP-Post SAML 2.0 binding
$httppost = new SimpleSAML_Bindings_SAML20_HTTPPost($config, $metadata);
- $httppost->sendResponse($authnResponseXML,
- $idpentityid, $spentityid,
+ $httppost->sendResponse($authnResponseXML, $idpentityid, $spentityid,
isset($requestcache['RelayState']) ? $requestcache['RelayState'] : null
);
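Review bot: `$realmstr = $tempattr[$realmattr][0];` guards the key and array-ness but not emptiness, so an attribute present with no values raises an undefined-offset notice, and the value then goes unescaped into the space-delimited line `SimpleSAML_Logger::stats('saml20-idp-SSO ' . $spentityid . ' ' . $idpentityid . ' ' . $realmstr);`, where an embedded space or newline shifts the columns a stats consumer will parse. Tighten the branch to `if (array_key_exists($realmattr, $tempattr) && is_array($tempattr[$realmattr]) && $tempattr[$realmattr] !== array()) {` and write `$realmstr = preg_replace('/\s+/', '_', (string) $tempattr[$realmattr][0]);`. Two smaller points: the `/** … */` markers on L630 and L645 are docblock syntax on plain statements, where `/* … */` is the right form, and the stats entry appears to be taken on purpose from the attribute set before the SP filter at L648-L651 runs — a one-line comment saying so (`/* read the realm before the SP filter, which may strip it */`) would stop someone "fixing" the order. The enclosing block starts and ends outside this hunk.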
diff --git a/www/saml2/idp/SingleLogoutService.php b/www/saml2/idp/SingleLogoutService.php
index 91543a6..d33cc23 100644
--- a/www/saml2/idp/SingleLogoutService.php
+++ b/www/saml2/idp/SingleLogoutService.php
@@ -30,7 +30,7 @@ $session = SimpleSAML_Session::getInstance();
$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
-Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
+SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Accessing SAML 2.0 IdP endpoint SingleLogoutService');
// TODO: if session is not set, give error or do something else.
@@ -50,7 +50,7 @@ if (isset($_GET['SAMLRequest'])) {
$logoutrequest = $binding->decodeLogoutRequest($_GET);
if ($binding->validateQuery($logoutrequest->getIssuer(),'IdP')) {
- Logger::info('SAML2.0 - IdP.SingleLogoutService: Valid signature found for '.$logoutrequest->getRequestID());
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Valid signature found for '.$logoutrequest->getRequestID());
}
} catch(Exception $exception) {
@@ -101,7 +101,7 @@ if (isset($_GET['SAMLRequest'])) {
//echo '<pre>' . htmlentities($logoutrequest->getXML()) . '</pre>';
- Logger::notice('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer());
+ SimpleSAML_Logger::notice('SAML2.0 - IdP.SingleLogoutService: got Logoutrequest from ' . $logoutrequest->getIssuer());
# $session->setLogoutRequest($logoutrequest);
@@ -132,7 +132,7 @@ if (isset($_GET['SAMLRequest'])) {
$loginresponse = $binding->decodeLogoutResponse($_GET);
if ($binding->validateQuery($loginresponse->getIssuer(),'SP','SAMLResponse')) {
- Logger::notice('SAML2.0 - IDP.SingleLogoutService: Valid signature found');
+ SimpleSAML_Logger::notice('SAML2.0 - IDP.SingleLogoutService: Valid signature found');
}
@@ -153,7 +153,7 @@ if (isset($_GET['SAMLRequest'])) {
$session->set_sp_logout_completed($loginresponse->getIssuer());
- Logger::notice('SAML2.0 - IDP.SingleLogoutService: got LogoutResponse from ' . $loginresponse->getIssuer());
+ SimpleSAML_Logger::notice('SAML2.0 - IDP.SingleLogoutService: got LogoutResponse from ' . $loginresponse->getIssuer());
}
@@ -167,7 +167,7 @@ $session->dump_sp_sessions();
$spentityid = $session->get_next_sp_logout();
if ($spentityid) {
- Logger::notice('SAML2.0 - IDP.SingleLogoutService: Logout next SP ' . $spentityid);
+ SimpleSAML_Logger::notice('SAML2.0 - IDP.SingleLogoutService: Logout next SP ' . $spentityid);
try {
$lr = new SimpleSAML_XML_SAML20_LogoutRequest($config, $metadata);
@@ -203,7 +203,7 @@ if ($spentityid) {
}
if ($config->getValue('debug', false))
- Logger::info('SAML2.0 - IdP.SingleLogoutService: LogoutService: All SPs done ');
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: LogoutService: All SPs done ');
@@ -243,12 +243,12 @@ try {
* Clean up session object to save storage.
*/
if ($config->getValue('debug', false))
- Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size before cleaning: ' . $session->getSize());
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size before cleaning: ' . $session->getSize());
$session->clean();
if ($config->getValue('debug', false))
- Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size after cleaning: ' . $session->getSize());
+ SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutService: Session Size after cleaning: ' . $session->getSize());
/**
diff --git a/www/saml2/sp/AssertionConsumerService.php b/www/saml2/sp/AssertionConsumerService.php
index 2f459dc..4be5175 100644
--- a/www/saml2/sp/AssertionConsumerService.php
+++ b/www/saml2/sp/AssertionConsumerService.php
@@ -28,7 +28,7 @@ require_once('SimpleSAML/XHTML/Template.php');
*/
$session = SimpleSAML_Session::getInstance(TRUE);
-Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService');
+SimpleSAML_Logger::info('SAML2.0 - SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint AssertionConsumerService');
try {
@@ -40,7 +40,7 @@ try {
$authnResponse->process();
- Logger::notice('SAML2.0 - SP.AssertionConsumerService: Successfully created local session from Authentication Response');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.AssertionConsumerService: Successfully created local session from Authentication Response');
$relayState = $authnResponse->getRelayState();
if (isset($relayState)) {
diff --git a/www/saml2/sp/SingleLogoutService.php b/www/saml2/sp/SingleLogoutService.php
index 2193fc5..86a2ab0 100644
--- a/www/saml2/sp/SingleLogoutService.php
+++ b/www/saml2/sp/SingleLogoutService.php
@@ -20,7 +20,7 @@ $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$session = SimpleSAML_Session::getInstance(true);
-Logger::info('SAML2.0 - SP.SingleLogoutService: Accessing SAML 2.0 SP endpoint SingleLogoutService');
+SimpleSAML_Logger::info('SAML2.0 - SP.SingleLogoutService: Accessing SAML 2.0 SP endpoint SingleLogoutService');
// Destroy local session if exists.
if (isset($session) ) {
@@ -39,7 +39,7 @@ if (isset($_GET['SAMLRequest'])) {
$logoutrequest = $binding->decodeLogoutRequest($_GET);
if ($binding->validateQuery($logoutrequest->getIssuer(),'SP')) {
- Logger::notice('SAML2.0 - SP.SingleLogoutService: Valid signature found for '.$requestid);
+ SimpleSAML_Logger::notice('SAML2.0 - SP.SingleLogoutService: Valid signature found for '.$requestid);
}
// Extract some parameters from the logout request
@@ -50,7 +50,7 @@ if (isset($_GET['SAMLRequest'])) {
//$responder = $config->getValue('saml2-hosted-sp');
$responder = $metadata->getMetaDataCurrentEntityID();
- Logger::notice('SAML2.0 - SP.SingleLogoutService: IdP (' . $requester . ') is sending logout request to me SP (' . $responder . ') requestid '.$requestid);
+ SimpleSAML_Logger::notice('SAML2.0 - SP.SingleLogoutService: IdP (' . $requester . ') is sending logout request to me SP (' . $responder . ') requestid '.$requestid);
// Create a logout response
@@ -62,7 +62,7 @@ if (isset($_GET['SAMLRequest'])) {
$httpredirect = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
- Logger::notice('SAML2.0 - SP.SingleLogoutService: SP me (' . $responder . ') is sending logout response to IdP (' . $requester . ')');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.SingleLogoutService: SP me (' . $responder . ') is sending logout response to IdP (' . $requester . ')');
// Send the Logout response using HTTP POST binding.
$httpredirect->sendMessage($logoutResponseXML, $responser, $requester, $logoutrequest->getRelayState(), 'SingleLogoutServiceResponse', 'SAMLResponse');
@@ -83,7 +83,7 @@ if (isset($_GET['SAMLRequest'])) {
$logoutresponse = $binding->decodeLogoutResponse($_GET);
if ($binding->validateQuery($logoutresponse->getIssuer(),'SP','SAMLResponse')) {
- Logger::notice('SAML2.0 - SP.SingleLogoutService: Valid signature found');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.SingleLogoutService: Valid signature found');
}
} catch(Exception $exception) {
diff --git a/www/saml2/sp/initSLO.php b/www/saml2/sp/initSLO.php
index 7ac36ff..b1e975b 100644
--- a/www/saml2/sp/initSLO.php
+++ b/www/saml2/sp/initSLO.php
@@ -22,7 +22,7 @@ if (isset($session) ) {
$idpentityid = $session->getIdP();
$spentityid = isset($_GET['spentityid']) ? $_GET['spentityid'] : $metadata->getMetaDataCurrentEntityID();
- Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO script');
+ SimpleSAML_Logger::info('SAML2.0 - SP.initSLO: Accessing SAML 2.0 SP initSLO script');
/**
* Create a logout request
@@ -37,7 +37,7 @@ if (isset($session) ) {
$relayState = $_REQUEST['RelayState'];
}
- Logger::notice('SAML2.0 - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.initSLO: SP (' . $spentityid . ') is sending logout request to IdP (' . $idpentityid . ')');
$httpredirect->sendMessage($req, $spentityid, $idpentityid, $relayState, 'SingleLogoutService', 'SAMLRequest', 'SP');
@@ -53,7 +53,7 @@ if (isset($session) ) {
$relaystate = $_REQUEST['RelayState'];
- Logger::notice('SAML2.0 - SP.initSLO: User is already logged out. Go back to relaystate');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.initSLO: User is already logged out. Go back to relaystate');
SimpleSAML_Utilities::redirect($relaystate);
diff --git a/www/saml2/sp/initSSO.php b/www/saml2/sp/initSSO.php
index 5b61f07..5bc3167 100644
--- a/www/saml2/sp/initSSO.php
+++ b/www/saml2/sp/initSSO.php
@@ -24,7 +24,7 @@ $session = SimpleSAML_Session::getInstance(true);
*
*/
-Logger::info('SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script');
+SimpleSAML_Logger::info('SAML2.0 - SP.initSSO: Accessing SAML 2.0 SP initSSO script');
try {
@@ -41,7 +41,7 @@ if (!isset($session) || !$session->isValid('saml2') ) {
if ($idpentityid == null) {
- Logger::notice('SAML2.0 - SP.initSSO: No chosen or default IdP, go to SAML2disco');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.initSSO: No chosen or default IdP, go to SAML2disco');
$returnURL = urlencode(SimpleSAML_Utilities::selfURL());
$discservice = '/' . $config->getValue('baseurlpath') . 'saml2/sp/idpdisco.php?entityID=' . $spentityid .
@@ -64,7 +64,7 @@ if (!isset($session) || !$session->isValid('saml2') ) {
$relayState = $_GET['RelayState'];
}
- Logger::notice('SAML2.0 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.initSSO: SP (' . $spentityid . ') is sending AuthNRequest to IdP (' . $idpentityid . ')');
$httpredirect->sendMessage($req, $spentityid, $idpentityid, $relayState);
@@ -80,7 +80,7 @@ if (!isset($session) || !$session->isValid('saml2') ) {
if (isset($relaystate) && !empty($relaystate)) {
- Logger::notice('SAML2.0 - SP.initSSO: Already Authenticated, Go back to RelayState');
+ SimpleSAML_Logger::notice('SAML2.0 - SP.initSSO: Already Authenticated, Go back to RelayState');
SimpleSAML_Utilities::redirect($relaystate);
} else {
diff --git a/www/shib13/idp/SSOService.php b/www/shib13/idp/SSOService.php
index bc926ba..885cd90 100644
--- a/www/shib13/idp/SSOService.php
+++ b/www/shib13/idp/SSOService.php
@@ -33,7 +33,7 @@ $idpmetadata = $metadata->getMetaDataCurrent('shib13-idp-hosted');
$requestid = null;
-Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService');
+SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Accessing Shibboleth 1.3 IdP endpoint SSOService');
/*
* If the shire query parameter is set, we got an incomming Authentication Request
@@ -64,7 +64,7 @@ if (isset($_GET['shire'])) {
$session->setAuthnRequest('shib13', $requestid, $requestcache);
- Logger::info('Shib1.3 - IdP.SSOService: Got incomming Shib authnRequest requestid: '.$requestid);
+ SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming Shib authnRequest requestid: '.$requestid);
} catch(Exception $exception) {
SimpleSAML_Utilities::fatalError($session->getTrackID(), 'PROCESSAUTHNREQUEST', $exception);
@@ -88,7 +88,7 @@ if (isset($_GET['shire'])) {
$requestcache = $session->getAuthnRequest('shib13', $requestid);
- Logger::info('Shib1.3 - IdP.SSOService: Got incomming RequestID: '.$requestid);
+ SimpleSAML_Logger::info('Shib1.3 - IdP.SSOService: Got incomming RequestID: '.$requestid);
if (!$requestcache) throw new Exception('Could not retrieve cached RequestID = ' . $requestid);
@@ -136,34 +136,67 @@ if (!$session->isAuthenticated($authority) ) {
$spentityid = $requestcache['Issuer'];
$spmetadata = $metadata->getMetaData($spentityid, 'shib13-sp-remote');
+
+
/*
- * Filtering attributes.
+ * Attribute handling
*/
$afilter = new SimpleSAML_XML_AttributeFilter($config, $session->getAttributes());
-
+ if (isset($idpmetadata['attributemap'])) {
+ SimpleSAML_Logger::debug('Applying IdP specific attributemap: ' . $idpmetadata['attributemap']);
+ $afilter->namemap($idpmetadata['attributemap']);
+ }
if (isset($spmetadata['attributemap'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attributemap: ' . $spmetadata['attributemap']);
$afilter->namemap($spmetadata['attributemap']);
}
if (isset($idpmetadata['attributealter'])) {
- if (!is_array($idpmetadata['attributealter']))
+ if (!is_array($idpmetadata['attributealter'])) {
+ SimpleSAML_Logger::debug('Applying IdP specific attribute alter: ' . $idpmetadata['attributealter']);
$afilter->alter($idpmetadata['attributealter']);
- else
- foreach($idpmetadata['attributealter'] AS $alterfunc)
+ } else {
+ foreach($idpmetadata['attributealter'] AS $alterfunc) {
+ SimpleSAML_Logger::debug('Applying IdP specific attribute alter: ' . $alterfunc);
$afilter->alter($alterfunc);
+ }
+ }
}
if (isset($spmetadata['attributealter'])) {
- if (!is_array($spmetadata['attributealter']))
+ if (!is_array($spmetadata['attributealter'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute alter: ' . $spmetadata['attributealter']);
$afilter->alter($spmetadata['attributealter']);
- else
- foreach($spmetadata['attributealter'] AS $alterfunc)
+ } else {
+ foreach($spmetadata['attributealter'] AS $alterfunc) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute alter: ' . $alterfunc);
$afilter->alter($alterfunc);
+ }
+ }
}
+
+ /**
+ * Make a log entry in the statistics for this SSO login.
+ */
+ $tempattr = $afilter->getAttributes();
+ $realmattr = $config->getValue('statistics.realmattr', null);
+ $realmstr = 'NA';
+ if (!empty($realmattr)) {
+ if (array_key_exists($realmattr, $tempattr) && is_array($tempattr[$realmattr]) ) {
+ $realmstr = $tempattr[$realmattr][0];
+ } else {
+ SimpleSAML_Logger::warning('Could not get realm attribute to log [' . $realmattr. ']');
+ }
+ }
+ SimpleSAML_Logger::stats('shib13-idp-SSO ' . $spentityid . ' ' . $idpentityid . ' ' . $realmstr);
+
+ /**
+ * Filter away attributes that are not allowed for this SP.
+ */
if (isset($spmetadata['attributes'])) {
+ SimpleSAML_Logger::debug('Applying SP specific attribute filter: ' . join(',', $spmetadata['attributes']));
$afilter->filter($spmetadata['attributes']);
}
$filteredattributes = $afilter->getAttributes();
-
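Review bot: The realm value written to the statistics log at `$realmstr = $tempattr[$realmattr][0];` comes straight from the user's attribute set and is not normalised before it is concatenated into the space-delimited stats line `'shib13-idp-SSO ' . $spentityid . ' ' . $idpentityid . ' ' . $realmstr`, so a realm containing whitespace or line breaks would corrupt or forge stats entries for anyone parsing that log. The guard also checks `is_array($tempattr[$realmattr])` but not that index 0 exists, so an empty attribute array triggers an undefined-index notice and leaves `$realmstr` unset for this branch; I would tighten both in place: `if (array_key_exists($realmattr, $tempattr) && is_array($tempattr[$realmattr]) && isset($tempattr[$realmattr][0])) {` followed by `$realmstr = preg_replace('/\s+/', '_', (string) $tempattr[$realmattr][0]);`. `$spentityid` is taken from `$requestcache['Issuer']`, which appears to originate from the SP's request; if `getMetaData()` does not reject unknown entity IDs it deserves the same treatment before it reaches the stats line, though I cannot confirm that from this hunk. The enclosing `if (!$session->isAuthenticated($authority))` block starts outside the hunk.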