Commit message  [Author, Age, Files, Lines]
* Avoid concatenated error messages  (origin/errorcode-class)  [Hanne Moa, 2016-09-16, 7 files, -12/+10]
| | | | For #455
* Add a map from error codes to titles/descriptions  [Hanne Moa, 2016-09-16, 2 files, -2/+190]
|
* Move mtype array after Template-instantiation  [Hanne Moa, 2016-09-15, 1 file, -1/+2]
| | | | `noop()` is a method on the template after all.
* Make `noop()` static  [Hanne Moa, 2016-09-15, 2 files, -5/+5]
| | | | This makes instantiating the Translate/Template-class unnecessary.
* Deprecate the use of arrays for t($tag)  [Hanne Moa, 2016-09-15, 1 file, -1/+5]
| | | | For #455
* Deprecate fallbackdefault argument  [Hanne Moa, 2016-09-15, 1 file, -4/+11]
| | | | For #455
* Remove concat: translated tab-title  [Hanne Moa, 2016-09-15, 2 files, -1/+16]
| | | | | | For #455. Note that if translation tags were domain-free strings, the mapping from tab to tabtitle would be redundant. It would still be necessary to mark the strings as noop however.
* Get rid of the mtype-function  [Hanne Moa, 2016-09-15, 2 files, -35/+19]
| | | | For #454, #455
* Remove concat: translated header in metadata.php  [Hanne Moa, 2016-09-15, 5 files, -5/+9]
| | | | For #455
* Merge pull request #433 from thijskh/feature/deprecate-certFingerprint  [Jaime Pérez Crespo, 2016-09-14, 6 files, -19/+14]
|\ | | | | Deprecate the certFingerprint option.
| * Deprecate the certFingerprint option.  [Thijs Kinkhorst, 2016-08-05, 6 files, -19/+14]
| | | | | | | | | | | | Issue a notice when the option is used nonetheless. Closes: #432
* | Add noop() function for marking translations  [Hanne Moa, 2016-09-07, 2 files, -1/+26]
| |
* | bugfix: The smartattributes:SmartName authproc fails to load.  [Jaime Pérez, 2016-09-07, 1 file, -1/+1]
| | | | | | | | There was a typo in the name of the class, where the module was referenced as "smartattribute" instead of "smartattributes".
* | Update the documentation with up-to-date requirements.  [Jaime Pérez, 2016-09-06, 1 file, -3/+5]
| |
* | Add a list of PHP extensions required to the composer.json.  [Jaime Pérez, 2016-09-06, 1 file, -0/+8]
| |
* | Add the SPL extension to the list of requirements in the web interface.  [Jaime Pérez, 2016-09-06, 1 file, -0/+1]
| | | | | | | | This is needed for the autoloader to work, or code calling class_implements(), among others.
* | Remove the SimpleXML PHP extension from the requirements.  [Jaime Pérez, 2016-09-06, 1 file, -1/+0]
| |
* | Enhance the checks for required PHP extensions.  [Jaime Pérez, 2016-09-06, 1 file, -0/+4]
| | | | | | | | Added checks for Date/Time, JSON, cURL and Session.
* | Add mysteriously missing ;  [Hanne Moa, 2016-09-06, 1 file, -1/+1]
| |
* | Split logic and data for authYubiKey-module  [Hanne Moa, 2016-09-06, 2 files, -2/+4]
| | | | | | | | For: #454
* | Split logic and data for negotiate-module  [Hanne Moa, 2016-09-06, 4 files, -10/+6]
| | | | | | | | For: #454
* | Allow setting the 'Comparison' attribute in authentication contexts.  [Jaime Pérez, 2016-09-05, 3 files, -2/+40]
| | | | | | | | Even though the default "exact" is used by most people, and few products support anything else, there's people asking for this.
* | doc: Fix use of SAML2_Const in documentation.  [Jaime Pérez, 2016-09-05, 1 file, -1/+1]
| | | | | | | | Since we have updated the version of the SAML2 library in use, we should use SAML2\Constants now.
* | Deprecate the old SimpleSAML_Error_NoPassive and ↵  [Jaime Pérez, 2016-08-31, 3 files, -0/+18]
| | | | | | | | SimpleSAML_Error_ProxyCountExceeded exceptions.
* | Use the new SimpleSAML\Module\saml\Error\ProxyCountExceeded exception.  [Jaime Pérez, 2016-08-31, 1 file, -1/+4]
| |
* | Remove unused exceptions.  [Jaime Pérez, 2016-08-31, 2 files, -30/+0]
| |
* | Use the new SAML error exceptions in the saml module.  [Jaime Pérez, 2016-08-31, 3 files, -20/+23]
| | | | | | | | Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.
* | Model some SAML errors as exceptions in the SAML module.  [Jaime Pérez, 2016-08-31, 5 files, -0/+140]
| | | | | | | | This makes it easier to identify error conditions and return errors to an SP. More known errors should also be added here.
* | Keep the requested authentication context.  [Jaime Pérez, 2016-08-30, 1 file, -0/+3]
| | | | | | | | The SAML2 IdP should keep the RequestedAuthnContext in the state array, so that authentication sources (or processing filters) can use that information during authentication.
* | Merge pull request #451 from sgomez/fix-twig-extension  [Jaime Pérez Crespo, 2016-08-25, 6 files, -6/+13]
|\ \ | | | | | | Removed html extension in Twig files
| * | Removed html extension on twig files  [Sergio Gómez, 2016-08-25, 6 files, -6/+13]
|/ /
* | bugfix: Make sure we can deal with attribute values that are not strings ↵  [Jaime Pérez, 2016-08-23, 1 file, -4/+14]
| | | | | | | | | | | | (i.e. DOMNodeList). This is due to the update of the SAML2 library, that caused several other bugs, mainly with attributes like eduPersonTargetedID, which should always be a SAML NameID.
* | bugfix: Do not try to apply SSP's base URL if REQUEST_URI does not match.  [Jaime Pérez, 2016-08-22, 2 files, -11/+40]
|\ \ | | | | | | | | | It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache, leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
| * | bugfix: Do not try to apply SSP's base URL if REQUEST_URI does not match.  [Jaime Pérez, 2016-08-22, 2 files, -11/+40]
| | | | | | | | | | | | It is possible that the current script ($_SERVER['SCRIPT_FILENAME']) is inside SimpleSAMLphp's 'www' directory. However, even if that's the case, we should not enforce our base URL (as set in the 'baseurlpath' configuration option) if the request URI ($_SERVER['REQUEST_URI']) does not contain the relative path to the script. This is the case of AuthMemCookie, for example, where accessing a random URL protected by Apache, leads to the execution of a SimpleSAMLphp script, where SimpleSAML\Utils\HTTP::getSelfURL() must not try to be smart when guessing the current URL.
* | | Enhance the list of PHP extensions requirements.  [Jaime Pérez, 2016-08-22, 1 file, -4/+5]
| | |
* | | bugfix: The configuration page checks for MySQL support, instead of PDO.  [Jaime Pérez, 2016-08-22, 1 file, -1/+1]
| | | | | | | | | | | | | | | | | | We don't use the MySQL extension directly, but PDO instead. We should therefore check for the PDO extension. This resolves #448.
* | | bugfix: Remove inline style for links in the header, and change that for a ↵  [Jaime Pérez, 2016-08-22, 2 files, -2/+7]
| | | | | | | | | | | | proper CSS.
* | | Revert "Remove inline style sheet"  [Jaime Pérez, 2016-08-22, 2 files, -2/+2]
|/ / | | | | | | This reverts commit ce040885023434abb6a7362449d588f90888413e.
* | Merge pull request #429 from dnmvisser/module-enable  [Jaime Pérez Crespo, 2016-08-17, 1 file, -4/+4]
|\ \ | | | | | | Update module docs
| * | Update module docs to use module enabling/disabling through configuration ↵  [Dick Visser, 2016-08-03, 1 file, -4/+4]
| | | | | | | | | | | | file rather than touching 'enable'/'disable' files inside module directories
* | | Merge pull request #442 from dnmvisser/css-patch1  [Thijs Kinkhorst, 2016-08-17, 2 files, -2/+2]
|\ \ \ | | | | | | | | Remove inline style sheet
| * | | Remove inline style sheet  [Dick Visser, 2016-08-16, 2 files, -2/+2]
|/ / /
* | | Multiple enhancements and fixes to IDPList support in proxy mode.  [Jaime Pérez, 2016-08-15, 5 files, -9/+88]
| | | | - Bugfix: the modules/saml/www/proxy/invalid_session.php shouldn't call directly the error handler in sspmod_saml_IdP_SAML2. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
| | | | - The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
| | | | - We shouldn't ask the user to logout in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
| | | | - Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
* | | bugfix: Fix a bug in AuthMemCookie that prevented the cookie from being set.  [Jaime Pérez, 2016-08-15, 2 files, -6/+2]
| | | | | | | | | | | | This was due to incorrect use of the SimpleSAML_SessionHandler::setCookie() method to set the cookie, instead of SimpleSAML\Utils\HTTP::setCookie().
* | | Make the 'debug' configuration option more fine-grained.  [Jaime Pérez, 2016-08-10, 3 files, -20/+61]
| | | | Some things, like logging of SAML messages or backtraces, are controlled with the 'debug' configuration option. However, it might be possible that we don't want one while we want the other, but that's impossible with just one option. This commit allows us to configure debugging options independently, but grouping all of them together. This is particularly useful if we want to log backtraces to debug errors, for example, but we don't want to log SAML messages to keep the privacy of the users. This also allows us to get rid of the 'debug.validatexml' configuration option, and group it with other debug options. These changes are backwards-compatible. Old and new configurations will work at the same time.
* | | Log backtraces with the same log level as the error messages, whatever that is.  [Jaime Pérez, 2016-08-10, 1 file, -7/+17]
| | | | | | | | | | | | It's not very useful to log backtraces always as debug, since that implies getting all the log messages, while backtraces would still help debug a particular error.
* | | Typos.  [Jaime Pérez, 2016-08-10, 1 file, -2/+2]
| | |
* | | bugfix: Make the SAML2 IdP resilient to failures when getting DOMNodeList ↵  [Jaime Pérez, 2016-08-10, 1 file, -2/+7]
| | | | | | | | | | | | | | | | | | attribute values. Due to recent changes in the SAML2 library, when an attribute has a value that contains XML, its contents are returned as a DOMNodeList instead of a string. This causes problems when running as a proxy, since the SAML2 IdP will obtain attributes in a format that cannot be cast to string. Regardless of the attribute encoding configured in the IdP for a remote SP, we should handle those cases gracefully, so that the IdP doesn't end up in an uncaught exception.
* | | bugfix: Make sure we log the user out before reauthenticating.  [Jaime Pérez, 2016-08-08, 5 files, -12/+214]
| | | | | | | | | | | | | | | | | | When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to logout before authenticating again, avoiding an inconsistent session with SPs associated to different IdPs. This resolves #84.
* | | Minor fixes in the SAML SP test class.  [Jaime Pérez, 2016-08-08, 1 file, -7/+11]
| | | | | | | | | | | | Basically, phpdoc formatting and fixing some classes not using namespaces.
* | | Change the new test for the SAML SP class to use namespaces.  [Jaime Pérez, 2016-08-06, 1 file, -24/+25]
| |/ |/| | | | | For some reason, these changes were not applied in the previous commit. Make sure we use the current interface of the SAML2 library instead of abusing the autoloader.
* | Fix test for sspmod_saml_Auth_Source_SP.  [Jaime Pérez, 2016-08-05, 2 files, -200/+261]
| | | | | | | | Reformat to comply with our coding guidelines. Migrate all the code to use the newest version of the SAML2 library, using namespaces. Fix some bugs. Move it where it belongs under modules/saml instead of modules/core.
* | Create a common dictionary of general words and expressions that can be used ↵  [Jaime Pérez, 2016-08-05, 2 files, -0/+238]
| | | | | | | | all over the place.
* | Merge pull request #417 from pmeulen/feature/authnreq-subject-nameid-tests  [Jaime Pérez Crespo, 2016-08-05, 3 files, -0/+214]
|\ \ | | | | | | Test for https://github.com/simplesamlphp/simplesamlphp/pull/400
| * | PHP 5.3 fixes  [Pieter van der Meulen, 2016-07-13, 1 file, -7/+14]
| | |
| * | Add testcase for passing "state" options to sspmod_saml_Auth_Source_SP  [Pieter van der Meulen, 2016-07-13, 1 file, -0/+193]
| | |
| * | Allow the optional Subject NameID to be set in a SAML AuthnRequest through ↵  [Pieter van der Meulen, 2016-07-13, 2 files, -0/+14]
| | | | | | | | | | | | "saml:NameID"
* | | Merge pull request #430 from ghalse/add-afrikaans-lang  [Jaime Pérez Crespo, 2016-08-05, 2 files, -1/+2]
|\ \ \ | |_|/ |/| | Add the existing Afrikaans translation into the list of supported languages
| * | Add the existing Afrikaans translation into the list of supported languages ↵  [Guy Halse, 2016-08-05, 2 files, -1/+2]
|/ / | | | | | | so that South African users don't need to go editing code.
* | Remove link to the sandbox from configuration tab.  [Jaime Pérez, 2016-08-02, 1 file, -8/+0]
| | | | | | | | If we want to access the sandbox, we can do that from admin/ or type the URL directly.
* | tests: Add tests for the new saml:FilterScopes authproc filter.  [Jaime Pérez, 2016-07-29, 1 file, -0/+137]
| |
* | bugfix: Do not remove attribute values that are not scoped.  [Jaime Pérez, 2016-07-29, 1 file, -0/+1]
| | | | | | | | The saml:FilterScopes filter was removing values that did not contain a scope. It shouldn't.
* | authproc: Add new filter to remove invalid scopes.  [Jaime Pérez, 2016-07-29, 3 files, -0/+169]
| | | | | | | | | | | | The new saml:FilterScopes allows a SAML Service Provider to remove the values from a scoped attribute whose scope is not declared in the IdP metadata and/or does not match with the domain in use by the IdP itself. This closes #22.
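The scope check described in the two commits above (drop scoped values whose scope is neither declared in the IdP metadata nor equal to the IdP's own domain, but leave unscoped values alone), written out as an added illustration. This is not SimpleSAMLphp's own saml:FilterScopes code: the function name, the shape of the metadata array (`entityid` plus a `scope` list, exact string matching only, no regex scopes) and the sample attributes are assumptions made for the example.

```php
<?php
// Added example, not the project's filter. Assumes the IdP metadata carries its
// declared scopes under 'scope' and that the entityID is a URL whose host can
// stand in for the IdP's domain (assumption, not taken from the page).
function filterScopedValues(array $attributes, array $idpMetadata, array $scopedAttributes)
{
    $declared = isset($idpMetadata['scope']) ? $idpMetadata['scope'] : array();
    // Host part of the entityID, or null when the entityID is not a URL (assumption).
    $idpHost = isset($idpMetadata['entityid']) ? parse_url($idpMetadata['entityid'], PHP_URL_HOST) : null;

    foreach ($scopedAttributes as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $kept = array();
        foreach ($attributes[$name] as $value) {
            $at = strrpos($value, '@');
            if ($at === false) {
                // Unscoped value: keep it, this is the bugfix noted in the commit above.
                $kept[] = $value;
                continue;
            }
            $scope = substr($value, $at + 1);
            $declaredMatch = in_array($scope, $declared, true);
            $hostMatch = ($idpHost !== null && strcasecmp($scope, $idpHost) === 0);
            if ($declaredMatch || $hostMatch) {
                $kept[] = $value;
            }
            // Otherwise the IdP is asserting a scope it does not own: drop the value.
        }
        if (empty($kept)) {
            unset($attributes[$name]);
        } else {
            $attributes[$name] = array_values($kept);
        }
    }
    return $attributes;
}

// Constructed sample input: an IdP for example.org trying to assert a value in
// another institution's scope.
$idpMetadata = array(
    'entityid' => 'https://idp.example.org/saml2/idp/metadata.php',
    'scope'    => array('example.org', 'students.example.org'),
);
$attributes = array(
    'eduPersonPrincipalName'    => array('alice@example.org'),
    'eduPersonScopedAffiliation' => array(
        'member@example.org',
        'staff@students.example.org',
        'faculty@victim.example.net', // not declared: must be removed
        'affiliate',                  // unscoped: must survive
    ),
    'displayName' => array('Alice'), // not a scoped attribute: untouched
);

$result = filterScopedValues(
    $attributes,
    $idpMetadata,
    array('eduPersonPrincipalName', 'eduPersonScopedAffiliation')
);
print_r($result['eduPersonScopedAffiliation']);
// Expected: member@example.org, staff@students.example.org, affiliate
```

The security point is the third sample value: without this filter a proxy or IdP could mint `faculty@victim.example.net` and an SP that grants access by scope would accept it. Matching the scope against the entityID host is only a convenience fallback; the authoritative list is the one declared in metadata, so in a real deployment prefer configuring declared scopes explicitly.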
* | Merge pull request #385 from grnet/bug/authfacebook-user-fields  [Jaime Pérez Crespo, 2016-07-29, 2 files, -3/+23]
|\ \ | | | | | | Fix issue with Facebook authentication retrieving only user id and name
| * | Fix issue with Facebook authentication retrieving only user id and name  [Nicolas Liampotis, 2016-05-08, 2 files, -3/+23]
| | |
* | | Update changelog with last releases.  [Jaime Pérez, 2016-07-29, 1 file, -0/+25]
| | |
* | | Update the upgrade notes.  [Jaime Pérez, 2016-07-29, 1 file, -1/+10]
| | | | | | | | | | | | Mention the change in the way NameIDs are processed inside an eduPersonTargetedID, and offer an example on how to process the value.
* | | Use AttributeValue serializable objects instead of dumping manually the XML ↵  [Jaime Pérez, 2016-07-28, 1 file, -16/+6]
| | | | | | | | | | | | | | | | | | contents. This way, we avoid completely any possible XXE attack, and simplify the code as we don't need to deal directly with the DOM. The entire AttributeValue will be saved to the backend as XML, and then recovered back when unserializing.
* | | Remove debugging leftovers.  [Jaime Pérez, 2016-07-28, 1 file, -4/+0]
| | |
* | | bugfix: Allow attributes to contain raw XML as their values.  [Jaime Pérez, 2016-07-28, 2 files, -1/+118]
| | | | A recent change in simplesamlphp/saml2#60 made the library return a DOMNodeList object when the contents of the AttributeValue element are not text. This led to a bug, since the returned value is not serializable, and when storing it in the session it will go away as soon as we serialize the session to store it in the backend (whatever that is). This is always, as the SP will always redirect to the URL originating authentication. The result was an empty DOMNodeList object where there should be some value. This commit makes SimpleSAML_Session implement the Serializable interface. When obtaining the attributes during login (doLogin() method), the code will now look for DOMNodeList objects, and dump them as a string with the XML representation of their contents in the 'RawAttributes' array inside $this->authData[$authority]. This allows us to parse the XML back when unserializing, and restore the original DOMNodeList object as the value of the attribute. The issue was reported originally in the mailing list by Enrico Cavalli, affecting eduPersonTargetedID. This resolves #424.
* | | Update the SAML2 library.  [Jaime Pérez, 2016-07-26, 2 files, -10/+19]
| | | | | | | | | | | | Now that the SAML2 library has been updated to use the new SimpleSAML\Logger, we can update the dependency here. Since both libraries are interdependent, we are pointing to a specific commit in master, aliasing it to 2.2. That way we can keep business as usual for any other package which may depend on 2.2, while getting the changes into SimpleSAMLphp.
* | | Stop using SimpleSAML_Configuration::getBaseURL().  [Jaime Pérez, 2016-07-26, 3 files, -3/+3]
| | | | | | | | | | | | Use the recently added SimpleSAML_Configuration::getBasePath() instead. It guarantees the path prepended with a slash, so no need to do that every time when calling the method. As a side effect, we get rid of buggy invocations (calling getBaseUrl() instead of getBaseURL()), and also of old-style convention for the 'baseurlpath' configuration option, allowing a star at the beginning.
* | | Get rid of the last remaining calls to SimpleSAML_Logger.  [Jaime Pérez, 2016-07-26, 1 file, -2/+2]
| | |
* | | Bump the version of the SAML2 library.  [Jaime Pérez, 2016-07-26, 39 files, -345/+359]
| | | | Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for the most part). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
* | | Prepare to bump the version of XMLSecLibs that we are using.  [Jaime Pérez, 2016-07-26, 1 file, -0/+8]
| | | | | | | | | | | | The 2.x branch of XMLSecLibs uses namespaces, so we need to make sure we can still load the XMLSec* classes after updating the dependency. We can do that in the autoloader, looking for the classes with namespaces, and creating class aliases.
* | | bugfix: Critical configuration errors should not enforce a baseurlpath.  [Jaime Pérez, 2016-07-25, 1 file, -1/+0]
| | | | | | | | | | | | | | | | | | The code was enforcing this option even if a configuration was passed as a parameter to the constructor. If there is something wrong with a configuration and we are passing it to the constructor, we should know if at least the 'baseurlpath' is correct, and if not, fix it somehow. This bug was producing a default configuration without 'baseurlpath', when no configuration was passed. In that situation, only the default path (/simplesaml) was working correctly.
* | | docs: Add documentation for ldap.port configuration option in authproc filters.  [Jaime Pérez, 2016-07-25, 1 file, -0/+11]
| | | | | | | | | | | | This is related to PR #313. The option was in use but not documented.
* | | Merge pull request #313 from justinsg/patch-1  [Jaime Pérez Crespo, 2016-07-25, 1 file, -0/+1]
|\ \ \ | | | | | | | | Added port to the LDAP base filter configuration
| * | | Added port to the LDAP base filter configuration  [Justin Standring, 2016-01-19, 1 file, -0/+1]
| | | |
* | | | test: Fix build.  [Jaime Pérez, 2016-07-22, 1 file, -0/+10]
| | | | | | | | | | | | | | | | PHP 5.3 and HHVM do not include the built-in server (or in the case of HHVM, not with the same syntax).
* | | | test: Add a simple test for www/index.php  [Jaime Pérez, 2016-07-22, 1 file, -0/+117]
| | | | | | | | | | | | | | | | This test works as a demonstration on how to test our web interface endpoints.
* | | | Fix typo and indentation.  [Jaime Pérez, 2016-07-22, 1 file, -2/+2]
| | | |
* | | | test: Add a router script for the built-in server to initialize SSP's ↵  [Jaime Pérez, 2016-07-22, 1 file, -0/+41]
| | | | | | | | | | | | | | | | | | | | | | | | configuration. With this script, which will be executed for every request performed to the built-in server, we can preload the configuration from a temporary file, making it possible to configure SimpleSAMLphp dynamically when testing.
* | | | test: Add a class to handle PHP's built-in server.  [Jaime Pérez, 2016-07-22, 1 file, -0/+201]
| | | | | | | | | | | | | | | | With this class we can run PHP's built-in server specifying the document root (defaulting to the www directory) and a "router" file, which the server will execute for every request received. This is useful to allow testing of the web interfaces as part of our unit testing setup.
* | | | Merge pull request #421 from sgomez/fix-use-exception  [Jaime Pérez Crespo, 2016-07-20, 1 file, -2/+1]
|\ \ \ \ | | | | | | | | | | Removed unnecessary exception
| * | | | Removed unnecessary exception  [Sergio Gomez, 2016-07-20, 1 file, -2/+1]
|/ / / /
* | | | Do not enforce reading the configuration from files.  [Jaime Pérez, 2016-07-19, 1 file, -2/+3]
| | | | | | | | | | | | | | | | The www/_include.php script, included by all scripts in www/, checks unconditionally for the existence of the config.php file. However, this prevents us from testing the scripts automatically. Instead of checking for the file, we just try to load the configuration, and live with it if it works. That way we can pre-load the configuration using SimpleSAML_Configuration::loadFromArray(), as we are doing in some tests.
* | | | Version checking: do not poll github when running master, and store result ↵  [Thijs Kinkhorst, 2016-07-15, 1 file, -19/+26]
| | | | | | | | | | | | | | | | in session.
* | | | bugfix: Restore the capability to get our self URL when invoked from a ↵  [Jaime Pérez, 2016-07-15, 2 files, -26/+106]
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | third-party script. Recent fixes for URL guessing and building addressed bugs in the code that were preventing the 'baseurlpath' from being used properly. However, they introduced a new issue, as the code was assuming the current URL would always point to a SimpleSAMLphp script. This is not always true, of course, as any script can invoke our API and end up trying to get its own URL (for example, when calling requireAuth()). In order to fix this, we monitor mismatches between SimpleSAMLphp's installation path and the absolute, real path to the current script. When there's a mismatch, it means we are running a third-party script outside SimpleSAMLphp, and therefore we should NOT enforce 'baseurlpath'. This introduces an additional issue, as applications behind a reverse proxy may cause trouble to guess the right URL (we will use the URL as seen by SimpleSAMLphp in the server, which is not necessarily the same as the user sees with a reverse proxy in between). For the moment, we'll leave the responsibility to sort that issue out to implementors. It might be a good idea to add a page to the wiki explaining how to do this. This resolves #418.
* | | | NL translation of warnings_outdated  [Thijs Kinkhorst, 2016-07-15, 1 file, -1/+2]
| | | |
* | | | Make the "check for updates" new feature configurable.  [Jaime Pérez, 2016-07-14, 2 files, -22/+31]
| | | | | | | | | | | | | | | | Add a configuration option named 'admin.checkforupdates' to enable or disable this feature.
* | | | bugfix: Set a low timeout for connections to github.  [Jaime Pérez, 2016-07-14, 1 file, -3/+1]
| | | | | | | | | | | | | | | | We shouldn't wait for long when connecting to github's API to check for the latest release. Set a timeout of a couple of seconds. Also, remove commented debugging code.
* | | | feature: Check if we are running the latest version.  [Jaime Pérez, 2016-07-14, 4 files, -2/+33]
| | | | Now that we have all our releases in github, we can use its API to see if the latest stable release there is newer than the version we are running. In that case, we show a warning in the configuration tab.
* | | | typo: s/reccomended/recommended/g  [Jaime Pérez, 2016-07-14, 3 files, -4/+4]
| |_|/ |/| |
* | | Merge branch 'master' of github.com:simplesamlphp/simplesamlphp  [Hanne Moa, 2016-07-13, 4 files, -14/+14]
|\ \ \ | | | | | | | | | | | | YA Merge
| * | | Fix some more references to SimpleSAML_Module and SimpleSAML_Logger.  [Jaime Pérez, 2016-07-13, 5 files, -19/+19]
| | | | | | | | | | | | | | | | Both have been migrated to use namespaces.
* | | | Merge branch 'twigification'  [Hanne Moa, 2016-07-13, 26 files, -79/+587]
|\ \ \ \ | |/ / / |/| | | | | | | | | | | This allows for using twig templates, but does not include code for localizing twig templates.
| * | | Allow running without template cache set  [Hanne Moa, 2016-07-13, 1 file, -3/+7]
| | | |
| * | | Document template config switch  [Hanne Moa, 2016-03-01, 1 file, -0/+4]
| | | |
| * | | Move method next to its deprecated kin  [Hanne Moa, 2016-03-01, 1 file, -11/+11]
| | | |