path: root/modules/saml/lib/Auth
Commit message | Author | Date | Files | Lines
* Allow setting the 'Comparison' attribute in authentication contexts. | Jaime Pérez | 2016-09-05 | 1 file | -1/+10
    Even though the default "exact" is used by most people, and few products support anything else, there are people asking for this.
* Use the new SimpleSAML\Module\saml\Error\ProxyCountExceeded exception. | Jaime Pérez | 2016-08-31 | 1 file | -1/+4
* Use the new SAML error exceptions in the saml module. | Jaime Pérez | 2016-08-31 | 1 file | -4/+16
    Instead of keeping SAML-specific error exceptions in lib/SimpleSAML/Error, it makes more sense to have those in the saml module. Now that we have the recent NoAvailableIDP and NoSupportedIDP errors moved there, it's time to change the code implemented recently that uses them.
* Multiple enhancements and fixes to IDPList support in proxy mode. | Jaime Pérez | 2016-08-15 | 1 file | -5/+41
    - Bugfix: modules/saml/www/proxy/invalid_session.php shouldn't call the error handler in sspmod_saml_IdP_SAML2 directly. Instead, it should use the SimpleSAML_Auth_State::throwException() method to let it handle the exception appropriately (in this case, it should always return back to the requester).
    - The standard specifies that a "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP" or "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP" second-level status code should be returned to the requester in case an error occurs. Add a couple of exceptions to represent both statuses, and use them to set the right status code in the response.
    - We shouldn't ask the user to log out in case the IDPList does not offer an IdP we recognize, or in case the proxy enforces the use of an IdP ('idp' configuration option in the auth source) and such IdP is in the IDPList.
    - Similarly, these two cases should also be handled in case we are authenticating for the first time, not only when reauthenticating.
* bugfix: Make sure we log the user out before reauthenticating. | Jaime Pérez | 2016-08-08 | 1 file | -12/+97
    When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to log out before authenticating again, avoiding an inconsistent session with SPs associated to different IdPs. This resolves #84.
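The proxy-mode rules spelled out in the two entries above (do not reuse a session from an IdP outside the requester's IDPList, answer with NoSupportedIDP instead of bouncing the user when nothing in the list is usable, honour an enforced 'idp' that is in the list, and only then fall back to logout-then-reauthenticate) reduce to one decision function. The PHP below is an added example written for this page, not the saml module's own code. The shape of its inputs (the entityIDs in the proxy's remote metadata, the optional enforced IdP, the IdP behind the current session) and the ProxyCount handling that pairs with the ProxyCountExceeded entry further up are assumptions made here.

```php
<?php
// Added example, not SimpleSAMLphp code. Models the decision an SP-proxy makes
// when an AuthnRequest carries <samlp:Scoping> with an <samlp:IDPList>.
// Assumed inputs: $knownIdps (entityIDs in the proxy's remote metadata),
// $enforcedIdp (the auth source's 'idp' option, or null), $sessionIdp (the IdP
// that authenticated the current session, or null), the request's IDPList and
// its ProxyCount (null when the attribute is absent).

const STATUS_NO_SUPPORTED_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP';
const STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded';

/**
 * Returns ['action' => ...] where action is 'sso' (reuse the session),
 * 'authenticate' (no usable session), 'logout-then-authenticate' (valid session,
 * but from an IdP the requester does not accept) or 'error' with the
 * second-level status code to send back to the requester.
 */
function decideProxyAction(
    array $idpList,
    ?int $proxyCount,
    array $knownIdps,
    ?string $enforcedIdp,
    ?string $sessionIdp
): array {
    // A ProxyCount of 0 means the requester forbids any further proxying.
    if ($proxyCount !== null && $proxyCount <= 0) {
        return ['action' => 'error', 'status' => STATUS_PROXY_COUNT_EXCEEDED];
    }

    // The IdPs this proxy is willing to use: the enforced one, else all known.
    $candidates = $enforcedIdp !== null ? [$enforcedIdp] : $knownIdps;

    // An empty IDPList imposes no restriction: any existing session is fine.
    if ($idpList === []) {
        return $sessionIdp === null
            ? ['action' => 'authenticate', 'candidates' => $candidates]
            : ['action' => 'sso', 'candidates' => [$sessionIdp]];
    }

    // Intersect what the requester accepts with what we can offer.
    $usable = array_values(array_intersect($idpList, $candidates));
    if ($usable === []) {
        // Nothing we can do: report it rather than asking the user to log out.
        return ['action' => 'error', 'status' => STATUS_NO_SUPPORTED_IDP];
    }

    if ($sessionIdp === null) {
        return ['action' => 'authenticate', 'candidates' => $usable];
    }
    if (in_array($sessionIdp, $usable, true)) {
        return ['action' => 'sso', 'candidates' => [$sessionIdp]];
    }

    // Valid session, but from an IdP outside the list. SSO would hand the
    // requester an identity from an IdP it did not ask for, and silently
    // re-authenticating would leave one session bound to two different IdPs.
    return ['action' => 'logout-then-authenticate', 'candidates' => $usable];
}

// Constructed scenarios (not real deployments).
$known = ['https://idp-a.example.org', 'https://idp-b.example.org'];
$cases = [
    'session idp listed'      => [['https://idp-a.example.org'], 1, $known, null, 'https://idp-a.example.org'],
    'session idp not listed'  => [['https://idp-b.example.org'], 1, $known, null, 'https://idp-a.example.org'],
    'no listed idp known'     => [['https://idp-z.example.net'], 1, $known, null, 'https://idp-a.example.org'],
    'enforced idp in list'    => [$known, 1, $known, 'https://idp-b.example.org', 'https://idp-b.example.org'],
    'proxying forbidden'      => [['https://idp-a.example.org'], 0, $known, null, null],
];
foreach ($cases as $label => $args) {
    echo $label, ': ', json_encode(decideProxyAction(...$args)), PHP_EOL;
}
```

The function returns the status URI rather than throwing so the caller can map it onto whatever exception type it uses; in the module that is the job of the error classes named in the entries above.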
* Merge pull request #417 from pmeulen/feature/authnreq-subject-nameid-tests | Jaime Pérez Crespo | 2016-08-05 | 1 file | -0/+7
    Test for https://github.com/simplesamlphp/simplesamlphp/pull/400
* Allow the optional Subject NameID to be set in a SAML AuthnRequest through "saml:NameID" | Pieter van der Meulen | 2016-07-13 | 1 file | -0/+7
* bugfix: Do not remove attribute values that are not scoped. | Jaime Pérez | 2016-07-29 | 1 file | -0/+1
    The saml:FilterScopes filter was removing values that did not contain a scope. It shouldn't.
* authproc: Add new filter to remove invalid scopes. | Jaime Pérez | 2016-07-29 | 1 file | -0/+97
    The new saml:FilterScopes allows a SAML Service Provider to remove the values from a scoped attribute whose scope is not declared in the IdP metadata and/or does not match the domain in use by the IdP itself. This closes #22.
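What saml:FilterScopes guards against is an IdP asserting identities in a scope it does not own: alice@example.org from the example.org IdP is fine, admin@example.edu from the same IdP is not. The bugfix entry above adds the other half of the rule: values with no scope at all must pass through untouched. The PHP below is an added example, not the module's implementation. Which attributes are treated as scoped, the metadata key 'scope', and deriving the IdP's own domain from the host part of its entityID are assumptions made for this example.

```php
<?php
// Added example; not SimpleSAMLphp's saml:FilterScopes code. Drops values of
// scoped attributes whose scope the IdP may not assert and keeps unscoped values.
// Assumptions: the set of scoped attributes below, the 'scope' metadata key, and
// treating the host of the IdP's entityID as a scope the IdP owns.

const SCOPED_ATTRIBUTES = ['eduPersonPrincipalName', 'eduPersonScopedAffiliation'];

/**
 * Scopes this IdP is allowed to assert: those declared in its metadata plus
 * the host of its entityID, all lower-cased for case-insensitive comparison.
 */
function allowedScopes(array $idpMetadata): array
{
    $scopes = array_map('strtolower', $idpMetadata['scope'] ?? []);
    $host = parse_url($idpMetadata['entityid'] ?? '', PHP_URL_HOST);
    if (is_string($host) && $host !== '') {
        $scopes[] = strtolower($host);
    }
    return array_values(array_unique($scopes));
}

/**
 * Remove scoped values the IdP is not entitled to. A value without '@' is not
 * scoped and is kept as it is. Rejected values are appended to $rejected so the
 * caller can log them; an attribute left with no values is dropped entirely.
 */
function filterScopes(array $attributes, array $idpMetadata, array &$rejected): array
{
    $allowed = allowedScopes($idpMetadata);
    foreach (SCOPED_ATTRIBUTES as $name) {
        if (!isset($attributes[$name])) {
            continue;
        }
        $kept = [];
        foreach ($attributes[$name] as $value) {
            $at = strrpos($value, '@');
            if ($at === false) {
                $kept[] = $value;               // unscoped: leave alone
                continue;
            }
            $scope = strtolower(substr($value, $at + 1));
            if (in_array($scope, $allowed, true)) {
                $kept[] = $value;
            } else {
                $rejected[] = $name . '=' . $value;
            }
        }
        if ($kept === []) {
            unset($attributes[$name]);
        } else {
            $attributes[$name] = $kept;
        }
    }
    return $attributes;
}

// Constructed sample: an example.org IdP that also tries to assert example.edu identities.
$idpMetadata = [
    'entityid' => 'https://idp.example.org/saml2/idp/metadata.php',
    'scope'    => ['example.org', 'students.example.org'],
];
$attributes = [
    'eduPersonPrincipalName'     => ['alice@example.org', 'admin@example.edu'],
    'eduPersonScopedAffiliation' => ['student@students.example.org', 'staff@EXAMPLE.EDU'],
    'displayName'                => ['Alice'],
];
$rejected = [];
$clean = filterScopes($attributes, $idpMetadata, $rejected);
print_r($clean);
print_r($rejected);
```

Run as an authproc filter on the SP side this belongs after attribute mapping and before any authorization decision that keys on the scope, otherwise the check comes too late to matter.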
* Bump the version of the SAML2 library. | Jaime Pérez | 2016-07-26 | 6 files | -20/+20
    Now we are finally using the 2.x branch of the SAML2 library, which was also migrated to use namespaces. Even though the library provides an autoloader that allows loading the classes with the old names using class aliasing, we need to do the migration in one commit (at least for the most part of it). This is due to the way SimpleSAMLphp checks data types, using inheritance to check objects against abstract or more general classes. Even though class aliasing works, there's no way to replicate those relationships, and type checks that use the old class names will fail because the aliases are virtually new classes that don't inherit from others.
* Update the modules too. | Jaime Perez Crespo | 2016-03-09 | 6 files | -30/+30
* Clean one-liner comments. | Jaime Perez Crespo | 2015-11-06 | 1 file | -2/+2
* XML data is loaded using the SAML2_DOMDocumentFactory class | Sergio Gómez | 2015-10-11 | 1 file | -1/+1
* Duplicate the $state['SimpleSAML_Auth_Default.*'] entries to $state['SimpleSAML_Auth_Source.*'] where needed, while we are transitioning to 2.0. | Jaime Perez Crespo | 2015-08-31 | 1 file | -2/+2
    Leave those that will be removed in SimpleSAML_Auth_Default. Move the rest of the code to the new entries in the state array.
* Reformat sspmod_saml_Auth_Process_TransientNameID and fix some phpdoc comments. | Jaime Perez Crespo | 2015-08-30 | 1 file | -24/+27
* Reformat sspmod_saml_Auth_Process_NameIDAttribute. | Jaime Perez Crespo | 2015-08-30 | 1 file | -131/+137
* Reformat sspmod_saml_Auth_Process_ExpectedAuthnContextClassRef. | Jaime Perez Crespo | 2015-08-30 | 1 file | -59/+78
* Reformat sspmod_saml_Auth_Process_AuthnContextClassRef. | Jaime Perez Crespo | 2015-08-30 | 1 file | -40/+45
* Reformat sspmod_saml_Auth_Process_AttributeNameID. | Jaime Perez Crespo | 2015-08-30 | 1 file | -52/+65
* Reformat sspmod_saml_Auth_Process_PersistentNameID2TargetedID. | Jaime Perez Crespo | 2015-08-30 | 1 file | -59/+64
* Reformat sspmod_saml_Auth_Process_PersistentNameID and fix some phpdoc comments. | Jaime Perez Crespo | 2015-08-30 | 1 file | -59/+71
* Reformat sspmod_saml_Auth_Process_SQLPersistentNameID. | Jaime Perez Crespo | 2015-08-30 | 1 file | -130/+159
* Merge pull request #242 from ghalse/master | Jaime Pérez Crespo | 2015-08-30 | 1 file | -2/+47
    Make SQLPersistentNameID more flexible
* Provide config options to allow SQLPersistentNameID to be less conservative about creating entries in the SQL datastore, whilst preserving default behaviour | Guy Antony Halse | 2015-08-17 | 1 file | -2/+47
* Refactor SimpleSAML_Auth_State::extractPersistentAuthState() to getPersistentAuthData() to avoid confusion around the behaviour of this method. | Jaime Perez Crespo | 2015-08-25 | 1 file | -2/+2
* The state array should not be modified after extracting (getting) the persistent authentication data. | Jaime Perez Crespo | 2015-08-25 | 1 file | -2/+1
    This resolves #247.
* Move SimpleSAML_Auth_Default::handleUnsolicitedAuth() to sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth() and deprecate the former. | Jaime Perez Crespo | 2015-08-12 | 1 file | -1/+24
* Move SimpleSAML_Auth_Default::extractPersistentAuthState() to SimpleSAML_Auth_State::extractPersistentAuthState() and deprecate the former. | Jaime Perez Crespo | 2015-08-12 | 1 file | -1/+3
* Move SimpleSAML_Utilities::redirectTrustedURL() to SimpleSAML\Utils\HTTP::redirectTrustedURL() and deprecate the former. | Jaime Perez Crespo | 2015-04-22 | 2 files | -3/+3
* Move SimpleSAML_Utils_Arrays to SimpleSAML\Utils\Arrays. | Jaime Perez Crespo | 2015-04-20 | 1 file | -1/+1
* Move SimpleSAML_Utils_Config to SimpleSAML\Utils\Config. | Jaime Perez Crespo | 2015-04-20 | 1 file | -1/+1
* Move SimpleSAML_Utils_Random to SimpleSAML\Utils\Random. | Jaime Perez Crespo | 2015-04-20 | 1 file | -1/+1
* Move SimpleSAML_Utilities::getSecretSalt() to SimpleSAML_Utils_Config::getSecretSalt(). Deprecate the former and stop using it. | Jaime Perez Crespo | 2015-04-16 | 1 file | -1/+1
* Move SimpleSAML_Utilities::generateID() to SimpleSAML_Utils_Random::generateID(). Deprecate the former and schedule it for removal in 2.0. | Jaime Perez Crespo | 2015-04-16 | 1 file | -1/+1
* Schedule SimpleSAML_Utilities::stringToHex() for removal. Deprecate and stop using it. | Jaime Perez Crespo | 2015-04-16 | 1 file | -1/+1
* Schedule SimpleSAML_Utilities::generateRandomBytes() for removal. Deprecate and stop using it. | Jaime Perez Crespo | 2015-04-16 | 1 file | -1/+1
* Refactor SimpleSAML_Utilities::arrayize() to SimpleSAML_Utils_Arrays::arrayize(). Schedule SimpleSAML_Utilities::arrayize() for removal. | Jaime Perez Crespo | 2015-04-15 | 1 file | -1/+1
* Drop obsolete SVN $Id$ keywords. | Thijs Kinkhorst | 2014-07-09 | 8 files | -8/+0
* Rename SimpleSAML_Session::getInstance() to SimpleSAML_Session::getSessionFromRequest(), and leave the former as deprecated. | Jaime Perez | 2014-07-08 | 1 file | -2/+2
* Fix #82 and #83. Make the checks for an IDPList happen only when we are the IdP authenticating the user, not an intermediate proxy. | Jaime Perez | 2014-06-27 | 1 file | -0/+55
* Start using the redirectTrustedURL() and redirectUntrustedURL() wrappers. | Jaime Pérez Crespo | 2014-01-17 | 2 files | -3/+3
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3326 44740490-163a-0410-bde0-09ae8108e29a
* add isPassive to discovery request if about to send a passive request. | Andreas Åkre Solberg | 2014-01-09 | 1 file | -12/+16
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3319 44740490-163a-0410-bde0-09ae8108e29a
* Split binding prioritizing out of getDefaultEndpoint to a new getEndpointPrioritizedByBinding function. | Jaime Pérez Crespo | 2013-11-26 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3303 44740490-163a-0410-bde0-09ae8108e29a
* Full support for HTTP-POST binding in WebSSO profile. | Jaime Pérez Crespo | 2013-07-17 | 1 file | -3/+21
    Two new directives in hosted metadata (SingleSignOnServiceBinding and SingleLogoutServiceBinding) to control the bindings published as supported in the metadata. Bugfix in the logout handler (SOAP binding should be reused when responding to a request).
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3257 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix saml:sp:IdP for SAML 1.1 | Olav Morken | 2013-05-22 | 1 file | -0/+4
    The saml:sp:IdP authentication data was only saved for SAML 2.0 authentication. This patch moves this variable into common code, so that it is shared between SAML 2.0 and SAML 1.1. Thanks to Tim Jobling for reporting this bug!
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3240 44740490-163a-0410-bde0-09ae8108e29a
* saml:PersistentNameID2TargetedID: New filter for storing persistent NameID in eduPersonTargetedID attribute. | Olav Morken | 2013-01-11 | 1 file | -0/+79
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3221 44740490-163a-0410-bde0-09ae8108e29a
* The issuer of an AuthnResponse is now validated to check if we get the response from the same entity ID we sent the request to. | Jaime Pérez Crespo | 2012-10-15 | 1 file | -0/+3
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3189 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add support for overriding SAML 2.0 SP authentication request generation. | Olav Morken | 2012-06-22 | 1 file | -1/+16
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3124 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add new filter "ExpectedAuthnContextClassRef". | Olav Morken | 2012-02-13 | 1 file | -0/+85
    This filter verifies the authentication context received from the IdP against a list of allowed values. Thanks to Gyula Szabó for creating this filter!
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3031 44740490-163a-0410-bde0-09ae8108e29a
* Fix misspelling "unsoliced" => "unsolicited". | Olav Morken | 2011-12-23 | 1 file | -2/+2
    Thanks to Thijs Kinkhorst for fixing this!
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3005 44740490-163a-0410-bde0-09ae8108e29a
* saml/SP: support for samlp:Extensions. | Andjelko Horvat | 2011-07-05 | 1 file | -0/+4
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2868 44740490-163a-0410-bde0-09ae8108e29a
* saml:AuthnContextClassRef: Add missing code. | Olav Morken | 2011-05-10 | 1 file | -1/+14
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2834 44740490-163a-0410-bde0-09ae8108e29a
* saml:AuthnContextClassRef: Fix incorrect class name. | Olav Morken | 2011-05-10 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2833 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add AuthnContextClassRef filter. | Olav Morken | 2011-05-10 | 1 file | -0/+35
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2832 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix warning about unset element when doing SAML 1.1 authentication. | Olav Morken | 2011-04-12 | 1 file | -2/+7
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2811 44740490-163a-0410-bde0-09ae8108e29a
* do not override discourl in authsources config... | Andreas Åkre Solberg | 2011-03-31 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2784 44740490-163a-0410-bde0-09ae8108e29a
* Adding discojuice developer module :: for testing with some selected test partners. | Andreas Åkre Solberg | 2011-03-31 | 1 file | -0/+4
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2783 44740490-163a-0410-bde0-09ae8108e29a
* saml:SQLPersistentNameID: New filter for storing persistent NameIDs in SQL datastore. | Olav Morken | 2011-03-15 | 1 file | -0/+92
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2781 44740490-163a-0410-bde0-09ae8108e29a
* saml:PersistentNameID: Return NULL when we have more than one uid-attribute. | Olav Morken | 2011-03-15 | 1 file | -0/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2779 44740490-163a-0410-bde0-09ae8108e29a
* saml: Handle empty RelayState the same as missing RelayState. | Olav Morken | 2011-03-07 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2763 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix error message when receiving response from wrong IdP. | Olav Morken | 2011-03-07 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2762 44740490-163a-0410-bde0-09ae8108e29a
* saml: New configuration option: nameid.encryption | Olav Morken | 2011-03-07 | 1 file | -0/+8
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2745 44740490-163a-0410-bde0-09ae8108e29a
* saml: Allow selecting value for AllowCreate. | Olav Morken | 2011-03-07 | 1 file | -4/+11
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2743 44740490-163a-0410-bde0-09ae8108e29a
* saml:NameIDAttribute: Update to use the new source for the NameID. | Olav Morken | 2010-12-06 | 1 file | -2/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2679 44740490-163a-0410-bde0-09ae8108e29a
* saml:SP: Fix NameID and SessionIndex access from authproc filter on saml:sp. | Olav Morken | 2010-12-06 | 1 file | -0/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2678 44740490-163a-0410-bde0-09ae8108e29a
* saml:SP: Save NameID, IdP & SessionIndex in persistent auth data. | Olav Morken | 2010-12-06 | 1 file | -1/+0
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2677 44740490-163a-0410-bde0-09ae8108e29a
* saml:PersistentNameID: Fix generation of persistent NameID. | Olav Morken | 2010-10-26 | 1 file | -4/+4
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2610 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add saml:NameIDAttribute filter. | Olav Morken | 2010-09-15 | 1 file | -0/+138
    This filter can create an attribute from the NameID we receive in the authentication response.
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2548 44740490-163a-0410-bde0-09ae8108e29a
* Remove the old debug infrastructure. | Olav Morken | 2010-09-10 | 1 file | -2/+0
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2542 44740490-163a-0410-bde0-09ae8108e29a
* saml: Move Message-class from saml2 to saml module. | Olav Morken | 2010-06-29 | 1 file | -4/+4
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2372 44740490-163a-0410-bde0-09ae8108e29a
* saml:PersistentNameID: Make compatible with previous persistent NameID. | Olav Morken | 2010-06-02 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2339 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add NameID generation filters. | Olav Morken | 2010-06-01 | 3 files | -0/+173
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2337 44740490-163a-0410-bde0-09ae8108e29a
* Fix spelling error of ForceAuthn. | Olav Morken | 2010-05-28 | 1 file | -1/+1
    Thanks to Patrick Honing for providing this patch.
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2327 44740490-163a-0410-bde0-09ae8108e29a
* Artifact support for the SP. | Olav Morken | 2010-05-19 | 1 file | -1/+0
    This patch adds the necessary code for receiving authentication responses using the HTTP-Artifact binding. Thanks to Shoaib Ali and Bill Young from New Zealand for spending the time to implement this.
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2305 44740490-163a-0410-bde0-09ae8108e29a
* Minor fix to standard discovery to support scoping | Jacob Christiansen | 2010-05-11 | 1 file | -10/+16
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2297 44740490-163a-0410-bde0-09ae8108e29a
* saml:SP: Fix warning about unset variable. | Olav Morken | 2010-05-11 | 1 file | -1/+3
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2287 44740490-163a-0410-bde0-09ae8108e29a
* Scoping for authsources. Includes support for IDPList, ProxyCount, AuthenticatingAuthority and RequesterID. | Mads Freek Petersen | 2010-05-04 | 1 file | -7/+40
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2278 44740490-163a-0410-bde0-09ae8108e29a
* saml: Fix exception when unable to find metadata for an IdP. | Olav Morken | 2010-03-19 | 1 file | -1/+1
    Fixes issue 295.
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2224 44740490-163a-0410-bde0-09ae8108e29a
* saml: More logging when sending and receiving logout messages. | Olav Morken | 2010-02-11 | 1 file | -0/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2170 44740490-163a-0410-bde0-09ae8108e29a
* Use the new argument to getModuleURL. | Olav Morken | 2009-12-16 | 1 file | -2/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2055 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add authentication parameter support. | Olav Morken | 2009-11-18 | 1 file | -2/+29
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2000 44740490-163a-0410-bde0-09ae8108e29a
* saml: Do not attempt to send logout request to IdP that does not support logout. | Olav Morken | 2009-11-05 | 1 file | -1/+7
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1969 44740490-163a-0410-bde0-09ae8108e29a
* saml: Set the IdP field in the session to the current IdP after authentication. | Olav Morken | 2009-11-05 | 1 file | -0/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1956 44740490-163a-0410-bde0-09ae8108e29a
* saml: Don't include restart url in authentication request id. | Olav Morken | 2009-10-27 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1924 44740490-163a-0410-bde0-09ae8108e29a
* saml: Make it possible to go back to the discovery service page after starting SSO. | Olav Morken | 2009-10-26 | 1 file | -3/+3
    Fixes issue 230
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1900 44740490-163a-0410-bde0-09ae8108e29a
* saml: Handle entityID === NULL. | Olav Morken | 2009-10-12 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1841 44740490-163a-0410-bde0-09ae8108e29a
* saml: Restructure code to get correct error message for invalid entityID. | Olav Morken | 2009-10-12 | 1 file | -6/+6
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1840 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add SAML 1 artifact support. | Olav Morken | 2009-10-08 | 1 file | -1/+12
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1830 44740490-163a-0410-bde0-09ae8108e29a
* saml: Change entityId option to entityID. | Olav Morken | 2009-09-29 | 1 file | -2/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1798 44740490-163a-0410-bde0-09ae8108e29a
* saml: Use RelayState to save return URL for unsolicited response. | Olav Morken | 2009-09-25 | 1 file | -1/+9
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1786 44740490-163a-0410-bde0-09ae8108e29a
* saml: Change to use InResponseTo for the state id. | Olav Morken | 2009-09-25 | 1 file | -1/+1
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1785 44740490-163a-0410-bde0-09ae8108e29a
* saml: Support unsolicited authentication response. | Olav Morken | 2009-09-24 | 1 file | -0/+6
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1784 44740490-163a-0410-bde0-09ae8108e29a
* saml: Move sourceid into AssertionConsumerService url. | Olav Morken | 2009-09-24 | 1 file | -2/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1782 44740490-163a-0410-bde0-09ae8108e29a
* saml: Check that the responder is the same as the one the request was sent to. | Olav Morken | 2009-09-10 | 1 file | -0/+2
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1753 44740490-163a-0410-bde0-09ae8108e29a
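The entry above, together with "The issuer of an AuthnResponse is now validated to check if we get the response from the same entity ID we sent the request to" and "Change to use InResponseTo for the state id" further up, describe binding a Response to the request that was actually sent: InResponseTo must name an outstanding request, and the Issuer must be the IdP that request went to. Without the second check any IdP in the federation could answer a request addressed to another one. The PHP below (7.4+) is an added example, not the saml module's code; the in-memory outstanding-request store, the one-shot consumption of request IDs and the maximum request age are assumptions made here.

```php
<?php
// Added example, not SimpleSAMLphp code. Two checks on an incoming Response:
// (1) InResponseTo refers to a request this SP sent and has not yet seen
//     answered, (2) the Issuer is the IdP that request was sent to.
// The store below stands in for the module's auth state (assumption).

/** Outstanding requests keyed by request ID: where they went and when. */
final class OutstandingRequests
{
    private array $requests = [];

    public function record(string $requestId, string $idpEntityId, int $issuedAt): void
    {
        $this->requests[$requestId] = ['idp' => $idpEntityId, 'issued' => $issuedAt];
    }

    /** Consume the entry (one response per request) or return null if unknown. */
    public function consume(string $requestId): ?array
    {
        $entry = $this->requests[$requestId] ?? null;
        unset($this->requests[$requestId]);
        return $entry;
    }
}

/**
 * $response is the parsed envelope reduced to the fields used here
 * ('Issuer', 'InResponseTo'); constructed as an array rather than a SAML2
 * message object. Returns null when accepted, otherwise the rejection reason.
 */
function validateResponse(array $response, OutstandingRequests $store, int $now, int $maxAgeSeconds = 300): ?string
{
    $inResponseTo = $response['InResponseTo'] ?? null;
    if ($inResponseTo === null) {
        // The module can accept unsolicited responses; this example does not.
        return 'no InResponseTo: unsolicited responses are not accepted here';
    }
    $request = $store->consume($inResponseTo);
    if ($request === null) {
        return "no outstanding request with ID $inResponseTo (replayed or forged)";
    }
    if ($now - $request['issued'] > $maxAgeSeconds) {
        return "request $inResponseTo is older than $maxAgeSeconds seconds";
    }
    $issuer = $response['Issuer'] ?? null;
    if ($issuer !== $request['idp']) {
        return sprintf(
            'issuer %s is not the IdP the request was sent to (%s)',
            $issuer ?? '(none)',
            $request['idp']
        );
    }
    return null;
}

// Constructed exchange.
$idp = 'https://idp.example.org/saml2/idp/metadata.php';
$store = new OutstandingRequests();
$store->record('_req1', $idp, 1000);
$store->record('_req2', $idp, 1000);

$cases = [
    'matching issuer'     => ['Issuer' => $idp, 'InResponseTo' => '_req1'],
    'other idp answering' => ['Issuer' => 'https://idp.example.net', 'InResponseTo' => '_req2'],
    'same response again' => ['Issuer' => $idp, 'InResponseTo' => '_req1'],
    'never requested'     => ['Issuer' => $idp, 'InResponseTo' => '_req9'],
];
foreach ($cases as $label => $response) {
    $reason = validateResponse($response, $store, 1010);
    echo $label, ': ', $reason ?? 'accepted', PHP_EOL;
}
```

Consuming the request ID on first use is what turns the InResponseTo check into replay protection; a store that only looks the ID up would accept the same Response twice.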
* saml_Auth_Source_SP: Add getMetadataURL()-function. | Olav Morken | 2009-09-03 | 1 file | -1/+12
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1742 44740490-163a-0410-bde0-09ae8108e29a
* saml: Add new authentication module which handles both Shibboleth 1.3 and SAML 2.0. | Olav Morken | 2009-08-19 | 1 file | -0/+377
    git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1695 44740490-163a-0410-bde0-09ae8108e29a