<?php
/**
* Assertion consumer service handler for SAML 2.0 SP authentication client.
*/
$sourceId = substr($_SERVER['PATH_INFO'], 1);
$source = SimpleSAML_Auth_Source::getById($sourceId, 'sspmod_saml_Auth_Source_SP');
$spMetadata = $source->getMetadata();
$b = SAML2_Binding::getCurrentBinding();
if ($b instanceof SAML2_HTTPArtifact) {
$b->setSPMetadata($spMetadata);
}
$response = $b->receive();
if (!($response instanceof SAML2_Response)) {
throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
}
$idp = $response->getIssuer();
if ($idp === NULL) {
/* No Issuer in the response. Look for an unencrypted assertion with an issuer. */
foreach ($response->getAssertions() as $a) {
if ($a instanceof SAML2_Assertion) {
/* We found an unencrypted assertion - there should be an issuer here. */
$idp = $a->getIssuer();
break;
}
}
if ($idp === NULL) {
/* No issuer found in the assertions. */
throw new Exception('Missing <saml:Issuer> in message delivered to AssertionConsumerService.');
}
}
$session = SimpleSAML_Session::getSessionFromRequest();
$prevAuth = $session->getAuthData($sourceId, 'saml:sp:prevAuth');
if ($prevAuth !== NULL && $prevAuth['id'] === $response->getId() && $prevAuth['issuer'] === $idp) {
/* OK, it looks like this message has the same issuer
* and ID as the SP session we already have active. We
* therefore assume that the user has somehow triggered
* a resend of the message.
* In that case we may as well just redo the previous redirect
* instead of displaying a confusing error message.
*/
SimpleSAML_Logger::info('Duplicate SAML 2 response detected - ignoring the response and redirecting the user to the correct page.');
SimpleSAML_Utilities::redirectTrustedURL($prevAuth['redirect']);
}
$idpMetadata = array();
$stateId = $response->getInResponseTo();
if (!empty($stateId)) {
// sanitize the input
$sid = SimpleSAML_Utilities::parseStateID($stateId);
if (!is_null($sid['url'])) {
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
}
/* This is a response to a request we sent earlier. */
$state = SimpleSAML_Auth_State::loadState($stateId, 'saml:sp:sso');
/* Check that the authentication source is correct. */
assert('array_key_exists("saml:sp:AuthId", $state)');
if ($state['saml:sp:AuthId'] !== $sourceId) {
throw new SimpleSAML_Error_Exception('The authentication source id in the URL does not match the authentication source which sent the request.');
}
/* Check that the issuer is the one we are expecting. */
assert('array_key_exists("ExpectedIssuer", $state)');
if ($state['ExpectedIssuer'] !== $idp) {
$idpMetadata = $source->getIdPMetadata($idp);
$idplist = $idpMetadata->getArrayize('IDPList', array());
if (!in_array($state['ExpectedIssuer'], $idplist)) {
throw new SimpleSAML_Error_Exception('The issuer of the response does not match to the identity provider we sent the request to.');
}
}
} else {
/* This is an unsolicited response. */
$state = array(
'saml:sp:isUnsolicited' => TRUE,
'saml:sp:AuthId' => $sourceId,
'saml:sp:RelayState' => SimpleSAML_Utilities::checkURLAllowed($response->getRelayState()),
);
}
SimpleSAML_Logger::debug('Received SAML2 Response from ' . var_export($idp, TRUE) . '.');
if (empty($idpMetadata)) {
$idpMetadata = $source->getIdPmetadata($idp);
}
try {
$assertions = sspmod_saml_Message::processResponse($spMetadata, $idpMetadata, $response);
} catch (sspmod_saml_Error $e) {
/* The status of the response wasn't "success". */
$e = $e->toException();
SimpleSAML_Auth_State::throwException($state, $e);
}
$authenticatingAuthority = NULL;
$nameId = NULL;
$sessionIndex = NULL;
$expire = NULL;
$attributes = array();
$foundAuthnStatement = FALSE;
foreach ($assertions as $assertion) {
/* Check for duplicate assertion (replay attack). */
$store = SimpleSAML_Store::getInstance();
if ($store !== FALSE) {
$aID = $assertion->getId();
if ($store->get('saml.AssertionReceived', $aID) !== NULL) {
$e = new SimpleSAML_Error_Exception('Received duplicate assertion.');
SimpleSAML_Auth_State::throwException($state, $e);
}
$notOnOrAfter = $assertion->getNotOnOrAfter();
if ($notOnOrAfter === NULL) {
$notOnOrAfter = time() + 24*60*60;
} else {
$notOnOrAfter += 60; /* We allow 60 seconds clock skew, so add it here also. */
}
$store->set('saml.AssertionReceived', $aID, TRUE, $notOnOrAfter);
}
if ($authenticatingAuthority === NULL) {
$authenticatingAuthority = $assertion->getAuthenticatingAuthority();
}
if ($nameId === NULL) {
$nameId = $assertion->getNameId();
}
if ($sessionIndex === NULL) {
$sessionIndex = $assertion->getSessionIndex();
}
if ($expire === NULL) {
$expire = $assertion->getSessionNotOnOrAfter();
}
$attributes = array_merge($attributes, $assertion->getAttributes());
if ($assertion->getAuthnInstant() !== NULL) {
/* Assertion contains AuthnStatement, since AuthnInstant is a required attribute. */
$foundAuthnStatement = TRUE;
}
}
if (!$foundAuthnStatement) {
$e = new SimpleSAML_Error_Exception('No AuthnStatement found in assertion(s).');
SimpleSAML_Auth_State::throwException($state, $e);
}
if ($expire !== NULL) {
$logoutExpire = $expire;
} else {
/* Just expire the logout associtaion 24 hours into the future. */
$logoutExpire = time() + 24*60*60;
}
/* Register this session in the logout store. */
sspmod_saml_SP_LogoutStore::addSession($sourceId, $nameId, $sessionIndex, $logoutExpire);
/* We need to save the NameID and SessionIndex for logout. */
$logoutState = array(
'saml:logout:Type' => 'saml2',
'saml:logout:IdP' => $idp,
'saml:logout:NameID' => $nameId,
'saml:logout:SessionIndex' => $sessionIndex,
);
$state['LogoutState'] = $logoutState;
$state['saml:AuthenticatingAuthority'] = $authenticatingAuthority;
$state['saml:AuthenticatingAuthority'][] = $idp;
$state['PersistentAuthData'][] = 'saml:AuthenticatingAuthority';
$state['saml:sp:NameID'] = $nameId;
$state['PersistentAuthData'][] = 'saml:sp:NameID';
$state['saml:sp:SessionIndex'] = $sessionIndex;
$state['PersistentAuthData'][] = 'saml:sp:SessionIndex';
$state['saml:sp:AuthnContext'] = $assertion->getAuthnContext();
$state['PersistentAuthData'][] = 'saml:sp:AuthnContext';
if ($expire !== NULL) {
$state['Expire'] = $expire;
}
if (isset($state['SimpleSAML_Auth_Default.ReturnURL'])) {
/* Just note some information about the authentication, in case we receive the
* same response again.
*/
$state['saml:sp:prevAuth'] = array(
'id' => $response->getId(),
'issuer' => $idp,
'redirect' => $state['SimpleSAML_Auth_Default.ReturnURL'],
);
$state['PersistentAuthData'][] = 'saml:sp:prevAuth';
}
$source->handleResponse($state, $idp, $attributes);
assert('FALSE');
|
Download
