From de4978c898d0c3a9593a4db369a0d58142b762f9 Mon Sep 17 00:00:00 2001 From: nod3zer0 <game1men@gmail.com> Date: Wed, 3 Jul 2024 01:34:07 +0200 Subject: [PATCH] SimpleSamlPHP support --- config/config_defaults.inc.php | 9 ++ .../StudipAuthSimpleSamlPHP.class.php | 113 ++++++++++++++++++ public/logout.php | 8 ++ 3 files changed, 130 insertions(+) create mode 100644 lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.class.php diff --git a/config/config_defaults.inc.php b/config/config_defaults.inc.php index 78d53569a9..267728fbe0 100644 --- a/config/config_defaults.inc.php +++ b/config/config_defaults.inc.php @@ -252,6 +252,7 @@ LdapReader authentication using an LDAP server, this plugin binds to the se this account must have read access to gather the attributes for the user who tries to authenticate. CAS authentication using a central authentication server (CAS) Shib authentication using a Shibboleth identity provider (IdP) +SimpleSamlPHP authentication using a SimpleSamlPHP identity provider (IdP) If you write your own plugin put it in studip-htdocs/lib/classes/auth_plugins and enable it here. The name of the plugin is the classname excluding "StudipAuth". @@ -267,6 +268,7 @@ $STUDIP_AUTH_PLUGIN[] = "Standard"; // $STUDIP_AUTH_PLUGIN[] = "LTI"; // $STUDIP_AUTH_PLUGIN[] = "Shib"; // $STUDIP_AUTH_PLUGIN[] = "IP"; +// $STUDIP_AUTH_PLUGIN[] = "SimpleSamlPHP"; $STUDIP_AUTH_CONFIG_STANDARD = ["error_head" => "intern"]; @@ -376,6 +378,13 @@ $STUDIP_AUTH_CONFIG_SHIB = array("session_initiator" => "https://sp.studip.de/Sh "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "surname"), "auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email"))); +$STUDIP_AUTH_CONFIG_SIMPLESAMLPHP = array("return_to_url" => '', + "sp_name" => 'default-sp', + "user_data_mapping" => array( + "auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email"), + "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "firstName"), + "auth_user_md5.Vorname" => array("callback" => "getUserData", "map_args" => "lastName"))); + $STUDIP_AUTH_CONFIG_IP = array('allowed_users' => array ('root' => array('127.0.0.1', '::1'))); */ diff --git a/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.class.php b/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.class.php new file mode 100644 index 0000000000..deb899cdd2 --- /dev/null +++ b/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.class.php @@ -0,0 +1,113 @@ +<?php + +/** + * Class: StudipAuthSimpleSamlPHP + * author: Rene Ceska <ceskar2001@gmail.com> + * This class is used to authenticate users through SimpleSAMLphp. + * This code was inspired by other Stud.IP auth plugins. + */ + +// Default location of SimpleSamlPHP _autoload. Change if needed. +require_once('/var/simplesamlphp/src/_autoload.php'); + +class StudipAuthSimpleSamlPHP extends StudipAuthSSO +{ + // Url to redirect to after successful login + public $return_to_url; + // Name of the SimpleSAMLphp SP + public $sp_name; + // Name of attribute that contains username (if empty it will use NameID as username) + public $username_attribute; + public $userdata; + public $as; + + /** + * Constructor: read auth information from remote SP. + */ + public function __construct($config = []) + { + parent::__construct($config); + // check if user chosen to login through this plugin + if (Request::get('sso') === $this->plugin_name) { + + $this->as = new \SimpleSAML\Auth\Simple($this->sp_name); + + // check if user is already authenticated and if not, authenticate them + if (!$this->as->isAuthenticated()) { + $this->as->requireAuth(['ReturnTo' => $this->return_to_url]); + } + $this->userdata = []; + // get username + if (empty($username_attribute)){ + $this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue(); + }else{ + $this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute]; + } + // get other user attributes + $this->userdata = array_merge($this->userdata, $this->as->getAttributes()); + + // cleanup session so it does not interfere with Stud.IP session + $session = \SimpleSAML\Session::getSessionFromRequest(); + $session->cleanup(); + } + + if (!isset($this->plugin_fullname)) { + $this->plugin_fullname = _('Federated'); + } + if (!isset($this->login_description)) { + $this->login_description = _('Login trough your institution'); + } + } + + /** + * Return the current username. + */ + public function getUser() + { + return $this->userdata['username']; + } + + /** + * Validate the username passed to the auth plugin. + * Note: This triggers authentication if needed. + */ + public function verifyUsername($username) + { + if (isset($this->userdata)) { + // use cached user information + return $this->getUser(); + } + + // check if user is already authenticated and if not, authenticate them + if (!$this->as->isAuthenticated()) { + $this->as->requireAuth(['ReturnTo' => $this->return_to_url]); + } + + if (empty($username_attribute)){ + $this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue(); + }else{ + $this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute]; + } + $session = \SimpleSAML\Session::getSessionFromRequest(); + $session->cleanup(); + return $this->getUser(); + } + + /** + * Callback that can be used in user_data_mapping array. + */ + function getUserData($key) + { + return $this->userdata[$key]; + } + + + /** + * Logout the user. + */ + public function logout() + { + $auth = new \SimpleSAML\Auth\Simple($this->sp_name); + $auth->Logout(); + } +} diff --git a/public/logout.php b/public/logout.php index 2f8fcd8c58..2dea954675 100644 --- a/public/logout.php +++ b/public/logout.php @@ -48,6 +48,11 @@ if ($auth->auth['uid'] !== 'nobody') { $casauth = StudipAuthAbstract::GetInstance('cas'); $docaslogout = true; } + if ($auth->auth["auth_plugin"] === "simplesamlphp"){ + $SimpleSamlPHPAuth = StudipAuthAbstract::GetInstance('simplesamlphp'); + $dosimplesamlphplogout = true; + } + //Logout aus dem Sessionmanagement $auth->logout(); $sess->delete(); @@ -62,6 +67,9 @@ if ($auth->auth['uid'] !== 'nobody') { if (!empty($docaslogout)) { $casauth->logout(); } + if (!empty($dosimplesamlphplogout)) { + $SimpleSamlPHPAuth->logout(); + } $sess->start(); $_SESSION['_language'] = $_language; if ($contrast) { -- GitLab