Skip to content
Snippets Groups Projects
Commit de4978c8 authored by René Češka's avatar René Češka
Browse files

SimpleSamlPHP support

parent 873c7f31
No related branches found
No related tags found
No related merge requests found
Pipeline #24904 passed
Stage: build
Stage: checks
Stage: analyse
Stage: test
Show whitespace changes
Inline Side-by-side
config/config_defaults.inc.php
+ 9
0
View file @ de4978c8
...@@ -252,6 +252,7 @@ LdapReader authentication using an LDAP server, this plugin binds to the se ...@@ -252,6 +252,7 @@ LdapReader authentication using an LDAP server, this plugin binds to the se
this account must have read access to gather the attributes for the user who tries to authenticate. this account must have read access to gather the attributes for the user who tries to authenticate.
CAS authentication using a central authentication server (CAS) CAS authentication using a central authentication server (CAS)
Shib authentication using a Shibboleth identity provider (IdP) Shib authentication using a Shibboleth identity provider (IdP)
SimpleSamlPHP authentication using a SimpleSamlPHP identity provider (IdP)
If you write your own plugin put it in studip-htdocs/lib/classes/auth_plugins If you write your own plugin put it in studip-htdocs/lib/classes/auth_plugins
and enable it here. The name of the plugin is the classname excluding "StudipAuth". and enable it here. The name of the plugin is the classname excluding "StudipAuth".
...@@ -267,6 +268,7 @@ $STUDIP_AUTH_PLUGIN[] = "Standard"; ...@@ -267,6 +268,7 @@ $STUDIP_AUTH_PLUGIN[] = "Standard";
// $STUDIP_AUTH_PLUGIN[] = "LTI"; // $STUDIP_AUTH_PLUGIN[] = "LTI";
// $STUDIP_AUTH_PLUGIN[] = "Shib"; // $STUDIP_AUTH_PLUGIN[] = "Shib";
// $STUDIP_AUTH_PLUGIN[] = "IP"; // $STUDIP_AUTH_PLUGIN[] = "IP";
// $STUDIP_AUTH_PLUGIN[] = "SimpleSamlPHP";
$STUDIP_AUTH_CONFIG_STANDARD = ["error_head" => "intern"]; $STUDIP_AUTH_CONFIG_STANDARD = ["error_head" => "intern"];
...@@ -376,6 +378,13 @@ $STUDIP_AUTH_CONFIG_SHIB = array("session_initiator" => "https://sp.studip.de/Sh ...@@ -376,6 +378,13 @@ $STUDIP_AUTH_CONFIG_SHIB = array("session_initiator" => "https://sp.studip.de/Sh
"auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "surname"), "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "surname"),
"auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email"))); "auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email")));
$STUDIP_AUTH_CONFIG_SIMPLESAMLPHP = array("return_to_url" => '',
"sp_name" => 'default-sp',
"user_data_mapping" => array(
"auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email"),
"auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "firstName"),
"auth_user_md5.Vorname" => array("callback" => "getUserData", "map_args" => "lastName")));
$STUDIP_AUTH_CONFIG_IP = array('allowed_users' => $STUDIP_AUTH_CONFIG_IP = array('allowed_users' =>
array ('root' => array('127.0.0.1', '::1'))); array ('root' => array('127.0.0.1', '::1')));
*/ */
......
lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.class.php 0 → 100644
+ 113
0
View file @ de4978c8
<?php
/**
* Class: StudipAuthSimpleSamlPHP
* author: Rene Ceska <ceskar2001@gmail.com>
* This class is used to authenticate users through SimpleSAMLphp.
* This code was inspired by other Stud.IP auth plugins.
*/
// Default location of SimpleSamlPHP _autoload. Change if needed.
require_once('/var/simplesamlphp/src/_autoload.php');
class StudipAuthSimpleSamlPHP extends StudipAuthSSO
{
// Url to redirect to after successful login
public $return_to_url;
// Name of the SimpleSAMLphp SP
public $sp_name;
// Name of attribute that contains username (if empty it will use NameID as username)
public $username_attribute;
public $userdata;
public $as;
/**
* Constructor: read auth information from remote SP.
*/
public function __construct($config = [])
{
parent::__construct($config);
// check if user chosen to login through this plugin
if (Request::get('sso') === $this->plugin_name) {
$this->as = new \SimpleSAML\Auth\Simple($this->sp_name);
// check if user is already authenticated and if not, authenticate them
if (!$this->as->isAuthenticated()) {
$this->as->requireAuth(['ReturnTo' => $this->return_to_url]);
}
$this->userdata = [];
// get username
if (empty($username_attribute)){
$this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue();
}else{
$this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute];
}
// get other user attributes
$this->userdata = array_merge($this->userdata, $this->as->getAttributes());
// cleanup session so it does not interfere with Stud.IP session
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
}
if (!isset($this->plugin_fullname)) {
$this->plugin_fullname = _('Federated');
}
if (!isset($this->login_description)) {
$this->login_description = _('Login trough your institution');
}
}
/**
* Return the current username.
*/
public function getUser()
{
return $this->userdata['username'];
}
/**
* Validate the username passed to the auth plugin.
* Note: This triggers authentication if needed.
*/
public function verifyUsername($username)
{
if (isset($this->userdata)) {
// use cached user information
return $this->getUser();
}
// check if user is already authenticated and if not, authenticate them
if (!$this->as->isAuthenticated()) {
$this->as->requireAuth(['ReturnTo' => $this->return_to_url]);
}
if (empty($username_attribute)){
$this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue();
}else{
$this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute];
}
$session = \SimpleSAML\Session::getSessionFromRequest();
$session->cleanup();
return $this->getUser();
}
/**
* Callback that can be used in user_data_mapping array.
*/
function getUserData($key)
{
return $this->userdata[$key];
}
/**
* Logout the user.
*/
public function logout()
{
$auth = new \SimpleSAML\Auth\Simple($this->sp_name);
$auth->Logout();
}
}
public/logout.php
+ 8
0
View file @ de4978c8
...@@ -48,6 +48,11 @@ if ($auth->auth['uid'] !== 'nobody') { ...@@ -48,6 +48,11 @@ if ($auth->auth['uid'] !== 'nobody') {
$casauth = StudipAuthAbstract::GetInstance('cas'); $casauth = StudipAuthAbstract::GetInstance('cas');
$docaslogout = true; $docaslogout = true;
} }
if ($auth->auth["auth_plugin"] === "simplesamlphp"){
$SimpleSamlPHPAuth = StudipAuthAbstract::GetInstance('simplesamlphp');
$dosimplesamlphplogout = true;
}
//Logout aus dem Sessionmanagement //Logout aus dem Sessionmanagement
$auth->logout(); $auth->logout();
$sess->delete(); $sess->delete();
...@@ -62,6 +67,9 @@ if ($auth->auth['uid'] !== 'nobody') { ...@@ -62,6 +67,9 @@ if ($auth->auth['uid'] !== 'nobody') {
if (!empty($docaslogout)) { if (!empty($docaslogout)) {
$casauth->logout(); $casauth->logout();
} }
if (!empty($dosimplesamlphplogout)) {
$SimpleSamlPHPAuth->logout();
}
$sess->start(); $sess->start();
$_SESSION['_language'] = $_language; $_SESSION['_language'] = $_language;
if ($contrast) { if ($contrast) {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment