diff --git a/config/config_defaults.inc.php b/config/config_defaults.inc.php index 2f83fefc583fddad9474bc360b8cea3aed86a4dc..5b188622ee5d188c61ec7af0d3a631032ce32bb9 100644 --- a/config/config_defaults.inc.php +++ b/config/config_defaults.inc.php @@ -171,6 +171,7 @@ LdapReader authentication using an LDAP server, this plugin binds to the se CAS authentication using a central authentication server (CAS) Shib authentication using a Shibboleth identity provider (IdP) OAuth2 authentication using an OAuth2 identity provider +SimpleSamlPHP authentication using a SimpleSamlPHP identity provider (IdP) If you write your own plugin put it in studip-htdocs/lib/classes/auth_plugins and enable it here. The name of the plugin is the classname excluding "StudipAuth". @@ -187,6 +188,7 @@ $STUDIP_AUTH_PLUGIN[] = "Standard"; // $STUDIP_AUTH_PLUGIN[] = "Shib"; // $STUDIP_AUTH_PLUGIN[] = "IP"; // $STUDIP_AUTH_PLUGIN[] = 'OAuth2'; +// $STUDIP_AUTH_PLUGIN[] = "SimpleSamlPHP"; $STUDIP_AUTH_CONFIG_STANDARD = ["error_head" => "intern"]; @@ -323,6 +325,14 @@ $STUDIP_AUTH_CONFIG_OAUTH2 = [ 'auth_user_md5.EMail' => ['callback' => 'getUserData', 'map_args' => 'email'], ], ]; + +$STUDIP_AUTH_CONFIG_SIMPLESAMLPHP = array("reverse_proxy_url" => '', + "sp_name" => 'default-sp', + "user_data_mapping" => array( + "auth_user_md5.Email" => array("callback" => "getUserData", "map_args" => "email"), + "auth_user_md5.Nachname" => array("callback" => "getUserData", "map_args" => "firstName"), + "auth_user_md5.Vorname" => array("callback" => "getUserData", "map_args" => "lastName"))); + */ //some additional authification-settings diff --git a/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.php b/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.php new file mode 100644 index 0000000000000000000000000000000000000000..469fe155576e3951a8890143952f5af49d5e82ce --- /dev/null +++ b/lib/classes/auth_plugins/StudipAuthSimpleSamlPHP.php 
@@ -0,0 +1,130 @@
+<?php
+
+/**
+ * Class: StudipAuthSimpleSamlPHP
+ * author: Rene Ceska <ceskar2001@gmail.com>
+ * This class is used to authenticate users through SimpleSAMLphp.
+ * This code was inspired by other Stud.IP auth plugins.
+ */
+
+// Default location of SimpleSamlPHP _autoload. Change if needed.
+require_once('/var/simplesamlphp/src/_autoload.php');
+
+class StudipAuthSimpleSamlPHP extends StudipAuthSSO
+{
+ // Reverse proxy domain
+ public $reverse_proxy_url;
+ // Name of the SimpleSAMLphp SP
+ public $sp_name;
+ // Name of attribute that contains username (if empty it will use NameID as username)
+ public $username_attribute;
+ public $userdata;
+ public $as;
+
+ /**
+ * Constructor: read auth information from remote SP.
+ */
+ public function __construct($config = [])
+ {
+ parent::__construct($config);
+ // check if user chosen to login through this plugin
+ if (Request::get('sso') === $this->plugin_name) {
+
+ $this->as = new \SimpleSAML\Auth\Simple($this->sp_name);
+
+
+ //return to right url, otherwise stud.ip will break
+ if(empty($this->reverse_proxy_url)){
+ $return_to_url = (empty($_SERVER['HTTPS']) ? 'http' : 'https') . "://$_SERVER[HTTP_HOST]"."/dispatch.php/start?again=yes&sso=simplesamlphp&cancel_login=1";
+ }else{
+ $return_to_url = $this->reverse_proxy_url . 
"/dispatch.php/start?again=yes&sso=simplesamlphp&cancel_login=1";
+ }
+
+
+ // check if user is already authenticated and if not, authenticate them
+ if (!$this->as->isAuthenticated()) {
+ $this->as->requireAuth(['ReturnTo' => $return_to_url]);
+ }
+ $this->userdata = [];
+ // get username
+ if (empty($username_attribute)){
+ $this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue();
+ }else{
+ $this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute];
+ }
+ // get other user attributes
+ $this->userdata = array_merge($this->userdata, $this->as->getAttributes());
+
+ // cleanup session so it does not interfere with Stud.IP session
+ $session = \SimpleSAML\Session::getSessionFromRequest();
+ $session->cleanup();
+ }
+
+ if (!isset($this->plugin_fullname)) {
+ $this->plugin_fullname = _('Federated');
+ }
+ if (!isset($this->login_description)) {
+ $this->login_description = _('Login trough your institution');
+ }
+ }
+
+ /**
+ * Return the current username.
+ */
+ public function getUser()
+ {
+ return $this->userdata['username'];
+ }
+
+ /**
+ * Validate the username passed to the auth plugin.
+ * Note: This triggers authentication if needed.
+ */
+ public function verifyUsername($username)
+ {
+ if (isset($this->userdata)) {
+ // use cached user information
+ return $this->getUser();
+ }
+
+ //return to right url, otherwise stud.ip will break
+ if(empty($this->reverse_proxy_url)){
+ $return_to_url = (empty($_SERVER['HTTPS']) ? 'http' : 'https') . "://$_SERVER[HTTP_HOST]"."/dispatch.php/start?again=yes&sso=simplesamlphp&cancel_login=1";
+ }else{
+ $return_to_url = $this->reverse_proxy_url . 
"/dispatch.php/start?again=yes&sso=simplesamlphp&cancel_login=1";
+ }
+
+
+ // check if user is already authenticated and if not, authenticate them
+ if (!$this->as->isAuthenticated()) {
+ $this->as->requireAuth(['ReturnTo' => $return_to_url]);
+ }
+
+ if (empty($username_attribute)){
+ $this->userdata['username'] = $this->as->getAuthData('saml:sp:NameID')->getValue();
+ }else{
+ $this->userdata['username'] = $this->as->getAttributes()[$this->username_attribute];
+ }
+ $session = \SimpleSAML\Session::getSessionFromRequest();
+ $session->cleanup();
+ return $this->getUser();
+ }
+
+ /**
+ * Callback that can be used in user_data_mapping array.
+ */
+ function getUserData($key)
+ {
+ return $this->userdata[$key];
+ }
+
+
+ /**
+ * Logout the user.
+ */
+ public function logout()
+ {
+ $auth = new \SimpleSAML\Auth\Simple($this->sp_name);
+ $auth->Logout();
+ }
+}