2 // PukiWiki - Yet another WikiWikiWeb clone.
5 // 2018 PukiWiki Development Team
6 // License: GPL v2 or (at your option) any later version
8 // PukiWiki SAML Plugin
10 require 'vendor/autoload.php';
11 require_once 'vendor/onelogin/php-saml/_toolkit_loader.php';
// Name of the SAML attribute whose first value plugin_saml_action() stores in
// $_SESSION['authenticated_user'] when the ACS branch accepts a response.
// NOTE(review): the NameID appears to be used when this attribute is absent; confirm against the full file.
13 define('PLUGIN_SAML_AUTHUSER_ID_ATTR', 'UserId');
// Name of the SAML attribute whose first value plugin_saml_action() stores in
// $_SESSION['authenticated_user_fullname'].
14 define('PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR', 'DisplayName');
19 function plugin_saml_action() {
21 require 'saml_settings.php';
23 $auth = new OneLogin\Saml2\Auth($settingsInfo);
25 if (isset($vars['sso'])) {
26 // sso: Sign in endpoint before IdP
27 $url_after_login = $vars['url_after_login'];
28 $auth->login($url_after_login);
29 } else if (isset($vars['slo'])) {
30 // slo: Sign out endpoint before IdP
35 if (isset($_SESSION['samlNameId'])) {
36 $nameId = $_SESSION['samlNameId'];
38 if (isset($_SESSION['samlSessionIndex'])) {
39 $sessionIndex = $_SESSION['samlSessionIndex'];
41 $auth->logout($returnTo, $paramters, $nameId, $sessionIndex);
42 } else if (isset($vars['acs'])) {
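43 // acs: Sign in endpoint after IdP. NOTE(review): the RelayState used for the redirect below comes from the POST body; confirm the target is restricted to this wiki's own URLs.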
44 $auth->processResponse();
46 $errors = $auth->getErrors();
48 if (!empty($errors)) {
49 return array('msg' => 'SAML Error', print_r('<p>'.implode(', ', $errors).'</p>'));
52 if (!$auth->isAuthenticated()) {
53 return array('msg' => 'SAML sign in', 'body' => '<p>Not authenticated</p>');
55 $attrs = $auth->getAttributes();
56 $_SESSION['samlUserdata'] = $attrs;
57 $_SESSION['samlNameId'] = $auth->getNameId();
58 $_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
59 if (isset($attrs[PLUGIN_SAML_AUTHUSER_ID_ATTR][0])) {
60 // PukiWiki ExternalAuth requirement
61 $_SESSION['authenticated_user'] = $attrs[PLUGIN_SAML_AUTHUSER_ID_ATTR][0];
63 $_SESSION['authenticated_user'] = $auth->getNameId();
65 if (isset($attrs[PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR][0])) {
66 // PukiWiki ExternalAuth requirement
67 $_SESSION['authenticated_user_fullname'] = $attrs[PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR][0];
70 if (isset($_POST['RelayState']) && OneLogin\Saml2\Utils::getSelfURL() != $_POST['RelayState']) {
71 $auth->redirectTo($_POST['RelayState']);
73 return array('msg' => 'SAML sign in', 'body' => 'SAML Sined in. but no redirection');
74 } else if (isset($vars['sls'])) {
75 // sls: Sign out endpoint after IdP
76 // onelogin/php-saml only supports Redirect SingleLogout
77 $is_post = $_SERVER['REQUEST_METHOD'] === 'POST';
83 $errors = $auth->getErrors();
86 $msg .= '<p>Sucessfully logged out</p>';
88 $msg .= '<p>'.implode(', ', $errors).'</p>';
91 return array('msg' => 'SAML sign out', 'body' => 'SAML Sined out. ' . $msg);
92 } else if (isset($vars['metadata'])) {
93 // metadata: SP metadata endpoint
95 $auth = new OneLogin\Saml2\Auth($settingsInfo);
96 $settings = $auth->getSettings();
97 $metadata = $settings->getSPMetadata();
98 $errors = $settings->validateMetadata($metadata);
100 header('Content-Type: text/xml');
103 throw new OneLogin\Saml2\Error(
104 'Invalid SP metadata: '.implode(', ', $errors),
105 OneLogin\Saml2\Error::METADATA_SP_INVALID
108 } catch (Exception $e) {
109 echo $e->getMessage();
113 return array('msg' => 'Error', 'body' => 'SAML Invalid state srror');