BugTrack/2265 Enable edit_auth for bugtrack and tracker plugin
1 <?php
2 // PukiWiki - Yet another WikiWikiWeb clone.
3 // saml.inc.php
4 // Copyright
5 //   2017 PukiWiki Development Team
6 // License: GPL v2 or (at your option) any later version
7 //
8 // PukiWiki SAML Plugin
9
10 require 'vendor/autoload.php';
11 require_once 'vendor/onelogin/php-saml/_toolkit_loader.php';
12
// SAML attribute whose first value is stored as PukiWiki's authenticated
// user id (the assertion's NameID is used when this attribute is absent)
define('PLUGIN_SAML_AUTHUSER_ID_ATTR', 'UserId');
// SAML attribute whose first value is stored as the user's display name
define('PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR', 'DisplayName');
15
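/**
 *  SAML Handler
 *
 *  Action plugin entry point. The endpoint is selected by which key is
 *  present in $vars (?plugin=saml&sso, &slo, &acs, &sls or &metadata):
 *    sso      - start sign-in: send the browser to the IdP
 *    slo      - start sign-out: send the browser to the IdP
 *    acs      - Assertion Consumer Service: the IdP posts the response here
 *    sls      - Single Logout Service: the IdP sends the logout message here
 *    metadata - print this SP's metadata XML and exit
 *
 *  saml_settings.php is expected to define $settingsInfo in the array shape
 *  OneLogin_Saml2_Auth accepts (confirm against that file).
 *
 *  @return array 'msg' / 'body' pair in the form PukiWiki expects from an
 *          action plugin. The sso and slo branches hand control to php-saml,
 *          which presumably exits after issuing the redirect; should it ever
 *          return, the 'Invalid state' result is produced.
 */
function plugin_saml_action() {
	global $vars;
	require 'saml_settings.php';

	$auth = new OneLogin_Saml2_Auth($settingsInfo);

	if (isset($vars['sso'])) {
		plugin_saml_sso($auth, $vars);
	} else if (isset($vars['slo'])) {
		plugin_saml_slo($auth);
	} else if (isset($vars['acs'])) {
		return plugin_saml_acs($auth);
	} else if (isset($vars['sls'])) {
		return plugin_saml_sls($auth);
	} else if (isset($vars['metadata'])) {
		plugin_saml_metadata($auth); // does not return
	}
	return array('msg' => 'Error', 'body' => 'SAML Invalid state error');
}

/**
 * Tell whether $url is an acceptable redirect target on this wiki's own host.
 *
 * url_after_login and RelayState are supplied by the browser, so a redirect
 * to an arbitrary site must be refused. Accepted: a relative path starting
 * with a single "/" (not "//host" or "/\host", which browsers treat as
 * scheme-relative), or an absolute URL under the SP's own scheme://host[:port].
 *
 * @param mixed $url candidate redirect target (anything but a string is refused)
 * @return bool
 */
function plugin_saml_is_local_url($url) {
	if (!is_string($url) || $url === '') return FALSE;
	if (preg_match('#^/(?![/\\\\])#', $url)) return TRUE;
	$self = OneLogin_Saml2_Utils::getSelfURLhost();
	// Trailing "/" keeps "https://host.example.evil" from matching "https://host"
	return $url === $self || strpos($url, $self . '/') === 0;
}

/**
 * sso: start sign-in by redirecting the browser to the IdP.
 *
 * @param OneLogin_Saml2_Auth $auth
 * @param array $vars request parameters; 'url_after_login' is the optional
 *                    page to return to and is only honoured when local
 * @return void php-saml is expected to exit after redirecting
 */
function plugin_saml_sso($auth, $vars) {
	$url_after_login = null;
	if (isset($vars['url_after_login']) && plugin_saml_is_local_url($vars['url_after_login'])) {
		$url_after_login = $vars['url_after_login'];
	}
	// null leaves the return URL to php-saml's default
	$auth->login($url_after_login);
}

/**
 * slo: start sign-out by redirecting the browser to the IdP.
 *
 * NameID and SessionIndex saved by the acs step are passed along when present
 * so the IdP can match the logout request to its own session.
 *
 * @param OneLogin_Saml2_Auth $auth
 * @return void php-saml is expected to exit after redirecting
 */
function plugin_saml_slo($auth) {
	$nameId = isset($_SESSION['samlNameId']) ? $_SESSION['samlNameId'] : null;
	$sessionIndex = isset($_SESSION['samlSessionIndex']) ? $_SESSION['samlSessionIndex'] : null;
	// No explicit return URL and no extra query parameters
	$auth->logout(null, array(), $nameId, $sessionIndex);
}

/**
 * acs: Assertion Consumer Service, the IdP POSTs the SAML response here.
 *
 * On success the assertion data is stored in $_SESSION, including the
 * 'authenticated_user' / 'authenticated_user_fullname' keys that PukiWiki's
 * external-auth hook reads, and the browser is sent to RelayState when that
 * is a local URL.
 *
 * @param OneLogin_Saml2_Auth $auth
 * @return array PukiWiki action result; not reached when a redirect is issued
 */
function plugin_saml_acs($auth) {
	$auth->processResponse();

	$errors = $auth->getErrors();
	if (!empty($errors)) {
		// 'body' is rendered as HTML, so escape the error strings
		return array('msg' => 'SAML Error',
			'body' => '<p>' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES) . '</p>');
	}
	if (!$auth->isAuthenticated()) {
		return array('msg' => 'SAML sign in', 'body' => '<p>Not authenticated</p>');
	}

	// The principal changes from anonymous to signed-in: issue a fresh session
	// id so an id fixed in the browser before login is not carried over
	if (session_id() !== '') {
		session_regenerate_id(TRUE);
	}

	$attrs = $auth->getAttributes();
	$_SESSION['samlUserdata'] = $attrs;
	$_SESSION['samlNameId'] = $auth->getNameId();
	$_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
	if (isset($attrs[PLUGIN_SAML_AUTHUSER_ID_ATTR][0])) {
		// PukiWiki ExternalAuth requirement
		$_SESSION['authenticated_user'] = $attrs[PLUGIN_SAML_AUTHUSER_ID_ATTR][0];
	} else {
		// No user-id attribute in the assertion: fall back to the NameID
		$_SESSION['authenticated_user'] = $auth->getNameId();
	}
	if (isset($attrs[PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR][0])) {
		// PukiWiki ExternalAuth requirement
		$_SESSION['authenticated_user_fullname'] = $attrs[PLUGIN_SAML_AUTHUSER_DISPLAYNAME_ATTR][0];
	}

	// RelayState is whatever the browser posted back: treat it as untrusted
	// and only follow it within this host
	if (isset($_POST['RelayState'])
		&& OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']
		&& plugin_saml_is_local_url($_POST['RelayState'])) {
		$auth->redirectTo($_POST['RelayState']);
	}
	return array('msg' => 'SAML sign in', 'body' => 'SAML Signed in. but no redirection');
}

/**
 * sls: Single Logout Service, the IdP sends the logout request/response here.
 *
 * A POST binding is not handled by php-saml, so the local session is simply
 * dropped; a Redirect binding is processed by the library.
 *
 * @param OneLogin_Saml2_Auth $auth
 * @return array PukiWiki action result
 */
function plugin_saml_sls($auth) {
	$msg = ''; // set on the Redirect path only
	// onelogin/php-saml only supports Redirect SingleLogout
	if ($_SERVER['REQUEST_METHOD'] === 'POST') {
		session_destroy();
		$_SESSION = array();
	} else {
		$auth->processSLO();
		$errors = $auth->getErrors();
		if (empty($errors)) {
			$msg = '<p>Successfully logged out</p>';
		} else {
			// 'body' is rendered as HTML, so escape the error strings
			$msg = '<p>' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES) . '</p>';
		}
	}
	return array('msg' => 'SAML sign out', 'body' => 'SAML Signed out. ' . $msg);
}

/**
 * metadata: print this SP's metadata XML and terminate the request.
 *
 * Metadata is validated before it is sent; a validation failure or any
 * library exception is reported as plain text instead.
 *
 * @param OneLogin_Saml2_Auth $auth already built from $settingsInfo
 * @return void always exits
 */
function plugin_saml_metadata($auth) {
	try {
		$settings = $auth->getSettings();
		$metadata = $settings->getSPMetadata();
		$errors = $settings->validateMetadata($metadata);
		if (!empty($errors)) {
			throw new OneLogin_Saml2_Error(
				'Invalid SP metadata: ' . implode(', ', $errors),
				OneLogin_Saml2_Error::METADATA_SP_INVALID
			);
		}
		header('Content-Type: text/xml');
		echo $metadata;
	} catch (Exception $e) {
		// Plain text so the message is not interpreted as markup by the browser
		header('Content-Type: text/plain');
		echo $e->getMessage();
	}
	exit;
}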