2009-04-07 22:38:24 +02:00
|
|
|
## @file
|
2009-12-10 18:03:57 +01:00
|
|
|
# SAML Issuer file
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
## @class
|
2009-12-10 18:03:57 +01:00
|
|
|
# SAML Issuer class
|
|
|
|
package Lemonldap::NG::Portal::IssuerDBSAML;
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
use strict;
|
2010-04-22 19:01:37 +02:00
|
|
|
use Lemonldap::NG::Common::Conf::SAML::Metadata;
|
2009-04-07 22:38:24 +02:00
|
|
|
use Lemonldap::NG::Portal::Simple;
|
2010-02-26 11:53:43 +01:00
|
|
|
use Lemonldap::NG::Portal::_SAML;
|
|
|
|
our @ISA = qw(Lemonldap::NG::Portal::_SAML);
|
2009-04-07 22:38:24 +02:00
|
|
|
|
2011-06-09 17:24:15 +02:00
|
|
|
our $VERSION = '1.1.0';
|
2009-04-07 22:38:24 +02:00
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
## @method void issuerDBInit()
|
|
|
|
# Load and check SAML configuration
|
|
|
|
# @return Lemonldap::NG::Portal error code
|
|
|
|
sub issuerDBInit {
|
2009-04-07 22:38:24 +02:00
|
|
|
my $self = shift;
|
2010-03-25 12:24:52 +01:00
|
|
|
|
|
|
|
# Load SAML service
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_LOAD_SERVICE_ERROR unless $self->loadService();
|
2010-03-25 12:24:52 +01:00
|
|
|
|
2010-07-05 17:58:03 +02:00
|
|
|
# Load SAML service providers
|
|
|
|
return PE_SAML_LOAD_SP_ERROR unless $self->loadSPs();
|
2010-03-25 12:24:52 +01:00
|
|
|
|
2010-09-13 17:10:39 +02:00
|
|
|
# Load SAML identity providers
|
|
|
|
# Required to manage SLO in Proxy mode
|
|
|
|
return PE_SAML_LOAD_IDP_ERROR unless $self->loadIDPs();
|
|
|
|
|
2010-03-25 12:24:52 +01:00
|
|
|
PE_OK;
|
2009-04-07 22:38:24 +02:00
|
|
|
}
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
## @apmethod int issuerForUnAuthUser()
|
2010-04-07 14:27:50 +02:00
|
|
|
# Check if there is an SAML authentication request
|
|
|
|
# Called only for unauthenticated users, check isPassive flag
|
2009-04-07 22:38:24 +02:00
|
|
|
# @return Lemonldap::NG::Portal error code
|
2009-12-10 18:03:57 +01:00
|
|
|
sub issuerForUnAuthUser {
|
2010-03-26 17:47:17 +01:00
|
|
|
my $self = shift;
|
2010-03-26 14:56:37 +01:00
|
|
|
my $server = $self->{_lassoServer};
|
|
|
|
|
2010-03-26 17:02:27 +01:00
|
|
|
# Get configuration parameter
|
2010-03-26 14:56:37 +01:00
|
|
|
my $saml_sso_soap_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
|
|
|
|
my $saml_sso_soap_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );
|
2010-05-28 12:35:24 +02:00
|
|
|
my $saml_sso_get_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect", 1 );
|
|
|
|
my $saml_sso_get_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect", 2 );
|
|
|
|
my $saml_sso_post_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTPPost",
|
|
|
|
1 );
|
|
|
|
my $saml_sso_post_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTPPost",
|
|
|
|
2 );
|
2010-07-01 13:31:24 +02:00
|
|
|
my $saml_sso_art_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact", 1 );
|
|
|
|
my $saml_sso_art_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact", 2 );
|
2010-04-20 12:04:34 +02:00
|
|
|
my $saml_slo_soap_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceSOAP", 1 );
|
|
|
|
my $saml_slo_soap_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceSOAP", 2 );
|
2010-05-28 12:35:24 +02:00
|
|
|
my $saml_slo_get_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect", 1 );
|
|
|
|
my $saml_slo_get_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect", 2 );
|
|
|
|
my $saml_slo_post_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceHTTPPost",
|
|
|
|
1 );
|
|
|
|
my $saml_slo_post_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceHTTPPost",
|
|
|
|
2 );
|
2010-04-08 13:03:53 +02:00
|
|
|
my $saml_ars_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorArtifactResolutionServiceArtifact");
|
2010-05-04 12:10:34 +02:00
|
|
|
my $saml_slo_url_relay_soap =
|
|
|
|
$self->{portal} . '/saml/relaySingleLogoutSOAP';
|
2010-06-16 12:32:43 +02:00
|
|
|
my $saml_slo_url_relay_post =
|
|
|
|
$self->{portal} . '/saml/relaySingleLogoutPOST';
|
2010-06-21 18:24:50 +02:00
|
|
|
my $saml_slo_url_relay_term =
|
|
|
|
$self->{portal} . '/saml/relaySingleLogoutTermination';
|
2010-06-01 17:34:08 +02:00
|
|
|
my $saml_att_soap_url = $self->getMetaDataURL(
|
|
|
|
"samlAttributeAuthorityDescriptorAttributeServiceSOAP", 1 );
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-03-26 17:47:17 +01:00
|
|
|
# Get HTTP request informations to know
|
|
|
|
# if we are receving SAML request or response
|
|
|
|
my $url = $self->url();
|
|
|
|
my $request_method = $self->request_method();
|
|
|
|
my $content_type = $self->content_type();
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
# 1.1. SSO
|
2010-05-28 12:35:24 +02:00
|
|
|
if ( $url =~
|
2010-07-01 13:31:24 +02:00
|
|
|
/^(\Q$saml_sso_soap_url\E|\Q$saml_sso_soap_url_ret\E|\Q$saml_sso_get_url\E|\Q$saml_sso_get_url_ret\E|\Q$saml_sso_post_url\E|\Q$saml_sso_post_url_ret\E|\Q$saml_sso_art_url\E|\Q$saml_sso_art_url_ret\E)$/io
|
2010-05-28 12:35:24 +02:00
|
|
|
)
|
|
|
|
{
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-03-26 17:47:17 +01:00
|
|
|
$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-03-26 17:02:27 +01:00
|
|
|
# Check message
|
|
|
|
my ( $request, $response, $method, $relaystate, $artifact ) =
|
2010-03-26 17:47:17 +01:00
|
|
|
$self->checkMessage( $url, $request_method, $content_type );
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-05-05 09:10:13 +02:00
|
|
|
# Create Login object
|
|
|
|
my $login = $self->createLogin($server);
|
2010-03-26 17:02:27 +01:00
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Ignore signature verification
|
|
|
|
$self->disableSignatureVerification($login);
|
|
|
|
|
|
|
|
# Process the request
|
|
|
|
if ($request) {
|
|
|
|
|
2010-03-26 14:56:37 +01:00
|
|
|
# Process authentication request
|
|
|
|
my $result;
|
|
|
|
if ($artifact) {
|
2010-08-19 16:17:25 +02:00
|
|
|
$result = $self->processArtResponseMsg( $login, $request );
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$result = $self->processAuthnRequestMsg( $login, $request );
|
|
|
|
}
|
|
|
|
|
|
|
|
unless ($result) {
|
|
|
|
$self->lmLog( "SSO: Fail to process authentication request",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "SSO: authentication request is valid", 'debug' );
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $login->remote_providerID();
|
|
|
|
|
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
|
|
|
|
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_UNKNOWN_ENTITY;
|
2010-05-04 12:10:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
|
|
|
|
|
|
|
# Do we check signature?
|
2010-05-20 12:25:00 +02:00
|
|
|
my $checkSSOMessageSignature =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsCheckSSOMessageSignature};
|
|
|
|
|
|
|
|
if ($checkSSOMessageSignature) {
|
|
|
|
unless ( $self->checkSignatureStatus($login) ) {
|
|
|
|
$self->lmLog( "Signature is not valid", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SIGNATURE_ERROR;
|
2010-05-20 12:25:00 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Signature is valid", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Message signature will not be checked",
|
|
|
|
'debug' );
|
|
|
|
}
|
2010-05-04 12:10:34 +02:00
|
|
|
|
2010-03-26 14:56:37 +01:00
|
|
|
# Get SAML request
|
|
|
|
my $saml_request = $login->request();
|
|
|
|
unless ($saml_request) {
|
|
|
|
$self->lmLog( "No SAML request found", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
|
2010-05-21 15:44:16 +02:00
|
|
|
# Check Destination
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_DESTINATION_ERROR
|
2010-05-21 15:44:16 +02:00
|
|
|
unless ( $self->checkDestination( $saml_request, $url ) );
|
|
|
|
|
2010-03-26 14:56:37 +01:00
|
|
|
# Check isPassive flag
|
|
|
|
my $isPassive = $saml_request->IsPassive();
|
|
|
|
|
|
|
|
if ($isPassive) {
|
2010-04-07 12:11:21 +02:00
|
|
|
$self->lmLog(
|
|
|
|
"Found isPassive flag in SAML request, not compatible with unauthenticated user",
|
|
|
|
'error'
|
|
|
|
);
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
|
2010-07-02 13:29:00 +02:00
|
|
|
# Store SAML elements in memory in case of proxying
|
|
|
|
$self->{_proxiedSamlRequest} = $saml_request;
|
|
|
|
$self->{_proxiedRequest} = $request;
|
|
|
|
$self->{_proxiedMethod} = $method;
|
|
|
|
$self->{_proxiedRelayState} = $relaystate;
|
|
|
|
$self->{_proxiedArtifact} = $artifact;
|
2010-06-28 17:00:14 +02:00
|
|
|
|
2010-08-18 15:39:15 +02:00
|
|
|
# Create a back link on SP displayed on login page
|
|
|
|
my $html = "<a href=\"" . $self->referer() . "\">";
|
|
|
|
$html .=
|
|
|
|
&Lemonldap::NG::Portal::_i18n::msg( PM_BACKTOSP,
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE} );
|
|
|
|
$html .= "</a>";
|
|
|
|
$self->loginInfo($html);
|
|
|
|
|
2010-06-28 17:00:14 +02:00
|
|
|
return PE_OK;
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
|
2010-05-21 15:44:16 +02:00
|
|
|
elsif ($response) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Authentication responses are not managed by this module",
|
|
|
|
'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
# No request or response
|
|
|
|
# This should not happen
|
|
|
|
$self->lmLog( "No request or response found", 'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
2010-03-26 14:56:37 +01:00
|
|
|
}
|
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
# 1.2. SLO
|
|
|
|
if ( $url =~
|
2010-07-01 13:31:24 +02:00
|
|
|
/^(\Q$saml_slo_soap_url\E|\Q$saml_slo_soap_url_ret\E|\Q$saml_slo_get_url\E|\Q$saml_slo_get_url_ret\E|\Q$saml_slo_post_url\E|\Q$saml_slo_post_url_ret\E)$/io
|
2010-04-20 12:04:34 +02:00
|
|
|
)
|
|
|
|
{
|
|
|
|
|
|
|
|
$self->lmLog( "URL $url detected as an SLO URL", 'debug' );
|
|
|
|
|
|
|
|
# Check SAML Message
|
|
|
|
my ( $request, $response, $method, $relaystate, $artifact ) =
|
|
|
|
$self->checkMessage( $url, $request_method, $content_type, "logout" );
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Create Logout object
|
|
|
|
my $logout = $self->createLogout($server);
|
|
|
|
|
|
|
|
# Ignore signature verification
|
|
|
|
$self->disableSignatureVerification($logout);
|
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
if ($request) {
|
|
|
|
|
|
|
|
# Process logout request
|
|
|
|
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
|
|
|
|
$self->lmLog( "SLO: Fail to process logout request", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
|
|
|
|
# Cannot send SLO error response if request not processed
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-04-20 12:04:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "SLO: Logout request is valid", 'debug' );
|
|
|
|
|
2010-06-28 10:34:15 +02:00
|
|
|
# We accept only SOAP here
|
|
|
|
unless ( $method eq $self->getHttpMethod('soap') ) {
|
|
|
|
$self->lmLog( "Only SOAP requests allowed here", 'error' );
|
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
|
|
|
}
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $logout->remote_providerID();
|
|
|
|
|
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
|
|
|
|
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration",
|
|
|
|
'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-05-04 12:10:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
|
|
|
|
|
|
|
# Do we check signature?
|
2010-05-20 12:25:00 +02:00
|
|
|
my $checkSLOMessageSignature =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsCheckSLOMessageSignature};
|
|
|
|
|
|
|
|
if ($checkSLOMessageSignature) {
|
|
|
|
unless ( $self->checkSignatureStatus($logout) ) {
|
|
|
|
$self->lmLog( "Signature is not valid", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-05-20 12:25:00 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Signature is valid", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Message signature will not be checked",
|
|
|
|
'debug' );
|
|
|
|
}
|
2010-05-04 12:10:34 +02:00
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
# Get SAML request
|
|
|
|
my $saml_request = $logout->request();
|
|
|
|
unless ($saml_request) {
|
|
|
|
$self->lmLog( "No SAML request found", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-04-20 12:04:34 +02:00
|
|
|
}
|
|
|
|
|
2010-05-21 15:44:16 +02:00
|
|
|
# Check Destination
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method )
|
2010-05-21 15:44:16 +02:00
|
|
|
unless ( $self->checkDestination( $saml_request, $url ) );
|
|
|
|
|
2010-06-11 12:17:43 +02:00
|
|
|
# Get session index
|
|
|
|
my $session_index;
|
|
|
|
eval { $session_index = $logout->request()->SessionIndex; };
|
|
|
|
|
|
|
|
# SLO requests without session index are not accepted
|
|
|
|
unless ( defined $session_index ) {
|
|
|
|
$self->lmLog(
|
|
|
|
"No session index in SLO request from $spConfKey SP",
|
|
|
|
'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-11 12:17:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Decrypt session index
|
|
|
|
my $local_session_id = $self->{cipher}->decrypt($session_index);
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Get session id $local_session_id (decrypted from $session_index)",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
|
|
|
|
# Open local session
|
|
|
|
my $local_session = $self->getApacheSession( $local_session_id, 1 );
|
|
|
|
|
2010-06-14 16:52:52 +02:00
|
|
|
unless ($local_session) {
|
|
|
|
$self->lmLog( "No local session found", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-14 16:52:52 +02:00
|
|
|
}
|
2010-06-14 16:18:27 +02:00
|
|
|
|
2010-06-11 12:17:43 +02:00
|
|
|
# Load Session and Identity if they exist
|
|
|
|
my $session = $local_session->{_lassoSessionDump};
|
|
|
|
my $identity = $local_session->{_lassoIdentityDump};
|
|
|
|
|
|
|
|
if ($session) {
|
|
|
|
unless ( $self->setSessionFromDump( $logout, $session ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-11 12:17:43 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($identity) {
|
2010-06-14 16:52:52 +02:00
|
|
|
unless ( $self->setIdentityFromDump( $logout, $identity ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Identity", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-11 12:17:43 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-06-11 16:13:26 +02:00
|
|
|
# Close SAML sessions
|
2010-06-14 16:52:52 +02:00
|
|
|
unless ( $self->deleteSAMLSecondarySessions($local_session_id) ) {
|
2010-06-11 16:13:26 +02:00
|
|
|
$self->lmLog( "Fail to delete SAML sessions", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-11 16:13:26 +02:00
|
|
|
}
|
|
|
|
|
2010-06-11 12:17:43 +02:00
|
|
|
# Close local session
|
|
|
|
unless ( $self->_deleteSession($local_session) ) {
|
|
|
|
$self->lmLog( "Fail to delete session $local_session_id",
|
|
|
|
'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-11 12:17:43 +02:00
|
|
|
}
|
|
|
|
|
2010-06-21 17:44:18 +02:00
|
|
|
# Validate request if no previous error
|
|
|
|
unless ( $self->validateLogoutRequest($logout) ) {
|
|
|
|
$self->lmLog( "SLO request is not valid", 'error' );
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-06-21 17:44:18 +02:00
|
|
|
}
|
|
|
|
|
2010-06-11 16:50:28 +02:00
|
|
|
# Try to send SLO request trough SOAP
|
|
|
|
$self->resetProviderIdIndex($logout);
|
|
|
|
while ( my $providerID = $self->getNextProviderId($logout) ) {
|
|
|
|
|
|
|
|
# Send logout request
|
|
|
|
my ( $rstatus, $rmethod, $rinfo ) =
|
2010-07-03 16:38:46 +02:00
|
|
|
$self->sendLogoutRequestToProvider( $logout, $providerID,
|
|
|
|
$self->getHttpMethod('soap'), 0 );
|
2010-06-11 16:50:28 +02:00
|
|
|
|
2010-06-14 17:42:32 +02:00
|
|
|
if ($rstatus) {
|
|
|
|
$self->lmLog( "SOAP SLO successful on $providerID",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "SOAP SLO error on $providerID", 'debug' );
|
|
|
|
}
|
2010-06-11 16:50:28 +02:00
|
|
|
}
|
2010-06-11 12:17:43 +02:00
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
# Set RelayState
|
|
|
|
if ($relaystate) {
|
|
|
|
$logout->msg_relayState($relaystate);
|
|
|
|
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-05-20 15:08:07 +02:00
|
|
|
# Signature
|
|
|
|
my $signSLOMessage =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsSignSLOMessage};
|
|
|
|
|
2010-07-01 18:05:57 +02:00
|
|
|
if ( $signSLOMessage == 0 ) {
|
|
|
|
$self->lmLog( "SLO response will not be signed", 'debug' );
|
|
|
|
$self->disableSignature($logout);
|
|
|
|
}
|
|
|
|
elsif ( $signSLOMessage == 1 ) {
|
|
|
|
$self->lmLog( "SLO response will be signed", 'debug' );
|
|
|
|
$self->forceSignature($logout);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "SLO response signature according to metadata",
|
|
|
|
'debug' );
|
2010-04-20 12:04:34 +02:00
|
|
|
}
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
# Send logout response
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method )
|
2010-04-26 12:02:26 +02:00
|
|
|
unless (
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->sendLogoutResponseToServiceProvider( $logout, $method )
|
2010-04-26 12:02:26 +02:00
|
|
|
);
|
2010-04-20 12:04:34 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2010-06-16 18:17:05 +02:00
|
|
|
elsif ($response) {
|
|
|
|
|
|
|
|
# Process logout response
|
|
|
|
my $result = $self->processLogoutResponseMsg( $logout, $response );
|
|
|
|
|
|
|
|
unless ($result) {
|
|
|
|
$self->lmLog( "Fail to process logout response", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "Logout response is valid", 'debug' );
|
|
|
|
|
|
|
|
# Check Destination
|
|
|
|
return PE_IMG_NOK
|
|
|
|
unless ( $self->checkDestination( $logout->response, $url ) );
|
|
|
|
|
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $logout->remote_providerID();
|
|
|
|
|
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
|
|
|
|
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration",
|
|
|
|
'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
|
|
|
|
|
|
|
# Do we check signature?
|
|
|
|
my $checkSLOMessageSignature =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsCheckSLOMessageSignature};
|
|
|
|
|
|
|
|
if ($checkSLOMessageSignature) {
|
|
|
|
unless ( $self->checkSignatureStatus($logout) ) {
|
|
|
|
$self->lmLog( "Signature is not valid", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Signature is valid", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Message signature will not be checked",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
|
2010-06-21 16:28:42 +02:00
|
|
|
# Store success status for this SLO request
|
|
|
|
my $sloStatusSessionInfos = $self->getSamlSession($relaystate);
|
|
|
|
|
|
|
|
if ($sloStatusSessionInfos) {
|
|
|
|
$sloStatusSessionInfos->{$spConfKey} = 1;
|
|
|
|
untie %$sloStatusSessionInfos;
|
|
|
|
$self->lmLog(
|
|
|
|
"Store SLO status for $spConfKey in session $relaystate",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unable to store SLO status for $spConfKey in session $relaystate",
|
|
|
|
'warn'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2010-06-16 18:17:05 +02:00
|
|
|
# SLO response is OK
|
|
|
|
$self->lmLog( "Display OK status for SLO on $spConfKey", 'debug' );
|
|
|
|
return PE_IMG_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
# No request or response
|
|
|
|
# This should not happen
|
|
|
|
$self->lmLog( "No request or response found", 'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
2010-04-20 12:04:34 +02:00
|
|
|
}
|
|
|
|
|
2010-06-23 11:58:14 +02:00
|
|
|
# 1.3. SLO relay
|
2010-06-16 12:32:43 +02:00
|
|
|
|
|
|
|
# 1.3.1 SOAP
|
2010-04-29 15:47:57 +02:00
|
|
|
# This URL is used by IMG html tag, and should returned PE_IMG_*
|
2010-05-05 09:10:13 +02:00
|
|
|
if ( $url =~ /^(\Q$saml_slo_url_relay_soap\E)/io ) {
|
2010-04-28 19:16:38 +02:00
|
|
|
|
2010-06-16 12:32:43 +02:00
|
|
|
$self->lmLog( "URL $url detected as a SOAP relay service URL",
|
|
|
|
'debug' );
|
2010-04-28 19:16:38 +02:00
|
|
|
|
2010-04-29 15:39:26 +02:00
|
|
|
# Check if relay parameter is present (mandatory)
|
2010-06-21 16:28:42 +02:00
|
|
|
my $relayID;
|
|
|
|
unless ( $relayID = $self->param('relay') ) {
|
2010-04-29 15:39:26 +02:00
|
|
|
$self->lmLog( "No relayID detected", 'error' );
|
2010-05-04 12:10:34 +02:00
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Retrieve the corresponding data from samlStorage
|
2010-06-21 16:28:42 +02:00
|
|
|
my $relayInfos = $self->getSamlSession($relayID);
|
|
|
|
unless ($relayInfos) {
|
|
|
|
$self->lmLog( "Could not get relay session $relayID", 'error' );
|
2010-05-04 12:10:34 +02:00
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
|
2010-06-21 16:28:42 +02:00
|
|
|
$self->lmLog( "Found relay session $relayID", 'debug' );
|
|
|
|
|
2010-04-29 15:39:26 +02:00
|
|
|
# Rebuild the logout object
|
|
|
|
my $logout;
|
|
|
|
unless ( $logout = $self->createLogout($server) ) {
|
2010-05-04 12:10:34 +02:00
|
|
|
$self->lmLog( "Could not rebuild logout object", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Load Session and Identity if they exist
|
2010-06-21 16:28:42 +02:00
|
|
|
my $session = $relayInfos->{_lassoSessionDump};
|
|
|
|
my $identity = $relayInfos->{_lassoIdentityDump};
|
|
|
|
my $providerID = $relayInfos->{_providerID};
|
|
|
|
my $relayState = $relayInfos->{_relayState};
|
|
|
|
my $spConfKey = $self->{_spList}->{$providerID}->{confKey};
|
2010-04-29 15:39:26 +02:00
|
|
|
|
|
|
|
if ($session) {
|
|
|
|
unless ( $self->setSessionFromDump( $logout, $session ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
2010-05-04 12:10:34 +02:00
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($identity) {
|
|
|
|
unless ( $self->setIdentityFromDump( $logout, $identity ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Identity", 'error' );
|
2010-05-04 12:10:34 +02:00
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Send the logout request
|
|
|
|
my ( $rstatus, $rmethod, $rinfo ) =
|
2010-07-03 16:38:46 +02:00
|
|
|
$self->sendLogoutRequestToProvider( $logout, $providerID,
|
2010-05-04 12:10:34 +02:00
|
|
|
Lasso::Constants::HTTP_METHOD_SOAP );
|
2010-04-29 15:39:26 +02:00
|
|
|
unless ($rstatus) {
|
|
|
|
$self->lmLog( "Fail to process SOAP logout request to $providerID",
|
2010-05-05 09:10:13 +02:00
|
|
|
'error' );
|
2010-04-29 15:47:57 +02:00
|
|
|
return PE_IMG_NOK;
|
2010-04-29 15:39:26 +02:00
|
|
|
}
|
|
|
|
|
2010-06-21 16:28:42 +02:00
|
|
|
# Store success status for this SLO request
|
|
|
|
my $sloStatusSessionInfos = $self->getSamlSession($relayState);
|
2010-04-28 19:16:38 +02:00
|
|
|
|
2010-06-21 16:28:42 +02:00
|
|
|
if ($sloStatusSessionInfos) {
|
|
|
|
$sloStatusSessionInfos->{$spConfKey} = 1;
|
|
|
|
untie %$sloStatusSessionInfos;
|
|
|
|
$self->lmLog(
|
|
|
|
"Store SLO status for $spConfKey in session $relayState",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unable to store SLO status for $spConfKey in session $relayState",
|
|
|
|
'warn'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2010-08-31 16:36:45 +02:00
|
|
|
# Delete relay session
|
|
|
|
eval { tied(%$relayInfos)->delete(); };
|
|
|
|
|
2010-06-21 16:28:42 +02:00
|
|
|
# SLO response is OK
|
|
|
|
$self->lmLog( "Display OK status for SLO on $spConfKey", 'debug' );
|
|
|
|
return PE_IMG_OK;
|
2010-04-28 19:16:38 +02:00
|
|
|
}
|
|
|
|
|
2010-06-16 12:32:43 +02:00
|
|
|
# 1.3.2 POST
|
|
|
|
# This URL is used as iframe source, and autoPost a form
|
|
|
|
# Can return an error img
|
|
|
|
if ( $url =~ /^(\Q$saml_slo_url_relay_post\E)/io ) {
|
|
|
|
|
|
|
|
$self->lmLog( "URL $url detected as a POST relay service URL",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Check if relay parameter is present (mandatory)
|
|
|
|
my $relayID;
|
|
|
|
unless ( $relayID = $self->param('relay') ) {
|
|
|
|
$self->lmLog( "No relayID detected", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Retrieve the corresponding data from samlStorage
|
|
|
|
my $relayInfos = $self->getSamlSession($relayID);
|
|
|
|
unless ($relayInfos) {
|
|
|
|
$self->lmLog( "Could not get relay session $relayID", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "Found relay session $relayID", 'debug' );
|
|
|
|
|
|
|
|
# Get data to build POST form
|
2010-09-01 14:56:15 +02:00
|
|
|
$self->{postUrl} = $relayInfos->{url};
|
2010-06-16 15:08:18 +02:00
|
|
|
$self->{postFields}->{'SAMLRequest'} = $relayInfos->{body};
|
2010-06-21 16:28:42 +02:00
|
|
|
$self->{postFields}->{'RelayState'} = $relayInfos->{relayState};
|
2010-06-16 12:32:43 +02:00
|
|
|
|
2010-08-31 16:36:45 +02:00
|
|
|
# Delete relay session
|
|
|
|
eval { tied(%$relayInfos)->delete(); };
|
|
|
|
|
2010-06-16 12:32:43 +02:00
|
|
|
$self->_subProcess(qw(autoPost));
|
|
|
|
|
|
|
|
# If we are here, there was a problem with POST response
|
|
|
|
$self->lmLog( "Logout response was not sent trough POST", 'error' );
|
|
|
|
return PE_IMG_NOK;
|
|
|
|
}
|
|
|
|
|
2010-06-21 18:24:50 +02:00
|
|
|
# 1.3.3 Termination
|
|
|
|
# Used to send SLO response to SP issuing SLO request
|
|
|
|
if ( $url =~ /^(\Q$saml_slo_url_relay_term\E)/io ) {
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"URL $url detected as a SLO Termination relay service URL",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Check if relay parameter is present (mandatory)
|
|
|
|
my $relayID;
|
2010-06-23 16:03:18 +02:00
|
|
|
unless ( $relayID = $self->getHiddenFormValue('relay') ) {
|
2010-06-21 18:24:50 +02:00
|
|
|
$self->lmLog( "No relayID detected", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-21 18:24:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Retrieve the corresponding data from samlStorage
|
|
|
|
my $relayInfos = $self->getSamlSession($relayID);
|
|
|
|
unless ($relayInfos) {
|
|
|
|
$self->lmLog( "Could not get relay session $relayID", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SESSION_ERROR;
|
2010-06-21 18:24:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "Found relay session $relayID", 'debug' );
|
|
|
|
|
2010-06-23 11:58:14 +02:00
|
|
|
# Get data from relay session
|
|
|
|
my $logout_dump = $relayInfos->{_logout};
|
|
|
|
my $session_dump = $relayInfos->{_session};
|
|
|
|
my $method = $relayInfos->{_method};
|
|
|
|
|
|
|
|
unless ($logout_dump) {
|
|
|
|
$self->lmLog( "Could not get logout dump", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-23 11:58:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Rebuild Lasso::Logout object
|
|
|
|
my $logout = $self->createLogout( $server, $logout_dump );
|
|
|
|
|
|
|
|
unless ($logout) {
|
|
|
|
$self->lmLog( "Could not build Lasso::Logout", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-23 11:58:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Inject session
|
|
|
|
unless ($session_dump) {
|
|
|
|
$self->lmLog( "Could not get session dump", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-23 11:58:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
unless ( $self->setSessionFromDump( $logout, $session_dump ) ) {
|
|
|
|
$self->lmLog( "Could not set session from dump", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-23 11:58:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Get Lasso::Session
|
|
|
|
my $session = $logout->get_session();
|
|
|
|
|
|
|
|
unless ($session) {
|
|
|
|
$self->lmLog( "Could not get session from logout", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-23 11:58:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Loop on assertions and remove them if SLO status is OK
|
|
|
|
$self->resetProviderIdIndex($logout);
|
|
|
|
|
|
|
|
while ( my $sp = $self->getNextProviderId($logout) ) {
|
|
|
|
|
|
|
|
# Try to get SLO status from SLO session
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
my $status = $relayInfos->{$spConfKey};
|
|
|
|
|
|
|
|
# Remove assertion if status is OK
|
|
|
|
if ($status) {
|
|
|
|
eval { $session->remove_assertion($sp); };
|
|
|
|
|
|
|
|
if ($@) {
|
|
|
|
$self->lmLog( "Unable to remove assertion for $sp",
|
|
|
|
'warn' );
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Assertion removed for $sp", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog(
|
|
|
|
"SLO status was not ok for $sp, assertion not removed",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
# Reinject session
|
|
|
|
unless ( $session->is_empty() ) {
|
|
|
|
$self->setSessionFromDump( $logout, $session->dump );
|
|
|
|
}
|
|
|
|
|
2010-08-31 16:36:45 +02:00
|
|
|
# Delete relay session
|
|
|
|
eval { tied(%$relayInfos)->delete(); };
|
|
|
|
|
2010-06-23 11:58:14 +02:00
|
|
|
# Send SLO response
|
|
|
|
$self->sendLogoutResponseToServiceProvider( $logout, $method );
|
|
|
|
|
|
|
|
# If we are here, SLO response was not sent
|
|
|
|
$self->lmLog( "Fail to send SLO response", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-21 18:24:50 +02:00
|
|
|
}
|
|
|
|
|
2010-04-28 19:16:38 +02:00
|
|
|
# 1.4. Artifacts
|
2010-05-05 09:10:13 +02:00
|
|
|
if ( $url =~ /^(\Q$saml_ars_url\E)$/io ) {
|
2010-04-08 13:03:53 +02:00
|
|
|
|
2010-04-12 11:09:53 +02:00
|
|
|
$self->lmLog( "URL $url detected as an artifact resolution service URL",
|
2010-04-08 13:03:53 +02:00
|
|
|
'debug' );
|
|
|
|
|
2010-04-12 11:09:53 +02:00
|
|
|
# Artifact request are sent with SOAP trough POST
|
|
|
|
my $art_request = $self->param('POSTDATA');
|
|
|
|
my $art_response;
|
|
|
|
|
2010-04-08 18:28:10 +02:00
|
|
|
# Create Login object
|
|
|
|
my $login = $self->createLogin($server);
|
|
|
|
|
2010-05-21 15:44:16 +02:00
|
|
|
# Process request message
|
|
|
|
unless ( $self->processArtRequestMsg( $login, $art_request ) ) {
|
|
|
|
$self->lmLog( "Unable to process artifact request message",
|
|
|
|
'error' );
|
2010-06-01 17:39:18 +02:00
|
|
|
$self->returnSOAPMessage();
|
2010-05-21 15:44:16 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Check Destination
|
2010-06-01 17:39:18 +02:00
|
|
|
$self->returnSOAPMessage()
|
2010-05-21 15:44:16 +02:00
|
|
|
unless ( $self->checkDestination( $login->request, $url ) );
|
|
|
|
|
2010-04-12 11:09:53 +02:00
|
|
|
# Create artifact response
|
2010-05-21 15:44:16 +02:00
|
|
|
unless ( $art_response = $self->createArtifactResponse($login) ) {
|
2010-04-12 11:09:53 +02:00
|
|
|
$self->lmLog( "Unable to create artifact response message",
|
2010-04-08 18:28:10 +02:00
|
|
|
'error' );
|
2010-06-01 17:34:08 +02:00
|
|
|
$self->returnSOAPMessage();
|
2010-04-08 18:28:10 +02:00
|
|
|
}
|
|
|
|
|
2010-04-12 11:09:53 +02:00
|
|
|
$self->{SOAPMessage} = $art_response;
|
2010-04-09 18:42:50 +02:00
|
|
|
|
|
|
|
$self->lmLog( "Send SOAP Message: " . $self->{SOAPMessage}, 'debug' );
|
2010-04-08 18:28:10 +02:00
|
|
|
|
|
|
|
# Return SOAP message
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
|
2010-04-12 10:26:18 +02:00
|
|
|
# If we are here, there was a problem with SOAP request
|
|
|
|
$self->lmLog( "Artifact response was not sent trough SOAP", 'error' );
|
2010-06-01 17:34:08 +02:00
|
|
|
$self->quit();
|
2010-04-12 11:09:53 +02:00
|
|
|
|
2010-04-08 13:03:53 +02:00
|
|
|
}
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# 1.5 Attribute query
|
2010-06-01 17:34:08 +02:00
|
|
|
if ( $url =~ /^(\Q$saml_att_soap_url\E)$/io ) {
|
|
|
|
|
|
|
|
$self->lmLog( "URL $url detected as an attribute service URL",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Attribute request are sent with SOAP trough POST
|
|
|
|
my $att_request = $self->param('POSTDATA');
|
|
|
|
my $att_response;
|
|
|
|
|
2010-06-02 10:09:59 +02:00
|
|
|
# Process request
|
|
|
|
my $query = $self->processAttributeRequest( $server, $att_request );
|
2010-06-01 17:34:08 +02:00
|
|
|
unless ($query) {
|
2010-06-02 10:09:59 +02:00
|
|
|
$self->lmLog( "Unable to process attribute request", 'error' );
|
2010-06-01 17:34:08 +02:00
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
2010-06-02 11:04:07 +02:00
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $query->remote_providerID();
|
|
|
|
|
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
|
|
|
|
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_UNKNOWN_ENTITY;
|
2010-06-02 11:04:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
|
|
|
|
|
|
|
# Check Destination
|
|
|
|
$self->returnSOAPMessage()
|
|
|
|
unless ( $self->checkDestination( $query->request, $url ) );
|
|
|
|
|
2010-06-02 10:09:59 +02:00
|
|
|
# Validate request
|
|
|
|
unless ( $self->validateAttributeRequest($query) ) {
|
|
|
|
$self->lmLog( "Attribute request not valid", 'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
2010-06-01 17:34:08 +02:00
|
|
|
|
2010-06-02 11:04:07 +02:00
|
|
|
# Get NameID
|
2010-06-02 11:08:33 +02:00
|
|
|
my $name_id = $query->nameIdentifier();
|
2010-06-02 11:04:07 +02:00
|
|
|
|
|
|
|
unless ($name_id) {
|
|
|
|
$self->lmLog( "Fail to get NameID from attribute request",
|
|
|
|
'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
2010-06-02 11:08:33 +02:00
|
|
|
my $user = $name_id->content();
|
|
|
|
|
2010-06-02 11:04:07 +02:00
|
|
|
# Get sessionInfo for the given NameID
|
|
|
|
my $sessionInfo;
|
|
|
|
my $saml_sessions =
|
|
|
|
$self->{samlStorage}
|
|
|
|
->searchOn( $self->{samlStorageOptions}, "_nameID", $name_id->dump );
|
|
|
|
|
|
|
|
if ( my @saml_sessions_keys = keys %$saml_sessions ) {
|
|
|
|
|
|
|
|
# Warning if more than one session found
|
|
|
|
if ( $#saml_sessions_keys > 0 ) {
|
|
|
|
$self->lmLog( "More than one SAML session found for user $user",
|
|
|
|
'warn' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Take the first session
|
|
|
|
my $saml_session = shift @saml_sessions_keys;
|
|
|
|
|
|
|
|
# Get session
|
|
|
|
$self->lmLog( "Retrieve SAML session $saml_session for user $user",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
my $samlSessionInfo = $self->getSamlSession($saml_session);
|
|
|
|
|
|
|
|
# Get real session
|
2010-08-31 16:36:45 +02:00
|
|
|
my $real_session = $samlSessionInfo->{_saml_id};
|
2010-06-02 11:04:07 +02:00
|
|
|
|
|
|
|
$self->lmLog( "Retrieve real session $real_session for user $user",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
$sessionInfo = $self->getApacheSession( $real_session, 1 );
|
|
|
|
|
|
|
|
unless ($sessionInfo) {
|
|
|
|
$self->lmLog( "Cannot get session $real_session", 'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "No SAML session found for user $user", 'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
2010-06-02 15:45:37 +02:00
|
|
|
# Get requested attributes
|
|
|
|
my @requested_attributes;
|
|
|
|
eval { @requested_attributes = $query->request()->Attribute(); };
|
|
|
|
if ($@) {
|
|
|
|
$self->checkLassoError($@);
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
|
|
|
# Returned attributes
|
|
|
|
my @returned_attributes;
|
|
|
|
|
|
|
|
# Browse SP authorized attributes
|
|
|
|
foreach (
|
|
|
|
keys %{ $self->{samlSPMetaDataExportedAttributes}->{$spConfKey} } )
|
|
|
|
{
|
|
|
|
my $sp_attr = $_;
|
|
|
|
|
|
|
|
# Extract fields from exportedAttr value
|
|
|
|
my ( $mandatory, $name, $format, $friendly_name ) =
|
|
|
|
split( /;/,
|
|
|
|
$self->{samlSPMetaDataExportedAttributes}->{$spConfKey}
|
|
|
|
->{$sp_attr} );
|
|
|
|
|
|
|
|
foreach (@requested_attributes) {
|
|
|
|
my $req_attr = $_;
|
|
|
|
my $rname = $req_attr->Name();
|
|
|
|
my $rformat = $req_attr->NameFormat();
|
|
|
|
my $rfriendly_name = $req_attr->FriendlyName();
|
|
|
|
|
|
|
|
# Skip if name does not match
|
|
|
|
next unless ( $rname =~ /^$name$/ );
|
|
|
|
|
2010-06-02 16:51:39 +02:00
|
|
|
# Check format and friendly name
|
|
|
|
next if ( $rformat and $rformat !~ /^$format$/ );
|
|
|
|
next
|
|
|
|
if ( $rfriendly_name
|
|
|
|
and $rfriendly_name !~ /^$friendly_name$/ );
|
2010-06-02 15:45:37 +02:00
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"SP $spConfKey is authorized to access attribute $rname",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Attribute $rname is linked to $sp_attr session key",
|
|
|
|
'debug' );
|
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
# Check if values are given
|
|
|
|
my $rvalue =
|
|
|
|
$self->getAttributeValue( $rname, $rformat, $rfriendly_name,
|
|
|
|
[$req_attr] );
|
|
|
|
|
|
|
|
$self->lmLog( "Some values are explicitely requested: $rvalue",
|
|
|
|
'debug' )
|
|
|
|
if defined $rvalue;
|
|
|
|
|
2010-06-02 15:45:37 +02:00
|
|
|
# Get session value
|
|
|
|
if ( $sessionInfo->{$sp_attr} ) {
|
|
|
|
|
|
|
|
my @values = split $self->{multiValuesSeparator},
|
|
|
|
$sessionInfo->{$sp_attr};
|
|
|
|
my @saml2values;
|
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
# SAML2 attribute
|
|
|
|
my $ret_attr =
|
|
|
|
$self->createAttribute( $rname, $rformat,
|
|
|
|
$rfriendly_name );
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
unless ($ret_attr) {
|
|
|
|
$self->lmLog( "Unable to create a new SAML attribute",
|
|
|
|
'error' );
|
2010-06-07 17:36:45 +02:00
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
foreach (@values) {
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
my $local_value = $_;
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
# Check if values were set in requested attribute
|
|
|
|
# In this case, only requested values can be returned
|
|
|
|
if (
|
|
|
|
$rvalue
|
|
|
|
and !map( /^$local_value$/,
|
|
|
|
split( $self->{multiValuesSeparator}, $rvalue )
|
|
|
|
)
|
|
|
|
)
|
|
|
|
{
|
|
|
|
$self->lmLog(
|
|
|
|
"$local_value value is not in requested values, it will not be sent",
|
|
|
|
'warn'
|
|
|
|
);
|
|
|
|
next;
|
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
# SAML2 attribute value
|
|
|
|
my $saml2value =
|
|
|
|
$self->createAttributeValue($local_value);
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
unless ($saml2value) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unable to create a new SAML attribute value",
|
|
|
|
'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
|
|
|
push @saml2values, $saml2value;
|
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
$self->lmLog(
|
|
|
|
"Push $local_value in SAML attribute $name",
|
2010-06-02 15:45:37 +02:00
|
|
|
'debug' );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
$ret_attr->AttributeValue(@saml2values);
|
2010-06-02 15:45:37 +02:00
|
|
|
|
|
|
|
# Push attribute in attribute list
|
2010-06-04 16:23:41 +02:00
|
|
|
push @returned_attributes, $ret_attr;
|
2010-06-02 15:45:37 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "No session value for $sp_attr", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
# Create attribute statement
|
2010-06-18 09:50:37 +02:00
|
|
|
if ( scalar @returned_attributes ) {
|
2010-06-21 17:29:59 +02:00
|
|
|
my $attribute_statement;
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-18 09:50:37 +02:00
|
|
|
eval {
|
|
|
|
$attribute_statement = Lasso::Saml2AttributeStatement->new();
|
|
|
|
};
|
2010-06-21 17:29:59 +02:00
|
|
|
if ($@) {
|
|
|
|
$self->checkLassoError($@);
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Register attributes in attribute statement
|
|
|
|
$attribute_statement->Attribute(@returned_attributes);
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Create assetion
|
|
|
|
my $assertion;
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
eval { $assertion = Lasso::Saml2Assertion->new(); };
|
|
|
|
if ($@) {
|
|
|
|
$self->checkLassoError($@);
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Add attribute statement in response assertion
|
|
|
|
my @attributes_statement = ($attribute_statement);
|
|
|
|
$assertion->AttributeStatement(@attributes_statement);
|
2010-06-02 15:45:37 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Set response assertion
|
|
|
|
$query->response->Assertion( ($assertion) );
|
2010-06-18 09:50:37 +02:00
|
|
|
}
|
2010-06-02 15:45:37 +02:00
|
|
|
|
|
|
|
# Build response
|
|
|
|
$att_response = $self->buildAttributeResponse($query);
|
|
|
|
|
|
|
|
unless ($att_response) {
|
|
|
|
$self->lmLog( "Unable to build attribute response", 'error' );
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->{SOAPMessage} = $att_response;
|
2010-05-04 12:10:34 +02:00
|
|
|
|
2010-06-01 17:34:08 +02:00
|
|
|
# Return SOAP message
|
|
|
|
$self->returnSOAPMessage();
|
|
|
|
|
|
|
|
# If we are here, there was a problem with SOAP request
|
|
|
|
$self->lmLog( "Attribute response was not sent trough SOAP", 'error' );
|
|
|
|
$self->quit();
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2009-04-07 22:38:24 +02:00
|
|
|
PE_OK;
|
|
|
|
}
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
## @apmethod int issuerForAuthUser()
|
2009-04-07 22:38:24 +02:00
|
|
|
# Check if there is an SAML authentication request for an authenticated user
|
2010-04-07 14:27:50 +02:00
|
|
|
# Build assertions and redirect user
|
2009-04-07 22:38:24 +02:00
|
|
|
# @return Lemonldap::NG::Portal error code
|
2009-12-10 18:03:57 +01:00
|
|
|
sub issuerForAuthUser {
|
2010-04-14 17:37:57 +02:00
|
|
|
my $self = shift;
|
2010-04-02 18:19:10 +02:00
|
|
|
my $server = $self->{_lassoServer};
|
2010-04-07 14:27:50 +02:00
|
|
|
my $login;
|
2010-04-07 17:14:17 +02:00
|
|
|
my $protocolProfile;
|
|
|
|
my $artifact_method;
|
2010-04-07 18:37:23 +02:00
|
|
|
my $authn_context;
|
2010-04-02 18:19:10 +02:00
|
|
|
|
2010-04-12 17:42:38 +02:00
|
|
|
# Session ID
|
|
|
|
my $session_id = $self->{sessionInfo}->{_session_id} || $self->{id};
|
|
|
|
|
2010-06-07 16:48:59 +02:00
|
|
|
# Session creation timestamp
|
|
|
|
my $time = $self->{sessionInfo}->{_utime} || time();
|
|
|
|
|
2010-04-02 18:19:10 +02:00
|
|
|
# Get configuration parameter
|
|
|
|
my $saml_sso_soap_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
|
|
|
|
my $saml_sso_soap_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 2 );
|
2010-05-28 12:35:24 +02:00
|
|
|
my $saml_sso_get_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect", 1 );
|
|
|
|
my $saml_sso_get_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect", 2 );
|
|
|
|
my $saml_sso_post_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTPPost",
|
|
|
|
1 );
|
|
|
|
my $saml_sso_post_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceHTTPPost",
|
|
|
|
2 );
|
2010-07-01 13:31:24 +02:00
|
|
|
my $saml_sso_art_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact", 1 );
|
|
|
|
my $saml_sso_art_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact", 2 );
|
2010-04-20 12:04:34 +02:00
|
|
|
my $saml_slo_soap_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceSOAP", 1 );
|
|
|
|
my $saml_slo_soap_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceSOAP", 2 );
|
2010-05-28 12:35:24 +02:00
|
|
|
my $saml_slo_get_url = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect", 1 );
|
|
|
|
my $saml_slo_get_url_ret = $self->getMetaDataURL(
|
|
|
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect", 2 );
|
|
|
|
my $saml_slo_post_url =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceHTTPPost",
|
|
|
|
1 );
|
|
|
|
my $saml_slo_post_url_ret =
|
|
|
|
$self->getMetaDataURL( "samlIDPSSODescriptorSingleLogoutServiceHTTPPost",
|
|
|
|
2 );
|
2010-04-02 18:19:10 +02:00
|
|
|
|
|
|
|
# Get HTTP request informations to know
|
|
|
|
# if we are receving SAML request or response
|
|
|
|
my $url = $self->url();
|
|
|
|
my $request_method = $self->request_method();
|
|
|
|
my $content_type = $self->content_type();
|
|
|
|
|
2010-07-02 13:29:00 +02:00
|
|
|
# 1.1. SSO (SSO URL or Proxy Mode)
|
2010-05-28 12:35:24 +02:00
|
|
|
if ( $url =~
|
2010-07-01 13:31:24 +02:00
|
|
|
/^(\Q$saml_sso_soap_url\E|\Q$saml_sso_soap_url_ret\E|\Q$saml_sso_get_url\E|\Q$saml_sso_get_url_ret\E|\Q$saml_sso_post_url\E|\Q$saml_sso_post_url_ret\E|\Q$saml_sso_art_url\E|\Q$saml_sso_art_url_ret\E)$/io
|
2010-07-02 13:29:00 +02:00
|
|
|
or $self->{_proxiedRequest} )
|
2010-05-28 12:35:24 +02:00
|
|
|
{
|
2010-04-02 18:19:10 +02:00
|
|
|
|
|
|
|
$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );
|
|
|
|
|
|
|
|
# Check message
|
2010-07-02 13:29:00 +02:00
|
|
|
my ( $request, $response, $method, $relaystate, $artifact );
|
|
|
|
|
|
|
|
if ( $self->{_proxiedRequest} ) {
|
|
|
|
$request = $self->{_proxiedRequest};
|
|
|
|
$method = $self->{_proxiedMethod};
|
|
|
|
$relaystate = $self->{_proxiedRelayState};
|
|
|
|
$artifact = $self->{_proxiedArtifact};
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
( $request, $response, $method, $relaystate, $artifact ) =
|
2010-09-01 14:56:15 +02:00
|
|
|
$self->checkMessage( $url, $request_method, $content_type );
|
2010-07-02 13:29:00 +02:00
|
|
|
}
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Create Login object
|
|
|
|
my $login = $self->createLogin($server);
|
|
|
|
|
|
|
|
# Ignore signature verification
|
|
|
|
$self->disableSignatureVerification($login);
|
|
|
|
|
2010-04-02 18:19:10 +02:00
|
|
|
# Process the request
|
2010-04-07 12:11:21 +02:00
|
|
|
if ($request) {
|
2010-04-02 18:19:10 +02:00
|
|
|
|
2010-04-12 15:23:22 +02:00
|
|
|
# Load Session and Identity if they exist
|
|
|
|
my $session = $self->{sessionInfo}->{_lassoSessionDump};
|
|
|
|
my $identity = $self->{sessionInfo}->{_lassoIdentityDump};
|
|
|
|
|
|
|
|
if ($session) {
|
|
|
|
unless ( $self->setSessionFromDump( $login, $session ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-12 15:23:22 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($identity) {
|
|
|
|
unless ( $self->setIdentityFromDump( $login, $identity ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Identity", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-12 15:23:22 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-04-02 18:19:10 +02:00
|
|
|
# Process authentication request
|
|
|
|
my $result;
|
|
|
|
if ($artifact) {
|
2010-08-19 16:17:25 +02:00
|
|
|
$result = $self->processArtResponseMsg( $login, $request );
|
2010-04-02 18:19:10 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$result = $self->processAuthnRequestMsg( $login, $request );
|
|
|
|
}
|
|
|
|
|
|
|
|
unless ($result) {
|
|
|
|
$self->lmLog( "SSO: Fail to process authentication request",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-02 18:19:10 +02:00
|
|
|
}
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $login->remote_providerID();
|
2010-04-15 16:42:17 +02:00
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
2010-04-15 16:42:17 +02:00
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_UNKNOWN_ENTITY;
|
2010-04-15 16:42:17 +02:00
|
|
|
}
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
2010-04-15 17:40:07 +02:00
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Do we check signature?
|
2010-05-20 12:25:00 +02:00
|
|
|
my $checkSSOMessageSignature =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsCheckSSOMessageSignature};
|
|
|
|
|
|
|
|
if ($checkSSOMessageSignature) {
|
|
|
|
unless ( $self->checkSignatureStatus($login) ) {
|
|
|
|
$self->lmLog( "Signature is not valid", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SIGNATURE_ERROR;
|
2010-05-20 12:25:00 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Signature is valid", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Message signature will not be checked",
|
|
|
|
'debug' );
|
|
|
|
}
|
2010-04-15 16:42:17 +02:00
|
|
|
|
2010-04-07 14:27:50 +02:00
|
|
|
# Validate request
|
|
|
|
unless ( $self->validateRequestMsg( $login, 1, 1 ) ) {
|
|
|
|
$self->lmLog( "Unable to validate SSO request message",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-14 17:37:57 +02:00
|
|
|
}
|
2010-04-07 14:27:50 +02:00
|
|
|
|
2010-04-02 18:19:10 +02:00
|
|
|
$self->lmLog( "SSO: authentication request is valid", 'debug' );
|
|
|
|
|
2010-06-07 16:48:59 +02:00
|
|
|
# Get ForceAuthn flag
|
|
|
|
my $force_authn;
|
|
|
|
|
|
|
|
eval { $force_authn = $login->request()->ForceAuthn(); };
|
|
|
|
if ($@) {
|
|
|
|
$self->lmLog( "Unable to get ForceAuthn flag, set it to false",
|
|
|
|
'warn' );
|
|
|
|
$force_authn = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "Found ForceAuthn flag with value $force_authn",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Get ForceAuthn sessions for this session_id
|
|
|
|
my $forceAuthn_sessions =
|
2010-08-31 16:36:45 +02:00
|
|
|
$self->{samlStorage}
|
|
|
|
->searchOn( $self->{samlStorageOptions}, "_saml_id",
|
|
|
|
$session_id );
|
2010-06-07 16:48:59 +02:00
|
|
|
|
|
|
|
my $forceAuthn_session;
|
2010-06-07 17:36:45 +02:00
|
|
|
my $forceAuthnSessionInfo;
|
2010-06-07 16:48:59 +02:00
|
|
|
|
|
|
|
if ( my @forceAuthn_sessions_keys = keys %$forceAuthn_sessions ) {
|
|
|
|
|
|
|
|
# Warning if more than one session found
|
|
|
|
if ( $#forceAuthn_sessions_keys > 0 ) {
|
|
|
|
$self->lmLog(
|
|
|
|
"More than one ForceAuthn session found for session $session_id",
|
|
|
|
'warn'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
# Take the first session
|
|
|
|
$forceAuthn_session = shift @forceAuthn_sessions_keys;
|
|
|
|
|
|
|
|
# Get session
|
|
|
|
$self->lmLog(
|
|
|
|
"Retrieve ForceAuthn session $forceAuthn_session for session $session_id",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
|
2010-06-07 17:36:45 +02:00
|
|
|
$forceAuthnSessionInfo =
|
2010-06-07 16:48:59 +02:00
|
|
|
$self->getSamlSession($forceAuthn_session);
|
|
|
|
|
|
|
|
# Check forceAuthn flag for current SP
|
|
|
|
if ( $forceAuthnSessionInfo->{$spConfKey} ) {
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"User was already forced to reauthenticate for SP $spConfKey",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
$force_authn = 1;
|
|
|
|
}
|
2010-06-07 17:36:45 +02:00
|
|
|
|
|
|
|
untie %$forceAuthnSessionInfo;
|
2010-06-07 16:48:59 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog(
|
|
|
|
"No ForceAuthn session found for session $session_id",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Force authentication if flag is on, or previous flag still active
|
|
|
|
if ($force_authn) {
|
|
|
|
|
|
|
|
# Store flag for further requests
|
2010-06-07 17:36:45 +02:00
|
|
|
$forceAuthnSessionInfo =
|
2010-06-07 16:48:59 +02:00
|
|
|
$self->getSamlSession($forceAuthn_session);
|
|
|
|
$forceAuthnSessionInfo->{$spConfKey} = 1;
|
|
|
|
|
|
|
|
unless ($forceAuthn_session) {
|
2010-09-01 14:56:15 +02:00
|
|
|
$forceAuthnSessionInfo->{'_type'} = "forceAuthn";
|
2010-08-31 16:36:45 +02:00
|
|
|
$forceAuthnSessionInfo->{'_saml_id'} = $session_id;
|
2010-09-01 14:56:15 +02:00
|
|
|
$forceAuthnSessionInfo->{'_utime'} = $time;
|
2010-06-07 16:48:59 +02:00
|
|
|
$forceAuthn_session = $forceAuthnSessionInfo->{_session_id};
|
|
|
|
$self->lmLog(
|
|
|
|
"Create ForceAuthn session $forceAuthn_session",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
untie %$forceAuthnSessionInfo;
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Set ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
|
|
|
|
# Replay authentication process
|
|
|
|
$self->{updateSession} = 1;
|
|
|
|
$self->{error} = $self->_subProcess(
|
2010-07-02 17:14:54 +02:00
|
|
|
qw(issuerDBInit authInit issuerForUnAuthUser extractFormInfo
|
2010-06-07 16:48:59 +02:00
|
|
|
userDBInit getUser setAuthSessionInfo setSessionInfo
|
2010-10-21 12:28:47 +02:00
|
|
|
setMacros setLocalGroups setGroups setPersistentSessionInfo
|
|
|
|
authenticate store authFinish)
|
2010-06-07 16:48:59 +02:00
|
|
|
);
|
|
|
|
|
|
|
|
# Return error if any
|
|
|
|
return $self->{error} if $self->{error} > 0;
|
|
|
|
|
|
|
|
# Else remove flag
|
2010-06-07 17:36:45 +02:00
|
|
|
$forceAuthnSessionInfo =
|
2010-06-07 16:48:59 +02:00
|
|
|
$self->getSamlSession($forceAuthn_session);
|
|
|
|
$forceAuthnSessionInfo->{$spConfKey} = 0;
|
|
|
|
untie %$forceAuthnSessionInfo;
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Unset ForceAuthn flag for SP $spConfKey in ForceAuthn session $forceAuthn_session",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2010-07-02 13:29:00 +02:00
|
|
|
# Check Destination (only in non proxy mode)
|
|
|
|
unless ( $self->{_proxiedRequest} ) {
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_DESTINATION_ERROR
|
2010-09-01 14:56:15 +02:00
|
|
|
unless ( $self->checkDestination( $login->request, $url ) );
|
2010-07-02 13:29:00 +02:00
|
|
|
}
|
2010-05-21 15:44:16 +02:00
|
|
|
|
2010-04-14 18:22:55 +02:00
|
|
|
# Map authenticationLevel with SAML2 authentication context
|
2010-04-15 11:06:53 +02:00
|
|
|
my $authenticationLevel =
|
|
|
|
$self->{sessionInfo}->{authenticationLevel};
|
2010-04-07 18:37:23 +02:00
|
|
|
|
2010-05-12 17:56:27 +02:00
|
|
|
$authn_context =
|
|
|
|
$self->authnLevel2authnContext($authenticationLevel);
|
2010-04-07 18:37:23 +02:00
|
|
|
|
|
|
|
$self->lmLog( "Authentication context is $authn_context", 'debug' );
|
|
|
|
|
|
|
|
# Build Assertion
|
|
|
|
unless ( $self->buildAssertion( $login, $authn_context ) ) {
|
|
|
|
$self->lmLog( "Unable to build assertion", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-07 18:37:23 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "SSO: assertion is built", 'debug' );
|
2010-04-07 14:27:50 +02:00
|
|
|
|
2010-05-20 17:57:51 +02:00
|
|
|
# Get default NameID Format from configuration
|
|
|
|
# Set to "email" if no value in configuration
|
|
|
|
my $nameIDFormatKey =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsNameIDFormat} || "email";
|
2010-06-17 15:29:53 +02:00
|
|
|
my $nameIDFormat;
|
2010-04-14 13:14:24 +02:00
|
|
|
|
|
|
|
# Check NameID Policy in request
|
|
|
|
if ( $login->request()->NameIDPolicy ) {
|
|
|
|
$nameIDFormat = $login->request()->NameIDPolicy->Format();
|
2010-06-17 15:29:53 +02:00
|
|
|
$self->lmLog( "Get NameID format $nameIDFormat from request",
|
|
|
|
'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# NameID unspecified is forced to default NameID format
|
|
|
|
if ( !$nameIDFormat
|
|
|
|
or $nameIDFormat eq $self->getNameIDFormat("unspecified") )
|
|
|
|
{
|
|
|
|
$nameIDFormat = $self->getNameIDFormat($nameIDFormatKey);
|
2010-04-14 13:14:24 +02:00
|
|
|
}
|
|
|
|
|
2010-05-21 11:03:29 +02:00
|
|
|
# Get session key associated with NameIDFormat
|
|
|
|
# Not for unspecified, transient, persistent, entity, encrypted
|
|
|
|
my $nameIDFormatConfiguration = {
|
|
|
|
$self->getNameIDFormat("email") => 'samlNameIDFormatMapEmail',
|
|
|
|
$self->getNameIDFormat("x509") => 'samlNameIDFormatMapX509',
|
|
|
|
$self->getNameIDFormat("windows") =>
|
|
|
|
'samlNameIDFormatMapWindows',
|
|
|
|
$self->getNameIDFormat("kerberos") =>
|
|
|
|
'samlNameIDFormatMapKerberos',
|
|
|
|
};
|
|
|
|
|
|
|
|
my $nameIDSessionKey =
|
|
|
|
$self->{ $nameIDFormatConfiguration->{$nameIDFormat} };
|
|
|
|
|
2010-05-20 17:57:51 +02:00
|
|
|
my $nameIDContent;
|
2010-05-21 11:03:29 +02:00
|
|
|
if ( defined $self->{sessionInfo}->{$nameIDSessionKey} ) {
|
|
|
|
$nameIDContent =
|
|
|
|
$self->getFirstValue(
|
|
|
|
$self->{sessionInfo}->{$nameIDSessionKey} );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Manage Entity NameID format
|
|
|
|
if ( $nameIDFormat eq $self->getNameIDFormat("entity") ) {
|
2010-08-18 11:49:55 +02:00
|
|
|
$nameIDContent = $self->getMetaDataURL( "samlEntityID", 0 );
|
2010-05-21 11:03:29 +02:00
|
|
|
}
|
2010-04-14 13:14:24 +02:00
|
|
|
|
2010-04-26 16:30:54 +02:00
|
|
|
if ( $login->nameIdentifier ) {
|
|
|
|
$login->nameIdentifier->Format($nameIDFormat);
|
|
|
|
$login->nameIdentifier->content($nameIDContent)
|
|
|
|
if $nameIDContent;
|
|
|
|
}
|
|
|
|
else {
|
2010-04-28 21:57:16 +02:00
|
|
|
my $nameIdentifier = Lasso::Saml2NameID->new();
|
|
|
|
$nameIdentifier->Format($nameIDFormat);
|
|
|
|
$nameIdentifier->content($nameIDContent) if $nameIDContent;
|
|
|
|
$login->nameIdentifier($nameIdentifier);
|
2010-04-26 16:30:54 +02:00
|
|
|
}
|
2010-04-14 13:14:24 +02:00
|
|
|
|
2010-05-21 11:03:29 +02:00
|
|
|
$self->lmLog( "NameID Format is " . $login->nameIdentifier->Format,
|
|
|
|
'debug' );
|
|
|
|
$self->lmLog(
|
|
|
|
"NameID Content is " . $login->nameIdentifier->content,
|
|
|
|
'debug' );
|
2010-04-14 13:14:24 +02:00
|
|
|
|
2010-04-16 10:55:56 +02:00
|
|
|
# Push mandatory attributes
|
2010-04-15 17:40:07 +02:00
|
|
|
my @attributes;
|
|
|
|
|
|
|
|
foreach (
|
2010-05-04 12:10:34 +02:00
|
|
|
keys
|
|
|
|
%{ $self->{samlSPMetaDataExportedAttributes}->{$spConfKey} } )
|
2010-04-15 17:40:07 +02:00
|
|
|
{
|
|
|
|
|
|
|
|
# Extract fields from exportedAttr value
|
|
|
|
my ( $mandatory, $name, $format, $friendly_name ) =
|
|
|
|
split( /;/,
|
2010-05-04 12:10:34 +02:00
|
|
|
$self->{samlSPMetaDataExportedAttributes}->{$spConfKey}
|
|
|
|
->{$_} );
|
2010-04-15 17:40:07 +02:00
|
|
|
|
|
|
|
# Name is required
|
|
|
|
next unless $name;
|
|
|
|
|
|
|
|
# Do not send attribute if not mandatory
|
|
|
|
unless ($mandatory) {
|
|
|
|
$self->lmLog( "SAML2 attribute $name is not mandatory",
|
|
|
|
'debug' );
|
|
|
|
next;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Error if corresponding attribute is not in user session
|
|
|
|
my $value = $self->{sessionInfo}->{$_};
|
|
|
|
unless ( defined $value ) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Session key $_ is required to set SAML $name attribute",
|
|
|
|
'error'
|
|
|
|
);
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-15 17:40:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"SAML2 attribute $name will be set with $_ session key",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# SAML2 attribute
|
2010-06-04 16:23:41 +02:00
|
|
|
my $attribute =
|
|
|
|
$self->createAttribute( $name, $format, $friendly_name );
|
2010-04-15 17:40:07 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
unless ($attribute) {
|
|
|
|
$self->lmLog( "Unable to create a new SAML attribute",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-15 17:40:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Set attribute value(s)
|
|
|
|
my @values = split $self->{multiValuesSeparator}, $value;
|
|
|
|
my @saml2values;
|
|
|
|
|
|
|
|
foreach (@values) {
|
|
|
|
|
|
|
|
# SAML2 attribute value
|
2010-06-04 16:23:41 +02:00
|
|
|
my $saml2value = $self->createAttributeValue($_);
|
2010-04-15 17:40:07 +02:00
|
|
|
|
2010-06-04 16:23:41 +02:00
|
|
|
unless ($saml2value) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unable to create a new SAML attribute value",
|
|
|
|
'error' );
|
2010-04-15 17:40:07 +02:00
|
|
|
$self->checkLassoError($@);
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-15 17:40:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
push @saml2values, $saml2value;
|
|
|
|
|
|
|
|
$self->lmLog( "Push $_ in SAML attribute $name", 'debug' );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
$attribute->AttributeValue(@saml2values);
|
|
|
|
|
2010-04-16 10:55:56 +02:00
|
|
|
# Push attribute in attribute list
|
|
|
|
push @attributes, $attribute;
|
|
|
|
|
2010-04-15 17:40:07 +02:00
|
|
|
}
|
2010-04-07 14:27:50 +02:00
|
|
|
|
2010-06-18 09:50:37 +02:00
|
|
|
# Get response assertion
|
|
|
|
my @response_assertions = $login->response->Assertion;
|
|
|
|
|
|
|
|
unless ( $response_assertions[0] ) {
|
|
|
|
$self->lmLog( "Unable to get response assertion", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-06-18 09:50:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Set subject NameID
|
|
|
|
$response_assertions[0]
|
|
|
|
->set_subject_name_id( $login->nameIdentifier );
|
|
|
|
|
2011-06-09 17:24:15 +02:00
|
|
|
# Set basic conditions
|
|
|
|
my $oneTimeUse =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsOneTimeUse};
|
|
|
|
|
|
|
|
eval {
|
|
|
|
$response_assertions[0]
|
|
|
|
->set_basic_conditions( 60, 86400, $oneTimeUse );
|
|
|
|
};
|
|
|
|
if ($@) {
|
|
|
|
$self->lmLog( "Basic conditions not set: $@", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-04-16 10:55:56 +02:00
|
|
|
# Create attribute statement
|
2010-06-18 09:50:37 +02:00
|
|
|
if ( scalar @attributes ) {
|
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
my $attribute_statement;
|
2010-04-16 10:55:56 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
eval {
|
2010-06-18 09:50:37 +02:00
|
|
|
$attribute_statement =
|
|
|
|
Lasso::Saml2AttributeStatement->new();
|
2010-06-21 17:29:59 +02:00
|
|
|
};
|
|
|
|
if ($@) {
|
|
|
|
$self->checkLassoError($@);
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-06-21 17:29:59 +02:00
|
|
|
}
|
2010-04-16 10:55:56 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Register attributes in attribute statement
|
|
|
|
$attribute_statement->Attribute(@attributes);
|
2010-04-16 10:55:56 +02:00
|
|
|
|
2010-06-21 17:29:59 +02:00
|
|
|
# Add attribute statement in response assertion
|
|
|
|
my @attributes_statement = ($attribute_statement);
|
2010-06-18 09:50:37 +02:00
|
|
|
$response_assertions[0]
|
|
|
|
->AttributeStatement(@attributes_statement);
|
|
|
|
}
|
2010-04-16 10:55:56 +02:00
|
|
|
|
2010-06-01 10:03:24 +02:00
|
|
|
# Get AuthnStatement
|
|
|
|
my @authn_statements = $response_assertions[0]->AuthnStatement();
|
|
|
|
|
2010-04-26 17:47:09 +02:00
|
|
|
# Set sessionIndex
|
2010-05-12 17:56:27 +02:00
|
|
|
# sessionIndex is the encrypted session_id
|
2010-06-07 17:36:45 +02:00
|
|
|
my $sessionIndex = $self->{cipher}->encrypt($session_id);
|
2010-04-26 17:47:09 +02:00
|
|
|
$authn_statements[0]->SessionIndex($sessionIndex);
|
|
|
|
|
2010-05-12 17:56:27 +02:00
|
|
|
$self->lmLog(
|
|
|
|
"Set sessionIndex $sessionIndex (encrypted from $session_id)",
|
|
|
|
'debug' );
|
|
|
|
|
2010-06-01 10:03:24 +02:00
|
|
|
# Set SessionNotOnOrAfter
|
|
|
|
my $timeout = $time + $self->{timeout};
|
|
|
|
my $sessionNotOnOrAfter = $self->timestamp2samldate($timeout);
|
|
|
|
$authn_statements[0]->SessionNotOnOrAfter($sessionNotOnOrAfter);
|
|
|
|
|
|
|
|
$self->lmLog( "Set sessionNotOnOrAfter $sessionNotOnOrAfter",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Register AuthnStatement in assertion
|
|
|
|
$response_assertions[0]->AuthnStatement(@authn_statements);
|
|
|
|
|
2010-04-16 10:55:56 +02:00
|
|
|
# Set response assertion
|
|
|
|
$login->response->Assertion(@response_assertions);
|
|
|
|
|
2010-05-20 15:08:07 +02:00
|
|
|
# Signature
|
|
|
|
my $signSSOMessage =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsSignSSOMessage};
|
|
|
|
|
2010-07-01 18:05:57 +02:00
|
|
|
if ( $signSSOMessage == 0 ) {
|
|
|
|
$self->lmLog( "SSO response will not be signed", 'debug' );
|
|
|
|
$self->disableSignature($login);
|
|
|
|
}
|
|
|
|
elsif ( $signSSOMessage == 1 ) {
|
|
|
|
$self->lmLog( "SSO response will be signed", 'debug' );
|
|
|
|
$self->forceSignature($login);
|
|
|
|
}
|
|
|
|
else {
|
2010-08-19 16:17:25 +02:00
|
|
|
$self->lmLog( "SSO response signature according to metadata",
|
2010-07-01 18:05:57 +02:00
|
|
|
'debug' );
|
2010-05-20 15:08:07 +02:00
|
|
|
}
|
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
# Build SAML response
|
|
|
|
$protocolProfile = $login->protocolProfile();
|
|
|
|
|
|
|
|
# Artifact
|
|
|
|
if ( $protocolProfile ==
|
|
|
|
Lasso::Constants::LOGIN_PROTOCOL_PROFILE_BRWS_ART )
|
|
|
|
{
|
|
|
|
|
|
|
|
# Choose method
|
|
|
|
$artifact_method = $self->getHttpMethod("artifact-get")
|
2010-08-19 16:17:25 +02:00
|
|
|
if ( $method == $self->getHttpMethod("redirect")
|
|
|
|
|| $method == $self->getHttpMethod("artifact-get") );
|
2010-04-07 17:14:17 +02:00
|
|
|
$artifact_method = $self->getHttpMethod("artifact-post")
|
2010-08-19 16:17:25 +02:00
|
|
|
if ( $method == $self->getHttpMethod("post")
|
|
|
|
|| $method == $self->getHttpMethod("artifact-post") );
|
2010-04-07 17:14:17 +02:00
|
|
|
|
|
|
|
# Build artifact message
|
|
|
|
unless ( $self->buildArtifactMsg( $login, $artifact_method ) ) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Unable to build SSO artifact response message",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_ART_ERROR;
|
2010-04-07 17:14:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "SSO: artifact response is built", 'debug' );
|
2010-04-14 17:37:57 +02:00
|
|
|
|
2010-04-08 18:28:10 +02:00
|
|
|
# Get artifact ID and Content, and store them
|
2010-04-12 10:26:18 +02:00
|
|
|
my $artifact_id = $login->get_artifact;
|
|
|
|
my $artifact_message = $login->get_artifact_message;
|
2010-04-07 14:27:50 +02:00
|
|
|
|
2010-04-12 17:03:54 +02:00
|
|
|
$self->storeArtifact( $artifact_id, $artifact_message,
|
2010-04-12 17:42:38 +02:00
|
|
|
$session_id );
|
2010-04-14 17:37:57 +02:00
|
|
|
}
|
2010-04-02 18:19:10 +02:00
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
# No artifact
|
|
|
|
else {
|
|
|
|
|
|
|
|
unless ( $self->buildAuthnResponseMsg($login) ) {
|
|
|
|
$self->lmLog( "Unable to build SSO response message",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-14 17:37:57 +02:00
|
|
|
}
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
$self->lmLog( "SSO: authentication response is built",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2010-04-12 15:23:22 +02:00
|
|
|
# Save Identity and Session
|
|
|
|
if ( $login->is_identity_dirty ) {
|
2010-08-23 16:52:53 +02:00
|
|
|
|
|
|
|
# Update session
|
2010-04-12 15:23:22 +02:00
|
|
|
$self->lmLog( "Save Lasso identity in session", 'debug' );
|
2010-10-12 15:32:18 +02:00
|
|
|
$self->updatePersistentSession(
|
2010-04-12 17:42:38 +02:00
|
|
|
{ _lassoIdentityDump => $login->get_identity->dump },
|
2010-10-12 15:32:18 +02:00
|
|
|
undef, $session_id );
|
2010-04-12 15:23:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if ( $login->is_session_dirty ) {
|
|
|
|
$self->lmLog( "Save Lasso session in session", 'debug' );
|
|
|
|
$self->updateSession(
|
2010-04-12 17:42:38 +02:00
|
|
|
{ _lassoSessionDump => $login->get_session->dump },
|
|
|
|
$session_id );
|
2010-04-12 15:23:22 +02:00
|
|
|
}
|
|
|
|
|
2010-06-01 15:27:02 +02:00
|
|
|
# Keep SAML elements for later queries
|
2010-06-01 16:43:49 +02:00
|
|
|
my $nameid = $login->nameIdentifier;
|
2010-07-05 11:36:52 +02:00
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Store NameID "
|
|
|
|
. $nameid->dump
|
|
|
|
. " and SessionIndex $sessionIndex for session $session_id",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
|
2010-06-28 18:22:07 +02:00
|
|
|
my $samlSessionInfo = $self->getSamlSession();
|
|
|
|
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SESSION_ERROR unless $samlSessionInfo;
|
2010-06-01 15:27:02 +02:00
|
|
|
|
2010-09-01 14:56:15 +02:00
|
|
|
$samlSessionInfo->{type} = 'saml'; # Session type
|
|
|
|
$samlSessionInfo->{_utime} = $time; # Creation time
|
2010-08-31 16:36:45 +02:00
|
|
|
$samlSessionInfo->{_saml_id} = $session_id; # SSO session id
|
2010-09-01 14:56:15 +02:00
|
|
|
$samlSessionInfo->{_nameID} = $nameid->dump; # SAML NameID
|
2010-07-05 11:36:52 +02:00
|
|
|
$samlSessionInfo->{_sessionIndex} =
|
2010-09-01 14:56:15 +02:00
|
|
|
$sessionIndex; # SAML SessionIndex
|
2010-06-01 15:27:02 +02:00
|
|
|
|
2010-06-28 18:22:07 +02:00
|
|
|
my $saml_session_id = $samlSessionInfo->{_session_id};
|
2010-06-01 15:27:02 +02:00
|
|
|
|
2010-06-28 18:22:07 +02:00
|
|
|
untie %$samlSessionInfo;
|
2010-06-01 15:27:02 +02:00
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Link session $session_id to SAML session $saml_session_id",
|
|
|
|
'debug' );
|
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
# Send SSO Response
|
|
|
|
|
2010-09-27 10:40:18 +02:00
|
|
|
# Register IDP in Common Domain Cookie if needed
|
|
|
|
if ( $self->{samlCommonDomainCookieActivation}
|
|
|
|
and $self->{samlCommonDomainCookieWriter} )
|
|
|
|
{
|
|
|
|
my $cdc_idp = $self->getMetaDataURL( "samlEntityID", 0 );
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Will register IDP $cdc_idp in Common Domain Cookie",
|
|
|
|
'debug' );
|
|
|
|
|
|
|
|
# Redirection to CDC Writer page in a hidden iframe
|
2010-09-27 11:11:37 +02:00
|
|
|
my $cdc_writer_url = $self->{samlCommonDomainCookieWriter};
|
2010-09-27 10:40:18 +02:00
|
|
|
$cdc_writer_url .= (
|
2010-09-27 11:11:37 +02:00
|
|
|
$self->{samlCommonDomainCookieWriter} =~ /\?/
|
2010-09-27 10:40:18 +02:00
|
|
|
? '&idp=' . $cdc_idp
|
|
|
|
: '?url=' . $cdc_idp
|
|
|
|
);
|
|
|
|
|
|
|
|
my $cdc_iframe =
|
|
|
|
"<iframe src=\"$cdc_writer_url\""
|
|
|
|
. " alt=\"Common Dommain Cookie\" marginwidth=\"0\""
|
|
|
|
. " marginheight=\"0\" scrolling=\"no\" style=\"border: none;display: hidden;margin: 0\""
|
|
|
|
. " width=\"0\" height=\"0\" frameborder=\"0\">"
|
|
|
|
. "</iframe>";
|
|
|
|
|
|
|
|
$self->info(
|
|
|
|
"<h3>"
|
|
|
|
. &Lemonldap::NG::Portal::_i18n::msg
|
|
|
|
( Lemonldap::NG::Portal::Simple::PM_CDC_WRITER,
|
|
|
|
$ENV{HTTP_ACCEPT_LANGUAGE} )
|
|
|
|
. "</h3>"
|
|
|
|
);
|
|
|
|
|
|
|
|
$self->info($cdc_iframe);
|
|
|
|
}
|
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
# HTTP-REDIRECT
|
|
|
|
if ( $protocolProfile eq
|
|
|
|
Lasso::Constants::LOGIN_PROTOCOL_PROFILE_REDIRECT
|
|
|
|
or $artifact_method == $self->getHttpMethod("artifact-get") )
|
|
|
|
{
|
|
|
|
|
|
|
|
# Redirect user to response URL
|
|
|
|
my $sso_url = $login->msg_url;
|
|
|
|
$self->lmLog( "Redirect user to $sso_url", 'debug' );
|
|
|
|
|
|
|
|
$self->{urldc} = $sso_url;
|
|
|
|
|
|
|
|
$self->_subProcess(qw(autoRedirect));
|
|
|
|
|
|
|
|
# If we are here, there was a problem with GET request
|
|
|
|
$self->lmLog( "SSO response was not sent trough GET", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-07 17:14:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# HTTP-POST
|
|
|
|
if ( $protocolProfile eq
|
|
|
|
Lasso::Constants::LOGIN_PROTOCOL_PROFILE_BRWS_POST
|
|
|
|
or $artifact_method == $self->getHttpMethod("artifact-post") )
|
|
|
|
{
|
|
|
|
|
|
|
|
# Use autosubmit form
|
|
|
|
my $sso_url = $login->msg_url;
|
|
|
|
my $sso_body = $login->msg_body;
|
|
|
|
|
|
|
|
$self->{postUrl} = $sso_url;
|
2010-05-31 17:46:41 +02:00
|
|
|
|
|
|
|
if ( $artifact_method == $self->getHttpMethod("artifact-post") )
|
|
|
|
{
|
|
|
|
$self->{postFields} = { 'SAMLart' => $sso_body };
|
|
|
|
}
|
|
|
|
else {
|
2010-06-07 17:36:45 +02:00
|
|
|
$self->{postFields} = { 'SAMLResponse' => $sso_body };
|
2010-05-31 17:46:41 +02:00
|
|
|
}
|
2010-04-07 17:14:17 +02:00
|
|
|
|
|
|
|
# RelayState
|
|
|
|
$self->{postFields}->{'RelayState'} = $login->msg_relayState
|
|
|
|
if ( $login->msg_relayState );
|
|
|
|
|
|
|
|
$self->_subProcess(qw(autoPost));
|
|
|
|
|
|
|
|
# If we are here, there was a problem with POST request
|
|
|
|
$self->lmLog( "SSO response was not sent trough POST",
|
|
|
|
'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SSO_ERROR;
|
2010-04-07 17:14:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
elsif ($response) {
|
|
|
|
$self->lmLog(
|
|
|
|
"Authentication responses are not managed by this module",
|
|
|
|
'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
# No request or response
|
|
|
|
# This should not happen
|
|
|
|
$self->lmLog( "No request or response found", 'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
# 1.2. SLO
|
|
|
|
if ( $url =~
|
2010-07-01 13:31:24 +02:00
|
|
|
/^(\Q$saml_slo_soap_url\E|\Q$saml_slo_soap_url_ret\E|\Q$saml_slo_get_url\E|\Q$saml_slo_get_url_ret\E|\Q$saml_slo_post_url\E|\Q$saml_slo_post_url_ret\E)$/io
|
2010-04-20 17:31:21 +02:00
|
|
|
)
|
|
|
|
{
|
|
|
|
|
|
|
|
$self->lmLog( "URL $url detected as an SLO URL", 'debug' );
|
|
|
|
|
|
|
|
# Check SAML Message
|
|
|
|
my ( $request, $response, $method, $relaystate, $artifact ) =
|
|
|
|
$self->checkMessage( $url, $request_method, $content_type, "logout" );
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Create Logout object
|
|
|
|
my $logout = $self->createLogout($server);
|
|
|
|
|
|
|
|
# Ignore signature verification
|
|
|
|
$self->disableSignatureVerification($logout);
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
if ($request) {
|
|
|
|
|
2010-06-28 10:34:15 +02:00
|
|
|
# Process logout request
|
|
|
|
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
|
|
|
|
$self->lmLog( "SLO: Fail to process logout request", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-06-28 10:34:15 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "SLO: Logout request is valid", 'debug' );
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
# Load Session and Identity if they exist
|
|
|
|
my $session = $self->{sessionInfo}->{_lassoSessionDump};
|
|
|
|
my $identity = $self->{sessionInfo}->{_lassoIdentityDump};
|
|
|
|
|
|
|
|
if ($session) {
|
|
|
|
unless ( $self->setSessionFromDump( $logout, $session ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-04-20 17:31:21 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($identity) {
|
|
|
|
unless ( $self->setIdentityFromDump( $logout, $identity ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Identity", 'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-04-20 17:31:21 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-05-04 12:10:34 +02:00
|
|
|
# Get SP entityID
|
|
|
|
my $sp = $logout->remote_providerID();
|
|
|
|
|
|
|
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
|
|
|
|
|
|
|
# SP conf key
|
|
|
|
my $spConfKey = $self->{_spList}->{$sp}->{confKey};
|
|
|
|
|
|
|
|
unless ($spConfKey) {
|
|
|
|
$self->lmLog( "$sp do not match any SP in configuration",
|
|
|
|
'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-05-04 12:10:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
|
|
|
|
|
|
|
# Do we check signature?
|
2010-05-20 12:25:00 +02:00
|
|
|
my $checkSLOMessageSignature =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsCheckSLOMessageSignature};
|
|
|
|
|
|
|
|
if ($checkSLOMessageSignature) {
|
|
|
|
unless ( $self->checkSignatureStatus($logout) ) {
|
|
|
|
$self->lmLog( "Signature is not valid", 'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-05-20 12:25:00 +02:00
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Signature is valid", 'debug' );
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
$self->lmLog( "Message signature will not be checked",
|
|
|
|
'debug' );
|
|
|
|
}
|
2010-05-04 12:10:34 +02:00
|
|
|
|
2010-05-21 15:44:16 +02:00
|
|
|
# Check Destination
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method )
|
2010-05-21 15:44:16 +02:00
|
|
|
unless ( $self->checkDestination( $logout->request, $url ) );
|
|
|
|
|
2010-07-05 11:36:52 +02:00
|
|
|
# Get session index
|
|
|
|
my $session_index;
|
|
|
|
eval { $session_index = $logout->request()->SessionIndex; };
|
|
|
|
|
|
|
|
# SLO requests without session index are not accepted
|
|
|
|
if ( $@ or !defined $session_index ) {
|
|
|
|
$self->lmLog(
|
|
|
|
"No session index in SLO request from $spConfKey SP",
|
|
|
|
'error' );
|
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
|
|
|
}
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
# Validate request if no previous error
|
2010-04-21 18:54:05 +02:00
|
|
|
unless ( $self->validateLogoutRequest($logout) ) {
|
2010-04-20 17:31:21 +02:00
|
|
|
$self->lmLog( "SLO request is not valid", 'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-04-20 17:31:21 +02:00
|
|
|
}
|
|
|
|
|
2010-06-23 11:58:14 +02:00
|
|
|
# Set RelayState
|
|
|
|
if ($relaystate) {
|
|
|
|
$logout->msg_relayState($relaystate);
|
|
|
|
$self->lmLog( "Set $relaystate in RelayState", 'debug' );
|
|
|
|
}
|
|
|
|
|
2010-06-21 18:24:50 +02:00
|
|
|
# Create SLO status session and get ID
|
|
|
|
my $sloStatusSessionInfo = $self->getSamlSession();
|
|
|
|
$sloStatusSessionInfo->{type} = 'sloStatus';
|
2010-08-31 16:36:45 +02:00
|
|
|
$sloStatusSessionInfo->{_utime} = time;
|
2010-06-21 18:24:50 +02:00
|
|
|
$sloStatusSessionInfo->{_logout} = $logout->dump;
|
2010-06-30 10:05:20 +02:00
|
|
|
$sloStatusSessionInfo->{_session} =
|
|
|
|
$logout->get_session() ? $logout->get_session()->dump : "";
|
2010-09-01 14:56:15 +02:00
|
|
|
$sloStatusSessionInfo->{_method} = $method;
|
2010-06-21 18:24:50 +02:00
|
|
|
my $relayID = $sloStatusSessionInfo->{_session_id};
|
|
|
|
untie %$sloStatusSessionInfo;
|
|
|
|
|
2010-06-21 17:44:18 +02:00
|
|
|
# Prepare logout on all others SP
|
|
|
|
my $provider_nb =
|
2010-07-03 16:38:46 +02:00
|
|
|
$self->sendLogoutRequestToProviders( $logout, $relayID );
|
2010-04-20 17:31:21 +02:00
|
|
|
|
2010-05-17 14:44:26 +02:00
|
|
|
# Decrypt session index
|
2010-05-12 17:56:27 +02:00
|
|
|
my $local_session_id = $self->{cipher}->decrypt($session_index);
|
|
|
|
|
|
|
|
$self->lmLog(
|
|
|
|
"Get session id $local_session_id (decrypted from $session_index)",
|
|
|
|
'debug'
|
|
|
|
);
|
|
|
|
|
2010-04-21 18:54:05 +02:00
|
|
|
my $user = $self->{sessionInfo}->{user};
|
2010-05-12 17:56:27 +02:00
|
|
|
my $local_session = $self->getApacheSession( $local_session_id, 1 );
|
2010-06-11 16:13:26 +02:00
|
|
|
|
|
|
|
# Close SAML sessions
|
|
|
|
unless ( $self->deleteSAMLSecondarySessions($local_session_id) ) {
|
|
|
|
$self->lmLog( "Fail to delete SAML sessions", 'error' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Close local session
|
2010-04-28 21:57:16 +02:00
|
|
|
unless ( $self->_deleteSession($local_session) ) {
|
|
|
|
$self->lmLog(
|
2010-05-12 17:56:27 +02:00
|
|
|
"Fail to delete session $local_session_id for user $user",
|
2010-06-11 16:13:26 +02:00
|
|
|
'error' );
|
2010-04-21 18:54:05 +02:00
|
|
|
}
|
|
|
|
|
2010-05-20 15:08:07 +02:00
|
|
|
# Signature
|
|
|
|
my $signSLOMessage =
|
|
|
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
|
|
|
->{samlSPMetaDataOptionsSignSLOMessage};
|
|
|
|
|
|
|
|
unless ($signSLOMessage) {
|
|
|
|
$self->lmLog( "Do not sign this SLO response", 'debug' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method )
|
2010-06-28 10:34:15 +02:00
|
|
|
unless ( $self->disableSignature($logout) );
|
2010-05-20 15:08:07 +02:00
|
|
|
}
|
|
|
|
|
2010-06-21 18:24:50 +02:00
|
|
|
# If no waiting SP, return directly SLO response
|
|
|
|
unless ($provider_nb) {
|
|
|
|
unless (
|
|
|
|
$self->sendLogoutResponseToServiceProvider(
|
|
|
|
$logout, $method
|
|
|
|
)
|
|
|
|
)
|
|
|
|
{
|
|
|
|
$self->lmLog( "Fail to send SLO response", 'error' );
|
2010-07-02 17:42:22 +02:00
|
|
|
$self->sendSLOErrorResponse( $logout, $method );
|
2010-09-01 14:56:15 +02:00
|
|
|
}
|
2010-06-21 18:24:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# Else build SLO status relay URL and display info
|
|
|
|
else {
|
|
|
|
$self->{urldc} =
|
2010-06-28 10:34:15 +02:00
|
|
|
$self->{portal} . '/saml/relaySingleLogoutTermination';
|
|
|
|
$self->setHiddenFormValue( 'relay', $relayID );
|
2010-06-21 18:24:50 +02:00
|
|
|
return PE_INFO;
|
|
|
|
}
|
2010-04-20 17:31:21 +02:00
|
|
|
|
|
|
|
}
|
|
|
|
|
2010-06-16 18:17:05 +02:00
|
|
|
elsif ($response) {
|
|
|
|
|
|
|
|
# No SLO response should be here
|
|
|
|
# else it means SSO session was not closed
|
|
|
|
$self->lmLog(
|
|
|
|
"SLO response found on an active SSO session, ignoring it",
|
|
|
|
'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
else {
|
|
|
|
|
|
|
|
# No request or response
|
|
|
|
# This should not happen
|
|
|
|
$self->lmLog( "No request or response found", 'debug' );
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
2010-04-20 17:31:21 +02:00
|
|
|
}
|
|
|
|
|
2010-04-07 17:14:17 +02:00
|
|
|
return PE_OK;
|
2009-04-07 22:38:24 +02:00
|
|
|
}
|
|
|
|
|
2009-12-10 18:03:57 +01:00
|
|
|
## @apmethod int issuerLogout()
|
2010-05-04 12:10:34 +02:00
|
|
|
# Send logout to SP when logout is initiated by IDP
|
2009-12-10 18:03:57 +01:00
|
|
|
# @return Lemonldap::NG::Portal error code
|
|
|
|
sub issuerLogout {
|
2009-04-08 18:31:13 +02:00
|
|
|
my $self = shift;
|
2010-03-26 14:56:37 +01:00
|
|
|
|
2010-07-02 11:05:46 +02:00
|
|
|
# Session ID
|
|
|
|
my $session_id = $self->{sessionInfo}->{_session_id} || $self->{id};
|
|
|
|
|
|
|
|
# Close SAML sessions
|
|
|
|
unless ( $self->deleteSAMLSecondarySessions($session_id) ) {
|
|
|
|
$self->lmLog( "Fail to delete SAML sessions", 'error' );
|
|
|
|
}
|
|
|
|
|
2010-04-27 17:11:53 +02:00
|
|
|
# Create Logout object
|
2010-04-28 21:57:16 +02:00
|
|
|
my $logout = $self->createLogout( $self->{_lassoServer} );
|
2010-04-27 17:11:53 +02:00
|
|
|
|
|
|
|
# Load Session and Identity if they exist
|
|
|
|
my $session = $self->{sessionInfo}->{_lassoSessionDump};
|
|
|
|
my $identity = $self->{sessionInfo}->{_lassoIdentityDump};
|
|
|
|
|
|
|
|
if ($session) {
|
|
|
|
unless ( $self->setSessionFromDump( $logout, $session ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Session", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-04-27 17:11:53 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# No need to initiate logout requests on SP, if no SAML session is
|
|
|
|
# available into the session.
|
|
|
|
else {
|
|
|
|
return PE_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($identity) {
|
|
|
|
unless ( $self->setIdentityFromDump( $logout, $identity ) ) {
|
|
|
|
$self->lmLog( "Unable to load Lasso Identity", 'error' );
|
2010-07-05 17:58:03 +02:00
|
|
|
return PE_SAML_SLO_ERROR;
|
2010-04-27 17:11:53 +02:00
|
|
|
}
|
|
|
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
|
|
|
}
|
|
|
|
|
|
|
|
# Proceed to logout on all others SP.
|
|
|
|
# Verify that logout response is correctly sent. If we have to wait for
|
|
|
|
# providers during HTTP-REDIRECT process, return PE_INFO to notify to wait
|
|
|
|
# for them.
|
2010-08-31 17:21:17 +02:00
|
|
|
# Redirect on logout page when all is done.
|
2010-07-03 16:38:46 +02:00
|
|
|
if ( $self->sendLogoutRequestToProviders($logout) ) {
|
2010-08-31 17:21:17 +02:00
|
|
|
$self->{urldc} = $ENV{SCRIPT_NAME} . "?logout=1";
|
2010-04-27 17:11:53 +02:00
|
|
|
return PE_INFO;
|
|
|
|
}
|
|
|
|
|
|
|
|
return PE_OK;
|
2009-04-08 18:31:13 +02:00
|
|
|
}
|
|
|
|
|
2009-04-07 22:38:24 +02:00
|
|
|
1;
|
2009-12-10 18:03:57 +01:00
|
|
|
|
2009-04-07 22:38:24 +02:00
|
|
|
__END__
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
2010-01-03 09:09:59 +01:00
|
|
|
=encoding utf8
|
|
|
|
|
2010-04-07 14:27:50 +02:00
|
|
|
Lemonldap::NG::Portal::IssuerDBSAML - SAML IssuerDB for LemonLDAP::NG
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
2010-04-07 14:27:50 +02:00
|
|
|
use Lemonldap::NG::Portal::SharedConf;
|
|
|
|
|
|
|
|
my $portal = Lemonldap::NG::Portal::SharedConf->new({
|
|
|
|
issuerDB => SAML,
|
|
|
|
});
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
2010-04-07 14:27:50 +02:00
|
|
|
SAML IssuerDB for LemonLDAP::NG
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
=head1 SEE ALSO
|
|
|
|
|
|
|
|
L<Lemonldap::NG::Portal>
|
|
|
|
|
|
|
|
=head1 AUTHOR
|
|
|
|
|
2009-12-13 16:40:33 +01:00
|
|
|
Clément Oudot, E<lt>coudot@linagora.comE<gt>
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
|
2010-10-23 10:35:38 +02:00
|
|
|
Copyright (C) 2009, 2010 by Clément Oudot
|
2009-04-07 22:38:24 +02:00
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
|
|
it under the same terms as Perl itself, either Perl version 5.10.0 or,
|
|
|
|
at your option, any later version of Perl 5 you may have available.
|
|
|
|
|
|
|
|
=cut
|