lemonldap-ng/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm

## @file
# SAML Service Provider - Authentication

## @class
# SAML Service Provider - Authentication
package Lemonldap::NG::Portal::AuthSAML;

use strict;
use Lemonldap::NG::Portal::Simple;
use Lemonldap::NG::Portal::_SAML;    #inherits
use Lemonldap::NG::Common::Conf::SAML::Metadata;

our $VERSION = '0.1';

## @apmethod int authInit()
# Load Lasso and metadata
# @return Lemonldap::NG::Portal error code
sub authInit {
    my $self = shift;

    # Load Lasso
    return PE_ERROR unless $self->loadLasso();

    # Activate SOAP
    $self->abort( 'To use SAML, you must activate SOAP (Soap => 1)', 'error' )
      unless ( $self->{Soap} );

    # Check presence of private key in configuration
    unless ( $self->{samlServicePrivateKey} ) {
        $self->lmLog( "SAML private key not found in configuration", 'error' );
        return PE_ERROR;
    }

    # Get metadata from configuration
    $self->lmLog( "Get Metadata for this service", 'debug' );
    my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();

    # Create Lasso server with service metadata
    my $server = $self->createServer(
        $service_metadata->serviceToXML(
            $ENV{DOCUMENT_ROOT} . "/skins/common/saml2-metadata.tpl", $self
        ),
        $self->{samlServicePrivateKey},
    );

    unless ($server) {
        $self->lmLog( 'Unable to create Lasso server', 'error' );
        return PE_ERROR;
    }

    $self->lmLog( "Service created", 'debug' );

    # Check presence of at least one identity provider in configuration
    unless ( $self->{samlIDPMetaData}
        and keys %{ $self->{samlIDPMetaData} } )
    {
        $self->lmLog( "No IDP found in configuration", 'error' );
        return PE_ERROR;
    }

    # Load identity provider metadata
    # IDP are listed in $self->{samlIDPMetaData}
    # Each key is the IDP name and value is the metadata
    # Build IDP list for later use in extractFormInfo
    foreach ( keys %{ $self->{samlIDPMetaData} } ) {

        $self->lmLog( "Get Metadata for IDP $_", 'debug' );

        # Get metadata from configuration
        my $idp_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();
        unless (
            $idp_metadata->initializeFromConfHash(
                $self->{samlIDPMetaData}->{$_}
            )
          )
        {
            $self->lmLog( "Fail to read IDP $_ Metadata from configuration",
                'error' );
            return PE_ERROR;
        }

        # Add this IDP to Lasso::Server
        my $result = $self->addIDP( $server, $idp_metadata->toXML() );

        unless ($result) {
            $self->lmLog( "Fail to use IDP $_ Metadata", 'error' );
            return PE_ERROR;
        }

        # Store IDP entityID and Organization Name
        my $entityID = $idp_metadata->{entityID};
        my $name = $self->getOrganizationName( $server, $entityID )
          || ucfirst($_);
        $self->{_idpList}->{$_}->{entityID} = $entityID;
        $self->{_idpList}->{$_}->{name}     = $name;

        $self->lmLog( "IDP $_ added", 'debug' );
    }

    # Store Lasso::Server object
    $self->{_lassoServer} = $server;

    PE_OK;
}

## @apmethod int extractFormInfo()
# Check authentication statement or create authentication request
# @return Lemonldap::NG::Portal error code
sub extractFormInfo {
    my $self   = shift;
    my $server = $self->{_lassoServer};
    my $login;
    my $idp;

    # 1. Get URL parameters to know if we are receving an assertion
    my $url              = $self->url();
    my $saml_acs_art_url = (
        split(
            /;/,
            $self->{samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact}
        )
    )[3];
    my $saml_acs_post_url = (
        split(
            /;/, $self->{samlSPSSODescriptorAssertionConsumerServiceHTTPPost}
        )
    )[3];
    my $saml_acs_get_url = (
        split(
            /;/,
            $self->{samlSPSSODescriptorAssertionConsumerServiceHTTPRedirect}
        )
    )[3];

    if ( $url =~ /^($saml_acs_art_url|$saml_acs_post_url|$saml_acs_get_url)$/i )
    {

        $self->lmLog( "URL $url detected as an assertion consumer URL",
            'debug' );

        # 1.1 HTTP REDIRECT
        if ( $url =~ /^$saml_acs_get_url$/i ) {

            # Response in query string
            my $response = $self->query_string();

            # TODO use CGI(-oldstyle_urls) in Common/CGI.pm to avoid this
            $response =~ s/;/&/g;

            $self->lmLog( "HTTP-REDIRECT: SAML Response $response", 'debug' );

            # Create Login object
            $login = $self->createLogin($server);

            # Process authentication response
            my $result = $self->processAuthnResponseMsg( $login, $response );

            unless ($result) {
                $self->lmLog(
                    "HTTP-REDIRECT: Fail to process authentication response",
                    'error' );
                return PE_ERROR;
            }

            # TODO validate response
            $self->lmLog( "HTTP-REDIRECT: authentication response is valid",
                'debug' );

            # Get NameID
            my $nameid = $self->getNameIdentifier($login);

            $self->abort("Work in progress");
        }

        # 1.2 POST
        # TODO

        # 1.3 ARTEFACT (SOAP)
        # TODO

        return PE_OK;
    }

    # 2. IDP resolution

    # Get IDP resolution cookie
    my %cookies    = fetch CGI::Cookie;
    my $idp_cookie = $cookies{ $self->{samlIdPResolveCookie} };
    if ($idp_cookie) {
        $idp = $idp_cookie->value;
        $self->lmLog( "IDP $idp found in IDP resolution cookie", 'debug' );
    }

    # If no IDP resolve cookie, find another way to get it
    # Case 1: IDP was choosen from portal IDP list
    $idp ||= $self->param("idp");

    # TODO - other case (IP resolution, etc.)

    # Get confirmation flag
    my $confirm_flag = $self->param("confirm");

    # If confirmation is -1, or IDP was not resolve, let the user choose its IDP
    if ( $confirm_flag == -1 or !$idp ) {
        $self->lmLog( "No IDP found, redirecting user to IDP list", 'debug' );

        # IDP list
        my $html = "<h3>"
          . &Lemonldap::NG::Portal::_i18n::msg( PM_SAML_IDPSELECT,
            $ENV{HTTP_ACCEPT_LANGUAGE} )
          . "</h3>\n<table>\n";

        foreach ( keys %{ $self->{_idpList} } ) {
            $html .=
                '<tr><td><input type="radio" name="idp" value="'
              . $self->{_idpList}->{$_}->{entityID}
              . '" /></td><td>'
              . $self->{_idpList}->{$_}->{name}
              . '</td></tr>';
        }

        $html .=
'<tr><td><input type="checkbox" name="cookie_type" value="1"></td><td>'
          . &Lemonldap::NG::Portal::_i18n::msg( PM_REMEMBERCHOICE,
            $ENV{HTTP_ACCEPT_LANGUAGE} )
          . "</td></tr></table>\n"

          # Script to autoselect first choice
          . '<script>$("[type=radio]:first").attr("checked","checked");</script>';

        $self->info($html);

        # Delete existing IDP resolution cookie
        push @{ $self->{cookie} },
          $self->cookie(
            -name    => $self->{samlIdPResolveCookie},
            -value   => 0,
            -domain  => $self->{domain},
            -path    => "/",
            -secure  => 0,
            -expires => '-1d',
          );

        return PE_CONFIRM;
    }

    # If IDP is found but not confirmed, let the user confirm it
    if ( $confirm_flag != 1 ) {
        $self->lmLog( "IDP $idp selected, need user confirmation", 'debug' );

        # Choosen IDP
        my $html = '<h3>'
          . &Lemonldap::NG::Portal::_i18n::msg( PM_SAML_IDPCHOOSEN,
            $ENV{HTTP_ACCEPT_LANGUAGE} )
          . "</h3>\n<h4>$idp</h4>\n<input type=\"hidden\" name=\"idp\" value=\"$idp\" />\n";

        $self->info($html);

        return PE_CONFIRM;
    }

    # Here confirmation is OK (confirm_flag == 1), store choosen IDP in cookie
    unless ( $idp_cookie and ( $idp eq $idp_cookie->value ) ) {
        $self->lmLog( "Build cookie to remember $idp as IDP choice", 'debug' );

        # User can choose temporary (0) or persistent cookie (1)
        my $cookie_type = $self->param("cookie_type") || "0";

        push @{ $self->{cookie} },
          $self->cookie(
            -name     => $self->{samlIdPResolveCookie},
            -value    => $idp,
            -domain   => $self->{domain},
            -path     => "/",
            -secure   => $self->{securedCookie},
            -httponly => $self->{httpOnly},
            -expires  => $cookie_type ? "+365d" : "",
          );
    }

    # 3. Build authentication request
    # TODO store urldc in RelayState
    $login = $self->createAuthnRequest( $server, $idp );

    unless ($login) {
        $self->lmLog( "Could not create authentication request on $idp",
            'error' );
        return PE_ERROR;
    }

    $self->lmLog( "Authentication request created", 'debug' );

    # Redirect user to IDP SSO URL
    # Replace urldc value by SSO URL value and call sub autoRedirect
    # TODO Manage other transport (POST, SOAP, ...)
    my $sso_url = $login->msg_url;
    $self->lmLog( "Redirect user to $sso_url", 'debug' );

    $self->{urldc} = $sso_url;
    $self->{error} = $self->_subProcess(qw(autoRedirect));

    return $self->{error};
}

## @apmethod int setAuthSessionInfo()
# Extract attributes sent in authentication statement
# @return Lemonldap::NG::Portal error code
sub setAuthSessionInfo {
    my $self = shift;

    # TODO

    PE_OK;
}

## @apmethod int authenticate()
# Accept SSO from IDP
# @return PE_OK
sub authenticate {
    my $self = shift;

    #TODO Lasso::Login::accept_sso( $login )

    PE_OK;
}

## @apmethod void authLogout()
# Logout SP
# @return nothing
sub authLogout {
    my $self = shift;

    # TODO

    return;
}

1;
__END__

=head1 NAME

=encoding utf8

Lemonldap::NG::Portal::AuthSAML - SAML Authentication backend

=head1 SYNOPSIS

  use Lemonldap::NG::Portal::AuthSAML;

=head1 DESCRIPTION

Use SAML to authenticate users

=head1 SEE ALSO

L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::UserDBSAML>, L<Lemonldap::NG::Portal::_SAML>

=head1 AUTHOR

Xavier Guimard, E<lt>x.guimard@free.frE<gt>, Clement Oudot, E<lt>coudot@linagora.comE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2009 by Xavier Guimard

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.10.0 or,
at your option, any later version of Perl 5 you may have available.

=cut
SAML skeleton 2009-04-07 22:38:24 +02:00			`## @file`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# SAML Service Provider - Authentication`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`## @class`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# SAML Service Provider - Authentication`
SAML skeleton 2009-04-07 22:38:24 +02:00			`package Lemonldap::NG::Portal::AuthSAML;`

			`use strict;`
			`use Lemonldap::NG::Portal::Simple;`
SAML: load Lasso method 2010-01-29 11:44:56 +01:00			`use Lemonldap::NG::Portal::_SAML; #inherits`
SAML: * perltidy * use XML::Simple instead of XML::LibXML to parse XML * Add initializeFromConfHash method to use directly configuration hash object * Create Lasso server with metadata in buffers rather than XML files 2010-02-01 15:01:28 +01:00			`use Lemonldap::NG::Common::Conf::SAML::Metadata;`
SAML skeleton 2009-04-07 22:38:24 +02:00
Beginning 0.9.4 publication works : version update 2009-06-08 18:29:13 +02:00			`our $VERSION = '0.1';`

SAML skeleton 2009-04-07 22:38:24 +02:00			`## @apmethod int authInit()`
SAML: create Lasso Server 2010-01-29 18:33:35 +01:00			`# Load Lasso and metadata`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# @return Lemonldap::NG::Portal error code`
			`sub authInit {`
			`my $self = shift;`
SAML: load Lasso method 2010-01-29 11:44:56 +01:00
			`# Load Lasso`
			`return PE_ERROR unless $self->loadLasso();`

SAML: create Lasso Server 2010-01-29 18:33:35 +01:00			`# Activate SOAP`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`$self->abort( 'To use SAML, you must activate SOAP (Soap => 1)', 'error' )`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`unless ( $self->{Soap} );`
SAML: create Lasso Server 2010-01-29 18:33:35 +01:00
SAML: use serviceToXML 2010-02-05 17:14:05 +01:00			`# Check presence of private key in configuration`
			`unless ( $self->{samlServicePrivateKey} ) {`
			`$self->lmLog( "SAML private key not found in configuration", 'error' );`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`return PE_ERROR;`
			`}`
SAML: add IDP in Lasso::Server 2010-02-01 18:07:40 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`# Get metadata from configuration`
			`$self->lmLog( "Get Metadata for this service", 'debug' );`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`my $service_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();`
SAML: add IDP in Lasso::Server 2010-02-01 18:07:40 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`# Create Lasso server with service metadata`
			`my $server = $self->createServer(`
SAML: use serviceToXML 2010-02-05 17:14:05 +01:00			`$service_metadata->serviceToXML(`
			`$ENV{DOCUMENT_ROOT} . "/skins/common/saml2-metadata.tpl", $self`
			`),`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`$self->{samlServicePrivateKey},`
			`);`
SAML: add IDP in Lasso::Server 2010-02-01 18:07:40 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`unless ($server) {`
			`$self->lmLog( 'Unable to create Lasso server', 'error' );`
			`return PE_ERROR;`
			`}`

			`$self->lmLog( "Service created", 'debug' );`
SAML: add IDP in Lasso::Server 2010-02-01 18:07:40 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`# Check presence of at least one identity provider in configuration`
			`unless ( $self->{samlIDPMetaData}`
			`and keys %{ $self->{samlIDPMetaData} } )`
			`{`
			`$self->lmLog( "No IDP found in configuration", 'error' );`
			`return PE_ERROR;`
			`}`

			`# Load identity provider metadata`
			`# IDP are listed in $self->{samlIDPMetaData}`
			`# Each key is the IDP name and value is the metadata`
			`# Build IDP list for later use in extractFormInfo`
			`foreach ( keys %{ $self->{samlIDPMetaData} } ) {`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`$self->lmLog( "Get Metadata for IDP $_", 'debug' );`

			`# Get metadata from configuration`
			`my $idp_metadata = Lemonldap::NG::Common::Conf::SAML::Metadata->new();`
			`unless (`
			`$idp_metadata->initializeFromConfHash(`
			`$self->{samlIDPMetaData}->{$_}`
			`)`
			`)`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`{`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`$self->lmLog( "Fail to read IDP $_ Metadata from configuration",`
			`'error' );`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`return PE_ERROR;`
			`}`

Fix some little bugs 2010-02-08 11:06:21 +01:00			`# Add this IDP to Lasso::Server`
			`my $result = $self->addIDP( $server, $idp_metadata->toXML() );`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`unless ($result) {`
			`$self->lmLog( "Fail to use IDP $_ Metadata", 'error' );`
			`return PE_ERROR;`
			`}`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
			`# Store IDP entityID and Organization Name`
			`my $entityID = $idp_metadata->{entityID};`
SAML: better organization name management 2010-02-05 18:18:09 +01:00			`my $name = $self->getOrganizationName( $server, $entityID )`
			`\|\| ucfirst($_);`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`$self->{_idpList}->{$_}->{entityID} = $entityID;`
			`$self->{_idpList}->{$_}->{name} = $name;`

Fix some little bugs 2010-02-08 11:06:21 +01:00			`$self->lmLog( "IDP $_ added", 'debug' );`
			`}`
SAML: load Lasso method 2010-01-29 11:44:56 +01:00
SAML: build authentication request 2010-02-04 17:02:02 +01:00			`# Store Lasso::Server object`
			`$self->{_lassoServer} = $server;`

SAML: load Lasso method 2010-01-29 11:44:56 +01:00			`PE_OK;`
SAML skeleton 2009-04-07 22:38:24 +02:00			`}`

			`## @apmethod int extractFormInfo()`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# Check authentication statement or create authentication request`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# @return Lemonldap::NG::Portal error code`
			`sub extractFormInfo {`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`my $self = shift;`
SAML: build authentication request 2010-02-04 17:02:02 +01:00			`my $server = $self->{_lassoServer};`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`my $login;`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`my $idp;`

SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`# 1. Get URL parameters to know if we are receving an assertion`
			`my $url = $self->url();`
			`my $saml_acs_art_url = (`
			`split(`
			`/;/,`
			`$self->{samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact}`
			`)`
			`)[3];`
			`my $saml_acs_post_url = (`
			`split(`
			`/;/, $self->{samlSPSSODescriptorAssertionConsumerServiceHTTPPost}`
			`)`
			`)[3];`
			`my $saml_acs_get_url = (`
			`split(`
			`/;/,`
			`$self->{samlSPSSODescriptorAssertionConsumerServiceHTTPRedirect}`
			`)`
			`)[3];`

			`if ( $url =~ /^($saml_acs_art_url\|$saml_acs_post_url\|$saml_acs_get_url)$/i )`
			`{`

			`$self->lmLog( "URL $url detected as an assertion consumer URL",`
			`'debug' );`

			`# 1.1 HTTP REDIRECT`
			`if ( $url =~ /^$saml_acs_get_url$/i ) {`

SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# Response in query string`
			`my $response = $self->query_string();`

			`# TODO use CGI(-oldstyle_urls) in Common/CGI.pm to avoid this`
			`$response =~ s/;/&/g;`

SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`$self->lmLog( "HTTP-REDIRECT: SAML Response $response", 'debug' );`

			`# Create Login object`
			`$login = $self->createLogin($server);`

			`# Process authentication response`
			`my $result = $self->processAuthnResponseMsg( $login, $response );`

			`unless ($result) {`
			`$self->lmLog(`
			`"HTTP-REDIRECT: Fail to process authentication response",`
			`'error' );`
			`return PE_ERROR;`
			`}`

SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# TODO validate response`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`$self->lmLog( "HTTP-REDIRECT: authentication response is valid",`
			`'debug' );`

SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# Get NameID`
			`my $nameid = $self->getNameIdentifier($login);`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`$self->abort("Work in progress");`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`}`

			`# 1.2 POST`
			`# TODO`

			`# 1.3 ARTEFACT (SOAP)`
			`# TODO`

			`return PE_OK;`
			`}`
Fix some little bugs 2010-02-08 11:06:21 +01:00
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# 2. IDP resolution`
Fix some little bugs 2010-02-08 11:06:21 +01:00
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# Get IDP resolution cookie`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`my %cookies = fetch CGI::Cookie;`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`my $idp_cookie = $cookies{ $self->{samlIdPResolveCookie} };`
			`if ($idp_cookie) {`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`$idp = $idp_cookie->value;`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`$self->lmLog( "IDP $idp found in IDP resolution cookie", 'debug' );`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`}`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
			`# If no IDP resolve cookie, find another way to get it`
			`# Case 1: IDP was choosen from portal IDP list`
			`$idp \|\|= $self->param("idp");`

SAML: build authentication request 2010-02-04 17:02:02 +01:00			`# TODO - other case (IP resolution, etc.)`

SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# Get confirmation flag`
			`my $confirm_flag = $self->param("confirm");`

			`# If confirmation is -1, or IDP was not resolve, let the user choose its IDP`
			`if ( $confirm_flag == -1 or !$idp ) {`
			`$self->lmLog( "No IDP found, redirecting user to IDP list", 'debug' );`

			`# IDP list`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`my $html = "<h3>"`
			`. &Lemonldap::NG::Portal::_i18n::msg( PM_SAML_IDPSELECT,`
			`$ENV{HTTP_ACCEPT_LANGUAGE} )`
			`. "</h3>\n<table>\n";`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
			`foreach ( keys %{ $self->{_idpList} } ) {`
			`$html .=`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`'<tr><td><input type="radio" name="idp" value="'`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`. $self->{_idpList}->{$_}->{entityID}`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`. '" /></td><td>'`
			`. $self->{_idpList}->{$_}->{name}`
			`. '</td></tr>';`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`}`

SAML: better organization name management 2010-02-05 18:18:09 +01:00			`$html .=`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`'<tr><td><input type="checkbox" name="cookie_type" value="1"></td><td>'`
			`. &Lemonldap::NG::Portal::_i18n::msg( PM_REMEMBERCHOICE,`
			`$ENV{HTTP_ACCEPT_LANGUAGE} )`
			`. "</td></tr></table>\n"`
SAML: better organization name management 2010-02-05 18:18:09 +01:00
Fix some little bugs 2010-02-08 11:06:21 +01:00			`# Script to autoselect first choice`
			`. '<script>$("[type=radio]:first").attr("checked","checked");</script>';`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
			`$self->info($html);`

			`# Delete existing IDP resolution cookie`
			`push @{ $self->{cookie} },`
			`$self->cookie(`
			`-name => $self->{samlIdPResolveCookie},`
			`-value => 0,`
			`-domain => $self->{domain},`
			`-path => "/",`
			`-secure => 0,`
			`-expires => '-1d',`
			`);`

Fix some little bugs 2010-02-08 11:06:21 +01:00			`return PE_CONFIRM;`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`}`
Fix some little bugs 2010-02-08 11:06:21 +01:00
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# If IDP is found but not confirmed, let the user confirm it`
			`if ( $confirm_flag != 1 ) {`
			`$self->lmLog( "IDP $idp selected, need user confirmation", 'debug' );`

			`# Choosen IDP`
Fix some little bugs 2010-02-08 11:06:21 +01:00			`my $html = '<h3>'`
			`. &Lemonldap::NG::Portal::_i18n::msg( PM_SAML_IDPCHOOSEN,`
			`$ENV{HTTP_ACCEPT_LANGUAGE} )`
			`. "</h3>\n<h4>$idp</h4>\n<input type=\"hidden\" name=\"idp\" value=\"$idp\" />\n";`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
			`$self->info($html);`

Fix some little bugs 2010-02-08 11:06:21 +01:00			`return PE_CONFIRM;`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`}`

			`# Here confirmation is OK (confirm_flag == 1), store choosen IDP in cookie`
			`unless ( $idp_cookie and ( $idp eq $idp_cookie->value ) ) {`
			`$self->lmLog( "Build cookie to remember $idp as IDP choice", 'debug' );`

Fix some little bugs 2010-02-08 11:06:21 +01:00			`# User can choose temporary (0) or persistent cookie (1)`
			`my $cookie_type = $self->param("cookie_type") \|\| "0";`

			`push @{ $self->{cookie} },`
			`$self->cookie(`
			`-name => $self->{samlIdPResolveCookie},`
			`-value => $idp,`
			`-domain => $self->{domain},`
			`-path => "/",`
			`-secure => $self->{securedCookie},`
			`-httponly => $self->{httpOnly},`
			`-expires => $cookie_type ? "+365d" : "",`
			`);`
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`}`
Fix some little bugs 2010-02-08 11:06:21 +01:00
SAML: IDP choice 2010-02-04 13:30:18 +01:00			`# 3. Build authentication request`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# TODO store urldc in RelayState`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`$login = $self->createAuthnRequest( $server, $idp );`
SAML: build authentication request 2010-02-04 17:02:02 +01:00
			`unless ($login) {`
			`$self->lmLog( "Could not create authentication request on $idp",`
			`'error' );`
			`return PE_ERROR;`
			`}`
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00
SAML: build authentication request 2010-02-04 17:02:02 +01:00			`$self->lmLog( "Authentication request created", 'debug' );`
SAML: IDP choice 2010-02-04 13:30:18 +01:00
SAML: * Redirect user to IDP SSO URL * Catch IDP response for HTTP-REDIRECT binding 2010-02-08 18:24:45 +01:00			`# Redirect user to IDP SSO URL`
			`# Replace urldc value by SSO URL value and call sub autoRedirect`
			`# TODO Manage other transport (POST, SOAP, ...)`
			`my $sso_url = $login->msg_url;`
			`$self->lmLog( "Redirect user to $sso_url", 'debug' );`

			`$self->{urldc} = $sso_url;`
			`$self->{error} = $self->_subProcess(qw(autoRedirect));`

			`return $self->{error};`
SAML skeleton 2009-04-07 22:38:24 +02:00			`}`

			`## @apmethod int setAuthSessionInfo()`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# Extract attributes sent in authentication statement`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# @return Lemonldap::NG::Portal error code`
			`sub setAuthSessionInfo {`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`my $self = shift;`

			`# TODO`

SAML skeleton 2009-04-07 22:38:24 +02:00			`PE_OK;`
			`}`

			`## @apmethod int authenticate()`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# Accept SSO from IDP`
SAML skeleton 2009-04-07 22:38:24 +02:00			`# @return PE_OK`
			`sub authenticate {`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`my $self = shift;`

			`#TODO Lasso::Login::accept_sso( $login )`

SAML skeleton 2009-04-07 22:38:24 +02:00			`PE_OK;`
			`}`

			`## @apmethod void authLogout()`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`# Logout SP`
			`# @return nothing`
SAML skeleton 2009-04-07 22:38:24 +02:00			`sub authLogout {`
SAML: use query_string and get name identifier 2010-02-09 10:02:39 +01:00			`my $self = shift;`

			`# TODO`

			`return;`
SAML skeleton 2009-04-07 22:38:24 +02:00			`}`

			`1;`
			`__END__`

			`=head1 NAME`

POD updates : * spelling errors found by Lintian * encoding utf8 2010-01-03 09:09:59 +01:00			`=encoding utf8`

SAML: IDP choice 2010-02-04 13:30:18 +01:00			`Lemonldap::NG::Portal::AuthSAML - SAML Authentication backend`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 SYNOPSIS`

			`use Lemonldap::NG::Portal::AuthSAML;`

			`=head1 DESCRIPTION`

SAML: IDP choice 2010-02-04 13:30:18 +01:00			`Use SAML to authenticate users`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 SEE ALSO`

SAML: IDP choice 2010-02-04 13:30:18 +01:00			`L<Lemonldap::NG::Portal>, L<Lemonldap::NG::Portal::UserDBSAML>, L<Lemonldap::NG::Portal::_SAML>`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 AUTHOR`

SAML: IDP choice 2010-02-04 13:30:18 +01:00			`Xavier Guimard, E<lt>x.guimard@free.frE<gt>, Clement Oudot, E<lt>coudot@linagora.comE<gt>`
SAML skeleton 2009-04-07 22:38:24 +02:00
			`=head1 COPYRIGHT AND LICENSE`

			`Copyright (C) 2009 by Xavier Guimard`

			`This library is free software; you can redistribute it and/or modify`
			`it under the same terms as Perl itself, either Perl version 5.10.0 or,`
			`at your option, any later version of Perl 5 you may have available.`

			`=cut`