Add an option to enable IDP initiated SSO for a SP (#208)
This commit is contained in:
parent
3f7bb4b9d2
commit
40513f75d9
|
@ -227,10 +227,14 @@ sub cstruct {
|
|||
},
|
||||
samlSPMetaDataOptionsSecurity => {
|
||||
|
||||
_nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
|
||||
_nodes => [
|
||||
qw(samlSPMetaDataOptionsEncryptionMode samlSPMetaDataOptionsEnableIDPInitiatedURL)
|
||||
],
|
||||
|
||||
samlSPMetaDataOptionsEncryptionMode =>
|
||||
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
|
||||
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||
"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
||||
},
|
||||
},
|
||||
}
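Review bot: The new `_nodes` list on the `qw(...)` line packs two long option names onto one line well past the file's usual width, which makes the next addition to this security node a noisy diff. Putting one node per line, `_nodes => [ qw(` / `samlSPMetaDataOptionsEncryptionMode` / `samlSPMetaDataOptionsEnableIDPInitiatedURL` / `) ],`, keeps the list readable and mirrors how the sibling `samlSPMetaDataOptions*` entries below are laid out one per line. The `cstruct` sub this hunk belongs to starts outside the hunk.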
|
||||
|
@ -2124,6 +2128,7 @@ sub defaultConf {
|
|||
samlSPMetaDataOptionsSignSLOMessage => '1',
|
||||
samlSPMetaDataOptionsCheckSLOMessageSignature => '1',
|
||||
samlSPMetaDataOptionsEncryptionMode => 'none',
|
||||
samlSPMetaDataOptionsEnableIDPInitiatedURL => '0',
|
||||
samlSPSSODescriptorAuthnRequestsSigned => '1',
|
||||
samlSPSSODescriptorWantAssertionsSigned => '1',
|
||||
samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
|
||||
|
|
|
@ -452,13 +452,15 @@ sub en {
|
|||
samlSPMetaDataOptionsAuthnResponse => 'Authentication response',
|
||||
samlSPMetaDataOptionsSignature => 'Signature',
|
||||
samlSPMetaDataOptionsSecurity => 'Security',
|
||||
samlServiceMetaData => 'SAML 2 Service',
|
||||
samlEntityID => 'Entity Identifier',
|
||||
samlOrganization => 'Organization',
|
||||
samlOrganizationDisplayName => 'Display Name',
|
||||
samlOrganizationName => 'Name',
|
||||
samlOrganizationURL => 'URL',
|
||||
samlSPSSODescriptor => 'Service Provider',
|
||||
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||
'Enable use of IDP initiated URL',
|
||||
samlServiceMetaData => 'SAML 2 Service',
|
||||
samlEntityID => 'Entity Identifier',
|
||||
samlOrganization => 'Organization',
|
||||
samlOrganizationDisplayName => 'Display Name',
|
||||
samlOrganizationName => 'Name',
|
||||
samlOrganizationURL => 'URL',
|
||||
samlSPSSODescriptor => 'Service Provider',
|
||||
samlSPSSODescriptorAuthnRequestsSigned =>
|
||||
'Signed Authentication Request',
|
||||
samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
|
||||
|
@ -937,13 +939,15 @@ sub fr {
|
|||
samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification',
|
||||
samlSPMetaDataOptionsSignature => 'Signature',
|
||||
samlSPMetaDataOptionsSecurity => 'Sécurité',
|
||||
samlServiceMetaData => 'Service SAML 2',
|
||||
samlEntityID => 'Identifiant d\'entité',
|
||||
samlOrganization => 'Organisation',
|
||||
samlOrganizationDisplayName => 'Nom affiché',
|
||||
samlOrganizationName => 'Nom',
|
||||
samlOrganizationURL => 'URL',
|
||||
samlSPSSODescriptor => 'Fournisseur de service',
|
||||
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||
'Enable use of IDP initiated URL',
|
||||
samlServiceMetaData => 'Service SAML 2',
|
||||
samlEntityID => 'Identifiant d\'entité',
|
||||
samlOrganization => 'Organisation',
|
||||
samlOrganizationDisplayName => 'Nom affiché',
|
||||
samlOrganizationName => 'Nom',
|
||||
samlOrganizationURL => 'URL',
|
||||
samlSPSSODescriptor => 'Fournisseur de service',
|
||||
samlSPSSODescriptorAuthnRequestsSigned =>
|
||||
'Requêtes d\'authentification signées',
|
||||
samlSPSSODescriptorWantAssertionsSigned =>
|
||||
|
|
|
@ -1225,6 +1225,15 @@ sub issuerForAuthUser {
|
|||
# Create fake request if IDP initiated mode
|
||||
if ($idp_initiated) {
|
||||
|
||||
# Need sp or spConfKey parameter
|
||||
unless ( $idp_initiated_sp or $idp_initiated_spConfKey ) {
|
||||
$self->lmLog(
|
||||
"sp or spConfKey parameter needed to make IDP initiated SSO",
|
||||
'error'
|
||||
);
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
unless ($idp_initiated_sp) {
|
||||
|
||||
# Get SP from spConfKey
|
||||
|
@ -1237,6 +1246,28 @@ sub issuerForAuthUser {
|
|||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
unless ( defined $self->{_spList}->{$idp_initiated_sp} ) {
|
||||
$self->lmLog( "SP $idp_initiated_sp not known",
|
||||
'error' );
|
||||
return PE_SAML_UNKNOWN_ENTITY;
|
||||
}
|
||||
$idp_initiated_spConfKey =
|
||||
$self->{_spList}->{$idp_initiated_sp}->{confKey};
|
||||
}
|
||||
|
||||
# Check if IDP Initiated SSO is allowed
|
||||
unless (
|
||||
$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}
|
||||
->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )
|
||||
{
|
||||
$self->lmLog(
|
||||
"IDP Initiated SSO not allowed for SP $idp_initiated_spConfKey",
|
||||
'error'
|
||||
);
|
||||
return PE_SAML_SSO_ERROR;
|
||||
}
|
||||
|
||||
$result =
|
||||
$self->initIdpInitiatedAuthnRequest( $login,
|
||||
$idp_initiated_sp );
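Review bot: The allow check `$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}->{samlSPMetaDataOptionsEnableIDPInitiatedURL}` autovivifies `$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}` as an empty hash when the key is not a configured SP, so a request-supplied `spConfKey` that the lookup in the previous hunk let through would leave a stray entry in the in-memory configuration of a long-lived process (the request is still refused, since the nested value is undef). Fetching the options hash first avoids that and makes the fail-closed intent explicit: `my $spOptions = $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey};` then `unless ( $spOptions and $spOptions->{samlSPMetaDataOptionsEnableIDPInitiatedURL} ) {`. Whether the `spConfKey` branch already rejects unknown keys is not visible here, so this also presumably hardens that path; worth confirming against the code above. Note too that `$idp_initiated_sp` and `$idp_initiated_spConfKey` are echoed verbatim into error-level log lines, so a caller controls part of the log record. The enclosing `issuerForAuthUser` starts and ends outside the hunk.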
|
||||
|
|