From 40513f75d9db9f8c848777967340b6dee72332c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Sun, 9 Feb 2014 21:32:11 +0000
Subject: [PATCH] Add an option to enable IDP initiated SSO for a SP (#208)
---
 .../lib/Lemonldap/NG/Manager/_Struct.pm | 7 +++-
 .../lib/Lemonldap/NG/Manager/_i18n.pm | 32 +++++++++++--------
 .../lib/Lemonldap/NG/Portal/IssuerDBSAML.pm | 31 ++++++++++++++++++
 3 files changed, 55 insertions(+), 15 deletions(-)
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index ebe6c533e..70887fc21 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -227,10 +227,14 @@ sub cstruct {
 },
 samlSPMetaDataOptionsSecurity => {
- _nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
+ _nodes => [
+ qw(samlSPMetaDataOptionsEncryptionMode samlSPMetaDataOptionsEnableIDPInitiatedURL)
+ ],
 samlSPMetaDataOptionsEncryptionMode => "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
+ samlSPMetaDataOptionsEnableIDPInitiatedURL =>
+"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEnableIDPInitiatedURL",
 },
 },
 }
@@ -2124,6 +2128,7 @@ sub defaultConf {
 samlSPMetaDataOptionsSignSLOMessage => '1',
 samlSPMetaDataOptionsCheckSLOMessageSignature => '1',
 samlSPMetaDataOptionsEncryptionMode => 'none',
+ samlSPMetaDataOptionsEnableIDPInitiatedURL => '0',
 samlSPSSODescriptorAuthnRequestsSigned => '1',
 samlSPSSODescriptorWantAssertionsSigned => '1',
 samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 968971a36..1a68bf94c 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -452,13 +452,15 @@ sub en {
 samlSPMetaDataOptionsAuthnResponse => 'Authentication response',
 samlSPMetaDataOptionsSignature => 'Signature',
 samlSPMetaDataOptionsSecurity => 'Security',
- samlServiceMetaData => 'SAML 2 Service',
- samlEntityID => 'Entity Identifier',
- samlOrganization => 'Organization',
- samlOrganizationDisplayName => 'Display Name',
- samlOrganizationName => 'Name',
- samlOrganizationURL => 'URL',
- samlSPSSODescriptor => 'Service Provider',
+ samlSPMetaDataOptionsEnableIDPInitiatedURL =>
+ 'Enable use of IDP initiated URL',
+ samlServiceMetaData => 'SAML 2 Service',
+ samlEntityID => 'Entity Identifier',
+ samlOrganization => 'Organization',
+ samlOrganizationDisplayName => 'Display Name',
+ samlOrganizationName => 'Name',
+ samlOrganizationURL => 'URL',
+ samlSPSSODescriptor => 'Service Provider',
 samlSPSSODescriptorAuthnRequestsSigned => 'Signed Authentication Request', samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
@@ -937,13 +939,15 @@ sub fr {
 samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification',
 samlSPMetaDataOptionsSignature => 'Signature',
 samlSPMetaDataOptionsSecurity => 'Sécurité',
- samlServiceMetaData => 'Service SAML 2',
- samlEntityID => 'Identifiant d\'entité',
- samlOrganization => 'Organisation',
- samlOrganizationDisplayName => 'Nom affiché',
- samlOrganizationName => 'Nom',
- samlOrganizationURL => 'URL',
- samlSPSSODescriptor => 'Fournisseur de service',
+ samlSPMetaDataOptionsEnableIDPInitiatedURL =>
+ 'Enable use of IDP initiated URL',
+ samlServiceMetaData => 'Service SAML 2',
+ samlEntityID => 'Identifiant d\'entité',
+ samlOrganization => 'Organisation',
+ samlOrganizationDisplayName => 'Nom affiché',
+ samlOrganizationName => 'Nom',
+ samlOrganizationURL => 'URL',
+ samlSPSSODescriptor => 'Fournisseur de service',
 samlSPSSODescriptorAuthnRequestsSigned =>
 'Requêtes d\'authentification signées',
 samlSPSSODescriptorWantAssertionsSigned =>
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
index 482c40922..25211e31f 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@@ -1225,6 +1225,15 @@ sub issuerForAuthUser {
 # Create fake request if IDP initiated mode
 if ($idp_initiated) {
+ # Need sp or spConfKey parameter
+ unless ( $idp_initiated_sp or $idp_initiated_spConfKey ) {
+ $self->lmLog(
+"sp or spConfKey parameter needed to make IDP initiated SSO",
+ 'error'
+ );
+ return PE_SAML_SSO_ERROR;
+ }
+
 unless ($idp_initiated_sp) {
 # Get SP from spConfKey
@@ -1237,6 +1246,28 @@ sub issuerForAuthUser {
 }
 }
 }
+ else {
+ unless ( defined $self->{_spList}->{$idp_initiated_sp} ) {
+ $self->lmLog( "SP $idp_initiated_sp not known",
+ 'error' );
+ return PE_SAML_UNKNOWN_ENTITY;
+ }
+ $idp_initiated_spConfKey =
+ $self->{_spList}->{$idp_initiated_sp}->{confKey};
+ }
+
+ # Check if IDP Initiated SSO is allowed
+ unless (
+ $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}
+ ->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )
+ {
+ $self->lmLog(
+"IDP Initiated SSO not allowed for SP $idp_initiated_spConfKey",
+ 'error'
+ );
+ return PE_SAML_SSO_ERROR;
+ }
+
 $result = $self->initIdpInitiatedAuthnRequest( $login, $idp_initiated_sp );
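Review bot: The allow-list check added before initIdpInitiatedAuthnRequest reads `$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}->{samlSPMetaDataOptionsEnableIDPInitiatedURL}` through two arrows, so a confKey that has no options entry autovivifies an empty hash under samlSPMetaDataOptions as a side effect of the rvalue lookup; fetching the outer level first, `my $sp_opts = $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey} || {};`, and testing `$sp_opts->{samlSPMetaDataOptionsEnableIDPInitiatedURL}` avoids that. Whether an unknown confKey can reach this point depends on the spConfKey lookup between the two hunks, which is outside the diff. The new `else` attaches to `unless ($idp_initiated_sp)`, an unless/else form that Perl::Critic discourages; writing it as `if ($idp_initiated_sp) { … } else { … }` would read more plainly. Both new error messages interpolate request-supplied values (`$idp_initiated_sp`, `$idp_initiated_spConfKey`), so they rely on lmLog stripping control characters before writing the log; if it does not, the values should be sanitized at the call site. issuerForAuthUser begins and ends outside the hunk.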