Add an option to enable IDP initiated SSO for a SP (#208)

This commit is contained in:
Clément Oudot 2014-02-09 21:32:11 +00:00
parent 3f7bb4b9d2
commit 40513f75d9
3 changed files with 55 additions and 15 deletions


@ -227,10 +227,14 @@ sub cstruct {
}, },
samlSPMetaDataOptionsSecurity => { samlSPMetaDataOptionsSecurity => {
_nodes => [qw(samlSPMetaDataOptionsEncryptionMode)], _nodes => [
qw(samlSPMetaDataOptionsEncryptionMode samlSPMetaDataOptionsEnableIDPInitiatedURL)
],
samlSPMetaDataOptionsEncryptionMode => samlSPMetaDataOptionsEncryptionMode =>
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams", "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEnableIDPInitiatedURL",
}, },
}, },
} }
@ -2124,6 +2128,7 @@ sub defaultConf {
samlSPMetaDataOptionsSignSLOMessage => '1', samlSPMetaDataOptionsSignSLOMessage => '1',
samlSPMetaDataOptionsCheckSLOMessageSignature => '1', samlSPMetaDataOptionsCheckSLOMessageSignature => '1',
samlSPMetaDataOptionsEncryptionMode => 'none', samlSPMetaDataOptionsEncryptionMode => 'none',
samlSPMetaDataOptionsEnableIDPInitiatedURL => '0',
samlSPSSODescriptorAuthnRequestsSigned => '1', samlSPSSODescriptorAuthnRequestsSigned => '1',
samlSPSSODescriptorWantAssertionsSigned => '1', samlSPSSODescriptorWantAssertionsSigned => '1',
samlSPSSODescriptorSingleLogoutServiceHTTPRedirect => samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>


@ -452,6 +452,8 @@ sub en {
samlSPMetaDataOptionsAuthnResponse => 'Authentication response', samlSPMetaDataOptionsAuthnResponse => 'Authentication response',
samlSPMetaDataOptionsSignature => 'Signature', samlSPMetaDataOptionsSignature => 'Signature',
samlSPMetaDataOptionsSecurity => 'Security', samlSPMetaDataOptionsSecurity => 'Security',
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
'Enable use of IDP initiated URL',
samlServiceMetaData => 'SAML 2 Service', samlServiceMetaData => 'SAML 2 Service',
samlEntityID => 'Entity Identifier', samlEntityID => 'Entity Identifier',
samlOrganization => 'Organization', samlOrganization => 'Organization',
@ -937,6 +939,8 @@ sub fr {
samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification', samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification',
samlSPMetaDataOptionsSignature => 'Signature', samlSPMetaDataOptionsSignature => 'Signature',
samlSPMetaDataOptionsSecurity => 'Sécurité', samlSPMetaDataOptionsSecurity => 'Sécurité',
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
'Enable use of IDP initiated URL',
samlServiceMetaData => 'Service SAML 2', samlServiceMetaData => 'Service SAML 2',
samlEntityID => 'Identifiant d\'entité', samlEntityID => 'Identifiant d\'entité',
samlOrganization => 'Organisation', samlOrganization => 'Organisation',


@ -1225,6 +1225,15 @@ sub issuerForAuthUser {
# Create fake request if IDP initiated mode # Create fake request if IDP initiated mode
if ($idp_initiated) { if ($idp_initiated) {
# Need sp or spConfKey parameter
unless ( $idp_initiated_sp or $idp_initiated_spConfKey ) {
$self->lmLog(
"sp or spConfKey parameter needed to make IDP initiated SSO",
'error'
);
return PE_SAML_SSO_ERROR;
}
unless ($idp_initiated_sp) { unless ($idp_initiated_sp) {
# Get SP from spConfKey # Get SP from spConfKey
@ -1237,6 +1246,28 @@ sub issuerForAuthUser {
} }
} }
} }
else {
unless ( defined $self->{_spList}->{$idp_initiated_sp} ) {
$self->lmLog( "SP $idp_initiated_sp not known",
'error' );
return PE_SAML_UNKNOWN_ENTITY;
}
$idp_initiated_spConfKey =
$self->{_spList}->{$idp_initiated_sp}->{confKey};
}
# Check if IDP Initiated SSO is allowed
unless (
$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}
->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )
{
$self->lmLog(
"IDP Initiated SSO not allowed for SP $idp_initiated_spConfKey",
'error'
);
return PE_SAML_SSO_ERROR;
}
$result = $result =
$self->initIdpInitiatedAuthnRequest( $login, $self->initIdpInitiatedAuthnRequest( $login,
$idp_initiated_sp ); $idp_initiated_sp );
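Review bot: The new allow-check `unless ( $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )` in the second hunk of issuerForAuthUser autovivifies `$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}` as an empty hash whenever the key is unknown, so a request carrying an unrecognised spConfKey leaves a stray entry in the configuration hash (the check itself still fails closed, since undef is false, and the '0' default added in the first file keeps the feature opt-in). Fetching the options hash first avoids that side effect: `my $sp_opts = $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey} || {};` followed by `unless ( $sp_opts->{samlSPMetaDataOptionsEnableIDPInitiatedURL} ) {`. Whether spConfKey is validated before reaching this point depends on the "Get SP from spConfKey" branch, whose body lies outside the hunk, so the spConfKey path should be confirmed to reject unknown keys the way the new sp branch does with PE_SAML_UNKNOWN_ENTITY. The error log lines interpolate the request-supplied `$idp_initiated_sp` / `$idp_initiated_spConfKey` verbatim; if lmLog does not strip control characters, consider quoting or sanitising the value so log parsers cannot be confused by injected newlines. issuerForAuthUser starts and ends outside this hunk.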