Add an option to enable IDP initiated SSO for a SP (#208)
This commit is contained in:
parent
3f7bb4b9d2
commit
40513f75d9
@ -227,10 +227,14 @@ sub cstruct {
|
|||||||
},
|
},
|
||||||
samlSPMetaDataOptionsSecurity => {
|
samlSPMetaDataOptionsSecurity => {
|
||||||
|
|
||||||
_nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
|
_nodes => [
|
||||||
|
qw(samlSPMetaDataOptionsEncryptionMode samlSPMetaDataOptionsEnableIDPInitiatedURL)
|
||||||
|
],
|
||||||
|
|
||||||
samlSPMetaDataOptionsEncryptionMode =>
|
samlSPMetaDataOptionsEncryptionMode =>
|
||||||
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
|
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:samlSPOptions:encryptionModeParams",
|
||||||
|
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||||
|
"bool:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEnableIDPInitiatedURL",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
@ -2124,6 +2128,7 @@ sub defaultConf {
|
|||||||
samlSPMetaDataOptionsSignSLOMessage => '1',
|
samlSPMetaDataOptionsSignSLOMessage => '1',
|
||||||
samlSPMetaDataOptionsCheckSLOMessageSignature => '1',
|
samlSPMetaDataOptionsCheckSLOMessageSignature => '1',
|
||||||
samlSPMetaDataOptionsEncryptionMode => 'none',
|
samlSPMetaDataOptionsEncryptionMode => 'none',
|
||||||
|
samlSPMetaDataOptionsEnableIDPInitiatedURL => '0',
|
||||||
samlSPSSODescriptorAuthnRequestsSigned => '1',
|
samlSPSSODescriptorAuthnRequestsSigned => '1',
|
||||||
samlSPSSODescriptorWantAssertionsSigned => '1',
|
samlSPSSODescriptorWantAssertionsSigned => '1',
|
||||||
samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
|
samlSPSSODescriptorSingleLogoutServiceHTTPRedirect =>
|
||||||
|
@ -452,13 +452,15 @@ sub en {
|
|||||||
samlSPMetaDataOptionsAuthnResponse => 'Authentication response',
|
samlSPMetaDataOptionsAuthnResponse => 'Authentication response',
|
||||||
samlSPMetaDataOptionsSignature => 'Signature',
|
samlSPMetaDataOptionsSignature => 'Signature',
|
||||||
samlSPMetaDataOptionsSecurity => 'Security',
|
samlSPMetaDataOptionsSecurity => 'Security',
|
||||||
samlServiceMetaData => 'SAML 2 Service',
|
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||||
samlEntityID => 'Entity Identifier',
|
'Enable use of IDP initiated URL',
|
||||||
samlOrganization => 'Organization',
|
samlServiceMetaData => 'SAML 2 Service',
|
||||||
samlOrganizationDisplayName => 'Display Name',
|
samlEntityID => 'Entity Identifier',
|
||||||
samlOrganizationName => 'Name',
|
samlOrganization => 'Organization',
|
||||||
samlOrganizationURL => 'URL',
|
samlOrganizationDisplayName => 'Display Name',
|
||||||
samlSPSSODescriptor => 'Service Provider',
|
samlOrganizationName => 'Name',
|
||||||
|
samlOrganizationURL => 'URL',
|
||||||
|
samlSPSSODescriptor => 'Service Provider',
|
||||||
samlSPSSODescriptorAuthnRequestsSigned =>
|
samlSPSSODescriptorAuthnRequestsSigned =>
|
||||||
'Signed Authentication Request',
|
'Signed Authentication Request',
|
||||||
samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
|
samlSPSSODescriptorWantAssertionsSigned => 'Want Assertions Signed',
|
||||||
@ -937,13 +939,15 @@ sub fr {
|
|||||||
samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification',
|
samlSPMetaDataOptionsAuthnResponse => 'Réponse d\'authentification',
|
||||||
samlSPMetaDataOptionsSignature => 'Signature',
|
samlSPMetaDataOptionsSignature => 'Signature',
|
||||||
samlSPMetaDataOptionsSecurity => 'Sécurité',
|
samlSPMetaDataOptionsSecurity => 'Sécurité',
|
||||||
samlServiceMetaData => 'Service SAML 2',
|
samlSPMetaDataOptionsEnableIDPInitiatedURL =>
|
||||||
samlEntityID => 'Identifiant d\'entité',
|
'Enable use of IDP initiated URL',
|
||||||
samlOrganization => 'Organisation',
|
samlServiceMetaData => 'Service SAML 2',
|
||||||
samlOrganizationDisplayName => 'Nom affiché',
|
samlEntityID => 'Identifiant d\'entité',
|
||||||
samlOrganizationName => 'Nom',
|
samlOrganization => 'Organisation',
|
||||||
samlOrganizationURL => 'URL',
|
samlOrganizationDisplayName => 'Nom affiché',
|
||||||
samlSPSSODescriptor => 'Fournisseur de service',
|
samlOrganizationName => 'Nom',
|
||||||
|
samlOrganizationURL => 'URL',
|
||||||
|
samlSPSSODescriptor => 'Fournisseur de service',
|
||||||
samlSPSSODescriptorAuthnRequestsSigned =>
|
samlSPSSODescriptorAuthnRequestsSigned =>
|
||||||
'Requêtes d\'authentification signées',
|
'Requêtes d\'authentification signées',
|
||||||
samlSPSSODescriptorWantAssertionsSigned =>
|
samlSPSSODescriptorWantAssertionsSigned =>
|
||||||
|
@ -1225,6 +1225,15 @@ sub issuerForAuthUser {
|
|||||||
# Create fake request if IDP initiated mode
|
# Create fake request if IDP initiated mode
|
||||||
if ($idp_initiated) {
|
if ($idp_initiated) {
|
||||||
|
|
||||||
|
# Need sp or spConfKey parameter
|
||||||
|
unless ( $idp_initiated_sp or $idp_initiated_spConfKey ) {
|
||||||
|
$self->lmLog(
|
||||||
|
"sp or spConfKey parameter needed to make IDP initiated SSO",
|
||||||
|
'error'
|
||||||
|
);
|
||||||
|
return PE_SAML_SSO_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
unless ($idp_initiated_sp) {
|
unless ($idp_initiated_sp) {
|
||||||
|
|
||||||
# Get SP from spConfKey
|
# Get SP from spConfKey
|
||||||
@ -1237,6 +1246,28 @@ sub issuerForAuthUser {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
unless ( defined $self->{_spList}->{$idp_initiated_sp} ) {
|
||||||
|
$self->lmLog( "SP $idp_initiated_sp not known",
|
||||||
|
'error' );
|
||||||
|
return PE_SAML_UNKNOWN_ENTITY;
|
||||||
|
}
|
||||||
|
$idp_initiated_spConfKey =
|
||||||
|
$self->{_spList}->{$idp_initiated_sp}->{confKey};
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check if IDP Initiated SSO is allowed
|
||||||
|
unless (
|
||||||
|
$self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}
|
||||||
|
->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )
|
||||||
|
{
|
||||||
|
$self->lmLog(
|
||||||
|
"IDP Initiated SSO not allowed for SP $idp_initiated_spConfKey",
|
||||||
|
'error'
|
||||||
|
);
|
||||||
|
return PE_SAML_SSO_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
$result =
|
$result =
|
||||||
$self->initIdpInitiatedAuthnRequest( $login,
|
$self->initIdpInitiatedAuthnRequest( $login,
|
||||||
$idp_initiated_sp );
|
$idp_initiated_sp );
|
||||||
|
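Review bot: The new gate `unless ( $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey}->{samlSPMetaDataOptionsEnableIDPInitiatedURL} )` fails closed (an undefined or '0' value denies, matching the '0' default added in defaultConf), but when `$idp_initiated_spConfKey` arrives via the spConfKey branch whose body lies outside this hunk, the nested read autovivifies an empty `samlSPMetaDataOptions` entry for any confKey that is not a configured SP; unless that branch is confirmed to reject unknown keys, fetch the options first, `my $sp_options = $self->{samlSPMetaDataOptions}->{$idp_initiated_spConfKey};` and test `unless ( $sp_options and $sp_options->{samlSPMetaDataOptionsEnableIDPInitiatedURL} ) {`, which also avoids the duplicated hash path. The error messages interpolate `$idp_initiated_sp` and `$idp_initiated_spConfKey` before either is validated; the comment in the previous hunk says these are request parameters, so consider trimming or length-limiting them before they are written to the log. In the else branch, `$self->{_spList}->{$idp_initiated_sp}` is looked up twice; a single `my $sp_entry = $self->{_spList}->{$idp_initiated_sp};` reused for the `defined` check and the confKey read reads more clearly. issuerForAuthUser starts and ends outside this hunk.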