Merge branch 'fix-proxyrestriction-2801' into 'v2.0'
Remove broken samlIDPMetaDataOptionsAllowProxiedAuthn option. See merge request lemonldap-ng/lemonldap-ng!292
579f0c70ca
|
@ -121,10 +121,6 @@ Authentication request
|
|||
request
|
||||
- **Passive authentication**: set IsPassive flag in authentication
|
||||
request
|
||||
- **Allow proxied authentication**: allow an authentication response to
|
||||
be issued from another IDP that the one we register (proxy IDP). If
|
||||
you disallow this, you should also disallow direct login form IDP,
|
||||
because proxy restriction is set in authentication requests.
|
||||
- **Allow login from IDP**: allow a user to connect directly from an
|
||||
IDP link. In this case, authentication is not a response to an issued
|
||||
authentication request, and we have less control on conditions.
|
||||
|
|
|
@ -75,7 +75,6 @@ Adapt IDP options, for example:
|
|||
my $idpOptions = {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
|
|
@ -31,7 +31,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
|
|||
);
|
||||
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|ScopeRule|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|c(?:a(?:s(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|ptchaOptions)|(?:ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)s)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
|
||||
our $arrayParameters = qr/^mySessionAuthorizedRWKeys$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnectedBypassFG|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Logout(?:SessionRequired|BypassConfirm)|Re(?:freshToken|quirePKCE)|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ew
LocationWarning)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|memberDefaultChecked|freshSessions)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|to(?:tp2f(?:UserCanRemoveKey|EncryptSecret)|kenUseGlobalStorage)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|w(?:ebauthn2fUserCanRemoveKey|sdlServer)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|findUser)$/;
|
||||
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:daptSessionUtime|llowLoginFromIDP)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnectedBypassFG|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Logout(?:SessionRequired|BypassConfirm)|Re(?:freshToken|quirePKCE)|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ewLocationWarning)|
re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|memberDefaultChecked|freshSessions)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|to(?:tp2f(?:UserCanRemoveKey|EncryptSecret)|kenUseGlobalStorage)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|w(?:ebauthn2fUserCanRemoveKey|sdlServer)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|findUser)$/;
|
||||
|
||||
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:(?:UserAttribut|Servic
|
|||
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:Re(?:solutionRule|new)|ProxiedServices|DisplayName|SortNumber|Gateway|Icon|Url)|ExportedVars)';
|
||||
our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)|heckJWTSignature|onfigurationURI)|S(?:toreIDToken|ortNumber|cope)|(?:ResolutionRul|MaxAg)e|TokenEndpointAuthMethod|(?:JWKSTimeou|Promp)t|I(?:DTokenMaxAge|con)|U(?:iLocales|seNonce)|Display(?:Name)?|AcrValues)|ExportedVars|J(?:SON|WKS))';
|
||||
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|Logout(?:SessionRequired|BypassConfirm|Type|Url)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
|
||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
|
||||
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|Re(?:questedAuthnContext|solutionRule|layStateURL)|A(?:daptSessionUtime|llowLoginFromIDP)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
|
||||
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
|
||||
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|DevOpsRulesUrl|Https|Port)|(?:exportedHeader|locationRule)s|post)';
|
||||
|
||||
|
|
|
@ -121,7 +121,6 @@ my $spOptions = {
|
|||
my $idpOptions = {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
|
|
@ -91,7 +91,7 @@ is(
|
|||
$lmConf->{samlSPMetaDataOptions}->{$sp}
|
||||
->{samlSPMetaDataOptionsCheckSSOMessageSignature} = 0;
|
||||
$lmConf->{samlIDPMetaDataOptions}->{$idp}
|
||||
->{samlIDPMetaDataOptionsAllowProxiedAuthn} = 1;
|
||||
->{samlIDPMetaDataOptionsAllowLoginFromIDP} = 1;
|
||||
( $spCounters, $idpCounters ) = transform_config( $importConf, $lmConf, $xml );
|
||||
|
||||
# Check statistics
|
||||
|
@ -126,7 +126,7 @@ is(
|
|||
);
|
||||
is(
|
||||
$lmConf->{samlIDPMetaDataOptions}->{$idp}
|
||||
->{samlIDPMetaDataOptionsAllowProxiedAuthn},
|
||||
->{samlIDPMetaDataOptionsAllowLoginFromIDP},
|
||||
0, "Configuration was updated"
|
||||
);
|
||||
|
||||
|
|
|
@ -3405,10 +3405,6 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
|
|||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => {
|
||||
'default' => 0,
|
||||
'type' => 'bool'
|
||||
},
|
||||
'samlIDPMetaDataOptionsCheckAudience' => {
|
||||
'default' => 1,
|
||||
'type' => 'bool'
|
||||
|
|
|
@ -3042,10 +3042,6 @@ sub attributes {
|
|||
type => 'bool',
|
||||
default => 0,
|
||||
},
|
||||
samlIDPMetaDataOptionsAllowProxiedAuthn => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
},
|
||||
samlIDPMetaDataOptionsAllowLoginFromIDP => {
|
||||
type => 'bool',
|
||||
default => 0,
|
||||
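Review bot: Removing `samlIDPMetaDataOptionsAllowProxiedAuthn` from `attributes` leaves nothing that says what happens to a stored configuration that still contains the key: the regenerated `$boolKeys` and `$samlIDPMetaDataNodeKeys` in the Constants sections no longer match it, and no upgrade or migration step appears anywhere in this commit. Whether the Manager's configuration parser silently ignores or rejects an unknown samlIDPMetaDataOptions key cannot be told from these hunks, so either confirm it is ignored or add an upgrade note stating that the key is dropped on the next save. `sub attributes` starts before and continues after the hunk.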
|
|
|
@ -85,7 +85,6 @@ sub cTrees {
|
|||
'samlIDPMetaDataOptionsNameIDFormat',
|
||||
'samlIDPMetaDataOptionsForceAuthn',
|
||||
'samlIDPMetaDataOptionsIsPassive',
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn',
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP',
|
||||
'samlIDPMetaDataOptionsRequestedAuthnContext',
|
||||
'samlIDPMetaDataOptionsRelayStateURL',
|
||||
|
|
|
@ -1059,13 +1059,6 @@ function templates(tpl,key) {
|
|||
"title" : "samlIDPMetaDataOptionsIsPassive",
|
||||
"type" : "bool"
|
||||
},
|
||||
{
|
||||
"default" : 0,
|
||||
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",
|
||||
"id" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowProxiedAuthn",
|
||||
"title" : "samlIDPMetaDataOptionsAllowProxiedAuthn",
|
||||
"type" : "bool"
|
||||
},
|
||||
{
|
||||
"default" : 0,
|
||||
"get" : tpl+"s/"+key+"/"+"samlIDPMetaDataOptionsAllowLoginFromIDP",
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"الخيارات",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"تكييف صلحية الجلسة",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"السماح بتسجيل الدخول من IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"سماح تَوْكِيل إثبات الهوية",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"طلب إثبات الهوية",
|
||||
"samlIDPMetaDataOptionsBinding":"ربط",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"تحقق من شروط السمع",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"خدمة أل يو أر ل",
|
||||
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
|
||||
"zeroConfExplanations":"لا يحتوي الخادم على إعدادات. استخدام قالب لحفظ الأول"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Options",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Adapt session lifetime",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Allow login from IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Allow proxied authentication",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Authentication request",
|
||||
"samlIDPMetaDataOptionsBinding":"Binding",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Check audience conditions",
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Opciones",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Adapt session lifetime",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Allow login from IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Allow proxied authentication",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Authentication request",
|
||||
"samlIDPMetaDataOptionsBinding":"Binding",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Check audience conditions",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"URL de servicio",
|
||||
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
|
||||
"zeroConfExplanations":"Server has no configuration. Use template to save the first."
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Options",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Adapatation de la durée de vie de la session",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Authentification depuis le fournisseur autorisée",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Authentification proxy autorisée",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Requête d'authentification",
|
||||
"samlIDPMetaDataOptionsBinding":"Méthode",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Vérifier les conditions d'audience",
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"אפשרויות",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Adapt session lifetime",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"לאפשר כניסה מ־IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Allow proxied authentication",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"בקשת אימות",
|
||||
"samlIDPMetaDataOptionsBinding":"איגוד",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"בדיקת מצב הקהל",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"כתובת שירות",
|
||||
"yubikey2fUserCanRemoveKey":"לאפשר למשתמש להסיר Yubikey",
|
||||
"zeroConfExplanations":"Server has no configuration. Use template to save the first."
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Opzioni",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Adatta la durata della sessione",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Consenti l'accesso da IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Consenti l'autenticazione proxied",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Richiesta di autenticazione",
|
||||
"samlIDPMetaDataOptionsBinding":"Vincolante",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Controllare le condizioni del pubblico",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"URL del servizio",
|
||||
"yubikey2fUserCanRemoveKey":"Autorizza l'utente a rimuovere la Yubikey",
|
||||
"zeroConfExplanations":"Il server non ha alcuna configurazione. Utilizza il modello per salvare il primo."
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Opcje",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Dostosuj czas życia sesji",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Zezwalaj na logowanie od IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Zezwalaj na uwierzytelnianie proxy",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Żądanie uwierzytelnienia",
|
||||
"samlIDPMetaDataOptionsBinding":"Przywiązania",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Sprawdź warunki widowni",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"URL usługi",
|
||||
"yubikey2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć Yubikey",
|
||||
"zeroConfExplanations":"Serwer nie ma konfiguracji. Użyj szablonu, aby zapisać pierwszy."
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Seçenekler",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Oturum kullanım ömrünü uyarla",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"IDP'den girişe izin ver",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Vekilleştirilmiş doğrulamaya izin ver",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Doğrulama isteği",
|
||||
"samlIDPMetaDataOptionsBinding":"Bağlayıcı",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Hedef kitle koşullarını kontrol et",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"Servis URL'si",
|
||||
"yubikey2fUserCanRemoveKey":"Yubikey'i kaldırmak için kullanıcıya izin ver",
|
||||
"zeroConfExplanations":"Sunucunun yapılandırması yok. Şimdi bir tane kaydetmek için şablonu kullanın."
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"Tùy chọn",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"Tương thích phiên toàn bộ thời gian",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"Cho phép đăng nhập từ IDP",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"Cho phép xác thực qua proxy",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"Yêu cầu xác thực",
|
||||
"samlIDPMetaDataOptionsBinding":"Liên kết",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"Điều kiện kiểm tra đối tượng",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"Dịch vụ URL",
|
||||
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
|
||||
"zeroConfExplanations":"Máy chủ không có cấu hình. Sử dụng mẫu để lưu đầu tiên. "
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"选项",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"調整工作階段壽命",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"允許從 IDP 登入",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"允許代理驗證",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"驗證請求",
|
||||
"samlIDPMetaDataOptionsBinding":"綁定",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"檢查觀眾條件",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"服务 URL",
|
||||
"yubikey2fUserCanRemoveKey":"允許使用者移除 Yubikey",
|
||||
"zeroConfExplanations":"伺服器未設定。使用飯本來儲存第一個。"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -956,7 +956,6 @@
|
|||
"samlIDPMetaDataOptions":"選項",
|
||||
"samlIDPMetaDataOptionsAdaptSessionUtime":"調整工作階段壽命",
|
||||
"samlIDPMetaDataOptionsAllowLoginFromIDP":"允許從 IDP 登入",
|
||||
"samlIDPMetaDataOptionsAllowProxiedAuthn":"允許代理驗證",
|
||||
"samlIDPMetaDataOptionsAuthnRequest":"驗證請求",
|
||||
"samlIDPMetaDataOptionsBinding":"綁定",
|
||||
"samlIDPMetaDataOptionsCheckAudience":"檢查觀眾條件",
|
||||
|
@ -1263,4 +1262,4 @@
|
|||
"yubikey2fUrl":"服務 URL",
|
||||
"yubikey2fUserCanRemoveKey":"允許使用者移除 Yubikey",
|
||||
"zeroConfExplanations":"伺服器未設定。使用飯本來儲存第一個。"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1026,10 +1026,6 @@ sub extractFormInfo {
|
|||
->{samlIDPMetaDataOptionsNameIDFormat};
|
||||
$nameIDFormat = $self->getNameIDFormat($nameIDFormat) if $nameIDFormat;
|
||||
|
||||
# IDP ProxyRestriction
|
||||
my $allowProxiedAuthn = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsAllowProxiedAuthn};
|
||||
|
||||
# IDP HTTP method
|
||||
my $method = $self->conf->{samlIDPMetaDataOptions}->{$idpConfKey}
|
||||
->{samlIDPMetaDataOptionsSSOBinding};
|
||||
|
@ -1068,7 +1064,7 @@ sub extractFormInfo {
|
|||
my $login = $self->createAuthnRequest(
|
||||
$req, $self->lassoServer, $idp,
|
||||
$method, $forceAuthn, $isPassive,
|
||||
$nameIDFormat, $allowProxiedAuthn, $signSSOMessage,
|
||||
$nameIDFormat, 0, $signSSOMessage,
|
||||
$requestedAuthnContext
|
||||
);
|
||||
|
||||
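Review bot: The bare `0` in the new call line `$nameIDFormat, 0, $signSSOMessage,` gives no hint which parameter of createAuthnRequest it fills; the only explanation is the `@param allowProxiedAuthn` comment in the other file section, so a reader of this call site will not know the slot is the retired proxy flag. Name it where it is passed, e.g. split the line as `$nameIDFormat,` / `0,    # allowProxiedAuthn: ignored, slot kept so the signature is unchanged` / `$signSSOMessage,`. The first hunk also drops the `# IDP ProxyRestriction` read of the option, so this sub no longer consults the configuration for it at all, which is consistent with the second hunk. `sub extractFormInfo` starts before and continues after both hunks.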
|
|
|
@ -875,7 +875,7 @@ sub resetProviderIdIndex {
|
|||
# @param forceAuthn force authentication on IDP
|
||||
# @param isPassive require passive authentication
|
||||
# @param nameIDFormat SAML2 NameIDFormat
|
||||
# @param allowProxiedAuthn allow proxy on IDP
|
||||
# @param allowProxiedAuthn allow proxy on IDP // Not used anymore but kept to avoid API break
|
||||
# @param signSSOMessage sign request
|
||||
# @param requestedAuthnContext authentication context
|
||||
# @return Lasso::Login object
|
||||
|
@ -981,24 +981,6 @@ sub createAuthnRequest {
|
|||
$request->IsPassive(1);
|
||||
}
|
||||
|
||||
# Allow proxy
|
||||
unless ($allowProxiedAuthn) {
|
||||
$self->logger->debug("Do not allow this request to be proxied");
|
||||
eval {
|
||||
my $proxyRestriction = Lasso::Saml2ProxyRestriction->new();
|
||||
$proxyRestriction->Audience($idp);
|
||||
$proxyRestriction->Count(0);
|
||||
my $conditions = $request->Conditions()
|
||||
|| Lasso::Saml2Conditions->new();
|
||||
$conditions->ProxyRestriction($proxyRestriction);
|
||||
$request->Conditions($conditions);
|
||||
};
|
||||
if ($@) {
|
||||
$self->checkLassoError($@);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
# Signature
|
||||
if ( $signSSOMessage == 0 ) {
|
||||
$self->logger->debug("SSO request will not be signed");
|
||||
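Review bot: Deleting the whole `unless ($allowProxiedAuthn)` block means createAuthnRequest no longer adds a `Conditions/ProxyRestriction` with `Count(0)` to any AuthnRequest, whereas before this commit the restriction was emitted whenever the option was unset, which the removed attribute definition shows was the default (`default => 0`). That is a wire-level change for every SP deployment rather than just removal of a dead option, and nothing in the commit records it; a short comment where the block was, such as `# No ProxyRestriction is requested; acceptance of a proxied assertion relies on the response-side checks (CheckSSOMessageSignature, CheckAudience)`, would make the intent explicit, and the claim about the response-side checks should be confirmed against the assertion-validation code, which is not in this commit. In the parameter comment hunk, `// Not used anymore but kept to avoid API break` mixes C-style comment syntax into a Perl `#` comment; `# @param allowProxiedAuthn ignored (kept only so the positional signature is unchanged)` reads cleanly. `sub createAuthnRequest` continues outside both hunks.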
|
|
|
@ -7,7 +7,7 @@ use Exporter 'import';
|
|||
our $VERSION = '2.0.15';
|
||||
|
||||
use constant HANDLER => 'Lemonldap::NG::Handler::PSGI::Main';
|
||||
use constant URIRE =>
|
||||
use constant URIRE =>
|
||||
qr{(((?^:https?))://((?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9]|[a-zA-Z])[.]?)|(?:[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+)))(?::((?:[0-9]*)))?(/(((?:(?:(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)(?:;(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*))*)(?:/(?:(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)(?:;(?:(?:[a-zA-Z0-9\-_.!~*'():\@&=+\$,]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*))*))*))(?:[?]((?:(?:[;/?:\@&=+\$,a-zA-Z0-9\-_.!~*'()]+|(?:%[a-fA-F0-9][a-fA-F0-9]))*)))?))?)};
|
||||
use constant {
|
||||
PE_IDPCHOICE => -5,
|
||||
|
|
|
@ -289,7 +289,6 @@ sub proxy {
|
|||
'idp' => {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
@ -390,7 +389,6 @@ sub sp {
|
|||
'proxy' => {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
|
|
@ -368,7 +368,6 @@ sub op {
|
|||
'idp' => {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
|
|
@ -372,7 +372,6 @@ sub op {
|
|||
'idp' => {
|
||||
'samlIDPMetaDataOptionsAdaptSessionUtime' => 0,
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => 0,
|
||||
'samlIDPMetaDataOptionsAllowProxiedAuthn' => 0,
|
||||
'samlIDPMetaDataOptionsCheckAudience' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
|
||||
'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
|
||||
|
|