SAML: check OneTimeUse and Issuer (for proxy test)

This commit is contained in:
Clément Oudot 2010-03-05 15:23:49 +00:00
parent 8f82f47231
commit 8d1793b7bc


@ -327,10 +327,15 @@ sub extractFormInfo {
}
# Check OneTimeUse flag
# TODO
my $oneTimeUse = $assertion->Conditions()->OneTimeUse();
# Check ProxyRestriction flag
# TODO
if ($oneTimeUse) {
$self->lmLog( "Found oneTimeUse flag in assertion conditions",
'debug' );
# Set a small cookie duration
$self->{cookieExpiration} = "+1m";
}
# Extract RelayState information
if ( $self->extractRelayState($relaystate) ) {
@ -362,6 +367,32 @@ sub extractFormInfo {
}
}
# Check if assertion was proxied
# This mean the Issuer is not our IDP entityID
my $allowProxiedAuthn =
$self->{samlIDPMetaDataOptions}->{$idp}
->{samlIDPMetaDataOptionsAllowProxiedAuthn};
unless ($allowProxiedAuthn) {
$self->lmLog(
"Proxied authentication are not allowed, check Assertion Issuer",
'debug'
);
my $assertion_issuer = $assertion->Issuer()->content();
$self->lmLog(
"Found Issuer $assertion_issuer in $idp Assertion",
'debug' );
if (
$assertion_issuer ne $self->{_idpList}->{$idp}->{entityID} )
{
$self->lmLog(
"Assertion was proxied, and this is not allowed for IDP $idp",
'error'
);
return PE_ERROR;
}
}
# Force redirection to portal if no urldc found
# (avoid displaying the whole SAML URL in user browser URL field)
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
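Review bot: The Issuer check dereferences `$assertion->Issuer()->content()` without confirming that `Issuer()` returned an object, so an assertion lacking an Issuer element (or one the parser could not map) would presumably die inside extractFormInfo instead of being rejected with PE_ERROR; the same shape appears in the first hunk with `$assertion->Conditions()->OneTimeUse()`, which will also die when the assertion carries no Conditions element. I would guard both with an explicit check, e.g. `my $issuer_el = $assertion->Issuer(); return PE_ERROR unless $issuer_el;` before reading `content()`, and `my $conditions = $assertion->Conditions();` followed by `my $oneTimeUse = $conditions ? $conditions->OneTimeUse() : 0;`. The OneTimeUse branch only shortens the cookie lifetime; a comment such as `# OneTimeUse is honoured by shortening the session cookie; the assertion itself is not tracked, so a replay within that window is not detected here` would make the limits of the check visible, and the ProxyRestriction TODO above it remains open. extractFormInfo starts and ends outside these hunks.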