SAML: add AllowLoginFromIDP option

Clément Oudot 2010-03-24 13:01:14 +00:00
parent 5c26f07d27
commit aa5831493a
4 changed files with 25 additions and 2 deletions


@ -364,7 +364,9 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
request</li>
<li>Allow proxied authentication: allow an authentication response to be
issued from another IDP that the one we register (proxy IDP)</li>
issued from another IDP that the one we register (proxy IDP). If you
disallow this, you should also disallow direct login form IDP, because
proxy restiction is set in authentication requests.</li>
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
etc.)</li>
@ -375,6 +377,10 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
<li>Resolution rule: Perl expression that will be evaluate to know if
this IDP is the default for the connected user. You can use for example
$ENV{ to get user's IP.</li>
<li>Allow login from IDP: allow a user to connect directly from an IDP
link. In this case, authentication is not a response to an issued
authentication request, and we have less control on conditions.</li>
</ul>
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP


@ -60,7 +60,7 @@ sub cstruct {
. ":samlIDPMetaDataXML:filearea",
samlIDPMetaDataOptions => {
_nodes => [
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule)
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP)
],
samlIDPMetaDataOptionsNameIDFormat =>
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
@ -74,6 +74,8 @@ sub cstruct {
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
samlIDPMetaDataOptionsResolutionRule =>
"textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
samlIDPMetaDataOptionsAllowLoginFromIDP =>
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
},
}
}
@ -1103,6 +1105,7 @@ sub defaultConf {
'samlIDPMetaDataOptionsSSOBinding' => '',
'samlIDPMetaDataOptionsSLOBinding' => '',
'samlIDPMetaDataOptionsResolutionRule' => '',
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
}
},
samlServicePrivateKey => '',
@ -1194,6 +1197,7 @@ sub subDefaultConf {
'samlIDPMetaDataOptionsSSOBinding' => '',
'samlIDPMetaDataOptionsSLOBinding' => '',
'samlIDPMetaDataOptionsResolutionRule' => '',
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
},
};
}
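Review bot: The new option defaults to `'1'` in both the `defaultConf` and `subDefaultConf` hunks, so every newly registered IdP accepts unsolicited, IdP-initiated logins unless an administrator opts out, while the documentation added in this same commit says that path gives "less control on conditions". For a switch that relaxes a check, off is the safer default (`'samlIDPMetaDataOptionsAllowLoginFromIDP' => '0'`), with the administrator enabling it per IdP. If `'1'` is kept deliberately, the reason deserves a comment beside the default, e.g. `# default on so IdP-initiated SSO keeps working for existing deployments; set to 0 to require a preceding authentication request`. The `cstruct`, `defaultConf` and `subDefaultConf` bodies all extend outside the hunks.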


@ -206,6 +206,7 @@ sub en {
samlIDPMetaDataOptionsForceAuthn => 'Force authentication',
samlIDPMetaDataOptionsAllowProxiedAuthn =>
'Allow proxied authentication',
samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP',
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
@ -419,6 +420,8 @@ sub fr {
samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée',
samlIDPMetaDataOptionsAllowProxiedAuthn =>
'Authentification proxy autorisée',
samlIDPMetaDataOptionsAllowLoginFromIDP =>
'Authentification depuis le fournisseur autorisée',
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',


@ -367,6 +367,16 @@ sub extractFormInfo {
}
}
# Check if we accept direct login from IDP
my $allowLoginFromIDP =
$self->{samlIDPMetaDataOptions}->{$idp}
->{samlIDPMetaDataOptionsAllowLoginFromIDP};
if ( !$assertion_responded and !$allowLoginFromIDP ) {
$self->lmLog( "Direct login from IDP $idp is not allowed",
'error' );
return PE_ERROR;
}
# Force redirection to portal if no urldc found
# (avoid displaying the whole SAML URL in user browser URL field)
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
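Review bot: The guard `if ( !$assertion_responded and !$allowLoginFromIDP )` treats an absent option (undef, as in IdP entries saved before this option existed) the same as an explicit 0, so an upgrade rejects IdP-initiated logins for those entries even though the Manager default for new entries is `'1'`; that fail-closed outcome is reasonable but should be stated, e.g. `# undef (option missing from older configurations) is treated as "not allowed"`. When the option is on, the response is accepted without a matching request, so the request/response correlation no longer protects this path; the comment `# Check if we accept direct login from IDP` could say that the remaining per-assertion checks (validity window, audience, assertion ID reuse) are then the only controls, assuming those are performed elsewhere in this function. Returning a generic `PE_ERROR` hides the reason from the user and the audit trail beyond the log line; a dedicated error code, if one exists, would be clearer. extractFormInfo starts and ends outside the hunk, and where `$assertion_responded` is set is not visible here.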