From aa5831493a02b03c8039b2491d580d1c275e00cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?= Date: Wed, 24 Mar 2010 13:01:14 +0000 Subject: [PATCH] SAML: add AllowLoginFromIDP option --- .../doc/4.5-SAML-authentication-backend.html | 8 +++++++- .../lib/Lemonldap/NG/Manager/_Struct.pm | 6 +++++- .../lib/Lemonldap/NG/Manager/_i18n.pm | 3 +++ .../lib/Lemonldap/NG/Portal/AuthSAML.pm | 10 ++++++++++ 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html index 1a07d68e8..7a484ce75 100644 --- a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html +++ b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html @@ -364,7 +364,9 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem request
  • Allow proxied authentication: allow an authentication response to be - issued from another IDP that the one we register (proxy IDP)
  • + issued from another IDP that the one we register (proxy IDP). If you + disallow this, you should also disallow direct login form IDP, because + proxy restiction is set in authentication requests.
  • SSO binding: force binding to use for SSO (http-redirect, http-post, etc.)
  • @@ -375,6 +377,10 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
  • Resolution rule: Perl expression that will be evaluate to know if this IDP is the default for the connected user. You can use for example $ENV{ to get user's IP.
  • + +
  • Allow login from IDP: allow a user to connect directly from an IDP + link. In this case, authentication is not a response to an issued + authentication request, and we have less control on conditions.
  • Partner IDP
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index 6af012468..330fee827 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -60,7 +60,7 @@ sub cstruct {
 . ":samlIDPMetaDataXML:filearea",
 samlIDPMetaDataOptions => {
 _nodes => [
- qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule)
+ qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP)
 ],
 samlIDPMetaDataOptionsNameIDFormat =>
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
@@ -74,6 +74,8 @@ sub cstruct {
 "text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
 samlIDPMetaDataOptionsResolutionRule =>
 "textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
+ samlIDPMetaDataOptionsAllowLoginFromIDP =>
+"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
 },
 }
 }
@@ -1103,6 +1105,7 @@ sub defaultConf {
 'samlIDPMetaDataOptionsSSOBinding' => '',
 'samlIDPMetaDataOptionsSLOBinding' => '',
 'samlIDPMetaDataOptionsResolutionRule' => '',
+ 'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
 }
 },
 samlServicePrivateKey => '',
@@ -1194,6 +1197,7 @@ sub subDefaultConf {
 'samlIDPMetaDataOptionsSSOBinding' => '',
 'samlIDPMetaDataOptionsSLOBinding' => '',
 'samlIDPMetaDataOptionsResolutionRule' => '',
+ 'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
 },
 };
 }
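Review bot: `samlIDPMetaDataOptionsAllowLoginFromIDP` is given the permissive default `'1'` in both the `defaultConf` and `subDefaultConf` hunks, so every IdP entry created through the manager keeps accepting IdP-initiated (unsolicited) responses unless an administrator explicitly turns it off. The option exists precisely because such logins give the SP less control over the authentication conditions (as the accompanying documentation says), so the reason for defaulting to allow — presumably compatibility with existing deployments — belongs next to the value: `# '1' keeps IdP-initiated login enabled for existing setups; set '0' to accept only responses to our own requests`. The bodies of `defaultConf` and `subDefaultConf` start and end outside the hunks.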
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm index 335c2892a..71b8fd1fe 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm @@ -206,6 +206,7 @@ sub en { samlIDPMetaDataOptionsForceAuthn => 'Force authentication', samlIDPMetaDataOptionsAllowProxiedAuthn => 'Allow proxied authentication', + samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP', samlIDPMetaDataOptionsSSOBinding => 'SSO binding', samlIDPMetaDataOptionsSLOBinding => 'SLO binding', samlIDPMetaDataOptionsResolutionRule => 'Resolution rule', @@ -419,6 +420,8 @@ sub fr { samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée', samlIDPMetaDataOptionsAllowProxiedAuthn => 'Authentification proxy autorisée', + samlIDPMetaDataOptionsAllowLoginFromIDP => + 'Authentification depuis le fournisseur autorisée', samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO', samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO', samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution', diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm index 808f4aaad..d79961d0a 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm @@ -367,6 +367,16 @@ sub extractFormInfo { } } + # Check if we accept direct login from IDP + my $allowLoginFromIDP = + $self->{samlIDPMetaDataOptions}->{$idp} + ->{samlIDPMetaDataOptionsAllowLoginFromIDP}; + if ( !$assertion_responded and !$allowLoginFromIDP ) { + $self->lmLog( "Direct login from IDP $idp is not allowed", + 'error' ); + return PE_ERROR; + } + # Force redirection to portal if no urldc found # (avoid displaying the whole SAML URL in user browser URL field) $self->{mustRedirect} = 1 unless ( $self->{urldc} );
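Review bot: The new guard in `extractFormInfo` treats an absent `samlIDPMetaDataOptionsAllowLoginFromIDP` as "not allowed" (undef is false), while the manager default added in _Struct.pm is `'1'`, so an IdP entry saved before this option existed will refuse IdP-initiated logins until its configuration is re-saved. Failing closed on an unsolicited response is the safer behaviour, so if that is intended it should be stated rather than left implicit, e.g. replace the hunk's comment with `# Unsolicited (IdP-initiated) responses are refused unless explicitly allowed; an unset option means refuse`. The check also sits near the end of the function, after the code above the hunk appears to have already processed the response (the function body starts outside the hunk), so it is worth confirming that nothing from the unsolicited assertion has been stored on `$self` before `return PE_ERROR`, or moving the check ahead of that processing. Logging the refusal at `'error'` seems strong for a policy decision that can fire whenever a user follows an IdP-side link; `'warn'` would keep it distinguishable from genuine faults.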