Possibility to use IDP initiated mode in SAML IDP module (#208)
This commit is contained in:
parent
533b2153f6
commit
db5b4e8a95
|
@ -11,7 +11,7 @@ use Lemonldap::NG::Portal::Simple;
|
||||||
use Lemonldap::NG::Portal::_SAML;
|
use Lemonldap::NG::Portal::_SAML;
|
||||||
our @ISA = qw(Lemonldap::NG::Portal::_SAML);
|
our @ISA = qw(Lemonldap::NG::Portal::_SAML);
|
||||||
|
|
||||||
our $VERSION = '1.2.3';
|
our $VERSION = '1.3.2';
|
||||||
|
|
||||||
## @method void issuerDBInit()
|
## @method void issuerDBInit()
|
||||||
# Load and check SAML configuration
|
# Load and check SAML configuration
|
||||||
|
@ -1127,6 +1127,7 @@ sub issuerForAuthUser {
|
||||||
my $url = $self->url( -absolute => 1 );
|
my $url = $self->url( -absolute => 1 );
|
||||||
my $request_method = $self->request_method();
|
my $request_method = $self->request_method();
|
||||||
my $content_type = $self->content_type();
|
my $content_type = $self->content_type();
|
||||||
|
my $idp_initiated = $self->param('IDPInitiated');
|
||||||
|
|
||||||
# 1.1. SSO (SSO URL or Proxy Mode)
|
# 1.1. SSO (SSO URL or Proxy Mode)
|
||||||
if ( $url =~
|
if ( $url =~
|
||||||
|
@ -1156,8 +1157,8 @@ sub issuerForAuthUser {
|
||||||
# Ignore signature verification
|
# Ignore signature verification
|
||||||
$self->disableSignatureVerification($login);
|
$self->disableSignatureVerification($login);
|
||||||
|
|
||||||
# Process the request
|
# Process the request or use IDP initiated mode
|
||||||
if ($request) {
|
if ( $request or $idp_initiated ) {
|
||||||
|
|
||||||
# Load Session and Identity if they exist
|
# Load Session and Identity if they exist
|
||||||
my $session = $self->{sessionInfo}->{_lassoSessionDump};
|
my $session = $self->{sessionInfo}->{_lassoSessionDump};
|
||||||
|
@ -1179,23 +1180,9 @@ sub issuerForAuthUser {
|
||||||
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
$self->lmLog( "Lasso Identity loaded", 'debug' );
|
||||||
}
|
}
|
||||||
|
|
||||||
# Process authentication request
|
|
||||||
my $result;
|
|
||||||
if ($artifact) {
|
|
||||||
$result = $self->processArtResponseMsg( $login, $request );
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
$result = $self->processAuthnRequestMsg( $login, $request );
|
|
||||||
}
|
|
||||||
|
|
||||||
unless ($result) {
|
|
||||||
$self->lmLog( "SSO: Fail to process authentication request",
|
|
||||||
'error' );
|
|
||||||
return PE_SAML_SSO_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Get SP entityID
|
# Get SP entityID
|
||||||
my $sp = $login->remote_providerID();
|
my $sp =
|
||||||
|
$request ? $login->remote_providerID() : $self->param("sp");
|
||||||
|
|
||||||
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
$self->lmLog( "Found entityID $sp in SAML message", 'debug' );
|
||||||
|
|
||||||
|
@ -1210,6 +1197,34 @@ sub issuerForAuthUser {
|
||||||
|
|
||||||
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
$self->lmLog( "$sp match $spConfKey SP in configuration", 'debug' );
|
||||||
|
|
||||||
|
my $result;
|
||||||
|
|
||||||
|
# Create fake request if IDP initiated mode
|
||||||
|
if ($idp_initiated) {
|
||||||
|
$result = $self->initIdpInitiatedAuthnRequest( $login, $sp );
|
||||||
|
unless ($result) {
|
||||||
|
$self->lmLog(
|
||||||
|
"SSO: Fail to init IDP Initiated authentication request",
|
||||||
|
'error'
|
||||||
|
);
|
||||||
|
return PE_SAML_SSO_ERROR;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Process authentication request
|
||||||
|
if ($artifact) {
|
||||||
|
$result = $self->processArtResponseMsg( $login, $request );
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$result = $self->processAuthnRequestMsg( $login, $request );
|
||||||
|
}
|
||||||
|
|
||||||
|
unless ($result) {
|
||||||
|
$self->lmLog( "SSO: Fail to process authentication request",
|
||||||
|
'error' );
|
||||||
|
return PE_SAML_SSO_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
# Do we check signature?
|
# Do we check signature?
|
||||||
my $checkSSOMessageSignature =
|
my $checkSSOMessageSignature =
|
||||||
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
$self->{samlSPMetaDataOptions}->{$spConfKey}
|
||||||
|
|
|
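Review bot: In IDP initiated mode the SP entityID is read straight from the `sp` request parameter (`$request ? $login->remote_providerID() : $self->param("sp")`) and the log line a few lines later still reads `Found entityID $sp in SAML message`, which is misleading on that path and would warn about an uninitialized value under `use warnings` when the parameter is absent. The value is caller-controlled until the configuration lookup (which sits between the hunks, outside the view) matches it to `$spConfKey`, so it is worth failing early with `return PE_SAML_SSO_ERROR unless $sp;` right after the assignment, and logging its origin instead: `$self->lmLog( "Found entityID $sp in " . ( $request ? "SAML message" : "IDPInitiated sp parameter" ), 'debug' );`. The `if ($artifact) ... else { $result = $self->processAuthnRequestMsg( $login, $request ); }` block now also runs with an empty `$request` in IDP initiated mode; presumably Lasso accepts that once `init_idp_initiated_authn_request` has populated the login object, but a one-line comment saying so would spare the next reader a trip to the Lasso docs. issuerForAuthUser starts and ends outside these hunks.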
@ -21,7 +21,7 @@ use URI; # Get metadata URL path
|
||||||
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
|
#inherits Lemonldap::NG::Common::Conf::SAML::Metadata protected service_metadata
|
||||||
|
|
||||||
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
|
our @ISA = (qw(Lemonldap::NG::Portal::_Browser));
|
||||||
our $VERSION = '1.3.0';
|
our $VERSION = '1.3.2';
|
||||||
our $samlCache;
|
our $samlCache;
|
||||||
our $initGlibDone;
|
our $initGlibDone;
|
||||||
|
|
||||||
|
@ -978,6 +978,19 @@ sub initAuthnRequest {
|
||||||
return $self->checkLassoError($@);
|
return $self->checkLassoError($@);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
## @method boolean initIdpInitiatedAuthnRequest(Lasso::Login login, string idp)
|
||||||
|
# Init authentication request
|
||||||
|
# @param login Lasso::Login
|
||||||
|
# @param idp entityID
|
||||||
|
# @return boolean result
|
||||||
|
sub initIdpInitiatedAuthnRequest {
|
||||||
|
my ( $self, $login, $idp ) = splice @_;
|
||||||
|
|
||||||
|
eval { Lasso::Login::init_idp_initiated_authn_request( $login, $idp ); };
|
||||||
|
|
||||||
|
return $self->checkLassoError($@);
|
||||||
|
}
|
||||||
|
|
||||||
## @method boolean buildAuthnRequestMsg(Lasso::Login login)
|
## @method boolean buildAuthnRequestMsg(Lasso::Login login)
|
||||||
# Build authentication request message
|
# Build authentication request message
|
||||||
# @param login Lasso::Login
|
# @param login Lasso::Login
|
||||||
|
@ -3057,6 +3070,10 @@ Create Lasso::Login object
|
||||||
|
|
||||||
Init authentication request
|
Init authentication request
|
||||||
|
|
||||||
|
=head2 initIdpInitiatedAuthnRequest
|
||||||
|
|
||||||
|
Init authentication request for IDP initiated
|
||||||
|
|
||||||
=head2 buildAuthnRequestMsg
|
=head2 buildAuthnRequestMsg
|
||||||
|
|
||||||
Build authentication request message
|
Build authentication request message
|
||||||
|
|
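Review bot: The second argument of `initIdpInitiatedAuthnRequest` is documented as `# @param idp entityID` and named `$idp`, but the only caller in this commit passes the service provider's entityID (`$self->initIdpInitiatedAuthnRequest( $login, $sp )`) and it is forwarded unchanged to `Lasso::Login::init_idp_initiated_authn_request`, which as far as I know expects the remote SP's provider id. Renaming keeps the next reader from wiring the IDP's own entityID in there: `## @method boolean initIdpInitiatedAuthnRequest(Lasso::Login login, string sp)`, `# @param sp remote SP entityID`, `my ( $self, $login, $sp ) = splice @_;` (and the eval line accordingly). The POD entry could say the same in one line: `Init authentication request in IDP initiated mode for the given SP entityID`. A defined check on the entityID before the eval would also give a clearer error than the one Lasso raises when an empty value is passed through.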