SAML: artifact for sending authn request, work in progress (#32)

2010-07-01 09:48:50 +00:00 · 2010-07-01 09:48:50 +00:00 · f46c3b4224
commit f46c3b4224
parent edb345f23c
5 changed files with 48 additions and 12 deletions
--- a/modules/lemonldap-ng-manager/example/skins/default/manager.js
+++ b/modules/lemonldap-ng-manager/example/skins/default/manager.js
@ -591,6 +591,7 @@ function samlService(id) {
 	formateSelect('samlServiceBinding',[
 		'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect=HTTP Redirect',
 		'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=HTTP POST',
+		'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact=HTTP Artifact',
 		'urn:oasis:names:tc:SAML:2.0:bindings:SOAP=SOAP'
 		],t[0]);
 	$('#samlServiceLocation').attr('value',t[1]);
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@ -197,8 +197,7 @@ sub cstruct {
                        },
                        samlSPMetaDataOptionsSecurity => {

-                            _nodes =>
-                              [ qw(samlSPMetaDataOptionsEncryptionMode) ],
+                            _nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],

                        samlSPMetaDataOptionsEncryptionMode =>
 "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
@ -830,6 +829,7 @@ sub struct {
                    _nodes => [
                        qw(samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect
                          samlIDPSSODescriptorSingleSignOnServiceHTTPPost
+                          samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact
                          samlIDPSSODescriptorSingleSignOnServiceSOAP)
                    ],
                    _help => 'default',
@ -837,6 +837,8 @@ sub struct {
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect',
                    samlIDPSSODescriptorSingleSignOnServiceHTTPPost =>
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPPost',
+                    samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
+'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact',
                    samlIDPSSODescriptorSingleSignOnServiceSOAP =>
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceSOAP',
                },
@ -1224,6 +1226,7 @@ sub testStruct {
        samlIDPSSODescriptorWantAuthnRequestsSigned          => $boolean,
        samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect  => $testNotDefined,
        samlIDPSSODescriptorSingleSignOnServiceHTTPPost      => $testNotDefined,
+        samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact  => $testNotDefined,
        samlIDPSSODescriptorSingleSignOnServiceSOAP          => $testNotDefined,
        samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect  => $testNotDefined,
        samlIDPSSODescriptorSingleLogoutServiceHTTPPost      => $testNotDefined,
@ -1434,6 +1437,10 @@ sub defaultConf {
          'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;' 
          . $portal
          . '/saml/singleSignOn;',
+        samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
+          'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;' 
+          . $portal
+          . '/saml/singleSignOnArtifact;',
        samlIDPSSODescriptorSingleSignOnServiceSOAP =>
          'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;' 
          . $portal
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@ -299,6 +299,7 @@ sub en {
        samlIDPSSODescriptorSingleSignOnService             => 'Single Sign On',
        samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect',
        samlIDPSSODescriptorSingleSignOnServiceHTTPPost     => 'HTTP POST',
+        samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
        samlIDPSSODescriptorSingleSignOnServiceSOAP         => 'SOAP',
        samlIDPSSODescriptorSingleLogoutService             => 'Single Logout',
        samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect',
@ -585,6 +586,7 @@ sub fr {
        samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
          'Redirection HTTP',
        samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP',
+        samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
        samlIDPSSODescriptorSingleSignOnServiceSOAP     => 'SOAP',
        samlIDPSSODescriptorSingleLogoutService         => 'Single Logout',
        samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect =>
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@ -1173,8 +1173,6 @@ sub issuerForAuthUser {

            $self->lmLog( "SSO: authentication request is valid", 'debug' );

-            # TODO Check AuthnRequest conditions
-
            # Get ForceAuthn flag
            my $force_authn;

--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@ -881,11 +881,35 @@ sub createAuthnRequest {
    }

    # Build authentication request
+
+    # Artifact
+    if (   $method == $self->getHttpMethod("artifact-get")
+        or $method == $self->getHttpMethod("artifact-post") )
+    {
+
+        # Build artifact message
+        unless ( $self->buildArtifactMsg( $login, $method ) ) {
+            $self->lmLog( "Unable to build SSO artifact response message",
+                'error' );
+            return;
+        }
+
+        $self->lmLog( "SSO: artifact response is built", 'debug' );
+
+        # Get artifact ID and Content, and store them
+        my $artifact_id      = $login->get_artifact;
+        my $artifact_message = $login->get_artifact_message;
+
+        $self->storeArtifact( $artifact_id, $artifact_message );
+    }
+
+    else {
    unless ( $self->buildAuthnRequestMsg($login) ) {
        $self->lmLog( "Could not build authentication request on $idp",
            'error' );
        return;
    }
+    }

    return $login;
 }
@ -1631,7 +1655,7 @@ sub storeArtifact {
    $samlSessionInfo->{_utime}     = time();        # Creation time
    $samlSessionInfo->{ID}         = $id;
    $samlSessionInfo->{message}    = $message;
-    $samlSessionInfo->{session_id} = $session_id;
+    $samlSessionInfo->{session_id} = $session_id if $session_id;

    my $art_session_id = $samlSessionInfo->{_session_id};

@ -1716,12 +1740,11 @@ sub createArtifactResponse {

    $self->lmLog( "Response loaded", 'debug' );

-    # Get Lasso session
+    # Try to get Lasso session
    my $session_id = $art_session->{session_id};
-    unless ($session_id) {
-        $self->lmLog( "Cannot find session_id in artifact session", 'error' );
-        return;
-    }
+    if ($session_id) {
+        $self->lmLog( "Find session_id $session_id in artifact session",
+            'manage' );

    my $session = $self->getApacheSession( $session_id, 1 );
    unless ( defined $session ) {
@ -1739,6 +1762,11 @@ sub createArtifactResponse {
        $self->lmLog( "Lasso Session loaded", 'debug' );
    }

+    }
+    else {
+        $self->lmLog( "No session_id in artifact session", 'manage' );
+    }
+
    # Build artifact response
    eval { Lasso::Login::build_response_msg($login); };
    if ($@) {
@ -1748,8 +1776,8 @@ sub createArtifactResponse {
    }
    $self->lmLog( "Artifact response built", 'debug' );

-    # Store Lasso session
-    if ( $login->is_session_dirty ) {
+    # Store Lasso session if session opened
+    if ( $session_id and $login->is_session_dirty ) {
        $self->lmLog( "Save Lasso session in session", 'debug' );
        $self->updateSession(
            { _lassoSessionDump => $login->get_session->dump }, $session_id );