diff --git a/modules/lemonldap-ng-manager/example/skins/default/manager.js b/modules/lemonldap-ng-manager/example/skins/default/manager.js
index a6832ba03..9e637a049 100644
--- a/modules/lemonldap-ng-manager/example/skins/default/manager.js
+++ b/modules/lemonldap-ng-manager/example/skins/default/manager.js
@@ -591,6 +591,7 @@ function samlService(id) {
 formateSelect('samlServiceBinding',[
 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect=HTTP Redirect',
 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=HTTP POST',
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact=HTTP Artifact',
 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP=SOAP'
 ],t[0]);
 $('#samlServiceLocation').attr('value',t[1]);
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index 9775a864c..a8c4f6d90 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -197,8 +197,7 @@ sub cstruct {
 },
 samlSPMetaDataOptionsSecurity => {
- _nodes =>
- [ qw(samlSPMetaDataOptionsEncryptionMode) ],
+ _nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
 samlSPMetaDataOptionsEncryptionMode =>
 "text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
@@ -830,6 +829,7 @@ sub struct {
 _nodes => [ qw(samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect
 samlIDPSSODescriptorSingleSignOnServiceHTTPPost
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact
 samlIDPSSODescriptorSingleSignOnServiceSOAP) ], _help => 'default',
@@ -837,6 +837,8 @@ sub struct {
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect',
 samlIDPSSODescriptorSingleSignOnServiceHTTPPost =>
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPPost',
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
+'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact',
 samlIDPSSODescriptorSingleSignOnServiceSOAP =>
 'samlService:/samlIDPSSODescriptorSingleSignOnServiceSOAP',
 },
@@ -1224,6 +1226,7 @@ sub testStruct {
 samlIDPSSODescriptorWantAuthnRequestsSigned => $boolean,
 samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => $testNotDefined,
 samlIDPSSODescriptorSingleSignOnServiceHTTPPost => $testNotDefined,
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => $testNotDefined,
 samlIDPSSODescriptorSingleSignOnServiceSOAP => $testNotDefined,
 samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => $testNotDefined,
 samlIDPSSODescriptorSingleLogoutServiceHTTPPost => $testNotDefined,
@@ -1434,6 +1437,10 @@ sub defaultConf {
 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;'
 . $portal
 . '/saml/singleSignOn;',
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
+ 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;'
+ . $portal
+ . '/saml/singleSignOnArtifact;',
 samlIDPSSODescriptorSingleSignOnServiceSOAP =>
 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;'
 . $portal
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 9fad8761a..be5089dca 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -299,6 +299,7 @@ sub en {
 samlIDPSSODescriptorSingleSignOnService => 'Single Sign On',
 samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect',
 samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'HTTP POST',
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
 samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
 samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
 samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect',
@@ -585,6 +586,7 @@ sub fr {
 samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
 'Redirection HTTP',
 samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP',
+ samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
 samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
 samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
 samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect =>
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
index 1fce1e2fb..3be9b662a 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/IssuerDBSAML.pm
@@ -1173,8 +1173,6 @@ sub issuerForAuthUser {
 $self->lmLog( "SSO: authentication request is valid", 'debug' );
- # TODO Check AuthnRequest conditions
-
 # Get ForceAuthn flag
 my $force_authn;
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
index 8f16d82d0..58848fcec 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_SAML.pm
@@ -881,11 +881,35 @@ sub createAuthnRequest {
 }
 # Build authentication request
+
+ # Artifact
+ if ( $method == $self->getHttpMethod("artifact-get")
+ or $method == $self->getHttpMethod("artifact-post") )
+ {
+
+ # Build artifact message
+ unless ( $self->buildArtifactMsg( $login, $method ) ) {
+ $self->lmLog( "Unable to build SSO artifact response message",
+ 'error' );
+ return;
+ }
+
+ $self->lmLog( "SSO: artifact response is built", 'debug' );
+
+ # Get artifact ID and Content, and store them
+ my $artifact_id = $login->get_artifact;
+ my $artifact_message = $login->get_artifact_message;
+
+ $self->storeArtifact( $artifact_id, $artifact_message );
+ }
+
+ else {
 unless ( $self->buildAuthnRequestMsg($login) ) {
 $self->lmLog( "Could not build authentication request on $idp",
 'error' );
 return;
 }
+ }
 return $login;
 }
@@ -1631,7 +1655,7 @@ sub storeArtifact {
 $samlSessionInfo->{_utime} = time(); # Creation time
 $samlSessionInfo->{ID} = $id;
 $samlSessionInfo->{message} = $message;
- $samlSessionInfo->{session_id} = $session_id;
+ $samlSessionInfo->{session_id} = $session_id if $session_id;
 my $art_session_id = $samlSessionInfo->{_session_id};
@@ -1716,12 +1740,11 @@ sub createArtifactResponse {
 $self->lmLog( "Response loaded", 'debug' );
- # Get Lasso session
+ # Try to get Lasso session
 my $session_id = $art_session->{session_id};
- unless ($session_id) {
- $self->lmLog( "Cannot find session_id in artifact session", 'error' );
- return;
- }
+ if ($session_id) {
+ $self->lmLog( "Find session_id $session_id in artifact session",
+ 'manage' );
 my $session = $self->getApacheSession( $session_id, 1 );
 unless ( defined $session ) {
@@ -1739,6 +1762,11 @@ sub createArtifactResponse {
 $self->lmLog( "Lasso Session loaded", 'debug' );
 }
+ }
+ else {
+ $self->lmLog( "No session_id in artifact session", 'manage' );
+ }
+
 # Build artifact response
 eval { Lasso::Login::build_response_msg($login); };
 if ($@) {
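Review bot: The two log strings in the new artifact branch of createAuthnRequest describe an artifact *response* (`"Unable to build SSO artifact response message"`, `"SSO: artifact response is built"`), but this sub builds the SP's authentication request, so anyone correlating logs during an incident will be pointed at the wrong leg of the exchange; `"Unable to build SSO artifact request message"` and `"SSO: artifact request is built"` say what the code does. The same branch hands the full request message to `storeArtifact( $artifact_id, $artifact_message )` with no session id; whatever expiry and one-time-resolution handling protects that entry lives in storeArtifact, outside this hunk, and is worth confirming since a stored artifact that can be resolved repeatedly or indefinitely weakens the profile. The blank line between `}` and `else {` is also unusual for this file's brace style.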
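Review bot: `$session_id` silently becomes an optional argument of storeArtifact here (the new SP-side caller in createAuthnRequest passes only two arguments), but nothing in the hunk records that contract; the sub's header comment or POD, which is outside this hunk, should state that the third argument is optional and that an entry stored without it is later served by the no-session branch of createArtifactResponse. The guard `if $session_id` also drops a session id equal to the string `"0"`; if session ids can never take that value, a one-line comment saying so avoids the question for the next reader. storeArtifact's body starts and ends outside the hunk.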
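Review bot: The new `'manage'`-level line `"Find session_id $session_id in artifact session"` writes the raw portal session id into the log; a session id is a bearer credential, so it should not appear in clear at any level that reaches a log file, and logging only its presence is enough here, e.g. `"session_id found in artifact session"` (which also fixes "Find" to "Found"). The `if ($session_id) {` opened in this hunk is closed in the following hunk (@@ -1739), where the missing-session case now falls through to build_response_msg instead of returning an error as before; that is the intended SP artifact path, but the comment `# Try to get Lasso session` could say why a missing session is acceptable, e.g. `# No session_id when the artifact holds an SP request (see createAuthnRequest)`. createArtifactResponse's body continues outside this hunk.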
@@ -1748,8 +1776,8 @@ sub createArtifactResponse {
 }
 $self->lmLog( "Artifact response built", 'debug' );
- # Store Lasso session
- if ( $login->is_session_dirty ) {
+ # Store Lasso session if session opened
+ if ( $session_id and $login->is_session_dirty ) {
 $self->lmLog( "Save Lasso session in session", 'debug' );
 $self->updateSession( { _lassoSessionDump => $login->get_session->dump }, $session_id );