SAML: artifact for sending authn request, work in progress (#32)
parent
edb345f23c
commit
f46c3b4224
@ -591,6 +591,7 @@ function samlService(id) {
|
|||||||
formateSelect('samlServiceBinding',[
|
formateSelect('samlServiceBinding',[
|
||||||
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect=HTTP Redirect',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect=HTTP Redirect',
|
||||||
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=HTTP POST',
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=HTTP POST',
|
||||||
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact=HTTP Artifact',
|
||||||
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP=SOAP'
|
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP=SOAP'
|
||||||
],t[0]);
|
],t[0]);
|
||||||
$('#samlServiceLocation').attr('value',t[1]);
|
$('#samlServiceLocation').attr('value',t[1]);
|
||||||
|
@ -197,8 +197,7 @@ sub cstruct {
|
|||||||
},
|
},
|
||||||
samlSPMetaDataOptionsSecurity => {
|
samlSPMetaDataOptionsSecurity => {
|
||||||
|
|
||||||
_nodes =>
|
_nodes => [qw(samlSPMetaDataOptionsEncryptionMode)],
|
||||||
[ qw(samlSPMetaDataOptionsEncryptionMode) ],
|
|
||||||
|
|
||||||
samlSPMetaDataOptionsEncryptionMode =>
|
samlSPMetaDataOptionsEncryptionMode =>
|
||||||
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
|
"text:/samlSPMetaDataOptions/$k2/samlSPMetaDataOptionsEncryptionMode:default:encryptionModeParams",
|
||||||
@ -830,6 +829,7 @@ sub struct {
|
|||||||
_nodes => [
|
_nodes => [
|
||||||
qw(samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect
|
qw(samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPPost
|
samlIDPSSODescriptorSingleSignOnServiceHTTPPost
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP)
|
samlIDPSSODescriptorSingleSignOnServiceSOAP)
|
||||||
],
|
],
|
||||||
_help => 'default',
|
_help => 'default',
|
||||||
@ -837,6 +837,8 @@ sub struct {
|
|||||||
'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect',
|
'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPPost =>
|
samlIDPSSODescriptorSingleSignOnServiceHTTPPost =>
|
||||||
'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPPost',
|
'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPPost',
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
|
||||||
|
'samlService:/samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP =>
|
samlIDPSSODescriptorSingleSignOnServiceSOAP =>
|
||||||
'samlService:/samlIDPSSODescriptorSingleSignOnServiceSOAP',
|
'samlService:/samlIDPSSODescriptorSingleSignOnServiceSOAP',
|
||||||
},
|
},
|
||||||
@ -1224,6 +1226,7 @@ sub testStruct {
|
|||||||
samlIDPSSODescriptorWantAuthnRequestsSigned => $boolean,
|
samlIDPSSODescriptorWantAuthnRequestsSigned => $boolean,
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => $testNotDefined,
|
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => $testNotDefined,
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => $testNotDefined,
|
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => $testNotDefined,
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => $testNotDefined,
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP => $testNotDefined,
|
samlIDPSSODescriptorSingleSignOnServiceSOAP => $testNotDefined,
|
||||||
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => $testNotDefined,
|
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => $testNotDefined,
|
||||||
samlIDPSSODescriptorSingleLogoutServiceHTTPPost => $testNotDefined,
|
samlIDPSSODescriptorSingleLogoutServiceHTTPPost => $testNotDefined,
|
||||||
@ -1434,6 +1437,10 @@ sub defaultConf {
|
|||||||
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;'
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;'
|
||||||
. $portal
|
. $portal
|
||||||
. '/saml/singleSignOn;',
|
. '/saml/singleSignOn;',
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact =>
|
||||||
|
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;'
|
||||||
|
. $portal
|
||||||
|
. '/saml/singleSignOnArtifact;',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP =>
|
samlIDPSSODescriptorSingleSignOnServiceSOAP =>
|
||||||
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;'
|
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;'
|
||||||
. $portal
|
. $portal
|
||||||
|
@ -299,6 +299,7 @@ sub en {
|
|||||||
samlIDPSSODescriptorSingleSignOnService => 'Single Sign On',
|
samlIDPSSODescriptorSingleSignOnService => 'Single Sign On',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect',
|
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect => 'HTTP Redirect',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'HTTP POST',
|
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'HTTP POST',
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
|
samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
|
||||||
samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
|
samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
|
||||||
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect',
|
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect => 'HTTP Redirect',
|
||||||
@ -585,6 +586,7 @@ sub fr {
|
|||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
|
samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect =>
|
||||||
'Redirection HTTP',
|
'Redirection HTTP',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP',
|
samlIDPSSODescriptorSingleSignOnServiceHTTPPost => 'POST HTTP',
|
||||||
|
samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact => 'HTTP Artifact',
|
||||||
samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
|
samlIDPSSODescriptorSingleSignOnServiceSOAP => 'SOAP',
|
||||||
samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
|
samlIDPSSODescriptorSingleLogoutService => 'Single Logout',
|
||||||
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect =>
|
samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect =>
|
||||||
|
@ -1173,8 +1173,6 @@ sub issuerForAuthUser {
|
|||||||
|
|
||||||
$self->lmLog( "SSO: authentication request is valid", 'debug' );
|
$self->lmLog( "SSO: authentication request is valid", 'debug' );
|
||||||
|
|
||||||
# TODO Check AuthnRequest conditions
|
|
||||||
|
|
||||||
# Get ForceAuthn flag
|
# Get ForceAuthn flag
|
||||||
my $force_authn;
|
my $force_authn;
|
||||||
|
|
||||||
|
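Review bot: Deleting the `# TODO Check AuthnRequest conditions` line removes the reminder without adding the check: on the new side nothing between the "authentication request is valid" log and the ForceAuthn lookup examines the request's Conditions, so the validation gap is now invisible to the next reader. If the check is still outstanding, keep a marker at that spot, e.g. `# TODO Check AuthnRequest conditions (not enforced yet)`; if it is done elsewhere, the commit message should say where. issuerForAuthUser starts and ends outside this hunk.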
@ -881,11 +881,35 @@ sub createAuthnRequest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Build authentication request
|
# Build authentication request
|
||||||
|
|
||||||
|
# Artifact
|
||||||
|
if ( $method == $self->getHttpMethod("artifact-get")
|
||||||
|
or $method == $self->getHttpMethod("artifact-post") )
|
||||||
|
{
|
||||||
|
|
||||||
|
# Build artifact message
|
||||||
|
unless ( $self->buildArtifactMsg( $login, $method ) ) {
|
||||||
|
$self->lmLog( "Unable to build SSO artifact response message",
|
||||||
|
'error' );
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$self->lmLog( "SSO: artifact response is built", 'debug' );
|
||||||
|
|
||||||
|
# Get artifact ID and Content, and store them
|
||||||
|
my $artifact_id = $login->get_artifact;
|
||||||
|
my $artifact_message = $login->get_artifact_message;
|
||||||
|
|
||||||
|
$self->storeArtifact( $artifact_id, $artifact_message );
|
||||||
|
}
|
||||||
|
|
||||||
|
else {
|
||||||
unless ( $self->buildAuthnRequestMsg($login) ) {
|
unless ( $self->buildAuthnRequestMsg($login) ) {
|
||||||
$self->lmLog( "Could not build authentication request on $idp",
|
$self->lmLog( "Could not build authentication request on $idp",
|
||||||
'error' );
|
'error' );
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $login;
|
return $login;
|
||||||
}
|
}
|
||||||
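Review bot: The two log strings in the new artifact branch describe a response while the surrounding function builds an authentication request: `"Unable to build SSO artifact response message"` and `"SSO: artifact response is built"` read as copied from the IdP-side code and will mislead anyone following the portal log during SP-initiated SSO; `"Unable to build SSO artifact request message"` and `"SSO: artifact request is built"` match what the branch does. The return value of `$self->storeArtifact( $artifact_id, $artifact_message )` is also discarded, unlike the `buildArtifactMsg` and `buildAuthnRequestMsg` calls around it, which are checked; if storing can fail (the storeArtifact hunk later on this page shows it writing a session), the artifact would presumably be handed to the IdP with nothing to resolve it against, so checking it the same way, `$self->storeArtifact( $artifact_id, $artifact_message ) or return;` after an error log, would be consistent with the rest of the function. createAuthnRequest starts outside this hunk.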
@ -1631,7 +1655,7 @@ sub storeArtifact {
|
|||||||
$samlSessionInfo->{_utime} = time(); # Creation time
|
$samlSessionInfo->{_utime} = time(); # Creation time
|
||||||
$samlSessionInfo->{ID} = $id;
|
$samlSessionInfo->{ID} = $id;
|
||||||
$samlSessionInfo->{message} = $message;
|
$samlSessionInfo->{message} = $message;
|
||||||
$samlSessionInfo->{session_id} = $session_id;
|
$samlSessionInfo->{session_id} = $session_id if $session_id;
|
||||||
|
|
||||||
my $art_session_id = $samlSessionInfo->{_session_id};
|
my $art_session_id = $samlSessionInfo->{_session_id};
|
||||||
|
|
||||||
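Review bot: `$samlSessionInfo->{session_id} = $session_id if $session_id;` makes the third argument optional, but nothing in the hunk says when a caller may omit it, and the createAuthnRequest hunk above now calls `storeArtifact` with only two arguments, so a reader of createArtifactResponse has to reconstruct the two cases. Add a comment at that line such as `# session_id is optional: absent when the stored artifact carries an AuthnRequest (see createAuthnRequest)`, and mark the parameter optional in the sub's header documentation, which lies outside this hunk.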
@ -1716,12 +1740,11 @@ sub createArtifactResponse {
|
|||||||
|
|
||||||
$self->lmLog( "Response loaded", 'debug' );
|
$self->lmLog( "Response loaded", 'debug' );
|
||||||
|
|
||||||
# Get Lasso session
|
# Try to get Lasso session
|
||||||
my $session_id = $art_session->{session_id};
|
my $session_id = $art_session->{session_id};
|
||||||
unless ($session_id) {
|
if ($session_id) {
|
||||||
$self->lmLog( "Cannot find session_id in artifact session", 'error' );
|
$self->lmLog( "Find session_id $session_id in artifact session",
|
||||||
return;
|
'manage' );
|
||||||
}
|
|
||||||
|
|
||||||
my $session = $self->getApacheSession( $session_id, 1 );
|
my $session = $self->getApacheSession( $session_id, 1 );
|
||||||
unless ( defined $session ) {
|
unless ( defined $session ) {
|
||||||
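Review bot: The new log line `"Find session_id $session_id in artifact session"` writes the session identifier itself into the log at 'manage' level; since the value is passed straight to `getApacheSession( $session_id, 1 )` on the following line it is presumably a live session id, and log files are usually readable more widely than the session store, so keeping the identifier out of the log is the safer default. `$self->lmLog( "Found session_id in artifact session", 'manage' );` carries the same information and also fixes the tense. The else branch paired with this `if ($session_id) {` sits in the next hunk, so the enclosing block ends outside this one.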
@ -1739,6 +1762,11 @@ sub createArtifactResponse {
|
|||||||
$self->lmLog( "Lasso Session loaded", 'debug' );
|
$self->lmLog( "Lasso Session loaded", 'debug' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$self->lmLog( "No session_id in artifact session", 'manage' );
|
||||||
|
}
|
||||||
|
|
||||||
# Build artifact response
|
# Build artifact response
|
||||||
eval { Lasso::Login::build_response_msg($login); };
|
eval { Lasso::Login::build_response_msg($login); };
|
||||||
if ($@) {
|
if ($@) {
|
||||||
@ -1748,8 +1776,8 @@ sub createArtifactResponse {
|
|||||||
}
|
}
|
||||||
$self->lmLog( "Artifact response built", 'debug' );
|
$self->lmLog( "Artifact response built", 'debug' );
|
||||||
|
|
||||||
# Store Lasso session
|
# Store Lasso session if session opened
|
||||||
if ( $login->is_session_dirty ) {
|
if ( $session_id and $login->is_session_dirty ) {
|
||||||
$self->lmLog( "Save Lasso session in session", 'debug' );
|
$self->lmLog( "Save Lasso session in session", 'debug' );
|
||||||
$self->updateSession(
|
$self->updateSession(
|
||||||
{ _lassoSessionDump => $login->get_session->dump }, $session_id );
|
{ _lassoSessionDump => $login->get_session->dump }, $session_id );
|
||||||
|