Removing deprecated attributealter. Use authproc instead. Questions on the mailinglist...
git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@1112 44740490-163a-0410-bde0-09ae8108e29a
This commit is contained in:
andreassolberg@gmail.com
parent
1bc3e51d40
commit
9c68d411e1
|
|
@ -1,10 +0,0 @@
|
|||
<?php
|
||||
function attributealter_edupersontargetedid(&$attributes, $spEntityId = null, $idpEntityId = null) {
|
||||
assert('$spEntityId !== NULL');
|
||||
assert('$idpEntityId !== NULL');
|
||||
|
||||
$userid = SimpleSAML_Utilities::generateUserIdentifier($idpEntityId, $spEntityId, $attributes);
|
||||
|
||||
$attributes['eduPersonTargetedID'] = array($userid);
|
||||
}
|
||||
?>
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
<?php
|
||||
function attributealter_feideaccess(&$attributes, $spEntityId = null, $idpEntityId = null) {
|
||||
assert('$spEntityId !== NULL');
|
||||
assert('$idpEntityId !== NULL');
|
||||
|
||||
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
|
||||
$spMetadata = $metadata->getMetadata($spEntityId, 'saml20-sp-remote');
|
||||
if(!array_key_exists('feide.allowedorgs', $spMetadata)) {
|
||||
SimpleSAML_Logger::info('FEIDE access control: No limits set for SP: ' . $spEntityId);
|
||||
return;
|
||||
}
|
||||
$allowedOrgs = $spMetadata['feide.allowedorgs'];
|
||||
|
||||
if(!array_key_exists('eduPersonPrincipalName', $attributes)) {
|
||||
throw new Exception('FEIDE access control requires the eduPersonPrincipalName to be present.');
|
||||
}
|
||||
|
||||
$eppn = $attributes['eduPersonPrincipalName'][0];
|
||||
$org = explode('@', $eppn);
|
||||
$org = $org[1];
|
||||
|
||||
if(!in_array($org, $allowedOrgs, TRUE)) {
|
||||
SimpleSAML_Logger::error('FEIDE access control: Organization "' . $org .
|
||||
'" not in list of allowed organization for SP "' . $spEntityId . '".');
|
||||
$config = SimpleSAML_Configuration::getInstance();
|
||||
$t = new SimpleSAML_XHTML_Template($config, 'no_access.php', 'no_access_dictionary');
|
||||
if(array_key_exists('name', $spMetadata)) {
|
||||
$t->data['sp_name'] = $spMetadata['name'];
|
||||
} else {
|
||||
$t->data['sp_name'] = $spEntityId;
|
||||
}
|
||||
$t->show();
|
||||
exit();
|
||||
}
|
||||
|
||||
SimpleSAML_Logger::info('FEIDE access control: Organization "' . $org .
|
||||
'" is allowed for SP "' . $spEntityId . '".');
|
||||
}
|
||||
?>
|
||||
|
|
@ -1,75 +0,0 @@
|
|||
<?php
|
||||
function encodeIllegalChars($input) {
|
||||
return preg_replace("/[^a-zA-Z0-9_@=.]/", "_", $input);
|
||||
}
|
||||
|
||||
function getRealmPart($userid) {
|
||||
|
||||
$decomposedID = explode("@", $userid);
|
||||
if (isset($decomposedID[1])) {
|
||||
return encodeIllegalChars($decomposedID[1]);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
function attributealter_groups(&$attributes, $spentityid = null, $idpentityid = null) {
|
||||
|
||||
// We start off with an empty list of groups.
|
||||
$groups = array();
|
||||
|
||||
/*
|
||||
* Then we add the realm of the user. The part after the @ of the eduPersonPrincipalName
|
||||
*/
|
||||
if(array_key_exists('eduPersonPrincipalName', $attributes)) {
|
||||
$realmpart = getRealmPart($attributes['eduPersonPrincipalName'][0]);
|
||||
} else {
|
||||
$realmpart = NULL;
|
||||
}
|
||||
if (isset($realmpart)) {
|
||||
$groups[] = 'realm-' . $realmpart;
|
||||
} else {
|
||||
$realmpart = 'NA';
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Create group membership by the eduPersonAffiliation attribute.
|
||||
*/
|
||||
if (isset($attributes['eduPersonAffiliation']) && is_array($attributes['eduPersonAffiliation']) ) {
|
||||
foreach ($attributes['eduPersonAffiliation'] AS $affiliation) {
|
||||
$groups[] = 'affiliation-' . $realmpart . '-' . encodeIllegalChars($affiliation);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Create group membership by the eduPersonOrgUnitDN attribute.
|
||||
*/
|
||||
if (isset($attributes['eduPersonOrgUnitDN']) && is_array($attributes['eduPersonOrgUnitDN']) ) {
|
||||
foreach ($attributes['eduPersonOrgUnitDN'] AS $orgunit) {
|
||||
$groups[] = 'orgunit-' . $realmpart . '-' . encodeIllegalChars($orgunit);
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($attributes['eduPersonEntitlement']) && is_array($attributes['eduPersonEntitlement']) ) {
|
||||
foreach ($attributes['eduPersonEntitlement'] AS $orgunit) {
|
||||
$groups[] = 'entitlement-' . $realmpart . '-' . encodeIllegalChars($orgunit);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Read custom groups from the group file specified in the
|
||||
|
||||
if (file_exists('/etc/simplesamlphpgroups.txt')) {
|
||||
include($conf['groupfile']);
|
||||
}
|
||||
if (isset($customgroups[$user]) && is_array($customgroups[$user])) {
|
||||
foreach ($customgroups[$user] AS $ng) {
|
||||
$groups[] = $ng;
|
||||
}
|
||||
}
|
||||
*/
|
||||
$attributes['groups'] = $groups;
|
||||
|
||||
}
|
||||
?>
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
<?php
|
||||
function attributealter_realm(&$attributes, $spentityid = null, $idpentityid = null) {
|
||||
|
||||
$attributename = 'eduPersonPrincipalName';
|
||||
# $attributename = 'edupersonprincipalname';
|
||||
if (array_key_exists($attributename, $attributes)) {
|
||||
$eduppn = $attributes[$attributename][0];
|
||||
$splitted = explode('@', $eduppn);
|
||||
if (count($splitted) > 1) {
|
||||
$attributes['realm'] = array($splitted[1]);
|
||||
} else {
|
||||
SimpleSAML_Logger::debug('attributealter_realm: Wrong format on ' . $attributename . ' (not including @)');
|
||||
}
|
||||
} else {
|
||||
SimpleSAML_Logger::debug('attributealter_realm: Could not find ' . $attributename);
|
||||
}
|
||||
|
||||
}
|
||||
?>
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
<?php
|
||||
function attributealter_test(&$attributes, $spentityid = null, $idpentityid = null) {
|
||||
$attributes['injected'] = array('newvalue');
|
||||
}
|
||||
?>
|
||||
|
|
@ -98,7 +98,12 @@ function updateslostatus() {
|
|||
|
||||
$idpentityid = $metadata->getMetaDataCurrentEntityID('saml20-idp-hosted');
|
||||
|
||||
$listofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
|
||||
$templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
|
||||
$listofsps = array();
|
||||
foreach ($templistofsps AS $spentityid) {
|
||||
if (!empty($_COOKIE['spstate-' . sha1($spentityid)])) $listofsps[] = $spentityid;
|
||||
}
|
||||
|
||||
|
||||
// Using template object to be able to translate name of service provider.
|
||||
$t = new SimpleSAML_XHTML_Template($config, 'logout-iframe.php');
|
||||
|
|
@ -124,6 +129,11 @@ function updateslostatus() {
|
|||
|
||||
if ($session->sp_logout_completed() === TRUE) {
|
||||
|
||||
$templistofsps = $session->get_sp_list(SimpleSAML_Session::STATE_LOGGEDOUT);
|
||||
foreach ($templistofsps AS $spentityid) {
|
||||
$session->set_sp_logout_completed($spentityid);
|
||||
}
|
||||
|
||||
$objResponse->addScriptCall('slocompleted');
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -44,7 +44,15 @@ if (isset($_GET['SAMLResponse'])) {
|
|||
$binding = new SimpleSAML_Bindings_SAML20_HTTPRedirect($config, $metadata);
|
||||
$logoutresponse = $binding->decodeLogoutResponse($_GET);
|
||||
|
||||
$session->set_sp_logout_completed($logoutresponse->getIssuer());
|
||||
/*
|
||||
* This would be the normal way to end SP sessions. But because we do not want concurrent
|
||||
* updates on the session ojbect, we do set a cookie instead.
|
||||
*
|
||||
* $session->set_sp_logout_completed($logoutresponse->getIssuer());
|
||||
*/
|
||||
$sphash = sha1($logoutresponse->getIssuer());
|
||||
setcookie('spstate-' . $sphash , '1'); // Duration: 2 hours
|
||||
|
||||
|
||||
SimpleSAML_Logger::info('SAML2.0 - IdP.SingleLogoutServiceiFrameResponse: Logging out completed');
|
||||
|
||||
|
|
|
|||
Reference in New Issue