本文整理汇总了PHP中SimpleSAML_Auth_ProcessingChain类的典型用法代码示例。如果您正苦于以下问题:PHP SimpleSAML_Auth_ProcessingChain类的具体用法?PHP SimpleSAML_Auth_ProcessingChain怎么用?PHP SimpleSAML_Auth_ProcessingChain使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了SimpleSAML_Auth_ProcessingChain类的11个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的PHP代码示例。
示例1: driveProcessingChain
/**
 * Run the 'idp' processing chain passively over a set of attributes and derive
 * the consent identifiers for one user/SP pair.
 *
 * @param mixed $idp_metadata   Handed to the processing chain and stored as the state's 'Source'.
 * @param mixed $source         Passed unchanged to getTargetedID().
 * @param array $sp_metadata    Stored as the state's 'Destination'; its 'metadata-set' entry is read.
 * @param mixed $sp_entityid    Concatenated after the metadata set to form the destination string.
 * @param mixed $attributes     Attributes to run through the chain.
 * @param mixed $userid         Passed to getTargetedID() and written to the log.
 * @param mixed $hashAttributes Passed unchanged to getAttributeHash().
 *
 * @return array The targeted ID, the attribute hash and the processed attributes, in that order.
 */
function driveProcessingChain($idp_metadata, $source, $sp_metadata, $sp_entityid, $attributes, $userid, $hashAttributes = FALSE)
{
    $chain = new SimpleSAML_Auth_ProcessingChain($idp_metadata, $sp_metadata, 'idp');

    // State for a passive run. No return URL is set: the original author's
    // reminder is that one must not be present when calling processStatePassive().
    $chainState = array(
        'Attributes' => $attributes,
        'Destination' => $sp_metadata,
        'Source' => $idp_metadata,
        'isPassive' => true,
    );

    // Only the attribute modifications made by the filters are of interest,
    // not any user interaction.
    $chain->processStatePassive($chainState);
    $attributes = $chainState['Attributes'];

    // Identifier of the destination: "<metadata set>|<entity id>".
    $destination = $sp_metadata['metadata-set'] . '|' . $sp_entityid;
    $targetedId = sspmod_consent_Auth_Process_Consent::getTargetedID($userid, $source, $destination);
    $attributeHash = sspmod_consent_Auth_Process_Consent::getAttributeHash($attributes, $hashAttributes);

    // NOTE(review): the user identifier and the targeted ID are written to the
    // log at info level; confirm this fits the deployment's log access and
    // retention rules.
    SimpleSAML_Logger::info('consentAdmin: user: ' . $userid);
    SimpleSAML_Logger::info('consentAdmin: target: ' . $targetedId);
    SimpleSAML_Logger::info('consentAdmin: attribute: ' . $attributeHash);

    return array($targetedId, $attributeHash, $attributes);
}
示例2: SimpleSAML_Error_BadRequest
<?php
/**
* Show a warning to a user when the SP requests SSO a short time after
* doing it previously.
*
* @package SimpleSAMLphp
*/
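// StateId is taken directly from the request, so it is untrusted input.
if (!array_key_exists('StateId', $_REQUEST)) {
    throw new SimpleSAML_Error_BadRequest('Missing required StateId query parameter.');
}
// PHP parses "StateId[]=..." into an array; only a plain string can be a
// state identifier, so anything else is rejected before it is used.
if (!is_string($_REQUEST['StateId'])) {
    throw new SimpleSAML_Error_BadRequest('Invalid StateId query parameter.');
}
$id = $_REQUEST['StateId'];

// The saved state is loaded together with the stage name of this page.
// NOTE(review): presumably loadState() refuses a state saved for a different
// stage - confirm against SimpleSAML_Auth_State.
$state = SimpleSAML_Auth_State::loadState($id, 'core:short_sso_interval');
$session = SimpleSAML_Session::getSessionFromRequest();

if (array_key_exists('continue', $_REQUEST)) {
    // The user has pressed the continue/retry-button.
    // The template code below is only meant for the case where this branch is
    // not taken; resumeProcessing() is expected not to return - TODO confirm.
    SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
}

$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:short_sso_interval.php');
$t->data['target'] = SimpleSAML\Module::getModuleURL('core/short_sso_interval.php');
// NOTE(review): $id is request-supplied and is handed to the template here;
// the template has to HTML-escape it when it renders the form.
$t->data['params'] = array('StateId' => $id);
$t->data['trackId'] = $session->getTrackID();
$t->show();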
示例3: postAuth
/**
* The user is authenticated.
*
* @param array $state The authentication request state array.
*/
public static function postAuth(array $state)
{
    $idp = SimpleSAML_IdP::getByState($state);

    // Nothing below may run unless the IdP reports an authenticated user.
    if (!$idp->isAuthenticated()) {
        throw new SimpleSAML_Error_Exception('Not authenticated.');
    }

    $state['Attributes'] = $idp->authSource->getAttributes();

    // SP metadata is optional in the state; fall back to an empty array.
    $spMetadata = isset($state['SPMetadata']) ? $state['SPMetadata'] : array();

    if (isset($state['core:SP'])) {
        // Look up when this IdP/SP pair last completed SSO in this session.
        $session = SimpleSAML_Session::getSessionFromRequest();
        $ssoKey = $state['core:IdP'] . ';' . $state['core:SP'];
        $previousSSOTime = $session->getData('core:idp-ssotime', $ssoKey);
        if ($previousSSOTime !== null) {
            $state['PreviousSSOTimestamp'] = $previousSSOTime;
        }
    }

    $idpMetadata = $idp->getConfig()->toArray();
    $chain = new SimpleSAML_Auth_ProcessingChain($idpMetadata, $spMetadata, 'idp');

    // ReturnCall names the static method stored in the state alongside the
    // source and destination metadata.
    // NOTE(review): presumably it is invoked when a filter interrupts the chain
    // and processing is resumed later - confirm against ProcessingChain.
    $state['ReturnCall'] = array('SimpleSAML_IdP', 'postAuthProc');
    $state['Destination'] = $spMetadata;
    $state['Source'] = $idpMetadata;

    $chain->processState($state);

    // Reached when processState() returns to this caller.
    self::postAuthProc($state);
}
示例4: finishLogin
$authProcState = SimpleSAML_Auth_ProcessingChain::fetchProcessedState($authProcId);
finishLogin($authProcState);
}
// Shib 1.3 assertion consumer: a non-empty SAMLResponse POST field is required.
// NOTE(review): $exception is not assigned anywhere in the visible code before
// this throw - confirm it is defined earlier, otherwise the second argument is
// an undefined variable.
if (empty($_POST['SAMLResponse'])) {
throw new SimpleSAML_Error_Error('ACSPARAMS', $exception);
}
try {
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$binding = new SimpleSAML_Bindings_Shib13_HTTPPost($config, $metadata);
// Decode the posted response and call validate() on it before the issuer,
// relay state or attributes are read from it.
$authnResponse = $binding->decodeResponse($_POST);
$authnResponse->validate();
/* Successfully authenticated. */
// The IdP metadata is looked up by the issuer named in the response.
$idpmetadata = $metadata->getMetadata($authnResponse->getIssuer(), 'shib13-idp-remote');
SimpleSAML_Logger::info('Shib1.3 - SP.AssertionConsumerService: Successful authentication to IdP ' . $idpmetadata['entityid']);
SimpleSAML_Logger::stats('shib13-sp-SSO ' . $metadata->getMetaDataCurrentEntityID('shib13-sp-hosted') . ' ' . $idpmetadata['entityid'] . ' NA');
$relayState = $authnResponse->getRelayState();
// NOTE(review): this throw sits inside the try block. If SimpleSAML_Error_Error
// derives from Exception, the catch below re-wraps it as GENERATEAUTHNRESPONSE,
// so NORELAYSTATE is no longer the top-level error code - confirm that is intended.
if (!isset($relayState)) {
throw new SimpleSAML_Error_Error('NORELAYSTATE');
}
$spmetadata = $metadata->getMetaData(NULL, 'shib13-sp-hosted');
/* Begin module attribute processing */
$pc = new SimpleSAML_Auth_ProcessingChain($idpmetadata, $spmetadata, 'sp');
// The RelayState is passed through checkURLAllowed() before it is stored as
// the target URL.
// NOTE(review): presumably checkURLAllowed() rejects URLs outside the trusted
// set; verify against SimpleSAML_Utilities.
$authProcState = array('core:shib13-sp:NameID' => $authnResponse->getNameID(), 'core:shib13-sp:SessionIndex' => $authnResponse->getSessionIndex(), 'core:shib13-sp:TargetURL' => SimpleSAML_Utilities::checkURLAllowed($relayState), 'ReturnURL' => SimpleSAML_Utilities::selfURLNoQuery(), 'Attributes' => $authnResponse->getAttributes(), 'Destination' => $spmetadata, 'Source' => $idpmetadata);
$pc->processState($authProcState);
/* Since this function returns, processing has completed and attributes have
* been updated.
*/
finishLogin($authProcState);
} catch (Exception $exception) {
// Every exception raised in the block above is reported under one error code,
// with the original exception passed along as the second argument.
throw new SimpleSAML_Error_Error('GENERATEAUTHNRESPONSE', $exception);
}
示例5: handleResponse
/**
* Handle a response from a SSO operation.
*
* @param array $state The authentication state.
* @param string $idp The entity id of the IdP.
* @param array $attributes The attributes.
*/
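public function handleResponse(array $state, $idp, array $attributes)
{
    // Assertions are written as expressions: string assertions are deprecated
    // since PHP 7.2 and no longer evaluated on PHP 8, where they always pass.
    // assert() can be disabled at runtime, so these are sanity checks for
    // development, not input validation.
    assert(is_string($idp));
    assert(array_key_exists("LogoutState", $state));
    assert(array_key_exists("saml:logout:Type", $state["LogoutState"]));

    $idpMetadata = $this->getIdpMetadata($idp);
    $spMetadataArray = $this->metadata->toArray();
    $idpMetadataArray = $idpMetadata->toArray();

    /* Save the IdP in the state array. */
    // This has to happen before $state is copied into the processing state below.
    $state['saml:sp:IdP'] = $idp;
    $state['PersistentAuthData'][] = 'saml:sp:IdP';

    $authProcState = array(
        'saml:sp:IdP' => $idp,
        'saml:sp:State' => $state,
        'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
        'Attributes' => $attributes,
        'Destination' => $spMetadataArray,
        'Source' => $idpMetadataArray,
    );

    // NameID and SessionIndex are copied to the top level of the processing
    // state only when the authentication state carries them.
    if (isset($state['saml:sp:NameID'])) {
        $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
    }
    if (isset($state['saml:sp:SessionIndex'])) {
        $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
    }

    $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
    $pc->processState($authProcState);

    // Reached when processState() returns to this caller; the same method is
    // also registered above as the state's ReturnCall.
    self::onProcessingCompleted($authProcState);
}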
示例6: processRequest
/**
* Process a request.
*
* This function never returns.
*
* @param array $state The state array; $state['request'] holds the OpenID request we are processing.
*/
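public function processRequest(array $state)
{
    // Expression form: string assertions are no longer evaluated on PHP 8.
    assert(isset($state["request"]));
    $request = $state['request'];

    $sreg_req = Auth_OpenID_SRegRequest::fromOpenIDRequest($request);
    $ax_req = Auth_OpenId_AX_FetchRequest::fromOpenIDRequest($request);

    /* In resume.php there should be a way to display data requested through sreg or ax. */
    if (!$this->authSource->isAuthenticated()) {
        if ($request->immediate) {
            /* Not logged in, and we cannot show a login form. */
            $this->sendResponse($request->answer(FALSE));
        }

        $resumeURL = $this->getStateURL('resume.php', $state);
        $this->authSource->requireAuth(array('ReturnTo' => $resumeURL));
    }

    $identity = $this->getIdentity();
    // NOTE(review): assert() can be disabled in production, so this line is a
    // development aid only; the identity comparison below is the effective check.
    assert($identity !== FALSE);

    /* Should always be logged in here. */
    if (!$request->idSelect() && $identity !== $request->identity) {
        /* The identity in the request doesn't match the one of the logged in user. */
        throw new SimpleSAML_Error_Exception('Logged in as different user than the one requested.');
    }

    // Trust decision: a previously trusted root, else the answer recorded in
    // the state, else the user is sent to the trust form.
    if ($this->isTrusted($identity, $request->trust_root)) {
        $trusted = TRUE;
    } elseif (isset($state['TrustResponse'])) {
        $trusted = (bool) $state['TrustResponse'];
    } else {
        if ($request->immediate) {
            /* Not trusted, and we cannot show a trust-form. */
            $this->sendResponse($request->answer(FALSE));
        }

        // $trusted is not assigned on this path; the code relies on the
        // response/redirect calls ending the request - TODO confirm.
        $trustURL = $this->getStateURL('trust.php', $state);
        SimpleSAML_Utilities::redirectTrustedURL($trustURL);
    }

    if (!$trusted) {
        /* The user doesn't trust this site. */
        $this->sendResponse($request->answer(FALSE));
    }

    $response = $request->answer(TRUE, NULL, $identity);

    // Process attributes: collapse single-valued arrays to their only value.
    $attributes = $this->authSource->getAttributes();
    foreach ($attributes as $key => $attr) {
        if (is_array($attr) && count($attr) === 1) {
            $attributes[$key] = $attr[0];
        }
    }

    // Run the configured filters passively. The argument is passed as a plain
    // variable: call-time pass-by-reference (&$state at the call site) is a
    // fatal error since PHP 5.4. The state is read back right after the call.
    $pc = new SimpleSAML_Auth_ProcessingChain($this->authProc, array(), 'idp');
    $state = array('Attributes' => $attributes, 'isPassive' => TRUE);
    $pc->processStatePassive($state);
    $attributes = $state['Attributes'];

    // Process SREG requests
    $sreg_resp = Auth_OpenID_SRegResponse::extractResponse($sreg_req, $attributes);
    $sreg_resp->toMessage($response->fields);

    // Process AX requests: only attributes the relying party asked for and
    // that exist after filtering are added to the response.
    $ax_resp = new Auth_OpenID_AX_FetchResponse();
    foreach ($ax_req->iterTypes() as $type_uri) {
        if (isset($attributes[$type_uri])) {
            $ax_resp->addValue($type_uri, $attributes[$type_uri]);
        }
    }
    $ax_resp->toMessage($response->fields);

    /* The user is authenticated, and trusts this site. */
    $this->sendResponse($response);
}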
示例7: processFilters
/**
 * Run the 'aa' processing chain over the attributes and write the result back.
 *
 * The chain is run with processStatePassive(): backend processing without
 * user interaction.
 *
 * @param mixed &$attributes Attributes to filter; replaced with the state's
 *                           'Attributes' entry after the chain has run.
 */
private function processFilters(&$attributes)
{
    $destination = $this->spMetadata->toArray();
    $source = $this->aaMetadata->toArray();

    $chain = new SimpleSAML_Auth_ProcessingChain($source, $destination, 'aa');

    $chainState = array(
        'Attributes' => $attributes,
        'Destination' => $destination,
        'Source' => $source,
    );
    $chain->processStatePassive($chainState);

    // Hand the filtered attribute set back through the reference parameter.
    $attributes = $chainState['Attributes'];
}
示例8: handleResponse
/**
* Handle a response from a SSO operation.
*
* @param array $state The authentication state.
* @param string $idp The entity id of the IdP.
* @param array $attributes The attributes.
*/
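public function handleResponse(array $state, $idp, array $attributes)
{
    // Assertions are written as expressions: string assertions are deprecated
    // since PHP 7.2 and no longer evaluated on PHP 8, where they always pass.
    // They remain development-time sanity checks, since assert() can be disabled.
    assert(is_string($idp));
    assert(array_key_exists("LogoutState", $state));
    assert(array_key_exists("saml:logout:Type", $state["LogoutState"]));

    $idpMetadata = $this->getIdpMetadata($idp);
    $spMetadataArray = $this->metadata->toArray();
    $idpMetadataArray = $idpMetadata->toArray();

    // The whole authentication state travels inside the processing state
    // under 'saml:sp:State'.
    $authProcState = array(
        'saml:sp:IdP' => $idp,
        'saml:sp:State' => $state,
        'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
        'Attributes' => $attributes,
        'Destination' => $spMetadataArray,
        'Source' => $idpMetadataArray,
    );

    $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
    $pc->processState($authProcState);

    // Reached when processState() returns to this caller; the same method is
    // also registered above as the state's ReturnCall.
    self::onProcessingCompleted($authProcState);
}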
示例9: SimpleSAML_Error_BadRequest
*/
if (isset($_POST['sig_response'])) {
    /*
     * Second-factor callback: verify the signed Duo response. verifyResponse
     * returns NULL on failure and the username on success.
     * NOTE(review): IKEY, SKEY and AKEY are defined outside this excerpt;
     * they should come from protected configuration, not from the web root.
     */
    $resp = Duo::verifyResponse(IKEY, SKEY, AKEY, $_POST['sig_response']);

    // The username of the first factor must be known to compare against.
    if (!isset($attributes[$username_attribute])) {
        throw new SimpleSAML_Error_BadRequest('Missing required username attribute.');
    }
    $username = $attributes[$username_attribute][0];

    // Continue only when Duo confirmed a user AND that user is the one from
    // the first factor. The NULL test is a loose comparison, so an empty
    // string is rejected as well.
    if ($resp == NULL or $resp !== $username) {
        throw new SimpleSAML_Error_BadRequest('Response verification failed.');
    }

    SimpleSAML_Auth_ProcessingChain::resumeProcessing($this->data['state']);
}
/*
* Verify username and password. If the user and pass are good, then generate
* a sig_request and load up the Duo iframe for secondary authentication.
*/
if (isset($attributes[$username_attribute])) {
$username = $attributes[$username_attribute][0];
// Generate sig request and then load up Duo javascript and iframe
$sig_request = Duo::signRequest(IKEY, SKEY, AKEY, $username);
?>
<script src="Duo-Web-v2.min.js"></script>
<link rel="stylesheet" type="text/css" href="Duo-Frame.css">
示例10: completeLogin
/**
 * Finish a login once the server reports an authenticated user for the session.
 *
 * Without an authenticated user the browser is sent to the module's login
 * page. With one, the request is either completed as a single-factor login
 * or, when the state has a "tiqrUser" entry, resumed as a processing filter.
 *
 * @param mixed $authStateId Identifier passed to _validateAuthState() and
 *                           forwarded as the AuthState parameter on redirect.
 */
public static function completeLogin($authStateId)
{
    // NOTE(review): $authStateId presumably arrives from the request; the
    // state is only used after _validateAuthState() has returned it.
    $state = self::_validateAuthState($authStateId);
    $server = self::getServer(false);
    $session = SimpleSAML_Session::getSessionFromRequest();
    $user = $server->getAuthenticatedUser($session->getSessionId());

    if (empty($user)) {
        // Nobody is authenticated for this session id: back to the login page.
        $loginUrl = SimpleSAML_Module::getModuleURL('authTiqr/login.php');
        SimpleSAML_Utilities::redirect($loginUrl, array('AuthState' => $authStateId));
        return;
    }

    if (isset($state["tiqrUser"])) {
        // Two factor, we can now complete the processing filter process.
        SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
        return;
    }

    // Single factor. Build the attribute set from user storage and finish.
    $state['Attributes'] = array_merge(
        array(
            'uid' => array($user),
            'displayName' => array(self::getUserStorage()->getDisplayName($user)),
        ),
        self::getUserStorage()->getAdditionalAttributes($user)
    );
    SimpleSAML_Auth_Source::completeAuth($state);
}
示例11: process
/**
* Process an authentication response
*
* This function saves the state, and redirects the user to the Attribute Authority for
* entitlements.
*
* @param array &$state The state of the response.
*
* @return void
*/
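public function process(&$state)
{
    // Expression form: string assertions are no longer evaluated on PHP 8.
    assert(is_array($state));

    // Copy the filter's configuration and the lookup attribute into the state
    // so the attribute query page can read them after the redirect.
    $state['attributeaggregator:authsourceId'] = $state["saml:sp:State"]["saml:sp:AuthId"];
    $state['attributeaggregator:entityId'] = $this->entityId;
    // The lookup attribute may be absent; read it without triggering an
    // undefined-index notice. The missing case is handled just below.
    $state['attributeaggregator:attributeId'] = isset($state['Attributes'][$this->attributeId])
        ? $state['Attributes'][$this->attributeId]
        : null;
    $state['attributeaggregator:nameIdFormat'] = $this->nameIdFormat;
    $state['attributeaggregator:attributes'] = $this->attributes;
    $state['attributeaggregator:attributeNameFormat'] = $this->attributeNameFormat;

    if (!$state['attributeaggregator:attributeId']) {
        if (!$this->required) {
            SimpleSAML_Logger::info('[attributeaggregator] This user session does not have ' . $this->attributeId . ', which is required for querying the AA! Continue processing.');
            SimpleSAML_Logger::debug('[attributeaggregator] Attributes are: ' . var_export($state['Attributes'], true));
            // NOTE(review): there is no return after this call, so the code
            // relies on resumeProcessing() not returning; otherwise execution
            // falls through to the throw below - confirm.
            SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
        }

        // NOTE(review): the exception message embeds the user's full attribute
        // set. Depending on how errors are displayed and logged this can expose
        // personal data; consider keeping the dump in the debug log only.
        throw new SimpleSAML_Error_Exception("This user session does not have " . $this->attributeId . ", which is required for querying the AA! Attributes are: " . var_export($state['Attributes'], 1));
    }

    // Save state and redirect
    $id = SimpleSAML_Auth_State::saveState($state, 'attributeaggregator:request');
    $url = SimpleSAML_Module::getModuleURL('attributeaggregator/attributequery.php');
    SimpleSAML_Utilities::redirect($url, array('StateId' => $id));
    // FIXME: redirect is deprecated
}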