1<?php
3/**
4 * ADFS SAML authentication plugin
5 *
6 * @author     Andreas Gohr <gohr@cosmocode.de>
7 */
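class helper_plugin_adfs extends auth_plugin_authplain
{
    /**
     * Lazily created SAML toolkit instance, see getSamlLib()
     *
     * @var OneLogin_Saml2_Auth|null
     */
    protected $saml;

    /**
     * Get the initialized SAML library
     *
     * On first use the bundled phpsaml toolkit is loaded from this plugin's
     * directory and configured with createSettings(); later calls return the
     * same instance.
     *
     * @return OneLogin_Saml2_Auth
     */
    public function getSamlLib()
    {
        if ($this->saml === null) {
            require_once __DIR__ . '/phpsaml/_toolkit_loader.php';
            $this->saml = new OneLogin_Saml2_Auth($this->createSettings());
        }
        return $this->saml;
    }

    /**
     * Initializes the settings array for the PHP SAML library
     *
     * Builds the SP section (this wiki) and the IdP section (the configured
     * ADFS server) from the plugin configuration. 'strict' stays enabled so the
     * toolkit rejects messages that do not pass its validation, 'debug' stays
     * off so no toolkit internals are exposed.
     *
     * @return array settings in the structure expected by OneLogin_Saml2_Auth
     */
    protected function createSettings()
    {
        global $conf;
        // The wiki title ends up in SAML metadata (XML), so entity-encode it.
        $xml_wiki_title = htmlentities((string) ($conf['title'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        return [
            'strict' => true,
            'debug' => false,
            'baseurl' => DOKU_URL,

            // Our own meta data
            'sp' => [
                'entityId' => DOKU_URL,
                'assertionConsumerService' => [
                    'url' => DOKU_URL . DOKU_SCRIPT,
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_POST,
                ],
                'attributeConsumingService' => [
                    'serviceName' => $xml_wiki_title,
                    'serviceDescription' => 'ADFS auth plugin',
                    'requestedAttributes' => [],
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_EMAIL_ADDRESS,
            ],

            // The ADFS server we talk to; its certificate is what the toolkit
            // validates response signatures against, so it comes from config only.
            'idp' => [
                'entityId' => $this->getConf('idPEntityID'),
                'singleSignOnService' => [
                    'url' => $this->getConf('endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_UNSPECIFIED,
                'x509cert' => $this->formatCertificate($this->getConf('certificate')),
            ],

            'security' => [
                // We let the AD decide what kind of authentication it uses
                'requestedAuthnContext' => false,
                // Accept responses without a NameID; seems not to work otherwise
                'wantNameId' => false,
            ],

            'organization' => [
                'en-US' => [
                    'name' => $xml_wiki_title,
                    'displayname' => $xml_wiki_title,
                    'url' => DOKU_URL,
                ],
            ],
        ];
    }

    /**
     * Normalize the configured IdP certificate into PEM form
     *
     * Accepts either a bare base64 blob or a full PEM block: long lines are
     * broken at 65 characters, surrounding whitespace is stripped, and the
     * BEGIN/END markers are added only when the value does not already start
     * and end with them.
     *
     * @param string|null $cert raw value of the 'certificate' setting
     * @return string PEM formatted certificate
     */
    protected function formatCertificate($cert)
    {
        $pem = trim(wordwrap((string) $cert, 65, "\n", true));
        if (!preg_match('/^-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----$/s', $pem)) {
            $pem = "-----BEGIN CERTIFICATE-----\n$pem\n-----END CERTIFICATE-----";
        }
        return $pem;
    }
}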