1 <?php
2 
3 /**
4  * ADFS SAML authentication plugin
5  *
6  * @author     Andreas Gohr <gohr@cosmocode.de>
7  */
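class helper_plugin_adfs extends auth_plugin_authplain
{
    /** @var OneLogin_Saml2_Auth|null lazily created by getSamlLib() */
    protected $saml;

    /**
     * Get the initialized SAML library
     *
     * The bundled php-saml toolkit is loaded and the Auth object constructed on
     * the first call only; subsequent calls return the same instance.
     *
     * @return OneLogin_Saml2_Auth
     */
    public function getSamlLib()
    {
        if ($this->saml === null) {
            // load the bundled toolkit only when SAML is actually used
            require_once __DIR__ . '/phpsaml/_toolkit_loader.php';
            $this->saml = new OneLogin_Saml2_Auth($this->createSettings());
        }
        return $this->saml;
    }

    /**
     * Initializes the settings array for the PHP SAML library
     *
     * Builds the SP section (this wiki) from the global wiki config and the IdP
     * section (the ADFS server) from the plugin configuration.
     *
     * @return array settings in the layout expected by OneLogin_Saml2_Auth
     */
    protected function createSettings()
    {
        global $conf;
        // The title is interpolated into the SP metadata XML (serviceName and
        // organization). Escape for XML rather than HTML: htmlentities() emits
        // named entities such as &auml; that are undefined in XML and would
        // make the generated metadata unparsable for a non-ASCII wiki title.
        $xml_wiki_title = htmlspecialchars(
            (string) $conf['title'],
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1,
            'UTF-8'
        );

        return [
            // strict: the toolkit rejects messages that do not pass validation
            // (expected signature missing/invalid, wrong destination, ...) instead
            // of only recording the error. Keep this enabled.
            'strict' => true,
            'debug' => false,
            'baseurl' => DOKU_URL,

            // Our own meta data
            'sp' => [
                'entityId' => DOKU_URL,
                'assertionConsumerService' => [
                    'url' => DOKU_URL . DOKU_SCRIPT,
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_POST,
                ],
                'attributeConsumingService' => [
                    'serviceName' => $xml_wiki_title,
                    'serviceDescription' => 'ADFS auth plugin',
                    'requestedAttributes' => [],
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_EMAIL_ADDRESS,
            ],

            // The ADFS server we talk to
            'idp' => [
                'entityId' => $this->getConf('idPEntityID'),
                'singleSignOnService' => [
                    'url' => $this->getConf('endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_UNSPECIFIED,
                // signing certificate of the IdP; the toolkit verifies response
                // and assertion signatures against it
                'x509cert' => $this->formatCertificate($this->getConf('certificate')),
            ],

            'security' => [
                'requestedAuthnContext' => false, // We let the AD decide what kind of authentication it uses
                // false = the toolkit does not require a NameID element in the assertion
                'wantNameId' => false, // Seems not to work otherwise
            ],

            'organization' => [
                'en-US' => [
                    'name' => $xml_wiki_title,
                    'displayname' => $xml_wiki_title,
                    'url' => DOKU_URL,
                ],
            ],
        ];
    }

    /**
     * Normalize the configured IdP certificate to a PEM block
     *
     * Accepts either the bare base64 blob (as copied from the ADFS metadata) or
     * a complete PEM block. Long lines are re-wrapped and the BEGIN/END markers
     * are added when they are missing.
     *
     * @param string|null $cert certificate as stored in the plugin configuration
     * @return string PEM encoded certificate
     */
    private function formatCertificate($cert)
    {
        // cast: an unset config value would otherwise reach wordwrap() as null
        $pem = trim(wordwrap((string) $cert, 65, "\n", true));
        if (!preg_match('/^-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----$/s', $pem)) {
            $pem = "-----BEGIN CERTIFICATE-----\n$pem\n-----END CERTIFICATE-----";
        }
        return $pem;
    }
}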