1<?php
2
/**
 * SAML authentication plugin
 *
 * @author     Andreas Gohr <gohr@cosmocode.de>
 * @author     Sam Yelman <sam.yelman@temple.edu>
 */
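class helper_plugin_saml extends auth_plugin_authplain
{
    /** @var OneLogin_Saml2_Auth|null created lazily by getSamlLib() */
    protected $saml;

    /**
     * Get the initialized SAML library
     *
     * The php-saml toolkit is only loaded on first use, so requests that
     * never touch SAML do not pay for the require.
     *
     * @return OneLogin_Saml2_Auth
     */
    public function getSamlLib()
    {
        if ($this->saml === null) {
            require_once __DIR__ . '/phpsaml/_toolkit_loader.php';
            $this->saml = new OneLogin_Saml2_Auth($this->createSettings());
        }
        return $this->saml;
    }

    /**
     * Initializes the settings array for the PHP SAML library
     *
     * The security-relevant keys ('strict', 'x509cert', the 'security'
     * block) decide what the toolkit accepts from the IdP; each one is
     * commented inline.
     *
     * @return array settings in the structure expected by OneLogin_Saml2_Auth
     */
    protected function createSettings()
    {
        global $conf;

        // The wiki title is interpolated into the SP metadata XML (service
        // name, organization), so it is escaped for an XML context.
        // htmlspecialchars() emits only the entities XML predefines;
        // htmlentities() would also emit HTML-only named entities such as
        // &eacute;, which are not well-formed XML.
        $title = isset($conf['title']) ? (string) $conf['title'] : '';
        $xml_wiki_title = htmlspecialchars($title, ENT_QUOTES | ENT_XML1, 'UTF-8');

        // IdP signing certificate; the toolkit uses it to verify the
        // signature on SAML responses/assertions.
        $cert = $this->normalizeCertificate($this->getConf('certificate'));

        return [
            // Keep strict enabled: in non-strict mode the toolkit skips most
            // validation of the SAML response (see the php-saml README).
            'strict' => true,
            'debug' => false,
            'baseurl' => DOKU_URL,

            // Our own meta data
            'sp' => [
                'entityId' => DOKU_URL,
                'assertionConsumerService' => [
                    'url' => DOKU_URL . DOKU_SCRIPT,
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_POST,
                ],
                'attributeConsumingService' => [
                    'serviceName' => $xml_wiki_title,
                    'serviceDescription' => 'SAML auth plugin',
                    'requestedAttributes' => [],
                ],
                'singleLogoutService' => [
                    'url' => wl('', ['do' => 'logout'], true, '&'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_EMAIL_ADDRESS,
            ],

            // The SAML server we talk to
            'idp' => [
                'entityId' => $this->getConf('idPEntityID'),
                'singleSignOnService' => [
                    'url' => $this->getConf('endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'singleLogoutService' => [
                    'url' => $this->getConf('slo_endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_UNSPECIFIED,
                // PEM form of the configured certificate. A wrong or empty
                // value must make signature validation fail, never be skipped;
                // with 'strict' enabled that is what the toolkit does (confirm
                // against the toolkit version in use).
                'x509cert' => $cert,
            ],

            'security' => [
                // We let the AD decide what kind of authentication it uses
                'requestedAuthnContext' => false,
                // Seems not to work otherwise
                'wantNameId' => false,
                // Relaxes the check of the response's Destination attribute
                // against our ACS URL (prefix instead of exact match, as far
                // as the toolkit docs describe it). Presumably needed because
                // the ACS URL above carries DOKU_SCRIPT; confirm it is still
                // required before keeping it relaxed.
                'destinationStrictlyMatches' => false,
            ],

            'organization' => [
                'en-US' => [
                    'name' => $xml_wiki_title,
                    'displayname' => $xml_wiki_title,
                    'url' => DOKU_URL,
                ],
            ],
        ];
    }

    /**
     * Bring the configured IdP certificate into PEM form
     *
     * Admins may paste either a bare base64 blob (possibly on a single line)
     * or a complete PEM block; both are accepted. The BEGIN/END markers are
     * only added when they are not already present.
     *
     * @param string|null $cert raw value of the 'certificate' config option
     * @return string PEM encoded certificate including BEGIN/END markers
     */
    protected function normalizeCertificate($cert)
    {
        // Re-flow to PEM line length; cut=true because base64 contains no
        // whitespace to wrap at.
        $cert = wordwrap((string) $cert, 65, "\n", true);
        $cert = trim($cert);
        if (!preg_match('/^-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----$/s', $cert)) {
            $cert = "-----BEGIN CERTIFICATE-----\n$cert\n-----END CERTIFICATE-----";
        }
        return $cert;
    }
}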
100