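<?php

/**
 * SAML authentication plugin
 *
 * Helper that lazily builds the php-saml toolkit instance from the plugin
 * configuration. Validation of everything the IdP sends is left to the
 * toolkit (see 'strict' in createSettings()); this class only assembles
 * the settings array.
 *
 * @author Andreas Gohr <gohr@cosmocode.de>
 * @author Sam Yelman <sam.yelman@temple.edu>
 */
class helper_plugin_saml extends auth_plugin_authplain
{
    /** @var OneLogin_Saml2_Auth|null created on first call of getSamlLib() */
    protected $saml;

    /**
     * Get the initialized SAML library
     *
     * The toolkit is loaded and instantiated on first use only, so requests
     * that never talk to the IdP do not pay for it.
     *
     * @return OneLogin_Saml2_Auth
     * @throws OneLogin_Saml2_Error presumably, when the toolkit rejects the settings — verify against the bundled toolkit version
     */
    public function getSamlLib()
    {
        if ($this->saml === null) {
            require_once __DIR__ . '/phpsaml/_toolkit_loader.php';
            $this->saml = new OneLogin_Saml2_Auth($this->createSettings());
        }
        return $this->saml;
    }

    /**
     * Initializes the settings array for the PHP SAML library
     *
     * @return array settings in the shape expected by OneLogin_Saml2_Settings
     */
    protected function createSettings()
    {
        global $conf;

        // The title is embedded in XML (SP metadata ServiceName / Organization),
        // so escape for XML only: htmlentities() emits HTML named entities such
        // as &eacute; for non-ASCII titles, and those are undefined in XML.
        $xml_wiki_title = htmlspecialchars(
            (string) $conf['title'],
            ENT_XML1 | ENT_QUOTES | ENT_SUBSTITUTE,
            'UTF-8'
        );

        // NOTE(review): an empty 'certificate' setting still yields a (bogus) PEM
        // block here, so the failure only surfaces at signature validation time.
        $cert = $this->normalizeCertificate($this->getConf('certificate'));

        return [
            // Reject messages that violate the SAML standard or lack the
            // signatures the toolkit expects; keep this on.
            'strict' => true,
            // Toolkit debug output exposes error details; keep off in production.
            'debug' => false,
            'baseurl' => DOKU_URL,

            // Our own meta data
            'sp' => [
                'entityId' => DOKU_URL,
                'assertionConsumerService' => [
                    'url' => DOKU_URL . DOKU_SCRIPT,
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_POST,
                ],
                'attributeConsumingService' => [
                    'serviceName' => $xml_wiki_title,
                    'serviceDescription' => 'SAML auth plugin',
                    'requestedAttributes' => [],
                ],
                'singleLogoutService' => [
                    'url' => wl('', ['do' => 'logout'], true, '&'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_EMAIL_ADDRESS,
            ],

            // The SAML server we talk to
            'idp' => [
                'entityId' => $this->getConf('idPEntityID'),
                'singleSignOnService' => [
                    'url' => $this->getConf('endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'singleLogoutService' => [
                    'url' => $this->getConf('slo_endpoint'),
                    'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
                ],
                'NameIDFormat' => OneLogin_Saml2_Constants::NAMEID_UNSPECIFIED,
                // Used to verify IdP signatures; only this certificate is trusted.
                'x509cert' => $cert,
            ],

            'security' => [
                'requestedAuthnContext' => false, // We let the AD decide what kind of authentication it uses
                'wantNameId' => false, // Seems not to work otherwise
                // NOTE(review): with this off the toolkit presumably accepts a Destination
                // that merely starts with our own URL rather than equals it — confirm the
                // relaxation is still required and document why.
                'destinationStrictlyMatches' => false,
            ],

            'organization' => [
                'en-US' => [
                    'name' => $xml_wiki_title,
                    'displayname' => $xml_wiki_title,
                    'url' => DOKU_URL,
                ],
            ],
        ];
    }

    /**
     * Bring the configured IdP certificate into PEM form
     *
     * Accepts either a complete PEM block or the bare base64 body (possibly
     * on a single line, as copied from IdP metadata) and returns a PEM block.
     *
     * @param string|null $cert raw value of the 'certificate' setting
     * @return string PEM encoded certificate
     */
    private function normalizeCertificate($cert)
    {
        // A single-line base64 body has to be wrapped; wordwrap() keeps any
        // newlines a full PEM block already has. The cast avoids passing null
        // from an unset option into wordwrap().
        $cert = trim(wordwrap((string) $cert, 65, "\n", true));
        if (!preg_match('/^-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----$/s', $cert)) {
            $cert = "-----BEGIN CERTIFICATE-----\n$cert\n-----END CERTIFICATE-----";
        }
        return $cert;
    }
}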