From 39b3d52746d9aa1765fe50753ede74ee57ea9027 Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle
Date: Tue, 10 Jul 2018 18:07:34 +0200
Subject: [PATCH] make sure to redirect to correct idp
Signed-off-by: Bjoern Schiessle
---
 appinfo/app.php | 2 +-
 lib/Controller/SAMLController.php | 5 +-
 lib/SAMLSettings.php | 51 +++++++++++++++++++------------
 3 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/appinfo/app.php b/appinfo/app.php
index 1ec876a..ecaca6b 100644
--- a/appinfo/app.php
+++ b/appinfo/app.php
@@ -57,7 +57,7 @@ $type = '';
 switch($config->getAppValue('user_saml', 'type')) {
 case 'saml':
 try {
- $oneLoginSettings = new \OneLogin_Saml2_Settings($samlSettings->getOneLoginSettingsArray());
+ $oneLoginSettings = new \OneLogin_Saml2_Settings($samlSettings->getOneLoginSettingsArray(1));
 } catch (OneLogin_Saml2_Error $e) {
 $returnScript = true;
 }
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
index 6fc588d..ade38b5 100644
--- a/lib/Controller/SAMLController.php
+++ b/lib/Controller/SAMLController.php
@@ -149,14 +149,15 @@ class SAMLController extends Controller {
 * @UseSession
 * @OnlyUnauthenticatedUsers
 *
+ * @param int $idp id of the idp
 * @return Http\RedirectResponse
 * @throws \Exception
 */
- public function login() {
+ public function login($idp) {
 $type = $this->config->getAppValue($this->appName, 'type');
 switch($type) {
 case 'saml':
- $auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
+ $auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray($idp));
 $ssoUrl = $auth->login(null, [], false, false, true);
 $this->session->set('user_saml.AuthNRequestID', $auth->getLastRequestID());
 $this->session->set('user_saml.OriginalUrl', $this->request->getParam('originalUrl', ''));
diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php
index 84d21a6..0f97b63 100644
--- a/lib/SAMLSettings.php
+++ b/lib/SAMLSettings.php
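Review bot: The literal `1` in `getOneLoginSettingsArray(1)` hard-codes the convention that the default IdP has id 1 and is stored without a key prefix, the same convention the `$idp > 1` branch in `lib/SAMLSettings.php` relies on. Give the parameter that default instead, `public function getOneLoginSettingsArray($idp = 1)`, so this call and the other callers not touched by the commit stay unchanged and the convention lives in one place. The surrounding `switch`/`try` block, including where `$samlSettings` comes from, is outside the hunk.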
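Review bot: The chosen `$idp` is not persisted once `login($idp)` has built the AuthnRequest — the hunk stores `user_saml.AuthNRequestID` and `user_saml.OriginalUrl` in the session but not the IdP id, so whatever later processes the response has no way to select the matching IdP configuration (its `idp-x509cert` and `idp-entityId`) and, if it calls `getOneLoginSettingsArray()` without an argument as the callers untouched by this commit presumably still do, will validate against the default IdP's settings. Add a third write next to the other two, e.g. `$this->session->set('user_saml.Idp', $idp);` (constructed key name), and read it back where the response is handled. `$idp` also arrives from the request unvalidated and is passed through as-is; normalise it with `$idp = (int)$idp;` before use (unless the dispatcher already casts from the `@param int` annotation, which cannot be seen here) and treat an id with no configured `idp-entityId` as an error instead of letting it produce a login redirect built from empty settings. A default of `login($idp = 1)` would keep existing links to the login route working. The body of `login()` continues past the hunk.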
@@ -76,26 +76,37 @@ class SAMLSettings {
 return $setting === '1';
 }
- public function getOneLoginSettingsArray() {
+ /**
+ * get config for given IDP
+ *
+ * @param int $idp
+ * @return array
+ */
+ public function getOneLoginSettingsArray($idp) {
+
+ $prefix = '';
+ if ($idp > 1) {
+ $prefix = $idp . '-';
+ }
 $settings = [
 'strict' => true,
 'debug' => $this->config->getSystemValue('debug', false),
 'baseurl' => $this->request->getServerProtocol() . '://' . $this->request->getServerHost(),
 'security' => [
- 'nameIdEncrypted' => ($this->config->getAppValue('user_saml', 'security-nameIdEncrypted', '0') === '1') ? true : false,
- 'authnRequestsSigned' => ($this->config->getAppValue('user_saml', 'security-authnRequestsSigned', '0') === '1') ? true : false,
- 'logoutRequestSigned' => ($this->config->getAppValue('user_saml', 'security-logoutRequestSigned', '0') === '1') ? true : false,
- 'logoutResponseSigned' => ($this->config->getAppValue('user_saml', 'security-logoutResponseSigned', '0') === '1') ? true : false,
- 'signMetadata' => ($this->config->getAppValue('user_saml', 'security-signMetadata', '0') === '1') ? true : false,
- 'wantMessagesSigned' => ($this->config->getAppValue('user_saml', 'security-wantMessagesSigned', '0') === '1') ? true : false,
- 'wantAssertionsSigned' => ($this->config->getAppValue('user_saml', 'security-wantAssertionsSigned', '0') === '1') ? true : false,
- 'wantAssertionsEncrypted' => ($this->config->getAppValue('user_saml', 'security-wantAssertionsEncrypted', '0') === '1') ? true : false,
- 'wantNameId' => ($this->config->getAppValue('user_saml', 'security-wantNameId', '0') === '1') ? true : false,
- 'wantNameIdEncrypted' => ($this->config->getAppValue('user_saml', 'security-wantNameIdEncrypted', '0') === '1') ? true : false,
- 'wantXMLValidation' => ($this->config->getAppValue('user_saml', 'security-wantXMLValidation', '0') === '1') ? true : false,
+ 'nameIdEncrypted' => ($this->config->getAppValue('user_saml', $prefix . 
'security-nameIdEncrypted', '0') === '1') ? true : false,
+ 'authnRequestsSigned' => ($this->config->getAppValue('user_saml', $prefix . 'security-authnRequestsSigned', '0') === '1') ? true : false,
+ 'logoutRequestSigned' => ($this->config->getAppValue('user_saml', $prefix . 'security-logoutRequestSigned', '0') === '1') ? true : false,
+ 'logoutResponseSigned' => ($this->config->getAppValue('user_saml', $prefix . 'security-logoutResponseSigned', '0') === '1') ? true : false,
+ 'signMetadata' => ($this->config->getAppValue('user_saml', $prefix . 'security-signMetadata', '0') === '1') ? true : false,
+ 'wantMessagesSigned' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantMessagesSigned', '0') === '1') ? true : false,
+ 'wantAssertionsSigned' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantAssertionsSigned', '0') === '1') ? true : false,
+ 'wantAssertionsEncrypted' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantAssertionsEncrypted', '0') === '1') ? true : false,
+ 'wantNameId' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantNameId', '0') === '1') ? true : false,
+ 'wantNameIdEncrypted' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantNameIdEncrypted', '0') === '1') ? true : false,
+ 'wantXMLValidation' => ($this->config->getAppValue('user_saml', $prefix . 'security-wantXMLValidation', '0') === '1') ? true : false,
 'requestedAuthnContext' => false,
- 'lowercaseUrlencoding' => ($this->config->getAppValue('user_saml', 'security-lowercaseUrlencoding', '0') === '1') ? true : false,
+ 'lowercaseUrlencoding' => ($this->config->getAppValue('user_saml', $prefix . 'security-lowercaseUrlencoding', '0') === '1') ? true : false,
 ],
 'sp' => [
 'entityId' => $this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.getMetadata'),
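Review bot: The new `$prefix` is built by concatenating `$idp` exactly as received, so any non-integer value that reaches `getOneLoginSettingsArray()` (the controller passes the request parameter straight through) ends up inside the config key, every lookup silently falls back to its default and the `idp` section comes out empty; cast first, `$idp = (int)$idp;`, which also keeps the `$idp > 1` comparison from depending on PHP's string-to-number comparison rules. The "id 1 is stored without a prefix" convention is now relied on both here and in `appinfo/app.php` and deserves a comment on the line that sets `$prefix`. Separately, the twelve new `security-*` lines repeat `($this->config->getAppValue('user_saml', $prefix . '…', '0') === '1') ? true : false`, where the ternary is redundant on an already-boolean expression; a small private helper removes the duplication and the redundant ternary at once. The method continues into the following two hunks.

```php
    }

    /**
     * Reads a boolean app setting; only the stored string '1' counts as enabled.
     *
     * @param string $key app config key, already carrying the IdP prefix where applicable
     * @return bool
     */
    private function getBoolSetting($key) {
        return $this->config->getAppValue('user_saml', $key, '0') === '1';
    }

    /**
     * get config for given IDP
     * … unchanged docblock …
     */
    public function getOneLoginSettingsArray($idp) {
        // the default IdP (id 1) is stored without a prefix, additional ones as "<id>-"
        $idp = (int)$idp;
        $prefix = $idp > 1 ? $idp . '-' : '';
        $settings = [
            // … unchanged: strict / debug / baseurl …
            'security' => [
                'nameIdEncrypted' => $this->getBoolSetting($prefix . 'security-nameIdEncrypted'),
                'authnRequestsSigned' => $this->getBoolSetting($prefix . 'security-authnRequestsSigned'),
                // … same for the remaining security-* flags …
                'requestedAuthnContext' => false,
                'lowercaseUrlencoding' => $this->getBoolSetting($prefix . 'security-lowercaseUrlencoding'),
            ],
            // … unchanged: sp / idp sections and the rest of the method …
```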
@@ -104,15 +115,15 @@ class SAMLSettings {
 ],
 ],
 'idp' => [
- 'entityId' => $this->config->getAppValue('user_saml', 'idp-entityId', ''),
+ 'entityId' => $this->config->getAppValue('user_saml', $prefix . 'idp-entityId', ''),
 'singleSignOnService' => [
- 'url' => $this->config->getAppValue('user_saml', 'idp-singleSignOnService.url', ''),
+ 'url' => $this->config->getAppValue('user_saml', $prefix . 'idp-singleSignOnService.url', ''),
 ],
 ],
 ];
- $spx509cert = $this->config->getAppValue('user_saml', 'sp-x509cert', '');
- $spxprivateKey = $this->config->getAppValue('user_saml', 'sp-privateKey', '');
+ $spx509cert = $this->config->getAppValue('user_saml', $prefix . 'sp-x509cert', '');
+ $spxprivateKey = $this->config->getAppValue('user_saml', $prefix . 'sp-privateKey', '');
 if($spx509cert !== '') {
 $settings['sp']['x509cert'] = $spx509cert;
 }
@@ -120,15 +131,15 @@ class SAMLSettings {
 $settings['sp']['privateKey'] = $spxprivateKey;
 }
- $idpx509cert = $this->config->getAppValue('user_saml', 'idp-x509cert', '');
+ $idpx509cert = $this->config->getAppValue('user_saml', $prefix . 'idp-x509cert', '');
 if($idpx509cert !== '') {
 $settings['idp']['x509cert'] = $idpx509cert;
 }
- $slo = $this->config->getAppValue('user_saml', 'idp-singleLogoutService.url', '');
+ $slo = $this->config->getAppValue('user_saml', $prefix . 'idp-singleLogoutService.url', '');
 if($slo !== '') {
 $settings['idp']['singleLogoutService'] = [
- 'url' => $this->config->getAppValue('user_saml', 'idp-singleLogoutService.url', ''),
+ 'url' => $this->config->getAppValue('user_saml', $prefix . 'idp-singleLogoutService.url', ''),
 ];
 $settings['sp']['singleLogoutService'] = [
 'url' => $this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.singleLogoutService'),
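Review bot: `sp-x509cert` and `sp-privateKey` are now read with the IdP prefix as well, so an additional IdP for which no `<id>-sp-privateKey` has been stored gets an `sp` section without any key; if that IdP's `<id>-security-authnRequestsSigned` is '1', the toolkit would presumably have nothing to sign with and login for that IdP fails. Either state on the method's docblock that the SP certificate and key must be stored per IdP, or fall back to the unprefixed keys when the prefixed lookup is empty, e.g. `$spx509cert = $this->config->getAppValue('user_saml', $prefix . 'sp-x509cert', '') ?: $this->config->getAppValue('user_saml', 'sp-x509cert', '');` with the same shape for the private key. Whether the settings writer stores the prefixed SP keys cannot be seen from this diff. `getOneLoginSettingsArray()` starts in the previous hunk and continues in the next.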
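Review bot: The new `'url' => $this->config->getAppValue('user_saml', $prefix . 'idp-singleLogoutService.url', '')` inside the `singleLogoutService` block re-reads the same key that was assigned to `$slo` three lines earlier and checked with `!== ''`; use the variable, `'url' => $slo,`, so the branch condition and the value it emits cannot diverge. The duplicated lookup predates the commit, but since the line is being rewritten anyway this is the moment to fold it. `getOneLoginSettingsArray()` begins in an earlier hunk and its remainder lies outside the diff.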