GEANT / CAT

web/admin/action_enrollment.php

Switch Indentation +8 added lines, -8 removed lines

@@ -49,14 +49,14 @@
 }
 
 switch ($_GET['token']) {
-    case "SELF-REGISTER":
-        $token = "SELF-REGISTER";
-        $checkval = \core\UserManagement::TOKENSTATUS_OK_NEW;
-        $federation = \config\ConfAssistant::CONSORTIUM['selfservice_registration'];
-        break;
-    default:
-        $token = $validator->token(filter_input(INPUT_GET,'token',FILTER_SANITIZE_STRING));
-        $checkval = $usermgmt->checkTokenValidity($token);
+        case "SELF-REGISTER":
+            $token = "SELF-REGISTER";
+            $checkval = \core\UserManagement::TOKENSTATUS_OK_NEW;
+            $federation = \config\ConfAssistant::CONSORTIUM['selfservice_registration'];
+            break;
+        default:
+            $token = $validator->token(filter_input(INPUT_GET,'token',FILTER_SANITIZE_STRING));
+            $checkval = $usermgmt->checkTokenValidity($token);
 }
 
 if ($checkval < 0) {

web/admin/inc/sendinvite.inc.php

Switch Indentation +87 added lines, -87 removed lines

@@ -98,98 +98,98 @@
 }
 
 switch ($operationMode) {
-    case OPERATION_MODE_EDIT:
-        $idp = $validator->existingIdP($_GET['inst_id']);
-        // editing IdPs is done from within the popup. When we're done, send the 
-        // user back to the popup (append the result of the operation later)
-        $redirectDestination = "manageAdmins.inc.php?inst_id=" . $idp->identifier . "&";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination" . "invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // is the user primary admin of this IdP?
-        $is_owner = $idp->isPrimaryOwner($_SESSION['user']);
-        // check if he is (also) federation admin for the federation this IdP is in. His invitations have more blessing then.
-        $fedadmin = $userObject->isFederationAdmin($idp->federation);
-        // check if he is either one, if not, complain
-        if (!$is_owner && !$fedadmin) {
-            echo "<p>" . sprintf(_("Something's wrong... you are a %s admin, but not for the %s the requested %s belongs to!"), $uiElements->nomenclatureFed, $uiElements->nomenclatureFed, $uiElements->nomenclatureParticipant) . "</p>";
-            exit(1);
-        }
+        case OPERATION_MODE_EDIT:
+            $idp = $validator->existingIdP($_GET['inst_id']);
+            // editing IdPs is done from within the popup. When we're done, send the 
+            // user back to the popup (append the result of the operation later)
+            $redirectDestination = "manageAdmins.inc.php?inst_id=" . $idp->identifier . "&";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination" . "invitation=INVALIDSYNTAX");
+                exit(1);
+            }
+            // is the user primary admin of this IdP?
+            $is_owner = $idp->isPrimaryOwner($_SESSION['user']);
+            // check if he is (also) federation admin for the federation this IdP is in. His invitations have more blessing then.
+            $fedadmin = $userObject->isFederationAdmin($idp->federation);
+            // check if he is either one, if not, complain
+            if (!$is_owner && !$fedadmin) {
+                echo "<p>" . sprintf(_("Something's wrong... you are a %s admin, but not for the %s the requested %s belongs to!"), $uiElements->nomenclatureFed, $uiElements->nomenclatureFed, $uiElements->nomenclatureParticipant) . "</p>";
+                exit(1);
+            }
 
-        $prettyprintname = $idp->name;
-        $newtokens = $mgmt->createTokens($fedadmin, $validAddresses, $idp);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $idp->identifier . " - Token created for " . implode(",", $validAddresses));
-        $introtext = "CO-ADMIN";
-        $participant_type = $idp->type;
-        break;
-    case OPERATION_MODE_NEWUNLINKED:
-        $redirectDestination = "../overview_federation.php?";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // run an input check and conversion of the raw inputs... just in case
-        $newinstname = $validator->string($_POST['name']);
-        $newcountry = $validator->string($_POST['country']);
-        $participant_type = $validator->partType($_POST['participant_type']);
-        $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($newcountry);
-        if ($new_idp_authorized_fedadmin !== TRUE) {
-            throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
-        }
-        $federation = $validator->existingFederation($newcountry);
-        $prettyprintname = $newinstname;
-        $introtext = "NEW-FED";
-        // send the user back to his federation overview page, append the result of the operation later
-        // do the token creation magic
-        $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $newinstname, 0, $newcountry, $participant_type);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "ORG FUTURE  - Token created for $participant_type " . implode(",", $validAddresses));
-        break;
-    case OPERATION_MODE_NEWFROMDB:
-        $redirectDestination = "../overview_federation.php?";
-        if (count($validAddresses) == 0) {
-            header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
-            exit(1);
-        }
-        // a real external DB entry was submitted and all the required parameters are there
-        $newexternalid = $validator->string($_POST['externals']);
-        $extinfo = $catInstance->getExternalDBEntityDetails($newexternalid);
-        $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($extinfo['country']);
-        if ($new_idp_authorized_fedadmin !== TRUE) {
-            throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
-        }
-        $federation = $validator->existingFederation($extinfo['country']);
-        $newcountry = $extinfo['country'];
-        // see if the inst name is defined in the currently set language; if not, pick its English name; if N/A, pick the last in the list
-        $prettyprintname = "";
-        foreach ($extinfo['names'] as $lang => $name) {
-            if ($lang == $languageInstance->getLang()) {
-                $prettyprintname = $name;
+            $prettyprintname = $idp->name;
+            $newtokens = $mgmt->createTokens($fedadmin, $validAddresses, $idp);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $idp->identifier . " - Token created for " . implode(",", $validAddresses));
+            $introtext = "CO-ADMIN";
+            $participant_type = $idp->type;
+            break;
+        case OPERATION_MODE_NEWUNLINKED:
+            $redirectDestination = "../overview_federation.php?";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
+                exit(1);
             }
-        }
-        if ($prettyprintname == "" && isset($extinfo['names']['en'])) {
-            $prettyprintname = $extinfo['names']['en'];
-        }
-        if ($prettyprintname == "") {
-            foreach ($extinfo['names'] as $name) {
-                $prettyprintname = $name;
+            // run an input check and conversion of the raw inputs... just in case
+            $newinstname = $validator->string($_POST['name']);
+            $newcountry = $validator->string($_POST['country']);
+            $participant_type = $validator->partType($_POST['participant_type']);
+            $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($newcountry);
+            if ($new_idp_authorized_fedadmin !== TRUE) {
+                throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
             }
-        }
-        $participant_type = $extinfo['type'];
-        // fill the rest of the text
-        $introtext = "EXISTING-FED";
-        // do the token creation magic
-        $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $prettyprintname, $newexternalid);
-        $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP FUTURE  - Token created for " . implode(",", $validAddresses));
-        break;
-    default: // includes OPERATION_MODE_INVALID
-        // second param is TRUE, so the variable *will* contain a string
-        // i.e. ignore Scrutinizer type warning later
-        $wrongcontent = print_r($_POST, TRUE);
-        echo "<pre>Wrong parameters in POST:
+            $federation = $validator->existingFederation($newcountry);
+            $prettyprintname = $newinstname;
+            $introtext = "NEW-FED";
+            // send the user back to his federation overview page, append the result of the operation later
+            // do the token creation magic
+            $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $newinstname, 0, $newcountry, $participant_type);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "ORG FUTURE  - Token created for $participant_type " . implode(",", $validAddresses));
+            break;
+        case OPERATION_MODE_NEWFROMDB:
+            $redirectDestination = "../overview_federation.php?";
+            if (count($validAddresses) == 0) {
+                header("Location: $redirectDestination"."invitation=INVALIDSYNTAX");
+                exit(1);
+            }
+            // a real external DB entry was submitted and all the required parameters are there
+            $newexternalid = $validator->string($_POST['externals']);
+            $extinfo = $catInstance->getExternalDBEntityDetails($newexternalid);
+            $new_idp_authorized_fedadmin = $userObject->isFederationAdmin($extinfo['country']);
+            if ($new_idp_authorized_fedadmin !== TRUE) {
+                throw new Exception("Something's wrong... you want to create a new " . $uiElements->nomenclatureParticipant . ", but are not a " . $uiElements->nomenclatureFed . " admin for the " . $uiElements->nomenclatureFed . " it should be in!");
+            }
+            $federation = $validator->existingFederation($extinfo['country']);
+            $newcountry = $extinfo['country'];
+            // see if the inst name is defined in the currently set language; if not, pick its English name; if N/A, pick the last in the list
+            $prettyprintname = "";
+            foreach ($extinfo['names'] as $lang => $name) {
+                if ($lang == $languageInstance->getLang()) {
+                    $prettyprintname = $name;
+                }
+            }
+            if ($prettyprintname == "" && isset($extinfo['names']['en'])) {
+                $prettyprintname = $extinfo['names']['en'];
+            }
+            if ($prettyprintname == "") {
+                foreach ($extinfo['names'] as $name) {
+                    $prettyprintname = $name;
+                }
+            }
+            $participant_type = $extinfo['type'];
+            // fill the rest of the text
+            $introtext = "EXISTING-FED";
+            // do the token creation magic
+            $newtokens = $mgmt->createTokens(TRUE, $validAddresses, $prettyprintname, $newexternalid);
+            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP FUTURE  - Token created for " . implode(",", $validAddresses));
+            break;
+        default: // includes OPERATION_MODE_INVALID
+            // second param is TRUE, so the variable *will* contain a string
+            // i.e. ignore Scrutinizer type warning later
+            $wrongcontent = print_r($_POST, TRUE);
+            echo "<pre>Wrong parameters in POST:
 " . htmlspecialchars(/** @scrutinizer ignore-type */ $wrongcontent) . "
 </pre>";
-        exit(1);
+            exit(1);
 }
 
 // send, and invalidate the token immediately if the mail could not be sent!

web/admin/edit_hotspot.php

Switch Indentation +6 added lines, -6 removed lines

@@ -156,12 +156,12 @@
     }
     if (isset($_POST['command'])) {
         switch ($_POST['command']) {
-        case web\lib\common\FormElements::BUTTON_CLOSE:
-            header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
-            exit(0);
-        default:
-            header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
-            exit(0);
+            case web\lib\common\FormElements::BUTTON_CLOSE:
+                header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
+                exit(0);
+            default:
+                header("Location: overview_org.php?inst_id=" . $my_inst->identifier);
+                exit(0);
         }
     }
     $vlan = $deployment->getAttributes("managedsp:vlan")[0]['value'] ?? NULL;

web/admin/API.php

Switch Indentation +400 added lines, -400 removed lines

@@ -84,231 +84,231 @@ 
 }
 
 switch ($inputDecoded['ACTION']) {
-    case web\lib\admin\API::ACTION_NEWINST:
-        // create the inst, no admin, no attributes
-        $typeRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_INSTTYPE);
-        if ($typeRaw === FALSE) {
-            throw new Exception("We did not receive a valid participant type!");
-        }
-        $type = $validator->partType($typeRaw);
-        $idp = new \core\IdP($fed->newIdP($type, "PENDING", "API"));
-        // now add all submitted attributes
-        $inputs = $adminApi->uglify($scrubbedParameters);
-        $optionParser->processSubmittedFields($idp, $inputs["POST"], $inputs["FILES"]);
-        $adminApi->returnSuccess([web\lib\admin\API::AUXATTRIB_CAT_INST_ID => $idp->identifier]);
-        break;
-    case web\lib\admin\API::ACTION_DELINST:
-        try {
-            $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
-        } catch (Exception $e) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
-            exit(1);
-        }
-        $idp->destroy();
-        $adminApi->returnSuccess([]);
-        break;
-    case web\lib\admin\API::ACTION_ADMIN_LIST:
-        try {
-            $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
-        } catch (Exception $e) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
-            exit(1);
-        }
-        $adminApi->returnSuccess($idp->listOwners());
-        break;
-    case web\lib\admin\API::ACTION_ADMIN_ADD:
-        // IdP in question
-        try {
-            $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
-        } catch (Exception $e) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
-            exit(1);
-        }
-        // here is the token
-        $mgmt = new core\UserManagement();
-        // we know we have an admin ID but scrutinizer wants this checked more explicitly
-        $admin = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_ADMINID);
-        if ($admin === FALSE) {
-            throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
-        }
-        $newtokens = $mgmt->createTokens(true, [$admin], $idp);
-        $URL = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['SCRIPT_NAME']) . "/action_enrollment.php?token=" . array_keys($newtokens)[0];
-        $success = ["TOKEN URL" => $URL, "TOKEN" => array_keys($newtokens)[0]];
-        // done with the essentials - display in response. But if we also have an email address, send it there
-        $email = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_TARGETMAIL);
-        if ($email !== FALSE) {
-            $sent = \core\common\OutsideComm::adminInvitationMail($email, "EXISTING-FED", array_keys($newtokens)[0], $idp->name, $fed, $idp->type);
-            $success["EMAIL SENT"] = $sent["SENT"];
-            if ($sent["SENT"] === TRUE) {
-                $success["EMAIL TRANSPORT SECURE"] = $sent["TRANSPORT"];
+        case web\lib\admin\API::ACTION_NEWINST:
+            // create the inst, no admin, no attributes
+            $typeRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_INSTTYPE);
+            if ($typeRaw === FALSE) {
+                throw new Exception("We did not receive a valid participant type!");
             }
-        }
-        $adminApi->returnSuccess($success);
-        break;
-    case web\lib\admin\API::ACTION_ADMIN_DEL:
-        // IdP in question
-        try {
-            $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
-        } catch (Exception $e) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
-            exit(1);
-        }
-        $currentAdmins = $idp->listOwners();
-        $toBeDeleted = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_ADMINID);
-        if ($toBeDeleted === FALSE) {
-            throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
-        }
-        $found = FALSE;
-        foreach ($currentAdmins as $oneAdmin) {
-            if ($oneAdmin['MAIL'] == $toBeDeleted) {
-                $found = TRUE;
-                $mgmt = new core\UserManagement();
-                $mgmt->removeAdminFromIdP($idp, $oneAdmin['ID']);
+            $type = $validator->partType($typeRaw);
+            $idp = new \core\IdP($fed->newIdP($type, "PENDING", "API"));
+            // now add all submitted attributes
+            $inputs = $adminApi->uglify($scrubbedParameters);
+            $optionParser->processSubmittedFields($idp, $inputs["POST"], $inputs["FILES"]);
+            $adminApi->returnSuccess([web\lib\admin\API::AUXATTRIB_CAT_INST_ID => $idp->identifier]);
+            break;
+        case web\lib\admin\API::ACTION_DELINST:
+            try {
+                $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
+            } catch (Exception $e) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                exit(1);
             }
-        }
-        if ($found) {
+            $idp->destroy();
             $adminApi->returnSuccess([]);
-        }
-        $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "The admin with ID $toBeDeleted is not associated to IdP " . $idp->identifier);
-        break;
-    case web\lib\admin\API::ACTION_STATISTICS_FED:
-        $adminApi->returnSuccess($fed->downloadStats("array"));
-        break;
-    case \web\lib\admin\API::ACTION_FEDERATION_LISTIDP:
-        $retArray = [];
-        $idpIdentifier = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID);
-        if ($idpIdentifier === FALSE) {
-            $allIdPs = $fed->listIdentityProviders(0);
-            foreach ($allIdPs as $instanceId => $oneIdP) {
-                $theIdP = $oneIdP["instance"];
-                $retArray[$instanceId] = $theIdP->getAttributes();
-            }
-        } else {
+            break;
+        case web\lib\admin\API::ACTION_ADMIN_LIST:
             try {
-                $thisIdP = $validator->existingIdP($idpIdentifier, NULL, $fed);
+                $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
             } catch (Exception $e) {
                 $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
                 exit(1);
             }
-            $retArray[$idpIdentifier] = $thisIdP->getAttributes();
-            foreach ($thisIdP->listProfiles() as $oneProfile) {
-                $retArray[$idpIdentifier]["PROFILES"][$oneProfile->identifier] = $oneProfile->getAttributes();
+            $adminApi->returnSuccess($idp->listOwners());
+            break;
+        case web\lib\admin\API::ACTION_ADMIN_ADD:
+            // IdP in question
+            try {
+                $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
+            } catch (Exception $e) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                exit(1);
             }
-        }
-        foreach ($retArray as $instNumber => $oneInstData) {
-            foreach ($oneInstData as $attribNumber => $oneAttrib) {
-                if ($oneAttrib['name'] == "general:logo_file") {
-                    // JSON doesn't cope well with raw binary data, so b64 it
-                    $retArray[$instNumber][$attribNumber]['value'] = base64_encode($oneAttrib['value']);
+            // here is the token
+            $mgmt = new core\UserManagement();
+            // we know we have an admin ID but scrutinizer wants this checked more explicitly
+            $admin = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_ADMINID);
+            if ($admin === FALSE) {
+                throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
+            }
+            $newtokens = $mgmt->createTokens(true, [$admin], $idp);
+            $URL = "https://" . $_SERVER['SERVER_NAME'] . dirname($_SERVER['SCRIPT_NAME']) . "/action_enrollment.php?token=" . array_keys($newtokens)[0];
+            $success = ["TOKEN URL" => $URL, "TOKEN" => array_keys($newtokens)[0]];
+            // done with the essentials - display in response. But if we also have an email address, send it there
+            $email = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_TARGETMAIL);
+            if ($email !== FALSE) {
+                $sent = \core\common\OutsideComm::adminInvitationMail($email, "EXISTING-FED", array_keys($newtokens)[0], $idp->name, $fed, $idp->type);
+                $success["EMAIL SENT"] = $sent["SENT"];
+                if ($sent["SENT"] === TRUE) {
+                    $success["EMAIL TRANSPORT SECURE"] = $sent["TRANSPORT"];
+                }
+            }
+            $adminApi->returnSuccess($success);
+            break;
+        case web\lib\admin\API::ACTION_ADMIN_DEL:
+            // IdP in question
+            try {
+                $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
+            } catch (Exception $e) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                exit(1);
+            }
+            $currentAdmins = $idp->listOwners();
+            $toBeDeleted = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_ADMINID);
+            if ($toBeDeleted === FALSE) {
+                throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
+            }
+            $found = FALSE;
+            foreach ($currentAdmins as $oneAdmin) {
+                if ($oneAdmin['MAIL'] == $toBeDeleted) {
+                    $found = TRUE;
+                    $mgmt = new core\UserManagement();
+                    $mgmt->removeAdminFromIdP($idp, $oneAdmin['ID']);
+                }
+            }
+            if ($found) {
+                $adminApi->returnSuccess([]);
+            }
+            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "The admin with ID $toBeDeleted is not associated to IdP " . $idp->identifier);
+            break;
+        case web\lib\admin\API::ACTION_STATISTICS_FED:
+            $adminApi->returnSuccess($fed->downloadStats("array"));
+            break;
+        case \web\lib\admin\API::ACTION_FEDERATION_LISTIDP:
+            $retArray = [];
+            $idpIdentifier = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID);
+            if ($idpIdentifier === FALSE) {
+                $allIdPs = $fed->listIdentityProviders(0);
+                foreach ($allIdPs as $instanceId => $oneIdP) {
+                    $theIdP = $oneIdP["instance"];
+                    $retArray[$instanceId] = $theIdP->getAttributes();
+                }
+            } else {
+                try {
+                    $thisIdP = $validator->existingIdP($idpIdentifier, NULL, $fed);
+                } catch (Exception $e) {
+                    $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                    exit(1);
                 }
-                if ($attribNumber == "PROFILES") {
-                    // scan for included fed:logo_file and b64 escape it, t2oo
-                    foreach ($oneAttrib as $profileNumber => $profileContent) {
-                            foreach ($profileContent as $oneProfileIterator => $oneProfileContent) {
-                                    if ($oneProfileContent['name'] == "fed:logo_file" || $oneProfileContent['name'] == "general:logo_file" || $oneProfileContent['name'] == "eap:ca_file") {
-                                            $retArray[$instNumber]["PROFILES"][$profileNumber][$oneProfileIterator]['value'] = base64_encode($oneProfileContent['value']);
-                                    }
-                            }
+                $retArray[$idpIdentifier] = $thisIdP->getAttributes();
+                foreach ($thisIdP->listProfiles() as $oneProfile) {
+                    $retArray[$idpIdentifier]["PROFILES"][$oneProfile->identifier] = $oneProfile->getAttributes();
+                }
+            }
+            foreach ($retArray as $instNumber => $oneInstData) {
+                foreach ($oneInstData as $attribNumber => $oneAttrib) {
+                    if ($oneAttrib['name'] == "general:logo_file") {
+                        // JSON doesn't cope well with raw binary data, so b64 it
+                        $retArray[$instNumber][$attribNumber]['value'] = base64_encode($oneAttrib['value']);
+                    }
+                    if ($attribNumber == "PROFILES") {
+                        // scan for included fed:logo_file and b64 escape it, t2oo
+                        foreach ($oneAttrib as $profileNumber => $profileContent) {
+                                foreach ($profileContent as $oneProfileIterator => $oneProfileContent) {
+                                        if ($oneProfileContent['name'] == "fed:logo_file" || $oneProfileContent['name'] == "general:logo_file" || $oneProfileContent['name'] == "eap:ca_file") {
+                                                $retArray[$instNumber]["PROFILES"][$profileNumber][$oneProfileIterator]['value'] = base64_encode($oneProfileContent['value']);
+                                        }
+                                }
+                        }
                     }
                 }
             }
-        }
-        $adminApi->returnSuccess($retArray);
-        break;
-    case \web\lib\admin\API::ACTION_NEWPROF_RADIUS:
-    // fall-through intended: both get mostly identical treatment
-    case web\lib\admin\API::ACTION_NEWPROF_SB:
-        try {
-            $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
-        } catch (Exception $e) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
-            exit(1);
-        }
-        if ($inputDecoded['ACTION'] == web\lib\admin\API::ACTION_NEWPROF_RADIUS) {
-            $type = "RADIUS";
-        } else {
-            $type = "SILVERBULLET";
-        }
-        $profile = $idp->newProfile($type);
-        if ($profile === NULL) {
-            $adminApi->returnError(\web\lib\admin\API::ERROR_INTERNAL_ERROR, "Unable to create a new Profile, for no apparent reason. Please contact support.");
-            exit(1);
-        }
-        $inputs = $adminApi->uglify($scrubbedParameters);
-        $optionParser->processSubmittedFields($profile, $inputs["POST"], $inputs["FILES"]);
-        if ($inputDecoded['ACTION'] == web\lib\admin\API::ACTION_NEWPROF_SB) {
-            // auto-accept ToU?
-            if ($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_TOU) !== FALSE) {
-                $profile->addAttribute("hiddenprofile:tou_accepted", NULL, 1);
-            }
-            // we're done at this point
-            $adminApi->returnSuccess([\web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID => $profile->identifier]);
+            $adminApi->returnSuccess($retArray);
             break;
-        }
-        if (!$profile instanceof core\ProfileRADIUS) {
-            throw new Exception("Can't be. This is only here to convince Scrutinizer that we're really talking RADIUS.");
-        }
-        /* const AUXATTRIB_PROFILE_REALM = 'ATTRIB-PROFILE-REALM';
-          const AUXATTRIB_PROFILE_OUTERVALUE = 'ATTRIB-PROFILE-OUTERVALUE'; */
-        $realm = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_REALM);
-        $outer = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_OUTERVALUE);
-        if ($realm !== FALSE) {
-            if ($outer === FALSE) {
-                $outer = "";
-                $profile->setAnonymousIDSupport(FALSE);
+        case \web\lib\admin\API::ACTION_NEWPROF_RADIUS:
+        // fall-through intended: both get mostly identical treatment
+        case web\lib\admin\API::ACTION_NEWPROF_SB:
+            try {
+                $idp = $validator->existingIdP($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID), NULL, $fed);
+            } catch (Exception $e) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                exit(1);
+            }
+            if ($inputDecoded['ACTION'] == web\lib\admin\API::ACTION_NEWPROF_RADIUS) {
+                $type = "RADIUS";
             } else {
-                $outer = $outer . "@";
-                $profile->setAnonymousIDSupport(TRUE);
+                $type = "SILVERBULLET";
             }
-            $profile->setRealm($outer . $realm);
-        }
-        /* const AUXATTRIB_PROFILE_TESTUSER = 'ATTRIB-PROFILE-TESTUSER'; */
-        $testuser = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_TESTUSER);
-        if ($testuser !== FALSE) {
-            $profile->setRealmCheckUser(TRUE, $testuser);
-        }
-        /* const AUXATTRIB_PROFILE_INPUT_HINT = 'ATTRIB-PROFILE-HINTREALM';
+            $profile = $idp->newProfile($type);
+            if ($profile === NULL) {
+                $adminApi->returnError(\web\lib\admin\API::ERROR_INTERNAL_ERROR, "Unable to create a new Profile, for no apparent reason. Please contact support.");
+                exit(1);
+            }
+            $inputs = $adminApi->uglify($scrubbedParameters);
+            $optionParser->processSubmittedFields($profile, $inputs["POST"], $inputs["FILES"]);
+            if ($inputDecoded['ACTION'] == web\lib\admin\API::ACTION_NEWPROF_SB) {
+                // auto-accept ToU?
+                if ($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_TOU) !== FALSE) {
+                    $profile->addAttribute("hiddenprofile:tou_accepted", NULL, 1);
+                }
+                // we're done at this point
+                $adminApi->returnSuccess([\web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID => $profile->identifier]);
+                break;
+            }
+            if (!$profile instanceof core\ProfileRADIUS) {
+                throw new Exception("Can't be. This is only here to convince Scrutinizer that we're really talking RADIUS.");
+            }
+            /* const AUXATTRIB_PROFILE_REALM = 'ATTRIB-PROFILE-REALM';
+          const AUXATTRIB_PROFILE_OUTERVALUE = 'ATTRIB-PROFILE-OUTERVALUE'; */
+            $realm = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_REALM);
+            $outer = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_OUTERVALUE);
+            if ($realm !== FALSE) {
+                if ($outer === FALSE) {
+                    $outer = "";
+                    $profile->setAnonymousIDSupport(FALSE);
+                } else {
+                    $outer = $outer . "@";
+                    $profile->setAnonymousIDSupport(TRUE);
+                }
+                $profile->setRealm($outer . $realm);
+            }
+            /* const AUXATTRIB_PROFILE_TESTUSER = 'ATTRIB-PROFILE-TESTUSER'; */
+            $testuser = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_TESTUSER);
+            if ($testuser !== FALSE) {
+                $profile->setRealmCheckUser(TRUE, $testuser);
+            }
+            /* const AUXATTRIB_PROFILE_INPUT_HINT = 'ATTRIB-PROFILE-HINTREALM';
           const AUXATTRIB_PROFILE_INPUT_VERIFY = 'ATTRIB-PROFILE-VERIFYREALM'; */
-        $hint = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_INPUT_HINT);
-        $enforce = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_INPUT_VERIFY);
-        if ($enforce !== FALSE) {
-            $profile->setInputVerificationPreference($enforce, $hint);
-        }
-        /* const AUXATTRIB_PROFILE_EAPTYPE */
-        $iterator = 1;
-        foreach ($scrubbedParameters as $oneParam) {
-            if ($oneParam['NAME'] == web\lib\admin\API::AUXATTRIB_PROFILE_EAPTYPE && is_int($oneParam["VALUE"])) {
-                $type = new \core\common\EAP($oneParam["VALUE"]);
-                $profile->addSupportedEapMethod($type, $iterator);
-                $iterator = $iterator + 1;
+            $hint = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_INPUT_HINT);
+            $enforce = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_PROFILE_INPUT_VERIFY);
+            if ($enforce !== FALSE) {
+                $profile->setInputVerificationPreference($enforce, $hint);
             }
-        }
-        // reinstantiate $profile freshly from DB - it was updated in the process
-        $profileFresh = new core\ProfileRADIUS($profile->identifier);
-        $profileFresh->prepShowtime();
-        $adminApi->returnSuccess([\web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID => $profileFresh->identifier]);
-        break;
-    case web\lib\admin\API::ACTION_ENDUSER_NEW:
-    // fall-through intentional, those two actions are doing nearly identical things
-    case web\lib\admin\API::ACTION_ENDUSER_CHANGEEXPIRY:
-        $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($prof_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        $user = $validator->string($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERNAME));
-        $expiryRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_EXPIRY);
-        if ($expiryRaw === FALSE) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "The expiry date wasn't found in the request.");
+            /* const AUXATTRIB_PROFILE_EAPTYPE */
+            $iterator = 1;
+            foreach ($scrubbedParameters as $oneParam) {
+                if ($oneParam['NAME'] == web\lib\admin\API::AUXATTRIB_PROFILE_EAPTYPE && is_int($oneParam["VALUE"])) {
+                    $type = new \core\common\EAP($oneParam["VALUE"]);
+                    $profile->addSupportedEapMethod($type, $iterator);
+                    $iterator = $iterator + 1;
+                }
+            }
+            // reinstantiate $profile freshly from DB - it was updated in the process
+            $profileFresh = new core\ProfileRADIUS($profile->identifier);
+            $profileFresh->prepShowtime();
+            $adminApi->returnSuccess([\web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID => $profileFresh->identifier]);
             break;
-        }
-        $expiry = new DateTime($expiryRaw);
-        try {
-            switch ($inputDecoded['ACTION']) {
+        case web\lib\admin\API::ACTION_ENDUSER_NEW:
+        // fall-through intentional, those two actions are doing nearly identical things
+        case web\lib\admin\API::ACTION_ENDUSER_CHANGEEXPIRY:
+            $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($prof_id === FALSE) {
+                exit(1);
+            }
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
+            if ($evaluation === FALSE) {
+                exit(1);
+            }
+            list($idp, $profile) = $evaluation;
+            $user = $validator->string($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERNAME));
+            $expiryRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_EXPIRY);
+            if ($expiryRaw === FALSE) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "The expiry date wasn't found in the request.");
+                break;
+            }
+            $expiry = new DateTime($expiryRaw);
+            try {
+                switch ($inputDecoded['ACTION']) {
                 case web\lib\admin\API::ACTION_ENDUSER_NEW:
                     $retval = $profile->addUser($user, $expiry);
                     break;
@@ -321,7 +321,7 @@ 
                         $retval = 1; // function doesn't have any failure vectors not raising an Exception and doesn't return a value
                     }
                     break;
-            }
+                }
         } catch (Exception $e) {
             $adminApi->returnError(web\lib\admin\API::ERROR_INTERNAL_ERROR, "The operation failed. Maybe a duplicate username, or malformed expiry date?");
             exit(1);
@@ -332,25 +332,25 @@ 
         }
         $adminApi->returnSuccess([web\lib\admin\API::AUXATTRIB_SB_USERNAME => $user, \web\lib\admin\API::AUXATTRIB_SB_USERID => $retval]);
         break;
-    case \web\lib\admin\API::ACTION_ENDUSER_DEACTIVATE:
-    // fall-through intended: both actions are very similar
-    case \web\lib\admin\API::ACTION_TOKEN_NEW:
-        $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($profile_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        $userId = $validator->integer($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID));
-        if ($userId === FALSE) {
-            $adminApi->returnError(\web\lib\admin\API::ERROR_INVALID_PARAMETER, "User ID is not an integer.");
-            exit(1);
-        }
-        $additionalInfo = [];
-        switch ($inputDecoded['ACTION']) { // this is where the two differ
+        case \web\lib\admin\API::ACTION_ENDUSER_DEACTIVATE:
+        // fall-through intended: both actions are very similar
+        case \web\lib\admin\API::ACTION_TOKEN_NEW:
+            $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($profile_id === FALSE) {
+                exit(1);
+            }
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
+            if ($evaluation === FALSE) {
+                exit(1);
+            }
+            list($idp, $profile) = $evaluation;
+            $userId = $validator->integer($adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID));
+            if ($userId === FALSE) {
+                $adminApi->returnError(\web\lib\admin\API::ERROR_INVALID_PARAMETER, "User ID is not an integer.");
+                exit(1);
+            }
+            $additionalInfo = [];
+            switch ($inputDecoded['ACTION']) { // this is where the two differ
             case \web\lib\admin\API::ACTION_ENDUSER_DEACTIVATE:
                 $result = $profile->deactivateUser($userId);
                 break;
@@ -383,7 +383,7 @@ 
                     }
                 }
                 break;
-        }
+            }
 
         if ($result !== TRUE) {
             $adminApi->returnError(\web\lib\admin\API::ERROR_INVALID_PARAMETER, "These parameters did not lead to an existing, active user.");
@@ -391,69 +391,69 @@ 
         }
         $adminApi->returnSuccess($additionalInfo);
         break;
-    case \web\lib\admin\API::ACTION_ENDUSER_IDENTIFY:
-        $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($profile_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        $userId = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID);
-        $userName = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERNAME);
-        $certSerial = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
-		$certCN = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTCN);
-        if ($userId === FALSE && $userName === FALSE && $certSerial === FALSE && $certCN === FALSE) {
-            // we need at least one of those
-            $adminApi->returnError(\web\lib\admin\API::ERROR_MISSING_PARAMETER, "At least one of User ID, Username, certificate serial, or certificate CN is required.");
-            break;
-        }
-        if ($certSerial !== FALSE) { // we got a cert serial
-            $serial = explode(":", $certSerial);
-            $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
+        case \web\lib\admin\API::ACTION_ENDUSER_IDENTIFY:
+            $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($profile_id === FALSE) {
+                exit(1);
             }
-        if ($certCN !== FALSE) { // we got a cert CN
-            $cert = new \core\SilverbulletCertificate($certCN);
-        }
-        if ($cert !== NULL) { // we found a cert; verify it and extract userId
-            if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
-                return $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Certificate not found.");
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
+            if ($evaluation === FALSE) {
+                exit(1);
             }
-            if ($cert->profileId != $profile->identifier) {
-                return $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Certificate does not belong to this profile.");
+            list($idp, $profile) = $evaluation;
+            $userId = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID);
+            $userName = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERNAME);
+            $certSerial = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
+		    $certCN = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTCN);
+            if ($userId === FALSE && $userName === FALSE && $certSerial === FALSE && $certCN === FALSE) {
+                // we need at least one of those
+                $adminApi->returnError(\web\lib\admin\API::ERROR_MISSING_PARAMETER, "At least one of User ID, Username, certificate serial, or certificate CN is required.");
+                break;
             }
-            $userId = $cert->userId;
-        }
-        if ($userId !== FALSE) {
-            $userList = $profile->getUserById($userId);
-        }
-        if ($userName !== FALSE) {
-            $userList = $profile->getUserByName($userName);
-        }
-        if (count($userList) === 1) {
-            foreach ($userList as $oneUserId => $oneUserName) {
-                return $adminApi->returnSuccess([web\lib\admin\API::AUXATTRIB_SB_USERNAME => $oneUserName, \web\lib\admin\API::AUXATTRIB_SB_USERID => $oneUserId]);
+            if ($certSerial !== FALSE) { // we got a cert serial
+                $serial = explode(":", $certSerial);
+                $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
+                }
+            if ($certCN !== FALSE) { // we got a cert CN
+                $cert = new \core\SilverbulletCertificate($certCN);
             }
-        }
-        $adminApi->returnError(\web\lib\admin\API::ERROR_INVALID_PARAMETER, "No matching user found in this profile.");
-        break;
-    case \web\lib\admin\API::ACTION_ENDUSER_LIST:
-    // fall-through: those two are similar
-    case \web\lib\admin\API::ACTION_TOKEN_LIST:
-        $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($profile_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        $allUsers = $profile->listAllUsers();
-        // this is where they differ
-        switch ($inputDecoded['ACTION']) {
+            if ($cert !== NULL) { // we found a cert; verify it and extract userId
+                if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
+                    return $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Certificate not found.");
+                }
+                if ($cert->profileId != $profile->identifier) {
+                    return $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Certificate does not belong to this profile.");
+                }
+                $userId = $cert->userId;
+            }
+            if ($userId !== FALSE) {
+                $userList = $profile->getUserById($userId);
+            }
+            if ($userName !== FALSE) {
+                $userList = $profile->getUserByName($userName);
+            }
+            if (count($userList) === 1) {
+                foreach ($userList as $oneUserId => $oneUserName) {
+                    return $adminApi->returnSuccess([web\lib\admin\API::AUXATTRIB_SB_USERNAME => $oneUserName, \web\lib\admin\API::AUXATTRIB_SB_USERID => $oneUserId]);
+                }
+            }
+            $adminApi->returnError(\web\lib\admin\API::ERROR_INVALID_PARAMETER, "No matching user found in this profile.");
+            break;
+        case \web\lib\admin\API::ACTION_ENDUSER_LIST:
+        // fall-through: those two are similar
+        case \web\lib\admin\API::ACTION_TOKEN_LIST:
+            $profile_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($profile_id === FALSE) {
+                exit(1);
+            }
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $profile_id);
+            if ($evaluation === FALSE) {
+                exit(1);
+            }
+            list($idp, $profile) = $evaluation;
+            $allUsers = $profile->listAllUsers();
+            // this is where they differ
+            switch ($inputDecoded['ACTION']) {
             case \web\lib\admin\API::ACTION_ENDUSER_LIST:
                 $adminApi->returnSuccess($allUsers);
                 break;
@@ -472,123 +472,123 @@ 
                     $infoSet[$oneTokenObject->userId] = [\web\lib\admin\API::AUXATTRIB_TOKEN => $oneTokenObject->invitationTokenString, "STATUS" => $oneTokenObject->invitationTokenStatus];
                 }
                 $adminApi->returnSuccess($infoSet);
-        }
-        break;
-    case \web\lib\admin\API::ACTION_TOKEN_REVOKE:
-        $tokenRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_TOKEN);
-        if ($tokenRaw === FALSE) {
-            exit(1);
-        }
-        $token = new core\SilverbulletInvitation($tokenRaw);
-        if ($token->invitationTokenStatus !== core\SilverbulletInvitation::SB_TOKENSTATUS_VALID && $token->invitationTokenStatus !== core\SilverbulletInvitation::SB_TOKENSTATUS_PARTIALLY_REDEEMED) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "This is not a currently valid token.");
-            exit(1);
-        }
-        $token->revokeInvitation();
-        $adminApi->returnSuccess([]);
-        break;
-    case \web\lib\admin\API::ACTION_CERT_LIST:
-        $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        $user_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID);
-        if ($prof_id === FALSE || !is_int($user_id)) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        $invitations = $profile->userStatus($user_id);
-        // now pull out cert information from the object
-        $certs = [];
-        foreach ($invitations as $oneInvitation) {
-            $certs = array_merge($certs, $oneInvitation->associatedCertificates);
-        }
-        // extract relevant subset of information from cert objects
-        $certDetails = [];
-        foreach ($certs as $cert) {
-            $certDetails[$cert->ca_type . ":" . $cert->serial] = ["ISSUED" => $cert->issued, "EXPIRY" => $cert->expiry, "STATUS" => $cert->status, "DEVICE" => $cert->device, "CN" => $cert->username, "ANNOTATION" => $cert->annotation];
-        }
-        $adminApi->returnSuccess($certDetails);
-        break;
-    case \web\lib\admin\API::ACTION_CERT_REVOKE:
-        $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($prof_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        // tear apart the serial
-        $serialRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
-        if ($serialRaw === FALSE) {
-            exit(1);
-        }
-        $serial = explode(":", $serialRaw);
-        $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
-        if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial not found.");
-        }
-        if ($cert->profileId != $profile->identifier) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial does not belong to this profile.");
-        }
-        $cert->revokeCertificate();
-        $adminApi->returnSuccess([]);
+            }
         break;
-    case \web\lib\admin\API::ACTION_CERT_ANNOTATE:
-        $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
-        if ($prof_id === FALSE) {
-            exit(1);
-        }
-        $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
-        if ($evaluation === FALSE) {
-            exit(1);
-        }
-        list($idp, $profile) = $evaluation;
-        // tear apart the serial
-        $serialRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
-        if ($serialRaw === FALSE) {
-            exit(1);
-        }
-        $serial = explode(":", $serialRaw);
-        $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
-        if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial not found.");
-        }
-        if ($cert->profileId != $profile->identifier) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial does not belong to this profile.");
-        }
-        $annotationRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTANNOTATION);
-        if ($annotationRaw === FALSE) {
-            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Unable to extract annotation.");
+        case \web\lib\admin\API::ACTION_TOKEN_REVOKE:
+            $tokenRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_TOKEN);
+            if ($tokenRaw === FALSE) {
+                exit(1);
+            }
+            $token = new core\SilverbulletInvitation($tokenRaw);
+            if ($token->invitationTokenStatus !== core\SilverbulletInvitation::SB_TOKENSTATUS_VALID && $token->invitationTokenStatus !== core\SilverbulletInvitation::SB_TOKENSTATUS_PARTIALLY_REDEEMED) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "This is not a currently valid token.");
+                exit(1);
+            }
+            $token->revokeInvitation();
+            $adminApi->returnSuccess([]);
             break;
-        }
-        $annotation = json_decode($annotationRaw, TRUE);
-        $cert->annotate($annotation);
-        $adminApi->returnSuccess([]);
-
-        break;
-    case web\lib\admin\API::ACTION_STATISTICS_INST:
-        $retArray = [];
-        $idpIdentifier = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID);
-        if ($idpIdentifier === FALSE) {
-            throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
-        } else {
-            try {
-                $thisIdP = $validator->existingIdP($idpIdentifier, NULL, $fed);
-            } catch (Exception $e) {
-                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+        case \web\lib\admin\API::ACTION_CERT_LIST:
+            $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            $user_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_USERID);
+            if ($prof_id === FALSE || !is_int($user_id)) {
                 exit(1);
             }
-            $retArray[$idpIdentifier] = [];
-            foreach ($thisIdP->listProfiles() as $oneProfile) {
-                $retArray[$idpIdentifier][$oneProfile->identifier] = $oneProfile->getUserDownloadStats();
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
+            if ($evaluation === FALSE) {
+                exit(1);
             }
-        }
-        $adminApi->returnSuccess($retArray);
-        break;
-    default:
-        $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_ACTION, "Not implemented yet.");
+            list($idp, $profile) = $evaluation;
+            $invitations = $profile->userStatus($user_id);
+            // now pull out cert information from the object
+            $certs = [];
+            foreach ($invitations as $oneInvitation) {
+                $certs = array_merge($certs, $oneInvitation->associatedCertificates);
+            }
+            // extract relevant subset of information from cert objects
+            $certDetails = [];
+            foreach ($certs as $cert) {
+                $certDetails[$cert->ca_type . ":" . $cert->serial] = ["ISSUED" => $cert->issued, "EXPIRY" => $cert->expiry, "STATUS" => $cert->status, "DEVICE" => $cert->device, "CN" => $cert->username, "ANNOTATION" => $cert->annotation];
+            }
+            $adminApi->returnSuccess($certDetails);
+            break;
+        case \web\lib\admin\API::ACTION_CERT_REVOKE:
+            $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($prof_id === FALSE) {
+                exit(1);
+            }
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
+            if ($evaluation === FALSE) {
+                exit(1);
+            }
+            list($idp, $profile) = $evaluation;
+            // tear apart the serial
+            $serialRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
+            if ($serialRaw === FALSE) {
+                exit(1);
+            }
+            $serial = explode(":", $serialRaw);
+            $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
+            if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial not found.");
+            }
+            if ($cert->profileId != $profile->identifier) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial does not belong to this profile.");
+            }
+            $cert->revokeCertificate();
+            $adminApi->returnSuccess([]);
+            break;
+        case \web\lib\admin\API::ACTION_CERT_ANNOTATE:
+            $prof_id = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_PROFILE_ID);
+            if ($prof_id === FALSE) {
+                exit(1);
+            }
+            $evaluation = $adminApi->commonSbProfileChecks($fed, $prof_id);
+            if ($evaluation === FALSE) {
+                exit(1);
+            }
+            list($idp, $profile) = $evaluation;
+            // tear apart the serial
+            $serialRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTSERIAL);
+            if ($serialRaw === FALSE) {
+                exit(1);
+            }
+            $serial = explode(":", $serialRaw);
+            $cert = new \core\SilverbulletCertificate($serial[1], $serial[0]);
+            if ($cert->status == \core\SilverbulletCertificate::CERTSTATUS_INVALID) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial not found.");
+            }
+            if ($cert->profileId != $profile->identifier) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Serial does not belong to this profile.");
+            }
+            $annotationRaw = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_SB_CERTANNOTATION);
+            if ($annotationRaw === FALSE) {
+                $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "Unable to extract annotation.");
+                break;
+            }
+            $annotation = json_decode($annotationRaw, TRUE);
+            $cert->annotate($annotation);
+            $adminApi->returnSuccess([]);
+
+            break;
+        case web\lib\admin\API::ACTION_STATISTICS_INST:
+            $retArray = [];
+            $idpIdentifier = $adminApi->firstParameterInstance($scrubbedParameters, web\lib\admin\API::AUXATTRIB_CAT_INST_ID);
+            if ($idpIdentifier === FALSE) {
+                throw new Exception("A required parameter is missing, and this wasn't caught earlier?!");
+            } else {
+                try {
+                    $thisIdP = $validator->existingIdP($idpIdentifier, NULL, $fed);
+                } catch (Exception $e) {
+                    $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_PARAMETER, "IdP identifier does not exist!");
+                    exit(1);
+                }
+                $retArray[$idpIdentifier] = [];
+                foreach ($thisIdP->listProfiles() as $oneProfile) {
+                    $retArray[$idpIdentifier][$oneProfile->identifier] = $oneProfile->getUserDownloadStats();
+                }
+            }
+            $adminApi->returnSuccess($retArray);
+            break;
+        default:
+            $adminApi->returnError(web\lib\admin\API::ERROR_INVALID_ACTION, "Not implemented yet.");
 }
\ No newline at end of file

web/admin/edit_profile_result.php

Switch Indentation +268 added lines, -268 removed lines

@@ -40,80 +40,80 @@ 
 }
 
 switch ($_POST['submitbutton']) {
-    case web\lib\common\FormElements::BUTTON_DELETE:
-        if (!isset($_GET['profile_id'])) {
-            throw new Exception("Can only delete a profile that exists and is named!");
-        }
-        $profileToBeDel = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
-        $profileToBeDel->destroy();
-        $loggerInstance->writeAudit($_SESSION['user'], "DEL", "Profile " . $profileToBeDel->identifier);
-        header("Location: overview_org.php?inst_id=$my_inst->identifier");
-        exit;
-    case web\lib\common\FormElements::BUTTON_SAVE:
-        if (isset($_GET['profile_id'])) {
-            $profile = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
-            echo $deco->pageheader(sprintf(_("%s: Edit Profile - Result"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
-        } else {
-            $profile = $my_inst->newProfile(core\AbstractProfile::PROFILETYPE_RADIUS);
-            $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $my_inst->identifier . " - Profile created");
-            echo $deco->pageheader(sprintf(_("%s: Profile wizard (step 3 completed)"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
-        }
-        if (!$profile instanceof \core\ProfileRADIUS) {
-            throw new Exception("This page should only be called to submit RADIUS Profile information!");
-        }
-// extended input checks
-        $realm = FALSE;
-        if (isset($_POST['realm']) && $_POST['realm'] != "") {
-            $realm = $validator->realm(filter_input(INPUT_POST, 'realm', FILTER_SANITIZE_STRING));
-        }
+        case web\lib\common\FormElements::BUTTON_DELETE:
+            if (!isset($_GET['profile_id'])) {
+                throw new Exception("Can only delete a profile that exists and is named!");
+            }
+            $profileToBeDel = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
+            $profileToBeDel->destroy();
+            $loggerInstance->writeAudit($_SESSION['user'], "DEL", "Profile " . $profileToBeDel->identifier);
+            header("Location: overview_org.php?inst_id=$my_inst->identifier");
+            exit;
+        case web\lib\common\FormElements::BUTTON_SAVE:
+            if (isset($_GET['profile_id'])) {
+                $profile = $validator->existingProfile($_GET['profile_id'], $my_inst->identifier);
+                echo $deco->pageheader(sprintf(_("%s: Edit Profile - Result"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
+            } else {
+                $profile = $my_inst->newProfile(core\AbstractProfile::PROFILETYPE_RADIUS);
+                $loggerInstance->writeAudit($_SESSION['user'], "NEW", "IdP " . $my_inst->identifier . " - Profile created");
+                echo $deco->pageheader(sprintf(_("%s: Profile wizard (step 3 completed)"), \config\Master::APPEARANCE['productname']), "ADMIN-IDP");
+            }
+            if (!$profile instanceof \core\ProfileRADIUS) {
+                throw new Exception("This page should only be called to submit RADIUS Profile information!");
+            }
+    // extended input checks
+            $realm = FALSE;
+            if (isset($_POST['realm']) && $_POST['realm'] != "") {
+                $realm = $validator->realm(filter_input(INPUT_POST, 'realm', FILTER_SANITIZE_STRING));
+            }
 
-        $anon = FALSE;
-        if (isset($_POST['anon_support'])) {
-            $anon = $validator->boolean($_POST['anon_support']);
-        }
+            $anon = FALSE;
+            if (isset($_POST['anon_support'])) {
+                $anon = $validator->boolean($_POST['anon_support']);
+            }
 
-        $anonLocal = "anonymous";
-        if (isset($_POST['anon_local'])) {
-            $anonLocal = $validator->string(filter_input(INPUT_POST, 'anon_local', FILTER_SANITIZE_STRING));
-        } else { // get the old anon outer id from DB. People don't appreciate "forgetting" it when unchecking anon id
-            $local = $profile->getAttributes("internal:anon_local_value");
-            if (isset($local[0])) {
-                $anonLocal = $local[0]['value'];
+            $anonLocal = "anonymous";
+            if (isset($_POST['anon_local'])) {
+                $anonLocal = $validator->string(filter_input(INPUT_POST, 'anon_local', FILTER_SANITIZE_STRING));
+            } else { // get the old anon outer id from DB. People don't appreciate "forgetting" it when unchecking anon id
+                $local = $profile->getAttributes("internal:anon_local_value");
+                if (isset($local[0])) {
+                    $anonLocal = $local[0]['value'];
+                }
             }
-        }
 
-        $checkuser = FALSE;
-        if (isset($_POST['checkuser_support'])) {
-            $checkuser = $validator->boolean($_POST['checkuser_support']);
-        }
+            $checkuser = FALSE;
+            if (isset($_POST['checkuser_support'])) {
+                $checkuser = $validator->boolean($_POST['checkuser_support']);
+            }
 
-        $checkuser_name1 = "anonymous";
-        if (isset($_POST['checkuser_local'])) {
-            $checkuser_name1 = $validator->string($_POST['checkuser_local']);
-        } else { // get the old value from profile settings. People don't appreciate "forgetting" it when unchecking
-            $checkuser_name1 = $profile->getAttributes("internal:checkuser_value")[0]['value'];
-        }
-// it's a RADIUS username; and it's displayed later on. Be sure it contains no
-// "interesting" HTML characters before further processing
-        $checkuser_name = htmlentities($checkuser_name1);
+            $checkuser_name1 = "anonymous";
+            if (isset($_POST['checkuser_local'])) {
+                $checkuser_name1 = $validator->string($_POST['checkuser_local']);
+            } else { // get the old value from profile settings. People don't appreciate "forgetting" it when unchecking
+                $checkuser_name1 = $profile->getAttributes("internal:checkuser_value")[0]['value'];
+            }
+    // it's a RADIUS username; and it's displayed later on. Be sure it contains no
+    // "interesting" HTML characters before further processing
+            $checkuser_name = htmlentities($checkuser_name1);
 
-        $verify = FALSE;
-        $hint = FALSE;
-        $redirect = FALSE;
-        if (isset($_POST['verify_support'])) {
-            $verify = $validator->boolean($_POST['verify_support']);
-        }
-        if (isset($_POST['hint_support'])) {
-            $hint = $validator->boolean($_POST['hint_support']);
-        }
-        if (isset($_POST['redirect'])) {
-            $redirect = $validator->boolean($_POST['redirect']);
-        }
-        ?>
-        <h1><?php
-            $tablecaption = _("Submitted attributes for this profile");
-            echo $tablecaption;
-            ?></h1>
+            $verify = FALSE;
+            $hint = FALSE;
+            $redirect = FALSE;
+            if (isset($_POST['verify_support'])) {
+                $verify = $validator->boolean($_POST['verify_support']);
+            }
+            if (isset($_POST['hint_support'])) {
+                $hint = $validator->boolean($_POST['hint_support']);
+            }
+            if (isset($_POST['redirect'])) {
+                $redirect = $validator->boolean($_POST['redirect']);
+            }
+            ?>
+            <h1><?php
+                $tablecaption = _("Submitted attributes for this profile");
+                echo $tablecaption;
+                ?></h1>
         <table>
             <caption><?php echo $tablecaption; ?></caption>
             <tr>
@@ -121,245 +121,245 @@ 
                 <th class="wai-invisible" scope="col"><?php echo _("Details"); ?></th>
             </tr>
             <?php
-            $uiElements = new web\lib\admin\UIElements();
-            // set realm info, if submitted
-            if ($realm !== FALSE) {
-                $profile->setRealm($anonLocal . "@" . $realm);
-                echo $uiElements->boxOkay(sprintf(_("Realm: <strong>%s</strong>"), $realm));
-            } else {
-                $profile->setRealm("");
-            }
-            // set anon ID, if submitted
-            if ($anon !== FALSE) {
-                if ($realm === FALSE) {
-                    echo $uiElements->boxError(_("Anonymous Outer Identities cannot be turned on: realm is missing!"));
+                $uiElements = new web\lib\admin\UIElements();
+                // set realm info, if submitted
+                if ($realm !== FALSE) {
+                    $profile->setRealm($anonLocal . "@" . $realm);
+                    echo $uiElements->boxOkay(sprintf(_("Realm: <strong>%s</strong>"), $realm));
                 } else {
-                    $profile->setAnonymousIDSupport(true);
-                    echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>, the anonymous outer identity is <strong>%s</strong>"), _("ON"), $profile->realm));
+                    $profile->setRealm("");
                 }
-            } else {
-                $profile->setAnonymousIDSupport(false);
-                echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>"), _("OFF")));
-                if ($verify === FALSE) { // no anon outer ID, and no realm suffix verification? Bad idea!
-                    echo $uiElements->boxWarning(_("Without Anonymous Identity, the actual username will be used as outer identity and be the basis for request routing. For that to work, the username must have a correct realm suffix. Yet, realm suffix verification has been turned OFF. Supplicants will not verify that usernames contain a realm, and errors such as username 'johndoe' which will not work in roaming scenarios will not be prohibited. Consider checking the box 'Enforce realm suffix in username'!"));
-                }
-            }
-
-            if ($checkuser !== FALSE) {
-                if ($realm === FALSE) {
-                    echo $uiElements->boxError(_("Realm check username cannot be configured: realm is missing!"));
+                // set anon ID, if submitted
+                if ($anon !== FALSE) {
+                    if ($realm === FALSE) {
+                        echo $uiElements->boxError(_("Anonymous Outer Identities cannot be turned on: realm is missing!"));
+                    } else {
+                        $profile->setAnonymousIDSupport(true);
+                        echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>, the anonymous outer identity is <strong>%s</strong>"), _("ON"), $profile->realm));
+                    }
                 } else {
-                    $profile->setRealmcheckUser(true, $checkuser_name);
-                    echo $uiElements->boxOkay(sprintf(_("Special username for realm check is <strong>%s</strong>, the value is <strong>%s</strong>"), _("ON"), $checkuser_name . "@" . $realm));
+                    $profile->setAnonymousIDSupport(false);
+                    echo $uiElements->boxOkay(sprintf(_("Anonymous Identity support is <strong>%s</strong>"), _("OFF")));
+                    if ($verify === FALSE) { // no anon outer ID, and no realm suffix verification? Bad idea!
+                        echo $uiElements->boxWarning(_("Without Anonymous Identity, the actual username will be used as outer identity and be the basis for request routing. For that to work, the username must have a correct realm suffix. Yet, realm suffix verification has been turned OFF. Supplicants will not verify that usernames contain a realm, and errors such as username 'johndoe' which will not work in roaming scenarios will not be prohibited. Consider checking the box 'Enforce realm suffix in username'!"));
+                    }
                 }
-            } else {
-                $profile->setRealmCheckUser(false);
-                echo $uiElements->boxOkay(_("No special username for realm checks is configured."));
-            }
 
-            if ($verify !== FALSE) {
-                $profile->setInputVerificationPreference($verify, $hint);
-                $extratext = "";
-                if (!empty($realm)) {
-                    if ($hint !== FALSE) {
-                        $extratext = " " . sprintf(_("The realm portion MUST be exactly '...@%s'."), $realm);
+                if ($checkuser !== FALSE) {
+                    if ($realm === FALSE) {
+                        echo $uiElements->boxError(_("Realm check username cannot be configured: realm is missing!"));
                     } else {
-                        $extratext = " " . sprintf(_("The realm portion MUST end with '%s' but sub-realms of it are allowed (i.e. 'user@%s' and 'user@<...>.%s' are both acceptable)."), $realm, $realm, $realm);
+                        $profile->setRealmcheckUser(true, $checkuser_name);
+                        echo $uiElements->boxOkay(sprintf(_("Special username for realm check is <strong>%s</strong>, the value is <strong>%s</strong>"), _("ON"), $checkuser_name . "@" . $realm));
                     }
+                } else {
+                    $profile->setRealmCheckUser(false);
+                    echo $uiElements->boxOkay(_("No special username for realm checks is configured."));
                 }
-                echo $uiElements->boxOkay(_("Where possible, supplicants will verify that username inputs contain a syntactically correct realm.") . $extratext);
-            } else {
-                $profile->setInputVerificationPreference(false, false);
-            }
-
-            echo $optionParser->processSubmittedFields($profile, $_POST, $_FILES);
 
-            if ($redirect !== FALSE) {
-                if (!isset($_POST['redirect_target']) || $_POST['redirect_target'] == "") {
-                    echo $uiElements->boxError(_("Redirection can't be activated - you did not specify a target location!"));
-                } elseif (!preg_match("/^(http|https):\/\//", $_POST['redirect_target'])) {
-                    echo $uiElements->boxError(_("Redirection can't be activated - the target needs to be a complete URL starting with http:// or https:// !"));
-                } else {
-                    $profile->addAttribute("device-specific:redirect", 'C', $_POST['redirect_target']);
-                    // check if there is a device-level redirect which effectively disables profile-level redirect, and warn if so
-                    $redirects = $profile->getAttributes("device-specific:redirect");
-                    $deviceSpecificFound = FALSE;
-                    foreach ($redirects as $oneRedirect) {
-                        if ($oneRedirect["level"] == \core\Options::LEVEL_METHOD) {
-                            $deviceSpecificFound = TRUE;
+                if ($verify !== FALSE) {
+                    $profile->setInputVerificationPreference($verify, $hint);
+                    $extratext = "";
+                    if (!empty($realm)) {
+                        if ($hint !== FALSE) {
+                            $extratext = " " . sprintf(_("The realm portion MUST be exactly '...@%s'."), $realm);
+                        } else {
+                            $extratext = " " . sprintf(_("The realm portion MUST end with '%s' but sub-realms of it are allowed (i.e. 'user@%s' and 'user@<...>.%s' are both acceptable)."), $realm, $realm, $realm);
                         }
                     }
-                    if ($deviceSpecificFound) {
-                        echo $uiElements->boxWarning(sprintf(_("Redirection set to <strong>%s</strong>, but will be ignored due to existing device-level redirect."), htmlspecialchars($_POST['redirect_target'])));
-                    } else {
-                        echo $uiElements->boxOkay(sprintf(_("Redirection set to <strong>%s</strong>"), htmlspecialchars($_POST['redirect_target'])));
-                    }
+                    echo $uiElements->boxOkay(_("Where possible, supplicants will verify that username inputs contain a syntactically correct realm.") . $extratext);
+                } else {
+                    $profile->setInputVerificationPreference(false, false);
                 }
-            } else {
-                echo $uiElements->boxOkay(_("Redirection is <strong>OFF</strong>"));
-            }
 
-            $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $profile->identifier . " - attributes changed");
-            // reload the profile to ingest new CA and server names if any; before checking EAP completeness
-            $reloadedProfileNr1 = \core\ProfileFactory::instantiate($profile->identifier);
-            foreach (\core\common\EAP::listKnownEAPTypes() as $a) {
-                if ($a->getIntegerRep() == \core\common\EAP::INTEGER_SILVERBULLET) { // do not allow adding silverbullet via the backdoor
-                    continue;
-                }
-                if (isset($_POST[$a->getPrintableRep()]) && isset($_POST[$a->getPrintableRep() . "-priority"]) && is_numeric($_POST[$a->getPrintableRep() . "-priority"])) {
-                    $priority = (int) $_POST[$a->getPrintableRep() . "-priority"];
-                    // add EAP type to profile as requested, but ...
-                    $reloadedProfileNr1->addSupportedEapMethod($a, $priority);
-                    $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $reloadedProfileNr1->identifier . " - supported EAP types changed");
-                    // see if we can enable the EAP type, or if info is missing
-                    $eapcompleteness = $reloadedProfileNr1->isEapTypeDefinitionComplete($a);
-                    if ($eapcompleteness === true) {
-                        echo $uiElements->boxOkay(_("Supported EAP Type: ") . "<strong>" . $a->getPrintableRep() . "</strong>");
+                echo $optionParser->processSubmittedFields($profile, $_POST, $_FILES);
+
+                if ($redirect !== FALSE) {
+                    if (!isset($_POST['redirect_target']) || $_POST['redirect_target'] == "") {
+                        echo $uiElements->boxError(_("Redirection can't be activated - you did not specify a target location!"));
+                    } elseif (!preg_match("/^(http|https):\/\//", $_POST['redirect_target'])) {
+                        echo $uiElements->boxError(_("Redirection can't be activated - the target needs to be a complete URL starting with http:// or https:// !"));
                     } else {
-                        $warntext = "";
-                        if (is_array($eapcompleteness)) {
-                            foreach ($eapcompleteness as $item) {
-                                $warntext .= "<strong>" . $uiElements->displayName($item) . "</strong> ";
+                        $profile->addAttribute("device-specific:redirect", 'C', $_POST['redirect_target']);
+                        // check if there is a device-level redirect which effectively disables profile-level redirect, and warn if so
+                        $redirects = $profile->getAttributes("device-specific:redirect");
+                        $deviceSpecificFound = FALSE;
+                        foreach ($redirects as $oneRedirect) {
+                            if ($oneRedirect["level"] == \core\Options::LEVEL_METHOD) {
+                                $deviceSpecificFound = TRUE;
                             }
                         }
-                        echo $uiElements->boxWarning(sprintf(_("Supported EAP Type: <strong>%s</strong> is missing required information %s !"), $a->getPrintableRep(), $warntext) . "<br/>" . _("The EAP type was added to the profile, but you need to complete the missing information before we can produce installers for you."));
+                        if ($deviceSpecificFound) {
+                            echo $uiElements->boxWarning(sprintf(_("Redirection set to <strong>%s</strong>, but will be ignored due to existing device-level redirect."), htmlspecialchars($_POST['redirect_target'])));
+                        } else {
+                            echo $uiElements->boxOkay(sprintf(_("Redirection set to <strong>%s</strong>"), htmlspecialchars($_POST['redirect_target'])));
+                        }
                     }
+                } else {
+                    echo $uiElements->boxOkay(_("Redirection is <strong>OFF</strong>"));
                 }
-            }
-            // re-instantiate $profile again, we need to do final checks on the
-            // full set of new information
-            $reloadedProfileNr2 = \core\ProfileFactory::instantiate($profile->identifier);
-            $significantChanges = \core\AbstractProfile::significantChanges($profile, $reloadedProfileNr2);
-            if (count($significantChanges) > 0) {
-                $myInstOriginal = new \core\IdP($profile->institution);
-                // send a notification/alert mail to someone we know is in charge
-                $text = _("To whom it may concern,") . "\n\n";
-                /// were made to the *Identity Provider* *LU* / integer number of IdP / (previously known as) Name
-                $text .= sprintf(_("significant changes were made to a RADIUS deployment profile of the %s %s / %s / '%s'."), $ui->nomenclatureIdP, strtoupper($myInstOriginal->federation), $myInstOriginal->identifier, $myInstOriginal->name) . "\n\n";
-                if (isset($significantChanges[\core\AbstractProfile::CA_CLASH_ADDED])) {
-                    $text .= _("WARNING! A new trusted root CA was added, and it has the exact same name as a previously existing root CA. This may (but does not necessarily) mean that this is an attempt to insert an unauthorised trust root by disguising as the genuine one. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::CA_CLASH_ADDED] . "\n\n";
-                }
-                if (isset($significantChanges[\core\AbstractProfile::CA_ADDED])) {
-                    $text .= _("A new trusted root CA was added. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::CA_ADDED] . "\n\n";
-                }
-                if (isset($significantChanges[\core\AbstractProfile::SERVERNAME_ADDED])) {
-                    $text .= _("A new acceptable server name for the authentication server was added. The details are below:") . "\n\n";
-                    $text .= $significantChanges[\core\AbstractProfile::SERVERNAME_ADDED] . "\n\n";
+
+                $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $profile->identifier . " - attributes changed");
+                // reload the profile to ingest new CA and server names if any; before checking EAP completeness
+                $reloadedProfileNr1 = \core\ProfileFactory::instantiate($profile->identifier);
+                foreach (\core\common\EAP::listKnownEAPTypes() as $a) {
+                    if ($a->getIntegerRep() == \core\common\EAP::INTEGER_SILVERBULLET) { // do not allow adding silverbullet via the backdoor
+                        continue;
+                    }
+                    if (isset($_POST[$a->getPrintableRep()]) && isset($_POST[$a->getPrintableRep() . "-priority"]) && is_numeric($_POST[$a->getPrintableRep() . "-priority"])) {
+                        $priority = (int) $_POST[$a->getPrintableRep() . "-priority"];
+                        // add EAP type to profile as requested, but ...
+                        $reloadedProfileNr1->addSupportedEapMethod($a, $priority);
+                        $loggerInstance->writeAudit($_SESSION['user'], "MOD", "Profile " . $reloadedProfileNr1->identifier . " - supported EAP types changed");
+                        // see if we can enable the EAP type, or if info is missing
+                        $eapcompleteness = $reloadedProfileNr1->isEapTypeDefinitionComplete($a);
+                        if ($eapcompleteness === true) {
+                            echo $uiElements->boxOkay(_("Supported EAP Type: ") . "<strong>" . $a->getPrintableRep() . "</strong>");
+                        } else {
+                            $warntext = "";
+                            if (is_array($eapcompleteness)) {
+                                foreach ($eapcompleteness as $item) {
+                                    $warntext .= "<strong>" . $uiElements->displayName($item) . "</strong> ";
+                                }
+                            }
+                            echo $uiElements->boxWarning(sprintf(_("Supported EAP Type: <strong>%s</strong> is missing required information %s !"), $a->getPrintableRep(), $warntext) . "<br/>" . _("The EAP type was added to the profile, but you need to complete the missing information before we can produce installers for you."));
+                        }
+                    }
                 }
-                $text .= _("This mail is merely a cross-check because these changes can be security-relevant. If the change was expected, you do not need to take any action.") . "\n\n";
-                $text .= _("Greetings, ") . "\n\n" . \config\Master::APPEARANCE['productname_long'];
-                // (currently, send hard-wired to NRO - future: for linked insts, check eduroam DBv2 and send to registered admins directly)
-                $fed = new core\Federation($myInstOriginal->federation);
-                $loggerInstance->debug(2, $myInstOriginal->federation, "FED: ", "\n");
-                foreach ($fed->listFederationAdmins() as $id) {
-                    $user = new core\User($id);
-                    $mailaddr = $user->getAttributes("user:email")[0]['value'];
-                    $loggerInstance->debug(2, $mailaddr, "FED MAIL: ", "\n");
-                    $user->sendMailToUser(sprintf(_("%s: Significant Changes made to %s"), \config\Master::APPEARANCE['productname'], $ui->nomenclatureIdP), $text);
+                // re-instantiate $profile again, we need to do final checks on the
+                // full set of new information
+                $reloadedProfileNr2 = \core\ProfileFactory::instantiate($profile->identifier);
+                $significantChanges = \core\AbstractProfile::significantChanges($profile, $reloadedProfileNr2);
+                if (count($significantChanges) > 0) {
+                    $myInstOriginal = new \core\IdP($profile->institution);
+                    // send a notification/alert mail to someone we know is in charge
+                    $text = _("To whom it may concern,") . "\n\n";
+                    /// were made to the *Identity Provider* *LU* / integer number of IdP / (previously known as) Name
+                    $text .= sprintf(_("significant changes were made to a RADIUS deployment profile of the %s %s / %s / '%s'."), $ui->nomenclatureIdP, strtoupper($myInstOriginal->federation), $myInstOriginal->identifier, $myInstOriginal->name) . "\n\n";
+                    if (isset($significantChanges[\core\AbstractProfile::CA_CLASH_ADDED])) {
+                        $text .= _("WARNING! A new trusted root CA was added, and it has the exact same name as a previously existing root CA. This may (but does not necessarily) mean that this is an attempt to insert an unauthorised trust root by disguising as the genuine one. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::CA_CLASH_ADDED] . "\n\n";
+                    }
+                    if (isset($significantChanges[\core\AbstractProfile::CA_ADDED])) {
+                        $text .= _("A new trusted root CA was added. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::CA_ADDED] . "\n\n";
+                    }
+                    if (isset($significantChanges[\core\AbstractProfile::SERVERNAME_ADDED])) {
+                        $text .= _("A new acceptable server name for the authentication server was added. The details are below:") . "\n\n";
+                        $text .= $significantChanges[\core\AbstractProfile::SERVERNAME_ADDED] . "\n\n";
+                    }
+                    $text .= _("This mail is merely a cross-check because these changes can be security-relevant. If the change was expected, you do not need to take any action.") . "\n\n";
+                    $text .= _("Greetings, ") . "\n\n" . \config\Master::APPEARANCE['productname_long'];
+                    // (currently, send hard-wired to NRO - future: for linked insts, check eduroam DBv2 and send to registered admins directly)
+                    $fed = new core\Federation($myInstOriginal->federation);
+                    $loggerInstance->debug(2, $myInstOriginal->federation, "FED: ", "\n");
+                    foreach ($fed->listFederationAdmins() as $id) {
+                        $user = new core\User($id);
+                        $mailaddr = $user->getAttributes("user:email")[0]['value'];
+                        $loggerInstance->debug(2, $mailaddr, "FED MAIL: ", "\n");
+                        $user->sendMailToUser(sprintf(_("%s: Significant Changes made to %s"), \config\Master::APPEARANCE['productname'], $ui->nomenclatureIdP), $text);
+                    }
                 }
-            }
-            $reloadedProfileNr2->prepShowtime();
+                $reloadedProfileNr2->prepShowtime();
 
-            // do OpenRoaming initial diagnostic checks
-            // numbers correspond to RFC7585Tests::OVERALL_LEVEL
-            $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NO;
-            if (sizeof($reloadedProfileNr2->getAttributes("media:openroaming")) > 0) {
-                $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD; // assume all is well, degrade if we have concrete findings to suggest otherwise
-                $tag = "aaa+auth:radius.tls.tcp";
-                // do we know the realm at all? Notice if not.
-                if (!isset($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'])) {
-                    echo $uiElements->boxRemark(_("The profile information does not include the realm, so no DNS checks for OpenRoaming can be executed."));
-                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                // do OpenRoaming initial diagnostic checks
+                // numbers correspond to RFC7585Tests::OVERALL_LEVEL
+                $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NO;
+                if (sizeof($reloadedProfileNr2->getAttributes("media:openroaming")) > 0) {
+                    $resultLevel = \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD; // assume all is well, degrade if we have concrete findings to suggest otherwise
+                    $tag = "aaa+auth:radius.tls.tcp";
+                    // do we know the realm at all? Notice if not.
+                    if (!isset($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'])) {
+                        echo $uiElements->boxRemark(_("The profile information does not include the realm, so no DNS checks for OpenRoaming can be executed."));
+                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
                     
-                } else {
-                    $dnsChecks = new \core\diag\RFC7585Tests($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'], $tag);
-                    $relevantNaptrRecords = $dnsChecks->relevantNAPTR();
-                    if ($relevantNaptrRecords <= 0) {
-                        echo $uiElements->boxError(_("There is no relevant DNS NAPTR record ($tag) for this realm. OpenRoaming will not work."));
-                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
                     } else {
-                        $recordCompliance = $dnsChecks->relevantNAPTRcompliance();
-                        if ($recordCompliance != core\diag\AbstractTest::RETVAL_OK) {
-                            echo $uiElements->boxWarning(_("The DNS NAPTR record ($tag) for this realm is not syntax conform. OpenRoaming will likely not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
-                        }
-                        $fed = new \core\Federation($my_inst->federation);
-                        // check if target is the expected one, if set by NRO
-                        $hasCustomTarget = $fed->getAttributes("fed:openroaming_customtarget");
-                        if (sizeof($hasCustomTarget) > 0) {
-                            foreach ($dnsChecks->NAPTR_records as $orpointer) {
-                                if ($orpointer["replacement"] != $hasCustomTarget[0]['value']) {
-                                    echo $uiElements->boxRemark(_("The SRV target of an OpenRoaming NAPTR record is unexpected."));
-                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                        $dnsChecks = new \core\diag\RFC7585Tests($reloadedProfileNr2->getAttributes("internal:realm")[0]['value'], $tag);
+                        $relevantNaptrRecords = $dnsChecks->relevantNAPTR();
+                        if ($relevantNaptrRecords <= 0) {
+                            echo $uiElements->boxError(_("There is no relevant DNS NAPTR record ($tag) for this realm. OpenRoaming will not work."));
+                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                        } else {
+                            $recordCompliance = $dnsChecks->relevantNAPTRcompliance();
+                            if ($recordCompliance != core\diag\AbstractTest::RETVAL_OK) {
+                                echo $uiElements->boxWarning(_("The DNS NAPTR record ($tag) for this realm is not syntax conform. OpenRoaming will likely not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                            }
+                            $fed = new \core\Federation($my_inst->federation);
+                            // check if target is the expected one, if set by NRO
+                            $hasCustomTarget = $fed->getAttributes("fed:openroaming_customtarget");
+                            if (sizeof($hasCustomTarget) > 0) {
+                                foreach ($dnsChecks->NAPTR_records as $orpointer) {
+                                    if ($orpointer["replacement"] != $hasCustomTarget[0]['value']) {
+                                        echo $uiElements->boxRemark(_("The SRV target of an OpenRoaming NAPTR record is unexpected."));
+                                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_NOTE]);
+                                    }
                                 }
                             }
-                        }
-                        $srvResolution = $dnsChecks->relevantNAPTRsrvResolution();
-                        $hostnameResolution = $dnsChecks->relevantNAPTRhostnameResolution();
+                            $srvResolution = $dnsChecks->relevantNAPTRsrvResolution();
+                            $hostnameResolution = $dnsChecks->relevantNAPTRhostnameResolution();
 
-                        if ($srvResolution <= 0) {
-                            echo $uiElements->boxError(_("The DNS SRV target for NAPTR $tag does not resolve. OpenRoaming will not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                        } elseif ($hostnameResolution <= 0) {
-                            echo $uiElements->boxError(_("The DNS hostnames in the SRV records do not resolve to actual host IPs. OpenRoaming will not work."));
-                            $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                        }
-                        // connect to all IPs we found and see if they are really an OpenRoaming server
-                        $allHostsOkay = TRUE;
-                        $oneHostOkay = FALSE;
-                        $testCandidates = [];
-                        foreach ($dnsChecks->NAPTR_hostname_records as $oneServer) {
-                            $testCandidates[$oneServer['hostname']][] = ($oneServer['family'] == "IPv4" ? $oneServer['IP'] : "[" . $oneServer['IP'] . "]") . ":" . $oneServer['port'];
-                        }
-                        foreach ($testCandidates as $oneHost => $listOfIPs) {
-                            $connectionTests = new core\diag\RFC6614Tests(array_values($listOfIPs), $oneHost, "openroaming");
-                            // for now (no OpenRoaming client certs available) only run server-side tests
-                            foreach ($listOfIPs as $oneIP) {
-                                $connectionResult = $connectionTests->cApathCheck($oneIP);
-                                if ($connectionResult != core\diag\AbstractTest::RETVAL_OK || ( isset($connectionTests->TLS_CA_checks_result['cert_oddity']) && count($connectionTests->TLS_CA_checks_result['cert_oddity']) > 0)) {
-                                    $allHostsOkay = FALSE;
-                                } else {
-                                    $oneHostOkay = TRUE;
+                            if ($srvResolution <= 0) {
+                                echo $uiElements->boxError(_("The DNS SRV target for NAPTR $tag does not resolve. OpenRoaming will not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                            } elseif ($hostnameResolution <= 0) {
+                                echo $uiElements->boxError(_("The DNS hostnames in the SRV records do not resolve to actual host IPs. OpenRoaming will not work."));
+                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                            }
+                            // connect to all IPs we found and see if they are really an OpenRoaming server
+                            $allHostsOkay = TRUE;
+                            $oneHostOkay = FALSE;
+                            $testCandidates = [];
+                            foreach ($dnsChecks->NAPTR_hostname_records as $oneServer) {
+                                $testCandidates[$oneServer['hostname']][] = ($oneServer['family'] == "IPv4" ? $oneServer['IP'] : "[" . $oneServer['IP'] . "]") . ":" . $oneServer['port'];
+                            }
+                            foreach ($testCandidates as $oneHost => $listOfIPs) {
+                                $connectionTests = new core\diag\RFC6614Tests(array_values($listOfIPs), $oneHost, "openroaming");
+                                // for now (no OpenRoaming client certs available) only run server-side tests
+                                foreach ($listOfIPs as $oneIP) {
+                                    $connectionResult = $connectionTests->cApathCheck($oneIP);
+                                    if ($connectionResult != core\diag\AbstractTest::RETVAL_OK || ( isset($connectionTests->TLS_CA_checks_result['cert_oddity']) && count($connectionTests->TLS_CA_checks_result['cert_oddity']) > 0)) {
+                                        $allHostsOkay = FALSE;
+                                    } else {
+                                        $oneHostOkay = TRUE;
+                                    }
                                 }
                             }
-                        }
-                        if (!$allHostsOkay) {
-                            if (!$oneHostOkay) {
-                                echo $uiElements->boxError(_("When connecting to the discovered OpenRoaming endpoints, they all had errors. OpenRoaming will likely not work."));
-                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
-                            } else {
-                                echo $uiElements->boxWarning(_("When connecting to the discovered OpenRoaming endpoints, only a subset of endpoints had no errors."));
-                                $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                            if (!$allHostsOkay) {
+                                if (!$oneHostOkay) {
+                                    echo $uiElements->boxError(_("When connecting to the discovered OpenRoaming endpoints, they all had errors. OpenRoaming will likely not work."));
+                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_ERROR]);
+                                } else {
+                                    echo $uiElements->boxWarning(_("When connecting to the discovered OpenRoaming endpoints, only a subset of endpoints had no errors."));
+                                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                                }
                             }
                         }
                     }
-                }
 
-                if (!$dnsChecks->allResponsesSecure) {
-                    echo $uiElements->boxWarning(_("At least one DNS response was NOT secured using DNSSEC. OpenRoaming ANPs may refuse to connect to the endpoint."));
-                    $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                    if (!$dnsChecks->allResponsesSecure) {
+                        echo $uiElements->boxWarning(_("At least one DNS response was NOT secured using DNSSEC. OpenRoaming ANPs may refuse to connect to the endpoint."));
+                        $resultLevel = min([$resultLevel, \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_WARN]);
+                    }
+                    if ($resultLevel == \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD) {
+                        echo $uiElements->boxOkay(_("Initial diagnostics regarding the DNS part of OpenRoaming (including DNSSEC) were successful."));
+                    }                
                 }
-                if ($resultLevel == \core\AbstractProfile::OVERALL_OPENROAMING_LEVEL_GOOD) {
-                    echo $uiElements->boxOkay(_("Initial diagnostics regarding the DNS part of OpenRoaming (including DNSSEC) were successful."));
-                }                
-            }
-            $reloadedProfileNr2->setOpenRoamingReadinessInfo($resultLevel);
-            ?>
+                $reloadedProfileNr2->setOpenRoamingReadinessInfo($resultLevel);
+                ?>
         </table>
         <br/>
         <form method='post' action='overview_org.php?inst_id=<?php echo $my_inst->identifier; ?>' accept-charset='UTF-8'>
             <button type='submit'><?php echo _("Continue to dashboard"); ?></button>
         </form>
         <?php
-        if (count($reloadedProfileNr2->getEapMethodsinOrderOfPreference(1)) > 0) {
-            echo "<form method='post' action='overview_installers.php?inst_id=$my_inst->identifier&profile_id=$reloadedProfileNr2->identifier' accept-charset='UTF-8'>
+            if (count($reloadedProfileNr2->getEapMethodsinOrderOfPreference(1)) > 0) {
+                echo "<form method='post' action='overview_installers.php?inst_id=$my_inst->identifier&profile_id=$reloadedProfileNr2->identifier' accept-charset='UTF-8'>
         <button type='submit'>" . _("Continue to Installer Fine-Tuning and Download") . "</button>
     </form>";
-        }
-        echo $deco->footer();
-        break;
-    default:
-        throw new Exception("Unknown submit value received.");
+            }
+            echo $deco->footer();
+            break;
+        default:
+            throw new Exception("Unknown submit value received.");
 }