<?php declare(strict_types=1); |
/** |
* @author Nicolas CARPi <[email protected]> |
* @copyright 2012 Nicolas CARPi |
* @see https://www.elabftw.net Official website |
* @license AGPL-3.0 |
* @package elabftw |
*/ |
namespace Elabftw\Elabftw; |
use Elabftw\Models\Config; |
use Elabftw\Models\Idps; |
use function rtrim; |
/** |
* Saml settings |
*/ |
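class Saml
{
    public function __construct(public Config $Config, private Idps $Idps)
    {
    }

    /**
     * Get the settings array
     * On login we don't have an id but we don't need the settings
     * from a particular idp (just the service provider)
     * So getActive will just grab the first active one
     *
     * The returned array is the one handed to the OneLogin toolkit. It carries
     * the SP private key under 'sp' => 'privateKey', so it must never be
     * logged or dumped.
     *
     * @param int|null $id id of the selected idp
     * @return array settings with the keys strict, debug, baseurl, sp, idp and security
     */
    public function getSettings(?int $id = null): array
    {
        $idp = $this->Idps->getActive($id);
        $configArr = $this->Config->configArr;

        return [
            // If 'strict' is True, then the PHP Toolkit will reject unsigned
            // or unencrypted messages if it expects them signed or encrypted
            // Also will reject the messages if not strictly follow the SAML
            // standard: Destination, NameId, Conditions ... are validated too.
            // Cast to bool like the other flags; keep it enabled in production,
            // disabling it drops those validations.
            'strict' => (bool) $configArr['saml_strict'],

            // Enable debug mode (to print errors)
            'debug' => (bool) $configArr['saml_debug'],

            // Set a BaseURL to be used instead of try to guess
            // the BaseURL of the view that process the SAML Message.
            // Ex. http://sp.example.com/
            //     http://example.com/sp/
            'baseurl' => $configArr['saml_baseurl'],

            // Service Provider Data that we are deploying
            'sp' => $this->getSpSettings(),

            // Identity Provider Data that we want connect with our SP
            'idp' => $this->getIdpSettings($idp),

            // Security settings
            'security' => $this->getSecuritySettings(),
        ];
    }

    /**
     * Build the 'sp' section: identity, endpoints and key material of this
     * service provider, all read from the config table.
     *
     * Both the ACS and the SLS URL are derived from 'saml_baseurl' with a
     * trailing slash stripped, so a base URL ending in '/' no longer yields a
     * '//app/logout.php?sls' path (only the ACS URL was normalised before).
     */
    private function getSpSettings(): array
    {
        $configArr = $this->Config->configArr;
        // normalised once, reused by both endpoint URLs below
        $baseUrl = rtrim($configArr['saml_baseurl'] ?? '', '/');

        return [
            // Identifier of the SP entity (must be a URI)
            'entityId' => $configArr['saml_entityid'],
            // Specifies info about where and how the <AuthnResponse> message MUST be
            // returned to the requester, in this case our SP.
            'assertionConsumerService' => [
                // URL Location where the <Response> from the IdP will be returned
                'url' => $baseUrl . '/index.php?acs',
                // SAML protocol binding to be used when returning the <Response>
                // message. Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => $configArr['saml_acs_binding'],
            ],
            // If you need to specify requested attributes, set a
            // attributeConsumingService. nameFormat, attributeValue and
            // friendlyName can be omitted. Otherwise remove this section.
            'attributeConsumingService' => [
                'ServiceName' => 'eLabFTW',
                'serviceDescription' => 'Electronic Lab Notebook',
                'requestedAttributes' => [
                    [
                        'name' => '',
                        'isRequired' => false,
                        'nameFormat' => '',
                        'friendlyName' => '',
                        'attributeValue' => '',
                    ],
                ],
            ],
            // Specifies info about where and how the <Logout Response> message MUST be
            // returned to the requester, in this case our SP.
            'singleLogoutService' => [
                // URL Location where the <Response> from the IdP will be returned
                'url' => $baseUrl . '/app/logout.php?sls',
                // SAML protocol binding to be used when returning the <Response>
                // message. Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => $configArr['saml_slo_binding'],
            ],
            // Specifies constraints on the name identifier to be used to
            // represent the requested subject.
            // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
            'NameIDFormat' => $configArr['saml_nameidformat'],

            // Usually x509cert and privateKey of the SP are provided by files placed at
            // the certs folder. But we can also provide them with the following parameters
            'x509cert' => $configArr['saml_x509'],
            // Secret material (used by the toolkit for signing and decryption):
            // treat the whole settings array as sensitive.
            'privateKey' => $configArr['saml_privatekey'],
        ];
    }

    /**
     * Build the 'idp' section from the active identity provider row.
     *
     * @param array $idp row returned by Idps::getActive() (string-keyed columns)
     */
    private function getIdpSettings(array $idp): array
    {
        return [
            // Identifier of the IdP entity (must be a URI)
            'entityId' => $idp['entityid'],
            // SSO endpoint info of the IdP. (Authentication Request protocol)
            'singleSignOnService' => [
                // URL Target of the IdP where the SP will send the Authentication Request Message
                'url' => $idp['sso_url'],
                // SAML protocol binding to be used when returning the <Response>
                // message. Onelogin Toolkit supports for this endpoint the
                // HTTP-POST binding only
                'binding' => $idp['sso_binding'],
            ],
            // SLO endpoint info of the IdP.
            'singleLogoutService' => [
                // URL Location of the IdP where the SP will send the SLO Request
                'url' => $idp['slo_url'],
                // SAML protocol binding to be used when returning the <Response>
                // message. Onelogin Toolkit supports for this endpoint the
                // HTTP-Redirect binding only
                'binding' => $idp['slo_binding'],
            ],
            // Public x509 certificate of the IdP. This is the trust anchor the
            // toolkit verifies IdP signatures against, so it must only ever be
            // set from a trusted source (admin-managed idp row).
            'x509cert' => $idp['x509'],
            /*
             * Instead of use the whole x509cert you can use a fingerprint
             * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
             * or add for example the -sha256 , -sha384 or -sha512 parameter)
             *
             * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
             * let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
             * 'sha1' is the default value.
             */
            // 'certFingerprint' => '',
            // 'certFingerprintAlgorithm' => 'sha1',
            // Names of the IdP attributes carrying the user's email, team and names
            'emailAttr' => $idp['email_attr'],
            'teamAttr' => $idp['team_attr'],
            'fnameAttr' => $idp['fname_attr'],
            'lnameAttr' => $idp['lname_attr'],
        ];
    }

    /**
     * Build the 'security' section: the signatures/encryptions this SP offers,
     * the ones it requires from the IdP, and the algorithms it uses.
     */
    private function getSecuritySettings(): array
    {
        $configArr = $this->Config->configArr;

        return [
            // signatures and encryptions offered

            // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
            // will be encrypted.
            'nameIdEncrypted' => (bool) $configArr['saml_nameidencrypted'],

            // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
            // will be signed. [The Metadata of the SP will offer this info]
            'authnRequestsSigned' => (bool) $configArr['saml_authnrequestssigned'],

            // Indicates whether the <samlp:logoutRequest> messages sent by this SP
            // will be signed.
            'logoutRequestSigned' => (bool) $configArr['saml_logoutrequestsigned'],

            // Indicates whether the <samlp:logoutResponse> messages sent by this SP
            // will be signed.
            'logoutResponseSigned' => (bool) $configArr['saml_logoutresponsesigned'],

            /* Sign the Metadata
               False || True (use sp certs) || array (
                   keyFileName => 'metadata.key',
                   certFileName => 'metadata.crt'
               )
            */
            'signMetadata' => (bool) $configArr['saml_signmetadata'],

            // signatures and encryptions required
            // NOTE(review): the two "want...Signed" flags below are what makes the
            // IdP response authenticated; at least one of them should stay enabled
            // in production. Confirm against the toolkit version in use.

            // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
            // <samlp:LogoutResponse> elements received by this SP to be signed.
            'wantMessagesSigned' => (bool) $configArr['saml_wantmessagessigned'],

            // Indicates a requirement for the <saml:Assertion> elements received by
            // this SP to be encrypted.
            'wantAssertionsEncrypted' => (bool) $configArr['saml_wantassertionsencrypted'],

            // Indicates a requirement for the <saml:Assertion> elements received by
            // this SP to be signed. [The Metadata of the SP will offer this info]
            'wantAssertionsSigned' => (bool) $configArr['saml_wantassertionssigned'],

            // Indicates a requirement for the NameID element on the SAMLResponse received
            // by this SP to be present.
            'wantNameId' => (bool) $configArr['saml_wantnameid'],

            // Indicates a requirement for the NameID received by
            // this SP to be encrypted.
            'wantNameIdEncrypted' => (bool) $configArr['saml_wantnameidencrypted'],

            // Authentication context.
            // Set to false and no AuthContext will be sent in the AuthNRequest,
            // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
            // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
            'requestedAuthnContext' => false,

            // Allows the authn comparison parameter to be set, defaults to 'exact' if
            // the setting is not present.
            'requestedAuthnContextComparison' => 'exact',

            // Indicates if the SP will validate all received xmls.
            // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
            'wantXMLValidation' => (bool) $configArr['saml_wantxmlvalidation'],

            // If true, SAMLResponses with an empty value at its Destination
            // attribute will not be rejected for this fact.
            'relaxDestinationValidation' => (bool) $configArr['saml_relaxdestinationvalidation'],

            // Algorithm that the toolkit will use on signing process. Options:
            //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
            //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
            //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
            //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
            //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
            // Notice that sha1 is a deprecated algorithm and should not be used
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

            // Algorithm that the toolkit will use on digest process. Options:
            //    'http://www.w3.org/2000/09/xmldsig#sha1'
            //    'http://www.w3.org/2001/04/xmlenc#sha256'
            //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
            //    'http://www.w3.org/2001/04/xmlenc#sha512'
            // Notice that sha1 is a deprecated algorithm and should not be used
            'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',

            // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses
            // uppercase. Turn it True for ADFS compatibility on signature verification
            'lowercaseUrlencoding' => (bool) $configArr['saml_lowercaseurlencoding'],
        ];
    }
}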