}: the date and time, with its format specified inside the brackets. See the PHP documentation
+ * of the date() function for more information on the format. If the brackets are omitted, the standard
+ * format is applied. This can be useful if you just want to control the placement of the date, but don't care
+ * about the format.
+ *
+ * - %process: the name of the SimpleSAMLphp process. Remember you can configure this in the 'logging.processname'
+ * option below.
+ *
+ * - %level: the log level (name or number depending on the handler used).
+ *
+ * - %stat: if the log entry is intended for statistical purposes, it will print the string 'STAT ' (bear in mind
+ * the trailing space).
+ *
+ * - %trackid: the track ID, an identifier that allows you to track a single session.
+ *
+ * - %srcip: the IP address of the client. If you are behind a proxy, make sure to modify the
+ * $_SERVER['REMOTE_ADDR'] variable on your code accordingly to the X-Forwarded-For header.
+ *
+ * - %msg: the message to be logged.
+ *
+ */
+ //'logging.format' => '%date{M j H:i:s} %process %level %stat[%trackid] %msg',
+
+ /*
+ * Choose which facility should be used when logging with syslog.
+ *
+ * These can be used for filtering the syslog output from SimpleSAMLphp into its
+ * own file by configuring the syslog daemon.
+ *
+ * See the documentation for openlog (http://php.net/manual/en/function.openlog.php) for available
+ * facilities. Note that only LOG_USER is valid on windows.
+ *
+ * The default is to use LOG_LOCAL5 if available, and fall back to LOG_USER if not.
+ */
+ 'logging.facility' => defined('LOG_LOCAL5') ? constant('LOG_LOCAL5') : LOG_USER,
+
+ /*
+ * The process name that should be used when logging to syslog.
+ * The value is also written out by the other logging handlers.
+ */
+ 'logging.processname' => 'simplesamlphp',
+
+ /*
+ * Logging: file - Logfilename in the loggingdir from above.
+ */
+ 'logging.logfile' => 'simplesamlphp.log',
+
+ /*
+ * This is an array of outputs. Each output has at least a 'class' option, which
+ * selects the output.
+ */
+ 'statistics.out' => [
+ // Log statistics to the normal log.
+ /*
+ [
+ 'class' => 'core:Log',
+ 'level' => 'notice',
+ ],
+ */
+ // Log statistics to files in a directory. One file per day.
+ /*
+ [
+ 'class' => 'core:File',
+ 'directory' => '/var/log/stats',
+ ],
+ */
+ ],
+
+
+
+ /***********************
+ | PROXY CONFIGURATION |
+ ***********************/
+
+ /*
+ * Proxy to use for retrieving URLs.
+ *
+ * Example:
+ * 'proxy' => 'tcp://proxy.example.com:5100'
+ */
+ 'proxy' => null,
+
+ /*
+ * Username/password authentication to proxy (Proxy-Authorization: Basic)
+ * Example:
+ * 'proxy.auth' = 'myuser:password'
+ */
+ //'proxy.auth' => 'myuser:password',
+
+
+
+ /**************************
+ | DATABASE CONFIGURATION |
+ **************************/
+
+ /*
+ * This database configuration is optional. If you are not using
+ * core functionality or modules that require a database, you can
+ * skip this configuration.
+ */
+
+ /*
+ * Database connection string.
+ * Ensure that you have the required PDO database driver installed
+ * for your connection string.
+ */
+ 'database.dsn' => 'mysql:host=localhost;dbname=saml',
+
+ /*
+ * SQL database credentials
+ */
+ 'database.username' => 'simplesamlphp',
+ 'database.password' => 'secret',
+ 'database.options' => [],
+
+ /*
+ * (Optional) Table prefix
+ */
+ 'database.prefix' => '',
+
+ /*
+ * (Optional) Driver options
+ */
+ 'database.driver_options' => [],
+
+ /*
+ * True or false if you would like a persistent database connection
+ */
+ 'database.persistent' => false,
+
+ /*
+ * Database secondary configuration is optional as well. If you are only
+ * running a single database server, leave this blank. If you have
+ * a primary/secondary configuration, you can define as many secondary servers
+ * as you want here. Secondaries will be picked at random to be queried from.
+ *
+ * Configuration options in the secondary array are exactly the same as the
+ * options for the primary (shown above) with the exception of the table
+ * prefix and driver options.
+ */
+ 'database.secondaries' => [
+ /*
+ [
+ 'dsn' => 'mysql:host=mysecondary;dbname=saml',
+ 'username' => 'simplesamlphp',
+ 'password' => 'secret',
+ 'persistent' => false,
+ ],
+ */
+ ],
+
+
+
+ /*************
+ | PROTOCOLS |
+ *************/
+
+ /*
+ * Which functionality in SimpleSAMLphp do you want to enable. Normally you would enable only
+ * one of the functionalities below, but in some cases you could run multiple functionalities.
+ * In example when you are setting up a federation bridge.
+ */
+ 'enable.saml20-idp' => true,
+ 'enable.adfs-idp' => false,
+
+
+
+ /***********
+ | MODULES |
+ ***********/
+
+ /*
+ * Configuration for enabling/disabling modules. By default the 'core', 'admin' and 'saml' modules are enabled.
+ *
+ * Example:
+ *
+ * 'module.enable' => [
+ * 'exampleauth' => true, // Setting to TRUE enables.
+ * 'consent' => false, // Setting to FALSE disables.
+ * 'core' => null, // Unset or NULL uses default.
+ * ],
+ */
+
+ 'module.enable' => [
+ 'exampleauth' => true,
+ 'core' => true,
+ 'admin' => true,
+ 'saml' => true,
+ 'cron' => true,
+ 'metarefresh' => true,
+ ],
+
+
+ /*************************
+ | SESSION CONFIGURATION |
+ *************************/
+
+ /*
+ * This value is the duration of the session in seconds. Make sure that the time duration of
+ * cookies both at the SP and the IdP exceeds this duration.
+ */
+ 'session.duration' => 60, // 60 seconds
+
+ /*
+ * Sets the duration, in seconds, data should be stored in the datastore. As the data store is used for
+ * login and logout requests, this option will control the maximum time these operations can take.
+ * The default is 4 hours (4*60*60) seconds, which should be more than enough for these operations.
+ */
+ 'session.datastore.timeout' => (4 * 60 * 60), // 4 hours
+
+ /*
+ * Sets the duration, in seconds, auth state should be stored.
+ */
+ 'session.state.timeout' => (60 * 60), // 1 hour
+
+ /*
+ * Option to override the default settings for the session cookie name
+ */
+ 'session.cookie.name' => 'SimpleSAMLSessionIDidp',
+
+ /*
+ * Expiration time for the session cookie, in seconds.
+ *
+ * Defaults to 0, which means that the cookie expires when the browser is closed.
+ *
+ * Example:
+ * 'session.cookie.lifetime' => 30*60,
+ */
+ 'session.cookie.lifetime' => 0,
+
+ /*
+ * Limit the path of the cookies.
+ *
+ * Can be used to limit the path of the cookies to a specific subdirectory.
+ *
+ * Example:
+ * 'session.cookie.path' => '/simplesaml/',
+ */
+ 'session.cookie.path' => '/',
+
+ /*
+ * Cookie domain.
+ *
+ * Can be used to make the session cookie available to several domains.
+ *
+ * Example:
+ * 'session.cookie.domain' => '.example.org',
+ */
+ 'session.cookie.domain' => '',
+
+ /*
+ * Set the secure flag in the cookie.
+ *
+ * Set this to TRUE if the user only accesses your service
+ * through https. If the user can access the service through
+ * both http and https, this must be set to FALSE.
+ *
+ * If unset, SimpleSAMLphp will try to automatically determine the right value
+ */
+ //'session.cookie.secure' => true,
+
+ /*
+ * Set the SameSite attribute in the cookie.
+ *
+ * You can set this to the strings 'None', 'Lax', or 'Strict' to support
+ * the RFC6265bis SameSite cookie attribute. If set to null, no SameSite
+ * attribute will be sent.
+ *
+ * A value of "None" is required to properly support cross-domain POST
+ * requests which are used by different SAML bindings. Because some older
+ * browsers do not support this value, the canSetSameSiteNone function
+ * can be called to only set it for compatible browsers.
+ *
+ * You must also set the 'session.cookie.secure' value above to true.
+ *
+ * Example:
+ * 'session.cookie.samesite' => 'None',
+ */
+ 'session.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
+
+ /*
+ * Options to override the default settings for php sessions.
+ */
+ 'session.phpsession.cookiename' => 'SimpleSAMLidp',
+ 'session.phpsession.savepath' => null,
+ 'session.phpsession.httponly' => true,
+
+ /*
+ * Option to override the default settings for the auth token cookie
+ */
+ 'session.authtoken.cookiename' => 'SimpleSAMLAuthToken',
+
+ /*
+ * Options for remember me feature for IdP sessions. Remember me feature
+ * has to be also implemented in authentication source used.
+ *
+ * Option 'session.cookie.lifetime' should be set to zero (0), i.e. cookie
+ * expires on browser session if remember me is not checked.
+ *
+ * Session duration ('session.duration' option) should be set according to
+ * 'session.rememberme.lifetime' option.
+ *
+ * It's advised to use remember me feature with session checking function
+ * defined with 'session.check_function' option.
+ */
+ 'session.rememberme.enable' => false,
+ 'session.rememberme.checked' => false,
+ 'session.rememberme.lifetime' => (14 * 86400),
+
+ /*
+ * Custom function for session checking called on session init and loading.
+ * See docs/simplesamlphp-advancedfeatures.md for function code example.
+ *
+ * Example:
+ * 'session.check_function' => ['\SimpleSAML\Module\example\Util', 'checkSession'],
+ */
+
+
+
+ /**************************
+ | MEMCACHE CONFIGURATION |
+ **************************/
+
+ /*
+ * Configuration for the 'memcache' session store. This allows you to store
+ * multiple redundant copies of sessions on different memcache servers.
+ *
+ * 'memcache_store.servers' is an array of server groups. Every data
+ * item will be mirrored in every server group.
+ *
+ * Each server group is an array of servers. The data items will be
+ * load-balanced between all servers in each server group.
+ *
+ * Each server is an array of parameters for the server. The following
+ * options are available:
+ * - 'hostname': This is the hostname or ip address where the
+ * memcache server runs. This is the only required option.
+ * - 'port': This is the port number of the memcache server. If this
+ * option isn't set, then we will use the 'memcache.default_port'
+ * ini setting. This is 11211 by default.
+ *
+ * When using the "memcache" extension, the following options are also
+ * supported:
+ * - 'weight': This sets the weight of this server in this server
+ * group. http://php.net/manual/en/function.Memcache-addServer.php
+ * contains more information about the weight option.
+ * - 'timeout': The timeout for this server. By default, the timeout
+ * is 3 seconds.
+ *
+ * Example of redundant configuration with load balancing:
+ * This configuration makes it possible to lose both servers in the
+ * a-group or both servers in the b-group without losing any sessions.
+ * Note that sessions will be lost if one server is lost from both the
+ * a-group and the b-group.
+ *
+ * 'memcache_store.servers' => [
+ * [
+ * ['hostname' => 'mc_a1'],
+ * ['hostname' => 'mc_a2'],
+ * ],
+ * [
+ * ['hostname' => 'mc_b1'],
+ * ['hostname' => 'mc_b2'],
+ * ],
+ * ],
+ *
+ * Example of simple configuration with only one memcache server,
+ * running on the same computer as the web server:
+ * Note that all sessions will be lost if the memcache server crashes.
+ *
+ * 'memcache_store.servers' => [
+ * [
+ * ['hostname' => 'localhost'],
+ * ],
+ * ],
+ *
+ * Additionally, when using the "memcached" extension, unique keys must
+ * be provided for each group of servers if persistent connections are
+ * desired. Each server group can also have an "options" indexed array
+ * with the options desired for the given group:
+ *
+ * 'memcache_store.servers' => [
+ * 'memcache_group_1' => [
+ * 'options' => [
+ * \Memcached::OPT_BINARY_PROTOCOL => true,
+ * \Memcached::OPT_NO_BLOCK => true,
+ * \Memcached::OPT_TCP_NODELAY => true,
+ * \Memcached::OPT_LIBKETAMA_COMPATIBLE => true,
+ * ],
+ * ['hostname' => '127.0.0.1', 'port' => 11211],
+ * ['hostname' => '127.0.0.2', 'port' => 11211],
+ * ],
+ *
+ * 'memcache_group_2' => [
+ * 'options' => [
+ * \Memcached::OPT_BINARY_PROTOCOL => true,
+ * \Memcached::OPT_NO_BLOCK => true,
+ * \Memcached::OPT_TCP_NODELAY => true,
+ * \Memcached::OPT_LIBKETAMA_COMPATIBLE => true,
+ * ],
+ * ['hostname' => '127.0.0.3', 'port' => 11211],
+ * ['hostname' => '127.0.0.4', 'port' => 11211],
+ * ],
+ * ],
+ *
+ */
+ 'memcache_store.servers' => [
+ [
+ ['hostname' => 'localhost'],
+ ],
+ ],
+
+ /*
+ * This value allows you to set a prefix for memcache-keys. The default
+ * for this value is 'simpleSAMLphp', which is fine in most cases.
+ *
+ * When running multiple instances of SSP on the same host, and more
+ * than one instance is using memcache, you probably want to assign
+ * a unique value per instance to this setting to avoid data collision.
+ */
+ 'memcache_store.prefix' => '',
+
+ /*
+ * This value is the duration data should be stored in memcache. Data
+ * will be dropped from the memcache servers when this time expires.
+ * The time will be reset every time the data is written to the
+ * memcache servers.
+ *
+ * This value should always be larger than the 'session.duration'
+ * option. Not doing this may result in the session being deleted from
+ * the memcache servers while it is still in use.
+ *
+ * Set this value to 0 if you don't want data to expire.
+ *
+ * Note: The oldest data will always be deleted if the memcache server
+ * runs out of storage space.
+ */
+ 'memcache_store.expires' => 36 * (60 * 60), // 36 hours.
+
+
+
+ /*************************************
+ | LANGUAGE AND INTERNATIONALIZATION |
+ *************************************/
+
+ /*
+ * Languages available, RTL languages, and what language is the default.
+ */
+ 'language.available' => [
+ 'en', 'no', 'nn', 'se', 'da', 'de', 'sv', 'fi', 'es', 'ca', 'fr', 'it', 'nl', 'lb',
+ 'cs', 'sk', 'sl', 'lt', 'hr', 'hu', 'pl', 'pt', 'pt-br', 'tr', 'ja', 'zh', 'zh-tw',
+ 'ru', 'et', 'he', 'id', 'sr', 'lv', 'ro', 'eu', 'el', 'af', 'zu', 'xh', 'st',
+ ],
+ 'language.rtl' => ['ar', 'dv', 'fa', 'ur', 'he'],
+ 'language.default' => 'en',
+
+ /*
+ * Options to override the default settings for the language parameter
+ */
+ 'language.parameter.name' => 'language',
+ 'language.parameter.setcookie' => true,
+
+ /*
+ * Options to override the default settings for the language cookie
+ */
+ 'language.cookie.name' => 'language',
+ 'language.cookie.domain' => '',
+ 'language.cookie.path' => '/',
+ 'language.cookie.secure' => true,
+ 'language.cookie.httponly' => false,
+ 'language.cookie.lifetime' => (60 * 60 * 24 * 900),
+ 'language.cookie.samesite' => $httpUtils->canSetSameSiteNone() ? 'None' : null,
+
+ /**
+ * Custom getLanguage function called from SimpleSAML\Locale\Language::getLanguage().
+ * Function should return language code of one of the available languages or NULL.
+ * See SimpleSAML\Locale\Language::getLanguage() source code for more info.
+ *
+ * This option can be used to implement a custom function for determining
+ * the default language for the user.
+ *
+ * Example:
+ * 'language.get_language_function' => ['\SimpleSAML\Module\example\Template', 'getLanguage'],
+ */
+
+ /**************
+ | APPEARANCE |
+ **************/
+
+ /*
+ * Which theme directory should be used?
+ */
+ 'theme.use' => 'default',
+
+ /*
+ * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want
+ * any text to appear in the header.
+ */
+ //'theme.header' => 'SimpleSAMLphp',
+
+ /**
+ * A template controller, if any.
+ *
+ * Used to intercept certain parts of the template handling, while keeping away unwanted/unexpected hooks. Set
+ * the 'theme.controller' configuration option to a class that implements the
+ * \SimpleSAML\XHTML\TemplateControllerInterface interface to use it.
+ */
+ //'theme.controller' => '',
+
+ /*
+ * Templating options
+ *
+ * By default, twig templates are not cached. To turn on template caching:
+ * Set 'template.cache' to an absolute path pointing to a directory that
+ * SimpleSAMLphp has read and write permissions to.
+ */
+ //'template.cache' => '',
+
+ /*
+ * Set the 'template.auto_reload' to true if you would like SimpleSAMLphp to
+ * recompile the templates (when using the template cache) if the templates
+ * change. If you don't want to check the source templates for every request,
+ * set it to false.
+ */
+ 'template.auto_reload' => false,
+
+ /*
+ * Set this option to true to indicate that your installation of SimpleSAMLphp
+ * is running in a production environment. This will affect the way resources
+ * are used, offering an optimized version when running in production, and an
+ * easy-to-debug one when not. Set it to false when you are testing or
+ * developing the software, in which case a banner will be displayed to remind
+ * users that they're dealing with a non-production instance.
+ *
+ * Defaults to true.
+ */
+ 'production' => true,
+
+ /*
+ * SimpleSAMLphp modules can host static resources which are served through PHP.
+ * The serving of the resources can be configured through these settings.
+ */
+ 'assets' => [
+ /*
+ * These settings adjust the caching headers that are sent
+ * when serving static resources.
+ */
+ 'caching' => [
+ /*
+ * Amount of seconds before the resource should be fetched again
+ */
+ 'max_age' => 86400,
+ /*
+ * Calculate a checksum of every file and send it to the browser
+ * This allows the browser to avoid downloading assets again in situations
+ * where the Last-Modified header cannot be trusted,
+ * for example in cluster setups
+ *
+ * Defaults false
+ */
+ 'etag' => false,
+ ],
+ ],
+
+ /**
+ * Set to a full URL if you want to redirect users that land on SimpleSAMLphp's
+ * front page to somewhere more useful. If left unset, a basic welcome message
+ * is shown.
+ */
+ //'frontpage.redirect' => 'https://example.com/',
+
+ /*********************
+ | DISCOVERY SERVICE |
+ *********************/
+
+ /*
+ * Whether the discovery service should allow the user to save his choice of IdP.
+ */
+ 'idpdisco.enableremember' => true,
+ 'idpdisco.rememberchecked' => true,
+
+ /*
+ * The disco service only accepts entities it knows.
+ */
+ 'idpdisco.validate' => true,
+
+ 'idpdisco.extDiscoveryStorage' => null,
+
+ /*
+ * IdP Discovery service look configuration.
+ * Whether to display a list of idp or to display a dropdown box. For many IdP' a dropdown box
+ * gives the best use experience.
+ *
+ * When using dropdown box a cookie is used to highlight the previously chosen IdP in the dropdown.
+ * This makes it easier for the user to choose the IdP
+ *
+ * Options: [links,dropdown]
+ */
+ 'idpdisco.layout' => 'dropdown',
+
+
+
+ /*************************************
+ | AUTHENTICATION PROCESSING FILTERS |
+ *************************************/
+
+ /*
+ * Authentication processing filters that will be executed for all IdPs
+ */
+ 'authproc.idp' => [
+ /* Enable the authproc filter below to add URN prefixes to all attributes
+ 10 => [
+ 'class' => 'core:AttributeMap', 'addurnprefix'
+ ],
+ */
+ /* Enable the authproc filter below to automatically generated eduPersonTargetedID.
+ 20 => 'core:TargetedID',
+ */
+
+ // Adopts language from attribute to use in UI
+ 30 => 'core:LanguageAdaptor',
+
+ /* When called without parameters, it will fallback to filter attributes 'the old way'
+ * by checking the 'attributes' parameter in metadata on IdP hosted and SP remote.
+ */
+ 50 => 'core:AttributeLimit',
+
+ /*
+ * Search attribute "distinguishedName" for pattern and replaces if found
+ */
+ /*
+ 60 => [
+ 'class' => 'core:AttributeAlter',
+ 'pattern' => '/OU=studerende/',
+ 'replacement' => 'Student',
+ 'subject' => 'distinguishedName',
+ '%replace',
+ ],
+ */
+
+ /*
+ * Consent module is enabled (with no permanent storage, using cookies).
+ */
+ /*
+ 90 => [
+ 'class' => 'consent:Consent',
+ 'store' => 'consent:Cookie',
+ 'focus' => 'yes',
+ 'checked' => true
+ ],
+ */
+ // If language is set in Consent module it will be added as an attribute.
+ 99 => 'core:LanguageAdaptor',
+ ],
+
+ /*
+ * Authentication processing filters that will be executed for all SPs
+ */
+ 'authproc.sp' => [
+ /*
+ 10 => [
+ 'class' => 'core:AttributeMap', 'removeurnprefix'
+ ],
+ */
+
+ /*
+ * Generate the 'group' attribute populated from other variables, including eduPersonAffiliation.
+ 60 => [
+ 'class' => 'core:GenerateGroups', 'eduPersonAffiliation'
+ ],
+ */
+ /*
+ * All users will be members of 'users' and 'members'
+ */
+ /*
+ 61 => [
+ 'class' => 'core:AttributeAdd', 'groups' => ['users', 'members']
+ ],
+ */
+
+ // Adopts language from attribute to use in UI
+ 90 => 'core:LanguageAdaptor',
+ ],
+
+
+
+ /**************************
+ | METADATA CONFIGURATION |
+ **************************/
+
+ /*
+ * This option allows you to specify a directory for your metadata outside of the standard metadata directory
+ * included in the standard distribution of the software.
+ */
+ 'metadatadir' => 'metadata',
+
+ /*
+ * This option configures the metadata sources. The metadata sources is given as an array with
+ * different metadata sources. When searching for metadata, SimpleSAMLphp will search through
+ * the array from start to end.
+ *
+ * Each element in the array is an associative array which configures the metadata source.
+ * The type of the metadata source is given by the 'type' element. For each type we have
+ * different configuration options.
+ *
+ * Flat file metadata handler:
+ * - 'type': This is always 'flatfile'.
+ * - 'directory': The directory we will load the metadata files from. The default value for
+ * this option is the value of the 'metadatadir' configuration option, or
+ * 'metadata/' if that option is unset.
+ *
+ * XML metadata handler:
+ * This metadata handler parses an XML file with either an EntityDescriptor element or an
+ * EntitiesDescriptor element. The XML file may be stored locally, or (for debugging) on a remote
+ * web server.
+ * The XML metadata handler defines the following options:
+ * - 'type': This is always 'xml'.
+ * - 'file': Path to the XML file with the metadata.
+ * - 'url': The URL to fetch metadata from. THIS IS ONLY FOR DEBUGGING - THERE IS NO CACHING OF THE RESPONSE.
+ *
+ * MDQ metadata handler:
+ * This metadata handler looks up for the metadata of an entity at the given MDQ server.
+ * The MDQ metadata handler defines the following options:
+ * - 'type': This is always 'mdq'.
+ * - 'server': Base URL of the MDQ server. Mandatory.
+ * - 'validateCertificate': The certificates file that may be used to sign the metadata. You don't need this
+ * option if you don't want to validate the signature on the metadata. Optional.
+ * - 'cachedir': Directory where metadata can be cached. Optional.
+ * - 'cachelength': Maximum time metadata can be cached, in seconds. Defaults to 24
+ * hours (86400 seconds). Optional.
+ *
+ * PDO metadata handler:
+ * This metadata handler looks up metadata of an entity stored in a database.
+ *
+ * Note: If you are using the PDO metadata handler, you must configure the database
+ * options in this configuration file.
+ *
+ * The PDO metadata handler defines the following options:
+ * - 'type': This is always 'pdo'.
+ *
+ * Examples:
+ *
+ * This example defines two flatfile sources. One is the default metadata directory, the other
+ * is a metadata directory with auto-generated metadata files.
+ *
+ * 'metadata.sources' => [
+ * ['type' => 'flatfile'],
+ * ['type' => 'flatfile', 'directory' => 'metadata-generated'],
+ * ],
+ *
+ * This example defines a flatfile source and an XML source.
+ * 'metadata.sources' => [
+ * ['type' => 'flatfile'],
+ * ['type' => 'xml', 'file' => 'idp.example.org-idpMeta.xml'],
+ * ],
+ *
+ * This example defines an mdq source.
+ * 'metadata.sources' => [
+ * [
+ * 'type' => 'mdq',
+ * 'server' => 'http://mdq.server.com:8080',
+ * 'validateCertificate' => [
+ * '/var/simplesamlphp/cert/metadata-key.new.crt',
+ * '/var/simplesamlphp/cert/metadata-key.old.crt'
+ * ],
+ * 'cachedir' => '/var/simplesamlphp/mdq-cache',
+ * 'cachelength' => 86400
+ * ]
+ * ],
+ *
+ * This example defines an pdo source.
+ * 'metadata.sources' => [
+ * ['type' => 'pdo']
+ * ],
+ *
+ * Default:
+ * 'metadata.sources' => [
+ * ['type' => 'flatfile']
+ * ],
+ */
+ 'metadata.sources' => [
+ ['type' => 'flatfile'],
+ # webwork sp metadata dir
+ ['type' => 'flatfile', 'directory' => 'metadata/metarefresh-webwork'],
+ ],
+
+ /*
+ * Should signing of generated metadata be enabled by default.
+ *
+ * Metadata signing can also be enabled for a individual SP or IdP by setting the
+ * same option in the metadata for the SP or IdP.
+ */
+ 'metadata.sign.enable' => false,
+
+ /*
+ * The default key & certificate which should be used to sign generated metadata. These
+ * are files stored in the cert dir.
+ * These values can be overridden by the options with the same names in the SP or
+ * IdP metadata.
+ *
+ * If these aren't specified here or in the metadata for the SP or IdP, then
+ * the 'certificate' and 'privatekey' option in the metadata will be used.
+ * if those aren't set, signing of metadata will fail.
+ */
+ 'metadata.sign.privatekey' => null,
+ 'metadata.sign.privatekey_pass' => null,
+ 'metadata.sign.certificate' => null,
+ 'metadata.sign.algorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
+
+
+ /****************************
+ | DATA STORE CONFIGURATION |
+ ****************************/
+
+ /*
+ * Configure the data store for SimpleSAMLphp.
+ *
+ * - 'phpsession': Limited datastore, which uses the PHP session.
+ * - 'memcache': Key-value datastore, based on memcache.
+ * - 'sql': SQL datastore, using PDO.
+ * - 'redis': Key-value datastore, based on redis.
+ *
+ * The default datastore is 'phpsession'.
+ */
+ 'store.type' => 'phpsession',
+
+ /*
+ * The DSN the sql datastore should connect to.
+ *
+ * See http://www.php.net/manual/en/pdo.drivers.php for the various
+ * syntaxes.
+ */
+ 'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',
+
+ /*
+ * The username and password to use when connecting to the database.
+ */
+ 'store.sql.username' => null,
+ 'store.sql.password' => null,
+
+ /*
+ * The prefix we should use on our tables.
+ */
+ 'store.sql.prefix' => 'SimpleSAMLphp',
+
+ /*
+ * The driver-options we should pass to the PDO-constructor.
+ */
+ 'store.sql.options' => [],
+
+ /*
+ * The hostname and port of the Redis datastore instance.
+ */
+ 'store.redis.host' => 'localhost',
+ 'store.redis.port' => 6379,
+
+ /*
+ * The credentials to use when connecting to Redis.
+ *
+ * If your Redis server is using the legacy password protection (config
+ * directive "requirepass" in redis.conf) then you should only provide
+ * a password.
+ *
+ * If your Redis server is using ACL's (which are recommended as of
+ * Redis 6+) then you should provide both a username and a password.
+ * See https://redis.io/docs/manual/security/acl/
+ */
+ 'store.redis.username' => '',
+ 'store.redis.password' => '',
+
+ /*
+ * Communicate with Redis over a secure connection instead of plain TCP.
+ *
+ * This setting affects both single host connections as
+ * well as Sentinel mode.
+ */
+ 'store.redis.tls' => false,
+
+ /*
+ * Verify the Redis server certificate.
+ */
+ 'store.redis.insecure' => false,
+
+ /*
+ * Files related to secure communication with Redis.
+ *
+ * Files are searched in the 'certdir' when using relative paths.
+ */
+ 'store.redis.ca_certificate' => null,
+ 'store.redis.certificate' => null,
+ 'store.redis.privatekey' => null,
+
+ /*
+ * The prefix we should use on our Redis datastore.
+ */
+ 'store.redis.prefix' => 'SimpleSAMLphp',
+
+ /*
+ * The master group to use for Redis Sentinel.
+ */
+ 'store.redis.mastergroup' => 'mymaster',
+
+ /*
+ * The Redis Sentinel hosts.
+ * Example:
+ * 'store.redis.sentinels' => [
+ * 'tcp://[yoursentinel1]:[port]',
+ * 'tcp://[yoursentinel2]:[port]',
+ * 'tcp://[yoursentinel3]:[port]
+ * ],
+ *
+ * Use 'tls' instead of 'tcp' in order to make use of the additional
+ * TLS settings.
+ */
+ 'store.redis.sentinels' => [],
+
+ /*********************
+ | IdP/SP PROXY MODE |
+ *********************/
+
+ /*
+ * If the IdP in front of SimpleSAMLphp in IdP/SP proxy mode sends
+ * AuthnContextClassRef, decide whether the AuthnContextClassRef will be
+ * processed by the IdP/SP proxy or if it will be passed to the SP behind
+ * the IdP/SP proxy.
+ */
+ 'proxymode.passAuthnContextClassRef' => false,
+];
diff --git a/docker-config/idp/config/module_cron.php b/docker-config/idp/config/module_cron.php
new file mode 100644
index 0000000000..a05be61da2
--- /dev/null
+++ b/docker-config/idp/config/module_cron.php
@@ -0,0 +1,8 @@
+ 'webwork2',
+ 'allowed_tags' => ['metarefresh'],
+ 'debug_message' => true,
+ 'sendemail' => false,
+];
diff --git a/docker-config/idp/config/module_metarefresh.php b/docker-config/idp/config/module_metarefresh.php
new file mode 100644
index 0000000000..1b2cf60d61
--- /dev/null
+++ b/docker-config/idp/config/module_metarefresh.php
@@ -0,0 +1,21 @@
+ [
+ 'webwork2' => [
+ 'cron' => ['metarefresh'],
+ 'sources' => [
+ ['src' => $metadataURL]
+ ],
+ 'expiresAfter' => 60 * 60 * 24 * 365 * 10, // 10 years, basically never
+ 'outputDir' => 'metadata/metarefresh-webwork/',
+ 'outputFormat' => 'flatfile',
+ ]
+ ]
+];
diff --git a/docker-config/idp/idp.apache2.conf b/docker-config/idp/idp.apache2.conf
new file mode 100644
index 0000000000..5f2e656ebe
--- /dev/null
+++ b/docker-config/idp/idp.apache2.conf
@@ -0,0 +1,7 @@
+SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/simplesamlphp/config
+
+Alias /simplesaml /var/www/simplesamlphp/public
+
+
+ Require all granted
+
diff --git a/docker-config/idp/metadata/saml20-idp-hosted.php b/docker-config/idp/metadata/saml20-idp-hosted.php
new file mode 100644
index 0000000000..f0843f3b28
--- /dev/null
+++ b/docker-config/idp/metadata/saml20-idp-hosted.php
@@ -0,0 +1,50 @@
+ '__DEFAULT__',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'server.pem',
+ 'certificate' => 'server.crt',
+
+ /*
+ * Authentication source to use. Must be one that is configured in
+ * 'config/authsources.php'.
+ */
+ 'auth' => 'example-userpass',
+
+ /* Uncomment the following to use the uri NameFormat on attributes. */
+ 'attributes.NameFormat' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+ 'authproc' => [
+ // Convert attribute names to oids.
+ 100 => ['class' => 'core:AttributeMap', 'name2oid'],
+ ],
+
+ /*
+ * Uncomment the following to specify the registration information in the
+ * exported metadata. Refer to:
+ * http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html
+ * for more information.
+ */
+ /*
+ 'RegistrationInfo' => [
+ 'authority' => 'urn:mace:example.org',
+ 'instant' => '2008-01-17T11:28:03Z',
+ 'policies' => [
+ 'en' => 'http://example.org/policy',
+ 'es' => 'http://example.org/politica',
+ ],
+ ],
+ */
+];
diff --git a/lib/WeBWorK.pm b/lib/WeBWorK.pm
index 0ac5eeba66..319ea19c82 100644
--- a/lib/WeBWorK.pm
+++ b/lib/WeBWorK.pm
@@ -62,28 +62,19 @@ async sub dispatch ($c) {
# Note that this is Time::HiRes's time, which gives floating point values.
$c->submitTime(time);
- my $method = $c->req->method;
- my $location = $c->location;
- my $uri = $c->url_for;
- my $args = $c->req->params->to_string || '';
+ my $method = $c->req->method;
+ my $uri = $c->url_for;
+ my $args = $c->req->params->to_string || '';
debug("\n\n===> Begin " . __PACKAGE__ . "::dispatch() <===\n\n");
- debug("Hi, I'm the new dispatcher!\n");
debug(("-" x 80) . "\n");
- debug("Okay, I got some basic information:\n");
- debug("The site location is $location\n");
debug("The request method is $method\n");
debug("The URI is $uri\n");
debug("The argument string is $args\n");
debug(('-' x 80) . "\n");
- my ($path) = $uri =~ m/$location(.*)/;
- $path .= '/' if $path !~ m(/$);
- debug("The path is $path\n");
-
debug("The current route is " . $c->current_route . "\n");
- debug("Here is some information about this route:\n");
my $displayModule = ref $c;
my %routeCaptures = %{ $c->stash->{'mojo.captures'} };
@@ -96,8 +87,6 @@ async sub dispatch ($c) {
debug(('-' x 80) . "\n");
- debug("Now we want to look at the parameters we got.\n");
-
debug("The raw params:\n");
for my $key ($c->param) {
# Make it so we dont debug plain text passwords
@@ -122,7 +111,6 @@ async sub dispatch ($c) {
$c->initializeRoute(\%routeCaptures) if $c->can('initializeRoute');
# Create Course Environment
- debug("We need to get a course environment (with or without a courseID!)\n");
my $ce = eval { WeBWorK::CourseEnvironment->new({ courseName => $routeCaptures{courseID} }) };
$@ and die "Failed to initialize course environment: $@\n";
debug("Here's the course environment: $ce\n");
@@ -164,12 +152,14 @@ async sub dispatch ($c) {
if ($routeCaptures{courseID}) {
debug("We got a courseID from the route, now we can do some stuff:\n");
+ # This route could have the courseID set, but does not need authentication.
+ return 1 if $c->current_route eq 'saml2_metadata';
+
return (0, 'This course does not exist.')
unless (-e $ce->{courseDirs}{root}
|| -e "$ce->{webwork_courses_dir}/$ce->{admin_course_id}/archives/$routeCaptures{courseID}.tar.gz");
return (0, 'This course has been archived and closed.') unless -e $ce->{courseDirs}{root};
- debug("...we can create a database object...\n");
my $db = WeBWorK::DB->new($ce->{dbLayout});
debug("(here's the DB handle: $db)\n");
$c->db($db);
diff --git a/lib/WeBWorK/Authen/Saml2.pm b/lib/WeBWorK/Authen/Saml2.pm
new file mode 100644
index 0000000000..83de834738
--- /dev/null
+++ b/lib/WeBWorK/Authen/Saml2.pm
@@ -0,0 +1,348 @@
+################################################################################
+# WeBWorK Online Homework Delivery System
+# Copyright © 2000-2024 The WeBWorK Project, https://github.com/openwebwork
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of either: (a) the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any later
+# version, or (b) the "Artistic License" which comes with this package.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See either the GNU General Public License or the
+# Artistic License for more details.
+################################################################################
+
+package WeBWorK::Authen::Saml2;
+use Mojo::Base 'WeBWorK::Authen', -signatures;
+
+use Mojo::File qw(path tempfile);
+use Mojo::JSON qw(encode_json);
+use Mojo::UserAgent;
+use Net::SAML2::IdP;
+use Net::SAML2::SP;
+use URN::OASIS::SAML2 qw(BINDING_HTTP_POST BINDING_HTTP_REDIRECT);
+use Net::SAML2::Binding::POST;
+use Net::SAML2::Protocol::Assertion;
+
+use WeBWorK::Debug qw(debug);
+use WeBWorK::Authen::LTIAdvanced::Nonce;
+
+=head1 NAME
+
+WeBWorK::Authen::Saml2 - Authenticate using a SAML2 identity provider.
+
+=cut
+
+sub request_has_data_for_this_verification_module ($self) {
+ my $c = $self->{c};
+
+ # Skip if the bypass_query param is set.
+ if ($c->ce->{saml2}{bypass_query} && $c->param($c->ce->{saml2}{bypass_query})) {
+ debug('Saml2 authen module bypass detected. Going to next authentication module.');
+ return 0;
+ }
+
+ return 1;
+}
+
+sub verify ($self) {
+ my $result = $self->SUPER::verify;
+ my $c = $self->{c};
+
+ if ($c->current_route eq 'saml2_acs') {
+ # Transfer the saml2_nameid and saml2_session to the webwork session.
+ # These are used to logout of the identity provider if that is configured.
+ $self->session->{saml2_nameid} = $c->stash->{saml2_nameid} if $c->stash->{saml2_nameid};
+ $self->session->{saml2_session} = $c->stash->{saml2_session} if $c->stash->{saml2_session};
+
+ # If two factor verification is needed, defer that until after redirecting to the course route.
+ if ($c->stash->{saml2_redirect} && $self->session->{two_factor_verification_needed}) {
+ $self->session->{two_factor_verification_needed_after_redirect} =
+ delete $self->session->{two_factor_verification_needed};
+ return 1;
+ }
+ }
+
+ return $result;
+}
+
+sub do_verify ($self) {
+ my $c = $self->{c};
+ my $ce = $c->ce;
+
+ $self->{external_auth} = 1 if $ce->two_factor_authentication_enabled && $ce->{saml2}{twoFAOnlyWithBypass};
+
+ if ($c->current_route eq 'saml2_acs') {
+ debug('Verifying Saml2 assertion');
+
+ my $idpCertificateFile = $self->idp(1);
+ unless ($idpCertificateFile) {
+ $c->stash->{authen_error} = $c->maketext(
+ 'An internal server error occured. Please contact the system administrator for assistance.');
+ return 0;
+ }
+
+ # Verify that the response is signed by the identity provider and decode it.
+ my $decodedXml = Net::SAML2::Binding::POST->new(cacert => $idpCertificateFile->to_string)
+ ->handle_response($c->stash->{saml2}{samlResp});
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => $decodedXml,
+ key_file => $self->spKeyFile->to_string
+ );
+
+ # Get the database key containing the authReqId that was generated before redirecting to the identity provider.
+ my $authReqIdKey = $c->db->getKey($assertion->in_response_to);
+ unless ($authReqIdKey) {
+ $c->stash->{authen_error} = $c->maketext('Invalid user ID or password.');
+ debug('Invalid request id in response. Possible CSFR.');
+ return 0;
+ }
+ eval { $c->db->deleteKey($authReqIdKey->user_id) }; # Delete the key to avoid replay.
+
+ # Verify that the response has the same authReqId which means it's responding to the authentication request
+ # generated by webwork2. This also checks that timestamps are valid.
+ my $valid = $assertion->valid($ce->{saml2}{sp}{entity_id}, $authReqIdKey->user_id);
+ unless ($valid) {
+ $c->stash->{authen_error} = $c->maketext('Invalid user ID or password.');
+ debug('Bad timestamp or issuer');
+ return 0;
+ }
+
+ debug('Got valid response and looking for username.');
+ my $userId = $self->getUserId($ce->{saml2}{sp}{attributes}, $assertion);
+ if ($userId) {
+ debug("Got username $userId");
+
+ $c->authen->{saml2UserId} = $userId;
+ if ($self->SUPER::do_verify) {
+ # The user and key need to be set before systemLink is called. They are only used if
+ # $session_management_via is 'key'.
+ $c->param('user', $userId);
+ $c->param('key', $self->{session_key});
+ $c->stash->{saml2_redirect} = $c->systemLink($c->url_for($c->stash->{saml2}{relayState}{url}));
+
+ # Save these in the stash for now. They will be transferred to the session after it has been created.
+ $c->stash->{saml2_nameid} = $assertion->nameid;
+ $c->stash->{saml2_session} = $assertion->{session};
+
+ return 1;
+ }
+ }
+ $c->stash->{authen_error} = $c->maketext('User not found in course.');
+ debug('Unauthorized - User not found in ' . $c->stash->{courseID});
+ return 0;
+ }
+
+ # If there is an existing session, then control will be passed to the authen base class.
+ if ($ce->{session_management_via} eq 'session_cookie') {
+ my ($cookieUser) = $self->fetchCookie;
+ $self->{isLoggedIn} = 1 if defined $cookieUser;
+ } elsif ($c->param('user')) {
+ my $key = $c->db->getKey($c->param('user'));
+ $self->{isLoggedIn} = 1 if $key;
+ }
+
+ if ($self->{isLoggedIn}) {
+ debug('User signed in or was previously signed in. Saml2 passing control back to the authen base class.');
+
+ # There was a successful saml response or the user was already logged in.
+ # So hand off to the authen base class to verify the user and manage the session.
+ my $result = $self->SUPER::do_verify;
+
+ $self->session->{two_factor_verification_needed} =
+ delete $self->session->{two_factor_verification_needed_after_redirect}
+ if $self->session->{two_factor_verification_needed_after_redirect};
+
+ return $result;
+ }
+
+ # This occurs if the user clicks the logout button when the identity provider session has timed out, but the
+ # webwork2 session is still active. In this case return 0 so that the logged out page is shown anyway.
+ return 0 if $c->current_route eq 'logout';
+
+ # The user doesn't have an existing session, so redirect to the identity provider for login.
+ $self->sendLoginRequest;
+
+ return 0;
+}
+
+sub sp ($self) {
+ my $c = $self->{c};
+ return $c->stash->{sp} if $c->stash->{sp};
+
+ my $ce = $c->ce;
+
+ my $spCertificateFile = path($ce->{saml2}{sp}{certificate_file});
+ $spCertificateFile = $c->app->home->child($spCertificateFile) unless $spCertificateFile->is_abs;
+
+ $c->stash->{sp} = Net::SAML2::SP->new(
+ issuer => $ce->{saml2}{sp}{entity_id},
+ url => $ce->{server_root_url} . $c->url_for('root'),
+ error_url => $ce->{server_root_url} . $c->url_for('saml2_error'),
+ cert => $spCertificateFile->to_string,
+ key => $self->spKeyFile->to_string,
+ org_contact => $ce->{saml2}{sp}{org}{contact},
+ org_name => $ce->{saml2}{sp}{org}{name},
+ org_url => $ce->{saml2}{sp}{org}{url},
+ org_display_name => $ce->{saml2}{sp}{org}{display_name},
+ assertion_consumer_service => [ {
+ Binding => BINDING_HTTP_POST,
+ Location => $ce->{server_root_url} . $c->url_for('saml2_acs'),
+ isDefault => 'true',
+ } ],
+ $ce->{saml2}{sp}{enable_sp_initiated_logout}
+ ? (
+ single_logout_service => [ {
+ Binding => BINDING_HTTP_POST,
+ Location => $ce->{server_root_url} . $c->url_for('saml2_logout')
+ } ]
+ )
+ : ()
+ );
+
+ return $c->stash->{sp};
+}
+
+# The first time this method is executed for a given identity provider, the metadata file is retrieved from the metadata
+# URL. It is then saved in the $ce->{saml2}{active_idp} subdirectory of $ce->{webworkDirs}{DATA}/Saml2IDPs together
+# with the identity provider's signing key which is extracted from the retrieved metadata. On later requests the
+# metadata and certificate are used from the saved files. This prevents the need to retrieve the metadata on every
+# login request.
+sub idp ($self, $ceritificateOnly = 0) {
+ if (!$self->{idp_certificate_file} || !$self->{idp}) {
+ my $ce = $self->{c}->ce;
+
+ my $saml2IDPDir = path("$ce->{webworkDirs}{DATA}/Saml2IDPs")->child($ce->{saml2}{active_idp});
+ $saml2IDPDir->make_path;
+
+ my $metadataXMLFile = $saml2IDPDir->child('metadata.xml');
+ my $certificateFile = $saml2IDPDir->child('cacert.crt');
+
+ if (-r $metadataXMLFile && -r $certificateFile) {
+ $self->{idp} =
+ Net::SAML2::IdP->new_from_xml(xml => $metadataXMLFile->slurp, cacert => $certificateFile->to_string);
+ $self->{idp_certificate_file} = $certificateFile;
+ } else {
+ my $response = Mojo::UserAgent->new->get($ce->{saml2}{idps}{ $ce->{saml2}{active_idp} })->result;
+ if ($response->is_success) {
+ my $metadataXML = $response->body;
+ $metadataXMLFile->spew($metadataXML);
+ $self->{idp} = Net::SAML2::IdP->new_from_xml(xml => $metadataXML);
+ $certificateFile->spew($self->{idp}->cert('signing')->[0]);
+ $self->{idp_certificate_file} = $certificateFile;
+ } else {
+ debug("Unable to retrieve metadata from identity provider $ce->{saml2}{active_idp} with "
+ . "metadata URL $ce->{samle}{idps}{$ce->{saml2}{active_idp}}");
+ }
+ }
+ }
+
+ return $self->{idp_certificate_file} if $ceritificateOnly;
+ return $self->{idp};
+}
+
+sub spKeyFile ($self) {
+ my $c = $self->{c};
+ return $self->{spKeyFile} if $self->{spKeyFile};
+ $self->{spKeyFile} = path($c->ce->{saml2}{sp}{private_key_file});
+ $self->{spKeyFile} = $c->app->home->child($self->{spKeyFile}) unless $self->{spKeyFile}->is_abs;
+ return $self->{spKeyFile};
+}
+
+sub sendLoginRequest ($self) {
+ my $c = $self->{c};
+ my $ce = $c->ce;
+
+ my $idp = $self->idp;
+ unless ($idp) {
+ $c->stash->{authen_error} =
+ $c->maketext('An internal server error occured. Please contact the system administrator for assistance.');
+ return 0;
+ }
+
+ my $authReq = $self->sp->authn_request($idp->sso_url(BINDING_HTTP_REDIRECT));
+
+ # Get rid of stale request ids in the database. This borrows the maybe_purge_nonces method from the
+ # WeBWorK::Authen::LTIAdvanced::Nonce package.
+ WeBWorK::Authen::LTIAdvanced::Nonce->new($c, '', 0)->maybe_purge_nonces;
+
+ # The request id needs to be stored so that it can be verified in the identity provider response.
+ # This uses the "nonce" hack to store the request id in the key table.
+ my $key = $c->db->newKey({ user_id => $authReq->id, timestamp => time, key => 'nonce' });
+ eval { $c->db->deleteKey($authReq->id) };
+ eval { $c->db->addKey($key) };
+
+ # The second argument of the sign method contains info that the identity provider relays back.
+ # This information is used to send the user to the right place after login.
+ debug('Redirecting user to the identity provider');
+ $self->{redirect} = $self->sp->sso_redirect_binding($idp, 'SAMLRequest')
+ ->sign($authReq->as_xml, encode_json({ course => $ce->{courseName}, url => $c->req->url->to_string }));
+ return;
+}
+
+sub logout_user ($self) {
+ my $ce = $self->{c}->ce;
+ if ($ce->{saml2}{sp}{enable_sp_initiated_logout}
+ && defined $self->session->{saml2_nameid}
+ && defined $self->session->{saml2_session})
+ {
+ my $idp = $self->idp;
+ return unless $idp;
+
+ my $logoutReq = $self->sp->logout_request(
+ $idp->slo_url(BINDING_HTTP_REDIRECT), $self->session->{saml2_nameid},
+ $idp->format || undef, $self->session->{saml2_session}
+ );
+
+ debug('Redirecting user to the identity provider for logout');
+ $self->{redirect} = $self->sp->slo_redirect_binding($idp, 'SAMLRequest')
+ ->sign($logoutReq->as_xml, encode_json({ course => $ce->{courseName} }));
+ }
+ return;
+}
+
+sub getUserId ($self, $attributeKeys, $assertion) {
+ my $ce = $self->{c}->ce;
+ my $db = $self->{c}->db;
+
+ if ($attributeKeys) {
+ for my $key (@$attributeKeys) {
+ debug("Trying attribute $key for username");
+ my $possibleUserId = $assertion->attributes->{$key}[0];
+ next unless $possibleUserId;
+ if ($db->getUser($possibleUserId)) {
+ debug("Using attribute value for username: $possibleUserId");
+ return $possibleUserId;
+ }
+ }
+ }
+ debug('No username match in attributes. Trying NameID fallback');
+ if ($db->getUser($assertion->nameid)) {
+ debug('Using NameID for username: ' . $assertion->nameid);
+ return $assertion->nameid;
+ }
+ debug('NameID fallback failed. No username found.');
+ return;
+}
+
+sub get_credentials ($self) {
+ if ($self->{saml2UserId}) {
+ # User has been authenticated with the identity provider.
+ $self->{user_id} = $self->{saml2UserId};
+ $self->{login_type} = 'normal';
+ $self->{credential_source} = 'SAML2';
+ $self->{initial_login} = 1;
+ debug('credential source: "SAML2", user: "', $self->{user_id}, '"');
+ return 1;
+ }
+ return $self->SUPER::get_credentials if $self->{isLoggedIn};
+ return 0;
+}
+
+sub authenticate ($self) {
+ # The identity provider handles authentication, so just return 1.
+ return 1;
+}
+
+1;
diff --git a/lib/WeBWorK/ContentGenerator/Logout.pm b/lib/WeBWorK/ContentGenerator/Logout.pm
index 60629ffcb6..67919656e2 100644
--- a/lib/WeBWorK/ContentGenerator/Logout.pm
+++ b/lib/WeBWorK/ContentGenerator/Logout.pm
@@ -30,7 +30,9 @@ sub pre_header_initialize ($c) {
my $db = $c->db;
my $authen = $c->authen;
- my $userID = $c->param('user_id');
+ # Do any special processing needed by external authentication. This is done before
+ # the session is killed in case the authentication module needs access to it.
+ $authen->logout_user if $authen->can('logout_user');
$authen->killSession;
$authen->WeBWorK::Authen::write_log_entry('LOGGED OUT');
@@ -39,6 +41,8 @@ sub pre_header_initialize ($c) {
# a proctored test. So try and delete the key.
my $proctorID = $c->param('proctor_user');
if ($proctorID) {
+ my $userID = $c->param('user_id');
+
eval { $db->deleteKey("$userID,$proctorID"); };
if ($@) {
$c->addbadmessage("Error when clearing proctor key: $@");
@@ -50,9 +54,6 @@ sub pre_header_initialize ($c) {
}
}
- # Do any special processing needed by external authentication.
- $authen->logout_user if $authen->can('logout_user');
-
$c->reply_with_redirect($authen->{redirect}) if $authen->{redirect};
return;
diff --git a/lib/WeBWorK/ContentGenerator/Saml2.pm b/lib/WeBWorK/ContentGenerator/Saml2.pm
new file mode 100644
index 0000000000..bda1b4aaac
--- /dev/null
+++ b/lib/WeBWorK/ContentGenerator/Saml2.pm
@@ -0,0 +1,60 @@
+################################################################################
+# WeBWorK Online Homework Delivery System
+# Copyright © 2000-2024 The WeBWorK Project, https://github.com/openwebwork
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of either: (a) the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any later
+# version, or (b) the "Artistic License" which comes with this package.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See either the GNU General Public License or the
+# Artistic License for more details.
+################################################################################
+
+package WeBWorK::ContentGenerator::Saml2;
+use Mojo::Base 'WeBWorK::ContentGenerator', -signatures;
+
+use Mojo::JSON qw(decode_json);
+
+use WeBWorK::Debug qw(debug);
+
+sub initializeRoute ($c, $routeCaptures) {
+ if ($c->current_route eq 'saml2_acs') {
+ return unless $c->param('SAMLResponse') && $c->param('RelayState');
+ $c->stash->{saml2}{relayState} = decode_json($c->param('RelayState'));
+ $c->stash->{saml2}{samlResp} = $c->param('SAMLResponse');
+ $routeCaptures->{courseID} = $c->stash->{courseID} = $c->stash->{saml2}{relayState}{course};
+ }
+
+ $routeCaptures->{courseID} = $c->stash->{courseID} = $c->param('courseID')
+ if $c->current_route eq 'saml2_metadata' && $c->param('courseID');
+
+ return;
+}
+
+sub assertionConsumerService ($c) {
+ debug('Authentication succeeded. Redirecting to ' . $c->stash->{saml2_redirect});
+ return $c->redirect_to($c->stash->{saml2_redirect});
+}
+
+sub metadata ($c) {
+ return $c->render(data => 'Internal site configuration error', status => 500) unless $c->authen->can('sp');
+ return $c->render(data => $c->authen->sp->metadata, format => 'xml');
+}
+
+sub errorResponse ($c) {
+ return $c->reply->exception('SAML2 Login Error')->rendered(400);
+}
+
+# When this request comes in the user is actually already signed out of webwork, so this just attempts to redirect back
+# to webwork's logout page for the course. This doesn't verify anything in the response from the identity provider, but
+# hopefully the courseID is found in the relay state so that the user can be redirected to the logout page for the
+# course.
+sub logout ($c) {
+ return $c->render('SAML2 Logout Error', status => 500) unless $c->param('RelayState');
+ return $c->redirect_to($c->url_for('logout', courseID => decode_json($c->param('RelayState'))->{course}));
+}
+
+1;
diff --git a/lib/WeBWorK/Utils/Routes.pm b/lib/WeBWorK/Utils/Routes.pm
index 3197229372..39deece4f6 100644
--- a/lib/WeBWorK/Utils/Routes.pm
+++ b/lib/WeBWorK/Utils/Routes.pm
@@ -39,6 +39,11 @@ PLEASE FOR THE LOVE OF GOD UPDATE THIS IF YOU CHANGE THE ROUTES BELOW!!!
ltiadvantage_keys /ltiadvantage/keys
ltiadvantage_content_selection /ltiadvantage/content_selection
+ saml2_acs /saml2/acs
+ saml2_metadata /saml2/metadata
+ saml2_error /saml2/error
+ saml2_logout /saml2/logout
+
pod_index /pod
pod_viewer /pod/$filePath
@@ -155,6 +160,10 @@ my %routeParameters = (
ltiadvantage_launch
ltiadvantage_keys
ltiadvantage_content_selection
+ saml2_acs
+ saml2_metadata
+ saml2_error
+ saml2_logout
pod_index
sample_problem_index
set_list
@@ -222,6 +231,33 @@ my %routeParameters = (
action => 'content_selection'
},
+ # This route also ends up at the login screen on failure, and the title is not used anywhere else.
+ saml2_acs => {
+ title => x('Login'),
+ module => 'Saml2',
+ path => '/saml2/acs',
+ action => 'assertionConsumerService',
+ methods => ['POST']
+ },
+ saml2_metadata => {
+ title => 'metadata',
+ module => 'Saml2',
+ path => '/saml2/metadata',
+ action => 'metadata'
+ },
+ saml2_error => {
+ title => 'error',
+ module => 'Saml2',
+ path => '/saml2/error',
+ action => 'errorResponse'
+ },
+ saml2_logout => {
+ title => 'logout',
+ module => 'Saml2',
+ path => '/saml2/logout',
+ action => 'logout'
+ },
+
pod_index => {
title => x('POD Index'),
children => [qw(pod_viewer)],
@@ -574,12 +610,13 @@ sub setup_content_generator_routes_recursive {
if ($routeParameters{$child}{children}) {
my $child_route = $route->under($routeParameters{$child}{path}, [ problemID => qr/\d+/ ])->name($child);
- $child_route->any('/')->to("$routeParameters{$child}{module}#$action")->name($child);
+ $child_route->any($routeParameters{$child}{methods} // (), '/')->to("$routeParameters{$child}{module}#$action")
+ ->name($child);
for (@{ $routeParameters{$child}{children} }) {
setup_content_generator_routes_recursive($child_route, $_);
}
} else {
- $route->any($routeParameters{$child}{path}, [ problemID => qr/\d+/ ])
+ $route->any($routeParameters{$child}{methods} // (), $routeParameters{$child}{path}, [ problemID => qr/\d+/ ])
->to("$routeParameters{$child}{module}#$action")->name($child);
}
diff --git a/templates/ContentGenerator/Login.html.ep b/templates/ContentGenerator/Login.html.ep
index 0436697cd5..9031aacee5 100644
--- a/templates/ContentGenerator/Login.html.ep
+++ b/templates/ContentGenerator/Login.html.ep
@@ -6,7 +6,7 @@
%
% my $course = (stash('courseID') // '') =~ s/_/ /gr;
%
-% if ($externalAuth) {
+% if ($ce->{LTI} && $externalAuth) {
% my $LMS = $ce->{LTI}{ $ce->{LTIVersion} }{LMS_url}
% ? link_to($ce->{LTI}{ $ce->{LTIVersion} }{LMS_name} => $ce->{LTI}{ $ce->{LTIVersion} }{LMS_url})
% : $ce->{LTI}{ $ce->{LTIVersion} }{LMS_name};
@@ -24,6 +24,13 @@
tag('strong', $course), $LMS) =%>
% }
+% } elsif ($externalAuth) {
+ % if (stash('authen_error')) {
+
+ <%== maketext(q{This course uses an external authentication system. You've authenticated }
+ . q{through that system, but aren't allowed to log in to this course.}) =%>
+
+ % }
% } else {
<%== maketext('Please enter your username and password for [_1] below:', tag('b', $course)) %>
%
diff --git a/templates/ContentGenerator/Logout.html.ep b/templates/ContentGenerator/Logout.html.ep
index 59c19fb283..ed4d9fd928 100644
--- a/templates/ContentGenerator/Logout.html.ep
+++ b/templates/ContentGenerator/Logout.html.ep
@@ -1,7 +1,7 @@
<%= maketext('You have been logged out of WeBWorK.') =%>
%
% # This should be set in the course environment when a sequence of authentication modules is used.
-% if ($ce->{external_auth} || $authen->{external_auth}) {
+% if ($ce->{LTI} && ($ce->{external_auth} || $authen->{external_auth})) {
<%== maketext(
'The course [_1] uses an external authentication system ([_2]). Please go there to log in again.',
@@ -12,6 +12,9 @@
: $ce->{LTI}{ $ce->{LTIVersion} }{LMS_name}
) =%>
+% } elsif ($ce->{external_auth} || $authen->{external_auth}) {
+ <%== maketext('This course uses an external authentication system. '
+ . 'Please return to its sign in page to log in again.') =%>
% } else {
<%= form_for 'set_list', method => 'POST', begin =%>
<%= hidden_field force_passwd_authen => 1 =%>