Commit d07eaab8 authored by Clément OUDOT's avatar Clément OUDOT

SAML: keep SAML request in memory for IDP Proxy management (#31)

parent 81eff4aa
......@@ -177,6 +177,10 @@ sub issuerForUnAuthUser {
return PE_ERROR;
}
# Store SAML request in memory in case of proxying
$self->{_samlRequest} = $saml_request;
return PE_OK;
}
elsif ($response) {
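Review bot: Nothing clears `$self->{_samlRequest}` once createAuthnRequest has consumed it, so if the object it is stored on outlives this request (persistent interpreter, reused portal object) a later createAuthnRequest call could see a stale request and enter proxy mode for an unrelated login; this hunk does not show whether $self is per-request, so that lifetime is worth confirming. A short comment on the assignment would also make the coupling visible: `# Consumed by createAuthnRequest when this IDP acts as a SAML proxy`. issuerForUnAuthUser starts before this hunk.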
......
......@@ -741,6 +741,8 @@ sub createAuthnRequest {
$nameIDFormat, $allowProxiedAuthn, $signSSOMessage,
$requestedAuthnContext
) = splice @_;
my $proxyCount;
my $proxyRequestedAuthnContext;
# Create Lasso Login
my $login = $self->createLogin($server);
......@@ -769,6 +771,50 @@ sub createAuthnRequest {
# Customize request
my $request = $login->request();
# Maybe we are in IDP proxy mode (SAML request received on IDP side)
# In this case:
# * Check proxy conditions
# * Forward some authn constraints
if ( $self->{_samlRequest} ) {
$self->lmLog( "IDP Proxy mode detected", 'debug' );
# Get ProxyCount value
eval { $proxyCount = $self->{_samlRequest}->Scoping()->ProxyCount() };
# Deny request if ProxyCount eq 0
if ( defined $proxyCount ) {
$self->lmLog( "Found proxyCount $proxyCount in proxied request",
'debug' );
if ( $proxyCount eq 0 ) {
$self->lmLog( "SAML request cannot be proxied (ProxyCount 0)",
'error' );
return;
}
else {
# Decrease ProxyCount
my $scoping = $self->{_samlRequest}->Scoping();
$scoping->ProxyCount( $proxyCount-- );
eval { $request->Scoping($scoping); };
}
}
# isPassive
eval { $isPassive = $self->{_samlRequest}->IsPassive(); };
# forceAuthn
eval { $forceAuthn = $self->{_samlRequest}->ForceAuthn(); };
# requestedAuthnContext
eval {
$proxyRequestedAuthnContext =
$self->{_samlRequest}->RequestedAuthnContext();
};
}
# NameIDFormat
if ($nameIDFormat) {
$self->lmLog( "Use NameIDFormat $nameIDFormat", 'debug' );
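Review bot: ProxyCount is never actually decreased at `$scoping->ProxyCount( $proxyCount-- );` — post-decrement yields the original value, so the forwarded request carries the same count it arrived with and the loop protection ProxyCount provides across a chain of proxies is lost; use `$scoping->ProxyCount( $proxyCount - 1 );`. The zero test a few lines above, `if ( $proxyCount eq 0 )`, compares as strings while the value is numeric; `if ( $proxyCount == 0 )` is what is meant. The bare `eval { $request->Scoping($scoping); };` swallows any failure, leaving the outgoing request without any ProxyCount at all; adding `$self->lmLog( "Unable to set Scoping: $@", 'warn' ) if $@;` after it would at least surface that. createAuthnRequest starts before and continues past this hunk.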
......@@ -815,7 +861,12 @@ sub createAuthnRequest {
}
# Requested authentication context
if ($requestedAuthnContext) {
if ($proxyRequestedAuthnContext) {
$self->lmLog( "Use RequestedAuthnContext from proxied request",
'debug' );
$request->RequestedAuthnContext($proxyRequestedAuthnContext);
}
elsif ($requestedAuthnContext) {
$self->lmLog( "Request $requestedAuthnContext context", 'debug' );
eval {
my $context = Lasso::Samlp2RequestedAuthnContext->new();
......