Commit dfcb0f86 authored by Xavier Guimard's avatar Xavier Guimard

More doc (#595)

parent 871a41dd
......@@ -27,7 +27,7 @@ has sloRe => ( is => 'rw' );
sub init {
my ($self) = @_;
# Get configuration parameter
# Prepare SSO URL catching
my $saml_sso_soap_url =
$self->getMetaDataURL( "samlIDPSSODescriptorSingleSignOnServiceSOAP", 1 );
my $saml_sso_soap_url_ret =
......@@ -50,7 +50,7 @@ sub init {
qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_url_ret|$saml_sso_post_url|$saml_sso_post_url_ret|$saml_sso_art_url|$saml_sso_art_url_ret)(?:\?.*)?$/i
);
# SOAP routes
# SOAP routes (access without authentication)
$self->addRouteFromMetaDataURL(
'samlIDPSSODescriptorArtifactResolutionServiceArtifact',
3, 'artifactServer', ['POST'] );
......@@ -61,6 +61,13 @@ qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_u
"samlIDPSSODescriptorSingleLogoutServiceSOAP",
2, 'soapSloServer', ['POST'] );
# TODO: @coudot, why this URL isn't managed with a conf param ?
$self->addUnauthRoute(
saml => { relaySingleLogoutSOAP => 'sloRelaySoap' },
[ 'GET', 'POST' ]
);
# Single logout routes (managed by regexp in run())
my $saml_slo_get_url = $self->getMetaDataURL(
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect", 1 );
my $saml_slo_get_url_ret = $self->getMetaDataURL(
......@@ -75,11 +82,7 @@ qr/^($saml_sso_soap_url|$saml_sso_soap_url_ret|$saml_sso_get_url|$saml_sso_get_u
qr/^($saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_url_ret)(?:\?.*)?$/i
);
$self->addUnauthRoute(
saml => { relaySingleLogoutSOAP => 'sloRelaySoap' },
[ 'GET', 'POST' ]
);
# Launch parents initialization subroutines, then launch IdP en SP lists
return (
$self->Lemonldap::NG::Portal::Main::Issuer::init()
......@@ -97,6 +100,7 @@ qr/^($saml_slo_get_url|$saml_slo_get_url_ret|$saml_slo_post_url|$saml_slo_post_u
# RUNNING METHODS
# Main method (launched only for authenticated users, see Main/Issuer)
sub run {
my ( $self, $req ) = @_;
my $server = $self->lassoServer;
......@@ -125,15 +129,6 @@ sub run {
$self->lmLog( "URL $url detected as an SSO request URL", 'debug' );
# Get hidden params for IDP initiated if needed
#$idp_initiated = $self->p->getHiddenFormValue( $req, 'IDPInitiated' )
# unless defined $idp_initiated;
#$idp_initiated_sp = $self->p->getHiddenFormValue( $req, 'sp' )
# unless defined $idp_initiated_sp;
#$idp_initiated_spConfKey =
# $self->p->getHiddenFormValue( $req, 'spConfKey' )
# unless defined $idp_initiated_spConfKey;
# Check message
my ( $request, $response, $method, $relaystate, $artifact );
......
......@@ -109,3 +109,146 @@ sub _pForAuthUser {
}
1;
__END__
=pod
=encoding utf8
=head1 NAME
Lemonldap::NG::Portal::Main::Issuer - Base class for identity providers.
=head1 SYNOPSIS
package Lemonldap::NG::Portal::Issuer::My;
use strict;
use Mouse;
extends 'Lemonldap::NG::Portal::Main::Issuer';
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
# Optional initialization method
sub init {
my ($self) = @_;
...
# Must return 1 (succeed) or 0 (failure)
}
# Required methods are run() and logout(), they are launched only for
# authenticated users
# $req is a Lemonldap::NG::Portal::Main::Request object
# They must return a Lemonldap::NG::Portal::Main::Constants constant
sub run {
my ( $self, $req ) = @_
...
return PE_OK
}
sub logout {
my ( $self, $req ) = @_
...
return PE_OK
}
1;
=head1 DESCRIPTION
Lemonldap::NG::Portal::Main::Issuer is a base class to write identity providers
for Lemonldap::NG web-SSO system. It provide several methods to write easily
an IdP and manage authentication if the identity request comes before
authentication.
=head1 WRITING AN IDENTITY PROVIDER
To write a classic identity provider, you just have to inherit this class and
write run() and logout() methods. These methods must return a
Lemonldap::NG::Portal::Main::Constants constant.
A classic identity provider needs a "issuerDBE<gt>XXXE<lt>Path" parameter in
LLNG configuration to declare its base URI path (see
L<Lemonldap::NG::Manager::Build>). Example: /saml/. All requests that starts
with /saml/ will call run() after authenticatio if needed, and noone else.
The logout() function is called when user asks for logout on this server. If
you want to write an identity provider, you must implement a single logout
system.
=head2 managing other URI path
Lemonldap::NG::Portal::Main::Issuer provides methods to bind a method to an
URI path:
=over
=item addAuthRoute() for authenticated users
=item addUnauthRoute() for unauthenticated users
=back
They must be called during initialization process (so you must write the
optional init() sub).
Example:
sub init {
my ($self) = @_;
...
$self->addUnauthRoute( saml => { soap => 'soapServer' }, [ 'POST' ] );
return 1;
}
sub soapServer {
my ( $self, $req ) = @_;
...
# You must return a valid PSGI response
return [ 200, [ 'Content-Type' => 'application/xml' ], [] ];
}
=head1 SEE ALSO
L<http://lemonldap-ng.org/>
=head1 AUTHOR
=over
=item Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
=item Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=back
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<http://jira.ow2.org>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
=head1 COPYRIGHT AND LICENSE
=over
=item Copyright (C) 2016 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=item Copyright (C) 2016 by Clement Oudot, E<lt>clem.oudot@gmail.comE<gt>
=back
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see L<http://www.gnu.org/licenses/>.
=cut
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment