getSettings(); $metadata = $settings->getSPMetadata(); $errors = $settings->validateMetadata($metadata); if (!empty($errors)) { throw new OneLogin_Saml2_Error( 'Invalid SP metadata: '.implode(', ', $errors), OneLogin_Saml2_Error::METADATA_SP_INVALID ); } return $metadata; } /** * Class SAML2Authenticate for SAML2 auth */ class SAML2Authenticate extends SugarAuthenticate { public $userAuthenticateClass = 'SAML2AuthenticateUser'; public $authenticationDir = 'SAML2Authenticate'; /** * @var OneLogin_Saml2_Auth */ private $samlLogoutAuth; /** * @var array */ private $samlLogoutArgs = []; /** * pre login initialization - use SAML2 to authenticate a user login process * @throws OneLogin_Saml2_Error */ public function pre_login() { $settingsInfo = []; require_once __DIR__ . '/../SAML2Authenticate/lib/onelogin/settings.php'; $auth = new OneLogin_Saml2_Auth($settingsInfo); if (!empty($_POST['SAMLResponse'])) { if (isset($_SESSION['AuthNRequestID'])) { $requestID = $_SESSION['AuthNRequestID']; } else { $requestID = null; } $auth->processResponse($requestID); $errors = $auth->getErrors(); if (!empty($errors)) { print_r('

' . implode(', ', $errors) . '

'); } if (!$auth->isAuthenticated()) { SugarApplication::redirect($auth->getSSOurl()); } $_SESSION['samlUserdata'] = $auth->getAttributes(); $_SESSION['samlNameId'] = $auth->getNameId(); $_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat(); $_SESSION['samlSessionIndex'] = $auth->getSessionIndex(); unset($_SESSION['AuthNRequestID']); if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) { $relayStateUrl = $_POST['RelayState'] . '?action=Login&module=Users'; $selfurl = OneLogin_Saml2_Utils::getSelfURL(); if ($selfurl === $relayStateUrl) { // Authenticate with suitecrm $this->redirectToLogin($GLOBALS['app']); } } elseif (!empty($_GET['SAMLResponse']) || (!empty($_GET['SAMLRequest']))) { $auth->processSLO(); $errors = $auth->getErrors(); if (!empty($errors)) { $GLOBALS['log']->warn('SLO errors: ' . implode(', ', $errors)); } $auth->login(); exit; } } else { $auth->login(); exit; } } /** * override SugarAuthenticate and use SAML2 authentication * @param SugarApplication $app * @return bool */ public function redirectToLogin(SugarApplication $app) { if (isset($_SESSION['samlNameId']) && !empty($_SESSION['samlNameId'])) { if ($this->userAuthenticate->loadUserOnLogin($_SESSION['samlNameId'], null)) { global $authController; $authController->login($_SESSION['samlNameId'], null); } SugarApplication::redirect('index.php?module=Users&action=LoggedOut'); } else { return false; } } /** * Called when a user requests to logout, and use SAML2 logout * @param bool $redirect * @param bool $exit * @param bool $clean * @throws OneLogin_Saml2_Error */ public function logout(bool $redirect = true, bool $exit = true, bool $clean = true) { if ($this->samlLogoutAuth && $this->samlLogoutAuth->getSLOurl()) { $this->samlLogoutAuth->logout( $this->samlLogoutArgs['returnTo'], $this->samlLogoutArgs['parameters'], $this->samlLogoutArgs['nameId'], $this->samlLogoutArgs['sessionIndex'], $this->samlLogoutArgs['false'], $this->samlLogoutArgs['nameIdFormat'] ); } else { // TODO: SLO Url need for SAML2, add it to SAML2 authentication settings $GLOBALS['log']->debug('SLO Url need for SAML2, add it to SAML2 authentication settings'); SugarApplication::redirect('index.php'); } } /** * call before from user logout page clear the session, store logout information for SAML2 logout */ public function preLogout() { $settingsInfo = []; require_once dirname(__FILE__, 2) . '/SAML2Authenticate/lib/onelogin/settings.php'; $auth = new OneLogin_Saml2_Auth($settingsInfo); $returnTo = null; $paramters = array(); $nameId = null; $sessionIndex = null; $nameIdFormat = null; if (isset($_SESSION['samlNameId'])) { $nameId = $_SESSION['samlNameId']; } if (isset($_SESSION['samlSessionIndex'])) { $sessionIndex = $_SESSION['samlSessionIndex']; } if (isset($_SESSION['samlNameIdFormat'])) { $nameIdFormat = $_SESSION['samlNameIdFormat']; } $this->samlLogoutAuth = $auth; $this->samlLogoutArgs = array('returnTo' => $returnTo, 'parameters' => $paramters, 'nameId' => $nameId, 'sessionIndex' => $sessionIndex, 'false' => false, 'nameIdFormat' => $nameIdFormat); } }