Error with Shibboleth authentication\n";
print "You have attempted to log in using Shibboleth from an
\n";
print "institution that does not allow VCL to see all of these
\n";
print "attributes:
\n";
print "
\n";
print "- eduPersonPrincipalName
\n";
print "
\n";
print "and either:\n";
print "\n";
print "- sn and givenName
\n";
print "
\n";
print "or:\n";
print "\n";
print "- displayName
\n";
print "
\n";
print "You need to contact the administrator of your institution's
\n";
print "IdP to have all of those attributes be available to VCL in
\n";
print "order to log in using Shibboleth.\n";
dbDisconnect();
exit;
}
}
}
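// open keys
// Load the PEM key pair used for the auth cookie into $keys.  Each file is
// read whole with file_get_contents() instead of a single fread() of 8192
// bytes, so a longer PEM file is not silently truncated into an unusable
// key.  An unreadable file yields false, which is routed to the same
// abort code the invalid-key case already uses (6 = private, 7 = public).
// $pemkey (the private-key passphrase) is defined elsewhere in the project.
$key = file_get_contents(".ht-inc/keys.pem");
$keys["private"] = ($key === false) ? false : openssl_pkey_get_private($key, $pemkey);
if(! $keys['private'])
	abort(6);
$key = file_get_contents(".ht-inc/pubkey.pem");
$keys["public"] = ($key === false) ? false : openssl_pkey_get_public($key);
if(! $keys['public'])
	abort(7);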
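# get VCL affiliation from shib affiliation
# eppn is expected to be "user@scope"; the scope (IdP domain) is looked up
# in affiliation.shibname.  The split is guarded so a scope-less eppn does
# not raise an undefined-index notice (it still resolves to '' as before).
$eppnparts = explode('@', $_SERVER['eppn']);
$username = strtolower($eppnparts[0]);
$shibscope = isset($eppnparts[1]) ? strtolower($eppnparts[1]) : '';
$shibscope_esc = mysql_escape_string($shibscope);
$query = "SELECT name, shibonly FROM affiliation WHERE shibname = '$shibscope_esc'";
$qh = doQuery($query, 101);
# if shib affiliation not already in VCL, create affiliation
if(! ($row = mysql_fetch_assoc($qh))) {
	$affil = $shibscope;
	# derive a candidate VCL name from the scope minus its last label,
	# e.g. "example.edu" -> "EXAMPLE"; everything outside [A-Z0-9] is
	# stripped, which is also what makes $affilname safe to interpolate
	# directly into the LIKE pattern and the regex below
	$labels = explode('.', $affil);
	array_pop($labels);
	$affilname = strtoupper(implode('', $labels));
	$affilname = preg_replace('/[^A-Z0-9]/', '', $affilname);
	# find the highest existing name sharing this prefix so a numeric
	# suffix can be chosen that does not collide
	$query = "SELECT name, "
	       . "shibname "
	       . "FROM affiliation "
	       . "WHERE name LIKE '$affilname%' "
	       . "ORDER BY name DESC "
	       . "LIMIT 1";
	$qh = doQuery($query, 101);
	if($row = mysql_fetch_assoc($qh)) {
		if(preg_match("/$affilname([0-9]+)/", $row['name'], $matches)) {
			# an existing NAME<n> entry: use the next number
			$cnt = $matches[1];
			$cnt++;
			$newaffilname = $affilname . $cnt;
		}
		elseif($affilname != $row['name'] && $affil != $row['shibname']) {
			$newaffilname = $affilname;
		}
		else {
			# the bare name is already taken (or the shibname is) and no
			# numbered variant was found; notify the admins and stop
			$msg = "Someone tried to log in to VCL using Shibboleth from an idp "
			     . "affiliation that could not be automatically added.\n\n"
			     . "eppn: {$_SERVER['eppn']}\n";
			# sn/givenName are optional when displayName is supplied, so
			# only report the attributes that are actually present
			if(array_key_exists('givenName', $_SERVER))
				$msg .= "givenName: {$_SERVER['givenName']}\n";
			if(array_key_exists('sn', $_SERVER))
				$msg .= "sn: {$_SERVER['sn']}\n";
			if(array_key_exists('mail', $_SERVER))
				$msg .= "mail: {$_SERVER['mail']}\n\n";
			$msg .= "tried to add VCL affiliation name \"$affilname\" with "
			      . "shibname \"$affil\"";
			$mailParams = "-f" . ENVELOPESENDER;
			mail(ERROREMAIL, "Error with VCL pages (problem adding shib affil)", $msg, '', $mailParams);
			print "\n";
			print "Error encountered
\n";
			print "You have attempted to log in to VCL using a Shibboleth
\n";
			print "Identity Provider that VCL has not been configured to
\n";
			print "work with. VCL administrators have been notified of the
\n";
			print "problem.
\n";
			print "\n";
			dbDisconnect();
			exit;
		}
	}
	else
		$newaffilname = $affilname;
	# $newaffilname is already restricted to [A-Z0-9]; the shibname is
	# IdP-supplied and is escaped
	$query = "INSERT INTO affiliation "
	       . "(name, "
	       . "shibname, "
	       . "shibonly) "
	       . "VALUES "
	       . "('$newaffilname', "
	       . "'" . mysql_escape_string($affil) . "', "
	       . "1)";
	doQuery($query, 101, 'vcl', 1);
	unset($row);
	$row = array('name' => $newaffilname, 'shibonly' => 1);
}
$affil = $row['name'];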
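# create VCL userid
$userid = "$username@$affil";
if($row['shibonly']) {
	# shib-only affiliation: the user record is (re)built from the shib
	# attributes on every login and group membership is synced from the
	# affiliation attribute
	$userdata = updateShibUser($userid);
	# NOTE(review): $_SERVER['affiliation'] is not checked for presence
	# here; confirm updateShibGroups tolerates a missing value
	updateShibGroups($userdata['id'], $_SERVER['affiliation']);
	$usernid = $userdata['id'];
}
else {
	$usernid = getUserlistID($userid, 1);
	if(is_null($usernid)) {
		# updateShibUser is used as returning a user record in the
		# shibonly branch above, so take the id from the record here as
		# well; the original assigned the whole return value to $usernid,
		# which then ended up in the shibauth INSERT below
		$userdata = updateShibUser($userid);
		$usernid = $userdata['id'];
	}
}
$affilid = getAffiliationID($affil);
addLoginLog($userid, 'shibboleth', $affilid, 1);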
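# save data to shibauth table
# The serialized attribute set is stored per Shib session so later requests
# can be tied back to this authentication.  The 'Shib-AuthnContext-Dec' key
# (no trailing 'l') is kept as-is because the blob is presumably read back
# under that exact key elsewhere -- TODO confirm before renaming.
$shibdata = array('Shib-Application-ID' => $_SERVER['Shib-Application-ID'],
                  'Shib-Identity-Provider' => $_SERVER['Shib-Identity-Provider'],
                  'Shib-AuthnContext-Dec' => $_SERVER['Shib-AuthnContext-Decl'],
                  'Shib-logouturl' => $_SERVER['Shib-logouturl'],
                  # previously copied Shib-logouturl into the eppn slot
                  'eppn' => $_SERVER['eppn'],
                  'unscoped-affiliation' => $_SERVER['unscoped-affiliation'],
                  'affiliation' => $_SERVER['affiliation'],
);
$serdata = mysql_escape_string(serialize($shibdata));
# the session id is set by the SP, but it is still quoted into SQL, so it
# is escaped like every other interpolated value in this file
$sessid = mysql_escape_string($_SERVER['Shib-Session-ID']);
$query = "SELECT id "
       . "FROM shibauth "
       . "WHERE sessid = '$sessid'";
$qh = doQuery($query, 101);
if($row = mysql_fetch_assoc($qh)) {
	$shibauthid = $row['id'];
}
else {
	$ts = strtotime($_SERVER['Shib-Authentication-Instant']);
	$ts = unixToDatetime($ts);
	# $usernid is a numeric id from the user lookup above and is inserted
	# unquoted, as in the rest of the file
	$query = "INSERT INTO shibauth "
	       . "(userid, "
	       . "ts, "
	       . "sessid, "
	       . "data) "
	       . "VALUES "
	       . "($usernid, "
	       . "'$ts', "
	       . "'$sessid', "
	       . "'$serdata')";
	doQuery($query, 101);
	$qh = doQuery("SELECT LAST_INSERT_ID() FROM shibauth", 101);
	$row = mysql_fetch_row($qh);
	if(! $row) {
		# TODO: no insert id came back; execution currently continues with
		# a null $shibauthid, which the cookie below will carry
	}
	$shibauthid = $row[0];
}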
# get cookie data
$cookie = getAuthCookieData($userid, 600, $shibauthid);
# set cookie
# The httponly argument to setcookie() only exists from PHP 5.2 on, hence
# the two call forms.  Both pass expiry 0 (a session cookie) and secure=0;
# the commented-out alternatives use the $cookie['ts'] expiry with
# secure=1.  With secure off, the auth cookie is also sent over plain HTTP.
$has_httponly = version_compare(PHP_VERSION, "5.2", ">=");
if($has_httponly) {
	#setcookie("VCLAUTH", "{$cookie['data']}", $cookie['ts'], "/", COOKIEDOMAIN, 1, 1);
	setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, 0, 1);
}
else {
	#setcookie("VCLAUTH", "{$cookie['data']}", $cookie['ts'], "/", COOKIEDOMAIN, 1);
	setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN);
}
# set skin cookie based on affiliation
# affiliations with their own skin get the upper-cased affiliation name;
# everything else gets "default"  (loose comparison, as the switch had)
$skinexpire = time() + (SECINDAY * 31);
$skinned_affils = array('Example1', 'EXAMPLE2');
$skin = in_array($affil, $skinned_affils) ? strtoupper($affil) : "default";
setcookie("VCLSKIN", $skin, $skinexpire, "/", COOKIEDOMAIN);
header("Location: " . BASEURL . "/");
dbDisconnect();
?>