diff --git a/.htaccess b/.htaccess
index 0654970d0361d0925f2a271bf72101b1c16784c9..c59e2c4287f2112150acb12814705eae00ed4148 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,3 +3,12 @@ RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
+
+# mod_rewrite changes some Shibboleth headers
+# this restores them:
+SetEnvIf REDIRECT_Shib-Session-ID (.+) Shib-Session-ID=$1
+SetEnvIf REDIRECT_eppn (.+) eppn=$1
+SetEnvIf REDIRECT_mail (.+) mail=$1
+SetEnvIf REDIRECT_givenName (.+) givenName=$1
+SetEnvIf REDIRECT_sn (.+) sn=$1
+
diff --git a/auth/x509/index.php b/auth/x509/index.php
new file mode 100644
index 0000000000000000000000000000000000000000..fa7755b39858b0a81183f527d7187652e3596b44
--- /dev/null
+++ b/auth/x509/index.php
@@ -0,0 +1,19 @@
+<?php
+
+/* It is necessary to use this index file inside /auth/x509
+ * because mod_rewrite (used by the Flight framework to
+ * create a front controller) changes some of the SSL headers
+ * and SSL client certificate is not recognized anymore */
+
+chdir(dirname(__FILE__));
+
+include '../../include/init.php';
+// Session must be started after classes inclusion in order
+// to avoid __PHP_Incomplete_Class Object error
+session_start();
+
+$x509Login = new \RAP\X509Login($locator);
+$url = $x509Login->login();
+header("Location: $url");
+die();
+
diff --git a/classes/login/ShibbolethLogin.php b/classes/login/ShibbolethLogin.php
index adce6449e9ac913bafc26b90991bd8d95a6637fe..0d08f8f512e116d1e6d229df2901a959b98ff9f4 100644
--- a/classes/login/ShibbolethLogin.php
+++ b/classes/login/ShibbolethLogin.php
@@ -10,26 +10,20 @@ class ShibbolethLogin extends LoginHandler {
public function login() {
- $prefix = '';
-
- if (isset($_SERVER['Shib-Session-ID']) || $redirect = isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-
- if (isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
- $prefix = 'REDIRECT_';
- }
+ if (isset($_SERVER['Shib-Session-ID'])) {
// Retrieving eduPersonPrincipalName (eppn)
- $eppn = $_SERVER[$prefix . 'eppn'];
+ $eppn = $_SERVER['eppn'];
// Search if the user is already registered into RAP using the eppn.
// The persistent id should be a more appropriate identifier, however at IA2
// we need to import all INAF user into RAP, even if they will never register,
// and in that case we know only their eppn.
- return $this->onIdentityDataReceived($eppn, function($identity) use($eppn, $prefix) {
- $identity->email = $_SERVER[$prefix . 'mail'];
- $identity->name = $_SERVER[$prefix . 'givenName'];
- $identity->surname = $_SERVER[$prefix . 'sn'];
+ return $this->onIdentityDataReceived($eppn, function($identity) use($eppn) {
+ $identity->email = $_SERVER['mail'];
+ $identity->name = $_SERVER['givenName'];
+ $identity->surname = $_SERVER['sn'];
$identity->eppn = $eppn;
});
} else {
diff --git a/classes/login/X509Login.php b/classes/login/X509Login.php
index 33ce0a5a10bf310fcc9b29ee7ec4ee066eaaba80..b050bbacf4e653c625091223fa393901cae5fb41 100644
--- a/classes/login/X509Login.php
+++ b/classes/login/X509Login.php
@@ -14,7 +14,7 @@ class X509Login extends LoginHandler {
if (isset($_SERVER['SSL_CLIENT_VERIFY']) && isset($_SERVER['SSL_CLIENT_V_REMAIN']) &&
$_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' && $_SERVER['SSL_CLIENT_V_REMAIN'] > 0) {
- $x509Data = RAP\X509Data::parse($_SERVER);
+ $x509Data = X509Data::parse($_SERVER);
$this->x509Data = $x509Data;
return $this->onIdentityDataReceived($x509Data->serialNumber, function($identity) use ($x509Data) {
diff --git a/config-example.json b/config-example.json
index 909132e2a655122c03924699b4ee828192956b45..9cf0321eaae85e8abb44f37ba3557520b30e283a 100644
--- a/config-example.json
+++ b/config-example.json
@@ -31,7 +31,7 @@
"secret": "XXXXXX",
"callback": "/auth/social/linkedin/token"
},
- "X.509": {},
+ "X509": {},
"LocalIdP": {
"url": "https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php",
"logo": "img/ia2-logo-60x60.png",