Changes for X.509 and Shibboleth login

0ff1e83d · Sonia Zorba · d3b51020 · 0ff1e83d · 0ff1e83d · 0ff1e83d
Commit 0ff1e83d authored 5 years ago by Sonia Zorba
--- a/.htaccess
+++ b/.htaccess
@@ -3,3 +3,12 @@ RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php [QSA,L]
+# mod_rewrite changes some Shibboleth headers
+# this restores them:
+SetEnvIf REDIRECT_Shib-Session-ID (.+) Shib-Session-ID=$1
+SetEnvIf REDIRECT_eppn (.+) eppn=$1
+SetEnvIf REDIRECT_mail (.+) mail=$1
+SetEnvIf REDIRECT_givenName (.+) givenName=$1
+SetEnvIf REDIRECT_sn (.+) sn=$1
--- a/auth/x509/index.php
+++ b/auth/x509/index.php
+<?php
+/* It is necessary to use this index file inside /auth/x509 
+ * because mod_rewrite (used by the Flight framework to
+ * create a front controller) changes some of the SSL headers
+ * and SSL client certificate is not recognized anymore */
+chdir(dirname(__FILE__));
+include '../../include/init.php';
+// Session must be started after classes inclusion in order
+// to avoid __PHP_Incomplete_Class Object error
+session_start();
+$x509Login = new \RAP\X509Login($locator);
+$url = $x509Login->login();
+header("Location: $url");
+die();
--- a/classes/login/ShibbolethLogin.php
+++ b/classes/login/ShibbolethLogin.php
@@ -10,26 +10,20 @@ class ShibbolethLogin extends LoginHandler {
    public function login() {
-        $prefix = '';
+        if (isset($_SERVER['Shib-Session-ID'])) {
-        if (isset($_SERVER['Shib-Session-ID']) || $redirect = isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-            if (isset($_SERVER['REDIRECT_Shib-Session-ID'])) {
-                $prefix = 'REDIRECT_';
-            }
            // Retrieving eduPersonPrincipalName (eppn)
-            $eppn = $_SERVER[$prefix . 'eppn'];
+            $eppn = $_SERVER['eppn'];
            // Search if the user is already registered into RAP using the eppn.
            // The persistent id should be a more appropriate identifier, however at IA2
            // we need to import all INAF user into RAP, even if they will never register,
            // and in that case we know only their eppn.
-            return $this->onIdentityDataReceived($eppn, function($identity) use($eppn, $prefix) {
+            return $this->onIdentityDataReceived($eppn, function($identity) use($eppn) {
-                $identity->email = $_SERVER[$prefix . 'mail'];
+                $identity->email = $_SERVER['mail'];
-                $identity->name = $_SERVER[$prefix . 'givenName'];
+                $identity->name = $_SERVER['givenName'];
-                $identity->surname = $_SERVER[$prefix . 'sn'];
+                $identity->surname = $_SERVER['sn'];
                $identity->eppn = $eppn;
            });
        } else {

--- a/classes/login/X509Login.php
+++ b/classes/login/X509Login.php
@@ -14,7 +14,7 @@ class X509Login extends LoginHandler {
        if (isset($_SERVER['SSL_CLIENT_VERIFY']) && isset($_SERVER['SSL_CLIENT_V_REMAIN']) &&
                $_SERVER['SSL_CLIENT_VERIFY'] === 'SUCCESS' && $_SERVER['SSL_CLIENT_V_REMAIN'] > 0) {
-            $x509Data = RAP\X509Data::parse($_SERVER);
+            $x509Data = X509Data::parse($_SERVER);
            $this->x509Data = $x509Data;
            return $this->onIdentityDataReceived($x509Data->serialNumber, function($identity) use ($x509Data) {

--- a/config-example.json
+++ b/config-example.json
@@ -31,7 +31,7 @@
            "secret": "XXXXXX",
            "callback": "/auth/social/linkedin/token"
        },
-        "X.509": {},
+        "X509": {},
        "LocalIdP": {
            "url": "https://sso.ia2.inaf.it/Shibboleth.sso/Login?entityID=https://sso.ia2.inaf.it/idp/shibboleth&target=https://sso.ia2.inaf.it/rap-ia2/auth/saml2/aai.php",
            "logo": "img/ia2-logo-60x60.png",