
function saml_sp__get_settings in SAML Service Provider 8.3

Same name and namespace in other branches
  1. 8.2 saml_sp.module \saml_sp__get_settings()
  2. 7.8 saml_sp.module \saml_sp__get_settings()
  3. 7 saml_sp.module \saml_sp__get_settings()
  4. 7.2 saml_sp.module \saml_sp__get_settings()
  5. 7.3 saml_sp.module \saml_sp__get_settings()
  6. 4.x saml_sp.module \saml_sp__get_settings()
  7. 3.x saml_sp.module \saml_sp__get_settings()

Get the SAML settings for an IdP.

Parameters

\Drupal\saml_sp\Entity\Idp|null $idp: An IdP object, such as that provided by saml_sp_idp_load($machine_name).

Return value

\OneLogin\Saml2\Settings IdP Settings data.

4 calls to saml_sp__get_settings()
SamlSPController::consume in src/Controller/SamlSPController.php
Receive data back from the IdP.
saml_sp_start in ./saml_sp.module
Start a SAML authentication request.
saml_sp__get_metadata in ./saml_sp.module
Load the settings and get the metadata.
saml_sp__logout in ./saml_sp.pages.inc
Page callback to initiate the SAML SLO process.

File

./saml_sp.module, line 96
SAML Service Provider.

Code

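/**
 * Builds the SAML settings array for an IdP in the OneLogin toolkit layout.
 *
 * The 'idp' section comes from the IdP entity, the 'sp', 'contactPerson',
 * 'organization' and 'security' sections from the saml_sp.settings config,
 * and the SP certificate/private key from the files named in that config.
 *
 * @param \Drupal\saml_sp\Entity\Idp|null $idp
 *   An IdP entity, such as that provided by saml_sp_idp_load(). When empty,
 *   an Idp built from no values is used, so every 'idp' field falls back to a
 *   placeholder ('blank' or the example login URL).
 *
 * @return array
 *   Settings array suitable for \OneLogin\Saml2\Settings. It contains the SP
 *   private key when key_location is readable, so callers must not log or
 *   expose the returned array.
 */
function saml_sp__get_settings($idp = NULL) {
  if (empty($idp)) {
    $idp = new Idp([]);
  }
  $settings = [];

  // The consumer endpoint will always be /saml/consume; it serves as both the
  // assertion consumer and the single-logout endpoint below.
  $endpoint_url = Url::fromRoute('saml_sp.consume', [], [
    'absolute' => TRUE,
  ]);
  $consume_url = $endpoint_url->toString();

  // Name to identify the IdP. (An earlier assignment from $idp->id() was dead
  // code: it was always overwritten by this one.)
  $settings['idp']['entityId'] = $idp->getEntityId() ?: 'blank';

  // URL to login of the IdP server.
  $settings['idp']['singleSignOnService']['url'] = $idp->getLoginUrl() ?: 'https://www.example.com/login';

  // URL to logout of the IdP server.
  $settings['idp']['singleLogoutService'] = [
    'url' => $idp->getLogoutUrl(),
    'binding' => Constants::BINDING_HTTP_REDIRECT,
  ];

  // The IdP's public X.509 certificate, which the toolkit uses to verify
  // signatures on IdP messages. Only one key is needed, so the first entry of
  // a list is used; `?? NULL` avoids an undefined-index notice on an empty list.
  $idp_cert = $idp->getX509Cert();
  if (is_array($idp_cert)) {
    $settings['idp']['x509cert'] = ($idp_cert[0] ?? NULL) ?: 'blank';
  }
  else {
    $settings['idp']['x509cert'] = $idp_cert ?: 'blank';
  }

  // The authentication method we want to use with the IdP:
  $authn_context_refs = $idp->getAuthnContextClassRef();
  $settings['idp']['AuthnContextClassRef'] = $authn_context_refs ?: 'blank';

  $config = \Drupal::config('saml_sp.settings');
  // Toolkit strict mode: when disabled the toolkit relaxes its validation of
  // incoming messages, so this should stay enabled outside development.
  $settings['strict'] = (bool) $config->get('strict');

  // Name to identify this application; if none is given use the absolute URL
  // of the user page instead.
  $settings['sp']['entityId'] = Html::escape($config->get('entity_id')) ?: Url::fromRoute('user.page', [], [
    'absolute' => TRUE,
  ])->toString();
  $settings['sp']['assertionConsumerService'] = [
    'url' => $consume_url,
    'binding' => Constants::BINDING_HTTP_POST,
  ];

  // Drupal URL to logout the user from the IdP.
  $settings['sp']['singleLogoutService'] = [
    'url' => $consume_url,
    'binding' => Constants::BINDING_HTTP_POST,
  ];

  // Tells the IdP to return the email address of the current user:
  $settings['sp']['NameIDFormat'] = Constants::NAMEID_EMAIL_ADDRESS;

  // Add the contact information for the SP. Names are HTML-escaped as they
  // end up in the published metadata; a contact is only added when both its
  // name and email are configured.
  $settings['contactPerson'] = [];
  $technical_name = $config->get('contact.technical.name');
  $technical_email = $config->get('contact.technical.email');
  if (!empty($technical_name) && !empty($technical_email)) {
    $settings['contactPerson']['technical'] = [
      'givenName' => Html::escape($technical_name),
      'emailAddress' => $technical_email,
    ];
  }
  $support_name = $config->get('contact.support.name');
  $support_email = $config->get('contact.support.email');
  if (!empty($support_name) && !empty($support_email)) {
    $settings['contactPerson']['support'] = [
      'givenName' => Html::escape($support_name),
      'emailAddress' => $support_email,
    ];
  }

  // Add the organization information, only when all three parts are set.
  $org_name = Html::escape($config->get('organization.name'));
  $org_disp = Html::escape($config->get('organization.display_name'));
  $org_url = $config->get('organization.url');
  if (!empty($org_name) && !empty($org_disp) && !empty($org_url)) {
    $settings['organization'] = [
      'en-US' => [
        'name' => $org_name,
        'displayname' => $org_disp,
        'url' => $org_url,
      ],
    ];
  }

  // Map the IdP's configured context refs onto the toolkit's values. A
  // foreach over an empty array is a no-op, so no separate emptiness check
  // is needed.
  $refs = saml_sp_authn_context_class_refs(TRUE);
  $authnContexts = [];
  if (is_array($authn_context_refs)) {
    foreach ($authn_context_refs as $value) {
      if (!empty($value)) {
        // NOTE(review): a $value that is not a key of $refs produces a NULL
        // entry here — confirm the IdP form restricts values to those keys.
        $authnContexts[] = $refs[$value];
      }
    }
  }

  // Add the security settings.
  $settings['security'] = [
    // Signatures and encryptions offered:
    'nameIdEncrypted' => (bool) $config->get('security.nameIdEncrypted'),
    'authnRequestsSigned' => (bool) $config->get('security.authnRequestsSigned'),
    'logoutRequestSigned' => (bool) $config->get('security.logoutRequestSigned'),
    'logoutResponseSigned' => (bool) $config->get('security.logoutResponseSigned'),
    // Sign the Metadata:
    'signMetadata' => (bool) $config->get('security.signMetaData'),
    // Signatures and encryptions required:
    'wantMessagesSigned' => (bool) $config->get('security.wantMessagesSigned'),
    'wantAssertionsSigned' => (bool) $config->get('security.wantAssertionsSigned'),
    'wantNameIdEncrypted' => (bool) $config->get('security.wantNameIdEncrypted'),
    'signatureAlgorithm' => $config->get('security.signatureAlgorithm'),
    'lowercaseUrlencoding' => (bool) $config->get('security.lowercaseUrlencoding'),
    'requestedAuthnContext' => empty($authnContexts) ? FALSE : $authnContexts,
  ];

  // The SP's public certificate(s). These are public material and so may be
  // seen (and altered) by hook_saml_sp_settings_alter() below.
  $cert_location = $config->get('cert_location');
  if ($cert_location && file_exists($cert_location)) {
    $settings['sp']['x509cert'] = file_get_contents($cert_location);
  }
  $new_cert_location = $config->get('new_cert_location');
  if ($new_cert_location && file_exists($new_cert_location)) {
    $settings['sp']['x509certNew'] = file_get_contents($new_cert_location);
  }

  // Invoke hook_saml_sp_settings_alter().
  \Drupal::moduleHandler()->alter('saml_sp_settings', $settings);

  // We are adding in the private key after the alter function because we don't
  // want to risk the private key getting into the hands of a rogue module.
  // Keep this block after the alter call.
  $key_location = $config->get('key_location');
  if ($key_location && file_exists($key_location)) {
    $settings['sp']['privateKey'] = file_get_contents($key_location);
  }
  return $settings;
}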