issue #2 support ssl offloadin
szabogyula committed Nov 28, 2016
1 parent d09f5b8 commit ca9d842
Showing 2 changed files with 19 additions and 7 deletions.
7 changes: 7 additions & 0 deletions config-templates/module_aa.php
Expand Up @@ -22,4 +22,11 @@
*/
//'signAssertion' => FALSE,

/**
* Header variable that contain the ssl client certificate, default is SSL_CLIENT_CERT.
* Useful when the AA is behind load balancer.
*/
//'sslClientCertContainer' => 'SSL_CLIENT_CERT',


);
19 changes: 12 additions & 7 deletions lib/AA/SAML2.php
@@ -1,11 +1,7 @@
<?php

/*
Implements SAML2 Attribute Authority
*/

/**
*
* Implements SAML2 Attribute Authority
*/
class sspmod_aa_AA_SAML2
{
Expand Down Expand Up @@ -34,6 +30,11 @@ public function __construct($metadata)
$this->signResponse = $this->config->getBoolean('signResponse');
}

$this->sslClientCertContainer = 'SSL_CLIENT_CERT';
if ($this->config->hasValue('sslClientCertContainer')) {
$this->sslClientCertContainer = $this->config->getString('sslClientCertContainer');
}

$this->binding = $this->getBinding();
$this->query = $this->getQuery();
$this->attributeNameFormat = $this->getAttributeNameFormat();
Expand Down Expand Up @@ -125,9 +126,13 @@ private function authenticate()
if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)) {
SimpleSAML_Logger::debug('[aa] Request was made using the following certificate: '.var_export($_SERVER['SSL_CLIENT_VERIFY'], 1));
}
if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER) && $_SERVER['SSL_CLIENT_VERIFY'] && $_SERVER['SSL_CLIENT_VERIFY'] != 'NONE') {
if (array_key_exists('SSL_CLIENT_VERIFY', $_SERVER)
&& $_SERVER['SSL_CLIENT_VERIFY']
&& $_SERVER['SSL_CLIENT_VERIFY'] != 'NONE'
&& $_SERVER[$this->sslClientCertContainer]
) {
/* compare certificate fingerprints */
$clientCertData = trim(preg_replace('/--.* CERTIFICATE-+-/', '', $_SERVER['SSL_CLIENT_CERT']));
$clientCertData = trim(preg_replace('/--.* CERTIFICATE-+-/', '', $_SERVER[$this->sslClientCertContainer]));
$clientCertFingerprint = strtolower(sha1(base64_decode($clientCertData)));
if (!$clientCertFingerprint) {
throw new SimpleSAML_Error_Exception('[aa] Can not calculate certificate fingerprint from the request.');
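Review bot: The added condition `&& $_SERVER[$this->sslClientCertContainer]` reads the key without checking that it exists, so a request that passes the SSL_CLIENT_VERIFY checks but carries no value in the configured container emits an undefined-index notice before the branch is skipped; `&& !empty($_SERVER[$this->sslClientCertContainer])` keeps the intended semantics without the notice. Once the container names a forwarded header rather than the local TLS stack's SSL_CLIENT_CERT (the load-balancer case the config-templates/module_aa.php comment describes), both its contents and the SSL_CLIENT_VERIFY value it is paired with are only as trustworthy as the frontend that sets them, and nothing in the hunk records that; a comment at the condition such as `// If sslClientCertContainer is a forwarded header, the TLS-terminating frontend must set or strip it on every request and must be the only route to this endpoint` would capture the deployment requirement, and the same caveat belongs next to the template option. The property assigned in the constructor hunk should also be declared on the class if it is not already; the class body is outside the hunk. authenticate() continues past the end of the hunk, so the non-matching branch and the fingerprint comparison were not reviewed here.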
