salvamomo / drupalauth Goto Github PK

If the modules 'simplesamlphp_auth' and 'drupalauth4ssp' are enabled / 
activated simultaneously on the same Drupal 7 server then an empty page is 
displayed. When I disable one of them or deactivate simplesamlphp_auth then it 
works nicely either as an SP or and IdP. But I need both: I want to use it as a 
User Register with another Drupal server (i.e. as an IdP) while I want to allow 
people to register into this User Register also from external sources such as 
Google and Facebook (i.e. as an SP). The User Register uses two separate 
SimpleSAMLphp installations, two different MySQL databases, and different 
cookies. Of course, the Google/Facebook IdP is based on a third SimpleSAMLphp 
installation.

I have found out there are conflicting (redeclared) functions and classes in 
'vendor/autoload.php', 'vendor/composer/autoload_real.php', 
'simplesamlphp/xmlseclibs/xmlseclibs.php' and 'lib/_autoload_modules.php'.
But I have no idea what the files in the folder 'vendor' do; I have found no 
clue in the documentation - is there a way to resolve these conflicts?

What steps will reproduce the problem?
1. Log in as a user on Drupal site
2. Goto site with SAML SP
3. Redirect to Drupal site
4. Notice that you just get the front page and don't get redirected back to SP 
site.

The attached patch fixes the issue by hooking into hook_init and if the user is 
already logged in ($user->uid != 0), performs the redirect. 

Location:
http://idp.saml.net/simplesaml/module.php/drupalauth/resume.php?State=_6a8b4f8b6
12de6d04c64becee5c38bf94efac5ccc6%3Ahttp%3A%2F%2Fidp.saml.net%2Fsimplesaml%2Fsam
l2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttp%253A%252F%252Fsp.saml.net%26cookie
Time%3D1403620133%26RelayState%3Dhttp%253A%252F%252Flocal2.saml.net%252Fsaml_log
in

Message

Notice: Undefined variable: attributes in 
sspmod_drupalauth_Auth_Source_External->getUser() (line 294 of 
D:\wamp\www\drupal-7-23-idp\simplesaml\modules\drupalauth\lib\Auth\Source\Extern
al.php).

Made 2 Drupal installations - one as parent and other one as child.

Made 2 'SimpleSAMLphp' installations - one as Identity Provider(idp) and other 
as Service Provider(sp).

In the parent Drupal 'drupalauth4ssp' module is enabled

Also, in the 'BASIC SETUP' of the parent Drupal, idp path is given in 
'Installation directory' and 'drupalauth:External' is given in 'Authentication 
source'.

The module 'drupalauth' is enabled in the idp installation.


In the child Drupal 'simplesamlphp_auth' module is enabled.


Also, in the 'BASIC SETUP' of the child Drupal, sp path is given in 
'Installation directory' and 'default-sp' is given in 'Authentication source'.


After I login into the parent drupal, when I click 'Federated Log In' to login 
in to the child drupal I getting errror page 

Unhandled exception
An unhandled exception was thrown.
If you report this error, please also report this tracking number which makes 
it possible to locate your session in the logs available to the system 
administrator: 44ecfc19f2
Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 D:\wamp\www\simplesaml\www\module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: User not authenticated after login page.
Backtrace:
2 D:\wamp\www\simplesaml\modules\drupalauth\lib\Auth\Source\External.php:439 
(sspmod_drupalauth_Auth_Source_External::resume)
1 D:\wamp\www\simplesaml\modules\drupalauth\www\resume.php:12 (require)
0 D:\wamp\www\simplesaml\www\module.php:135 (N/A)

What steps will reproduce the problem?
1. In the same browser (different tabs), sign into 2 SPs and the IdP. 
2. Initiate "Log Out" from the IdP (Drupal 7 Website)
3. You are only logged out from the IdP (Drupal 7 site), not the IdPs. 
4. If you initiate "Log Out" from any of the SPs, you are logged out of all 3 
SPs and the IdP (Drupal 7 site)

What is the expected output? What do you see instead?
Once logged out of the IdP (Drupal 7 site), I should be able to go to the SP 
tabs, and hit "refresh" and be redirected to a login page. That doesn't happen. 
I'm able to continue navigating throughout both SPs. 


What version of the product are you using? On what operating system?
I'm using the latest version of simpleSAMLphp on the IdP which is running a 
Drupal 7 website. 

Please provide any additional information below.

Hi, i'm using Drupal 7.22 under Linux, Drupalauth version 1.2.1_1x_7x 

I successfully configured the authentication, and custom text fields are passed 
correctly to the SP application, but turns out that if i define a field of type 
"List (text)" in Drupal the field isn't passed trough the authentication.

I've been working at the file External.php around line 266
Seem that the key 'safe_value' is not in the dictionary 
'$userAttrs[$userKey]['und'][0]' but there is a key 'value' instead.

I attach a patch for drupalauth/lib/Auth/Source/External.php . 

The issue is that when passing a return to param to the logout() method, the 
param is not used.

Here is working code to make that work, the code usses snippets from the drupal 
redirect logout module.

drupalauth4ssp.module
// implements hook_user_logout()
function drupalauth4ssp_user_logout($account) {
  // Get the configuration information from SimpleSAMLphp
  $sspConfig = _drupalauth4ssp_get_simplesamlphp_config();

  // If we don't have configuration, exit without doing anything
  if (!is_array($sspConfig)) {
    // The least we can do is write something to the watchdog so someone will know what's happening.
    watchdog('drupalauth4ssp', 'Could not use drupalauth for %name, could not get the SimpleSAMLphp configuration.', array('%name' => $user->name));
    return;
  }

  // Delete the cookie
  setcookie($sspConfig['cookie_name'], "", time() - 3600 , $sspConfig['baseurlpath']);

  // if the ReturnTo URL is present, send the user to the URL
  if (isset($_GET['ReturnTo']) && $_GET['ReturnTo']) {
    $destination = &drupal_static(__FUNCTION__);
    $destination = $_GET['ReturnTo'];
  }
}

/**
 * Implements hook_drupal_goto_alter().
 */
function drupalauth4ssp_drupal_goto_alter(&$path, &$options, 
&$http_response_code) {
  $destination = &drupal_static('drupalauth4ssp_user_logout');
  if (!$path && $destination) {
    drupal_goto($destination);
  }
}

And here is the code change for External.php
    /**
     * This function is called when the user start a logout operation, for example
     * by logging out of a SP that supports single logout.
     *
     * @param array &$state  The logout state array.
     */
    public function logout(&$state) {
    assert('is_array($state)');

    if (!session_id()) {
      /* session_start not called before. Do it here. */
      session_start();
    }

    /*
     * In this example we simply remove the 'uid' from the session.
     */
    unset($_SESSION['uid']);

    // Added armor plating, just in case
    if (isset($_COOKIE[$this->cookie_name])) {
      setcookie($this->cookie_name, "", time() - 3600, $this->cookie_path);

    }

    if (isset($state['ReturnTo'])) {
      SimpleSAML_Utilities::redirect($this->drupal_logout_url, array(
        'ReturnTo' => $state['ReturnTo'],
      ));
    }
    else {
      /*
        * Redirect the user to the Drupal logout page
        */
      header('Location: ' . $this->drupal_logout_url);
    }
    die;
  }

What steps will reproduce the problem?
1. Log out on Drupal site directly
2. Go to WordPress site, which has SLO support
3. Still logged into WordPress because WordPress is on it's own installation of 
SSP, not the same one as the IdP.

What is the expected output? What do you see instead?

Expected to get logged out of WP. In other words, $as->isAuthenticated() should 
fail.


What version of the product are you using? On what operating system?

Latest version. Configured and working on Drupal site.


Please provide any additional information below.

Not logging into Drupal site with SSP because it *is* the IdP. But I can set up 
an SP for it as long as this won't make it too hard for things to work for my 
existing Drupal users.

There is a serious security issue with the Drupal integration in simplesamlphp.
The function "getUser()" which returns the attributes for the current user 
picks the Drupal User ID "uid" from a Cookie which obviously passes through the 
client machine. There is nothing stopping a suitable engineered client from 
changing the uid in the Cookie to be any user. Thus the client could acquire 
single sign on credentials for any Drupal user whatsoever by manipulating the 
Cookie so that when a single sign on transaction is started the client machine 
gets logged in to the requesting server as that other user rather that as the 
currently logged in Drupal user.

There is a very straightforward alternative which is to fetch the credentials 
for the currently logged in Drupal user in 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php ...
Pseudo code...
global $user;
...
$drupaluid = $user->uid;
...
$drupaluser = user_load($drupaluid);

I have also added "chdir(DRUPAL_ROOT)" in two places as, at least in Drupal 6, 
Drupal generates errors if it is called with the wrong working directory. 
"chdir($a)" changes back the working directory after the call.

The code to fix the above issues is in the attached new version of 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php and, as an 
alternative, a patch "External.php.patch" to apply the change. 

Alan Barrett

What steps will reproduce the problem?
It is not possible to provide a language parameter from SP to IdP, because 
drupalauth module will always redirect user to /user path of the IdP Drupal.

What is the expected output? What do you see instead?
Login is always in default language. It would be nice to have it in the same 
language as in SP when user starts the login process.

What version of the product are you using? On what operating system?
Latest code on Drupal 7.30.

Please provide any additional information below.
Below is a fix for both simplesamlphp and drupal modules. A language url 
parameter can be passed from SP to IdP and it will be stored in session. IdP 
Drupal needs to have the language negotiation set to session with "language" as 
parameter name.

Add this to drupalauth4ssp.module

/**
 * Implements hook_init().
 */
function drupalauth4ssp_init() {
  // Store language to session from URL if set
  if (isset($_GET['language'])) {
    $_SESSION['language'] = $_GET['language'];
  }
  // Store destination to session from URL if set
  if (isset($_GET['destination'])) {
    $_SESSION['destination'] = $_GET['destination'];
  }
}

And this to External.php:

  // If language is set, then append it to URL so that Drupal can react
  if (isset($_GET['language'])) {
    $authPage = $authPage . '&language=' . $_GET['language'];
  }

What steps will reproduce the problem?
1. Use a SP
2. Call the $as->logout(array('ReturnTo' => $url)); method.

What is the expected output? What do you see instead?
Afther being logged out of saml and drupal, you would expect to be redirected 
to the $url provided in the logout() method as described in 
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_5

What version of the product are you using? On what operating system?
Drupal 7, simpleSAMLphp latest.

Please provide any additional information below.

What steps will reproduce the problem?
1. In SP, click 'Test authentication resources' > 'drupal-userpass'
2. Login (E.g. admin credentials)

What is the expected output? What do you see instead?

Expected output = redirect to Drupal SP page and login over there
I see = White screen at simplesaml/module.php/core/loginuserpass.php

What version of the product are you using? On what operating system?
Latest version
Ubuntu

Please provide any additional information below.
I wonder if the problem could be caused by a misconfiguration on the Idp. 
However, I'm not sure about this. Therefore I would like to know if this 
behaviour is 'normal'. Why does the drupalauth module doesn't send a redirect?

Regards,
W

It would be nice if this recorded login events (success or failure) to the 
Drupal watchdog. It would also be good if it updated the user's last login 
information as well.

What steps will reproduce the problem?
1. Login to Drupal with acct1
2. Go to /user/acct2 (view the user profile, etc)
3. Initiate a drupalauth-based SAML login to your Service Provider
4. You will be logged in NOT as the currently authenticated session, but as the 
user you viewed.

We are using 7.x-1.0.

It looks like this is the responsible piece of code:
// implements hook_user_view()
function drupalauth4ssp_user_view($account, $view_mode, $langcode) {
  _drupalauth4ssp_exec($account);
}

Commenting this out fixed the issue for us.  

What reason could there be for setting the user cookie on user view?!

Wouldn't it be much safer just to rely on the native SESS* cookie, that already 
relates to the authenticated user session?

In the simpleSAMLphp installation page, I clicked on the Authentication tab to 
test the drupalauth connection. I entered a username and password for an 
account in the site and got the following error message on a white screen:

Call to undefined function entity_load() in 
/home/sitename/public_html/modules/user/user.module on line 287

1.)
Notice: Use of undefined constant DRUPAL_ROOT - assumed 'DRUPAL_ROOT' in 
/simplesamlphp/modules/drupalauth/lib/Auth/Source/UserPass.php on line 107
To fix change line 107 from
define(DRUPAL_ROOT, $drupalAuthConfig->getDrupalroot());
to
define('DRUPAL_ROOT', $drupalAuthConfig->getDrupalroot());

2.)
Strict standards: Creating default object from empty value in 
/var/www/bloodhound/simplesamlphp/modules/drupalauth/lib/Auth/Source/UserPass.ph
p on line 119

to fix add the following below line 118
if(!is_object($user)){
  $user = new stdClass();
}

so that:

global $user;
$user->uid = 0;

becomes:

global $user;
if(!is_object($user)){
  $user = new stdClass();
}
$user->uid = 0;

The Drupal Module "drupalauth4ssp" does not work with Drupal 6 (user hooks not 
triggered).
To make it work a new "hook" function drupalauth4ssp_user(...) needs to be 
added to 
simplesamlphp/modules/drupalauth/drupal_module/drupalauth4ssp/drupalauth4ssp.mod
ule .
The user hook functions in drupalauth4ssp.module are only triggered in Drupal 
7, but are not triggered in Drupal 6.
drupalauth4ssp_user(...) provides the equivalent functionality for Drupal 6. 
Since the "user" hook does not seem to be triggered in Drupal 7, it does not 
seem to be an issue to leave that function in the Drupal 7 version (in other 
words it would seem that the module with that function added will work with 
both Drupal 6 and 7).

Attached is an updated drupalauth4ssp.module and, as an alternative, a patch 
"drupalauth4ssp.module.patch" to apply the change.

Alan Barrett

How does this work in a multi-site environment when you have multiple websites 
under the same Drupal installation and you only want one of them to be 
authenticated against?

I noticed that only the first value of multi-value fields is used.

The attached patch adds support for multi-value fields.

1. Configure drupalauth + drupalauth4ssp
2. In simplesaml config.php file, set up baseurlpath to any valid URL 
(http://...)

Logins do not work, because the cookie path that drupal module is trying to set 
will equal to /http://... as per following code:

  // get the baseurlpath
  $config['baseurlpath'] = '/' . $sspConfig->getValue('baseurlpath');

You currently are unable to use the same user field for multiple SAML 
attributes. If you do this then only the last SAML attribute will be set. This 
occurs because of the array handling in the loop on line 239 of 
lib/auth/source/External.php.

The use case of this is passing the user email field as the email attribute and 
the username attribute for Salesforce, which wants an email for the username 
field.

Patch attached.