diff --git a/conf/authen_saml2.conf.dist b/conf/authen_saml2.conf.dist
new file mode 100644
index 0000000000..8701d0efba
--- /dev/null
+++ b/conf/authen_saml2.conf.dist
@@ -0,0 +1,132 @@
+#!perl
+################################################################################
+# Configuration for using Saml2 authentication.
+# To enable this Saml2 authentication, copy this file to conf/authen_saml2.conf
+# and uncomment the appropriate lines in localOverrides.conf. The Saml2
+# authentication module uses the Net::SAML2 library. The library claims to be
+# compatible with a wide range of SAML2 implementations, including Shibboleth.
+################################################################################
+
+# Set Saml2 as the authentication module to use.
+# Comment out 'WeBWorK::Authen::Basic_TheLastOption' if bypassing Saml2
+# authentication is not allowed (see $saml2{bypass_query} below).
+$authen{user_module} = [
+ 'WeBWorK::Authen::Saml2',
+ 'WeBWorK::Authen::Basic_TheLastOption'
+];
+
+# List of authentication modules that may be used to enter the admin course.
+# This is used instead of $authen{user_module} when logging into the admin
+# course. Since the admin course provides overall power to add/delete courses,
+# access to this course should be protected by the best possible authentication
+# you have available to you.
+$authen{admin_module} = [
+ 'WeBWorK::Authen::Saml2'
+];
+
+# Note that Saml2 authentication can be used in conjunction with webwork's two
+# factor authentication. If the identity provider does not provide two factor
+# authentication, then it is recommended that you DO use webwork's two factor
+# authentication. If the identity provider does provide two factor
+# authentication, then you would not want your users need to perform two factor
+# authentication twice, so you should disable webwork's two factor
+# authentication. The two factor authentication settings are set in
+# localOverrides.conf.
+
+# This URL query parameter can be added to the end of a course url to skip the
+# saml2 authentication module and go to the next one, for example,
+# http://your.school.edu/webwork2/courseID?bypassSaml2=1. Comment out the next
+# line to disable this feature.
+$saml2{bypass_query} = 'bypassSaml2';
+
+# If $external_auth is 1, and the authentication sequence reaches
+# Basic_TheLastOption, then the webwork login screen will show a message
+# directing the user to use the external authentication system to login. This
+# prevents users from attempting to login in to WeBWorK directly.
+$external_auth = 0;
+
+# The $saml2{idps} hash contains names of identity proviers and their SAML2
+# metadata URLs that are used by this server. Webwork will request the identity
+# provider's metadata from the URL of the $saml2{active_idp} during the
+# authentication process. Additional identity providers can also be added for a
+# particular course by adding, for example, $saml2{idps}{other_idp} = '...' to
+# the course.conf file of the course. Note that the names of the identity
+# providers in this hash are used for a directory name in which the metadata and
+# certificate for the identity provider are saved. So the names should only
+# contain alpha numeric characters and underscores.
+$saml2{idps} = {
+ default => 'http://idp/simplesaml/module.php/saml/idp/metadata',
+ # Add additional identity providers used by this server below.
+ #other_idp => 'http://other.idp.server/metadata',
+};
+
+# The $saml2{active_idp} is the identity provider in the $saml2{idps} hash that
+# will be used. If different identity providers are used for different courses,
+# then set $saml2{active_idp} = 'other_idp' in the course.conf file of each
+# course.
+$saml2{active_idp} = 'default';
+
+# The identity provider will need to be configured to obtain webwork2's sevice
+# provider metadata using the URL
+# https://webwork.yourschool.edu/webwork2/saml2/metadata.
+# The URL needs to have the courseID URL parameter added if Saml2 authentication
+# is not enabled site wide, but is enabled for some courses in those course's
+# course.conf files. So for example if the course is myTestCourse, then the
+# metadata URL would be
+# https://webwork.yourschool.edu/webwork2/saml2/metadata?courseID=myTestCourse
+# Further note that if multiple courses use that same identity provider then
+# just pick any one of the courses to use in the metadata URL.
+
+# This the id for the webwork2 service provider. This is usually the application
+# root URL plus the base path to the service provider.
+$saml2{sp}{entity_id} = 'http://localhost:8080/webwork2/saml2';
+
+# This is the organization metadata information for the webwork2 service
+# provider. The Saml2 authentication module will generate xml metadata that can
+# be obtained by the identity provider for configuration from the
+# /webwork2/saml2/metadata URL if Saml2 authentication is enabled site wide.
+# However, Saml2 authentication can be enabled for individual courses as well by
+# setting the options in this file in a course's course.conf file. In that case
+# the identity provider will need to be configured to obtain the metadata from
+# the webwork2/courseID/saml2/metadata URL instead. Note that if Saml2
+# authentication is not enabled site wide and multiple courses use the same
+# identity provider, then pick the courseID of one of the courses that is
+# configured for that identity provider to use for the metadata URL. All of the
+# other courses share the same metedata.
+$saml2{sp}{org} = {
+ contact => 'webwork@example.edu',
+ name => 'webwork',
+ url => 'https://localhost:8080/',
+ display_name => 'WeBWorK'
+};
+
+# The following list of attributes will be checked in the given order for a
+# matching user in the webwork2 course. If no attributes are given, then
+# webwork2 will default to the NameID. It is recommended that you use the
+# attribute's OID.
+$saml2{sp}{attributes} = [
+ 'urn:oid:0.9.2342.19200300.100.1.1'
+];
+
+# The following settings are the locations of the files that contain the
+# certificate and private key for the webwork2 service provider. A certificate
+# and private key can be generated using openssl. For example,
+# openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
+# The files saml.crt and saml.pem that are generated contain the public
+# "certificate" and the "private_key", respectively.
+# Note that if the files are placed within the root webwork2 app directory, then
+# the paths may be given relative to the the root webwork2 app directory.
+# Otherwise the absolute path must be given. Make sure that the webwork2 app has
+# read permissions for those files.
+$saml2{sp}{certificate_file} = 'docker-config/idp/certs/saml.crt';
+$saml2{sp}{private_key_file} = 'docker-config/idp/certs/saml.pem';
+
+##############################################################################
+# SECURITY WARNING
+# For production, you MUST provide your own unique 'certificate' and
+# 'private_key' files. The files referred to in the default settings above are
+# only intended to be used in development, and are publicly exposed. Hence, they
+# provide NO SECURITY.
+##############################################################################
+
+1;
diff --git a/conf/authen_saml2.dist.yml b/conf/authen_saml2.dist.yml
deleted file mode 100644
index 6200516132..0000000000
--- a/conf/authen_saml2.dist.yml
+++ /dev/null
@@ -1,120 +0,0 @@
----
-################################################################################
-# Configuration for the Saml2 plugin
-#
-# To enable the Saml2 plugin, copy authen_saml2.dist.yml to authen_saml2.yml
-#
-# The Saml2 plugin uses the Net::SAML2 library, the library claims to be
-# compatible with a wide range of SAML2 implementations, including Shibboleth.
-################################################################################
-
-# add this query to the end of a course url to skip the saml2 authen module
-# and go to the next one, comment out to disable this feature
-bypass_query: bypassSaml2
-idp: # this is the central SAML2 server
- # url where we can get the SAML2 metadata xml for the IdP
- metadata_url: http://idp.docker:8180/simplesaml/module.php/saml/idp/metadata
-sp: # this is the Webwork side
- # also known as iss (issuer)
- entity_id: http://localhost:8080/saml2
- # endoints created by the plugin, relative to the webwork root url
- route:
- base: '/saml2' # prefix path for all URLs handled by the plugin
- metadata: '/metadata' # actual path would be /saml2/metadata
- # 'Assertion Consumer Service', basically handles the SAML response, plugin
- # only supports a POST response (HTTP POST Binding)
- acs:
- post: '/acs/post'
- # Ideally, there would be a way to have separate app info and org info but
- # Net::SAML2's metadata generation doesn't seem to have that separation. So
- # I've filled out the org info with app info instead.
- org:
- contact: 'webwork@example.edu'
- name: 'webwork'
- url: 'https://localhost:8080/'
- display_name: 'WeBWorK'
- # list of attributes that can be used as the username, each of them will be
- # tried in turn to see if there's a matching user in the classlist. If no
- # attributes are given, then we'll default to the NameID. Please use the
- # attribute's OID
- attributes:
- - 'urn:oid:0.9.2342.19200300.100.1.1'
- ##############################################################################
- # SECURITY WARNING
- # For production, you MUST generate your own unique 'cert' and 'signing_key'.
- # The examples below are publicly exposed and thus provides NO SECURITY.
- ##############################################################################
- # Cert and key pairs can be generated using an openssl command such as:
- # openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out webwork.crt -keyout webwork.pem
- # Where webwork.crt contains the cert and webwork.pem contains the signing_key
- cert: |
- -----BEGIN CERTIFICATE-----
- MIIE7zCCA1egAwIBAgIUIteyNYLSAiB0FcNl0GLJNYRppk8wDQYJKoZIhvcNAQEL
- BQAwgYYxCzAJBgNVBAYTAkFBMQswCQYDVQQIDAJBQTEQMA4GA1UEBwwHRXhhbXBs
- ZTEQMA4GA1UECgwHRXhhbXBsZTEQMA4GA1UECwwHRXhhbXBsZTEQMA4GA1UEAwwH
- RXhhbXBsZTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmVkdTAeFw0y
- NDA1MDMwMTA2MzNaFw0zNDA1MDMwMTA2MzNaMIGGMQswCQYDVQQGEwJBQTELMAkG
- A1UECAwCQUExEDAOBgNVBAcMB0V4YW1wbGUxEDAOBgNVBAoMB0V4YW1wbGUxEDAO
- BgNVBAsMB0V4YW1wbGUxEDAOBgNVBAMMB0V4YW1wbGUxIjAgBgkqhkiG9w0BCQEW
- E2V4YW1wbGVAZXhhbXBsZS5lZHUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
- AoIBgQC45DCHUejzAeq+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOY
- Uc4djwx148N14A+S0GCys2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1Qfe
- pjCcr1djPH9PpwglG1nTsiWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6
- MWKsbVLKrYMV2kPcQ0PQByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9
- aDt4/AfK90BvhkjF4BuQ+Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9l
- aLZzaeutg+G3RUYcvDMlnP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPs
- CM16SB/6xptOxoLcg/5q3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/
- piWykDk6/BDWFpEHaj+NnFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCF
- OPVOYQECAwEAAaNTMFEwHQYDVR0OBBYEFGs8F3VIGSEk+DE2MBqqNKX6UuZTMB8G
- A1UdIwQYMBaAFGs8F3VIGSEk+DE2MBqqNKX6UuZTMA8GA1UdEwEB/wQFMAMBAf8w
- DQYJKoZIhvcNAQELBQADggGBAIpDktpfGH7ZqgdWvxbJrjekb1IyCGrWsHOYSjwM
- +MxnhAA6oY63wC04a2i31zIMNOkY9F0tAdd4uDchxA9IWHqpb7t7zBlZdDabPPC3
- WoDYnKhtZBULVVo7AvWO0UJGfZNJE393aKer3ePvfoG0OpCyrw4eFI/GCd4UjJBF
- DnD7hvUxE7RRwOhbuYrtDRuB3Z7CeeP8o81eDVexyuBpM/9UQjYPqBBAfoeYKQzu
- ZIhpGRWXw0ntH+EEOWagRXA5pRru61hteParZe4LBjPqisqN4Ek6ZR7MD9gB5xnt
- Pn1BKRY08quFOZyaogzwfkYk5SCF8F8jBA8ZNAYwJWe1gtO3iw5vpUaQc2iCabvI
- Y+Pc6qsSNwbkl7+sFrVHzI9QZVyz1cARUXxvrgGNLBkYtprkG91k6mCjX90cQspb
- ZwHixcQyCNv+4H738e99h/Wf0YzjxFjDKrbGoosYBzWAsYYtzrtsBvw3SJMTXIh7
- OvFMA+rbIL8XWs8oNmZDDh8g0A==
- -----END CERTIFICATE-----
- signing_key: |
- -----BEGIN PRIVATE KEY-----
- MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC45DCHUejzAeq+
- eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOYUc4djwx148N14A+S0GCy
- s2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1QfepjCcr1djPH9PpwglG1nT
- siWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6MWKsbVLKrYMV2kPcQ0PQ
- ByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9aDt4/AfK90BvhkjF4BuQ
- +Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9laLZzaeutg+G3RUYcvDMl
- nP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPsCM16SB/6xptOxoLcg/5q
- 3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/piWykDk6/BDWFpEHaj+N
- nFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCFOPVOYQECAwEAAQKCAYAR
- p6iCo22tFrfFrGz+9epRoXCNgg/9h66gQyfcOKMD5wT5Oj3l31d4XgucleMqq2gz
- MaaOcPDLwh4ZskwJm8k3IM0GdN5w9tuxZ+fwp7CFXKvkpJwGcfyyk+kGd7QYoh2k
- GjjF8Fs0v+HZ9x7lqMzmW8wUr+7gYKJ56qCAkPbF6EteCfb1Cd9UPaF04RZdBKtt
- MxhbU9Y7CClHigbyWlgZmUW8dzoz8bTFklKL0FCJqad/bZYTMUYu91XT88oKCXbD
- AUxpF2Ikbkfj820XOqq8iV3xGpYszt1aMRpsdXbDAhCqfKoNet2X7jnRWlNXZutC
- RIUGm4VUNDNeD4nXW8aLgDa8bNQnvsSmM9DUVuPjbejUs0VN7uwxo8rYqvkAKiBQ
- 1ZqxoBK4ShZVcqgWE6CUj9FRZ3CVzSzydxZSQzex/ZRYPuYLUhQJFHLVIdJSYhf3
- XTEki0+ndwAB7yP/tBNlcxLftCzAaS7mPLLn1tf0A27QPCSjwOsTLxuJ4WYVkmkC
- gcEAuuh8EImBfE9WOg3ITmJpr95WlVi8WE6BHWowV8dQwODQLj+38itDDL1xLn9+
- Vuz4o9AaIBiH5fCr6otun28lVp/sNVdWnBVeioSpu3tGV18OiDNaXtXOo7qkUnBI
- Z+V7cD69gJLS6byD3OXlGi42h3XxK4mVlhwQtkQ69qI/zhl6rc0O2/iXXUAFa5T5
- MJ84Cw1B9kHFB/NC27sraee+cwAK0Pogj5WnqaBOIPeIO/f+br65xMUvEYvDD1m4
- TwIzAoHBAP082l0IQ5KHBY4WuFIDOoevO5SxHN5EUp2sPRDZwZxwOrjHxFRXPc/h
- pDrVEHEn/4HQ706AHYpED0diumr4gee7gusNIDcGpXwjGVdFmFvxKoDbhz1C5vL3
- xC7qgyS/ZtAopxpCPH3+7IrQyBk8e6He+8F97bA0e9sYSBQSuPLcdKQXGNbLYb6s
- yLbP02cB2CNeI1GJMQIOXe9bi9Cz5w+hCGMvEKt5oAz5SLWlPBvv1YATpG5Ux8Wy
- RbGPD4zj+wKBwBGVDx6rIMAl4nGhnEcrYM/HdZOk/kq8T88JjzSirkkGnO7M1av1
- P+Bx7bS3D5Zzwkv+poaAaEBMLI/qv+RFm1iTwK+f4KjcJcGYCzN0vEA50+8iDY1A
- RakHRK/wmg8T+lGrxT3UEf0k266q/atBz6VchexXi/fL+hJ7RqSuzJvBr9WrpYsx
- zmNaQ2hEYlCdmbMIcz0MINHHo3FyIPpcb4D37wyLiwaWyGffiZn2Tx19DbUzQdxt
- xCi9YgMOqJTeGwKBwQD4rJ0x5j+U0ApgcWcnAgyj2SwE47eZfDY0p0KAHZXGbV78
- vQ7KU7FbRhTjwP6YX9LEQ8v7pktbz2HBk+3DxayrRrNU5lrQLjKrKDxmOu1WvAgk
- 6W5wdhYcWbnI6HlHyLzJhGIzov+MKp1V45fbUE2Hs1Q9uc+CzMcja0C8lXYQ5vOT
- fyrhIm8lsr6W5paN/H2mnXbJRpNdlYYg2iD+HOu1qUh3PWx9Nr44f0MrPMs+E9Hw
- J1m9DnvuYxWVOwrmK6kCgcADfcatftIJWMqeYJsDnB9jJaANmjln2G3bppo9WcIC
- lvfXFE+Rf3FleaijVrUFbgxDU2MHh/2VPjJgIQT3QtfqS5+OnF1Z5+uOTGwbDNmT
- 3Th0IcSt6TjvLJwkanNeSkvc+2lMnuNtH6TQLXB0qEs3D7xND0kFWHfyies+RYNC
- eualoZJ/6UL9X2gkPG5jmzXjInEBguAL0ll5yETXgx6v0hXR058TcvPl58j73cCQ
- dzDq+xUD8nHpKM33A2EaUFY=
- -----END PRIVATE KEY-----
diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist
index 39b4a02afe..a660b50bcf 100644
--- a/conf/localOverrides.conf.dist
+++ b/conf/localOverrides.conf.dist
@@ -527,6 +527,16 @@ $mail{feedbackRecipients} = [
#include("conf/authen_ldap.conf");
+################################################################################
+# Saml2 Authentication
+################################################################################
+# Uncomment the following line to enable authentication via a Saml2 identity
+# provider. You will also need to copy the file authen_saml2.conf.dist to
+# authen_saml2.conf, and then edit that file to fill in the settings for your
+# installation.
+
+#include("conf/authen_saml2.conf");
+
################################################################################
# Session Management
################################################################################
diff --git a/docker-config/docker-compose.dist.yml b/docker-config/docker-compose.dist.yml
index a168a9f96e..6a8369a721 100644
--- a/docker-config/docker-compose.dist.yml
+++ b/docker-config/docker-compose.dist.yml
@@ -251,47 +251,27 @@ services:
#ports:
# - "6311:6311"
- # saml2 dev use only, separate profile from the other services so it doesn't
- # start in normal usage. Use "docker compose --profile saml2dev up" to start.
+ # SimpleSAMLphp Saml2 identity provider for development use only. This is a separate profile from the other services
+ # so it doesn't start in normal usage. Use "docker compose --profile saml2dev up" to start, and "docker compose
+ # --profile saml2dev down" to stop.
idp:
build:
- context: ./docker-config/idp/ # SimpleSAMLphp based IDP
+ context: ./docker-config/idp/
profiles:
- saml2dev
ports:
- '8180:80'
environment:
- SP_METADATA_URL: 'http://app.docker:8080/saml2/metadata'
- # the healthcheck url is simplesamlphp's url for triggering cron jobs, the
- # cron job it'll trigger is to automatically grab webwork sp's metadata
+ SP_METADATA_URL: 'http://app:8080/webwork2/saml2/metadata'
+ # The healthcheck url is SimpleSAMLphp's url for triggering cron jobs. The cron job it triggers will
+ # automatically fetch the webwork2 service provider's metadata.
healthcheck:
- test: ['CMD', 'curl', '-f', 'http://localhost/simplesaml/module.php/cron/run/docker/healthcheck']
+ test: ['CMD', 'curl', '-f', 'http://localhost/simplesaml/module.php/cron/run/metarefresh/webwork2']
start_period: 1m
start_interval: 15s
interval: 1h
retries: 1
timeout: 10s
- # Send internal docker traffic for the idp external port to the idp internal
- # port. Needed so the webwork saml2 plugin can request the idp metadata.
- socat-idp:
- image: alpine/socat:1.8.0.0
- profiles:
- - saml2dev
- command: 'TCP-LISTEN:8180,fork,reuseaddr TCP:idp:80'
- networks:
- default:
- aliases:
- - idp.docker
- # same port redirect so the idp can get the webwork saml2 plugin metadata
- socat-app:
- image: alpine/socat:1.8.0.0
- profiles:
- - saml2dev
- command: 'TCP-LISTEN:8080,fork,reuseaddr TCP:app:8080'
- networks:
- default:
- aliases:
- - app.docker
volumes:
oplVolume:
diff --git a/docker-config/idp/Dockerfile b/docker-config/idp/Dockerfile
index a9dac13770..876ba9f7d0 100644
--- a/docker-config/idp/Dockerfile
+++ b/docker-config/idp/Dockerfile
@@ -1,8 +1,7 @@
-# actual image we'll run in the end
FROM php:8.3-apache
WORKDIR /var/www
-# Install composer & php extension installer
+# Install composer and the php extension installer.
COPY --from=composer/composer:2-bin /composer /usr/bin/composer
COPY --from=mlocati/php-extension-installer /usr/bin/install-php-extensions /usr/local/bin/
@@ -10,27 +9,30 @@ RUN apt-get update && \
apt-get -y install git curl vim && \
install-php-extensions ldap zip
-# dirs used by simplesamlphp needs to be accessible by apache user
+# Directories used by simplesamlphp. These need to be accessible by the apache2 user.
RUN mkdir simplesamlphp/ /var/cache/simplesamlphp
-RUN chown www-data. simplesamlphp/ /var/cache/simplesamlphp
-# Composer doesn't like to be root, so we'll run the rest as the apache user
+RUN chown www-data simplesamlphp/ /var/cache/simplesamlphp
+
+COPY ./idp.apache2.conf /etc/apache2/conf-available
+RUN a2enconf idp.apache2
+
+# Composer doesn't like to be root, so run the rest as the apache user.
USER www-data
# Install simplesamlphp
-ARG SIMPLESAMLPHP_TAG=v2.2.1
-RUN git clone --branch $SIMPLESAMLPHP_TAG https://github.com/simplesamlphp/simplesamlphp.git
+RUN git clone --branch v2.2.1 https://github.com/simplesamlphp/simplesamlphp.git
WORKDIR /var/www/simplesamlphp
-# Generate certs
+# Generate the server certificates.
RUN cd cert/ && \
- openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem -subj "/C=CA/SP=BC/L=Vancouver/O=UBC/CN=idp.docker"
+ openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out server.crt -keyout server.pem \
+ -subj "/C=US/S=New York/L=Rochester/O=WeBWorK/CN=idp.webwork2"
-# Use composer to install dependencies
+# Use composer to install dependencies.
RUN composer install && \
composer require simplesamlphp/simplesamlphp-module-metarefresh
-# Copy config files
+# Copy configuration files.
COPY ./config/ config/
COPY ./metadata/ metadata/
-COPY ./apache.conf /etc/apache2/sites-available/000-default.conf
diff --git a/docker-config/idp/README.md b/docker-config/idp/README.md
new file mode 100644
index 0000000000..f575fa7165
--- /dev/null
+++ b/docker-config/idp/README.md
@@ -0,0 +1,173 @@
+# Development identity provider test instance for SAML2 authentication
+
+A development SAML2 identity provider is provided that uses SimpleSAMLphp.
+Instructions for utilizing this instance follow.
+
+## Development IdP test instance with docker
+
+A docker service that implements a SAML2 identity provider is provided in the
+`docker-compose.yml.dist` file. To start this identity provider along with the
+rest of webwork2, add the `--profile saml2dev` argument to docker compose as in
+the following exmaple.
+
+```bash
+docker compose --profile saml2dev up
+```
+
+Without the profile argument, the identity provider services do not start.
+
+Stop all docker services with
+
+```bash
+docker compose --profile saml2dev down
+```
+
+## Development IdP test instance without docker
+
+Effective development is not done with docker. So it is usually more useful to
+set up an identity provider without docker. The following instructions are for
+Ubuntu 24.04, but could be adapted for other operating systems.
+
+A web server and php are needed to serve the SimpleSAMLphp files. Install these
+and other dependencies with:
+
+```bash
+sudo apt install \
+ apache2 php php-ldap php-zip php-xml php-curl php-sqlite3 php-fpm \
+ composer
+```
+
+Now download the SimpleSAMLphp source, install php dependencies, and install the
+SimpleSAMLphp metarefresh module with
+
+```bash
+cd /var/www
+sudo mkdir simplesamlphp /var/cache/simplesamlphp
+sudo chown $USER:www-data simplesamlphp
+sudo chown www-data /var/cache/simplesamlphp
+git clone --branch v2.2.1 https://github.com/simplesamlphp/simplesamlphp.git
+sudo chown -R $USER:www-data simplesamlphp
+cd simplesamlphp
+composer install
+composer require simplesamlphp/simplesamlphp-module-metarefresh
+```
+
+Next, generate certificates for the SimpleSAMLphp identity provider and make
+them owned by the `www-data` user with
+
+```bash
+cd /var/www/simplesamlphp/cert
+openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes \
+ -out server.crt -keyout server.pem \
+ -subj "/C=US/ST=New York/L=Rochester/O=WeBWorK/CN=idp.webwork2"
+sudo chown www-data:www-data server.crt server.pem
+```
+
+Next, copy the `idp` configuration files from `docker-config`.
+
+```bash
+cp /opt/webwork/webwork2/docker-config/idp/config/* /var/www/simplesamlphp/config/
+cp /opt/webwork/webwork2/docker-config/idp/metadata/* /var/www/simplesamlphp/metadata/
+```
+
+The configuration files are setup to work with the docker build. So there are
+some changes that are needed.
+
+Edit the file `/var/www/simplesamlphp/config/config.php` and change
+`baseurlpath` to `simplesaml/`.
+
+Edit the file `/var/www/simplesamlphp/metadata/saml20-idp-hosted.php` and change
+the line that reads
+`$metadata['http://localhost:8180/simplesaml'] = [`
+to
+`$metadata['http://localhost/simplesaml'] = [`.
+
+Enable the apache2 idp configuration with
+
+```bash
+sudo cp /opt/webwork/webwork2/docker-config/idp/idp.apache2.conf /etc/apache2/conf-available
+sudo a2enconf idp.apache2 php8.3-fpm
+```
+
+Edit the file `/etc/apache2/conf-available/idp.apache2.conf` and add the line
+`SetEnv SP_METADATA_URL http://localhost:3000/webwork2/saml2/metadata` to the
+beginning of the file.
+
+Finally, restart (or start) apache2 with `sudo systemctl restart apache2`.
+
+## Webwork2 Setup
+
+Copy `/opt/webwork/webwork2/conf/authen_saml2.conf.dist` to
+`/opt/webwork/webwork2/conf/authen_saml2.conf`.
+
+The default `conf/authen_saml2.conf.dist` is configured to use the docker
+identity provider. So for the docker build, it should work as is.
+
+Without the docker build a few changes are needed.
+
+- Find the `$saml2{idps}{default}` setting and change its value to
+ `'http://localhost/simplesaml/module.php/saml/idp/metadata'`.
+- Find the `$saml2{sp}{entity_id}` setting and change its value to
+ `'http://localhost:3000/webwork2/saml2'`.
+- In the `$saml2{sp}{org}` hash change the `url` to `'https://localhost:3000/'`.
+
+The above settings assume you are using `morbo` with the default port. Change
+the port as needed.
+
+Without the docker build, the SimpleSAMLphp identity provider needs to fetch
+webwork2's service provider metadata. For this execute
+
+```bash
+curl -f http://localhost/simplesaml/module.php/cron/run/metarefresh/webwork2
+```
+
+That is done automatically with the docker build. The command usually only
+needs to be done once, but if webwork2's settings are changed it may need to be
+run again. A cron job to run the command hourly could be utilized if desired.
+
+## Identity provider administration
+
+The identity provider has an admin interface. You can login to the docker
+instance with the password 'admin' at
+`http://localhost:8180/simplesaml/module.php/admin/federation`
+or without docker at
+`http://localhost/simplesaml/module.php/admin/federation`.
+
+The admin interface lets you check if the identity provider has properly
+registered the webwork2 service provider under the 'Federation' tab, it should
+be listed under the "Trusted entities" section.
+
+You can also test login with the user accounts listed below in the "Test" tab
+under the "example-userpass" authentication source.
+
+## Single sign-on users
+
+The following single sign-on accounts are preconfigured:
+
+- Username: student01, Password: student01
+- Username: instructor01, Password: instructor01
+- Username: staff01, Password: staff01
+
+You can add more accounts to the `docker-config/idp/config/authsources.php` file
+in the `example-userpass` section. If using docker the identity provider, the
+image will need to be rebuilt for the changes to take effect.
+
+## Troubleshooting
+
+### "Error retrieving metadata"
+
+This error message indicates that the Saml2 authentication module wasn't able to
+fetch the metadata from the identity provider metadata URL. Make sure the
+identity provider is accessible to webwork2.
+
+### User not found in course
+
+The user was verified by the identity provider but did not have a corresponding
+user account in the Webwork course. The Webwork user account needs to be created
+separately as the Saml2 autentication module does not do user provisioning.
+
+### The WeBWorK service provider does not appear in the service provider Federation tab
+
+This can occur when using the docker identity provider service because Webwork's
+first startup can be slow enough that the IdP wasn't able to successfully fetch
+metadata from the webwork2 metadata URL. Restarting everything should fix this.
diff --git a/docker-config/idp/apache.conf b/docker-config/idp/apache.conf
deleted file mode 100644
index bbe3dc3eed..0000000000
--- a/docker-config/idp/apache.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-
- # The ServerName directive sets the request scheme, hostname and port that
- # the server uses to identify itself. This is used when creating
- # redirection URLs. In the context of virtual hosts, the ServerName
- # specifies what hostname must appear in the request's Host: header to
- # match this virtual host. For the default virtual host (this file) this
- # value is not decisive as it is used as a last resort host regardless.
- # However, you must set it for any further virtual host explicitly.
- #ServerName www.example.com
-
- ServerAdmin webmaster@localhost
- DocumentRoot /var/www/simplesamlphp
-
- # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
- # error, crit, alert, emerg.
- # It is also possible to configure the loglevel for particular
- # modules, e.g.
- #LogLevel info ssl:warn
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- CustomLog ${APACHE_LOG_DIR}/access.log combined
-
- # For most configuration files from conf-available/, which are
- # enabled or disabled at a global level, it is possible to
- # include a line for only one particular virtual host. For example the
- # following line enables the CGI configuration for this host only
- # after it has been globally disabled with "a2disconf".
- #Include conf-available/serve-cgi-bin.conf
-
- SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/simplesamlphp/config
-
- Alias /simplesaml /var/www/simplesamlphp/public
-
-
- Require all granted
-
-
-
diff --git a/docker-config/idp/certs/saml.crt b/docker-config/idp/certs/saml.crt
new file mode 100644
index 0000000000..ca2f952c0f
--- /dev/null
+++ b/docker-config/idp/certs/saml.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE7zCCA1egAwIBAgIUIteyNYLSAiB0FcNl0GLJNYRppk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkFBMQswCQYDVQQIDAJBQTEQMA4GA1UEBwwHRXhhbXBs
+ZTEQMA4GA1UECgwHRXhhbXBsZTEQMA4GA1UECwwHRXhhbXBsZTEQMA4GA1UEAwwH
+RXhhbXBsZTEiMCAGCSqGSIb3DQEJARYTZXhhbXBsZUBleGFtcGxlLmVkdTAeFw0y
+NDA1MDMwMTA2MzNaFw0zNDA1MDMwMTA2MzNaMIGGMQswCQYDVQQGEwJBQTELMAkG
+A1UECAwCQUExEDAOBgNVBAcMB0V4YW1wbGUxEDAOBgNVBAoMB0V4YW1wbGUxEDAO
+BgNVBAsMB0V4YW1wbGUxEDAOBgNVBAMMB0V4YW1wbGUxIjAgBgkqhkiG9w0BCQEW
+E2V4YW1wbGVAZXhhbXBsZS5lZHUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGK
+AoIBgQC45DCHUejzAeq+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOY
+Uc4djwx148N14A+S0GCys2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1Qfe
+pjCcr1djPH9PpwglG1nTsiWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6
+MWKsbVLKrYMV2kPcQ0PQByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9
+aDt4/AfK90BvhkjF4BuQ+Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9l
+aLZzaeutg+G3RUYcvDMlnP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPs
+CM16SB/6xptOxoLcg/5q3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/
+piWykDk6/BDWFpEHaj+NnFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCF
+OPVOYQECAwEAAaNTMFEwHQYDVR0OBBYEFGs8F3VIGSEk+DE2MBqqNKX6UuZTMB8G
+A1UdIwQYMBaAFGs8F3VIGSEk+DE2MBqqNKX6UuZTMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggGBAIpDktpfGH7ZqgdWvxbJrjekb1IyCGrWsHOYSjwM
++MxnhAA6oY63wC04a2i31zIMNOkY9F0tAdd4uDchxA9IWHqpb7t7zBlZdDabPPC3
+WoDYnKhtZBULVVo7AvWO0UJGfZNJE393aKer3ePvfoG0OpCyrw4eFI/GCd4UjJBF
+DnD7hvUxE7RRwOhbuYrtDRuB3Z7CeeP8o81eDVexyuBpM/9UQjYPqBBAfoeYKQzu
+ZIhpGRWXw0ntH+EEOWagRXA5pRru61hteParZe4LBjPqisqN4Ek6ZR7MD9gB5xnt
+Pn1BKRY08quFOZyaogzwfkYk5SCF8F8jBA8ZNAYwJWe1gtO3iw5vpUaQc2iCabvI
+Y+Pc6qsSNwbkl7+sFrVHzI9QZVyz1cARUXxvrgGNLBkYtprkG91k6mCjX90cQspb
+ZwHixcQyCNv+4H738e99h/Wf0YzjxFjDKrbGoosYBzWAsYYtzrtsBvw3SJMTXIh7
+OvFMA+rbIL8XWs8oNmZDDh8g0A==
+-----END CERTIFICATE-----
diff --git a/docker-config/idp/certs/saml.pem b/docker-config/idp/certs/saml.pem
new file mode 100644
index 0000000000..65accf00b2
--- /dev/null
+++ b/docker-config/idp/certs/saml.pem
@@ -0,0 +1,40 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQC45DCHUejzAeq+
+eVwEX5zSQWC+kqydEmoxpydT4YiSXnNeoNAkilKfHGOYUc4djwx148N14A+S0GCy
+s2j3Ey2wuL7DSep5y1Z9Uxj6Ayg23XGIFFFJJLMy1QfepjCcr1djPH9PpwglG1nT
+siWqvHGGc3WWn1u6RfyrCf+jxbhygNRTA+LVPpqNvko6MWKsbVLKrYMV2kPcQ0PQ
+ByNHJnjBy3KH2k99lS20h32sgHbgbVpJWdAWjeyJrOh9aDt4/AfK90BvhkjF4BuQ
++Jw5oIwMhbx7YmzIfiJmBLLaGjVRppuoAQtLX9uLst9laLZzaeutg+G3RUYcvDMl
+nP7cU8Sq4BD7uK0ChKxxCMFcihAhQ8wqCKncaaE9WqPsCM16SB/6xptOxoLcg/5q
+3PJyUi2g4VDKXuQc6AURKIJxSM9nlrcv/R7fCFgk3Nj/piWykDk6/BDWFpEHaj+N
+nFE9ZIxKr9CjTxdmqiDTyqSv50rNCjleyL/iASBTSCCFOPVOYQECAwEAAQKCAYAR
+p6iCo22tFrfFrGz+9epRoXCNgg/9h66gQyfcOKMD5wT5Oj3l31d4XgucleMqq2gz
+MaaOcPDLwh4ZskwJm8k3IM0GdN5w9tuxZ+fwp7CFXKvkpJwGcfyyk+kGd7QYoh2k
+GjjF8Fs0v+HZ9x7lqMzmW8wUr+7gYKJ56qCAkPbF6EteCfb1Cd9UPaF04RZdBKtt
+MxhbU9Y7CClHigbyWlgZmUW8dzoz8bTFklKL0FCJqad/bZYTMUYu91XT88oKCXbD
+AUxpF2Ikbkfj820XOqq8iV3xGpYszt1aMRpsdXbDAhCqfKoNet2X7jnRWlNXZutC
+RIUGm4VUNDNeD4nXW8aLgDa8bNQnvsSmM9DUVuPjbejUs0VN7uwxo8rYqvkAKiBQ
+1ZqxoBK4ShZVcqgWE6CUj9FRZ3CVzSzydxZSQzex/ZRYPuYLUhQJFHLVIdJSYhf3
+XTEki0+ndwAB7yP/tBNlcxLftCzAaS7mPLLn1tf0A27QPCSjwOsTLxuJ4WYVkmkC
+gcEAuuh8EImBfE9WOg3ITmJpr95WlVi8WE6BHWowV8dQwODQLj+38itDDL1xLn9+
+Vuz4o9AaIBiH5fCr6otun28lVp/sNVdWnBVeioSpu3tGV18OiDNaXtXOo7qkUnBI
+Z+V7cD69gJLS6byD3OXlGi42h3XxK4mVlhwQtkQ69qI/zhl6rc0O2/iXXUAFa5T5
+MJ84Cw1B9kHFB/NC27sraee+cwAK0Pogj5WnqaBOIPeIO/f+br65xMUvEYvDD1m4
+TwIzAoHBAP082l0IQ5KHBY4WuFIDOoevO5SxHN5EUp2sPRDZwZxwOrjHxFRXPc/h
+pDrVEHEn/4HQ706AHYpED0diumr4gee7gusNIDcGpXwjGVdFmFvxKoDbhz1C5vL3
+xC7qgyS/ZtAopxpCPH3+7IrQyBk8e6He+8F97bA0e9sYSBQSuPLcdKQXGNbLYb6s
+yLbP02cB2CNeI1GJMQIOXe9bi9Cz5w+hCGMvEKt5oAz5SLWlPBvv1YATpG5Ux8Wy
+RbGPD4zj+wKBwBGVDx6rIMAl4nGhnEcrYM/HdZOk/kq8T88JjzSirkkGnO7M1av1
+P+Bx7bS3D5Zzwkv+poaAaEBMLI/qv+RFm1iTwK+f4KjcJcGYCzN0vEA50+8iDY1A
+RakHRK/wmg8T+lGrxT3UEf0k266q/atBz6VchexXi/fL+hJ7RqSuzJvBr9WrpYsx
+zmNaQ2hEYlCdmbMIcz0MINHHo3FyIPpcb4D37wyLiwaWyGffiZn2Tx19DbUzQdxt
+xCi9YgMOqJTeGwKBwQD4rJ0x5j+U0ApgcWcnAgyj2SwE47eZfDY0p0KAHZXGbV78
+vQ7KU7FbRhTjwP6YX9LEQ8v7pktbz2HBk+3DxayrRrNU5lrQLjKrKDxmOu1WvAgk
+6W5wdhYcWbnI6HlHyLzJhGIzov+MKp1V45fbUE2Hs1Q9uc+CzMcja0C8lXYQ5vOT
+fyrhIm8lsr6W5paN/H2mnXbJRpNdlYYg2iD+HOu1qUh3PWx9Nr44f0MrPMs+E9Hw
+J1m9DnvuYxWVOwrmK6kCgcADfcatftIJWMqeYJsDnB9jJaANmjln2G3bppo9WcIC
+lvfXFE+Rf3FleaijVrUFbgxDU2MHh/2VPjJgIQT3QtfqS5+OnF1Z5+uOTGwbDNmT
+3Th0IcSt6TjvLJwkanNeSkvc+2lMnuNtH6TQLXB0qEs3D7xND0kFWHfyies+RYNC
+eualoZJ/6UL9X2gkPG5jmzXjInEBguAL0ll5yETXgx6v0hXR058TcvPl58j73cCQ
+dzDq+xUD8nHpKM33A2EaUFY=
+-----END PRIVATE KEY-----
diff --git a/docker-config/idp/config/authsources.php b/docker-config/idp/config/authsources.php
index 608ab59c30..03740f20bf 100644
--- a/docker-config/idp/config/authsources.php
+++ b/docker-config/idp/config/authsources.php
@@ -67,7 +67,6 @@
// */
//],
-
/*
'example-sql' => [
'sqlauth:SQL',
diff --git a/docker-config/idp/config/config.php b/docker-config/idp/config/config.php
index b42a1e77f5..7abc4c87ff 100644
--- a/docker-config/idp/config/config.php
+++ b/docker-config/idp/config/config.php
@@ -31,7 +31,7 @@
* external url, no matter where you come from (direct access or via the
* reverse proxy).
*/
- 'baseurlpath' => 'simplesaml/',
+ 'baseurlpath' => 'http://localhost:8180/simplesaml/',
/*
* The 'application' configuration array groups a set configuration options
@@ -281,7 +281,7 @@
'X-Frame-Options' => 'SAMEORIGIN',
'X-Content-Type-Options' => 'nosniff',
'Referrer-Policy' => 'origin-when-cross-origin',
-],
+ ],
*/
diff --git a/docker-config/idp/config/module_cron.php b/docker-config/idp/config/module_cron.php
index 63a66ba3ed..a05be61da2 100644
--- a/docker-config/idp/config/module_cron.php
+++ b/docker-config/idp/config/module_cron.php
@@ -1,8 +1,8 @@
'healthcheck',
- 'allowed_tags' => ['docker'],
+ 'key' => 'webwork2',
+ 'allowed_tags' => ['metarefresh'],
'debug_message' => true,
'sendemail' => false,
];
diff --git a/docker-config/idp/config/module_metarefresh.php b/docker-config/idp/config/module_metarefresh.php
index 6c8975e524..1b2cf60d61 100644
--- a/docker-config/idp/config/module_metarefresh.php
+++ b/docker-config/idp/config/module_metarefresh.php
@@ -1,17 +1,19 @@
[
- 'webwork' => [
- 'cron' => ['docker'],
+ 'webwork2' => [
+ 'cron' => ['metarefresh'],
'sources' => [
- ['src' => $_ENV['SP_METADATA_URL']]
+ ['src' => $metadataURL]
],
- 'expiresAfter' => 60*60*24*365*10, // 10 years, basically never
+ 'expiresAfter' => 60 * 60 * 24 * 365 * 10, // 10 years, basically never
'outputDir' => 'metadata/metarefresh-webwork/',
'outputFormat' => 'flatfile',
]
diff --git a/docker-config/idp/idp.apache2.conf b/docker-config/idp/idp.apache2.conf
new file mode 100644
index 0000000000..5f2e656ebe
--- /dev/null
+++ b/docker-config/idp/idp.apache2.conf
@@ -0,0 +1,7 @@
+SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/www/simplesamlphp/config
+
+Alias /simplesaml /var/www/simplesamlphp/public
+
+
+ Require all granted
+
diff --git a/lib/Mojolicious/Plugin/Saml2/Controller/AcsPostController.pm b/lib/Mojolicious/Plugin/Saml2/Controller/AcsPostController.pm
deleted file mode 100644
index 1f1553fb04..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Controller/AcsPostController.pm
+++ /dev/null
@@ -1,101 +0,0 @@
-package Mojolicious::Plugin::Saml2::Controller::AcsPostController;
-
-use Mojo::Base 'WeBWorK::Controller', -signatures, -async_await;
-
-use Mojo::JSON qw(decode_json);
-use Net::SAML2::Binding::POST;
-use Net::SAML2::Protocol::Assertion;
-
-use WeBWorK::Authen::Saml2;
-use WeBWorK::CourseEnvironment;
-use WeBWorK::DB;
-use WeBWorK::Debug qw(debug);
-
-async sub post ($c) {
- debug('SAML2 is on!');
- # check required params
- my $samlResp = $c->param('SAMLResponse');
- if (!$samlResp) {
- return $c->reply->exception('Unauthorized - Missing SAMLResponse')->rendered(401);
- }
- my $relayState = $c->param('RelayState');
- if (!$relayState) {
- return $c->reply->exception('Unauthorized - Missing RelayState')->rendered(401);
- }
- $relayState = decode_json($relayState);
-
- my $idp = $c->saml2->getIdp();
- my $conf = $c->saml2->getConf();
-
- # verify response is signed by the IdP and decode it
- my $postBinding = Net::SAML2::Binding::POST->new(cacert => $c->saml2->getIdpCertFile());
- my $decodedXml = $postBinding->handle_response($samlResp);
- my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
- xml => $decodedXml,
- key_file => $c->saml2->getSpSigningKeyFile()
- );
-
- $c->_actAsWebworkController($relayState->{course});
- # get the authReqId we generated when we sent the user to the IdP
- my $authReqId = $c->session->{authReqId};
- delete $c->session->{authReqId}; # delete from session to avoid replay
-
- # verify the response has the same authReqId which means it's responding to
- # the auth request we generated, also checks that timestamps are valid
- my $valid = $assertion->valid($conf->{sp}{entity_id}, $authReqId);
- if (!$valid) {
- return $c->reply->exception('Unauthorized - Bad timestamp or issuer')->rendered(401);
- }
-
- debug('Got valid response and looking for username');
- my $userId = $c->_getUserId($conf->{sp}{attributes}, $assertion, $relayState);
- if ($userId) {
- debug("Got username $userId");
- $c->authen->setSaml2UserId($userId);
- if (!$c->authen->verify()) {
- debug("Saml2 User Verify Failed");
- debug("Rendering WeBWorK::ContentGenerator::Login");
- return await WeBWorK::ContentGenerator::Login->new($c)->go();
- }
- return $c->redirect_to($relayState->{url});
- }
- return $c->reply->exception('Unauthorized - User not found in ' . $relayState->{course})->rendered(401);
-}
-
-sub _actAsWebworkController ($c, $courseName) {
- # we need to call Webwork authen module to create the auth session, so our
- # controller need to have the things that the authen module needs to use
- $c->stash('courseID', $courseName);
- $c->ce(WeBWorK::CourseEnvironment->new({ courseName => $courseName }));
- $c->db(WeBWorK::DB->new($c->ce->{dbLayout}));
- my $authz = WeBWorK::Authz->new($c);
- $c->authz($authz);
- my $authen = WeBWorK::Authen::Saml2->new($c);
- $c->authen($authen);
-}
-
-sub _getUserId ($c, $attributeKeys, $assertion, $relayState) {
- my $ce = $c->{ce};
- my $db = $c->{db};
- my $user;
- if ($attributeKeys) {
- foreach my $key (@$attributeKeys) {
- debug("Trying attribute $key for username");
- my $possibleUserId = $assertion->attributes->{$key}->[0];
- if (!$possibleUserId) { next; }
- if ($db->getUser($possibleUserId)) {
- debug("Using attribute value for username: $possibleUserId");
- return $possibleUserId;
- }
- }
- }
- debug("No username match in attributes, trying NameID fallback");
- if ($db->getUser($assertion->nameid)) {
- debug("Using NameID for username: " . $assertion->nameid);
- return $assertion->nameid;
- }
- debug("NameID fallback failed, no username possible");
- return '';
-}
-
-1;
diff --git a/lib/Mojolicious/Plugin/Saml2/Controller/ErrorController.pm b/lib/Mojolicious/Plugin/Saml2/Controller/ErrorController.pm
deleted file mode 100644
index 1903a2c49e..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Controller/ErrorController.pm
+++ /dev/null
@@ -1,9 +0,0 @@
-package Mojolicious::Plugin::Saml2::Controller::ErrorController;
-
-use Mojo::Base 'Mojolicious::Controller', -signatures, -async_await;
-
-async sub get ($c) {
- return $c->reply->exception('SAML2 Login Error')->rendered(400);
-}
-
-1;
diff --git a/lib/Mojolicious/Plugin/Saml2/Controller/MetadataController.pm b/lib/Mojolicious/Plugin/Saml2/Controller/MetadataController.pm
deleted file mode 100644
index bd74129093..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Controller/MetadataController.pm
+++ /dev/null
@@ -1,10 +0,0 @@
-package Mojolicious::Plugin::Saml2::Controller::MetadataController;
-
-use Mojo::Base 'Mojolicious::Controller', -signatures, -async_await;
-
-async sub get ($c) {
- my $sp = $c->saml2->getSp();
- return $c->render(data => $sp->metadata(), format => 'xml');
-}
-
-1;
diff --git a/lib/Mojolicious/Plugin/Saml2/Exception.pm b/lib/Mojolicious/Plugin/Saml2/Exception.pm
deleted file mode 100644
index 43d5cd88e0..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Exception.pm
+++ /dev/null
@@ -1,3 +0,0 @@
-package Mojolicious::Plugin::Saml2::Exception;
-use Mojo::Base 'Mojo::Exception', -signatures;
-1;
diff --git a/lib/Mojolicious/Plugin/Saml2/README.md b/lib/Mojolicious/Plugin/Saml2/README.md
deleted file mode 100644
index f531c80ea9..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/README.md
+++ /dev/null
@@ -1,163 +0,0 @@
-# SAML2 Authentication Plugin
-
-This Mojolicious plugin implements SAML2 authentication for Webwork. SAML2
-functionality is provided by the
-[Net::SAML2](https://metacpan.org/dist/Net-SAML2) library. Net::SAML2 claims to
-be compatible with a wide array of SAML2 based Single Sign On systems such as
-Shibboleth. This plugin is intended to replace the previous Shibboleth
-authentication module that depended on Apache mod_shib.
-
-There are two components to SAML2 support, the Mojolicious plugin here and a a
-regular Webwork Authen module at `lib/WeBWorK/Authen/Saml2.pm`.
-
-## Configuration
-
-To enable the Saml2 plugin, copy `conf/authen_saml2.dist.yml` to
-`conf/authen_saml2.yml`.
-
-Important settings:
-
-- *idp.metadata_url* - must be set to the IdP's metadata endpoint
-- *sp.entity_id* - the ID for the Webwork SP, this is usually the application
- root URL plus the base path to the SP
-- *sp.attributes* - list of attribute OIDs that the SP will look at and try to
- match to a Webwork username
-- *sp.cert*, *sp.signing_key* - a unique key and cert pair must be generated
- for your own prod deployments. The example key and cert is only meant for dev
- use as described below in [Docker Compose](#docker-compose-dev).
-
-The Saml2 plugin will generate its own xml metadata that can be used by the IdP
-for configuration. This is available at the `/saml2/metadata` URL with the
-default config. Endpoint locations, such as metadata, can be configured under
-`sp.route`.
-
-### Generate key and cert
-
-OpenSSL can be used to generate the key and cert, like the following command:
-
-```bash
-openssl req -newkey rsa:4096 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
-```
-
-The cert is placed in `saml.crt`. The key is in `saml.pem`.
-
-### localOverrides.conf
-
-Webwork's authentication system will need to be configured to use the Saml2
-module in `conf/localOverrides.conf`. The example below allows bypassing the
-Saml2 module to use the internal username/password login as a fallback:
-
-```perl
-$authen{user_module} = [
- 'WeBWorK::Authen::Saml2',
- 'WeBWorK::Authen::Basic_TheLastOption'
-];
-```
-
-If you add the bypass query to a course url, the Saml2 module will be skipped
-and the next one in the list used, e.g.:
-`http://localhost:8080/webwork2/TEST100?bypassSaml2=1`
-
-Admin login also needs its own config, the example below assumes the bypass
-option is disabled:
-
-```perl
-$authen{admin_module} = [
- 'WeBWorK::Authen::Saml2'
-];
-```
-
-To disable the bypass, `conf/authen_saml2.yml` must also be edited, commenting
-out the `bypass_query` line.
-
-## Docker Compose Dev
-
-A dev use SAML2 IdP was added to docker-compose.yml.dist, to start this IdP
-along with the rest of the Webwork, add the '--profile saml2dev' arg to docker
-compose:
-
-```bash
-docker compose --profile saml2dev up
-```
-
-Without the profile arg, the IdP services do not start. The dev IdP is a
-SimpleSAMLphp instance.
-
-### Setup
-
-The default `conf/authen_saml2.dist.yml` is configured to use this dev IdP.
-Just copy it to `conf/authen_saml2.yml` and it should work.
-
-### Admin
-
-The dev IdP has an admin interface, you can login with the password 'admin' at:
-
-```text
-http://localhost:8180/simplesaml/module.php/admin/federation
-```
-
-The admin interface lets you check if the IdP has properly registered the
-Webwork SP under the 'Federation' tab, it should be listed under the "Trusted
-entities" section.
-
-You can also test login with the user accounts listed below in the "Test" tab
-under the "example-userpass" authentication source.
-
-### Users
-
-There are some single sign-on accounts preconfigured:
-
-- Username: student01
- - Password: student01
-- Username: instructor01
- - Password: instructor01
-- Username: staff01
- - Password: staff01
-
-You can add more accounts at `docker-config/idp/config/authsources.php` in the
-`example-userpass` section. The IdP image will need to be rebuilt for the
-change to take effect.
-
-## Troubleshooting
-
-### Webwork doesn't start, "Error retrieving metadata"
-
-This error message indicates that the Saml2 plugin wasn't able to grab metadata
-from the IdP metadata url. Make sure the IdP is accessible by the container.
-Example error message:
-
-```text
-app-1 | Can't load application from file "/opt/webwork/webwork2/bin/webwork2":
-Error retrieving metadata: Can't connect to idp.docker:8180 (Connection
-refused) (500)
-```
-
-### User not found in course
-
-The user was verified by the IdP but did not have a corresponding user account
-in the Webwork course. The Webwork user account needs to be created separately
-as the Saml2 plugin does not do user provisioning.
-
-### Logout shows uninitialized value warnings
-
-The message on the page reads "The course TEST100 uses an external
-authentication system ()."
-
-The external auth message takes values from LTI config. If you're not using
-LTI, you can define the missing values separately in `localOverrides.conf`:
-
-```perl
-$LTIVersion = 'v1p3';
-$LTI{v1p3}{LMS_name} = 'Webwork';
-$LTI{v1p3}{LMS_url} = 'http://localhost:8080/';
-```
-
-It's not an ideal solution but the Saml2 plugin needs to declare itself as an
-external auth system in order to avoid the internal 2FA. And the external auth
-message assumes LTI is on.
-
-### Dev IdP does not show the Webwork SP in Federation tab
-
-Webwork's first startup might be slow enough that the IdP wasn't able to
-successfully grab metadata from the Webwork Saml2 plugin. Restarting everything
-should fix this.
diff --git a/lib/Mojolicious/Plugin/Saml2/Router.pm b/lib/Mojolicious/Plugin/Saml2/Router.pm
deleted file mode 100644
index ac4dd5cb7b..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Router.pm
+++ /dev/null
@@ -1,17 +0,0 @@
-package Mojolicious::Plugin::Saml2::Router;
-
-use Mojo::Base -signatures;
-
-sub setup ($app, $conf) {
- my $subRouter =
- $app->routes->any($conf->{sp}{route}{base})->to(namespace => 'Mojolicious::Plugin::Saml2::Controller')
- ->name('saml2.base');
- $subRouter->get($conf->{sp}{route}{metadata})->to(controller => 'MetadataController', action => 'get')
- ->name('saml2.metadata');
- $subRouter->get($conf->{sp}{route}{error})->to(controller => 'ErrorController', action => 'get')
- ->name('saml2.error');
- $subRouter->post($conf->{sp}{route}{acs}{post})->to(controller => 'AcsPostController', action => 'post')
- ->name('saml2.acsPost');
-}
-
-1;
diff --git a/lib/Mojolicious/Plugin/Saml2/Saml2Plugin.pm b/lib/Mojolicious/Plugin/Saml2/Saml2Plugin.pm
deleted file mode 100644
index 4073520e1c..0000000000
--- a/lib/Mojolicious/Plugin/Saml2/Saml2Plugin.pm
+++ /dev/null
@@ -1,155 +0,0 @@
-package Mojolicious::Plugin::Saml2::Saml2Plugin;
-use Mojo::Base 'Mojolicious::Plugin', -signatures;
-# external libs
-use File::Temp qw/ tempfile /;
-use Mojo::JSON qw(encode_json);
-use Mojolicious;
-use Mojolicious::Plugin::NotYAMLConfig;
-use Net::SAML2::IdP;
-use Net::SAML2::SP;
-use URN::OASIS::SAML2 qw(BINDING_HTTP_POST BINDING_HTTP_REDIRECT);
-# external libs for NotYAMLConfig
-use CPAN::Meta::YAML;
-use Mojo::Util qw(decode encode);
-# webwork modules
-use WeBWorK::Debug qw(debug);
-# plugin's own modules
-use Mojolicious::Plugin::Saml2::Exception;
-use Mojolicious::Plugin::Saml2::Router;
-
-use constant Exception => 'Mojolicious::Plugin::Saml2::Exception';
-
-our $VERSION = '0.0.1';
-
-sub register ($self, $app, $conf = {}) {
- # yml config can be overridden with config passed in during plugin init
- $conf = $self->_loadConf($conf, $app);
- $self->checkConf($conf);
- # note this will grab the IdP metadata on every server reboot
- my $idp = Net::SAML2::IdP->new_from_url(url => $conf->{idp}{metadata_url});
- my $spCertFile = $self->_getTmpFileWithContent($conf->{sp}{cert});
- my $spSigningKeyFile = $self->_getTmpFileWithContent($conf->{sp}{signing_key});
- my $idpCertFile = $self->_getTmpFileWithContent($idp->cert('signing')->[0]);
- # setup routes for metadata and samlresponse handling
- Mojolicious::Plugin::Saml2::Router::setup($app, $conf);
- # cached values we need later
- $app->helper('saml2.getConf' => sub { return $conf; });
- $app->helper('saml2.getIdp' => sub { return $idp; });
- $app->helper('saml2.getSpCertFile' => sub { return $spCertFile; });
- $app->helper('saml2.getSpSigningKeyFile' => sub { return $spSigningKeyFile; });
- $app->helper('saml2.getIdpCertFile' => sub { return $idpCertFile; });
- $app->helper('saml2.getSp' => \&getSp);
- # called by the Webwork Saml2 authen module to redirect users to the IdP
- $app->helper('saml2.sendLoginRequest' => \&sendLoginRequest);
-}
-
-sub checkConf ($self, $conf) {
- if (!$conf->{idp}) {
- Exception->throw("Config missing 'idp' section");
- }
- if (!$conf->{idp}{metadata_url}) {
- Exception->throw("Config in 'idp' missing 'metadata_url'");
- }
- if (!$conf->{sp}) {
- Exception->throw("Config missing 'sp' section");
- }
- if (!$conf->{sp}{entity_id}) {
- Exception->throw("Config in 'sp' missing 'entity_id'");
- }
- if (!$conf->{sp}{cert}) {
- Exception->throw("Config in 'sp' missing 'cert'");
- }
- if (!$conf->{sp}{signing_key}) {
- Exception->throw("Config in 'sp' missing 'signing_key'");
- }
- if (!$conf->{sp}{route}) {
- Exception->throw("Config missing 'sp.route' section");
- }
- if (!$conf->{sp}{route}{base}) {
- Exception->throw("Config in 'sp.route' missing 'base'");
- }
- if (!$conf->{sp}{route}{metadata}) {
- Exception->throw("Config in 'sp.route' missing 'metadata'");
- }
- if (!$conf->{sp}{route}{acs}) {
- Exception->throw("Config missing 'sp.route.acs' section");
- }
- if (!$conf->{sp}{route}{acs}{post}) {
- Exception->throw("Config in 'sp.route.acs' missing 'post'");
- }
-}
-
-# we need an SP instance in order to generate the xml metadata and specify our
-# SP endpoints. We have to do this in a helper cause we need to use the
-# controller's url_for()
-sub getSp ($c) {
- state $sp;
- if ($sp) { return $sp; }
- my $conf = $c->saml2->getConf();
- $sp = Net::SAML2::SP->new(
- issuer => $conf->{sp}->{entity_id},
- # base url for SP services
- url => $ENV{WEBWORK_ROOT_URL} . $c->url_for('saml2.base'),
- error_url => $ENV{WEBWORK_ROOT_URL} . $c->url_for('saml2.error'),
- cert => $c->saml2->getSpCertFile(),
- key => $c->saml2->getSpSigningKeyFile(),
- org_contact => $conf->{sp}->{org}->{contact},
- org_name => $conf->{sp}->{org}->{name},
- org_url => $conf->{sp}->{org}->{url},
- org_display_name => $conf->{sp}->{org}->{display_name},
- assertion_consumer_service => [ {
- Binding => BINDING_HTTP_POST,
- Location => $ENV{WEBWORK_ROOT_URL} . $c->url_for('saml2.acsPost'),
- isDefault => 'true',
- } ]
- );
- return $sp;
-}
-
-# $returnUrl is the course URL that the user should be directed into after they
-# sucessfully authed at the IdP
-sub sendLoginRequest ($c, $returnUrl, $courseName) {
- debug('Creating Login Request');
- my $conf = $c->saml2->getConf();
- my $idp = $c->saml2->getIdp();
- my $sp = $c->saml2->getSp();
- my $authReq = $sp->authn_request($idp->sso_url(BINDING_HTTP_REDIRECT));
- $c->session->{authReqId} = $authReq->id;
- my $redirect = $sp->sso_redirect_binding($idp, 'SAMLRequest');
- # info the IdP relays back to help us put the user in the right place after
- # login
- my $relayState = {
- 'course' => $courseName,
- 'url' => $returnUrl
- };
- my $url = $redirect->sign($authReq->as_xml, encode_json($relayState));
- debug('Redirecting user to the IdP');
- $c->redirect_to($url);
-}
-
-# Write $content into a temporary file and return the full path to that file.
-# Net:SAML2 strangely won't take keys and certs as strings, it only wants
-# filepaths, this helper is meant to get around that.
-sub _getTmpFileWithContent ($self, $content) {
- my ($fh, $filename) = tempfile();
- print $fh $content;
- close($fh);
- return $filename;
-}
-
-sub _loadConf ($self, $pluginConf, $app) {
- my $confFile = "$ENV{WEBWORK_ROOT}/conf/authen_saml2.yml";
- if (!-e $confFile) {
- Exception->throw("Missing conf file: $confFile");
- }
- $app->config->{config_override} = 1;
- my $yamlPlugin = Mojolicious::Plugin::NotYAMLConfig->new;
- # we just want to use the plugin's load() method and don't want to merge
- # with the app config, so we have to manually do the setup done in
- # NotYAMLConfig's register()
- $yamlPlugin->{yaml} = sub { CPAN::Meta::YAML::Load(decode 'UTF-8', shift) };
- my $yamlConf = $yamlPlugin->load($confFile, {}, $app);
- return { %$yamlConf, %$pluginConf };
-}
-
-1;
diff --git a/lib/Mojolicious/WeBWorK.pm b/lib/Mojolicious/WeBWorK.pm
index ef3a1c8fc0..66281467f9 100644
--- a/lib/Mojolicious/WeBWorK.pm
+++ b/lib/Mojolicious/WeBWorK.pm
@@ -94,10 +94,6 @@ sub startup ($app) {
# Provide the ability to serve data as a file download.
$app->plugin('RenderFile');
- # Load the SAML2 plugin if configuration found
- if (-e "$ENV{WEBWORK_ROOT}/conf/authen_saml2.yml") {
- $app->plugin('Mojolicious::Plugin::Saml2::Saml2Plugin');
- }
# Helpers
diff --git a/lib/WeBWorK.pm b/lib/WeBWorK.pm
index 0ac5eeba66..319ea19c82 100644
--- a/lib/WeBWorK.pm
+++ b/lib/WeBWorK.pm
@@ -62,28 +62,19 @@ async sub dispatch ($c) {
# Note that this is Time::HiRes's time, which gives floating point values.
$c->submitTime(time);
- my $method = $c->req->method;
- my $location = $c->location;
- my $uri = $c->url_for;
- my $args = $c->req->params->to_string || '';
+ my $method = $c->req->method;
+ my $uri = $c->url_for;
+ my $args = $c->req->params->to_string || '';
debug("\n\n===> Begin " . __PACKAGE__ . "::dispatch() <===\n\n");
- debug("Hi, I'm the new dispatcher!\n");
debug(("-" x 80) . "\n");
- debug("Okay, I got some basic information:\n");
- debug("The site location is $location\n");
debug("The request method is $method\n");
debug("The URI is $uri\n");
debug("The argument string is $args\n");
debug(('-' x 80) . "\n");
- my ($path) = $uri =~ m/$location(.*)/;
- $path .= '/' if $path !~ m(/$);
- debug("The path is $path\n");
-
debug("The current route is " . $c->current_route . "\n");
- debug("Here is some information about this route:\n");
my $displayModule = ref $c;
my %routeCaptures = %{ $c->stash->{'mojo.captures'} };
@@ -96,8 +87,6 @@ async sub dispatch ($c) {
debug(('-' x 80) . "\n");
- debug("Now we want to look at the parameters we got.\n");
-
debug("The raw params:\n");
for my $key ($c->param) {
# Make it so we dont debug plain text passwords
@@ -122,7 +111,6 @@ async sub dispatch ($c) {
$c->initializeRoute(\%routeCaptures) if $c->can('initializeRoute');
# Create Course Environment
- debug("We need to get a course environment (with or without a courseID!)\n");
my $ce = eval { WeBWorK::CourseEnvironment->new({ courseName => $routeCaptures{courseID} }) };
$@ and die "Failed to initialize course environment: $@\n";
debug("Here's the course environment: $ce\n");
@@ -164,12 +152,14 @@ async sub dispatch ($c) {
if ($routeCaptures{courseID}) {
debug("We got a courseID from the route, now we can do some stuff:\n");
+ # This route could have the courseID set, but does not need authentication.
+ return 1 if $c->current_route eq 'saml2_metadata';
+
return (0, 'This course does not exist.')
unless (-e $ce->{courseDirs}{root}
|| -e "$ce->{webwork_courses_dir}/$ce->{admin_course_id}/archives/$routeCaptures{courseID}.tar.gz");
return (0, 'This course has been archived and closed.') unless -e $ce->{courseDirs}{root};
- debug("...we can create a database object...\n");
my $db = WeBWorK::DB->new($ce->{dbLayout});
debug("(here's the DB handle: $db)\n");
$c->db($db);
diff --git a/lib/WeBWorK/Authen/Saml2.pm b/lib/WeBWorK/Authen/Saml2.pm
index ef02074cc5..96660e2ec0 100644
--- a/lib/WeBWorK/Authen/Saml2.pm
+++ b/lib/WeBWorK/Authen/Saml2.pm
@@ -16,87 +16,288 @@
package WeBWorK::Authen::Saml2;
use Mojo::Base 'WeBWorK::Authen', -signatures;
+use Mojo::File qw(path tempfile);
+use Mojo::JSON qw(encode_json);
+use Mojo::UserAgent;
+use Net::SAML2::IdP;
+use Net::SAML2::SP;
+use URN::OASIS::SAML2 qw(BINDING_HTTP_POST BINDING_HTTP_REDIRECT);
+use Net::SAML2::Binding::POST;
+use Net::SAML2::Protocol::Assertion;
+
use WeBWorK::Debug qw(debug);
+use WeBWorK::Authen::LTIAdvanced::Nonce;
=head1 NAME
-WeBWorK::Authen::Saml2 - Sends everyone to the SAML2 IdP to authenticate.
-
-Requires the Saml2 plugin to be loaded and configured.
+WeBWorK::Authen::Saml2 - Authenticate using a SAML2 identity provider.
=cut
sub request_has_data_for_this_verification_module ($self) {
my $c = $self->{c};
- $self->setIsLoggedIn(0);
- # skip if Saml2 plugin config is missing, this means the plugin isn't loaded
- if (!-e "$ENV{WEBWORK_ROOT}/conf/authen_saml2.yml") {
- debug('Saml2 Authen Module requires Saml2 plugin to be configured');
+ # Skip if the bypass_query param is set.
+ if ($c->ce->{saml2}{bypass_query} && $c->param($c->ce->{saml2}{bypass_query})) {
+ debug('Saml2 authen module bypass detected. Going to next authentication module.');
return 0;
}
- # skip if we have the param that indicates we want to bypass SAML2
- my $bypassQuery = $c->saml2->getConf->{bypass_query};
- if ($bypassQuery && $c->param($bypassQuery)) {
- debug('Saml2 Authen module bypass detected, going to next module');
+
+ return 1;
+}
+
+sub verify ($self) {
+ my $result = $self->SUPER::verify;
+
+ # If two factor verification is needed, defer that until after redirecting to the regular webwork2 route.
+ if ($self->{c}->current_route eq 'saml2_acs'
+ && $self->{c}->stash->{saml2_redirect}
+ && $self->session->{two_factor_verification_needed})
+ {
+ $self->session->{two_factor_verification_needed_after_redirect} =
+ delete $self->session->{two_factor_verification_needed};
+ return 1;
+ }
+
+ return $result;
+}
+
+sub do_verify ($self) {
+ my $c = $self->{c};
+ my $ce = $c->ce;
+
+ if ($c->current_route eq 'saml2_acs') {
+ debug('Verifying Saml2 assertion');
+
+ my $idpCertificateFile = $self->idp(1);
+ unless ($idpCertificateFile) {
+ $c->stash->{authen_error} = $c->maketext(
+ 'An internal server error occured. Please contact the system administrator for assistance.');
+ return 0;
+ }
+
+ # Verify that the response is signed by the identity provider and decode it.
+ my $decodedXml = Net::SAML2::Binding::POST->new(cacert => $idpCertificateFile->to_string)
+ ->handle_response($c->stash->{saml2}{samlResp});
+ my $assertion = Net::SAML2::Protocol::Assertion->new_from_xml(
+ xml => $decodedXml,
+ key_file => $self->spKeyFile->to_string
+ );
+
+ # Get the database key containing the authReqId that was generated before redirecting to the identity provider.
+ my $authReqIdKey = $c->db->getKey($assertion->in_response_to);
+ unless ($authReqIdKey) {
+ $c->stash->{authen_error} = $c->maketext('Invalid user ID or password.');
+ debug('Invalid request id in response. Possible CSFR.');
+ return 0;
+ }
+ eval { $c->db->deleteKey($authReqIdKey->user_id) }; # Delete the key to avoid replay.
+
+ # Verify that the response has the same authReqId which means it's responding to the authentication request
+ # generated by webwork2. This also checks that timestamps are valid.
+ my $valid = $assertion->valid($ce->{saml2}{sp}{entity_id}, $authReqIdKey->user_id);
+ unless ($valid) {
+ $c->stash->{authen_error} = $c->maketext('Invalid user ID or password.');
+ debug('Bad timestamp or issuer');
+ return 0;
+ }
+
+ debug('Got valid response and looking for username.');
+ my $userId = $self->getUserId($ce->{saml2}{sp}{attributes}, $assertion);
+ if ($userId) {
+ debug("Got username $userId");
+
+ $c->authen->{saml2UserId} = $userId;
+ if ($self->SUPER::do_verify) {
+ $c->param('user', $userId);
+ $c->stash->{saml2_redirect} = $c->systemLink($c->url_for($c->stash->{saml2}{relayState}{url}));
+ return 1;
+ }
+ }
+ $c->stash->{authen_error} = $c->maketext('User not found in course.');
+ debug('Unauthorized - User not found in ' . $c->stash->{courseID});
return 0;
}
- # handle as existing session if we have cookie or if it's a rpc
- my ($cookieUser, $cookieKey, $cookieTimeStamp) = $self->fetchCookie;
- if (defined $cookieUser || defined $c->{rpc}) {
- $self->setIsLoggedIn(1);
+
+ # If there is an existing session, then control will be passed to the authen base class.
+ if ($ce->{session_management_via} eq 'session_cookie') {
+ my ($cookieUser) = $self->fetchCookie;
+ $self->{isLoggedIn} = 1 if defined $cookieUser;
+ } elsif ($c->param('user')) {
+ my $key = $c->db->getKey($c->param('user'));
+ $self->{isLoggedIn} = 1 if $key;
}
- return 1;
+ if ($self->{isLoggedIn}) {
+ debug('User signed in or was previously signed in. Saml2 passing control back to the authen base class.');
+
+ # There was a successful saml response or the user was already logged in.
+ # So hand off to the authen base class to verify the user and manage the session.
+ my $result = $self->SUPER::do_verify;
+
+ $self->session->{two_factor_verification_needed} =
+ delete $self->session->{two_factor_verification_needed_after_redirect}
+ if $self->session->{two_factor_verification_needed_after_redirect};
+
+ return $result;
+ }
+
+ # This occurs if the user clicks the logout button when the identity provider session has timed out, but the
+ # webwork2 session is still active. In this case return 0 so that the logged out page is shown anyway.
+ return 0 if $c->current_route eq 'logout';
+
+ # The user doesn't have an existing session, so redirect to the identity provider for login.
+ $self->sendLoginRequest;
+
+ return 0;
}
-sub do_verify ($self) {
- if ($self->{saml2UserId} || $self->{isLoggedIn}) {
- # successful saml response/already logged in, hand off to the parent
- # to create/read the session
- $self->{external_auth} = 1; # so we skip internal 2fa
- return $self->SUPER::do_verify();
+sub sp ($self) {
+ my $c = $self->{c};
+ return $c->stash->{sp} if $c->stash->{sp};
+
+ my $ce = $c->ce;
+
+ my $spCertificateFile = path($ce->{saml2}{sp}{certificate_file});
+ $spCertificateFile = $c->app->home->child($spCertificateFile) unless $spCertificateFile->is_abs;
+
+ $c->stash->{sp} = Net::SAML2::SP->new(
+ issuer => $ce->{saml2}{sp}{entity_id},
+ url => $ce->{server_root_url} . $c->url_for('root'),
+ error_url => $ce->{server_root_url} . $c->url_for('saml2_error'),
+ cert => $spCertificateFile->to_string,
+ key => $self->spKeyFile->to_string,
+ org_contact => $ce->{saml2}{sp}{org}{contact},
+ org_name => $ce->{saml2}{sp}{org}{name},
+ org_url => $ce->{saml2}{sp}{org}{url},
+ org_display_name => $ce->{saml2}{sp}{org}{display_name},
+ assertion_consumer_service => [ {
+ Binding => BINDING_HTTP_POST,
+ Location => $ce->{server_root_url} . $c->url_for('saml2_acs'),
+ isDefault => 'true',
+ } ]
+ );
+
+ return $c->stash->{sp};
+}
+
+# The first time this method is executed for a given identity provider, the metadata file is retrieved from the metadata
+# URL. It is then saved in the the $ce->{saml2}{active_idp} subdirectory of $ce->{webworkDirs}{DATA}/Saml2IDPs together
+# with the identity provider's signing key which is extracted from the retrieved metadata. On later requests the
+# metadata and certificate are used from the saved files. This prevents the need to retrieve the metadata on every
+# login request.
+sub idp ($self, $ceritificateOnly = 0) {
+ if (!$self->{idp_certificate_file} || !$self->{idp}) {
+ my $ce = $self->{c}->ce;
+
+ my $saml2IDPDir = path("$ce->{webworkDirs}{DATA}/Saml2IDPs")->child($ce->{saml2}{active_idp});
+ $saml2IDPDir->make_path;
+
+ my $metadataXMLFile = $saml2IDPDir->child('metadata.xml');
+ my $certificateFile = $saml2IDPDir->child('cacert.crt');
+
+ if (-r $metadataXMLFile && -r $certificateFile) {
+ $self->{idp} =
+ Net::SAML2::IdP->new_from_xml(xml => $metadataXMLFile->slurp, cacert => $certificateFile->to_string);
+ $self->{idp_certificate_file} = $certificateFile;
+ } else {
+ my $response = Mojo::UserAgent->new->get($ce->{saml2}{idps}{ $ce->{saml2}{active_idp} })->result;
+ if ($response->is_success) {
+ my $metadataXML = $response->body;
+ $metadataXMLFile->spew($metadataXML);
+ $self->{idp} = Net::SAML2::IdP->new_from_xml(xml => $metadataXML);
+ $certificateFile->spew($self->{idp}->cert('signing')->[0]);
+ $self->{idp_certificate_file} = $certificateFile;
+ } else {
+ debug("Unable to retrieve metadata from identity provider $ce->{saml2}{active_idp} with "
+ . "metadata URL $ce->{samle}{idps}{$ce->{saml2}{active_idp}}");
+ }
+ }
}
- # user doesn't have an existing session, send them to IdP for login
+
+ return $self->{idp_certificate_file} if $ceritificateOnly;
+ return $self->{idp};
+}
+
+sub spKeyFile ($self) {
+ my $c = $self->{c};
+ return $self->{spKeyFile} if $self->{spKeyFile};
+ $self->{spKeyFile} = path($c->ce->{saml2}{sp}{private_key_file});
+ $self->{spKeyFile} = $c->app->home->child($self->{spKeyFile}) unless $self->{spKeyFile}->is_abs;
+ return $self->{spKeyFile};
+}
+
+sub sendLoginRequest ($self) {
my $c = $self->{c};
- my $ce = $c->{ce};
- debug('User needs to go to the IdP for login');
- debug('If login successful, user should be in course: ' . $ce->{courseName});
- debug('With the URL ' . $c->req->url);
- $c->saml2->sendLoginRequest($c->req->url->to_string, $ce->{courseName});
-
- # we fail verify for this request but doesn't matter cause the user gets
- # redirected to the IdP
- return 0;
+ my $ce = $c->ce;
+
+ my $idp = $self->idp;
+ unless ($idp) {
+ $c->stash->{authen_error} =
+ $c->maketext('An internal server error occured. Please contact the system administrator for assistance.');
+ return 0;
+ }
+
+ my $authReq = $self->sp->authn_request($idp->sso_url(BINDING_HTTP_REDIRECT));
+
+ # Get rid of stale request ids in the database. This borrows the maybe_purge_nonces method from the
+ # WeBWorK::Authen::LTIAdvanced::Nonce package.
+ WeBWorK::Authen::LTIAdvanced::Nonce->new($c, '', 0)->maybe_purge_nonces;
+
+ # The request id needs to be stored so that it can be verified in the identity provider response.
+ # This uses the "nonce" hack to store the request id in the key table.
+ my $key = $c->db->newKey({ user_id => $authReq->id, timestamp => time, key => 'nonce' });
+ eval { $c->db->deleteKey($authReq->id) };
+ eval { $c->db->addKey($key) };
+
+ # The second argument of the sign method contains info that the identity provider relays back.
+ # This information is used to send the user to the right place after login.
+ debug('Redirecting user to the identity provider');
+ return $c->redirect_to($self->sp->sso_redirect_binding($idp, 'SAMLRequest')
+ ->sign($authReq->as_xml, encode_json({ course => $ce->{courseName}, url => $c->req->url->to_string })));
+}
+
+sub getUserId ($self, $attributeKeys, $assertion) {
+ my $ce = $self->{c}->ce;
+ my $db = $self->{c}->db;
+
+ if ($attributeKeys) {
+ for my $key (@$attributeKeys) {
+ debug("Trying attribute $key for username");
+ my $possibleUserId = $assertion->attributes->{$key}[0];
+ next unless $possibleUserId;
+ if ($db->getUser($possibleUserId)) {
+ debug("Using attribute value for username: $possibleUserId");
+ return $possibleUserId;
+ }
+ }
+ }
+ debug('No username match in attributes. Trying NameID fallback');
+ if ($db->getUser($assertion->nameid)) {
+ debug('Using NameID for username: ' . $assertion->nameid);
+ return $assertion->nameid;
+ }
+ debug('NameID fallback failed. No username found.');
+ return '';
}
sub get_credentials ($self) {
if ($self->{saml2UserId}) {
- # user has been authed by the IdP
+ # User has been authenticated with the identity provider.
$self->{user_id} = $self->{saml2UserId};
- $self->{login_type} = "normal";
- $self->{credential_source} = "SAML2";
- $self->{session_key} = undef;
+ $self->{login_type} = 'normal';
+ $self->{credential_source} = 'SAML2';
$self->{initial_login} = 1;
+ debug('credential source: "SAML2", user: "', $self->{user_id}, '"');
return 1;
}
- if ($self->{isLoggedIn}) {
- return $self->SUPER::get_credentials();
- }
+ return $self->SUPER::get_credentials if $self->{isLoggedIn};
return 0;
}
sub authenticate ($self) {
- # idp has authenticated us, so we can just return 1
+ # The identity provider handles authentication, so just return 1.
return 1;
}
-sub setSaml2UserId ($self, $userId) {
- $self->{saml2UserId} = $userId;
-}
-
-sub setIsLoggedIn ($self, $val) {
- $self->{isLoggedIn} = $val;
-}
-
1;
diff --git a/lib/WeBWorK/ContentGenerator/Saml2.pm b/lib/WeBWorK/ContentGenerator/Saml2.pm
new file mode 100644
index 0000000000..e1b9150391
--- /dev/null
+++ b/lib/WeBWorK/ContentGenerator/Saml2.pm
@@ -0,0 +1,51 @@
+################################################################################
+# WeBWorK Online Homework Delivery System
+# Copyright © 2000-2024 The WeBWorK Project, https://github.com/openwebwork
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of either: (a) the GNU General Public License as published by the
+# Free Software Foundation; either version 2, or (at your option) any later
+# version, or (b) the "Artistic License" which comes with this package.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See either the GNU General Public License or the
+# Artistic License for more details.
+################################################################################
+
+package WeBWorK::ContentGenerator::Saml2;
+use Mojo::Base 'WeBWorK::ContentGenerator', -signatures;
+
+use Mojo::JSON qw(decode_json);
+
+use WeBWorK::Debug qw(debug);
+
+sub initializeRoute ($c, $routeCaptures) {
+ if ($c->current_route eq 'saml2_acs') {
+ return unless $c->param('SAMLResponse') && $c->param('RelayState');
+ $c->stash->{saml2}{relayState} = decode_json($c->param('RelayState'));
+ $c->stash->{saml2}{samlResp} = $c->param('SAMLResponse');
+ $routeCaptures->{courseID} = $c->stash->{courseID} = $c->stash->{saml2}{relayState}{course};
+ }
+
+ if ($c->current_route eq 'saml2_metadata' && $c->param('courseID')) {
+ $routeCaptures->{courseID} = $c->stash->{courseID} = $c->param('courseID');
+ }
+ return;
+}
+
+sub assertionConsumerService ($c) {
+ debug('Authentication succeeded. Redirecting to ' . $c->stash->{saml2_redirect});
+ return $c->redirect_to($c->stash->{saml2_redirect});
+}
+
+sub metadata ($c) {
+ return $c->render(data => 'Internal site configuration error', status => 500) unless $c->authen->can('sp');
+ return $c->render(data => $c->authen->sp->metadata, format => 'xml');
+}
+
+sub errorResponse ($c) {
+ return $c->reply->exception('SAML2 Login Error')->rendered(400);
+}
+
+1;
diff --git a/lib/WeBWorK/Utils/Routes.pm b/lib/WeBWorK/Utils/Routes.pm
index 3197229372..5eb0f7fbbf 100644
--- a/lib/WeBWorK/Utils/Routes.pm
+++ b/lib/WeBWorK/Utils/Routes.pm
@@ -39,6 +39,10 @@ PLEASE FOR THE LOVE OF GOD UPDATE THIS IF YOU CHANGE THE ROUTES BELOW!!!
ltiadvantage_keys /ltiadvantage/keys
ltiadvantage_content_selection /ltiadvantage/content_selection
+ saml2_acs /saml2/acs
+ saml2_metadata /saml2/metadata
+ saml2_error /saml2/error
+
pod_index /pod
pod_viewer /pod/$filePath
@@ -155,6 +159,9 @@ my %routeParameters = (
ltiadvantage_launch
ltiadvantage_keys
ltiadvantage_content_selection
+ saml2_acs
+ saml2_metadata
+ saml2_error
pod_index
sample_problem_index
set_list
@@ -222,6 +229,26 @@ my %routeParameters = (
action => 'content_selection'
},
+ # This route also ends up at the login screen on failure, and the title is not used anywhere else.
+ saml2_acs => {
+ title => x('Login'),
+ module => 'Saml2',
+ path => '/saml2/acs',
+ action => 'assertionConsumerService'
+ },
+ saml2_metadata => {
+ title => 'metadata',
+ module => 'Saml2',
+ path => '/saml2/metadata',
+ action => 'metadata'
+ },
+ saml2_error => {
+ title => 'error',
+ module => 'Saml2',
+ path => '/saml2/error',
+ action => 'errorResponse'
+ },
+
pod_index => {
title => x('POD Index'),
children => [qw(pod_viewer)],
diff --git a/templates/ContentGenerator/Login.html.ep b/templates/ContentGenerator/Login.html.ep
index 0436697cd5..9031aacee5 100644
--- a/templates/ContentGenerator/Login.html.ep
+++ b/templates/ContentGenerator/Login.html.ep
@@ -6,7 +6,7 @@
%
% my $course = (stash('courseID') // '') =~ s/_/ /gr;
%
-% if ($externalAuth) {
+% if ($ce->{LTI} && $externalAuth) {
% my $LMS = $ce->{LTI}{ $ce->{LTIVersion} }{LMS_url}
% ? link_to($ce->{LTI}{ $ce->{LTIVersion} }{LMS_name} => $ce->{LTI}{ $ce->{LTIVersion} }{LMS_url})
% : $ce->{LTI}{ $ce->{LTIVersion} }{LMS_name};
@@ -24,6 +24,13 @@
tag('strong', $course), $LMS) =%>
% }
+% } elsif ($externalAuth) {
+ % if (stash('authen_error')) {
+
+ <%== maketext(q{This course uses an external authentication system. You've authenticated }
+ . q{through that system, but aren't allowed to log in to this course.}) =%>
+
+ % }
% } else {
<%== maketext('Please enter your username and password for [_1] below:', tag('b', $course)) %>
%
diff --git a/templates/ContentGenerator/Logout.html.ep b/templates/ContentGenerator/Logout.html.ep
index 59c19fb283..ed4d9fd928 100644
--- a/templates/ContentGenerator/Logout.html.ep
+++ b/templates/ContentGenerator/Logout.html.ep
@@ -1,7 +1,7 @@
<%= maketext('You have been logged out of WeBWorK.') =%>
%
% # This should be set in the course environment when a sequence of authentication modules is used.
-% if ($ce->{external_auth} || $authen->{external_auth}) {
+% if ($ce->{LTI} && ($ce->{external_auth} || $authen->{external_auth})) {
<%== maketext(
'The course [_1] uses an external authentication system ([_2]). Please go there to log in again.',
@@ -12,6 +12,9 @@
: $ce->{LTI}{ $ce->{LTIVersion} }{LMS_name}
) =%>
+% } elsif ($ce->{external_auth} || $authen->{external_auth}) {
+ <%== maketext('This course uses an external authentication system. '
+ . 'Please return to its sign in page to log in again.') =%>
% } else {
<%= form_for 'set_list', method => 'POST', begin =%>
<%= hidden_field force_passwd_authen => 1 =%>