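#!/usr/bin/perl
# Optima <-> Shibboleth glue
#
# Runs behind a Shibboleth SP.  The SP has already authenticated the user and
# exported eduPersonPrincipalName (eppn) into the environment; this script maps
# that identity onto an Optima account and, when the account is marked as a
# Shibboleth account, issues the Optima session cookie and redirects the user
# back to the menu (or to a same-site return URL supplied in "prevuri").

use strict;
use warnings;
use CGI;
use lib '../learning/bin';
use Tconfig;
use GUser;
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
use Digest::SHA1 qw(sha1_hex);
use MIME::Base64;

# Password marker that flags an Optima account as Shibboleth-only.
my $SHIB_TOKEN = '**shibboleth**';

my $conf = Tconfig->new;
my $req  = CGI->new;

# eppn is exported by the SP, not sent by the browser, so it is the
# authenticated identity.  Everything read via $req->param is client-supplied.
my $eppname    = $ENV{'eppn'} || '';
my $logouturl  = $ENV{'HTTP_SHIB_LOGOUT_URL'} || '';
my $now        = time();
my $timestring = scalar localtime;
# NOTE(review): ns is client-controlled and goes straight into GUser->new; the
# default of 4 suggests namespaces are numeric, but nothing here checks that.
my $namespace  = $req->param('ns') || 4;
my $mode       = $req->param('mode') || '';

if ($eppname eq '') {
    # This should never be reached. Incorrect shibboleth usernames and passwords
    # should generate an error in the IdP login page, not here
    print $req->header;
    print <<"EOT";
The Shibboleth IdP server did not send an eduPersonPrincipalName attribute for some reason. Please contact your IdP maintainer to sort this out. Tell them this happened in $timestring
EOT
}
else {
    my $guser = GUser->new(handle => $eppname, namespace => $namespace);
    my ($domain) = $eppname =~ /@(.*)$/;

    if ($logouturl ne '') {
        $guser->hakalogout_sync(domain => $domain, url => $logouturl);
    }

    if (($guser->{id} eq '') || ($guser->{passwd} ne $SHIB_TOKEN)) {
        # The shibboleth edupersonprincipalname of this successfully authenticated
        # account does not exist as a handle in Optima, or it exists but its
        # password is not the shibboleth token.  Tell the user to ask for an
        # account; no Optima cookie is issued on this path.
        # eppn is echoed into an HTML page, so escape it rather than trusting
        # the IdP to only ever send HTML-safe principal names.
        my $shown_name = $req->escapeHTML($eppname);
        print $req->header;
        print <<"EOT";
You have successfully authenticated with a Shibboleth account $shown_name. However, there is no such account in Optima. Please contact the administrator of your Optima environment and ask them to provide you with an account.
EOT
    }
    else {
        # User authenticated successfully to shibboleth, edupersonprincipalname
        # exists as an Optima handle, and the password of this account is the
        # shibboleth token.  Everything is OK: create an Optima cookie and
        # redirect the user to the menu.
        my $cookie  = _auth_cookie($conf, $guser, $now);
        my $prevuri = _safe_return_uri($conf, $req, $mode);
        # warn "PREVURI: $prevuri";
        print $req->redirect(-uri => $prevuri, -cookie => $cookie);
    }
}

# Build the OpAuth_Optima Set-Cookie value: "<id>:<time>:<ns>:<envs>:0:<hmac>",
# where the last field is a base64 HMAC-SHA1 over the preceding fields, keyed
# with the shared secret $conf->{key}.  Commas in the env list are rewritten to
# "!" so the cookie stays a single token.
#
# Args: $conf (Tconfig), $guser (GUser, already looked up), $issued_at (epoch).
# Returns the cookie string to hand to CGI's -cookie.
sub _auth_cookie {
    my ($conf, $guser, $issued_at) = @_;

    my $envlist = defined $guser->{'envs'} ? $guser->{'envs'} : '';
    $envlist =~ s/,/!/g;

    my $taikina = join ':', $guser->{'id'}, $issued_at, $guser->{namespace}, $envlist, 0;
    my $hmac = Digest::HMAC_SHA1->new($conf->{'key'});
    $hmac->add($taikina);
    my $leivonnainen = $hmac->b64digest;

    # HttpOnly keeps the session token out of reach of page scripts; Secure is
    # safe because the application is only addressed over https (the default
    # return URL below is hard-coded to https).
    return "OpAuth_Optima=$taikina:$leivonnainen;path=/;HttpOnly;Secure";
}

# Decide where to send the browser after login.  The caller may pass a
# base64-encoded return URL in "prevuri"; it is honoured only when it points at
# this Optima host (absolute https URL on $conf->{host}, or a site-relative
# path).  Anything else -- another host, a javascript: URI, a value carrying
# CR/LF -- falls back to the login menu.  Without this check the script is an
# open redirect that lands the user on an attacker-chosen page right after a
# successful login.
#
# Args: $conf (Tconfig), $req (CGI), $mode ('mobile' selects the mobile menu).
# Returns the redirect target.
sub _safe_return_uri {
    my ($conf, $req, $mode) = @_;

    my $default = "https://$conf->{host}/loginmenu";
    my $encoded = $req->param('prevuri');
    my $prevuri = defined $encoded ? decode_base64($encoded) : '';

    # \S* rejects embedded whitespace, which also rules out CR/LF header
    # injection through the Location header.
    my $same_site = qr{
        \A
        (?:
            https:// \Q$conf->{host}\E (?: [/?#] \S* )?   # absolute, our host
          | / (?! /) \S*                                 # site-relative path
        )
        \z
    }x;
    $prevuri = $default if $prevuri !~ $same_site;

    # Mobile clients get the mobile menu instead.
    $prevuri =~ s/loginmenu/loginmobmenu/ if $mode eq 'mobile';

    return $prevuri;
}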