SilverStripe\RealMe\RealMeService
Synopsis
class RealMeService
implements
TemplateGlobalProvider
{
- // constants
- const ENV_MTS = 'mts';
- const ENV_ITE = 'ite';
- const ENV_PROD = 'prod';
- const TYPE_LOGIN = 'login';
- const TYPE_ASSERT = 'assert';
- const AUTHN_LOW_STRENGTH = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength';
- const AUTHN_MOD_STRENTH = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength';
- const AUTHN_MOD_MOBILE_SMS = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Mobile:SMS';
- const AUTHN_MOD_TOKEN_SID = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Token:SID';
- const ERR_TIMEOUT = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:status:Timeout';
- const ERR_INTERNAL_ERROR = 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:status:InternalError';
- const ERR_AUTHN_FAILED = 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed';
- const ERR_UNKNOWN_PRINCIPAL = 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal';
- const ERR_NO_AVAILABLE_IDP = 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP';
- const ERR_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive';
- const ERR_NO_AUTHN_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext';
- const ERR_REQUEST_UNSUPPORTED = 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported';
- const ERR_REQUEST_DENIED = 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied';
- const ERR_UNSUPPORTED_BINDING = 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding';
- // members
- private static bool $sync_with_local_member_database = false;
- private static User|null $user_data = NULL;
- private static string $realme_env = 'mts';
- private static array $allowed_realme_environments = ;
- private static string $integration_type = 'login';
- private static array $allowed_realme_integration_types = ;
- private static array $sp_entity_ids = ;
- private static array $idp_entity_ids = ;
- private static array $idp_sso_service_urls = ;
- private static array $idp_x509_cert_filenames = ;
- private static array $authn_contexts = ;
- private static $allowed_authn_context_list $allowed_authn_context_list = ;
- private static array $metadata_assertion_service_domains = ;
- private static array $realme_error_message_overrides = ;
- private static string|null $metadata_organisation_name = NULL;
- private static string|null $metadata_organisation_display_name = NULL;
- private static string|null $metadata_organisation_url = NULL;
- private static string|null $metadata_contact_support_company = NULL;
- private static string|null $metadata_contact_support_firstnames = NULL;
- private static string|null $metadata_contact_support_surname = NULL;
- private Auth|null $auth = NULL;
- private string|null $lastError = NULL;
- // methods
- public static array get_template_global_variables()
- protected static HTTPRequest|null getRequest()
- public static User user_data()
- public void getUserData()
- public static User current_realme_user()
- public static User currentRealMeUser()
- public bool|null enforceLogin()
- private void processSamlErrors()
- public bool isAuthenticated()
- public User|null getAuthData()
- public void clearLogin()
- public void getLastError()
- public string getBackURL()
- public void getErrorBackURL()
- private void validSiteURL()
- public string|null getCertDir()
- public string|null getAuthnContextForEnvironment()
- public string|null getSigningCertPath()
- public void getIdPCertPath()
- public void getSPCertContent()
- public void getIdPCertContent()
- public string|null getCertificateContents()
- public string|null getAssertionConsumerServiceUrlForEnvironment()
- public string|null getMetadataOrganisationName()
- public string|null getMetadataOrganisationDisplayName()
- public string|null getMetadataOrganisationUrl()
- public array getMetadataContactSupport()
- public array getAllowedRealMeEnvironments()
- public array getAllowedAuthNContextList()
- public string|null getSPEntityID()
- private void getIdPEntityID()
- private void getSingleSignOnServiceURL()
- private void getRequestedAuthnContext()
- public Auth getAuth()
- public string getNameIdFormat()
- private string|null getConfigurationVarByEnv()
- private string|null getCertPath()
- private string|null getMetadataAssertionServiceDomainForEnvironment()
- private string|null retrieveFederatedLogonTag()
- private string|null retrieveFederatedIdentityTag()
- private FederatedIdentity|null retrieveFederatedIdentity()
- private string|null findErrorMessageForCode()
Hierarchy
Uses
- SilverStripe\Core\Config\Configurable
- SilverStripe\Core\Injector\Injectable
Implements
- SilverStripe\View\TemplateGlobalProvider
Constants
Name | Value |
---|---|
ENV_MTS | 'mts' |
ENV_ITE | 'ite' |
ENV_PROD | 'prod' |
TYPE_LOGIN | 'login' |
TYPE_ASSERT | 'assert' |
AUTHN_LOW_STRENGTH | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:LowStrength' |
AUTHN_MOD_STRENTH | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength' |
AUTHN_MOD_MOBILE_SMS | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Mobile:SMS' |
AUTHN_MOD_TOKEN_SID | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:ac:classes:ModStrength::OTP:Token:SID' |
ERR_TIMEOUT | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:status:Timeout' |
ERR_INTERNAL_ERROR | 'urn:nzl:govt:ict:stds:authn:deployment:GLS:SAML:2.0:status:InternalError' |
ERR_AUTHN_FAILED | 'urn:oasis:names:tc:SAML:2.0:status:AuthnFailed' |
ERR_UNKNOWN_PRINCIPAL | 'urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal' |
ERR_NO_AVAILABLE_IDP | 'urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP' |
ERR_NO_PASSIVE | 'urn:oasis:names:tc:SAML:2.0:status:NoPassive' |
ERR_NO_AUTHN_CONTEXT | 'urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext' |
ERR_REQUEST_UNSUPPORTED | 'urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported' |
ERR_REQUEST_DENIED | 'urn:oasis:names:tc:SAML:2.0:status:RequestDenied' |
ERR_UNSUPPORTED_BINDING | 'urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding' |
Members
private
- $allowed_authn_context_list — SilverStripe\RealMe\$allowed_authn_context_list
- $allowed_realme_environments — array
- $allowed_realme_integration_types
- $auth — SilverStripe\RealMe\Auth|null
- $authn_contexts — array
- $idp_entity_ids — array
- $idp_sso_service_urls
- $idp_x509_cert_filenames — array
- $integration_type — string
- $lastError — string|null
- $metadata_assertion_service_domains — array
- $metadata_contact_support_company — string|null
- $metadata_contact_support_firstnames — string|null
- $metadata_contact_support_surname — string|null
- $metadata_organisation_display_name — string|null
- $metadata_organisation_name — string|null
- $metadata_organisation_url — string|null
- $realme_env — string
- $realme_error_message_overrides — array
- $sp_entity_ids — array
- $sync_with_local_member_database — bool
- $user_data — SilverStripe\RealMe\User|null
Methods
private
- findErrorMessageForCode() — Finds a human-readable error message based on the error code provided in the RealMe SAML response
- getCertPath()
- getConfigurationVarByEnv()
- getIdPEntityID()
- getMetadataAssertionServiceDomainForEnvironment()
- getRequestedAuthnContext()
- getSingleSignOnServiceURL()
- processSamlErrors() — If the SAML response returned an error, process the errors
- retrieveFederatedIdentity()
- retrieveFederatedIdentityTag()
- retrieveFederatedLogonTag()
- validSiteURL()
protected
public
- clearLogin() — Clear the RealMe credentials from Session, called during Security->logout() overrides
- currentRealMeUser() — A convenience static method that follows the SilverStripe naming convention of Member::currentUser()
- current_realme_user() — Calls available user data and checks for validity
- enforceLogin() — Enforce login via RealMe. This can be used in controllers to force users to be authenticated via RealMe (not necessarily logged in as a {@link Member}), in the form of:
<code>
Session::set('RealMeBackURL', '/path/to/the/controller/method');
if($service->enforceLogin()) {
    // User has a valid RealMe account, $service->getAuthData() will return you their details
} else {
    // Something went wrong processing their details, show an error
}
</code>
- getAllowedAuthNContextList() — The list of valid realme AuthNContexts
- getAllowedRealMeEnvironments() — The list of RealMe environments that can be used. By default, we allow mts, ite and production.
- getAssertionConsumerServiceUrlForEnvironment()
- getAuth() — Returns the internal {@link Auth} object against which visitors are authenticated.
- getAuthData() — Returns a {@link RealMeUser} object if one can be built from the RealMe session data.
- getAuthnContextForEnvironment() — Returns the appropriate AuthN Context, given the environment passed in. The AuthNContext may be different per environment, and should be one of the strings as defined in the static {@link self::$authn_contexts} at the top of this class.
- getBackURL()
- getCertDir()
- getCertificateContents() — Returns the content of the SAML signing certificate. This is used by getAuth() and by RealMeSetupTask to produce metadata XML files.
- getErrorBackURL()
- getIdPCertContent()
- getIdPCertPath()
- getLastError()
- getMetadataContactSupport()
- getMetadataOrganisationDisplayName()
- getMetadataOrganisationName()
- getMetadataOrganisationUrl()
- getNameIdFormat()
- getSPCertContent()
- getSPEntityID() — Returns the appropriate entity ID for RealMe, given the environment passed in. The entity ID may be different per environment, and should be a full URL, including privacy realm and application name. For example, this may be: https://www.agency.govt.nz/privacy-realm-name/application-name
- getSigningCertPath() — Returns the full path to the SAML signing certificate file, used by SimpleSAMLphp to sign all messages sent to RealMe.
- getUserData()
- get_template_global_variables()
- isAuthenticated() — Checks data stored in Session to see if the user is authenticated.
- user_data() — Return the user data which was saved to session from the first RealMe auth.