WAYF 19.9 KB
Newer Older
Lukas Haemmerle's avatar
Lukas Haemmerle committed
1
<?php // Copyright (c) 2018, SWITCH
haemmer's avatar
haemmer committed
2 3 4

/*
******************************************************************************
5
SWITCHwayf
Lukas Haemmerle's avatar
Lukas Haemmerle committed
6
Version: 1.21
haemmer's avatar
haemmer committed
7
Contact:  aai@switch.ch
8
Web site: https://www.switch.ch/aai/support/tools/wayf/
haemmer's avatar
haemmer committed
9 10 11 12 13 14 15
******************************************************************************
*/

/*------------------------------------------------*/
// Load general configuration and template file
/*------------------------------------------------*/

16 17 18 19 20
if (isset($_SERVER{'SWITCHWAYF_CONFIG'})){
	require_once($_SERVER{'SWITCHWAYF_CONFIG'});
} else {
	require_once('config.php');
}
21 22 23
require_once('languages.php');
require_once('functions.php');
require_once('templates.php');
24 25 26 27 28

// Set default config options
initConfigOptions();

// Read custom locales
haemmer's avatar
haemmer committed
29 30 31 32 33
if (file_exists('custom-languages.php')){
	require_once('custom-languages.php');
}

/*------------------------------------------------*/
haemmer's avatar
haemmer committed
34
// Turn on PHP error reporting
haemmer's avatar
haemmer committed
35
/*------------------------------------------------*/
36
if ($developmentMode){
haemmer's avatar
haemmer committed
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
	ini_set('error_reporting', E_ALL);
	ini_set('display_errors', 'On');
	ini_set('log_erros', 'Off');
} else {
	error_reporting(0);
}

/*------------------------------------------------*/
// Read IDP configuration file
/*------------------------------------------------*/

// Determine language
$language = determineLanguage();

// Check if IdP files differ
// If not load file
if ($IDPConfigFile == $backupIDPConfigFile){
	require_once($IDPConfigFile);
// If they do, check config file
} elseif (checkConfig($IDPConfigFile, $backupIDPConfigFile)){
	require_once($IDPConfigFile);
// Use backup file if something went wrong 
} else {
	require_once($backupIDPConfigFile);
}

// Read metadata file if configuration option is set
64
if($useSAML2Metadata && function_exists('xml_parser_create')){
haemmer's avatar
haemmer committed
65 66 67 68 69 70 71 72 73 74 75 76 77 78
	require('readMetadata.php');
}

// Set default type
foreach ($IDProviders as $key => $values){
	if (!isset($IDProviders[$key]['Type'])){
		$IDProviders[$key]['Type'] = 'unknown';
	}
}

/*------------------------------------------------*/
// Back-wards compatibility logic
/*------------------------------------------------*/

79 80 81
// Set P3P headers just in case they were not set in Apache already
header('P3P: CP="NOI CUR DEVa OUR IND COM NAV PRE"');

haemmer's avatar
haemmer committed
82 83
// This is for back-wards compatibility with very old versions of the WAYF
if (isset($_GET['getArguments']) && isset($_GET['origin']) && isset($_GET['redirect'])){
84
	redirectTo($_SERVER['PHP_SELF'].'/redirect/'.$_GET['origin'].'?'.$_GET['getArguments']);
haemmer's avatar
haemmer committed
85 86 87
	exit;
}

haemmer's avatar
haemmer committed
88 89 90 91 92 93
/*------------------------------------------------*/
// Input validation
/*------------------------------------------------*/

if(isValidDSRequest()){
	// Check that return URL in DS request is a valid URL
haemmer's avatar
haemmer committed
94
	$returnURL = getSanitizedURL($_GET['return']);
haemmer's avatar
haemmer committed
95 96 97
	if(!$returnURL){
		// Show error
		$message = sprintf(getLocalString('invalid_return_url'), htmlentities($_GET['return']));
98
		logWarning('Invalid return URL: '.$_GET['return']);
haemmer's avatar
haemmer committed
99 100 101 102
		printError($message);
		exit;
	}
	
103
	if ($useSAML2Metadata && $enableDSReturnParamCheck){
104 105 106 107
		// Check SP
		if(!isset($SProviders[$_GET['entityID']])){
			// Show error
			$message = sprintf(getLocalString('unknown_sp'), htmlentities($_GET['entityID']));
108
			logWarning('Unknown SP: '.$_GET['entityID']);
109 110 111 112 113 114 115 116 117
			printError($message);
			exit;
		}
		
		// Check return URL in DS request if checks are enabled
		$returnURLOK = verifyReturnURL($_GET['entityID'], $returnURL);
		if(!$returnURLOK){
			// Show error
			$message = sprintf(getLocalString('unverified_return_url'), htmlentities($returnURL), htmlentities($_GET['entityID']));
118
			logWarning('Unverified return URL: '.$returnURL.' for SP: '.$_GET['entityID']);
119 120 121
			printError($message);
			exit;
		}
haemmer's avatar
haemmer committed
122
	}
123 124
	
	
haemmer's avatar
haemmer committed
125 126
}

haemmer's avatar
haemmer committed
127 128 129 130 131 132 133 134 135
/*------------------------------------------------*/
// Set and delete cookies
/*------------------------------------------------*/

// Delete all cookies
if (isRequestType('deleteSettings')){
	$cookies = array($redirectCookieName, $redirectStateCookieName, $SAMLDomainCookieName, $SPCookieName);
	foreach ($cookies as $cookie){ 
		if (isset($_COOKIE[$cookie])){
136
			setcookie($cookie,'',time()-86400, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
137 138 139 140
		}
	}
	
	if (isset($_GET['return'])){
141
		redirectTo($_GET['return']);
haemmer's avatar
haemmer committed
142
	} else {
143
		redirectTo($_SERVER['SCRIPT_NAME']);
haemmer's avatar
haemmer committed
144 145 146 147 148 149 150
	}
	exit;
}


// Delete permanent cookie
if (isset($_POST['clear_user_idp'])){
151
	setcookie ($redirectCookieName, '', time() - 3600, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
152
	redirectTo('?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170
	exit;
}

// Get previously accessed IdPs
if (isset($_COOKIE[$SAMLDomainCookieName])){
	$IDPArray = getIdPArrayFromValue($_COOKIE[$SAMLDomainCookieName]);
} else {
	$IDPArray = array();
}

// Get previously accessed SPs
if (isset($_COOKIE[$SPCookieName])){
	$SPArray = getIdPArrayFromValue($_COOKIE[$SPCookieName]);
} else {
	$SPArray = array();
}

// Set Cookie to remember the selection
171
if (isset($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp'])){
haemmer's avatar
haemmer committed
172
	$IDPArray = appendValueToIdPArray($_POST['user_idp'], $IDPArray);
173
	setcookie ($SAMLDomainCookieName, getValueFromIdPArray($IDPArray) , time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
174 175 176 177 178
}

// Set cookie for most recently used Service Provider
if (isset($_GET['entityID'])){
	$SPArray = appendValueToIdPArray($_GET['entityID'], array());
179
	setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
180 181
} else if (isset($_GET['providerId'])){
	$SPArray = appendValueToIdPArray($_GET['providerId'], array());
182
	setcookie ($SPCookieName, getValueFromIdPArray($SPArray), time() + (10*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
183 184 185 186 187 188
}


// Set the permanent or session cookie
if (isset($_POST['permanent']) 
	&& isset($_POST['user_idp']) 
189
	&& checkIDPAndShowErrors($_POST['user_idp'])){
haemmer's avatar
haemmer committed
190 191 192
	
	// Set permanent cookie 
	if (is_numeric($_POST['permanent'])){
193
		setcookie ($redirectCookieName, $_POST['user_idp'], time() + ($_POST['permanent']*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
194
	} else {
195
		setcookie ($redirectCookieName, $_POST['user_idp'], time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
196 197
	}
} elseif (
198
	isset($_POST['user_idp']) 
199
	&& checkIDPAndShowErrors($_POST['user_idp'])
haemmer's avatar
haemmer committed
200
	){
201 202 203
	
	if (isset($_POST['session'])){
		// Set redirection cookie and redirection state cookie
204 205
		setcookie ($redirectCookieName, $_POST['user_idp'], null, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
		setcookie ($redirectStateCookieName, 'checked', time() + ($cookieValidity*24*3600), '/', $commonDomain, $cookieSecurity, $cookieSecurity);
206
	} else {
207
		setcookie ($redirectStateCookieName, 'checked', time() - 3600, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
208
	}
haemmer's avatar
haemmer committed
209 210 211 212 213 214
}

/*------------------------------------------------*/
// Redirecting user
/*------------------------------------------------*/

215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269
// Redirect using user selection
if (
	isset($_POST['user_idp']) 
	&& checkIDPAndShowErrors($_POST['user_idp'])
	&& isValidShibRequest()
	&& !isset($_POST['permanent'])
	){
	
	$selectedIDP = $_POST['user_idp'];
	
	// Handle cascaded WAYF
	if (isset($IDProviders[$selectedIDP]['Type']) && $IDProviders[$selectedIDP]['Type'] == 'wayf'){
		
		// Send user to cascaded WAYF with same request
		redirectTo($IDProviders[$selectedIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
		
	} else if (isValidDSRequest()){
		redirectToSP($_GET['return'], $selectedIDP);
		
		// Create log entry
		if (isset($_POST['request_type']) && $_POST['request_type'] == 'embedded'){
			$dsType = 'Embedded-DS';
		} else {
			$dsType = 'DS';
		}
		logAccessEntry($dsType, 'Request', $_GET['entityID'], $selectedIDP, $_GET['return']);
		
	} else {
		redirectTo($IDProviders[$selectedIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
		
		// Create log entry
		if (isset($_POST['request_type']) && $_POST['request_type'] == 'embedded'){
			$dsType = 'Embedded-WAYF';
		} else {
			$dsType = 'WAYF';
		}
		logAccessEntry($dsType, 'Request', (isset($_GET['providerId'])) ? $_GET['providerId'] : '-', $selectedIDP, $_GET['shire']);
	}
	exit;
}

// For backwards compatiblity
if (	
		isset($_GET['shire']) 
		&& isset($_GET['target'])
		&& isset($_GET['origin'])
		&& checkIDPAndShowErrors($_GET['origin'])
	){
	redirectTo($IDProviders[$_GET['origin']]['SSO'].'?'.$_SERVER['QUERY_STRING']);
	
	// Create log entry
	logAccessEntry('WAYF', 'Old-Request', (isset($_GET['providerId'])) ? $_GET['providerId'] : '-', $_GET['origin'], $_GET['shire']);
	exit;
} 

haemmer's avatar
haemmer committed
270 271 272 273
// IDP determined by redirect cookie
if (	
		isValidShibRequest()
		&& isset($_COOKIE[$redirectCookieName]) 
274
		&& checkIDP($_COOKIE[$redirectCookieName])
haemmer's avatar
haemmer committed
275 276 277 278 279 280 281 282
	){
	
	$cookieIdP = $_COOKIE[$redirectCookieName];
	
	// Handle cascaded WAYF
	if (isset($IDProviders[$cookieIdP]['Type']) && $IDProviders[$cookieIdP]['Type'] == 'wayf'){
		
		// Send user to cascaded WAYF with same request
283
		redirectTo($IDProviders[$cookieIdP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
284 285
		
	} elseif (isValidDSRequest()){
286
		redirectToSP($_GET['return'], $cookieIdP);
haemmer's avatar
haemmer committed
287 288
		
		// Create log entry
haemmer's avatar
haemmer committed
289
		logAccessEntry('DS', 'Cookie', $_GET['entityID'], $cookieIdP, $_GET['return']);
haemmer's avatar
haemmer committed
290 291
		
	} else {
292
		redirectTo($IDProviders[$cookieIdP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
293 294
		
		// Create log entry
haemmer's avatar
haemmer committed
295
		logAccessEntry('WAYF', 'Cookie', (isset($_GET['providerId'])) ? $_GET['providerId'] : '-', $cookieIdP, $_GET['shire']);
haemmer's avatar
haemmer committed
296 297 298 299 300 301 302 303
		
	}
		
	exit;
} 

// Redirect using Kerberos
// Check if $REMOTE_USER has been set by mod_auth_kerb
haemmer's avatar
haemmer committed
304
if ($useKerberos && isset($_SERVER['REMOTE_USER'])) {
haemmer's avatar
haemmer committed
305 306 307 308
	$kerberosPrincipal = $_SERVER['REMOTE_USER'];
	// Bingo - we have a winner!
	$kerberosRealm = substr($user, 1 + strlen($kerberosPrincipal) - strlen(strrchr($kerberosPrincipal, "@")));
	
309
	if ($kerberosIDP = getKerberosRealm($kerberosRealm) && checkIDP($kerberosIDP)){
haemmer's avatar
haemmer committed
310 311 312 313 314
		
		// Handle cascaded WAYF
		if (isset($IDProviders[$kerberosIDP]['Type']) && $IDProviders[$kerberosIDP]['Type'] == 'wayf'){
			
			// Send user to cascaded WAYF with same request
315
			redirectTo($IDProviders[$kerberosIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
316 317
			
		} elseif (isValidDSRequest()){
318
			redirectToSP($_GET['return'], $kerberosIDP);
haemmer's avatar
haemmer committed
319 320
			
			// Create log entry
haemmer's avatar
haemmer committed
321
			logAccessEntry('DS', 'Kerberos', $_GET['entityID'], $kerberosIDP, $_GET['return']);
haemmer's avatar
haemmer committed
322
		} else {
323
			redirectTo($IDProviders[$kerberosIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
324 325
			
			// Create log entry
haemmer's avatar
haemmer committed
326
			logAccessEntry('WAYF', 'Kerberos', (isset($_GET['providerId'])) ? $_GET['providerId'] : '-', $kerberosIDP, $_GET['shire']);
haemmer's avatar
haemmer committed
327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342
		}
		exit;
	}
}

// Trigger Kerberos authentication
if ($useKerberos && !isset($kerberosRealm)) {
	// Check the headers for an Authorisation header.
	$headers = getallheaders();
	// If its' there...
	foreach ($headers as $name => $content) {
			if ($name == "Authorization") {
			// ... then the user agent is attempting Negotiate, so we
			// redirect to the soft link (that points back to this script)
			// which is	 protected by mod_auth_kerb.
			$url = $kerberosRedirectURL."?".$_SERVER['QUERY_STRING'];
343
			redirectTo($url);
haemmer's avatar
haemmer committed
344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362
			exit();
		}
	}
	
	// Send the User Agent a Negotiate header
	// This will provoke a User Agent that supports Negotiate into requesting this 
	// script a second time, including an 'Authorize' header. We catch this header
	// in the code above.
	header('WWW-Authenticate: Negotiate');
	// If the User Agent doesn't support Negotiate, we continue as usual.
}

// Redirect using resource hint
$hintedPathIDP = getIdPPathInfoHint();
if ($hintedPathIDP != '-'){
	// Handle cascaded WAYF
	if (isset($IDProviders[$hintedPathIDP]['Type']) && $IDProviders[$hintedPathIDP]['Type'] == 'wayf'){
		
		// Send user to cascaded WAYF with same request
363
		redirectTo($IDProviders[$hintedPathIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
364 365
		exit;
		
haemmer's avatar
haemmer committed
366
	} elseif (isPartOfPathInfo('redirect') ){
haemmer's avatar
haemmer committed
367
		// Set redirect cookie for this session
368
		setcookie ($redirectCookieName, $hintedPathIDP, null, '/', $commonDomain, $cookieSecurity, $cookieSecurity);
haemmer's avatar
haemmer committed
369 370 371
		
		// Determine if DS or WAYF request
		if (isValidDSRequest()){
372
			redirectToSP($_GET['return'], $hintedPathIDP);
haemmer's avatar
haemmer committed
373 374
			
			// Create log entry
haemmer's avatar
haemmer committed
375
			logAccessEntry('DS', 'Path', $_GET['entityID'], $hintedPathIDP, $_GET['return']);
haemmer's avatar
haemmer committed
376 377
			
		} else {
378
			redirectTo($IDProviders[$hintedPathIDP]['SSO'].'?'.$_SERVER['QUERY_STRING']);
haemmer's avatar
haemmer committed
379 380
			
			// Create log entry
haemmer's avatar
haemmer committed
381
			logAccessEntry('WAYF', 'Path', (isset($_GET['providerId'])) ? $_GET['providerId'] : '-', $hintedPathIDP, $_GET['shire']);
haemmer's avatar
haemmer committed
382 383 384 385 386 387
		}
		
		exit;
	}
}

388

haemmer's avatar
haemmer committed
389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413

/*------------------------------------------------*/
// Gather data to preselect user's IdP
/*------------------------------------------------*/

// Initialize selected IdP
$selectedIDP = '-';

// Cookie hint
$hintedCookieIdP = '-';
if (count($IDPArray) > 0){
	// Make sure one of these IdP exists
	foreach ($IDPArray as $previouslyUsedIDP){
		if (isset($IDProviders[$previouslyUsedIDP])){
			$hintedCookieIdP = $previouslyUsedIDP;
		}
	}
} 

// IP address range hint
$hintedIPIDP = '-';
$hintedIPIDP = getIPAdressHint();

// Reverse DNS lookup hint
$hintedDomainIDP = '-';
414
if ($useReverseDNSLookup){
haemmer's avatar
haemmer committed
415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440
	$hintedDomainIDP = getDomainNameFromURIHint();
}

/*------------------------------------------------*/
// Determine preselected IdP using gathered data
/*------------------------------------------------*/

// Prioritise selected IDP in this sequence
// - Previous used IdP
// - Path info hint
// - IP address range hint 
// - Reverse DNS Lookup hint
// - No Preselection

if ($hintedCookieIdP != '-'){
	$selectedIDP = $hintedCookieIdP;
} elseif ($hintedPathIDP != '-'){
	$selectedIDP = $hintedPathIDP;
} elseif ($hintedIPIDP != '-'){
	$selectedIDP = $hintedIPIDP;
} elseif ($hintedDomainIDP != '-'){
	$selectedIDP = $hintedDomainIDP;
} else {
	$selectedIDP = '-';
}

441 442 443 444
/*------------------------------------------------*/
// Sort Identity Providers
/*------------------------------------------------*/

445
if ($useSAML2Metadata){
446 447 448 449 450
	// Only automatically sort if list of Identity Provider is parsed
	// from metadata instead of being manualy managed
	sortIdentityProviders($IDProviders);
}

haemmer's avatar
haemmer committed
451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469
/*------------------------------------------------*/
// Draw WAYF
/*------------------------------------------------*/

// Coming from an SP with proper GET arguments
if ( 
	isValidShibRequest() 
	&& (!isset($_POST['user_idp']) || $_POST['user_idp'] == '-')
	) {
	
	// Return directly to IdP if isPassive is set
	if (
		isValidDSRequest() 
		&& isset($_GET['isPassive'])
		&& $_GET['isPassive'] == 'true'
		){
		
		// Only return user with returnIDParam to SP if IdP could be guessed
		if ($selectedIDP == '-' || $selectedIDP == ''){
470
			redirectTo($_GET['return']);
haemmer's avatar
haemmer committed
471 472
			
			// Create log entry
haemmer's avatar
haemmer committed
473
			logAccessEntry('DS', 'Passive', $_GET['entityID'], '-', $_GET['return']);
haemmer's avatar
haemmer committed
474 475 476
			
			
		} else {
477
			redirectToSP($_GET['return'], $selectedIDP);
haemmer's avatar
haemmer committed
478 479
			
			// Create log entry
haemmer's avatar
haemmer committed
480
			logAccessEntry('DS', 'Passive', $_GET['entityID'], $selectedIDP, $_GET['return']);
haemmer's avatar
haemmer committed
481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506
		}
		exit;
	}
	
	// Show selection
	
	// Show Header
	printHeader();
	
	// Show drop down list
	printWAYF();
	
	// Show footer
	printFooter();
	exit;
	
} elseif(
		(!isset($_GET['shire']) && isset($_GET['target'])) 
		|| (isset($_GET['shire']) && !isset($_GET['target']))
){
	
	// Show error
	$invalidstring = urldecode($_SERVER['QUERY_STRING']);
	$invalidstring = preg_replace('/&/',"&\n",$invalidstring);
	if ($invalidstring == '')
		$invalidstring = getLocalString('no_arguments');
haemmer's avatar
haemmer committed
507 508 509
	$message = getLocalString('arguments_missing') . '<pre>';
	$message .= '<code>'.htmlentities($invalidstring).'</code></pre></p>';
	$message .= '<p>'. getLocalString('valid_request_description');
510
	logWarning('Invalid GET arguments for Shibboleth discovery requests: '.$invalidstring);
haemmer's avatar
haemmer committed
511 512
	printError($message);
	exit;
513
} elseif(
haemmer's avatar
haemmer committed
514 515 516 517 518 519 520 521 522
		(!isset($_GET['entityID']) && isset($_GET['return'])) 
		|| (isset($_GET['entityID']) && !isset($_GET['return']))
){
	
	// Show error
	$invalidstring = urldecode($_SERVER['QUERY_STRING']);
	$invalidstring = preg_replace('/&/',"&\n",$invalidstring);
	if ($invalidstring == '')
		$invalidstring = getLocalString('no_arguments');
haemmer's avatar
haemmer committed
523 524 525
	$message = getLocalString('arguments_missing') . '</p><pre>';
	$message .= '<code>'.htmlentities($invalidstring).'</code></pre>';
	$message .= '<p>'. getLocalString('valid_saml2_request_description');
526
	logWarning('Invalid GET arguments for SAML discovery requests: '.$invalidstring);
haemmer's avatar
haemmer committed
527 528 529
	printError($message);
	exit;
	
haemmer's avatar
haemmer committed
530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545
} elseif(isRequestType('styles.css')){
	
	header('Content-Type: text/css');
	
	printCSS('styles.css');
	
	exit;

} elseif(isRequestType('ImprovedDropDown.css')){

	header('Content-Type: text/css');
	
	printCSS('ImprovedDropDown.css');
	
	exit;

haemmer's avatar
haemmer committed
546 547 548
} elseif(isRequestType('snippet.html')){
	
	// Check if this feature is activated at all
549
	if (!$useEmbeddedWAYF){
haemmer's avatar
haemmer committed
550 551 552 553 554 555 556 557 558 559 560 561 562 563
		echo '// The embedded WAYF feature is deactivated in the configuration';
		exit;
	}
	
	// Return the HTML snippet for including the Embedded WAYF
	printEmbeddedConfigurationScript();
	
	exit;

} elseif(isRequestType('snippet.txt')){
	
	header('Content-Type: text/plain');
	
	// Check if this feature is activated at all
564
	if (!$useEmbeddedWAYF){
haemmer's avatar
haemmer committed
565 566 567 568 569 570 571 572 573 574 575 576
		echo '// The embedded WAYF feature is deactivated in the configuration';
		exit;
	}
	
	// Return the HTML snippet for including the Embedded WAYF
	printEmbeddedConfigurationScript();
	
	exit;

} elseif(isRequestType('embedded-wayf.js')){
	
	// Check if this feature is activated at all
577
	if (!$useEmbeddedWAYF){
haemmer's avatar
haemmer committed
578 579 580 581 582 583 584
		echo '// The embedded WAYF feature is deactivated in the configuration';
		exit;
	}
	
	// Set JavaScript content type
	header('Content-type: text/javascript;charset="utf-8"');
	
585 586 587 588 589 590
	// If the data protection feature is enabled, don't preselect the IdP
	if ($useEmbeddedWAYFPrivacyProtection){
		$selectedIDP = '-';
	}
	
	// If the referer check is enabled but fails, don't preselect the IdP
haemmer's avatar
haemmer committed
591
	if (
592 593 594
		   !$useEmbeddedWAYFPrivacyProtection
		&&  $useEmbeddedWAYFRefererForPrivacyProtection
		&& !isRequestRefererMatchingSPHost()
haemmer's avatar
haemmer committed
595 596 597 598
		){
		$selectedIDP = '-';
	}
	
haemmer's avatar
haemmer committed
599 600 601 602 603 604 605 606 607 608 609 610 611
	// Generate JavaScript code
	printEmbeddedWAYFScript();
	
	exit;
	
} elseif (isRequestType('ShibbolethDS-IDProviders.json')){
	
	// Return $IdProviders as JSON data structure
	if (!$developmentMode){
		header('Content-Type: application/json');
	}
	
	// Add guessed Identity Provider
612
	if ($exportPreselectedIdP){
haemmer's avatar
haemmer committed
613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628
		$IDProviders['preselectedIDP'] = $selectedIDP;
	}
	
	$ShibDSIDProviders = convertToShibDSStructure($IDProviders);
	
	// Add list of IdPs
	echo json_encode($ShibDSIDProviders);
	
	exit;
	
} elseif (isRequestType('ShibbolethDS-IDProviders.js')){
	
	// Set JavaScript content type
	header('Content-type: text/javascript;charset="utf-8"');
	
	// Add guessed Identity Provider
629
	if ($exportPreselectedIdP){
haemmer's avatar
haemmer committed
630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647
		$IDProviders['preselectedIDP'] = $selectedIDP;
	}
	
	$ShibDSIDProviders = convertToShibDSStructure($IDProviders);
	
	// Add list of IdPs
	echo 'var myJSONObject = '.json_encode($ShibDSIDProviders).';';
	
	exit;
	
} elseif (isRequestType('IDProviders.json')){
	
	// Return $IdProviders as JSON data structure
	if (!$developmentMode){
		header('Content-Type: application/json');
	}
	
	// Add guessed Identity Provider
648
	if ($exportPreselectedIdP){
haemmer's avatar
haemmer committed
649 650 651 652 653 654 655 656 657 658 659 660 661 662
		$IDProviders['preselectedIDP'] = $selectedIDP;
	}
	
	// Add list of IdPs
	echo json_encode($IDProviders);
	
	exit;
	
} elseif (isRequestType('IDProviders.txt')){
	
	// Return $IdProviders as human readable data
	header('Content-Type: text/plain');
	
	// Add guessed Identity Provider
663
	if ($exportPreselectedIdP){
haemmer's avatar
haemmer committed
664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679
		$IDProviders['preselectedIDP'] = $selectedIDP;
	}
	
	echo 'IDProviders = ';
	
	// Return list of IdP array
	print_r($IDProviders);
	
	exit;
	
} elseif (isRequestType('IDProviders.php')){
	
	// Return $IdProviders as PHP code
	header('Content-Type: text/plain');
	
	// Add guessed Identity Provider
680
	if ($exportPreselectedIdP){
haemmer's avatar
haemmer committed
681 682 683 684 685 686 687 688 689 690 691
		$IDProviders['preselectedIDP'] = $selectedIDP;
	}
	
	echo '$IDProviders = ';
	
	// Return list of IdP array
	var_export($IDProviders);
	
	exit;
	
} elseif (
692
			(isset($_POST['user_idp']) && checkIDPAndShowErrors($_POST['user_idp']))
haemmer's avatar
haemmer committed
693 694
			|| (
				   isset($_COOKIE[$redirectCookieName]) 
695
				&& checkIDP($_COOKIE[$redirectCookieName])
haemmer's avatar
haemmer committed
696
				)
haemmer's avatar
haemmer committed
697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723
		){
	
	// Show confirmatin notice
	// Show Header
	printHeader();
	
	// Show drop down list
	printNotice();
	
	// Show footer
	printFooter();
	
	exit;
} else {
	
	// Show Header
	printHeader();
	
	// Show drop down list
	printSettings();
	
	// Show footer
	printFooter();
	exit;
} 

?>