SAML (SSO) Test v$iv

#!/usr/bin/perl #EDIT THE ABOVE LINE TO POINT TO THE LOCATION OF Perl ON YOUR SERVER ##### DO NOT EDIT ANYTHING BELOW THIS LINE ##### use strict;use utf8;use JSON;use MIME::Base64;my$iv='1.01';my$fname='SAMLtest.pl';my$cwd=$ENV{SCRIPT_FILENAME};if($cwd){$cwd=~s!(?:[^/\\]*)$!!}else{($_=$0)=~s![\\/][^\\/]+$!!;unshift@INC,$_;$cwd=$_};$cwd=~s/\\/\//g;use lib qw(.);my%in=parse();my$act=$in{act};my$nolog=$in{nolog};require CGI::Carp;CGI::Carp->import('fatalsToBrowser','set_message');set_message('For help, please refer to the MIDAS Knowledge Base');my$midas;eval{$midas=decode_json(SSI_INCLUDE("$cwd/midas.dat"))};if($@){}my$certprefix=lc(substr($midas->{midasid},9,3).substr($midas->{midasid},-1,1));$certprefix='MIDAS' if !$certprefix;if(!$act){if($in{SAMLResponse}){samlresponse()}else{splash()}}elsif($act eq 'start'){samlsetup()}elsif($act eq 'gen_cert_key'){gen_cert_key()}elsif($act eq 'samlsetup'){samlsetup()}elsif($act eq 'samlsave'){samlsave()}elsif($act eq 'test'){samltest()}sub pagehead {print "Content-type: text/html; charset=UTF-8\n\n";print qq~ SAML (SSO) Test v$iv

SAML Test v$iv

~}sub pagefoot{print qq~

~}sub splash{my$nonetsaml2;eval{require Net::SAML2};if($@){$nonetsaml2=1}pagehead();print qq~

IS YOUR SERVER READY FOR SEAMLESS SSO INTEGRATION?

This tool will allow you to test your server setup to determine whether you're able to integrate MIDAS with your SAML service, to allow users to be authenticated and seamlessly logged into your MIDAS system upon each access.

THIS TOOL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL THE AUTHOR BE LIABLE TO YOU FOR INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF ANY USE THEREOF OR BREACH OF ANY WARRANTY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Click "Continue" to begin.

~;if($nonetsaml2){print qq~

The Perl module Net::SAML2 was not detected on this server
Please install this module then reload this page to continue

~}else{print q~~}print q~

~;pagefoot()}sub samlsetup{pagehead();my$idp_meta=SSI_INCLUDE("$cwd/SAML/$certprefix-idp-meta.dat")||SSI_INCLUDE("$cwd/SAML/MIDAS-idp-meta.dat");my$idp_cert=SSI_INCLUDE("$cwd/SAML/$certprefix-idp-cert.dat")||SSI_INCLUDE("$cwd/SAML/MIDAS-idp-cert.dat");my$sp_key=SSI_INCLUDE("$cwd/SAML/$certprefix-sp-key.dat")||SSI_INCLUDE("$cwd/SAML/MIDAS-sp-key.dat");my$sp_key_ph=($sp_key)?'[Not Shown]':q~Paste Service Provider's Private Key Here...~;my$sp_cert=SSI_INCLUDE("$cwd/SAML/$certprefix-sp-cert.dat")||SSI_INCLUDE("$cwd/SAML/MIDAS-sp-cert.dat");my$acsurl=($midas->{paths}{aliasurl})?"https://$midas->{paths}{aliasurl}$fname":"https://$midas->{paths}{weburl}$fname";$acsurl='https://'.$ENV{SERVER_NAME}.$ENV{REQUEST_URI} if !$acsurl;print qq~~;pagefoot()}sub gen_cert_key{unlink "$cwd/SAML/$certprefix-sp-key-temp.dat";unlink "$cwd/SAML/$certprefix-sp-cert-temp.dat";my$dataname;my$dbs;eval{$dbs=@{$midas->{database}{db}}};if($dbs){foreach my$k(0..@{$midas->{database}{db}}-1){if($midas->{database}{default} eq $midas->{database}{db}[$k]{r}){$dataname=$midas->{database}{db}[$k]{display};last}}}$dataname='MIDAS' if !$dataname;my$country=$midas->{languages}{default};$country=~s/\w\w-//;my$aliasdomain=$midas->{paths}{aliasurl};$aliasdomain=~s!/(.*)!!;my$subject='/C='.$country.'/O='.$dataname.'/CN='.$aliasdomain;my$sp_key;my$sp_cert;if(-e "$cwd/SAML/$certprefix-sp-key-temp.dat"){$sp_key=SSI_INCLUDE("$cwd/SAML/$certprefix-sp-key-temp.dat");$sp_cert=SSI_INCLUDE("$cwd/SAML/$certprefix-sp-cert-temp.dat");unlink "$cwd/SAML/$certprefix-sp-key-temp.dat";unlink "$cwd/SAML/$certprefix-sp-cert-temp.dat"}else{require LWP::UserAgent;LWP::UserAgent->import();eval{require IO::Socket::SSL};if($@){$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0}my$ua=LWP::UserAgent->new(env_proxy=>0,keep_alive=>0,timeout=>30,agent =>"SAML TEST v$iv");if($midas->{paths}{proxy}){$ENV{HTTPS_PROXY}=$midas->{paths}{proxy};$ua->proxy(['http','https'],$midas->{paths}{proxy})}my$r=$ua->post('https://u.mid.as/SAMLcertgen.pl',[dataname=>$dataname,prefix=>$certprefix,country=>$country,alias=>$aliasdomain]);my@response=($r->is_success)?($r->code,$r->status_line,$r->content):($r->code,$r->status_line);if($response[0]==200){if($response[2]=~m/^-----BEGIN PRIVATE KEY-----/){my@spdata=split(/\|/,$response[2]);$sp_key=$spdata[0];$sp_cert=$spdata[1]}else{$sp_key=$sp_cert='Unable to generate'}}}print "Content-type: text/plain; charset=UTF-8\n\n$sp_key|$sp_cert"}sub samlsave{if(!-e "$cwd/SAML"){mkdir "$cwd/SAML/"}if($in{saml_idp_meta}){$in{saml_idp_meta}=~s/\r//g;$in{saml_idp_meta}=~s/&(?!amp;)/&/g;open(my$TMPF,'>:encoding(UTF-8)',"$cwd/SAML/$certprefix-idp-meta.dat");flock($TMPF,2);print $TMPF $in{saml_idp_meta};flock($TMPF,8);close($TMPF)}if($in{saml_idp_cert}){$in{saml_idp_cert}=~s/\r//g;open(my$TMPF,'>:encoding(UTF-8)',"$cwd/SAML/$certprefix-idp-cert.dat");flock($TMPF,2);print $TMPF $in{saml_idp_cert};flock($TMPF,8);close($TMPF)}if($in{saml_sp_key}){$in{saml_sp_key}=~s/\r//g;open(my$TMPF,'>:encoding(UTF-8)',"$cwd/SAML/$certprefix-sp-key.dat");flock($TMPF,2);print $TMPF $in{saml_sp_key};flock($TMPF,8);close($TMPF)}if($in{saml_sp_cert}){$in{saml_sp_cert}=~s/\r//g;open(my$TMPF,'>:encoding(UTF-8)',"$cwd/SAML/$certprefix-sp-cert.dat");flock($TMPF,2);print $TMPF $in{saml_sp_cert};flock($TMPF,8);close($TMPF)}print "Content-type: text/plain; charset=UTF-8\n\n1";exit}sub samltest{eval{require Net::SAML2};if($@){ssoerr('Net::SAML2 not found')}my$issuer='midas';my$provider='midas';my$idp_meta="$cwd/SAML/$certprefix-idp-meta.dat";my$idp_cert="$cwd/SAML/$certprefix-idp-cert.dat";my$sp_key="$cwd/SAML/$certprefix-sp-key.dat";my$idp_metadata=SSI_INCLUDE($idp_meta);if(!$idp_meta){ssoerr('Identity Provider metadata not found')}my$xml_doc;if($idp_metadata=~m/load_xml(location=>$idp_meta)};if($@){ssoerr('Invalid Identity Provider metadata')}}else{require LWP::UserAgent;LWP::UserAgent->import();$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;my$ua=LWP::UserAgent->new;$ua->timeout(10);my$response=$ua->get("$idp_metadata");$response=$response->content;eval{$xml_doc=XML::LibXML->load_xml(string=>$response)};if($@){ssoerr('Invalid Identity Provider metadata')}}$idp_metadata=$xml_doc->documentElement;my $idp=Net::SAML2::IdP->new_from_xml(xml=>$idp_metadata,cacert=>$idp_cert,);my $authnreq=Net::SAML2::Protocol::AuthnRequest->new(issuer=> $issuer,destination=>$idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),provider_name=>$provider,);my$saml_request_id=$authnreq->id;if(!$saml_request_id){ssoerr('SAML Request ID not found')}print "Set-Cookie:SAMLID=$saml_request_id; HttpOnly; SameSite=Strict; Secure\n";my $redirect=Net::SAML2::Binding::Redirect->new(key=>$sp_key,cert=>$idp->cert('signing'),param=>'SAMLRequest',url=>$idp->sso_url('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'),);my$url=$redirect->sign($authnreq->as_xml);if(!$url){ssoerr('Redirect URL not found')}print "Location:$url\n\n"}sub samlresponse{my$saml_response=$in{SAMLResponse};my$op;$op.=qq~

SAML OUTPUT

~;pagefoot();exit}require Net::SAML2::Binding::POST;require Net::SAML2::Protocol::Assertion;$op.=qq~Got SAML response and action is "verify"\n~;my$issuer='midas';my$idp_cert="$cwd/SAML/$certprefix-idp-cert.dat";my%cookies=getCookies();my$saml_request_id=$cookies{'SAMLID'};$op.=qq~Got SAML request id: $saml_request_id\n~;my$post=Net::SAML2::Binding::POST->new(cacert=>$idp_cert );my$ret=$post->handle_response($saml_response);my$assertion=Net::SAML2::Protocol::Assertion->new_from_xml(xml=>decode_base64($saml_response));my$valid=$assertion->valid($issuer,$saml_request_id);if($valid){my$dn=determine_name($assertion);my$em=determine_email($assertion);if(($dn)&&($em)){$op.=qq~========================================\nSUCCESS! I received the user/email: $dn <$em>\n========================================\n~}else{require Data::Dumper;my$raw=Data::Dumper::Dumper($assertion);$op.=qq~VALID RESPONSE - but unable to determine name/email\n$raw~}}}else{$op.=qq~Got SAML response but action is NOT "verify":\n$saml_response\n~;$tryagain=1}$op.=q~~;if($tryagain){$op.=qq~