RealMeService
class RealMeService implements TemplateGlobalProvider
Traits
Provides extensions to this object to integrate it with standard config API methods.
A class that can be instantiated or replaced via DI
Constants
ENV_MTS, ENV_ITE, ENV_PROD | Currently supported RealMe environments.
TYPE_LOGIN, TYPE_ASSERT | SAML binding types.
AUTHN_LOW_STRENGTH, AUTHN_MOD_STRENTH, AUTHN_MOD_MOBILE_SMS, AUTHN_MOD_TOKEN_SID | The valid AuthN context values for each supported RealMe environment.
ERR_TIMEOUT, ERR_INTERNAL_ERROR | RealMe SAML2 error status constants.
ERR_AUTHN_FAILED, ERR_UNKNOWN_PRINCIPAL, ERR_NO_AVAILABLE_IDP, ERR_NO_PASSIVE, ERR_NO_AUTHN_CONTEXT, ERR_REQUEST_UNSUPPORTED, ERR_REQUEST_DENIED, ERR_UNSUPPORTED_BINDING | SAML2 error constants used for business logic and for switching error messages.
Config options
sync_with_local_member_database | bool
user_data | User|null
realme_env | string
allowed_realme_environments | array
integration_type | string
allowed_realme_integration_types
sp_entity_ids | array
idp_entity_ids | array
idp_sso_service_urls
idp_x509_cert_filenames | array
authn_contexts | array
allowed_authn_context_list
metadata_assertion_service_domains | array
realme_error_message_overrides | array
metadata_organisation_name | string|null
metadata_organisation_display_name | string|null
metadata_organisation_url | string|null
metadata_contact_support_company | string|null
metadata_contact_support_firstnames | string|null
metadata_contact_support_surname | string|null
Properties
Methods
Details
static Config_ForClass
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
mixed
uninherited(string $name)
Gets the uninherited value for the given config option
static Injectable
create(mixed ...$args)
An implementation of the factory method, allows you to create an instance of a class
This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create(SiteTree::class); $list = SiteTree::get();
static Injectable
singleton(string $class = null)
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
static array
get_template_global_variables()
No description
static protected HTTPRequest|null
getRequest()
No description
static User
user_data()
Return the user data which was saved to session from the first RealMe auth.
Note: Does not check authenticity or expiry of this data
getUserData()
No description
static User
current_realme_user()
Calls available user data and checks for validity
static User
currentRealMeUser()
A helpful static method that follows SilverStripe naming for Member::currentUser();
bool|null
enforceLogin(HTTPRequest $request, string $backUrl = null)
Enforce login via RealMe. This can be used in controllers to force users to be authenticated via RealMe (not necessarily logged in as a Member), in the form of:
// $request is the current HTTPRequest; the back URL is passed as the second argument
if ($service->enforceLogin($request, '/path/to/the/controller/method')) {
// User has a valid RealMe account, $service->getAuthData() will return you their details
} else {
// Something went wrong processing their details, show an error
}
In cases where people are not authenticated with RealMe, this method will redirect them directly to RealMe.
However, generally you want this to be an explicit process, so you should look at instead using the standard RealMeAuthenticator.
A return value of bool false indicates that there was a failure during the authentication process (perhaps a communication issue, or a failure to decode the response correctly). You should handle this like you would any other unexpected authentication error. You can use getLastError() to see if a human-readable error message exists for display to the user.
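As an added example (not code from the silverstripe/realme module), here is a SilverStripe controller that gates one action behind enforceLogin() exactly as the description above prescribes, handles each of the three outcomes (authenticated, failed, redirected) separately, and pairs it with a logout action that calls clearLogin(). The namespace SilverStripe\RealMe\RealMeService, the App\Control namespace, the realme-demo URL segment and the PSR-3 logger lookup are assumptions, not taken from this page; the meaning of a null return (redirect already issued) is inferred from the bool|null return type and the description.

```php
<?php
// Added example: a SilverStripe controller gated by RealMeService::enforceLogin().
// Not part of the silverstripe/realme module. Assumed: the service class is
// SilverStripe\RealMe\RealMeService; the App\Control namespace and the
// "realme-demo" URL segment are constructed; a PSR-3 logger is registered
// with the Injector.

namespace App\Control;

use Psr\Log\LoggerInterface;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Director;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\RealMe\RealMeService;

class RealMeDemoController extends Controller
{
    private static $url_segment = 'realme-demo';

    private static $allowed_actions = ['secure', 'logout'];

    /** @var RealMeService */
    protected $service;

    protected function init()
    {
        parent::init();
        // Resolve through the Injector so the class can be substituted via DI config.
        $this->service = Injector::inst()->get(RealMeService::class);
    }

    // An action only RealMe-authenticated visitors may reach. They need not be
    // logged in as a Member; a valid RealMe session is what is being enforced.
    public function secure(HTTPRequest $request)
    {
        // Absolute URL RealMe sends the visitor back to, passed as the second
        // argument of enforceLogin() rather than via a session key.
        $backUrl = Director::absoluteURL($this->Link('secure'));

        // true  -> the visitor holds a valid RealMe session
        // false -> the authentication process failed (e.g. undecodable response)
        // null  -> assumed here to mean enforceLogin() has redirected to RealMe
        $result = $this->service->enforceLogin($request, $backUrl);

        if ($result === true) {
            $user = $this->service->getAuthData();
            if ($user === null) {
                // The session claims authentication but no user object could be
                // built: fail closed instead of trusting partial data.
                return $this->httpError(500, 'RealMe session data could not be read');
            }
            return 'Authenticated via RealMe';
        }

        if ($result === false) {
            // Record the detail for operators; show the visitor only the
            // human-readable message, if the service provides one.
            $message = $this->service->getLastError();
            Injector::inst()->get(LoggerInterface::class)
                ->warning('RealMe authentication failed', ['error' => $message]);
            return $this->httpError(403, $message ?: 'RealMe authentication failed');
        }

        // $result === null: the redirect to RealMe has already been issued.
        return $this->getResponse();
    }

    // Drops the RealMe credentials from the session. Call this alongside any
    // Member logout so a RealMe session cannot outlive the local one.
    public function logout(HTTPRequest $request)
    {
        $this->service->clearLogin($request);
        return $this->redirect($this->Link());
    }
}
```

The false branch deliberately separates what is logged from what is displayed: getLastError() may carry SAML status detail that is useful to an operator but should reach the visitor only when it is the human-readable message the description refers to.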
bool
isAuthenticated()
Checks data stored in Session to see if the user is authenticated.
User|null
getAuthData()
Returns a RealMeUser object if one can be built from the RealMe session data.
void
clearLogin(HTTPRequest $request)
Clear the RealMe credentials from Session, called during Security->logout() overrides
getLastError()
No description
string
getBackURL(HTTPRequest $request)
No description
getErrorBackURL(HTTPRequest $request)
No description
string|null
getCertDir(string $subdir = null)
No description
string|null
getAuthnContextForEnvironment(string $env)
Returns the appropriate AuthN Context, given the environment passed in. The AuthNContext may be different per environment, and should be one of the strings as defined in the static RealMeService::$authn_contexts at the top of this class.
string|null
getSigningCertPath()
Returns the full path to the SAML signing certificate file, used by SimpleSAMLphp to sign all messages sent to RealMe.
getIdPCertPath()
No description
getSPCertContent($contentType = 'certificate')
No description
getIdPCertContent()
No description
string|null
getCertificateContents(string $certPath, string $contentType = 'certificate')
Returns the content of the SAML signing certificate. This is used by getAuth() and by RealMeSetupTask to produce metadata XML files.
string|null
getAssertionConsumerServiceUrlForEnvironment(string $env)
No description
string|null
getMetadataOrganisationName()
No description
string|null
getMetadataOrganisationDisplayName()
No description
string|null
getMetadataOrganisationUrl()
No description
string[]
getMetadataContactSupport()
No description
array
getAllowedRealMeEnvironments()
The list of RealMe environments that can be used. By default, we allow mts, ite and production.
array
getAllowedAuthNContextList()
The list of valid RealMe AuthN contexts.
string|null
getSPEntityID()
Returns the appropriate entity ID for RealMe, given the environment passed in. The entity ID may be different per environment, and should be a full URL, including privacy realm and application name. For example, this may be: https://www.agency.govt.nz/privacy-realm-name/application-name
Auth
getAuth(HTTPRequest $request = null)
Returns the internal Auth object against which visitors are authenticated.
string
getNameIdFormat()
No description