Created
December 4, 2014 09:59
-
-
Save olberger/d34253822a84664648b3 to your computer and use it in GitHub Desktop.
Connection to a web app protected via Shibboleth with curl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| #set -x | |
| # Usage: shibb-cas-get.sh {username} {password} # If you have any errors try removing the redirects to get more information | |
| # The service to be called, and a url-encoded version (the url encoding isn't perfect, if you're encoding complex stuff you may wish to replace with a different method) | |
| DEST=https://myapp.example.com/ | |
| SP=https://myapp.example.com/index.php | |
| IDP="https://myidp.example.com/idp/shibboleth&btn_sso=SSOok" | |
| #Authentication details. This script only supports username/password login, but curl can handle certificate login if required | |
| USERNAME=$1 | |
| PASSWORD=$2 | |
| #Temporary files used by curl to store cookies and http headers | |
| COOKIE_JAR=.cookieJar | |
| HEADER_DUMP_DEST=.headers | |
| rm $COOKIE_JAR | |
| rm $HEADER_DUMP_DEST | |
| #The script itself is below | |
| # 1. connect to the page which will display the WAYF | |
| curl -s -k -c $COOKIE_JAR "$DEST" -o /dev/null | |
| # 2. Choose the Shibb provider and get redirected to the CAS login form | |
| #Visit CAS and get a login form. This includes a unique ID for the form, which we will store in CAS_ID and attach to our form submission. jsessionid cookie will be set here | |
| CAS_ID=`curl -s -L --data "provider=$IDP" -i -b $COOKIE_JAR -c $COOKIE_JAR "$SP" -D $HEADER_DUMP_DEST | grep name=.lt | sed 's/.*value..//' | sed 's/\".*//'` | |
| dos2unix $HEADER_DUMP_DEST > /dev/null 2>&1 | |
| CURL_DEST=`grep Location $HEADER_DUMP_DEST | tail -n 1 | sed 's/Location: //'` | |
| # 3. Submit the login form, using the cookies saved in the cookie jar and the form submission ID just extracted. We keep the headers from this request as the return value should be a 302 including a "ticket" param which we'll need in the next request | |
| curl -L -s -k --data "username=$USERNAME&password=$PASSWORD<=$CAS_ID&_eventId=submit&submit=LOGIN" -i -b $COOKIE_JAR -c $COOKIE_JAR $CURL_DEST -D $HEADER_DUMP_DEST -o file.html | |
| # 4. Extract the SAMLResponse and RelayState from the page and submit it | |
| grep 'name=.SAMLResponse' file.html | sed 's/.*value..//' | sed 's/\".*//' > samlresponse.txt | |
| relaystate=`grep 'name=.RelayState' file.html | sed 's/.*value..//' | sed 's/\".*//' | perl -MHTML::Entities -le 'while(<>) {print decode_entities($_);}'` | |
| target=`grep 'form action.' file.html | sed 's/.*action..//' | sed 's/\".*//' | perl -MHTML::Entities -le 'while(<>) {print decode_entities($_);}'` | |
| # Post the form and get redirected to the page | |
| curl -L -s -k --data "RelayState=$relaystate" --data-urlencode SAMLResponse@samlresponse.txt -i -b $COOKIE_JAR -c $COOKIE_JAR "$target" | |
Please note that all users on the same machine can see your password in the process list and use it to access all services in your name through the SSO.
I wrote an updated fork here feel free to comment any issue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I should note that this was adapted from https://gist.github.com/dodok1/4134605