taiyeoguns / laravel-saml-sp-demo Goto Github PK

Is possible in LoginListener.php
avoid to save the user? and already have the authentication?

Thank you in advance
Enrico

Hello,

I'm following your steps regarding sso circle setup.

However when submitting the form with the data it says the following:

Yet when I go into the meta data page, it only displays this:

Any idea what I'm doing wrong ?

Thanks!

Dear @taiyeoguns,

first off, thanks for your great work!

I have an issue with the listener (I believe) and I think it has to do with my Laravel version as it seems there have been some changes in the recent Laravel versions. It doesn't seem to "fire" after logging in.
Do you know what I have to do? I don't find anything regarding the SAML login in my session. But it seems the SAML-auth itself is working.

Maybe I have missed something? If I try to implement this into an existing application, what all do I have to "copy"? I have the controller, the middleware, the listener and the routes.

Thanks again!
Curtis

Hello, im having problem with logout, when i try to logout give me error 404.

Im using he same code as you but the laravel version are 5.8. All works unless logout.

Hi,

Thank you for putting together this demo, it has been really useful to learn how SAML authenticating works. I am currently adapting this project to authenticate against another idp which uses ADFS 3.0.

I am able to reach the idp login form, but when I am directed back after authenticating successful, I am sent to the error url. I am also not able to get any user attributes. I think this might be because I'm requesting firstName, lastName and emailAddress which will be labelled differently on our idp.

How can I configure which information I request from the idp?

For example, if I wanted to get the users nickname, or manager, how could I request these attributes instead of firstName, lastName, emailAddress?

Thanks

@taiyeoguns Hey i used your code and its working fine with SSO.
but i am trying to use different IDP and its show me error "Signature validation failed. SAML Response rejected"

Below is my saml2_settings.php file

true, 'routesPrefix' => '/saml2', /** * which middleware group to use for the saml routes * Laravel 5.2 will need a group which includes StartSession */ 'routesMiddleware' => ['web'], /** * Indicates how the parameters will be * retrieved from the sls request for signature validation */ 'retrieveParametersFromServer' => false, /** * Where to redirect after logout */ 'logoutRoute' => '/', /** * Where to redirect after login if no other option was provided */ 'loginRoute' => '/loggedin', /** * Where to redirect after login if no other option was provided */ 'errorRoute' => '/error', /***** * One Login Settings */ // If 'strict' is True, then the PHP Toolkit will reject unsigned // or unencrypted messages if it expects them signed or encrypted // Also will reject the messages if not strictly follow the SAML // standard: Destination, NameId, Conditions ... are validated too. 'strict' => false, //@todo: make this depend on laravel config // Enable debug mode (to print errors) 'debug' => true, //@todo: make this depend on laravel config, // If 'proxyVars' is True, then the Saml lib will trust proxy headers // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if // your application is running behind a load balancer which terminates // SSL. 'proxyVars' => false, // Service Provider Data that we are deploying 'sp' => array( // Specifies constraints on the name identifier to be used to // represent the requested subject. // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', // Usually x509cert and privateKey of the SP are provided by files placed at // the certs folder. But we can also provide them with the following parameters 'x509cert' => '', 'privateKey' => '', // Identifier (URI) of the SP entity. // Leave blank to use the 'saml_metadata' route. 'entityId' => 'url:test:laravel:php', // Specifies info about where and how the message MUST be // returned to the requester, in this case our SP. 'assertionConsumerService' => array( // URL Location where the from the IdP will be returned, // using HTTP-POST binding. // Leave blank to use the 'saml_acs' route 'url' => '', ), // Specifies info about where and how the message MUST be // returned to the requester, in this case our SP. // Remove this part to not include any URL Location in the metadata. 'singleLogoutService' => array( // URL Location where the from the IdP will be returned, // using HTTP-Redirect binding. // Leave blank to use the 'saml_sls' route 'url' => '', ), ), // Identity Provider Data that we want connect with our SP 'idp' => array( // Identifier of the IdP entity (must be a URI) // 'entityId' => $idp_host . '/saml2/idp/metadata.php', // 'entityId' => $idp_host . '/sso/SSOPOST/metaAlias/publicidp', 'entityId' => $idp_host . '/idp/shibboleth', // SSO endpoint info of the IdP. (Authentication Request protocol) 'singleSignOnService' => array( // URL Target of the IdP where the SP will send the Authentication Request Message, // using HTTP-Redirect binding. // 'url' => $idp_host . '/saml2/idp/SSOService.php', // 'url' => $idp_host . '/sso/SSORedirect/metaAlias/publicidp', //'url' => $idp_host . 'idp/profile/Shibboleth/SSO', //'url' => $idp_host . '/idp/profile/SAML2/POST/SSO', //'url' => $idp_host . '/idp/profile/SAML2/POST-SimpleSign/SSO', 'url' => $idp_host . '/idp/profile/SAML2/Redirect/SSO', ), // SLO endpoint info of the IdP. 'singleLogoutService' => array( // URL Location of the IdP where the SP will send the SLO Request, // using HTTP-Redirect binding. // 'url' => $idp_host . '/saml2/idp/SingleLogoutService.php', 'url' => $idp_host . '/sso/IDPSloRedirect/metaAlias/publicidp', ), // Public x509 certificate of the IdP // 'x509cert' => 'MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAkRFMRIwEAYDVQQKDAlTU09DaXJjbGUxCzAJBgNVBAMMAkNBMB4XDTE2MDgwMzE1MDMyM1oXDTI2MDMwNDE1MDMyM1owPTELMAkGA1UEBhMCREUxEjAQBgNVBAoTCVNTT0NpcmNsZTEaMBgGA1UEAxMRaWRwLnNzb2NpcmNsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCAwWJyOYhYmWZF2TJvm1VyZccs3ZJ0TsNcoazr2pTWcY8WTRbIV9d06zYjngvWibyiylewGXcYONB106ZNUdNgrmFd5194Wsyx6bPvnjZEERny9LOfuwQaqDYeKhI6c+veXApnOfsY26u9Lqb9sga9JnCkUGRaoVrAVM3yfghv/Cg/QEg+I6SVES75tKdcLDTt/FwmAYDEBV8l52bcMDNF+JWtAuetI9/dWCBe9VTCasAr2Fxw1ZYTAiqGI9sW4kWS2ApedbqsgH3qqMlPA7tg9iKy8Yw/deEn0qQIx8GlVnQFpDgzG9k+jwBoebAYfGvMcO/BDXD2pbWTN+DvbURlAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQhAmCewE7aonAvyJfjImCRZDtccTAfBgNVHSMEGDAWgBTA1nEA+0za6ppLItkOX5yEp8cQaTANBgkqhkiG9w0BAQsFAAOCAgEAAhC5/WsF9ztJHgo+x9KV9bqVS0MmsgpG26yOAqFYwOSPmUuYmJmHgmKGjKrj1fdCINtzcBHFFBC1maGJ33lMk2bM2THx22/O93f4RFnFab7t23jRFcF0amQUOsDvltfJw7XCal8JdgPUg6TNC4Fy9XYv0OAHc3oDp3vl1Yj8/1qBg6Rc39kehmD5v8SKYmpE7yFKxDF1ol9DKDG/LvClSvnuVP0b4BWdBAA9aJSFtdNGgEvpEUqGkJ1osLVqCMvSYsUtHmapaX3hiM9RbX38jsSgsl44Rar5Ioc7KXOOZFGfEKyyUqucYpjWCOXJELAVAzp7XTvA2q55u31hO0w8Yx4uEQKlmxDuZmxpMz4EWARyjHSAuDKEW1RJvUr6+5uA9qeOKxLiKN1jo6eWAcl6Wr9MreXR9kFpS6kHllfdVSrJES4ST0uh1Jp4EYgmiyMmFCbUpKXifpsNWCLDenE3hllF0+q3wIdu+4P82RIM71n7qVgnDnK29wnLhHDat9rkC62CIbonpkVYmnReX0jze+7twRanJOMCJ+lFg16BDvBcG8u0n/wIDkHHitBI7bU1k6c6DydLQ+69h8SCo6sO9YuD+/3xAGKad4ImZ6vTwlB4zDCpu6YgQWocWRXE+VkOb+RBfvP755PUaLfL63AFVlpOnEpIio5++UjNJRuPuAA=', 'x509cert' => 'MIIDMzCCAhugAwIBAgIUDQVo1lb3ZOm0mUKeEwLWuQYMSHkwDQYJKoZIhvcNAQELBQAwHTEbMBkGA1UEAwwScGFzc3BvcnQuc29hZXIuY29tMB4XDTE3MTIyMTIzMDAxNFoXDTM3MTIyMTIzMDAxNFowHTEbMBkGA1UEAwwScGFzc3BvcnQuc29hZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArYR/TFQ5+jihmtxn+xqLPOBs+0jX9dOoi0eCG5DIUm1VWbrckNDtC7rKKUNmwVdkSIbK9Dlrsl037dswjbRQnrRhOQ1ggikea+RoH9PfcgzEETnJtmoTVhFKZ6Cw36Ud+TO6+hDUGLlJJMqYau40RiHErS+I54NFr0c2USDrIQuYGaxvixHx155vLjJEAlovfoaUh67BoRk4kFs62CyIPaVJvq53X7NyCa9rO5Tt/KVKoYe16knqCsnmy6gnp6lkewmCBJFlcJgcrggmBOHWdB0pYSmp7V9Kfb+Khog5beqNkKgFtn4Z6VVX4xg66sgCwq8JPBEmCZvZhGn5TPqvXQIDAQABo2swaTAdBgNVHQ4EFgQU+rnx825ekeRYh9LChJuiFIqqDp8wSAYDVR0RBEEwP4IScGFzc3BvcnQuc29hZXIuY29thilodHRwczovL3Bhc3Nwb3J0LnNvYWVyLmNvbS9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAQEAfA3cKFh2C2Tst3G7RRq6Isjg//RkZ7Q7VQ70IYdx/vW7dz3sqBq2UXtkejvDM7kEdRRLW2mlqoEWrdTfdrVEWjUOsALJIF6QQHps6B/Zmj5nhzFKED8q1WwQxjStRgqhhjweG184gSdlxylzziv5OGjfJu+iHGAMgpOlk6BzGZ3f+95axx9wBM3mNJuYkE3LT5Klxj3BzED7GOjAjbsyz8vga/PE1aTiYqiCTVnfnjf77WZQ+J8P25kqCNHmAUyOeXSGfyiaxMxDvsPKA++FiRsQwzGOZQd/8GMwWJvG+4ee0dzrd5hc999lzAngxHdaPi7ZCZZNUFCAhb/Rj4rV3Q==', /* * Instead of use the whole x509cert you can use a fingerprint * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it) */ // 'certFingerprint' => 'SHA-256', 'certFingerprintAlgorithm' => 'sha256', ), /*** * * OneLogin advanced settings * * */ // Security settings 'security' => array( /** signatures and encryptions offered */ // Indicates that the nameID of the sent by this SP // will be encrypted. 'nameIdEncrypted' => false, // Indicates whether the messages sent by this SP // will be signed. [The Metadata of the SP will offer this info] 'authnRequestsSigned' => false, // Indicates whether the messages sent by this SP // will be signed. 'logoutRequestSigned' => false, // Indicates whether the messages sent by this SP // will be signed. 'logoutResponseSigned' => false, /* Sign the Metadata False || True (use sp certs) || array ( keyFileName => 'metadata.key', certFileName => 'metadata.crt' ) */ 'signMetadata' => false, /** signatures and encryptions required **/ // Indicates a requirement for the , and // elements received by this SP to be signed. 'wantMessagesSigned' => false, // Indicates a requirement for the elements received by // this SP to be signed. [The Metadata of the SP will offer this info] 'wantAssertionsSigned' => false, // Indicates a requirement for the NameID received by // this SP to be encrypted. 'wantNameIdEncrypted' => false, // Authentication context. // Set to false and no AuthContext will be sent in the AuthNRequest, // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'), 'requestedAuthnContext' => true, ), // Contact information template, it is recommended to suply a technical and support contacts 'contactPerson' => array( 'technical' => array( 'givenName' => 'name', 'emailAddress' => '[email protected]' ), 'support' => array( 'givenName' => 'Support', 'emailAddress' => '[email protected]' ), ), // Organization information template, the info in en_US lang is recomended, add more if required 'organization' => array( 'en-US' => array( 'name' => 'Name', 'displayname' => 'Display Name', 'url' => 'http://url' ), ), /* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current 'authnRequestsSigned' => false, // SP SHOULD NOT sign the , // MUST NOT assume that the IdP validates the sign 'wantAssertionsSigned' => true, 'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled 'wantNameIdEncrypted' => false, */ );