taiyeoguns / laravel-saml-sp-demo
Laravel demo application showing implementation of SAML authentication as a Service Provider.
Home Page: https://laravel-saml-sp-demo.herokuapp.com
Hello, while this is an old repo, it is really great. It helped me a lot. However, there is one thing I am not able to figure out. If a user is not logged in and visits a specific page of my site, they get redirected to the login; however, after a successful login, they are redirected to the route defined in the saml2_settings. How can I redirect to the original URL they visited before being redirected to the login?
Is it possible in LoginListener.php to avoid saving the user and already have the authentication?
Thank you in advance
Enrico
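The return-to-original-page behaviour asked about above is what SAML's RelayState is for: the SP hands the IdP an opaque value with the AuthnRequest and gets it back unchanged with the Response. The middleware below is an added example, not the demo's own code. It assumes the aacotroneo/laravel-saml2 package that this demo's saml2_settings.php belongs to, whose `Saml2Auth::login($returnTo)` places `$returnTo` in RelayState and redirects the browser to the IdP, and whose ACS handling redirects to the RelayState it receives (falling back to `loginRoute`). The class name `SamlAuthenticate` and the `safeReturnUrl()` helper are this example's own.

```php
<?php
// Added example (not code from the demo repository).
// Assumes aacotroneo/laravel-saml2: Saml2Auth::login($returnTo) builds the
// AuthnRequest, sets RelayState to $returnTo and redirects to the IdP.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Aacotroneo\Saml2\Facades\Saml2Auth;

class SamlAuthenticate
{
    public function handle(Request $request, Closure $next)
    {
        if (Auth::check()) {
            return $next($request);
        }

        // Only GET navigations are worth returning to; a POST body is lost anyway.
        $returnTo = $request->isMethod('GET') ? $request->fullUrl() : url('/');

        // Keep a server-side copy as a fallback: RelayState travels through the
        // IdP and the browser, and the spec caps it at 80 bytes, so some IdPs
        // truncate or drop long URLs.
        $request->session()->put('url.intended', $returnTo);

        return Saml2Auth::login(self::safeReturnUrl($returnTo));
    }

    /**
     * RelayState comes back in the browser's POST to the ACS, so it is
     * attacker-controlled. Accept only relative paths or absolute URLs on our
     * own host; anything else becomes "/", which closes the open-redirect
     * (login link that lands the victim on a look-alike site after SSO).
     * Call this again on the value read from the Response before redirecting.
     */
    public static function safeReturnUrl(string $candidate, ?string $ownHost = null): string
    {
        $ownHost = $ownHost ?? parse_url(config('app.url'), PHP_URL_HOST);

        // Browsers treat "\" like "/" in some positions ("/\evil.com"), so
        // refuse it outright rather than reasoning about it.
        if (strpos($candidate, '\\') !== false) {
            return '/';
        }

        $parts = parse_url($candidate);
        if ($parts === false) {
            return '/';
        }

        if (!isset($parts['host'])) {
            // Relative: must be a single leading slash. "//evil.com" parses
            // with a host and is caught below; "javascript:..." has no slash.
            $path = $parts['path'] ?? '';
            return preg_match('#^/(?!/)#', $path) ? $candidate : '/';
        }

        if (strcasecmp($parts['host'], $ownHost) !== 0) {
            return '/';
        }

        return $candidate;
    }
}
```

Register the middleware on the protected routes instead of a plain auth redirect. Whatever handles the ACS response (the demo's controller or listener) should pass `$request->input('RelayState')` through `safeReturnUrl()` before issuing the redirect, and use the session's `url.intended` when RelayState is missing; do not redirect to RelayState unchecked.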
Hello,
I'm following your steps regarding the SSOCircle setup.
However, when I submit the form with the data, it says the following:
Error occurred
Reason: A http://localhost:8000/saml2/metadata entity already exists. Go to the *Manage Metadata*, and delete the existing http://localhost:8000/saml2/metadata entity first.
Detailed trace information only available with paid accounts.
Please check our plans
Yet when I go into the metadata page, it only displays this:
Service Provider Metadata
You currently do not have Service Provider Metadata
Add new Service Provider
SSOCircle Public IDP Metadata
SSOCircle Public IDP Metadata (deprecated)
Any idea what I'm doing wrong ?
Thanks!
Dear @taiyeoguns,
first off, thanks for your great work!
I have an issue with the listener (I believe), and I think it has to do with my Laravel version, as it seems there have been some changes in the recent Laravel versions. It doesn't seem to "fire" after logging in.
Do you know what I have to do? I don't find anything regarding the SAML login in my session, but the SAML auth itself seems to be working.
Maybe I have missed something? If I try to implement this into an existing application, what exactly do I have to "copy"? I have the controller, the middleware, the listener and the routes.
Thanks again!
Curtis
Hello, I'm having a problem with logout: when I try to log out, I get a 404 error.
I'm using the same code as you, but the Laravel version is 5.8. Everything works except logout.
Hi,
Thank you for putting together this demo; it has been really useful to learn how SAML authentication works. I am currently adapting this project to authenticate against another IdP, which uses ADFS 3.0.
I am able to reach the IdP login form, but when I am directed back after authenticating successfully, I am sent to the error URL. I am also not able to get any user attributes. I think this might be because I'm requesting firstName, lastName and emailAddress, which will be labelled differently on our IdP.
How can I configure which information I request from the IdP?
For example, if I wanted to get the user's nickname or manager, how could I request these attributes instead of firstName, lastName and emailAddress?
Thanks
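Two of the questions above, the listener that does not fire and the attributes that come back under different names from ADFS, meet in the same place: the login event listener. The class below is an added example, not the demo's LoginListener. It assumes aacotroneo/laravel-saml2's `Saml2LoginEvent`, whose `getSaml2User()->getAttributes()` returns the assertion attributes as `name => array of values`, and a standard `App\User` Eloquent model. The `attributeMap` config key and the `SamlLoginListener` name are this example's own inventions. The ADFS claim URIs shown are the ones ADFS emits for the standard e-mail, given-name and surname claims when the relying-party trust does not rename them; an attribute such as a manager or nickname is requested by adding a claim rule on the ADFS side and then listing its outgoing claim type in the map, not by changing anything in the AuthnRequest.

```php
<?php
// Added example (not the demo's own listener).
// Assumes aacotroneo/laravel-saml2 and a standard App\User model.

namespace App\Listeners;

use Aacotroneo\Saml2\Events\Saml2LoginEvent;
use App\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class SamlLoginListener
{
    /**
     * Local field => attribute names to try, in order. The short names are
     * what SSOCircle releases; the URIs are ADFS's default outgoing claim
     * types. Override per deployment via a hypothetical 'attributeMap' key
     * in config/saml2_settings.php (not part of the package's config).
     */
    const DEFAULT_MAP = [
        'email'     => ['emailAddress', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
        'firstName' => ['firstName',    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'],
        'lastName'  => ['lastName',     'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'],
    ];

    public function handle(Saml2LoginEvent $event)
    {
        $samlUser = $event->getSaml2User();
        $attrs    = $samlUser->getAttributes();   // name => [value, ...]

        $map    = config('saml2_settings.attributeMap', self::DEFAULT_MAP);
        $fields = self::mapAttributes($attrs, $map);

        if ($fields['email'] === null) {
            // Never create or match an account without an identifier the IdP
            // actually asserted. Log what WAS released so the mismatch is
            // visible in the Laravel log instead of a silent redirect.
            Log::warning('SAML assertion released no usable e-mail attribute', [
                'nameId'   => $samlUser->getUserId(),
                'released' => array_keys($attrs),
            ]);
            abort(403, 'Identity provider did not release an e-mail address');
        }

        $user = User::firstOrNew(['email' => $fields['email']]);
        $user->name = trim(($fields['firstName'] ?? '') . ' ' . ($fields['lastName'] ?? ''));
        $user->save();

        Auth::login($user);
    }

    /**
     * Pick the first non-empty candidate for each local field.
     * Kept static and side-effect free so it can be unit-tested with a
     * hand-built $attrs array, without a SAML round trip.
     */
    public static function mapAttributes(array $attrs, array $map): array
    {
        $out = [];
        foreach ($map as $field => $candidates) {
            $out[$field] = null;
            foreach ((array) $candidates as $name) {
                if (!empty($attrs[$name][0])) {
                    $out[$field] = $attrs[$name][0];
                    break;
                }
            }
        }
        return $out;
    }
}

// Wiring, in app/Providers/EventServiceProvider.php. If the listener never
// "fires", this mapping is the first thing to check: the event is only
// dispatched to listeners registered for the fully qualified event class.
//
//   protected $listen = [
//       \Aacotroneo\Saml2\Events\Saml2LoginEvent::class => [
//           \App\Listeners\SamlLoginListener::class,
//       ],
//   ];
```

Newer Laravel releases can discover listeners automatically, but the explicit `$listen` mapping above works on every version and makes it obvious which class handles the event. To see the attribute names an unfamiliar IdP really sends, log `array_keys($attrs)` once in a development environment before deciding on the map; guessing names is the usual reason "no attributes arrive".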
@taiyeoguns Hey, I used your code and it's working fine with SSO.
But I am trying to use a different IdP, and it shows me the error "Signature validation failed. SAML Response rejected".
Below is my saml2_settings.php file:

```php
<?php

// The head of the posted file was lost in extraction; $idp_host must be
// defined before the array (reconstructed line: the IdP's base URL).
$idp_host = env('SAML2_IDP_HOST');

return array(

    // key reconstructed: only its value (true) survived in the post
    'useRoutes' => true,

    'routesPrefix' => '/saml2',

    /**
     * which middleware group to use for the saml routes
     * Laravel 5.2 will need a group which includes StartSession
     */
    'routesMiddleware' => ['web'],

    /**
     * Indicates how the parameters will be
     * retrieved from the sls request for signature validation
     */
    'retrieveParametersFromServer' => false,

    /**
     * Where to redirect after logout
     */
    'logoutRoute' => '/',

    /**
     * Where to redirect after login if no other option was provided
     */
    'loginRoute' => '/loggedin',

    /**
     * Where to redirect when the SAML response is rejected
     */
    'errorRoute' => '/error',

    /*****
     * One Login Settings
     */

    // If 'strict' is True, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them signed or encrypted
    // Also will reject the messages if not strictly follow the SAML
    // standard: Destination, NameId, Conditions ... are validated too.
    'strict' => false, //@todo: make this depend on laravel config

    // Enable debug mode (to print errors)
    'debug' => true, //@todo: make this depend on laravel config

    // If 'proxyVars' is True, then the Saml lib will trust proxy headers
    // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
    // your application is running behind a load balancer which terminates
    // SSL.
    'proxyVars' => false,

    // Service Provider Data that we are deploying
    'sp' => array(
        // Specifies constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        'x509cert' => '',
        'privateKey' => '',

        // Identifier (URI) of the SP entity.
        // Leave blank to use the 'saml_metadata' route.
        'entityId' => 'url:test:laravel:php',

        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array(
            // URL Location where the <Response> from the IdP will be returned,
            // using HTTP-POST binding.
            // Leave blank to use the 'saml_acs' route
            'url' => '',
        ),
        // Specifies info about where and how the <LogoutResponse> message MUST be
        // returned to the requester, in this case our SP.
        // Remove this part to not include any URL Location in the metadata.
        'singleLogoutService' => array(
            // URL Location where the <LogoutResponse> from the IdP will be returned,
            // using HTTP-Redirect binding.
            // Leave blank to use the 'saml_sls' route
            'url' => '',
        ),
    ),

    // Identity Provider Data that we want connect with our SP
    'idp' => array(
        // Identifier of the IdP entity (must be a URI)
        // 'entityId' => $idp_host . '/saml2/idp/metadata.php',
        // 'entityId' => $idp_host . '/sso/SSOPOST/metaAlias/publicidp',
        'entityId' => $idp_host . '/idp/shibboleth',

        // SSO endpoint info of the IdP. (Authentication Request protocol)
        'singleSignOnService' => array(
            // URL Target of the IdP where the SP will send the Authentication Request Message,
            // using HTTP-Redirect binding.
            // 'url' => $idp_host . '/saml2/idp/SSOService.php',
            // 'url' => $idp_host . '/sso/SSORedirect/metaAlias/publicidp',
            // 'url' => $idp_host . 'idp/profile/Shibboleth/SSO',
            // 'url' => $idp_host . '/idp/profile/SAML2/POST/SSO',
            // 'url' => $idp_host . '/idp/profile/SAML2/POST-SimpleSign/SSO',
            'url' => $idp_host . '/idp/profile/SAML2/Redirect/SSO',
        ),

        // SLO endpoint info of the IdP.
        'singleLogoutService' => array(
            // URL Location of the IdP where the SP will send the SLO Request,
            // using HTTP-Redirect binding.
            // 'url' => $idp_host . '/saml2/idp/SingleLogoutService.php',
            'url' => $idp_host . '/sso/IDPSloRedirect/metaAlias/publicidp',
        ),

        // Public x509 certificate of the IdP
        // 'x509cert' => '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',
        'x509cert' => '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',

        /*
         * Instead of use the whole x509cert you can use a fingerprint
         * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
         */
        // 'certFingerprint' => 'SHA-256',
        'certFingerprintAlgorithm' => 'sha256',
    ),

    /***
     *
     * OneLogin advanced settings
     *
     */

    // Security settings
    'security' => array(

        /** signatures and encryptions offered */

        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
        // will be encrypted.
        'nameIdEncrypted' => false,

        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
        // will be signed. [The Metadata of the SP will offer this info]
        'authnRequestsSigned' => false,

        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
        // will be signed.
        'logoutRequestSigned' => false,

        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
        // will be signed.
        'logoutResponseSigned' => false,

        /* Sign the Metadata
         False || True (use sp certs) || array (
                                                    keyFileName => 'metadata.key',
                                                    certFileName => 'metadata.crt'
                                               )
        */
        'signMetadata' => false,

        /** signatures and encryptions required **/

        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
        // <samlp:LogoutResponse> elements received by this SP to be signed.
        'wantMessagesSigned' => false,

        // Indicates a requirement for the <saml:Assertion> elements received by
        // this SP to be signed. [The Metadata of the SP will offer this info]
        'wantAssertionsSigned' => false,

        // Indicates a requirement for the NameID received by
        // this SP to be encrypted.
        'wantNameIdEncrypted' => false,

        // Authentication context.
        // Set to false and no AuthContext will be sent in the AuthNRequest,
        // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
        'requestedAuthnContext' => true,
    ),

    // Contact information template, it is recommended to supply a technical and support contacts
    'contactPerson' => array(
        'technical' => array(
            'givenName' => 'name',
            'emailAddress' => '[email protected]'
        ),
        'support' => array(
            'givenName' => 'Support',
            'emailAddress' => '[email protected]'
        ),
    ),

    // Organization information template, the info in en_US lang is recommended, add more if required
    'organization' => array(
        'en-US' => array(
            'name' => 'Name',
            'displayname' => 'Display Name',
            'url' => 'http://url'
        ),
    ),

    /* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current

       'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
                                          // MUST NOT assume that the IdP validates the sign
       'wantAssertionsSigned' => true,
       'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
       'wantNameIdEncrypted' => false,
    */
);
```
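"Signature validation failed. SAML Response rejected" is raised by the OneLogin php-saml toolkit underneath this package when the Response or Assertion carries a signature that does not verify against the certificate in `'idp' => 'x509cert'` (or the configured fingerprint). After switching IdPs, the usual cause is that the old IdP's certificate is still configured; the fix is to install the signing certificate the new IdP publishes in its metadata. Relaxing `'strict'` or the `want*Signed` flags does not help with this error (they govern what happens when no signature is present) and would only weaken what the SP still checks. The script below is an added example, not part of the demo: it pulls the signing certificates out of an IdP metadata document and compares SHA-256 fingerprints with the certificate you intend to paste into `x509cert`. The file names on the command line are the only assumptions.

```php
<?php
// Added example (not part of the demo): check the IdP signing certificate
// you configure against the IdP's published metadata.
//
//   php check-idp-cert.php idp-metadata.xml idp.crt
//
// idp.crt may be PEM or the bare base64 you paste into 'x509cert'.

/** Strip PEM armour and whitespace so certs from any source compare equal. */
function normalizeCert(string $cert): string
{
    $cert = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', $cert);
    return preg_replace('/\s+/', '', $cert);
}

/** Fingerprint of the DER certificate, colon-separated as openssl prints it. */
function certFingerprint(string $certB64, string $algo = 'sha256'): string
{
    $der = base64_decode(normalizeCert($certB64), true);
    if ($der === false) {
        throw new InvalidArgumentException('certificate is not valid base64');
    }
    return strtoupper(implode(':', str_split(hash($algo, $der), 2)));
}

/**
 * Base64 certificates the IdP publishes for signing. A KeyDescriptor with
 * no "use" attribute serves both signing and encryption, so it counts;
 * use="encryption" does not. Several certs are normal during key rollover.
 */
function idpSigningCerts(string $metadataXml): array
{
    $doc = new DOMDocument();
    // Metadata is untrusted input: LIBXML_NONET stops DTD/entity fetches.
    if (!$doc->loadXML($metadataXml, LIBXML_NONET)) {
        throw new InvalidArgumentException('metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');

    $query = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]'
           . '//ds:X509Certificate';
    $certs = [];
    foreach ($xp->query($query) as $node) {
        $certs[] = normalizeCert($node->textContent);
    }
    return array_values(array_unique($certs));
}

/** true if the configured certificate is one the IdP currently signs with. */
function configuredCertMatches(string $configuredCert, string $metadataXml): bool
{
    $want = certFingerprint($configuredCert);
    foreach (idpSigningCerts($metadataXml) as $cert) {
        if (hash_equals($want, certFingerprint($cert))) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $xml        = file_get_contents($argv[1]);
    $configured = file_get_contents($argv[2]);

    foreach (idpSigningCerts($xml) as $cert) {
        echo 'IdP publishes signing cert ' . certFingerprint($cert) . PHP_EOL;
    }
    echo 'Configured idp.x509cert    ' . certFingerprint($configured) . PHP_EOL;
    echo configuredCertMatches($configured, $xml)
        ? 'MATCH' . PHP_EOL
        : 'MISMATCH: replace idp.x509cert with a certificate from the metadata' . PHP_EOL;
}
```

If the fingerprints match and the error persists, the remaining candidates are an IdP that signs only the Assertion and encrypts it (the SP then needs its own `privateKey` to decrypt before it can verify) or a metadata document fetched from a different entity than the one in `'idp' => 'entityId'`; the Shibboleth-style entityId and the SSOCircle-style SLO URL in the posted config point at two different IdPs, so it is worth confirming both come from the same metadata.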