aacotroneo / laravel-saml2 Goto Github PK

Can I use SAML2 to authenticate in Shibboleth?

Hi,

When i am trying to logout using the Saml2Auth::logout(); with google its showing the following error

Error parsing the request, malformed_request: The SAML request is malformed

can help me about this what i am missing in settings

When I am enabling the following security options, I am getting a 'Reference validation error'.

'authnRequestsSigned' => true,
'wantAssertionsSigned' => true,

Just a suggestion, but I think that the User object shouldn't really be responsible for dealing with input from the request.

I'm thinking of making an MR which moves this responsibility out, so that the controller does the getIntendedUrl logic internally, and moving the getRawSamlAssertation onto the Saml2LoginEvent so it can still be accessed by the parent application.

My only worry is that this would be a breaking change to the previous versions, but if you are happy with that I think it sticks to the Single Responsibility Principle a bit more.

When the current application doesn't fire the logout event, the application receives $_GET['SAMLRequest'] instead of $_GET['SAMLResponse'], which sends the OneLogin Saml2 library into a branch which redirects the user rather than returning:

else if (isset($_GET) && isset($_GET['SAMLRequest'])) {
    if (!$logoutRequest->isValid($retrieveParametersFromServer)) {
        $this->_errors[] = 'invalid_logout_request';
        $this->_errorReason = $logoutRequest->getError();
    } else {
        // ...
        $this->redirectTo($this->getSLOurl(), $parameters);
    }
}

What this means is that the function never returns, and the logout event never fires, which means that the user's session doesn't actually get cleared.

I'm not sure what the best option is here - we can look for that $_GET variable and fire off the logout event early (although that has problems because we're not verifying the logout request before firing the event).

I kept getting this error

OneLogin_Saml2_Error in Settings.php line 121:
Invalid array settings: idp_sso_url_invalid, idp_slo_url_invalid

and here is my settings

`<?php

//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_host = 'https://identityfederation.uat.connect.company/fed/idp';

return $settings = array(

/**
 * If 'useRoutes' is set to true, the package defines five new routes:
 *
 *    Method | URI                      | Name
 *    -------|--------------------------|------------------
 *    POST   | {routesPrefix}/acs       | saml_acs
 *    GET    | {routesPrefix}/login     | saml_login
 *    GET    | {routesPrefix}/logout    | saml_logout
 *    GET    | {routesPrefix}/metadata  | saml_metadata
 *    GET    | {routesPrefix}/sls       | saml_sls
 */
'useRoutes' => true,

'routesPrefix' => '/samlv20',

/**
 * which middleware group to use for the saml routes
 * Laravel 5.2 will need a group which includes StartSession
 */
'routesMiddleware' => [],

/**
 * Indicates how the parameters will be
 * retrieved from the sls request for signature validation
 */
'retrieveParametersFromServer' => false,

/**
 * Where to redirect after logout
 */
'logoutRoute' => '/',

/**
 * Where to redirect after login if no other option was provided
 */
'loginRoute' => '/admin/dashboard',


/**
 * Where to redirect after login if no other option was provided
 */
'errorRoute' => '/',




/*****
 * One Login Settings
 */



// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config

// Enable debug mode (to print errors)
'debug' => false, //@todo: make this depend on laravel config

// Service Provider Data that we are deploying
'sp' => array(

    // Specifies constraints on the name identifier to be used to
    // represent the requested subject.
    // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Usually x509cert and privateKey of the SP are provided by files placed at
    // the certs folder. But we can also provide them with the following parameters
    'x509cert' => '/benudata/certificates/testserver.benunets.com.cert.pem',
    'privateKey' => '/benudata/certificates/testserver.benunets.com.key.pem',

    // Identifier (URI) of the SP entity.
    // Leave blank to use the 'saml_metadata' route.
    'entityId' => 'testserver.benunets.com',

    // Specifies info about where and how the <AuthnResponse> message MUST be
    // returned to the requester, in this case our SP.
    'assertionConsumerService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-POST binding.
        // Leave blank to use the 'saml_acs' route
        'url' => 'https://testserver.benunets.com/admin/secure/dashboard',
    ),
    // Specifies info about where and how the <Logout Response> message MUST be
    // returned to the requester, in this case our SP.
    'singleLogoutService' => array(
        // URL Location where the <Response> from the IdP will be returned,
        // using HTTP-Redirect binding.
        // Leave blank to use the 'saml_sls' route
        'url' => 'https://testserver.benunets.com/admin/login/error',
    ),
),

// Identity Provider Data that we want connect with our SP
'idp' => array(
    // Identifier of the IdP entity  (must be a URI)
    'entityId' => 'Telenet',
    // SSO endpoint info of the IdP. (Authentication Request protocol)
    'singleSignOnService' => array(
        // URL Target of the IdP where the SP will send the Authentication Request Message,
        // using HTTP-Redirect binding.
        'url' => 'https://identityfederation.uat.connect.company/fed/idp/samlv20',
    ),
    // SLO endpoint info of the IdP.
    'singleLogoutService' => array(
        // URL Location of the IdP where the SP will send the SLO Request,
        // using HTTP-Redirect binding.
        'url' => 'https://identityfederation.uat.connect.company/fed/idp/samlv20',
    ),
    // Public x509 certificate of the IdP
    'x509cert' => '****',
    /*
     *  Instead of use the whole x509cert you can use a fingerprint
     *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
     */
    // 'certFingerprint' => 'Telenet need to provided',
),



/***
 *
 *  OneLogin advanced settings
 *
 *
 */
// Security settings
'security' => array(

    /** signatures and encryptions offered */

    // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
    // will be encrypted.
    'nameIdEncrypted' => false,

    // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
    // will be signed.              [The Metadata of the SP will offer this info]
    'authnRequestsSigned' => false,

    // Indicates whether the <samlp:logoutRequest> messages sent by this SP
    // will be signed.
    'logoutRequestSigned' => false,

    // Indicates whether the <samlp:logoutResponse> messages sent by this SP
    // will be signed.
    'logoutResponseSigned' => false,

    /* Sign the Metadata
     False || True (use sp certs) || array (
                                                keyFileName => 'metadata.key',
                                                certFileName => 'metadata.crt'
                                            )
    */
    'signMetadata' => false,


    /** signatures and encryptions required **/

    // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
    // <samlp:LogoutResponse> elements received by this SP to be signed.
    'wantMessagesSigned' => false,

    // Indicates a requirement for the <saml:Assertion> elements received by
    // this SP to be signed.        [The Metadata of the SP will offer this info]
    'wantAssertionsSigned' => false,

    // Indicates a requirement for the NameID received by
    // this SP to be encrypted.
    'wantNameIdEncrypted' => false,

    // Authentication context.
    // Set to false and no AuthContext will be sent in the AuthNRequest,
    // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
    // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
    'requestedAuthnContext' => true,
),

// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array(
    'technical' => array(
        'givenName' => 'name',
        'emailAddress' => '[email protected]'
    ),
    'support' => array(
        'givenName' => 'Support',
        'emailAddress' => '[email protected]'
    ),
),

// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array(
    'en-US' => array(
        'name' => 'Name',
        'displayname' => 'Display Name',
        'url' => 'http://url'
    ),
),

/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current

'authnRequestsSigned' => false, // SP SHOULD NOT sign the samlp:AuthnRequest,
// MUST NOT assume that the IdP validates the sign
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
'wantNameIdEncrypted' => false,
*/

);
`

How can I prevent that ?

With 0d5412d commit, Saml2User.php became broken.
While replacing facade usages with helper function, url() helper function misused.
url() helper function returns string, so that url()->full() usage is wrong

I have configured this per the instructions included in the readme.md. However when I attempt to go to /saml2/metadata I get PHP Fatal error: 'continue' not in the 'loop' or 'switch' context in /app/vendor/onelogin/php-saml/lib/Saml2/Utils.php on line 1006. For reference I am using V0.6.0

I updated my vendors today and now I have this error upon login. I think onelogin/php-saml has been updated and now your script is not compliant with it anymore.

exception 'OneLogin_Saml2_Error' with message 'Invalid array settings: sp_acs_url_invalid'

I have tried to set up this package, but I'm facing the error "Metadata not found for entity". Do you know what this can be? I'm new to SAML

Is it possible to execute a custom SAML call after the user has logged in? I was thinking of dynamically changing the settings returned by saml2_settings.php and then call the Saml2::login() function again. Is that the best way to accomplish this or is there a better way?

The readme is confusing and will lead to a lot of errors and lost hours if followed verbatim. You should make the following changes:

METADATA
$metadata['http://laravel_url/saml2/metadata'] = array(
'AssertionConsumerService' => 'http://laravel_url/saml2/acs',
'SingleLogoutService' => 'http://laravel_url/saml2/sls',
//the following two affect what the $Saml2user->getUserId() will return
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'uid'
);

instead of

$metadata['http://laravel_url/saml/metadata'] = array(
'AssertionConsumerService' => 'http://laravel_url/saml/acs',
'SingleLogoutService' => 'http://laravel_url/saml/sls',
//the following two affect what the $Saml2user->getUserId() will return
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'simplesaml.nameidattribute' => 'uid'
);

LOGIN AND LOGOUT
Use Saml2;
......
......
Saml2::login() and Saml2::logout()

instead of
Saml2Auth::login() and Saml2Auth::logout()

Laravel 5.1 is released, hope you can update it to support it! Thanks.

Hi,

is it possible to use dynamic routesPrefix and Identity Provider Data from database?
Now all is in saml2_settings.php but I want create saml2 login for multiple IdP and I need keep settings in DB. Do you have any solution for this?

Next question is about saml2 routes. I have project with multiple authentication forms (admin, default etc.). Every authentication form is on the different subdomain. What I need is create route group with scope domain. Now I see something like this:

Route::group([
    'prefix' => config('saml2_settings.routesPrefix'),
    'middleware' => config('saml2_settings.routesMiddleware'),
], function () { 
...

Maybe better idea will be something like this:

Route::group(config('saml2_settings.routesGroup'), function () { ...

?

Last one question:
Are you thinking about integration saml2 with oauth2: https://help.sap.com/saphelp_nw74/helpdata/en/12/41087770d9441682e3e02958997846/content.htm ? IMHO it is great feature.

Best Regards
Peter

In your configuration section,

You guys said, "if you use simplesamlphp, add the following to /metadata/sp-remote.php"

I'm a little confuse right now, since this is my first time implementing this integration.

Does that mean I have to pre-installed simplesampleid in order to use this package ?

Also, I saw you start using http://laravel_url/ in

$metadata['http://laravel_url/saml/metadata'] = array(
    'AssertionConsumerService' => 'http://laravel_url/saml/acs',
    'SingleLogoutService' => 'http://laravel_url/saml/sls',
    //the following two affect what the $Saml2user->getUserId() will return
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid' 
);

What is that ? How do I get that ?

I am not implementing the iDP. I got the end point from the IT guy.
In that case, should I request for ACS, and SLS URL too ?

Are those manditory for these 2 lines ?

    'AssertionConsumerService' => 'http://laravel_url/saml/acs',
    'SingleLogoutService' => 'http://laravel_url/saml/sls',

Any hints / suggestions will mean a lot to me !!

Hello,

Is it possible to use dynamic $idp_host? We would like to get that url from user's settings..

I am new to the Laravel world!
I am trying to configure this Library in Laravel 5, I setup a dummy laravel application and followed your provided steps. But when I execute the below command then everything went wrong
php artisan config:publish aacotroneo/laravel-saml2

" [Symfony\Component\Debug\Exception\FatalErrorException]
class 'aacotroneo\sam2\saml2serviceprovider' not found "

Can you please help me, what I missed?
or this configuration steps is for Laravel 4 as mentioned in the "Installation - Composer" description.

Thanks in advance.

I am not all that familiar with SAML so bare with me.

I just installed this package in a new instance of Laravel 5. Unfortunately I am getting this error The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext.

Any thoughts on how what this error means?

By the way I am connecting to ADFS and not PHPSimpleSaml as the IDP.

I would appreciate any suggestions. Thanks.

I am trying to integrate with https://www.okta.com/

Can I use this library for that purpose?

Hey @aacotroneo ,

Would you be able to create a public method in Saml2Auth.php to expose OneLogin_Saml2_Auth->getLastErrorReason(). I can create a PR if you want.

Nathan.

I have this in my EventServiceProvider:

public function boot() 
{
    parent::boot();

    Event::listen('Aacotroneo\Saml2\Events\Saml2LoginEvent', function (Saml2LoginEvent $event) {
        Log::info('Saml2LoginEvent');
    });
…
}

In my controller I have something like this:

public function acs(Request $request) {
    $samldata = $request->get('SAMLResponse');
…
}

My config settings look like this:

$idp_host = 'http://localhost/simplesaml';

return $settings = array(
    /*****
     * Cosmetic settings - controller routes
     **/
    'useRoutes' => true, //include library routes and controllers


    'routesPrefix' => '/saml2',

    /**
     * which middleware group to use for the saml routes
     * Laravel 5.2 will need a group which includes StartSession
     */
    'routesMiddleware' => ['web'],

… the rest is default

I have added the Saml routes to my web routes:
// Login lands here
Route::post('saml/acs', 'TestController@acs');
// Single Logout Services
Route::get('saml/sls', 'TestController@sls');

I do see the SAMLResponse coming in at TestController@acs and I can parse it with DOMXPath.
So it looks like it's working. But I would expect the event being fired too…

Am I missing something or is this a bug?

At the 55th row, url method's return value is string, you can not call full function.
I think it should be \ URL :: full ()

Assuming the SAML2 authentication uses a metadata.xml, the sp entityId automatically sets the entityId to the saml_metadata route, but the use of the metadata.xml should be optional.

When not using a metadata.xml, an sp entityId URI can be chosen at will, as long as it matches the configured entityId on the idp. At my client the entityId is simply a domain name (without scheme).

As a solution, I propose adding an empty-check on the config-value when setting the sp entityId. Line 45 in the Saml2ServiceProvider class would be changed to:

$config['sp']['entityId'] = empty($config['sp']['entityId']) ? URL::route('saml_metadata') : $config['sp']['entityId'];

If it's is ok, I'll create a PR to apply the change.

The IdP I use requires this data. I've tried a lot of different settings values & combinations, but neither resulted in signature being included in the samlp::AuthnRequest. Is it possible?

Hello,

I've got my SP and IDP settings all set up correctly and I can see my SAML response coming through file in the SAML tracer addon in firefox.

Please could you provide me an example of how to use this library in my controller to retrieve the attributes passed from the SAML response.

Thank you.

Hi,

the documentation for the authprovider is for 5.2. Does anyone have a working example available for 5.3 ? Preferable with automatic user creation?

Thanks!

Some people experience endless loops and never login in IE and Edge. Do you have an idea what might cause this?

It looks to be the same problem as here: http://stackoverflow.com/questions/34091031/saml-assertion-is-being-replayed-in-internet-explorer-11-only

How can I set the RelayState upon login so when the user comes back to my site I can redirect them?

• ignore -

php-saml 2.9.0 version includes security improvements so I recommend to use it.

I'm trying to user laravel-saml2 with OpenAM but after login it ran in to endless loop. I think maybe because of Saml2LoginEvent is not listened at the right point. I've tried to add it in route.php, in middlware after 'StartSession` but it doesn't work.
http://localhost:8080/openam/XUI/#login/&realm=/&forward=true&spEntityID=http://lavapp.dev/saml2/metadata&goto=/SSORedirect/metaAlias/idp?ReqID=ONELOGIN_69bdcea5602172fa91feff7e67ecd06999c0ae37&index=null&acsURL=http://lavapp.dev/saml2/acs&spEntityID=http://lavapp.dev/saml2/metadata&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&AMAuthCookie=

Can we use this package directly with google Apps or do we need to connect with OneLogin?

When logging out, app redirect URL to /saml2/logout (or Saml2Controller@logout), but it always return Could not log out.
I've tried:
Event::listen('Aacotroneo\Saml2\Events\Saml2LogoutEvent', function ($event) {
Auth::logout();
Session::save();
});

php-saml 2.10.0 version.
It includes a security patch that contains extra validations that will prevent signature wrapping attacks and other security improvements.

It says "SAML Response not found, Only supported HTTP_POST Binding" trying to log in.

i tried to use this with my azure ad as idp got this error " TokenMismatchException in VerifyCsrfToken.php line 49:" are you familiar with this error?

In our codebase I have added some code to load private keys and certificates from key- and certificatefiles. The files have to be in openssl format.

Supported configuration options:

• $config['sp']['x509cert']
• $config['sp']['privateKey']
• $config['idp']['x509cert']

The change adds a dependency to openssl to the codebase, but this is also a requirement for the Onelogin toolkit, so I see no BC breaks.

@aacotroneo If you're interested, I can push these changes to the laravel-saml2 codebase.

Hi Alejandro

I've successfully integrated the library in Laravel 5.0, got the login/redirecting working properly, but cannot access SSO session persistence. What this means is that the isAuthenticated() function in Saml2Auth.php returns true if it is executed in the same request where the login process succeeds, but false at any other time, even if it's in the next request immediately after the successful login.

This makes it very hard to design my middleware properly, because ideally I would run the isAuthenticated() function as a check and only allow the Saml2::login() to proceed when the isAuthenticated() function returns false. However, it always returns false, thus causing infinite looping redirects, because the login function is called on a valid session on all requests after the initial login.

Have you had this problem before?

Thanks

John

Can i use this as a SP for developing laravel where im using azure ad as my IDP... hoping for reply !!

The command doesn't appear in the php artisan list, and I tried to run clear-compiled and dump-autoload to no avail as well.

Can I just insert that config file in the location the docs showed?

Wade

We would like to use this package on a project we are developing however one of the requirements is the user enters his/her credentials on our site and we send them over to the idp. Would this package work for that?

Also we are using laravel 4.2.7 could we install this package on that version or would we have to upgrade to 5.x? If we do need to upgrade, which version would be best to use 5.0 or 5.1?

Quick question, are you planning on supporting Lumen anytime in the near future? There are only a few small issues to be ironed out I believe.

Hi,

I don't want to expose a single-logout service, so I expected to do something like this in the "config/saml2_settings.php":

'sp' => array(
    ...
    'singleLogoutService' => false,
),

But this still sets up the service in the Saml2ServiceProvider@register. When I remove/comment out this part it is working:

if (empty($config['sp']['singleLogoutService']['url'])) {
    $config['sp']['singleLogoutService']['url'] = URL::route('saml_sls');
}

Why isn't this supported? Maybe it's better to check if the singleLogoutService even exists and if it does if the value isn't equal to false before inserting it.

@aacotroneo what do you think about it?

I'm trying to use this package to login multiple applications but getting this error.
I have changed following in Illuminate\Auth\Middleware\Authenticate.php

From:
public function handle($request, Closure $next, ...$guards)
{
$this->authenticate($guards);
return $next($request);
}

To:

public function handle($request, Closure $next, ...$guards)
{
//$this->authenticate($guards);
if ($this->auth->guest())
{
if ($request->ajax())
{
return response('Unauthorized.', 401);
}
else
{
return Saml2::login(URL::full());
//return redirect()->guest('auth/login');
}
}

    return $next($request);
}

And I'm trying login two applications saml and saml2(application name).
What will be the solution for it.

Hi,
Thanks for doing this development. I'm trying to use this package but I need to use simplesamlphp... I'm not sure what i need to do in order to use that instead of onelogin. Could you give me hints or steps in what i need to do for getting this work? I guess I need to install simplesamlphp library, but controllers are calling an instance of onelogin.

Thanks a lot I appreciate your time

Would it be possible for you to create a full tutorial on implementing a generic sign on for Laravel 5 ?
Or better documentation on the methods available in the package and how to use them?

New to SAML here ... proving very confusing. Any help would be appreciated.

Hi, man.
I'm using this library with great satisfaction, but unfortunately I see Packagist is not updated with the latest version of onelogin/php-saml dependency (2.9.1 instead of 2.*).
According to Packagist update schedule, packages are updated once every month, in the worst case.
Is there any problem in updating Packagist?
Thanks in advance,

Francesco

I am receiving the following in the laravel log after the SAML is returned from the IDP. In chrome using the SAML inspector tool everything looks fine.

No login event is fired within laravel.

Any suggestions?

Thank you

I configured everything in the SP and iDP sections in saml2_settings.php
I go to : /admin/login
I got landed on my iDP log-in page immediately, it is a correct behavior.

I log-in with the proper username and password provided by my iDP.

After successfully authenticated, I kept redirecting back to my log-in page/host.

I declared my routes like this

Route::get('/admin/login','SAMLController@adminSignIn');
Route::post('admin/secure/dashboard', 'SAMLController@saml_post');

SAMLController

public function adminSignIn(){
        return Saml2::login(URL::full());
    }

public function saml_post(){
        $inputs = json_decode(Input::get('json'), true);
        dd($inputs); <—— I never get to see what POST to me from my iDP
}

How do I prevent that redirect ? Do I need to create a middleware ?

Can someone please help me how to create a middleware to prevent this redirecting ?

Thanks..