adactivesas / saml2-bridge-bundle Goto Github PK

View Code? Open in Web Editor NEW

11.0 7.0 20.0 245 KB

Symfony bundle that provide a SAML Identity Provider (idp).

Home Page: https://adactive.com/

License: GNU General Public License v3.0

PHP 97.76% HTML 2.24%

saml2 saml saml2-bridge-bundle identity-provider idp

saml2-bridge-bundle's Introduction

SAML2 Bridge Bundle

A bundle that adds SAML capabilities to your application using simplesamlphp/saml2 highly inspired by OpenConext/Stepup-saml-bundle

SAML Support

SAML Support is limited, this bundle can be used to provide a basic identity provider with the following support:

Basic metadata
Single Sign On:
- Binding:
  - Http-POST & Http-Redirect signed request
  - Http-POST & Http-Post signed response
Single Logout:
- Binding:
  - Http-POST & Http-Redirect signed request
  - Http-POST & Http-Redirect signed response
- Both identity provider initiated and service provider initiated

Getting started

Installation

Add the package to your Composer file

composer require adactive-sas/saml2-bridge-bundle

Add the bundle to your kernel in app/AppKernel.php

public function registerBundles()
{
    // ...
    $bundles[] = new AdactiveSas\Saml2BridgeBundle\AdactiveSasSaml2BridgeBundle();
}

Configuration

adactive_sas_saml2_bridge:
    hosted:
        metadata_route: name_of_the_route_of_metadata_url
        identity_provider:
            enabled: true
            service_provider_repository: service.name.of.entity_repository
            sso_route: name_of_the_route_of_the_single_sign_on_url
            sls_route: name_of_the_route_of_the_single_logout_url
            login_route: name_of_the_route_of_the_login_url
            logout_route: name_of_the_route_of_the_logout_url
            public_key: %idp_public_key_file_path%
            private_key: %idp_private_key_file_path%

Also add logout handler.

            logout:
                handlers: [adactive_sas_saml2_bridge.logout.handler]

The hosted configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP functionality can be turned off and on individually through the repective enabled flags.

The inlined certificate in the last line can be replaced with certificate_file containing a filesystem path to a file which contains said certificate.

It is recommended to use parameters as listed above. The various publickey and privatekey variables are the contents of the key in a single line, without the certificate etc. delimiters. The use of parameters as listed above is highly recommended so that the actual key contents can be kept out of the configuration files (using for instance a local parameters.yml file).

The service_provider_repository is a repository of service providers for which you offer IdP services. The service configured must implement the AdactiveSas\Saml2BridgeBundle\Entity\ServiceProviderRepository interface.

Example Usage

Implement the Service Provider Repository

<?php

namespace Acme\SamlBundle\Entity;

use AdactiveSas\Saml2BridgeBundle\Entity\ServiceProvider;
use AdactiveSas\Saml2BridgeBundle\Entity\ServiceProviderRepository;

class SamlServiceProviderRepository implements ServiceProviderRepository
{
    protected $spMap = [];
    
    public function __construct() {
        $this->spMap["https://test.fake/metadata"] = new ServiceProvider(
            [
                /**
                * Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
                * '-----END CERTIFICATE-----'.
                *
                * @return null|string
                */
                'certificateData' => 'MIIEJTCCAw2gAwIBAgIJANug+o++1X5IMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MRwwGgYDVQQDDBNTVVJGbmV0IERldmVsb3BtZW50MSswKQYJKoZIhvcNAQkBFhxzdXJmY29uZXh0LWJlaGVlckBzdXJmbmV0Lm5sMB4XDTE0MTAyMDEyMzkxMVoXDTE0MTExOTEyMzkxMVowgagxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRUwEwYDVQQKDAxTVVJGbmV0IEIuVi4xEzARBgNVBAsMClNVUkZjb25leHQxHDAaBgNVBAMME1NVUkZuZXQgRGV2ZWxvcG1lbnQxKzApBgkqhkiG9w0BCQEWHHN1cmZjb25leHQtYmVoZWVyQHN1cmZuZXQubmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXuSSBeNJY3d4p060oNRSuAER5nLWT6AIVbv3XrXhcgSwc9m2b8u3ksp14pi8FbaNHAYW3MjlKgnLlopYIylzKD/6Ut/clEx67aO9Hpqsc0HmIP0It6q2bf5yUZ71E4CN2HtQceO5DsEYpe5M7D5i64kS2A7e2NYWVdA5Z01DqUpQGRBc+uMzOwyif6StBiMiLrZH3n2r5q5aVaXU4Vy5EE4VShv3Mp91sgXJj/v155fv0wShgl681v8yf2u2ZMb7NKnQRA4zM2Ng2EUAyy6PQ+Jbn+rALSm1YgiJdVuSlTLhvgwbiHGO2XgBi7bTHhlqSrJFK3Gs4zwIsop/XqQRBAgMBAAGjUDBOMB0GA1UdDgQWBBQCJmcoa/F7aM3jIFN7Bd4uzWRgzjAfBgNVHSMEGDAWgBQCJmcoa/F7aM3jIFN7Bd4uzWRgzjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBd80GpWKjp1J+Dgp0blVAox1s/WPWQlex9xrx1GEYbc5elp3svS+S82s7dFm2llHrrNOBt1HZVC+TdW4f+MR1xq8O5lOYjDRsosxZc/u9jVsYWYc3M9bQAx8VyJ8VGpcAK+fLqRNabYlqTnj/t9bzX8fS90sp8JsALV4g84Aj0G8RpYJokw+pJUmOpuxsZN5U84MmLPnVfmrnuCVh/HkiLNV2c8Pk8LSomg6q1M1dQUTsz/HVxcOhHLj/owwh3IzXf/KXV/E8vSYW8o4WWCAnruYOWdJMI4Z8NG1Mfv7zvb7U3FL1C/KLV04DqzALXGj+LVmxtDvuxqC042apoIDQV',
                
                /**
                * Returns the full path to the (local) file that contains the X509 pem certificate.
                *
                * @return null|string
                */
                "certificateFile" => "",
                                
                /**
                * @return null|string
                */
                "entityId" => "https://test.fake/saml/metadata",
                
                /**
                * @return null|bool
                */
                "assertionEncryptionEnabled" => true,
                                
                "assertionConsumerUrl" => "https://test.fake/saml/acs",
                "assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
                "singleLogoutUrl" => "https://test.fake/saml/sls",
                "singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
                "nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
                "nameIdValue" => function (UserInterface $user) {
                    /** @var User $user */
                    return $user->getEmailCanonical();
                },
                "NameQualifier" => 'test.fake',
                "wantSignedAuthnRequest" => true,
                "wantSignedAuthnResponse" => true,
                "wantSignedAssertions" => false,
                "wantSignedLogoutRequest" => false,
                "wantSignedLogoutResponse" => false,
                "attributes" => [
                    'User.Email' => function (UserInterface $user) {
                        /** @var User $user */
                        return $user->getEmailCanonical();
                    },
                    'User.Username' => function (UserInterface $user) {
                        /** @var User $user */
                        return $user->getName();
                    },
                    'first_name' => function (UserInterface $user) {
                        /** @var User $user */
                        return $user->getFirstName();
                    },
                    'last_name' => function (UserInterface $user) {
                        /** @var User $user */
                        return $user->getLastName();
                    },
                ],
                "validAudiences" => [
                    "https://test.fake/saml/acs",
                ],
                "assertionNotBeforeInterval" => new \DateInterval('PT0S'),
                "assertionNotOnOrAfterInterval" => new \DateInterval('PT5M'),
                "assertionSessionNotOnOrAfterInterval" => new \DateInterval('P1D'),
            ]
        );
    }

    /**
     * @param string $entityId
     * @return ServiceProvider
     */
    public function getServiceProvider($entityId)
    {
        return $this->hasServiceProvider($entityId) ? $this->spMap[$entityId] : null;
    }

    /**
     * @param string $entityId
     * @return bool
     */
    public function hasServiceProvider($entityId)
    {
        return array_key_exists($entityId, $this->spMap);
    }
}

Slack example

<?php

$this->spMap["https://slack.com"] = new ServiceProvider(
    [
        /**
         * Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
         * '-----END CERTIFICATE-----'.
         *
         * @return null|string
         */
        'certificateData' => 'MIIDrzCCApagAwIBAgIBADANBgkqhkiG9w0BAQ0FADBxMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEhMB8GA1UECgwYU2xhY2sgVGVjaG5vbG9naWVzLCBJbmMuMRIwEAYDVQQDDAlzbGFjay5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28wHhcNMTUwMzE3MDEyMzMyWhcNMjUwMzE0MDEyMzMyWjBxMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEhMB8GA1UECgwYU2xhY2sgVGVjaG5vbG9naWVzLCBJbmMuMRIwEAYDVQQDDAlzbGFjay5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28wggEjMA0GCSqGSIb3DQEBAQUAA4IBEAAwggELAoIBAgDB0y4ruySosz1GX/3KI1jp4oivxtnXLeMwKELrBgG+rZ8pl+UMhLG2iCp0nbnwSxXVU0ONJVI3SSzJ5VQtBHHCA4UAzse0HRaSZfBs+6urKoMLf8iusBYk62f2g/RAPjsMVcjC8B3FHyhaD9OnWSdJ7uGopmwwEhDiwf/gdS9Uw8FojYDuVprODfmj7+fgWPkGTf8TRGaHjudjuP1LMDRAz2cI0ym09jbnW8BVynSjjUrE+K9ri1uWzT2tp49OHqSgjaXkWWY6prFa9MT8jsibe02Id2i5+h0c4F892O7MybNWgF139dMGapmW4rf3GT7brLZEO4sZPwovhlj3b6U+8wIDAQABo1AwTjAdBgNVHQ4EFgQUa2YVk5yi+WMxLT/q7rokAfzyvU0wHwYDVR0jBBgwFoAUa2YVk5yi+WMxLT/q7rokAfzyvU0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQIAUwv53vh2LkgbJbBGyRlSkjAZyybwM7pO6TtQ4SHyn366SG1lZXkc9S9u8m4kMETDquOujC/fZLiAe4f8rZ8+ZXV0f17FL/RhMDzVBv6DgDabfpXAkt+Yn+ZIThFi2D7L4jyJzZPbaf7soCu1e/Dx0CBhm/Lz2nsny6Il7rkEbDB7gBpjZODMMi/PEJ5I462JUrj+9aSZBtx2/NXIoFkLZ1B4j3UG+WJhcYMlMBim/GTimKS7yzkvfqdADmIAaO0RPYduNPds6Dyjyjbqj3XR3WwdsmTorO95UKitRGu10ImwByXo2xzQCwGNP8WuRAmWVIlisLLNEDKTnZDb38085gY=',

        /**
         * Returns the full path to the (local) file that contains the X509 pem certificate.
         *
         * @return null|string
         */
        "certificateFile" => "",

        /**
         * @return null|string
         */
        "entityId" => "https://slack.com",

        /**
         * @return null|bool
         */
        "assertionEncryptionEnabled" => true,

        "assertionConsumerUrl" => "https://$slackTeamName.slack.com/sso/saml",
        "assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
        "singleLogoutUrl" => "https://$slackTeamName.slack.com/sso/saml/logout",
        "singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
        "nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
        "nameIdValue" => function (UserInterface $user) {
            /** @var User $user */
            return $user->getEmailCanonical();
        },
        "NameQualifier" => "$slackTeamName.slack.com",
        "wantSignedAuthnRequest" => true,
        "wantSignedAuthnResponse" => true,
        "wantSignedAssertions" => false,
        "attributes" => [
            'User.Email' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getEmailCanonical();
            },
            'User.Username' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getName();
            },
            'first_name' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getFirstName();
            },
            'last_name' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getLastName();
            },
        ],
    ]
);

Freshdesk example

<?php

$this->spMap["https://$freshdeskAccountName.freshdesk.com"] = new ServiceProvider(
    [
        /**
         * Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
         * '-----END CERTIFICATE-----'.
         *
         * @return null|string
         */
        'certificateData' => '',

        /**
         * Returns the full path to the (local) file that contains the X509 pem certificate.
         *
         * @return null|string
         */
        "certificateFile" => "",

        /**
         * @return null|string
         */
        "entityId" => "https://$freshdeskAccountName.freshdesk.com",

        /**
         * @return null|bool
         */
        "assertionEncryptionEnabled" => false,

        "assertionConsumerUrl" => "https://$freshdeskAccountName.freshdesk.com/login/saml",
        "assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
        "singleLogoutUrl" => "https://$freshdeskAccountName.freshdesk.com/logout/saml",
        "singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
        "nameIdFormat" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
        "nameIdValue" => function (UserInterface $user) {
            /** @var User $user */
            return $user->getEmailCanonical();
        },
        "NameQualifier" => "$freshdeskAccountName.freshdesk.com",
        "wantSignedAuthnRequest" => false,
        "wantSignedAuthnResponse" => false,
        "wantSignedAssertions" => true,
        "attributes" => [
            'email' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getEmailCanonical();
            },
            'name' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getName();
            },
            'given_name' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getFirstName();
            },
            'family_name' => function (UserInterface $user) {
                /** @var User $user */
                return $user->getLastName();
            },
        ],
    ]
);

NewRelic example

<?php

$this->spMap["rpm.newrelic.com"] = new ServiceProvider(
    [
        /**
         * Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
         * '-----END CERTIFICATE-----'.
         *
         * @return null|string
         */
        'certificateData' => '',

        /**
         * Returns the full path to the (local) file that contains the X509 pem certificate.
         *
         * @return null|string
         */
        "certificateFile" => "",

        /**
         * @return null|string
         */
        "entityId" => "rpm.newrelic.com",

        /**
         * @return null|bool
         */
        "assertionEncryptionEnabled" => false,

        "assertionConsumerUrl" => "https://rpm.newrelic.com/accounts/$accountId/sso/saml/finalize",
        "assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
        "singleLogoutUrl" => "",
        "singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
        "nameIdFormat" => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
        "nameIdValue" => function (UserInterface $user) {
            /** @var User $user */
            return $user->getEmailCanonical();
        },
        "NameQualifier" => "rpm.newrelic.com",
        "wantSignedAuthnRequest" => false,
        "wantSignedAuthnResponse" => false,
        "wantSignedAssertions" => true,
        "attributes" => [],
    ]
);

Note: Keep in mind that this is a example, you may retrieve ServiceProviders from database

Create the Controller

<?php

namespace Acme\SamlBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/saml")
 */
class SamlController extends Controller
{
    /**
     * @Route("/sso", name="acme_saml_sso")
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function singleSignOnAction(Request $httpRequest)
    {
        $idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");

        return $idpProcessor->processSingleSignOn($httpRequest);
    }

    /**
     * @Route("/sls", name="acme_saml_sls")
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function singleLogoutAction(Request $httpRequest)
    {
        $idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");

        return $idpProcessor->processSingleLogoutService($httpRequest);
    }

    /**
     * @Route("/metadata", name="acme_saml_metadata", defaults={"_format"="xml"})
     *
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function metadataAction()
    {
        $idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");

        return $idpProcessor->getMetadataXmlResponse();
    }
}

Define services

<?xml version="1.0" ?>

<container xmlns="http://symfony.com/schema/dic/services"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">

    <services>
        <service id="acme.saml.service_provider_repository" class="Acme\SamlBundle\Entity\SamlServiceProviderRepository">
        </service>
    </services>
</container>

Configuration

adactive_sas_saml2_bridge:
    hosted:
        metadata_route: acme_saml_metadata
        identity_provider:
            enabled: true
            service_provider_repository: acme.saml.service_provider_repository
            sso_route: acme_saml_sso
            sls_route: acme_saml_sls
            login_route: fos_user_security_login
            logout_route: fos_user_security_logout
            public_key: '%kernel.root_dir%/../vendor/adactive-sas/saml2-bridge-bundle/src/Resources/keys/development_publickey.cer'
            private_key: '%kernel.root_dir%/../vendor/adactive-sas/saml2-bridge-bundle/src/Resources/keys/development_privatekey.pem'

Note: this is development keys, never use them in production !

Tests

We are aware that this bundle really miss tests, this would come in next releases.

Contributing

For the time being, this bundle is very limited but is designed to be support all SAML2 process.

So feel free to create issue and pull-request in order to help us making this bundle a bit more complete.

saml2-bridge-bundle's People

Contributors

Stargazers

Watchers

Forkers

hitmeister marnixbent phptrude cdaguerre jansabat isakrubin arturslogins noud tanktiger wulfnacht josuealcalde caplogik johnpez naryushi it-room arturponinski

saml2-bridge-bundle's Issues

Argument 1 passed to Symfony\Component\Routing\RequestContext::fromRequest() must be an instance of Symfony\Component\HttpFoundation\Request, null given

Got this error, can't figure out why. Running v0.10.0 on Symfony 3.4.14.

10:40:46 ERROR [console] Error thrown while running command "**debug:event-dispatcher**". Message: "Argument 1 passed to Symfony\Component\Routing\RequestContext::fromRequest() must be an instance of Symfony\Component\HttpFoundation\Request, null given, called in /Volumes/Dati/WORK/icgest/vendor/adactive-sas/saml2-bridge-bundle/src/Entity/HostedEntities.php on line 141" ["exception" => TypeError { …},"command" => "debug:event-dispatcher","message" => "**Argument 1 passed to Symfony\Component\Routing\RequestContext::fromRequest() must be an instance of Symfony\Component\HttpFoundation\Request, null given, called in /Volumes/Dati/WORK/icgest/vendor/adactive-sas/saml2-bridge-bundle/src/Entity/HostedEntities.php on line 141**"] []

Support for Conditions -> AudienceRestriction on signed requests

When signing requests, SAML providers would verify it's a valid audience member. <Conditions> element supports a sub-element called <AudienceRestriction> that SPs use to assert itself is a valid recipient.

The lack of this element is resulting in issues with third party apps that expect it to be present (against SAML Specs, I know...) when testing certified responses.

Azure Active Directory

This is not an issue but a request for information.

I am currently using this your bundle as an IDP and it's working well. A new requirement has come up to implement my application as the SP to work with an Azure Active Directory IDP through SAML2.

How would I go about doing that?

private_key and public_key cannot be set as cert contents

We have environment files. We want to be able to set our certificates in line, but code is extremely adamant on using file_get_contents for these two key values.

Ideally:

# [...]
            private_key '%local_config.pem%'
            public_key '%local_config.cert%'

And those values will be the certificate contents, not file paths.

While I have found the option to set public certs within the Service Providers, nothing I did would allow me to set private cert contents.

SAML Support.

Please improve 'SAML Support' section in the README.md. As I understood we have implemented some of new features.

Dependancy doesn't satisfy requirements

Unable to install anything above version 4.0 and here's why

Problem 1
- Installation request for adactive-sas/saml2-bridge-bundle 0.7.1 -> satisfiable by adactive-sas/saml2-bridge-bundle[v0.7.1].
- adactive-sas/saml2-bridge-bundle v0.7.1 requires roave/security-advisories dev-master -> satisfiable by roave/security-advisories[dev-master] but these conflict with your requirements or minimum-stability.

Unexpected behaviour

I am getting the following error when trying to log in. Do you think it would be related to something in this bundle?

Request.CRITICAL: Uncaught PHP Exception Symfony\Component\Debug\Exception\FatalThrowableError: "Type error: Argument 1 passed to DOMNode::appendChild() must be an instance of DOMNode, null given" at /vendor/simplesamlphp/saml2/src/SAML2/Assertion.php line 1537 {"exception":"[object] (Symfony\Component\Debug\Exception\FatalThrowableError(code: 0): Type error: Argument 1 passed to DOMNode::appendChild() must be an instance of DOMNode, null given at /vendor/simplesamlphp/saml2/src/SAML2/Assertion.php:1537)"}

We seem to be back to this issue again

request.CRITICAL: Uncaught PHP Exception AdactiveSas\Saml2BridgeBundle\Exception\RuntimeException: "Could not process Request, error: "The SAMLRequest is expected to be signed but it was not""

Would you be able to help out?

Hi,

I am new to SSO and kind of overwhelmed by all the information around. Your bundle seemed simplest enough to implement but I've run into the error below when an external website tries to authenticate users on my application.

"Could not process Request, error: "The SAMLRequest is expected to be signed but it was not"" at /vendor/adactive-sas/saml2-bridge-bundle/src/SAML2/Provider/HostedIdentityProviderProcessor.php line 263 {"exception":"[object] (AdactiveSas\\Saml2BridgeBundle\\Exception\\RuntimeException(code: 0): Could not process Request, error: \"The SAMLRequest is expected to be signed but it was not\"

The website asks for the following information so just to be sure I didn't mess the configuration.

Erreur "adactive_sas_saml2_bridge.processor.hosted_idp"

La déclaration d'un service semble manquée dans cette déclaration.

The service "adactive_sas_saml2_bridge.processor.hosted_idp" has a dependency on a non-existent service "adsum_user.saml.service_provider_repository".

Symfony5 Support

Are there any plans to port this to symfony 5. Currently after fork I'm getting error about templating service not found.

Success Handler

Hello, thanks for the bundle. Its work as a charm.
But, i got an issue after login with the idp. Everything is ok, after redirected from the sp. But when i go directly to the idp and connecte the user, i am not connected in the sp.

For the logout, it's works very well after adding in security.yml
logout:
handlers: [adactive_sas_saml2_bridge.logout.handler]

But you haven't talk about the handler for login.
Do you have any solution about this?
Thanks!

openssl signing error EVP_DecryptFinal_ex:bad decrypt - SHA256

Hi, i've got a problem with the certificates i think.
I've set up my idp and tested it with https://samltest.id/start-idp-test/.
Now i want to add talentlms . I've created a self signed certificate on the server with the following command:
openssl req -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365

I've placed the files under app/Resources/saml_keys/ and added this path in the config:

public_key: '%kernel.root_dir%/Resources/saml_keys/cert.pem'
private_key: '%kernel.root_dir%/Resources/saml_keys/key.pem'

I've added the public certificate to my talentlms profile. If i check from talentlms i will be redirected to my login page and can login. After the login i'm getting this error before redirect:

request.CRITICAL: Uncaught PHP Exception Exception: "Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256" at /var/www/vhosts/xxxxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php line 464 {"exception":"[object] (Exception(code: 0): Failure Signing Data: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt - SHA256 at /var/www/vhosts/xxxx.de/idp.xxxxx.de/vendor/robrichards/xmlseclibs/src/XMLSecurityKey.php:464)"}

So where is the problem? Is the creation of the certificate wrong?

Here is my sp config:

              /**
                 *
                 * @return null|string
                 */
                "certificateData" => "MIIF3jCCA8aXXXXX.....",

                /**
                 * @return null|string
                 */
                "entityId" => "xxxxx.talentlms.com",

                /**
                 * @return null|bool
                 */

                "assertionEncryptionEnabled" => true,
                "assertionConsumerUrl" => "https://xxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-acs.php/xxxx.talentlms.com",
                "assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
                "singleLogoutUrl" => "https://xxxx.talentlms.com/simplesaml/module.php/saml/sp/saml2-logout.php/xxxx.talentlms.com",
                "singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
                "nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
                "nameIdValue" => function (UserInterface $user) {
                    /** @var Member $user */
                    return $user->getEmail();
                },
                "NameQualifier" => 'xxxx.talentlms.com',
                "wantSignedAuthnRequest" => false,
                "wantSignedAuthnResponse" => true,
                "wantSignedAssertions" => false,
                "wantSignedLogoutRequest" => false,
                "wantSignedLogoutResponse" => false,
                "attributes" => [
                    'targetedID' => function (UserInterface $user) {
                        /** @var Member $user */
                        return $user->getEmail();
                    },
                    'email' => function (UserInterface $user) {
                        /** @var Member $user */
                        return $user->getEmail();
                    },
                    'firstname' => function (UserInterface $user) {
                        /** @var Member $user */
                        return $user->getFirstName();
                    },
                    'lastname' => function (UserInterface $user) {
                        /** @var Member $user */
                        return $user->getLastName();
                    },
                ],
                "assertionNotBeforeInterval" => new \DateInterval('PT0S'),
                "assertionNotOnOrAfterInterval" => new \DateInterval('PT5M'),
                "assertionSessionNotOnOrAfterInterval" => new \DateInterval('P1D'),
            ]
        );

Redirection with bad credentials

Hello,
i got an issue when i give bad credential. It still redirect to the SP with an error:
The status code of the Response was not Success, was AuthnFailed invalid_response
Do you know please, where is the problem ?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.