Right now you have a unique SamlLogoutHandler, instead of that I recommend you to create 2 different endpoints:

• saml/logout -> Send the LogoutRequest. --> samlAuth->logout();
• saml/sls -> Process the LogoutRequest/LogoutResponse. --> samlAuth->processSLO();

I want to add:

logout:
    path: /saml/logout

But have one defined already.

What if one have logout defined already?

security:
    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
                check_path: fos_user_security_check
                login_path: /login
            saml:
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute: username
                check_path: /saml/acs
                login_path: /saml/login
            logout:
                path: fos_user_security_logout

Can it be part of the same firewall?

Hi,

How can i provide a different provider for the ACS controller?

I want to add a 'samluser=true' to the dataprovider class to prevent any trickery, (i have saml and NON saml users).

I tried setting a different provider, but it always seems to just grab the first one listed under providers..

Hi,

So your bundle is firing me off to the idp, which works, but then login_check is just hitting assertionConsumerService in SamlController , which is not implemented..

what is supposed to happen here?

Hello everyone,
I am using this Bundle but we have an issue, It seems that the SAMLlistener is not launched.
In the acs action, when I debug the User object it's null. I tried again the factory, have the same result.
Help please.

To disconnect user in my application, i use saml_logout route.
My twig contains : <a href="{{ path('saml_logout')} ">logout</a>

When the user clicks on link, he goes on https://myapp.com/saml/logout.
This link calls logout function in SamlLogoutHandler.php file.
processSLO() is called but nothing appears in $_GET parameters and it fails.

I don't found logout example with the bundle.
Someone can help me, please ?

So we've got multiple authentication methods for our site - SAML and normal form login. How do we set saml to be the default? Currently, when a user is not logged in and accesses the site, they're redirected to the form login page.

firewalls:
    app:
        pattern:    ^/
        anonymous: true
        saml:
            check_path: /saml_consume.php
            login_path: /saml/login
            user_factory: sonicwall_user_factory
            persist_user: true
            use_referer: true
        form_login:
            login_path: login
            check_path: login
            always_use_default_target_path: true

Greetings,

I was wondering whether it would be possible to bump onelogin/php-saml to version 3.0.0. Version 2 unfortunately does not work with php7.2

Thank you!

I've implemented this bundle with Azure AD as the IDP.

When I access the login path on my app, the browser is stuck in a circular loop between Azure AD and my APP which I've not been able to decipher.

Here are my configurations:

config.yml

hslavich_onelogin_saml:
# Basic settings
idp:
    entityId: 'https://login.microsoftonline.com/azure_app_id/saml2'
    singleSignOnService:
        url: 'https://login.microsoftonline.com/azure_app_id/saml2'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    singleLogoutService:
        url: 'https://login.microsoftonline.com/azure_app_id/saml2'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
    x509cert: '%kernel.project_dir%/src/AppBundle/Resources/config/AzureCert.cer'
sp:
    entityId: 'https://myapp.com/saml/meta'
    assertionConsumerService:
        url: 'https://myapp.com/saml/acs'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
    singleLogoutService:
        url: 'https://myapp.com/saml/logout'
        binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

Azure AD configuration

Identifier(EntityId): https://myapp.com/saml/meta
Reply URL (ACS): https://myapp.com/saml/acs 

I'm using a fork of this bundle to be able to pack it into on of our app.
I noticed that is not possible to use the NameId as username to check authentication.

The solution we adopted is a simple assumption: https://github.com/Coolshop/OneloginSamlBundle/blob/master/Security/Firewall/SamlListener.php#L51-L55
if username_attribute is equal to 'uid' than into the authentication Listener the nameId is used instead of one of the attributes.

Do you think that it could be a solution?

php-saml 2.10.0 version.
It includes a security patch that contains extra validations that will prevent signature wrapping attacks and other security improvements.

for my project I use two databases, and I would like to save the user who connects in the database which is not by default

I would like to save my user in "grandparc"
config.yml
orm: default_entity_manager: default entity_managers: default: connection: default mappings: PDFRecrutementBundle: ~ grandparc: auto_mapping: true connection: grandparc mappings: PDFGrandParcBundle: ~

security.yml
user_provider: entity: class: PDF\GrandParcBundle\Entity\Personnel property: sAMAccountName manager_name: grandparc

do you have an idea ?

Hello,
Do you have any plan to publish your package on packagist?
Thomas

https://github.com/onelogin/php-saml/releases/tag/v2.11.0

Hi,

We are using your bundle and generally it's working fine.
Unfortunately when we were setting up production env the configuration issue occurs with two certificates used by IdP.

php-saml library is ready with x509certMulti configuration element (https://github.com/onelogin/php-saml#settings)

I made small change in local-code but I think it can be done globally, so please look at this and verify if i don't miss something:

You have to add below code under ->scalarNode('x509cert')->end() in Configuration.

->arrayNode('x509certMulti')
    ->children()
        ->arrayNode('signing')
            ->prototype('scalar')->end()
        ->end()
        ->arrayNode('encryption')
            ->prototype('scalar')->end()
        ->end()
    ->end()
->end()

Your code is not passing the nameid to the underlying OneLogin library when logging out. This has cause the IDP that I'm using to not log you out, only the SP thinks that the logout was successful. Thus, when you hit log in again, since the IDP thinks you're logged in, it will just send back the same user without asking to log in again.

I was able to fix it as follows:

Replace line 38 in SamlLogoutHandler.php with the following, thus passing in the nameid:
$this->samlAuth->logout(null, [], $token->getUsername());

Hi,

According to : https://github.com/onelogin/php-saml/blob/f13c9f3ed0e0492ff938a0af0fa8270a95a9b404/lib/Saml2/AuthnRequest.php#L102-L115

It looks like the requestedAuthnContext can be :

• true
• false
• Array

The array let users customize saml:AuthnContextClassRef node value.

php-saml 2.9.0 version includes security improvements so I recommend to use it.

In the SamlUserProvider, you are depending (through a setter injection) on doctrine's orm EntityManager. I don't think it should be its role to actually persist or not the entity, neither should there be an option to do so. It should be up to the developper using it, at the appropriate place.

Because what if we are using something like an ODM or even Propel (not my case, but still a possibility) ? What if we need to control when and what we are persisting (which is my case) ?

Cheers.

The NameIDFormat tag is no longer supported in SimpleSAMLphp V 1.15, it is replaced by NameIDPolicy. Is this something you plan to change?

Now I have to edit the files in de the vendor dir Configuration.php which will be altered after a composer update.

Cheers.

I don't know what's causing this error, but I assume it's a bug ( in Symfony 3.4.14)

Hi and thank you for this very usefull bundle !!

I try to update my project from Sf3 to Sf4 and I have a problem. I have this error and I can't continue my migration. Service "hslavich_onelogin_saml.saml_listener": Parent definition "security.authentication.listener.abstract" does not exist.. What I missed ?

Here is my bundles.php file :

<?php

return [
   Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
   Doctrine\Bundle\DoctrineCacheBundle\DoctrineCacheBundle::class => ['all' => true],
   Doctrine\Bundle\DoctrineBundle\DoctrineBundle::class => ['all' => true],
   Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle::class => ['all' => true],
   Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
   Symfony\Bundle\TwigBundle\TwigBundle::class => ['all' => true],
];

Thanks in advance !

Your library seems to be incompatible with PHP 7.2 (because of onelogin/php-saml dependency).

To solve the problem, your library needs to use the 3.0.0.x-dev version of onelogin/php-saml (the problem comes from mcrypt, deprecated in 7.1 and removed in 7.2)

Hi,

Is this possible to implement OneloginSamlBundle with POST method and not in GET method ?

This is not worrking :
idp:
singleSignOnService:
binding: 'urn:Oasis:names:tc:SAML:2.0:bindings:HTTP-POST'

binding: 'urn:Oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'

How can we use your module in POST and not in redirect please ?

Regards,

Emmanuel

Hi,

I don't see the support of "sessionIndex".
It seems that the instruction $this->samlAuth->logout(null, array(), $token->getUsername()); does not take care of it in "SamlLogoutHandler". I need it for ADFS.

Thanks for your help,

We noticed that there is no "login-failed" page. The problem is that when a user correctly authenticate into the idp but it's not present into the application database, because in my case the root of the application is behind firewall, except for login and metadata route. In this situation user cannot authenticate, is redirect to root, go back to idp where is already authenticated an returns to my application, looping until the idp returns an error for too many attempt.

Do you think is best to implement a path be configurable from security.yml? Do you think that should be implemented an authentication exception listener?

I'm working on it, so i'm interested in your opinion, so maybe i could do a pull request if you like...

I installed and configured this bundle according to install instructions. When I try to perform console commands (e.g. php app/console server:run or php app/console generate:bundle), I get this error:

[Symfony\Component\DependencyInjection\Exception\ServiceNotFoundException]
The service "security.authentication.provider.saml.app" has a dependency on
a non-existent service "".

And similar when I open the app via my browser:

ServiceNotFoundException in CheckExceptionOnInvalidReferenceBehaviorPass.php line 58:
The service "security.authentication.provider.saml.app" has a dependency on a non-existent
service "".

Any ideas what the problem could be?

You are using getLastLoginError method that does not exists
https://github.com/hslavich/OneloginSamlBundle/blob/master/Security/Firewall/SamlListener.php#L37

use instead getLastErrorReason

Is there any way to be able to log every login attempt in a secondary table?

Hi, I've implemented this bundle in a Symfony 3.2 app. This app doesn't have db nor users, just need to be authenticated throught an IDP.

Now, I can log in at /saml/login successfully, but can't log out. Moreover each request to some resource at this app, it's redirected to IDP, then to ACS endpoint and finally, I get the app resource.

Do you have some tips? Probably I made some mistakes at setting up my app.

Hi,
it's not clear to me how the option default_roles is supposed to be working.

If I try to connect with an user and it's getRoles method returns null, the SamlTokenFactory will throw with this error:

Type error: Argument 3 passed to
Hslavich\OneloginSamlBundle\Security\Authentication\Token\SamlTokenFactory::createToken()
must be of the type array, null given,
called in /vendor/hslavich/oneloginsaml-bundle/Security/Authentication/Provider/SamlProvider.php
on line 56

If I force getRoles to return an empty array instead of null, I can connect but I've got no role at all.

Either way I can't manage to provide a default_role to my user.
Is this a bug or am I misunderstanding this option purpose ?

During logout, when the IDP redirect to /saml/logout on the SP, an AccessDeniedException is now thrown.
Which result in the user being redirected to the IDP's login page instead of the logout target specified in security.yml.

I think (but I'm not totally sure) that this has been introduced by changes made on the default logout_listener in Symfony 3.4.10:
https://symfony.com/blog/symfony-3-4-10-released
symfony/symfony#24805

I have fixed the issue by making /saml/logout public:

security:
    access_control:
        - { path: ^/saml/(login|logout|metadata), roles: IS_AUTHENTICATED_ANONYMOUSLY }

I'm not sure this is the best way to fix it though. I do not have enough knowledge of the inner mechanics of Symfony's SecurityBundle.

Add support for multiple login methods.

This setting exists in OneLogin Saml framework, but does not exist in your bundle.
I was able to easily modify and add it to configuration.php:

->arrayNode('security')
    ->children()
        ->booleanNode('nameIdEncrypted')->end()
        ->booleanNode('authnRequestsSigned')->end()
        ->booleanNode('logoutRequestSigned')->end()
        ->booleanNode('logoutResponseSigned')->end()
        ->booleanNode('wantMessagesSigned')->end()
        ->booleanNode('wantAssertionsSigned')->end()
        ->booleanNode('wantNameIdEncrypted')->end()
        ->booleanNode('requestedAuthnContext')->end()
        ->booleanNode('signMetadata')->end()

When this was added, it worked correctly. Can you please add to bundle so I don't have to keep my modified version.

On the base repository, the settings for strict mode can be customized. It would be good if that could be customized in this bundle, too.

By the way: If the default setting of strict is false, does this mean that it's false when using it with this bundle?

Hello,

I have configured the bundle with Onelogin IdP, with the SAML Test Connector:
https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector

I don't succeed in making works one thing: once i am connected with onelogin, the service does not redirect me to my local application. The page doesn't give any error. RelayState in URL is set to "http://mylocaldomain.dev/saml/login".

What mistake I made ? Is the RelayState value valid ? Maybe it could make a loop if it stay on "saml/login"... If i dig in code, the $return parameter from $this->get('onelogin_auth')->login(); in SamlController::loginAction is not set. Should it be a page URL from my application ?

Hope you could help me. Thank you

Right now at the config.yml we support settings for the idp and the sp, but the advanced settings are also required in a normal SAML integration, the ones related to the 'security' array:

• 'nameIdEncrypted'
• 'authnRequestsSigned'
• 'logoutRequestSigned'
• 'logoutResponseSigned'
• 'wantMessagesSigned'
• 'wantAssertionsSigned'
• 'wantNameIdEncrypted'

See that implementation: pitbulk@07076ec

Hello,

I succeeded in installing the bundle in our application and make it work with ADFS.

Now, we would like to enhance our features:

• First, we would like to make the bundle optional in our application, so the user could activate the SSO dynamically as needed, customize the configuration and test the results, etc. Actually, the bundle needs the parameters to be set and well set in file. As exemple, if i set the contact support email to null, it doesn't work. But, the real need is to load all parameters from a dynamic file or even better, from the database (i have actually the same need for native symfony ldap component).
• Second, the configuration of the IdP/SP could not be so easy (for neophyte like me - it was a pain to found the could conf between IdP and SP so logout could work on ADFS). It will be interesting to import a IdP metadata, to know what parameters are allowed for IdP...

Maybe there is other idea to make the installation / process / bundle more flexible and fluid.
Do you plan some similare improvements ?

By the while, the bundle is really great and it makes already our development easier.
Thanks

Can we add the NameIDFormat settings?

Hello,

Please add those two new options in config bundle:

• wantNameId SAML-Toolkits/php-saml@9a1cec3
• lowercaseUrlencoding (supported in a future release) SAML-Toolkits/php-saml@3738c11

Thank you

Using the bundle with Symfony 4 leads to the following error due to the new default service visibility (false):

The "onelogin_auth" service or alias has been removed or inlined when the container was compiled. You should either make it public, or stop using the container directly and use dependency injection instead.

The following configuration can be used as a workaround:

services:
  onelogin_auth:
    class: OneLogin_Saml2_Auth
    public: true
    arguments: [ "%hslavich_onelogin_saml.settings%"]
`

https://symfony.com/blog/helping-prepare-for-symfony-4-bundle-support

Hi our implementation of this bundle requires us to have a more custom tailored SamlProvider class.
Would it be possible to paramaterize these classes so that it would be easier to override certain settings?

Hey,

I'm trying to set roles based on if the user is in a list of usernames in parameters.yml.
eg. if they're in this list, they're ROLE_ADMIN, otherwise fall back to default.

Is this possible, can you help point me in the right direction?

I guess I need to make my own version of SamlUserProvider and pass the adminUserList along with $username and $defaultRoles or something similar?

But if you've got a better way I'm keen to hear it!

Thanks!

Hello,

I think there is a problem in the provider
I think you use the user roles before initialise them on line 56.

Is it possible to initialise an user before because it's my idp which send roles to this bundle.

Regards

Any chance to make it compatible with SF2.2 ?

Hello, could you please tell me how to configure the key file for x509 certification ?

https://github.com/hslavich/OneloginSamlBundle/blob/master/composer.json#L15

replace
"onelogin/php-saml": "master-dev"
by
"onelogin/php-saml": "dev-master"

Add attribute mapping, role mapping and just-in-time provisioning to user provider.

Hi,

Getting this error

Error: Signature validation failed. SAML Response rejected

I dont see in the config where I'm supposed to set the cert fingerprint of cert. I assume this is why it's failing?