ae / oneloginsaml-bundle
OneLogin SAML Bundle for Symfony2
Installs: 5 380
Dependents: 0
Suggesters: 0
Security: 0
Stars: 1
Watchers: 17
Forks: 0
Open Issues: 0
Type:symfony-bundle
Requires
- onelogin/php-saml: ^3.3
- symfony/framework-bundle: ~3.0|^4.0
- symfony/security-bundle: ~3.0|^4.0
Requires (Dev)
- doctrine/orm: ~2.3
- phpunit/phpunit: ~5.7
- satooshi/php-coveralls: ~1.0
- symfony/phpunit-bridge: ~3.0|^4.0
This package is not auto-updated.
Last update: 2024-04-14 02:40:16 UTC
README
OneLogin SAML Bundle for Symfony. (https://github.com/onelogin/php-saml)
Installation
Install with composer
"require": { "ae/oneloginsaml-bundle": "dev-master" }
Run composer update
composer update ae/oneloginsaml-bundle
Enable the bundle in app/AppKernel.php
$bundles = array( // ... new AE\OneLoginSamlBundle\AEOneLoginSamlBundle(), )
Configuration
Configure SAML metadata in app/config/config.yml
. Check https://github.com/onelogin/php-saml#settings for more info.
ae_one_login_saml: # default is the config name, but can be anything. This is used in firewall and route config default: # Basic settings idp: entityId: 'http://id.example.com/saml2/idp/metadata.php' singleSignOnService: url: 'http://id.example.com/saml2/idp/SSOService.php' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' singleLogoutService: url: 'http://id.example.com/saml2/idp/SingleLogoutService.php' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' x509cert: '' sp: entityId: 'http://myapp.com/app_dev.php/saml/metadata' assertionConsumerService: url: 'http://myapp.com/app_dev.php/saml/acs' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' singleLogoutService: url: 'http://myapp.com/app_dev.php/saml/logout' binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect' # Optional settings security: nameIdEncrypted: false authnRequestsSigned: false logoutRequestSigned: false logoutResponseSigned: false wantMessagesSigned: false wantAssertionsSigned: false wantNameIdEncrypted: false requestedAuthnContext: true signMetadata: false wantXMLValidation: true signatureAlgorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' digestAlgorithm: 'http://www.w3.org/2000/09/xmldsig#sha1' contactPerson: technical: givenName: 'Tech User' emailAddress: 'techuser@example.com' support: givenName: 'Support User' emailAddress: 'supportuser@example.com' organization: en: name: 'Example' displayname: 'Example' url: 'http://example.com'
If you don't want to set contactPerson or organization, don't add those parameters instead of leaving them blank.
Configure firewall and user provider in app/config/security.yml
security: # ... providers: saml_provider: # Basic provider instantiates a user with default roles saml: user_class: 'AppBundle\Entity\User' default_roles: ['ROLE_USER'] firewalls: app: pattern: ^/ anonymous: true saml: # Tell the firewall which SAML config to use, defaults to 'default' config: default # Match SAML attribute 'uid' with username. # Uses getNameId() method by default. username_attribute: check_path: /saml/default/acs login_path: /saml/default/login logout: # Path should be /saml/[CONFIG NAME]/logout path: /saml/default/logout access_control: - { path: ^/saml/default/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/saml/default/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/, roles: ROLE_USER }
Edit your app/config/routing
ae_saml_sp: resource: "@AEOneLoginSamlBundle/Resources/config/routing.yml"
Inject SAML attributes into User object (Optional)
Your user class must implement SamlUserInterface
<?php namespace AppBundle\Entity; use AE\OneLoginSamlBundle\Security\User\SamlUserInterface; class User implements SamlUserInterface { protected $username; protected $email; // ... public function setSamlAttributes(array $attributes) { $this->email = $attributes['mail'][0]; } }
Then you can get attributes from user object
$email = $this->getUser()->getEmail();
Integration with classic login form
You can integrate SAML authentication with traditional login form by editing your security.yml
:
security: providers: user_provider: # Loads user from user repository entity: class: AppBundle:User property: username firewalls: default: anonymous: ~ saml: # Tell the firewall which SAML Config you want to use (defaults to 'default') config: default username_attribute: uid # No need to specify check_path and login_path, they're set based on config name failure_path: /login always_use_default_target_path: true # Traditional login form form_login: login_path: /login check_path: /login_check always_use_default_target_path: true logout: path: /saml/default/logout
Then you can add a link to route saml_login
in your login page in order to start SAML sign on.
<a href="{{ path('saml_login', {saml: 'default'}) }}">SAML Login</a>
Just-in-time user provisioning (optional)
When user is not found by user provider, you can set a user factory to create a new user mapping SAML attributes.
Edit firewall settings in security.yml
:
firewalls: default: anonymous: ~ saml: # Tell the firewall which config to use (default is the default) config: default username_attribute: uid # User factory service user_factory: my_user_factory # Persist new user. Doctrine is required. persist_user: true logout: path: /saml/logout
Create the user factory service editing services.yml
:
services: my_user_factory: class: AE\OneLoginSamlBundle\Security\User\SamlUserFactory arguments: # User class - AppBundle\Entity\User # Attribute mapping. - password: 'notused' email: $mail name: $cn lastname: $sn roles: ['ROLE_USER']
Fields with '$' references to SAML attribute value.
Or you can create your own User Factory that implements SamlUserFactoryInterface
<?php namespace AppBundle\Security; use AppBundle\Entity\User; use AE\OneLoginSamlBundle\Security\Authentication\Token\SamlTokenInterface; use AE\OneLoginSamlBundle\Security\User\SamlUserFactoryInterface; class UserFactory implements SamlUserFactoryInterface { public function createUser(SamlTokenInterface $token) { $attributes = $token->getAttributes(); $user = new User(); $user->setRoles(array('ROLE_USER')); $user->setUsername($token->getUsername()); $user->setPassword('notused'); $user->setEmail($attributes['mail'][0]); $user->setName($attributes['cn'][0]); return $user; } }
services: my_user_factory: class: AppBundle\Security\UserFactory