ae/oneloginsaml-bundle

OneLogin SAML Bundle for Symfony2

Installs: 4 646

Dependents: 0

Suggesters: 0

Stars: 1

Watchers: 15

Forks: 0

Open Issues: 0

Type:symfony-bundle

v1.0.1 2018-07-25 19:38 UTC

README

OneLogin SAML Bundle for Symfony. (https://github.com/onelogin/php-saml)

Installation

Install with composer

"require": {
    "ae/oneloginsaml-bundle": "dev-master"
}

Run composer update

composer update ae/oneloginsaml-bundle

Enable the bundle in app/AppKernel.php

$bundles = array(
    // ...
    new AE\OneLoginSamlBundle\AEOneLoginSamlBundle(),
)

Configuration

Configure SAML metadata in app/config/config.yml. Check https://github.com/onelogin/php-saml#settings for more info.

ae_one_login_saml:
    # default is the config name, but can be anything. This is used in firewall and route config
    default:
        # Basic settings
        idp:
            entityId: 'http://id.example.com/saml2/idp/metadata.php'
            singleSignOnService:
                url: 'http://id.example.com/saml2/idp/SSOService.php'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            singleLogoutService:
                url: 'http://id.example.com/saml2/idp/SingleLogoutService.php'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            x509cert: ''
        sp:
            entityId: 'http://myapp.com/app_dev.php/saml/metadata'
            assertionConsumerService:
                url: 'http://myapp.com/app_dev.php/saml/acs'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
            singleLogoutService:
                url: 'http://myapp.com/app_dev.php/saml/logout'
                binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        # Optional settings
        security:
            nameIdEncrypted:       false
            authnRequestsSigned:   false
            logoutRequestSigned:   false
            logoutResponseSigned:  false
            wantMessagesSigned:    false
            wantAssertionsSigned:  false
            wantNameIdEncrypted:   false
            requestedAuthnContext: true
            signMetadata: false
            wantXMLValidation: true
            signatureAlgorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
            digestAlgorithm: 'http://www.w3.org/2000/09/xmldsig#sha1'
        contactPerson:
            technical:
                givenName: 'Tech User'
                emailAddress: 'techuser@example.com'
            support:
                givenName: 'Support User'
                emailAddress: 'supportuser@example.com'
        organization:
            en:
                name: 'Example'
                displayname: 'Example'
                url: 'http://example.com'

If you don't want to set contactPerson or organization, don't add those parameters instead of leaving them blank.

Configure firewall and user provider in app/config/security.yml

security:
    # ...

    providers:
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: 'AppBundle\Entity\User'
                default_roles: ['ROLE_USER']

    firewalls:
        app:
            pattern:    ^/
            anonymous: true
            saml:
                # Tell the firewall which SAML config to use, defaults to 'default'
                config: default
                # Match SAML attribute 'uid' with username.
                # Uses getNameId() method by default.
                username_attribute:
                check_path: /saml/default/acs
                login_path: /saml/default/login
            logout:
                # Path should be /saml/[CONFIG NAME]/logout
                path: /saml/default/logout

    access_control:
        - { path: ^/saml/default/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/saml/default/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }

Edit your app/config/routing

ae_saml_sp:
    resource: "@AEOneLoginSamlBundle/Resources/config/routing.yml"

Inject SAML attributes into User object (Optional)

Your user class must implement SamlUserInterface

<?php

namespace AppBundle\Entity;

use AE\OneLoginSamlBundle\Security\User\SamlUserInterface;

class User implements SamlUserInterface
{
    protected $username;
    protected $email;

    // ...

    public function setSamlAttributes(array $attributes)
    {
        $this->email = $attributes['mail'][0];
    }
}

Then you can get attributes from user object

$email = $this->getUser()->getEmail();

Integration with classic login form

You can integrate SAML authentication with traditional login form by editing your security.yml:

security:
    providers:
        user_provider:
            # Loads user from user repository
            entity:
                class: AppBundle:User
                property: username

    firewalls:
        default:
            anonymous: ~
            saml:
                # Tell the firewall which SAML Config you want to use (defaults to 'default')
                config: default
                username_attribute: uid
                # No need to specify check_path and login_path, they're set based on config name
                failure_path: /login
                always_use_default_target_path: true

            # Traditional login form
            form_login:
                login_path: /login
                check_path: /login_check
                always_use_default_target_path: true

            logout:
                path: /saml/default/logout

Then you can add a link to route saml_login in your login page in order to start SAML sign on.

    <a href="{{ path('saml_login', {saml: 'default'}) }}">SAML Login</a>

Just-in-time user provisioning (optional)

When user is not found by user provider, you can set a user factory to create a new user mapping SAML attributes.

Edit firewall settings in security.yml:

firewalls:
    default:
        anonymous: ~
        saml:
            # Tell the firewall which config to use (default is the default)
            config: default
            username_attribute: uid
            # User factory service
            user_factory: my_user_factory
            # Persist new user. Doctrine is required.
            persist_user: true
        logout:
            path: /saml/logout

Create the user factory service editing services.yml:

services:
    my_user_factory:
        class: AE\OneLoginSamlBundle\Security\User\SamlUserFactory
        arguments:
            # User class
            - AppBundle\Entity\User
            # Attribute mapping.
            - password: 'notused'
              email: $mail
              name: $cn
              lastname: $sn
              roles: ['ROLE_USER']

Fields with '$' references to SAML attribute value.

Or you can create your own User Factory that implements SamlUserFactoryInterface

<?php

namespace AppBundle\Security;

use AppBundle\Entity\User;
use AE\OneLoginSamlBundle\Security\Authentication\Token\SamlTokenInterface;
use AE\OneLoginSamlBundle\Security\User\SamlUserFactoryInterface;

class UserFactory implements SamlUserFactoryInterface
{
    public function createUser(SamlTokenInterface $token)
    {
        $attributes = $token->getAttributes();
        $user = new User();
        $user->setRoles(array('ROLE_USER'));
        $user->setUsername($token->getUsername());
        $user->setPassword('notused');
        $user->setEmail($attributes['mail'][0]);
        $user->setName($attributes['cn'][0]);

        return $user;
    }
}
services:
    my_user_factory:
        class: AppBundle\Security\UserFactory