smindel/saml

This package is abandoned and no longer maintained. No replacement package was suggested.

PHP SAML 2.0 Adapter

1.0.0 2018-07-18 01:55 UTC

This package is auto-updated.

Last update: 2023-04-19 00:13:53 UTC


README

This library helps create AuthnRequest and LogoutRequest objects and validate identity provider (IdP) responses. It is designed to be used in an MVC framework to implement a SAML 2.0 service provider (SP).

Standard

As a first step, the library aims at, but does not yet comply with, OASIS SAML 2.0 SP Lite conformance (http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf). Bindings marked "check" are implemented:

  • Web SSO, HTTP redirect: check
  • Web SSO, HTTP POST: check
  • Web SSO, HTTP artifact
  • Artifact Resolution, SOAP
  • Enhanced Client/Proxy SSO, PAOS
  • Single Logout (IdP-initiated) – HTTP redirect
  • Single Logout (SP-initiated) – HTTP redirect: check

Security Features

  • Schema validation
  • Signature validation

Usage

Request Authentication

This goes in a controller action:

// ID of the AuthnRequest issued earlier in this session (null when none is outstanding)
$requestID = $_SESSION['SAML.AuthnRequest.ID'] ?? null;

if (isset($_POST['SAMLResponse'])) {
    $raw = base64_decode($_POST['SAMLResponse']);
    $samlResponse = \Smindel\SAML\IdentityProvider\Response::fromXML($raw);
    $idpId = [IDP_ID]; // entity ID of the trusted IdP
    // validate() checks the response against the stored AuthnRequest ID and the expected IdP
    if ($samlResponse->validate($requestID, $idpId)) {
        $_SESSION['SAML.ID'] = $samlResponse->getSubjectId();
        var_dump($samlResponse->getSubject());
    } else {
        // On failure, drop both the session identity and the outstanding request ID
        $_SESSION['SAML.ID'] = null;
        $_SESSION['SAML.AuthnRequest.ID'] = null;
        var_dump($samlResponse->getValidationError());
        die;
    }
}

if (empty($_SESSION['SAML.ID'])) {
    $idpUrl = [IDP_LOGIN_URL]; // IdP single sign-on endpoint
    $acs = Director::absoluteUrl($this->link()); // this action is the assertion consumer service
    $samlRequest = \Smindel\SAML\ServiceProvider\AuthnRequest::create($idpUrl, $acs, $requestID);
    // Remember the request ID so the IdP's InResponseTo can be checked when the response arrives
    $_SESSION['SAML.AuthnRequest.ID'] = $samlRequest['ID'];

    // HTTP redirect binding: the deflated request travels in the SAMLRequest query parameter
    $url = $idpUrl . '?' . http_build_query(['SAMLRequest' => $samlRequest->deflate()]);
    return $this->redirect($url);
}
var_dump('logged in');
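The controller action above stores the AuthnRequest ID in the session and hands it to validate(), but the README does not spell out what a response has to satisfy for that handshake to protect against replayed or unsolicited responses, and the todo list still asks how long request IDs should be kept. The following is an added example, not smindel/saml code and not its API: a stand-alone checkResponse() function (hypothetical name) over PHP's built-in DOM extension that performs the binding, InResponseTo, status, issuer, validity-window and audience checks, and answers the storage question by keeping each request ID only until its own expiry and consuming it on the first accepted response. The $issued array, the sample Response XML, the example URLs and the timestamps are all constructed for the demonstration. Schema and signature validation (which the library lists as features) are assumed to have run before these checks.

```php
<?php
// Added example (not smindel/saml code): SP-side checks behind the InResponseTo
// handshake in the controller action above. Assumes schema and signature
// validation already ran; uses only PHP's built-in DOM extension.
declare(strict_types=1);

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';
const SAML_NS = 'urn:oasis:names:tc:SAML:2.0:assertion';
const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';
const CLOCK_SKEW = 120; // seconds of IdP/SP clock drift tolerated

/**
 * Returns [] when the Response is acceptable, otherwise the list of failures.
 * $issued maps outstanding AuthnRequest IDs to their expiry time (a plain array
 * standing in for the session). A matching ID is removed on success, so each
 * request ID accepts exactly one Response and a re-posted copy is rejected.
 */
function checkResponse(string $xml, array &$issued, string $idpId, string $acsUrl, string $spId, int $now): array
{
    $errors = [];
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches; a DOCTYPE has no place in a SAML message.
    if (!@$doc->loadXML($xml, LIBXML_NONET) || $doc->doctype !== null) {
        return ['not well-formed XML, or carries a DOCTYPE'];
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('samlp', SAMLP_NS);
    $xp->registerNamespace('saml', SAML_NS);
    $resp = $xp->query('/samlp:Response')->item(0);
    if (!$resp instanceof DOMElement) {
        return ['root element is not samlp:Response'];
    }
    // Destination pins the message to this ACS URL; a Response minted for some
    // other endpoint must not be accepted here.
    if ($resp->getAttribute('Destination') !== $acsUrl) {
        $errors[] = 'Destination is not our ACS URL';
    }
    // InResponseTo must name a request we issued, still unexpired and not yet used.
    $inResponseTo = $resp->getAttribute('InResponseTo');
    if ($inResponseTo === '' || !isset($issued[$inResponseTo])) {
        $errors[] = 'InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)';
    } elseif ($issued[$inResponseTo] < $now) {
        $errors[] = 'the matching AuthnRequest has expired';
    }
    $status = $xp->evaluate('string(samlp:Status/samlp:StatusCode/@Value)', $resp);
    if ($status !== STATUS_SUCCESS) {
        $errors[] = "IdP reported status '$status'";
    }
    if ($xp->evaluate('string(saml:Issuer)', $resp) !== $idpId) {
        $errors[] = 'Issuer is not the configured IdP';
    }
    // Exactly one Assertion, valid now (allowing skew) and addressed to this SP.
    $assertions = $xp->query('saml:Assertion', $resp);
    if ($assertions->length !== 1) {
        $errors[] = 'expected exactly one Assertion';
    } else {
        $a = $assertions->item(0);
        $notBefore = $xp->evaluate('string(saml:Conditions/@NotBefore)', $a); // optional in SAML
        $notOnOrAfter = strtotime($xp->evaluate('string(saml:Conditions/@NotOnOrAfter)', $a));
        if ($notBefore !== '' && (strtotime($notBefore) === false || strtotime($notBefore) > $now + CLOCK_SKEW)) {
            $errors[] = 'Assertion is not yet valid';
        }
        if ($notOnOrAfter === false || $notOnOrAfter <= $now - CLOCK_SKEW) {
            $errors[] = 'Assertion has expired or lacks a parsable NotOnOrAfter';
        }
        $audience = $xp->evaluate('string(saml:Conditions/saml:AudienceRestriction/saml:Audience)', $a);
        if ($audience !== $spId) {
            $errors[] = 'Assertion is not addressed to this SP';
        }
    }
    if ($errors === []) {
        unset($issued[$inResponseTo]); // consume: one Response per request ID
    }
    return $errors;
}

// Constructed sample Response (unsigned, minimal), only to exercise the checks.
$sample = <<<'XML'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" InResponseTo="_req1" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
XML;

$now = strtotime('2024-01-01T12:01:00Z');
$issued = ['_req1' => $now + 240]; // request issued a minute ago, kept for five minutes in all
$idp = 'https://idp.example/metadata'; $acs = 'https://sp.example/acs'; $sp = 'https://sp.example/metadata';
var_dump(checkResponse($sample, $issued, $idp, $acs, $sp, $now)); // accepted: empty list, _req1 consumed
var_dump(checkResponse($sample, $issued, $idp, $acs, $sp, $now)); // same message again: rejected as a replay
```

The expiry stored in $issued is the practical answer to the "how long do we store request ids" question: a request ID only needs to live until the IdP could plausibly still answer it (a few minutes plus skew), and it is deleted the moment a response is accepted, so a second POST of the same SAMLResponse fails the InResponseTo check. In the controller above the same effect is obtained by clearing $_SESSION['SAML.AuthnRequest.ID'] once the response has been consumed. SubjectConfirmationData (Recipient, InResponseTo, NotOnOrAfter on the bearer confirmation) is deliberately left out to keep the example short; a complete validator checks it the same way.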

Reads

Tools / Validators

todos

  • Validation
    • verify certificate
    • SSL
    • For how long do we store request ids to prevent replay???
  • Logout response
  • Tests
  • MetadataProvider