smindel / saml
PHP SAML 2.0 Adapter
Installs: 1 434
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 2
Forks: 1
Open Issues: 1
Requires
- ext-dom: *
- ext-openssl: *
- psr/container: 1.0.0
- robrichards/xmlseclibs: dev-master
Requires (Dev)
- phpunit/phpunit: ~5.7
This package is auto-updated.
Last update: 2023-04-19 00:13:53 UTC
README
This library helps create AuthnRequest and LogoutRequest objects and validate identity provider (IdP) responses. It is designed to be used in an MVC framework to implement a SAML 2.0 service provider (SP).
Standard
As a first step, the library aims at, but does not yet comply with, OASIS SAML 2.0 SP Lite conformance (http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf).
- Web SSO, HTTP redirect: check
- Web SSO, HTTP POST: check
- Web SSO, HTTP artifact
- Artifact Resolution, SOAP
- Enhanced Client/Proxy SSO, PAOS
- Single Logout (IdP-initiated), HTTP redirect
- Single Logout (SP-initiated), HTTP redirect: check
Security Features
- Schema validation
- Signature validation
Usage
Request Authentication
This goes in a controller action:
```php
// Controller action. [IDP_ID] and [IDP_LOGIN_URL] are placeholders for the IdP's
// entity ID and SSO endpoint; Director::absoluteUrl() and $this->link() are the
// framework's helpers for building the absolute URL of this action (the ACS URL).
$requestID = $_SESSION['SAML.AuthnRequest.ID'] ?? null;

if (isset($_POST['SAMLResponse'])) {
    // IdP response arriving at the Assertion Consumer Service (HTTP POST binding)
    $raw = base64_decode($_POST['SAMLResponse']);
    $samlResponse = \Smindel\SAML\IdentityProvider\Response::fromXML($raw);
    $idpId = [IDP_ID];
    // validate() checks the response against the request ID we issued and the IdP
    if ($samlResponse->validate($requestID, $idpId)) {
        $_SESSION['SAML.ID'] = $samlResponse->getSubjectId();
        var_dump($samlResponse->getSubject());
    } else {
        $_SESSION['SAML.ID'] = null;
        $_SESSION['SAML.AuthnRequest.ID'] = null;
        var_dump($samlResponse->getValidationError());
        die;
    }
}

if (empty($_SESSION['SAML.ID'])) {
    // Not authenticated yet: build an AuthnRequest and send the browser to the IdP
    // (HTTP redirect binding: the request is deflated and passed as SAMLRequest)
    $idpUrl = [IDP_LOGIN_URL];
    $acs = Director::absoluteUrl($this->link());
    $samlRequest = \Smindel\SAML\ServiceProvider\AuthnRequest::create($idpUrl, $acs, $requestID);
    $_SESSION['SAML.AuthnRequest.ID'] = $samlRequest['ID'];
    $url = $idpUrl . '?' . http_build_query(['SAMLRequest' => $samlRequest->deflate()]);
    return $this->redirect($url);
}

var_dump('logged in');
```
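The controller above keeps a single request ID in the session, and the todos below ask how long such IDs should be kept to prevent replay. The following is an added example, not code from smindel/saml: a small request-ID store that keeps each issued AuthnRequest ID only for an assumed TTL of 300 seconds and consumes it on first use; the function names and the TTL are assumptions, and the library's `validate()` still does the actual InResponseTo comparison.

```php
<?php
// Added example, not part of smindel/saml: a one-time AuthnRequest ID store that
// answers the README's open question of how long to keep request IDs against replay.
// An ID lives only while the IdP may still answer it (SAML_REQUEST_TTL, an assumed
// value) and is consumed on first use, so a replayed Response whose InResponseTo
// names the same ID is rejected. The store is a plain array here; the controller
// would keep it in $_SESSION (or a shared cache on a multi-node SP).

const SAML_REQUEST_TTL = 300; // seconds an AuthnRequest may stay unanswered

/** Record a freshly issued AuthnRequest ID with its issue time, pruning old ones. */
function saml_remember_request(array &$store, string $id, int $now): void
{
    saml_expire_requests($store, $now);
    $store[$id] = $now;
}

/** Drop IDs past the TTL so the store cannot grow without bound. */
function saml_expire_requests(array &$store, int $now): void
{
    foreach ($store as $id => $issuedAt) {
        if ($now - $issuedAt > SAML_REQUEST_TTL) {
            unset($store[$id]);
        }
    }
}

/** Consume the InResponseTo of an incoming Response: true only for an ID we issued
 *  that is neither expired nor already used. The ID is removed in every case, so a
 *  second presentation always fails. */
function saml_consume_request(array &$store, string $inResponseTo, int $now): bool
{
    if (!array_key_exists($inResponseTo, $store)) {
        return false;              // unknown, pruned, or already consumed
    }
    $issuedAt = $store[$inResponseTo];
    unset($store[$inResponseTo]);  // one-time use
    return ($now - $issuedAt) <= SAML_REQUEST_TTL;
}

// Constructed walk-through of the controller flow in the README:
$store = [];
$id = '_' . bin2hex(random_bytes(16));                 // same shape as a SAML ID
saml_remember_request($store, $id, time());            // before redirecting to the IdP
$first  = saml_consume_request($store, $id, time());   // when the Response arrives
$replay = saml_consume_request($store, $id, time());   // same ID again: rejected
$stale = '_' . bin2hex(random_bytes(16));
saml_remember_request($store, $stale, time() - SAML_REQUEST_TTL - 1); // issued too long ago
$expired = saml_consume_request($store, $stale, time()); // past the TTL: rejected
```

In the controller, the ID would be recorded right after `AuthnRequest::create()` and consumed before `validate()` is called, so that the validation error path also discards the ID.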
Reads
- https://en.wikipedia.org/wiki/SAML_2.0
- https://github.com/jch/saml
- https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet
- http://xacmlinfo.org/2013/06/28/how-saml2-single-logout-works/
- https://stackoverflow.com/questions/19538561/verify-digital-signature-in-saml-response-against-certificate-in-php
- https://github.com/robrichards/xmlseclibs/blob/master/tests/xmlsec-verify.phpt
Tools / Validators
Todos
- Validation
- verify certificate
- SSL
- For how long should request IDs be stored to prevent replay?
- Logout response
- Tests
- MetadataProvider