|
1 | | -## Laravel-saml2 |
2 | | -A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much 'simple' than 'simple'samlphp |
| 1 | +## Laravel 4 - Saml2 |
| 2 | +A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lighter and easier to install than simplesamlphp SP. It doesn't need separate routes or session storage to work! |
| 3 | + |
| 4 | +The aim of this library is to be as simple as possible. We won't mess with Laravel users, auth, session... We prefer to limit ourselves to a concrete task. Ask the user to authenticate at the IDP and process the response. Same case for SLO requests. |
| 5 | + |
| 6 | + |
| 7 | +## Installation - Composer |
| 8 | + |
| 9 | +To install Saml2 as a Composer package to be used with Laravel 4, simply add this to your composer.json: |
| 10 | + |
| 11 | +```json |
| 12 | +"aacotroneo/laravel-saml2": "0.0.1" |
| 13 | +``` |
| 14 | + |
| 15 | +..and run `composer update`. Once it's installed, you can register the service provider in `app/config/app.php` in the `providers` array: |
| 16 | + |
| 17 | +```php |
| 18 | +'providers' => array( |
| 19 | + 'Aacotroneo\Saml2\Saml2ServiceProvider', |
| 20 | +) |
| 21 | +``` |
| 22 | + |
| 23 | +Then publish the config file with `php artisan config:publish aacotroneo/laravel-saml2`. This will add the file `app/config/packages/aacotroneo/laravel-saml2/saml_settings.php`. This config is handled almost directly by [one login](https://github.com/onelogin/php-saml) so you may get further references there, but will cover here what's really necessary. |
| 24 | + |
| 25 | +### Configuration |
| 26 | + |
| 27 | +Once you publish your saml_settings.php to your own files, you need to configure your sp and IDP (remote server). The only real difference between this config and the one that OneLogin uses, is that the SP entityId, assertionConsumerService url and singleLogoutService URL are inyected by the library. They are taken from routes 'saml_metadata', 'saml_acs' and 'saml_sls' respectively. |
| 28 | + |
| 29 | +Remember that you don't need to implement those routes, but you'll need to add them to your IDP configuration. For example, if you use simplesamlphp, add the following to /metadata/sp-remote.php |
| 30 | + |
| 31 | +```php |
| 32 | +$metadata['http://laravel_url/saml/metadata'] = array( |
| 33 | + 'AssertionConsumerService' => 'http://laravel_url/saml/acs', |
| 34 | + 'SingleLogoutService' => 'http://laravel_url/saml/sls', |
| 35 | + //the following two affect what the $Saml2user->getUserId() will return |
| 36 | + 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', |
| 37 | + 'simplesaml.nameidattribute' => 'uid' |
| 38 | +); |
| 39 | +``` |
| 40 | +You can check that metadata if you actually navigate to 'http://laravel_url/saml/metadata' |
| 41 | + |
| 42 | + |
| 43 | + |
| 44 | +### Usage |
| 45 | + |
| 46 | +When you want your user to login, just call `Saml2Auth::login()`. Just remember that it does not use any session storage, so if you ask it to login it will redirect to the IDP wheather the user is logged in or not. For example, you can change the auth filter. |
| 47 | +```php |
| 48 | +Route::filter('auth', function() |
| 49 | +{ |
| 50 | + if (Auth::guest()) |
| 51 | + { |
| 52 | + return SAML2::login(URL::full()); //url is saved in RelayState |
| 53 | + |
| 54 | + } |
| 55 | +}); |
| 56 | +``` |
| 57 | + |
| 58 | +Only if you want to know, that will redirect the user to the IDP, and will came back to an endpoint the library serves at /saml2/acs. That will process the response and fire an event when is ready. So, next step for you is to handle the response. |
| 59 | + |
| 60 | +```php |
| 61 | + |
| 62 | +Event::listen('saml2.loginRequestReceived', function(Saml2User $user) |
| 63 | +{ |
| 64 | + //$user->getAttributes(); |
| 65 | + //$user->getUserId(); |
| 66 | + //base64_decode($user->getRawSamlAssertion(); |
| 67 | + $laravelUser = //find user by ID or attribute |
| 68 | + //if it does not exist create it and go on or show an error message |
| 69 | + Auth::login($laravelUser); |
| 70 | + $redirectUrl = $user->getIntendedUrl(); //this is URL::full() in our example |
| 71 | + if($redirectUrl !== null){ |
| 72 | + Redirect::to($redirectUrl); |
| 73 | + }else { |
| 74 | + Redirect::to('/'); |
| 75 | + } |
| 76 | + |
| 77 | +}); |
| 78 | +``` |
| 79 | +### Log out |
| 80 | +Now there are two ways the user can log out. |
| 81 | + + 1 - By logging out in your app: In this case you 'should' notify the IDP first so it closes global session. |
| 82 | + + 2 - By logging out of the global SSO Session. In this case the IDP will notify you on /saml2/slo enpoint (already provided) |
| 83 | + |
| 84 | +For case 1 call `Saml2Auth::logout();` or redirect the user to the route 'saml_logout' which does just that. Do not close session inmediately as you need to receive a response confirmation from the IDP (redirection). That response will be handled by the library at /saml2/sls and will fire an event for you to complete the operation. |
| 85 | + |
| 86 | +For case 2 you will only receive the event. Both cases 1 and 2 receive the same event. |
| 87 | + |
| 88 | +```php |
| 89 | +Event::listen('saml2.logoutRequestReceived', function() |
| 90 | +{ |
| 91 | + Auth::logout(); |
| 92 | + //echo "bye, we logged out."; |
| 93 | + //For case 2, logout() will redirect somewhere else. If we are here, it's case 1, so we can redirect elsewhere |
| 94 | + Redirect::to('/public'); |
| 95 | +}); |
| 96 | +``` |
| 97 | + |
| 98 | + |
| 99 | +That's it. Feel free to ask any questions, make PR or suggestions, or open Issues. |
| 100 | + |
| 101 | + |
3 | 102 |
|
4 | 103 |
|
5 | 104 |
|
0 commit comments