some release details

Author: aacotroneo

composer.json

@@ -1,6 +1,9 @@
 {
-    "name": "aacotroneo/saml2",
+    "name": "aacotroneo/laravel-saml2",
     "description": "A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
+    "keywords": ["laravel","saml", "saml2", "onelogin"],
+    "homepage": "https://github.com/aacotroneo/laravel-saml2",
+    "license": "MIT",
     "authors": [
         {
             "name": "aacotroneo",

src/Aacotroneo/Saml2/Saml2Auth.php

@@ -19,9 +19,6 @@ class Saml2Auth
 
     protected $samlAssertion;
 
-    protected $redirectUrl; //not used right now. Handled in Laravel
-
-
     function __construct($config)
     {
         $this->auth = new OneLogin_Saml2_Auth($config);
@@ -70,7 +67,7 @@ function logout()
     }
 
     /**
-     * Porcess a Saml response (assertion consumer service)
+     * Process a Saml response (assertion consumer service)
      * @throws \Exception when errors are encountered. This sould not happen in a normal flow.
      */
     function acs()
@@ -93,14 +90,10 @@ function acs()
             throw new \Exception("The saml assertion is not valid, please check the logs.");
         }
 
-
-        if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) {
-            $this->redirectUrl = $_POST['RelayState'];
-        }
     }
 
     /**
-     * Porcess a Saml response (assertion consumer service)
+     * Process a Saml response (assertion consumer service)
      * @throws \Exception
      */
     function sls()
@@ -131,10 +124,9 @@ function getMetadata()
         $metadata = $settings->getSPMetadata();
         $errors = $settings->validateMetadata($metadata);
 
-
         if (empty($errors)) {
-            return $metadata;
 
+            return $metadata;
         } else {
 
             throw new InvalidArgumentException(

src/Aacotroneo/Saml2/Saml2User.php

@@ -4,7 +4,7 @@
 
 use Input;
 use OneLogin_Saml2_Auth;
-use Symfony\Component\HttpFoundation\Request;
+use URL;
 
 /**
  * A simple class that represents the user that 'came' inside the saml2 assertion
@@ -14,7 +14,6 @@
 class Saml2User
 {
 
-
     protected $auth;
 
     function __construct(OneLogin_Saml2_Auth $auth)
@@ -48,7 +47,17 @@ function getAttributes()
      */
     function getRawSamlAssertion()
     {
-        return Input::get('SAMLResponse'); //rememeber this is only valid the request the assertion is received!!
+        return Input::get('SAMLResponse'); //just this request
+    }
+
+    function getIntendedUrl()
+    {
+        $relayState = Input::get('RelayState'); //just this request
+
+        if ($relayState && URL::full() !=$relayState) {
+
+            return $relayState;
+        }
     }
 
 } 

src/config/advanced_saml_settings.php

@@ -1,17 +1,17 @@
 <?php
 
 //This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
-$idp_host = 'http://idp_host/simplesaml';
+$idp_host = 'http://localhost:8000/simplesaml';
 
 return $settings = array(
     // If 'strict' is True, then the PHP Toolkit will reject unsigned
     // or unencrypted messages if it expects them signed or encrypted
     // Also will reject the messages if not strictly follow the SAML
     // standard: Destination, NameId, Conditions ... are validated too.
-    'strict' => false,
+    'strict' => true, //@todo: make this depend on laravel config
 
     // Enable debug mode (to print errors)
-    'debug' => false,
+    'debug' => false, //@todo: make this depend on laravel config
 
     // Service Provider Data that we are deploying
     'sp' => array(
@@ -81,4 +81,94 @@
          */
         // 'certFingerprint' => '',
     ),
+
+
+
+    /***
+     *
+     *  OneLogin advanced settings
+     *
+     *
+     */
+    // Security settings
+    'security' => array(
+
+        /** signatures and encryptions offered */
+
+        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
+        // will be encrypted.
+        'nameIdEncrypted' => false,
+
+        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+        // will be signed.              [The Metadata of the SP will offer this info]
+        'authnRequestsSigned' => false,
+
+        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
+        // will be signed.
+        'logoutRequestSigned' => false,
+
+        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
+        // will be signed.
+        'logoutResponseSigned' => false,
+
+        /* Sign the Metadata
+         False || True (use sp certs) || array (
+                                                    keyFileName => 'metadata.key',
+                                                    certFileName => 'metadata.crt'
+                                                )
+        */
+        'signMetadata' => false,
+
+
+        /** signatures and encryptions required **/
+
+        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+        // <samlp:LogoutResponse> elements received by this SP to be signed.
+        'wantMessagesSigned' => false,
+
+        // Indicates a requirement for the <saml:Assertion> elements received by
+        // this SP to be signed.        [The Metadata of the SP will offer this info]
+        'wantAssertionsSigned' => false,
+
+        // Indicates a requirement for the NameID received by
+        // this SP to be encrypted.
+        'wantNameIdEncrypted' => false,
+
+        // Authentication context.
+        // Set to false and no AuthContext will be sent in the AuthNRequest,
+        // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
+        'requestedAuthnContext' => true,
+    ),
+
+    // Contact information template, it is recommended to suply a technical and support contacts
+    'contactPerson' => array(
+        'technical' => array(
+            'givenName' => 'name',
+            'emailAddress' => '[email protected]'
+        ),
+        'support' => array(
+            'givenName' => 'Support',
+            'emailAddress' => '[email protected]'
+        ),
+    ),
+
+    // Organization information template, the info in en_US lang is recomended, add more if required
+    'organization' => array(
+        'en-US' => array(
+            'name' => 'Name',
+            'displayname' => 'Display Name',
+            'url' => 'http://url'
+        ),
+    ),
+
+/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current
+
+   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
+                                      // MUST NOT assume that the IdP validates the sign
+   'wantAssertionsSigned' => true,
+   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
+   'wantNameIdEncrypted' => false,
+*/
+
 );

src/config/saml_settings.php

@@ -2,7 +2,6 @@
 
 namespace Aacotroneo\Saml2\Controllers;
 
-use Auth;
 use Event;
 use Saml2Auth;
 use Controller;
@@ -33,7 +32,6 @@ public function metadata()
      */
     public function acs()
     {
-        //if successful will redirect to
         Saml2Auth::acs();
         $user = Saml2Auth::getSaml2User();
         Event::fire('saml2.loginRequestReceived', array($user));
@@ -42,7 +40,7 @@ public function acs()
     /**
      * Process an incoming saml2 logout request.
      * Fires 'saml2.logoutRequestReceived' event if its valid.
-     * This means the user logged out of the SSO infrastructre, you 'should' log him out locally too.
+     * This means the user logged out of the SSO infrastructure, you 'should' log him out locally too.
      */
     public function sls()
     {
@@ -51,12 +49,11 @@ public function sls()
     }
 
     /**
-     * This initiats a logout request across all the SSO infrastructure.
+     * This initiates a logout request across all the SSO infrastructure.
      */
     public function logout()
     {
-        Saml2Auth::logout();
-        //will actually end up in the sls endpoint
+        Saml2Auth::logout();  //will actually end up in the sls endpoint
     }
 
 }

src/controllers/Saml2Controller.php

@@ -1,14 +1,12 @@
 <?php
 
-//Config::get('administrator::administrator.uri')
-Route::group(array('prefix' => '/saml'), function () {
+Route::group(array('prefix' => '/saml2'), function () {
 
     Route::get('/logout', array(
         'as' => 'saml_logout',
         'uses' => 'Aacotroneo\Saml2\Controllers\Saml2Controller@logout',
     ));
 
-
     Route::get('/metadata', array(
         'as' => 'saml_metadata',
         'uses' => 'Aacotroneo\Saml2\Controllers\Saml2Controller@metadata',