L4: basic setup finished. V 0.01 -

Author: aacotroneo

src/Aacotroneo/Saml2/Saml2Auth.php

@@ -6,50 +6,72 @@
 use OneLogin_Saml2_Error;
 use OneLogin_Saml2_Utils;
 
+use Log;
+use Psr\Log\InvalidArgumentException;
+
 class Saml2Auth
 {
 
     /**
      * @var \OneLogin_Saml2_Auth
      */
     protected $auth;
-    protected $uid_key;
+
+    protected $samlAssertion;
+
+    protected $redirectUrl; //not used right now. Handled in Laravel
+
 
     function __construct($config)
     {
-//        session_start();
         $this->auth = new OneLogin_Saml2_Auth($config);
-//        $this->uid_key = $uid_key;
-//        $this->id_key = $config[]
     }
 
+    /**
+     * @return bool if a valid user was fetched from the saml assertion this request.
+     */
     function isAuthenticated()
     {
-        return isset($_SESSION['samlUserdata']);
-    }
+        $auth = $this->auth;
 
-    function getUserId()
-    {
-        $attributes = $this->getAttributes();
-        return $attributes[$this->uid_key][0];
+        return $auth->isAuthenticated();
     }
 
-    function getAttributes()
-    {
-        $attributes = $_SESSION['samlUserdata'];
-        return $attributes;
+    /**
+     * The user info from the assertion
+     * @return Saml2User
+     */
+    function getSaml2User(){
+
+        return new Saml2User($this->auth);
     }
 
-    function getRawSamlAssertion()
+    /**
+     * Initiate a saml2 login flow. It will redirect! Before calling this, check if user is
+     * authenticated (here in saml2). That would be true when the assertion was received this request.
+     */
+    function login($returnTo = null)
     {
-        return isset($_SESSION['SAMLAssertion']) ? $_SESSION['SAMLAssertion'] : null;
+        $auth = $this->auth;
+
+        $auth->login($returnTo);
     }
 
-    function login()
+    /**
+     * Initiate a saml2 logout flow. It will close session on all other SSO services. You should close
+     * local session if applicable.
+     */
+    function logout()
     {
-        $this->auth->login();
+        $auth = $this->auth;
+
+        $auth->logout();
     }
 
+    /**
+     * Porcess a Saml response (assertion consumer service)
+     * @throws \Exception when errors are encountered. This sould not happen in a normal flow.
+     */
     function acs()
     {
 
@@ -58,43 +80,49 @@ function acs()
 
         $auth->processResponse();
 
-
         $errors = $auth->getErrors();
 
         if (!empty($errors)) {
-            print_r('<p>' . implode(', ', $errors) . '</p>');
-            exit();
+            Log::error("Invalid saml response", $errors);
+            throw new \Exception("The saml assertion is not valid, please check the logs.");
         }
 
         if (!$auth->isAuthenticated()) {
-            echo "<p>Not authenticated</p>";
-            exit();
+            Log::error("Could not authenticate with the saml response. Something happened");
+            throw new \Exception("The saml assertion is not valid, please check the logs.");
         }
 
-        $_SESSION['samlUserdata'] = $auth->getAttributes();
-
-        $_SESSION['SAMLAssertion'] = $_POST['SAMLResponse']; //se lo robo al saml
 
         if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) {
-            $auth->redirectTo($_POST['RelayState']);
+            $this->redirectUrl = $_POST['RelayState'];
         }
     }
 
+    /**
+     * Porcess a Saml response (assertion consumer service)
+     * @throws \Exception
+     */
     function sls()
     {
         $auth = $this->auth;
 
-        $auth->processSLO();
+        $keep_local_session = true; //we don't touch session here
+        $auth->processSLO($keep_local_session);
 
         $errors = $auth->getErrors();
 
-        if (empty($errors)) {
-            print_r('Sucessfully logged out');
-        } else {
-            print_r(implode(', ', $errors));
+        if (!empty($errors)) {
+            Log::error("Could not log out", $errors);
+            throw new \Exception("Could not log out");
         }
+
     }
 
+    /**
+     * Show metadata about the local sp. Use this to configure your saml2 IDP
+     * @return mixed xml string representing metadata
+     * @throws \InvalidArgumentException if metadata is not correctly set
+     */
     function getMetadata()
     {
         $auth = $this->auth;
@@ -105,11 +133,10 @@ function getMetadata()
 
         if (empty($errors)) {
             return $metadata;
-//            header('Content-Type: text/xml');
-//            echo $metadata;
+
         } else {
 
-            throw new OneLogin_Saml2_Error(
+            throw new InvalidArgumentException(
                 'Invalid SP metadata: ' . implode(', ', $errors),
                 OneLogin_Saml2_Error::METADATA_SP_INVALID
             );

src/Aacotroneo/Saml2/Saml2User.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace Aacotroneo\Saml2;
+
+use Input;
+use OneLogin_Saml2_Auth;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * A simple class that represents the user that 'came' inside the saml2 assertion
+ * Class Saml2User
+ * @package Aacotroneo\Saml2
+ */
+class Saml2User {
+
+
+    protected $auth;
+
+    function __construct(OneLogin_Saml2_Auth $auth)
+    {
+        $this->auth = $auth;
+    }
+
+    /**
+     * @return string User Id retrieved from assertion processed this request
+     */
+    function getUserId()
+    {
+        $auth = $this->auth;
+
+        return $auth->getNameId();
+
+    }
+
+    /**
+     * @return array attributes retrieved from assertion processed this request
+     */
+    function getAttributes()
+    {
+        $auth = $this->auth;
+
+        return $auth->getAttributes();
+    }
+
+    /**
+     * @return string the saml assertion processed this request
+     */
+    function getRawSamlAssertion()
+    {
+        return Input::get('SAMLResponse'); //rememeber this is only valid the request the assertion is received!!
+    }
+
+} 

src/config/saml_settings.php

@@ -1,5 +1,8 @@
 <?php
 
+//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
+$idp_host = 'http://idp_host/simplesaml';
+
 return $settings = array (
     // If 'strict' is True, then the PHP Toolkit will reject unsigned
     // or unencrypted messages if it expects them signed or encrypted
@@ -16,7 +19,7 @@
         // Specifies constraints on the name identifier to be used to
         // represent the requested subject.
         // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
-        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+        'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
 
         // Usually x509cert and privateKey of the SP are provided by files placed at
         // the certs folder. But we can also provide them with the following parameters
@@ -51,11 +54,11 @@
     // Identity Provider Data that we want connect with our SP
     'idp' => array (
         // Identifier of the IdP entity  (must be a URI)
-        'entityId' => 'http://localhost:8000/simplesaml/saml2/idp/metadata.php',
+        'entityId' => $idp_host.'/saml2/idp/metadata.php',
         // SSO endpoint info of the IdP. (Authentication Request protocol)
         'singleSignOnService' => array (
             // URL Target of the IdP where the SP will send the Authentication Request Message
-            'url' => 'http://localhost:8000/simplesaml/saml2/idp/SSOService.php',
+            'url' => $idp_host.'/saml2/idp/SSOService.php',
             // SAML protocol binding to be used when returning the <Response>
             // message.  Onelogin Toolkit supports for this endpoint the
             // HTTP-POST binding only
@@ -64,7 +67,7 @@
         // SLO endpoint info of the IdP.
         'singleLogoutService' => array (
             // URL Location of the IdP where the SP will send the SLO Request
-            'url' => 'http://localhost:8000/simplesaml/saml2/idp/SingleLogoutService.php',
+            'url' => $idp_host.'/saml2/idp/SingleLogoutService.php',
             // SAML protocol binding to be used when returning the <Response>
             // message.  Onelogin Toolkit supports for this endpoint the
             // HTTP-Redirect binding only

src/controllers/Saml2Controller.php

@@ -2,15 +2,22 @@
 
 namespace Aacotroneo\Saml2\Controllers;
 
+use Auth;
+use Event;
 use Saml2Auth;
 use Controller;
 use Response;
 
 
-class Saml2Controller extends Controller {
+class Saml2Controller extends Controller
+{
 
-
-    public function metadata(){
+    /**
+     * Generate local sp metadata
+     * @return \Illuminate\Http\Response
+     */
+    public function metadata()
+    {
 
         $metadata = Saml2Auth::getMetadata();
         $response = Response::make($metadata, 200);
@@ -20,12 +27,36 @@ public function metadata(){
         return $response;
     }
 
-    public function acs(){
-        return "acs";
+    /**
+     * Process an incoming saml2 assertion request.
+     * Fires 'saml2.loginRequestReceived' event if a valid user is Found
+     */
+    public function acs()
+    {
+        //if successful will redirect to
+        Saml2Auth::acs();
+        $user = Saml2Auth::getSaml2User();
+        Event::fire('saml2.loginRequestReceived', array($user));
     }
 
+    /**
+     * Process an incoming saml2 logout request.
+     * Fires 'saml2.logoutRequestReceived' event if its valid.
+     * This means the user logged out of the SSO infrastructre, you 'should' log him out locally too.
+     */
+    public function sls()
+    {
+        Saml2Auth::sls();
+        Event::fire('saml2.logoutRequestReceived');
+    }
 
-    public function sls(){
-        return "sls";
+    /**
+     * This initiats a logout request across all the SSO infrastructure.
+     */
+    public function logout()
+    {
+        Saml2Auth::logout();
+        //will actually end up in the sls endpoint
     }
+
 }

src/routes.php

@@ -2,7 +2,13 @@
 
 //Config::get('administrator::administrator.uri')
 Route::group(array('prefix' => '/saml'), function() {
-    //Admin Dashboard
+
+    Route::get('/logout', array(
+        'as' => 'saml_logout',
+        'uses' => 'Aacotroneo\Saml2\Controllers\Saml2Controller@logout',
+    ));
+
+
     Route::get('/metadata', array(
         'as' => 'saml_metadata',
         'uses' => 'Aacotroneo\Saml2\Controllers\Saml2Controller@metadata',