Basic wiring

Author: aacotroneo

composer.json

@@ -1,10 +1,10 @@
 {
-    "name": "aacotroneo/laravel-saml2",
+    "name": "aacotroneo/saml2",
     "description": "A laravel package for saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
     "authors": [
         {
             "name": "aacotroneo",
-            "email": "aacotroneo at gmail dot com"
+            "email": "aacotroneo@gmail.com"
         }
     ],
     "require": {
@@ -14,10 +14,10 @@
     },
     "autoload": {
         "classmap": [
-            "src/migrations"
+            "src/controllers"
         ],
         "psr-0": {
-            "Aacotroneo\\LaravelSaml2\\": "src/"
+            "Aacotroneo\\Saml2\\": "src/"
         }
     },
     "minimum-stability": "stable"

src/Aacotroneo/LaravelSaml2/LaravelSaml2ServiceProvider.php renamed to src/Aacotroneo/Saml2/Saml2ServiceProvider.php

@@ -1,8 +1,9 @@
-<?php namespace Aacotroneo\LaravelSaml2;
+<?php
+namespace Aacotroneo\Saml2;
 
 use Illuminate\Support\ServiceProvider;
 
-class LaravelSaml2ServiceProvider extends ServiceProvider {
+class Saml2ServiceProvider extends ServiceProvider {
 
 	/**
 	 * Indicates if loading of the provider is deferred.
@@ -18,7 +19,9 @@ class LaravelSaml2ServiceProvider extends ServiceProvider {
 	 */
 	public function boot()
 	{
-		$this->package('aacotroneo/laravel-saml2');
+		$this->package('aacotroneo/saml2');
+
+        include __DIR__.'/../../routes.php';
 	}
 
 	/**

src/config/advanced_saml_settings.php

@@ -0,0 +1,86 @@
+<?php
+
+return $advancedSettings = array (
+
+    // Security settings
+    'security' => array (
+
+        /** signatures and encryptions offered */
+
+        // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
+        // will be encrypted.
+        'nameIdEncrypted' => false,
+
+        // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
+        // will be signed.              [The Metadata of the SP will offer this info]
+        'authnRequestsSigned' => false,
+
+        // Indicates whether the <samlp:logoutRequest> messages sent by this SP
+        // will be signed.
+        'logoutRequestSigned' => false,
+
+        // Indicates whether the <samlp:logoutResponse> messages sent by this SP
+        // will be signed.
+        'logoutResponseSigned' => false,
+
+        /* Sign the Metadata
+         False || True (use sp certs) || array (
+                                                    keyFileName => 'metadata.key',
+                                                    certFileName => 'metadata.crt'
+                                                )
+        */
+        'signMetadata' => false,
+
+
+        /** signatures and encryptions required **/
+
+        // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
+        // <samlp:LogoutResponse> elements received by this SP to be signed.
+        'wantMessagesSigned' => false,
+
+        // Indicates a requirement for the <saml:Assertion> elements received by
+        // this SP to be signed.        [The Metadata of the SP will offer this info]
+        'wantAssertionsSigned' => false,
+
+        // Indicates a requirement for the NameID received by
+        // this SP to be encrypted.
+        'wantNameIdEncrypted' => false,
+
+        // Authentication context.
+        // Set to false and no AuthContext will be sent in the AuthNRequest,
+        // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
+        // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
+        'requestedAuthnContext' => true,
+    ),
+
+    // Contact information template, it is recommended to suply a technical and support contacts
+    'contactPerson' => array (
+        'technical' => array (
+            'givenName' => '',
+            'emailAddress' => ''
+        ),
+        'support' => array (
+            'givenName' => '',
+            'emailAddress' => ''
+        ),
+    ),
+
+    // Organization information template, the info in en_US lang is recomended, add more if required
+    'organization' => array (
+        'en-US' => array(
+            'name' => '',
+            'displayname' => '',
+            'url' => ''
+        ),
+    ),
+);
+
+
+/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int]   http://saml2int.org/profile/current
+
+   'authnRequestsSigned' => false,    // SP SHOULD NOT sign the <samlp:AuthnRequest>,
+                                      // MUST NOT assume that the IdP validates the sign
+   'wantAssertionsSigned' => true,
+   'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
+   'wantNameIdEncrypted' => false,
+*/

src/config/saml_settings.php

@@ -0,0 +1,78 @@
+<?php
+
+return $settings = array (
+    // If 'strict' is True, then the PHP Toolkit will reject unsigned
+    // or unencrypted messages if it expects them signed or encrypted
+    // Also will reject the messages if not strictly follow the SAML
+    // standard: Destination, NameId, Conditions ... are validated too.
+    'strict' => false,
+
+    // Enable debug mode (to print errors)
+    'debug' => false,
+
+    // Service Provider Data that we are deploying
+    'sp' => array (
+        // Identifier of the SP entity  (must be a URI)
+        'entityId' => '',
+        // Specifies info about where and how the <AuthnResponse> message MUST be
+        // returned to the requester, in this case our SP.
+        'assertionConsumerService' => array (
+            // URL Location where the <Response> from the IdP will be returned
+            'url' => '',
+            // SAML protocol binding to be used when returning the <Response>
+            // message.  Onelogin Toolkit supports for this endpoint the
+            // HTTP-Redirect binding only
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+        ),
+        // Specifies info about where and how the <Logout Response> message MUST be
+        // returned to the requester, in this case our SP.
+        'singleLogoutService' => array (
+            // URL Location where the <Response> from the IdP will be returned
+            'url' => '',
+            // SAML protocol binding to be used when returning the <Response>
+            // message.  Onelogin Toolkit supports for this endpoint the
+            // HTTP-Redirect binding only
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ),
+        // Specifies constraints on the name identifier to be used to
+        // represent the requested subject.
+        // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
+        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+
+        // Usually x509cert and privateKey of the SP are provided by files placed at
+        // the certs folder. But we can also provide them with the following parameters
+        'x509cert' => '',
+        'privateKey' > '',
+    ),
+
+    // Identity Provider Data that we want connect with our SP
+    'idp' => array (
+        // Identifier of the IdP entity  (must be a URI)
+        'entityId' => '',
+        // SSO endpoint info of the IdP. (Authentication Request protocol)
+        'singleSignOnService' => array (
+            // URL Target of the IdP where the SP will send the Authentication Request Message
+            'url' => '',
+            // SAML protocol binding to be used when returning the <Response>
+            // message.  Onelogin Toolkit supports for this endpoint the
+            // HTTP-POST binding only
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ),
+        // SLO endpoint info of the IdP.
+        'singleLogoutService' => array (
+            // URL Location of the IdP where the SP will send the SLO Request
+            'url' => '',
+            // SAML protocol binding to be used when returning the <Response>
+            // message.  Onelogin Toolkit supports for this endpoint the
+            // HTTP-Redirect binding only
+            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+        ),
+        // Public x509 certificate of the IdP
+        'x509cert' => '',
+        /*
+         *  Instead of use the whole x509cert you can use a fingerprint
+         *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
+         */
+        // 'certFingerprint' => '',
+    ),
+);

src/controllers/Saml2Controller.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Aacotroneo\Saml2;
+
+
+use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\Config;
+
+class Saml2Controller extends Controller {
+
+
+    public function metadata(){
+
+        $config = Config::get('saml2::saml_settings');
+
+
+        return print_r($config, true);
+    }
+
+    public function acs(){
+        return "acs";
+    }
+
+
+    public function sls(){
+        return "sls";
+    }
+}

src/routes.php

@@ -0,0 +1,20 @@
+<?php
+
+//Config::get('administrator::administrator.uri')
+Route::group(array('prefix' => '/saml'), function() {
+    //Admin Dashboard
+    Route::get('/metadata', array(
+        'as' => 'saml_metadata',
+        'uses' => 'Aacotroneo\Saml2\Saml2Controller@metadata',
+    ));
+
+    Route::post('/acs', array(
+        'as' => 'saml_metadata',
+        'uses' => 'Aacotroneo\Saml2\Controllers\AdminController@acs',
+    ));
+
+    Route::get('/sls', array(
+        'as' => 'saml_metadata',
+        'uses' => 'Aacotroneo\Saml2\Controllers\AdminController@sls',
+    ));
+});