Single sign on using SimpleSamlPhp wrapper on Laravel

Submitted by 筅森魡賤 on 2020-05-27 07:00:08

Question


Implementing single sign on in my laravel application. I have decided to use this plugin https://github.com/aacotroneo/laravel-saml2 which is basically a wrapper on famous SimpleSamlPhp.

I downloaded the code via composer, and as per the given information: "Remember that you don't need to implement those routes, but you'll need to add them to your IDP configuration. For example, if you use simplesamlphp, add the following to /metadata/sp-remote.php"

$metadata['http://laravel_url/saml/metadata'] = array(
    'AssertionConsumerService' => 'http://laravel_url/saml/acs',
    'SingleLogoutService' => 'http://laravel_url/saml/sls',
    //the following two affect what the $Saml2user->getUserId() will return
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid'
);

I can't find metadata/sp-remote.php; any idea? And as far as http://laravel_url/saml/acs is concerned, do I need to deploy SAML on the server? Because at the moment the plugin code is in vendors in the Laravel core architecture code hierarchy.


Answer 1:


First some background:

There are two parts to any SAML interaction - the Identity Provider ("IDP") and the Service Provider ("SP"). The IDP is the master authenticator if you like, to which various applications (SPs) connect.

The idea is that the user visits your app, which in turn communicates as a Service Provider to the Identity Provider to get your credentials. And because multiple apps / SPs connect to the same IDP, you get the benefits of a single sign-on.

During the set-up phase, metadata configurations are swapped between the SPs and IDP to establish trust between them. This isn't user-level data -- it's application-level data that allows them to talk.

OK. So now on to your question:

The package you are using allows your Laravel app to talk to an IDP, but before it can do so you need to swap some metadata. The metadata for your app is the snippet above. This needs to go in the IDP configuration, which is where you will find metadata/sp-remote (or more precisely metadata/saml20-sp-remote.php), which is where you paste this in.

If you haven't done so already, I'd recommend using https://simplesamlphp.org/docs/stable/ as the IDP here, as the Laravel package works with it pretty much out of the box.

One final tip: if you are using SAML2, then I found that you need to change the metadata key to refer to saml2 instead of saml above, i.e. $metadata['http://laravel_url/saml2/metadata'] and not $metadata['http://laravel_url/saml/metadata'].




Answer 2:


I hope this will help others. I added saml2_settings.php in the config folder.

Updated the routes:

'logoutRoute' => '/logout',
'loginRoute' => '/homepage',
'errorRoute' => '/error',

Updated x509cert (publickey.cer) and privateKey.

Updated 'entityId', added the URL of the metadata XML. Updated singleLogoutService and the rest of the required details in the saml2_settings.php file.

Added two listeners: 1) for the login event, 2) for the logout event.

Updated the routes file like this:

\Illuminate\Support\Facades\Event::listen('Aacotroneo\Saml2\Events\Saml2LogoutEvent', function ($event) {
    \Illuminate\Support\Facades\Auth::logout();
    \Illuminate\Support\Facades\Session::save();
    // the package itself redirects to 'logoutRoute' from saml2_settings.php after this listener runs
    return redirect("login");
});

\Illuminate\Support\Facades\Event::listen('Aacotroneo\Saml2\Events\Saml2LoginEvent', function (\Aacotroneo\Saml2\Events\Saml2LoginEvent $event) {
    $user = $event->getSaml2User();
    $userData = [
        'id' => $user->getUserId(),                  // NameID, as configured on the IDP side
        'attributes' => $user->getAttributes(),      // attributes released by the IDP
        'assertion' => $user->getRawSamlAssertion()  // raw assertion XML
    ];

    // add the login for auto login based on your settings
    // REDIRECT the user to homepage
});
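The login listener above stops at "add the login for auto login based on your settings". The following is an added example of how that step can be completed, written here for illustration; it is not code from the answerer or from the laravel-saml2 package. It assumes a Laravel 5-style `App\User` Eloquent model with `email` and `saml_id` columns, that the IdP releases the email address under the attribute name `mail`, and that the listener is registered in `EventServiceProvider` as shown in the comment. The security-relevant choices are that the stable NameID (not a mutable attribute) is the primary lookup key, that an assertion without a NameID is rejected, that unknown identities are not auto-provisioned, and that the session id is regenerated after login.

```php
<?php
// app/Listeners/Saml2LoginListener.php  (hypothetical path, added example)
//
// Register in app/Providers/EventServiceProvider.php:
//   protected $listen = [
//       \Aacotroneo\Saml2\Events\Saml2LoginEvent::class => [\App\Listeners\Saml2LoginListener::class],
//   ];

namespace App\Listeners;

use Aacotroneo\Saml2\Events\Saml2LoginEvent;
use App\User;                               // assumed model with `email` and `saml_id` columns
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class Saml2LoginListener
{
    // Assumed attribute name under which the IdP releases the user's email address.
    const EMAIL_ATTR = 'mail';

    public function handle(Saml2LoginEvent $event)
    {
        $samlUser = $event->getSaml2User();
        $nameId   = $samlUser->getUserId();      // NameID (persistent, per the sp-remote config above)
        $attrs    = $samlUser->getAttributes();  // attribute name => array of values

        // An assertion with no usable identifier must never result in a session.
        if (!is_string($nameId) || $nameId === '') {
            Log::warning('SAML login rejected: empty NameID');
            abort(403, 'SAML assertion did not carry a NameID');
        }

        // Primary lookup: the stable NameID already linked to a local account.
        $user = User::where('saml_id', $nameId)->first();

        if ($user === null) {
            // First login for this identity: link an existing local account by email, once.
            // New accounts are deliberately not created here; provisioning is a separate decision.
            $email = $this->singleValue($attrs, self::EMAIL_ATTR);
            if ($email === null) {
                Log::warning('SAML login rejected: unknown NameID and no email attribute', ['name_id' => $nameId]);
                abort(403, 'No local account for this SAML identity');
            }
            $user = User::where('email', $email)->whereNull('saml_id')->first();
            if ($user === null) {
                Log::warning('SAML login rejected: no unlinked local account for email', ['name_id' => $nameId]);
                abort(403, 'No local account for this SAML identity');
            }
            $user->saml_id = $nameId;
            $user->save();
        }

        // Establish the Laravel session and rotate the session id so a pre-login id is not reused.
        Auth::login($user);
        request()->session()->regenerate();
        Log::info('SAML login succeeded', ['user_id' => $user->id]);

        // No redirect is returned from here: after the event the package's ACS route
        // redirects on its own (the 'loginRoute' entry in saml2_settings.php).
    }

    // Return the first value of a multi-valued SAML attribute, or null when absent.
    private function singleValue(array $attrs, $name)
    {
        if (empty($attrs[$name]) || !is_array($attrs[$name])) {
            return null;
        }
        $value = trim((string) $attrs[$name][0]);
        return $value === '' ? null : $value;
    }
}
```

Because the IdP's `saml20-sp-remote.php` entry for this SP must carry the route prefix the package actually exposes (`/saml2/...` rather than `/saml/...`, as Answer 1 points out), a mismatch there shows up as the ACS endpoint never receiving the assertion, so this listener never runs; checking the package's published metadata URL against the IdP entry is the first thing to verify when the login event does not fire.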


Source: https://stackoverflow.com/questions/38605932/single-sign-on-using-simplesamlphp-wrapper-on-laravel
