Implementing single sign on in my laravel application. I have decided to use this plugin https://github.com/aacotroneo/laravel-saml2 which is basically a wrapper on famous SimpleSamlPhp.

I downloaded the code via composer, and as per the given information: "Remember that you don't need to implement those routes, but you'll need to add them to your IDP configuration. For example, if you use simplesamlphp, add the following to /metadata/sp-remote.php"

$metadata['http://laravel_url/saml/metadata'] = array(
    'AssertionConsumerService' => 'http://laravel_url/saml/acs',
    'SingleLogoutService' => 'http://laravel_url/saml/sls',
    // the following two affect what $Saml2user->getUserId() will return
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
    'simplesaml.nameidattribute' => 'uid'
);

I can't find metadata/sp-remote.php, any idea? And as far as http://laravel_url/saml/acs is concerned, do I need to deploy SAML on the server? Because at the moment the plugin code is in vendors in the Laravel core architecture code hierarchy.

Danyal Sandeelo
  • Hi, so you have to install or config `SimpleSamlPHP` ? How is your SAML integration ? Can you give me some hints ? – code-8 Feb 22 '17 at 16:06
  • @ihue i didn't get a chance to get back to that part, I might do that soon, not sure though. – Danyal Sandeelo Feb 22 '17 at 18:50
  • I have the same question about installation. I am not sure if I need to pull it out of vendor and put it into the web root to make it work. – dustbuster Feb 05 '20 at 19:22
  • I didn't bring it in the root, i kept it in the vendor, added some code in the route as a call back. I will try to share the details and update the question. It worked finally. @dustbuster – Danyal Sandeelo Feb 05 '20 at 20:19
  • Thank you my friend. I am fighting the same beast and it has been a few days. I am getting lost in my own head right now. If you're so inclined, I would very much appreciate it! I am having some luck with samllight. I got a response FINALLY! – dustbuster Feb 05 '20 at 20:22
  • @dustbuster added the answer – Danyal Sandeelo Feb 05 '20 at 20:38
  • Hi. the package "[aacotroneo/laravel-saml2](https://github.com/aacotroneo/laravel-saml2/)" does not use [SimpleSAMLphp](https://simplesamlphp.org) but [onelogin/php-saml](https://github.com/onelogin/php-saml) – Cyrille37 Sep 22 '20 at 10:22
  • @Cyrille37 aren't they all wrappers over simplesaml? – Danyal Sandeelo Sep 22 '20 at 10:24
  • @DanyalSandeelo No, there are 2 distinct implementations, like we can see in composer files, and source code ;-) – Cyrille37 Sep 22 '20 at 10:28
  • @Cyrille37 nice, never looked into the details; I implemented it in 2017 – Danyal Sandeelo Sep 22 '20 at 10:30

2 Answers

First some background:

There are two parts to any SAML interaction - the Identity Provider ("IDP") and the Service Provider ("SP"). The IDP is the master authenticator if you like, to which various applications (SPs) connect.

The idea is that the user visits your app, which in turn communicates as a Service Provider to the Identity Provider to get your credentials. And because multiple apps / SPs connect to the same IDP, you get the benefits of a single sign-on.

During the set-up phase, metadata configurations are swapped between the SPs and IDP to establish trust between them. This isn't user-level data -- it's application-level data that allows them to talk.

OK. So now on to your question:

The package you are using allows your Laravel app to talk to an IDP, but before it can do so you need to swap some metadata. The metadata for your app is the snippet above. This needs to go in the IDP configuration, which is where you will find this metadata/sp-remote (or more precisely metadata/saml20-sp-remote), which is where you paste this in.

If you haven't done so already, I'd recommend using https://simplesamlphp.org/docs/stable/ as the IDP here as the Laravel package works with it pretty much out of the box.

One final tip: if you are using SAML2, then I found that you need to change the metadata key to refer to saml2 instead of saml above, i.e. $metadata['http://laravel_url/saml2/metadata'] and not $metadata['http://laravel_url/saml/metadata'].

dustbuster
Fixspec
  • Thanks a lot for the detailed description, appreciate it. – Danyal Sandeelo Aug 25 '16 at 12:25
  • Amazing Answer, I wish I can give you 1000 upvotes. :D – code-8 Feb 22 '17 at 16:02
  • Do we have to install SimpleSamlPHP to continue using this package = https://github.com/aacotroneo/laravel-saml2 ? – code-8 Feb 22 '17 at 16:07
  • @ihue I have integrated as well, but when I get the valid response from SSO then I validate the laravel user so that it's auto logged it but seems like it can't do that. – Danyal Sandeelo Jun 15 '17 at 07:49
  • @ihue here is the link to the question https://stackoverflow.com/questions/44560598/authenticating-user-directly-in-laravel-using-a-test-route – Danyal Sandeelo Jun 15 '17 at 07:50
  • I am about to jump down this rabbit hole. There's a whole lot out there for setting up an IDP but not a lot about SP. This explanation is very helpful! – dustbuster Feb 03 '20 at 17:43
  • @Fixspec I am trying this for the first time. I have my IDP metadata file, and also have my SP platform in Laravel. Where should I add that IDP metadata file in my application? I have sent them my metadata file but I do not know where to add the IDP metadata file, can you please just help on this? Where to place the IDP metadata file. – always-a-learner Jun 05 '22 at 06:19
I hope this will help others. I added saml2_settings.php in the config folder.

Updated the routes:

'logoutRoute' => '/logout',
'loginRoute' => '/homepage',
'errorRoute' => '/error',

Updated x509cert (publickey.cer) and privateKey.

Updated 'entityId', added the url of metadata xml. Updated singleLogoutService and rest of the required details in the saml2_settings.php file.

Added two listeners: 1) for the login event, 2) for the logout event.

Updated the routes file like this:

\Illuminate\Support\Facades\Event::listen('Aacotroneo\Saml2\Events\Saml2LogoutEvent', function ($event) {
    // Clear the local Laravel session when the logout event arrives from the package.
    \Illuminate\Support\Facades\Auth::logout();
    \Illuminate\Support\Facades\Session::save();
    // Note: a value returned from an event listener is not used as the HTTP response;
    // the package's own controller performs the redirect (see 'logoutRoute' above).
    return redirect("login");
});

\Illuminate\Support\Facades\Event::listen('Aacotroneo\Saml2\Events\Saml2LoginEvent', function (\Aacotroneo\Saml2\Events\Saml2LoginEvent $event) {
    // Pull the identity out of the SAML response the package has already processed.
    $user = $event->getSaml2User();
    $userData = [
        'id' => $user->getUserId(),            // the NameID, per NameIDFormat in the IdP metadata
        'attributes' => $user->getAttributes(), // SAML attributes released by the IdP
        'assertion' => $user->getRawSamlAssertion()
    ];

    // add the login for auto login based on your settings
    // REDIRECT the user to homepage
});
Danyal Sandeelo
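One way to fill in the "auto login" step of the login listener above, as an added example that is not from the question, the answer, or the package's own code. It assumes the standard App\User Eloquent model with a hypothetical `saml_name_id` column that stores the persistent NameID, and only the package methods already shown above (getSaml2User, getUserId, getAttributes).

```php
<?php
// Added example (hypothetical): log the Laravel user in from a Saml2LoginEvent.
// Assumes App\User has a `saml_name_id` column populated when the account was provisioned.

use Aacotroneo\Saml2\Events\Saml2LoginEvent;
use App\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;

Event::listen(Saml2LoginEvent::class, function (Saml2LoginEvent $event) {
    $samlUser = $event->getSaml2User();

    // The NameID (persistent format, as set in the IdP metadata above) is the stable key.
    $nameId     = $samlUser->getUserId();
    $attributes = $samlUser->getAttributes();   // [attributeName => [value, ...]]

    // First value of a (possibly multi-valued) SAML attribute, or null if absent.
    $first = function (string $name) use ($attributes): ?string {
        $v = $attributes[$name] ?? null;
        return is_array($v) ? ($v[0] ?? null) : $v;
    };

    // Match the local account by NameID only. Matching by an attribute such as email
    // would let two IdP accounts that share an address collide on one local user.
    $user = User::where('saml_name_id', $nameId)->first();

    if ($user === null) {
        // No local account: do not provision silently; log it and leave the user
        // unauthenticated (return false also stops further listeners).
        Log::warning('SAML login for unknown NameID', ['name_id' => $nameId]);
        return false;
    }

    // Refresh non-identity attributes from the assertion if the IdP released them.
    if ($email = $first('email')) {
        $user->email = $email;
        $user->save();
    }

    // Session-based login; the package then redirects to 'loginRoute' (/homepage above).
    Auth::login($user);
});
```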
  • You are alright! Thank you! Anything that can get me a little closer to getting out of this hell I'm in right now I'll gladly upvote the heck out of it! There is NOTHING on Laravel and SSO! – dustbuster Feb 05 '20 at 20:41
  • but I still need to have that metadata inside the vendor/..etc.../simplesamlphp/simplesamlphp/metadata.php file, right? – dustbuster Feb 05 '20 at 21:06
  • are you using the same plugin that I have mentioned above? @dustbuster – Danyal Sandeelo Feb 05 '20 at 21:12
  • I have EVERY plugin installed. This is a laravel 4 to 6 upgrade. Which basically is rewriting the whole thing. It was originally done with simpleSaml, but in my inability to get that working, I have tried saml light, and I tried aacotroneo/laravel-saml2: "^2.1" as well as trying to debug simple saml php I am just not having much luck. With aacotroneo/laravel-saml2 I don't get any errors, but nothing happens. It runs thru the logic, doesn't error, and I can't seem to find any logged response or otherwise. I did get Saml light to redirect me though. That was by far the most success I've had. – dustbuster Feb 05 '20 at 21:22
  • Also, I can't seem to get a dd() to work in the Saml2Controller. I just want to dump out the login method, and it's just not running thru that code. – dustbuster Feb 05 '20 at 21:30
  • aacotroneo/laravel-saml2 for this, same thing happened to me. I eventually had to add event listeners in the routes file and it worked. @dustbuster – Danyal Sandeelo Feb 05 '20 at 21:52