I've come across a problem. I am updating a Laravel site from 4.2 to 6.12, which is mostly a manual project, and I've stumbled across an issue with Laravel, AWS, and SimpleSamlphp. When you have a load balancer hooked up to AWS, it makes it rather difficult to have two web sites on one server in AWS.

In SimpleSamlphp you need to have part of the package exposed to the internet. However, in Laravel it's rather difficult to run native PHP files/scripts without them being filtered through the framework. Since I installed SimpleSamlphp using composer, everything is hosted in the vendor directory. There is very little documentation supporting composer installation and I am unsure how to expose simplesamlphp/simplesamlphp/www/* to the internet. By the way, I am trying to be the service provider.

I am unable to configure AWS to support a second web page, Laravel is filtering my routes, and SimpleSamlphp has very little documentation on PSR Standards and how it's supposed to be configured.

I have not been able to get to the welcome page for simplesamlphp. Could I possibly be missing a publish script?

I have tried placing the simplesamlphp/www/* into the public/ directory and using the following, which I found in a 2013 Stack Overflow post.

Route::get("/", function() {
    ob_start();
    require("www/module.php");
    return ob_get_clean();
});
Route::get("/", function() {
    ob_start();
    require("www/index.php");
    return ob_get_clean();
});

But it doesn't work. Since this is an upgrade, technically I should be able to grab the metadata, config, and with some new certs be able to get this to work. But I am getting held up exposing these web pages. Right now I get tossed into a loop of authentication because I cannot receive the ACS call. At least that's my best guess.

This is my metadata; I have not ruled out that I got this wrong. saml20-idp-remote.php:

<?php
$metadata['CLIENTCONFIG'] = array (
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'CLIENTCONFIG',
    'AssertionConsumerService' => 'http://myServer.com/acs_response',
    'SingleSignOnService' => 
    array (
        0 => 
            array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'Location' => 'https://www.destination.com/',
            ),
            'SingleLogoutService' => '',
            'certificate' => 'x509.crt', 
            'certFingerprint'=>'OP:K7:91:89:9G:AB:0Y:JF:2V:F9:90:2V:6O:5C:41:9D:PL:FG:45:34',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    )
);
?>

authsources.php:

<?php
$config = [
    /* This is the name of this authentication source, and will be used to access it later. */
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ),
    'CLIENTCONFIG' => array(
        'saml:SP',
        'idp'=>'CLIENTCONFIG',
        'acs.Bindings' => array(
            'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'urn:oasis:names:tc:SAML:1.0:profiles:browser-post',
        ),
        'ForceAuthn' => TRUE,
        'entityID' => 'CLIENTCONFIG',
        'saml:idp' => 'CLIENTCONFIG',
        'discoURL' => null,
        'privatekey' => 'saml.pem',
        'certificate' => 'saml.crt',
        'redirect.sign' => TRUE,
        'redirect.validate' => TRUE,
        'OrganizationName' => array(
            'en' => 'TheCompanyIWorkFor',
        ), 
        'OrganizationURL'=>'www.TheCompanyIWorkFor.com', 
        'sign.authnrequest'=> TRUE,
    ),

];

Right now, when I try, this is what my SAML inspector says is going on. You may notice that my ACS does not match the ACS that I input. I think that's a default setting.

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_1234567890987654321234567890QWERTYUIOPASDFGHJKL"
                    Version="2.0"
                    IssueInstant="2020-02-10T14:36:01Z"
                    Destination=""
                    AssertionConsumerServiceURL="http://mywebsite.com/module.php/saml/sp/saml2-acs.php/CLIENTCONFIG"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>CLIENTCONFIG</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

This is my UserController method that picks up the login route:

use SimpleSAML\Auth\Simple;

public function getLogin()
{
    if (!\Auth::check()) {
        // Authenticate against the 'CLIENTCONFIG' SP authsource
        $auth = new Simple('CLIENTCONFIG');
        dump('getLogin method');
        // requireAuth() redirects to the IdP and does not return until the user is authenticated
        $auth->requireAuth([
            'ReturnTo' => 'http://myWebsite/dashboard',
            'KeepPost' => false,
        ]);
        \SimpleSAML\Session::getSessionFromRequest()->cleanup();
    }
    $data = [];
    // I get thrown into an infinite loop of request generation.
    return view('user.login', $data);
}

I do not know a whole lot about SSO and I have been on this for waaaay too long! So if anyone can help get this configured as a composer package, I would appreciate it. The goal is to hit the SSO URL, be redirected to the IDP for login and then be sent back. This is probably too much info, and it's been scrambled, but I've got nothing to lose at this point.

And no, this is not the same as "Single sign on using SimpleSamlPhp wrapper on Laravel"; that question is actually for another package.

Thanks!

dustbuster
  • Can you please check my repo https://github.com/vipertecpro/simplesamllaravel. I've tried my own ways to implement simplesaml; no existing packages helped me to implement it, but I did. The major issue I was facing is simplesaml won't let you break its structure; you have to use the whole repo. What we can only manipulate is front-end redirection. – Vipertecpro Feb 11 '20 at 02:39
  • I will. Thank you. I figured out the problem. About to post the answer! – dustbuster Feb 11 '20 at 21:40

1 Answer

There were a couple of problems here. The main one being that I could not reach simplesamlphp's built-in webpage.

On my local environment Laravel would just not let me out of the framework. But I found that I could use www/ on my AWS dev server to get there.

Since this was installed using composer, I had to use this link and adjust my baseurlpath: http://example.com/www/module.php/core/frontpage_welcome.php. I can't stress how important it is to hit the simplesaml backend webpage. This gives you all the tools you need to complete the project. If you can't get to it, try adding the www before the module.php part of the URL.

Also, I had an issue with my metadata. This:

<?php
$metadata['CLIENTCONFIG'] = array (
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'CLIENTCONFIG',
    'AssertionConsumerService' => 'http://mysite/acs_response',
    'SingleSignOnService' => 
    array (
        0 => 
            array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'Location' => 'https://www.destination.com/',
            ),
            'SingleLogoutService' => '',
            'certificate' => 'x509.crt', 
            'certFingerprint'=>'OP:K7:91:89:9G:AB:0Y:JF:2V:F9:90:2V:6O:5C:41:9D:PL:FG:45:34',
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
    )
);
?>

Should have been:

<?php
$metadata['CLIENTCONFIG'] = array (
    'metadata-set' => 'saml20-idp-remote',
    'entityid' => 'CLIENTCONFIG',
    'AssertionConsumerService' => 'http://mysite/acs_response',
    'SingleSignOnService' => 
    array (
        0 => 
            array (
                'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                'Location' => 'https://www.destination.com/',
            ),
    ),
    'SingleLogoutService' => '',
    'certificate' => 'x509.crt', 
    'certFingerprint'=>'OP:K7:91:89:9G:AB:0Y:JF:2V:F9:90:2V:6O:5C:41:9D:PL:FG:45:34',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
);
?>

I had the last chunk inside the array, and it should NOT have been there. Again, try to get to that webpage.

Also, I had to set my 'baseurlpath' => 'http://example.com/www'. After I did that, all the paths generated included the www and I didn't need to inject them into my URL to get to it.

Moral of the story: do whatever it takes to get to the www/module.php/core/frontpage_welcome.php. The world will open up from there, including tools to create the metadata. (And example.com should be the website you are working on, not the federated server. Just to clarify.)

dustbuster
  • Seriously tho, now that this project is 2 jobs removed. This entire process was all learning. I didn't know splick about simpleSamlphp. LOOK FOR THE WEIRD WEBPAGE! – dustbuster Apr 27 '23 at 19:00
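As an added check (example code, not from the question or answer), here is a small PHP script that loads a saml20-idp-remote.php file and reports the nesting mistake the answer describes, along with SSO endpoints not served over https and a stray AssertionConsumerService key; the metadata file path is an assumed placeholder.

```php
<?php
// Added example, not code from the question or answer: a sanity check for a
// SimpleSAMLphp saml20-idp-remote.php entry. It catches IdP-level keys nested
// inside 'SingleSignOnService' (the bug above) and flags non-https SSO
// endpoints. It expects the array form of SingleSignOnService used on this page.

function checkIdpRemote(array $metadata, string $entityId): array
{
    if (!isset($metadata[$entityId])) {
        return ["no entry for '{$entityId}'"];
    }
    $idp = $metadata[$entityId];
    $problems = [];

    // These keys describe the IdP as a whole and must be top-level. Without a
    // top-level certificate the SP has nothing to verify IdP signatures with.
    if (!isset($idp['certificate']) && !isset($idp['certFingerprint'])) {
        $problems[] = 'no top-level certificate or certFingerprint';
    }
    foreach (['certificate', 'certFingerprint', 'NameIDFormat', 'SingleLogoutService'] as $key) {
        if (isset($idp['SingleSignOnService'][$key])) {
            $problems[] = "'{$key}' is nested inside SingleSignOnService; move it to the top level";
        }
    }

    // Each SSO endpoint needs a Binding and a Location, and the Location should be https.
    foreach ((array) ($idp['SingleSignOnService'] ?? []) as $i => $ep) {
        if (!is_int($i)) {
            continue; // string keys were already reported as misplaced above
        }
        if (!is_array($ep) || !isset($ep['Binding'], $ep['Location'])) {
            $problems[] = "SingleSignOnService[{$i}] is not a Binding/Location endpoint";
            continue;
        }
        if (strpos($ep['Location'], 'https://') !== 0) {
            $problems[] = "SingleSignOnService[{$i}] Location is not https: {$ep['Location']}";
        }
    }

    // The ACS belongs to the SP; SimpleSAMLphp generates it from the SP's own
    // config (as the AuthnRequest above shows), so a value here is not what is sent.
    if (isset($idp['AssertionConsumerService'])) {
        $problems[] = "'AssertionConsumerService' is an SP setting, not an IdP one; remove it here";
    }
    return $problems;
}

$metadata = [];
require __DIR__ . '/metadata/saml20-idp-remote.php';  // placeholder path
foreach (checkIdpRemote($metadata, 'CLIENTCONFIG') as $problem) {
    echo "PROBLEM: {$problem}\n";
}
```

Run it against the "before" metadata from the answer and it reports the four nested keys; against the corrected version it still flags the http ACS value and any non-https SSO Location.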