Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changes to simplify configuration and support post bindings #14

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Changes to simplify configuration and support post bindings #14

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4287709
Dynamically check for gzipped content
pcable Aug 26, 2018
0e8faf3
Added response logging.
pcable Aug 26, 2018
e1bc16b
Added a command to create certificates and generate the metadata.
pcable Aug 26, 2018
497c564
Changed default certificate expiry
pcable Aug 26, 2018
4f8aa73
Changed the sp setup so we don't need a base 64 encoded value.
pcable Aug 26, 2018
fb0b8af
Fixed issues that appeared during deployment. Escaping <? in metadata…
pcable Aug 27, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
176 changes: 82 additions & 94 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,64 +38,6 @@ php artisan vendor:publish --tag="saml_config"

will publish the config/saml.php file.

#### SAML SP entries

Within the saml.php config file the SAML Service Provider array needs to be filled. Subsequently an example from the config/saml.php file:

```
'sp' => [

/**
* Sample SP entry
* The entry is identified by the base64 encoded URL. This example shows a possible entry for
* a SimpleSamlPhp service provider running on localhost:
*
* Sample URL: https://localhost/samlsp/module.php/saml/sp/saml2-acs.php/default-sp
* Base64 encoded URL: aHR0cHM6Ly9sb2NhbGhvc3Qvc2FtbHNwL21vZHVsZS5waHAvc2FtbC9zcC9zYW1sMi1hY3MucGhwL2RlZmF1bHQtc3A=
*/
'aHR0cHM6Ly9sb2NhbGhvc3Qvc2FtbHNwL21vZHVsZS5waHAvc2FtbC9zcC9zYW1sMi1hY3MucGhwL2RlZmF1bHQtc3A=' => [

// The destination is the consuming SAML URL. This might be a SamlAuthController receiving the SAML response.
'destination' => 'https://localhost/samlsp/module.php/saml/sp/saml2-acs.php/default-sp',
// Issuer could be anything, mostly it makes sense to pass the metadata URL
'issuer' => 'https://localhost',

// OPTIONAL: Use a specific audience restriction value when creating the SAMLRequest object.
// Default value is the assertion consumer service URL (the base64 encoded SP url).
// This is a bugfix for Nextcloud as SP and can be removed for normal SPs.
'audience_restriction' => 'http://localhost',
],

],
```

You can generate the base_64 encoded AssertionURL by using the following artisan command.

```bash
$ php artisan laravel-saml:encodeurl https://sp.webapp.com/saml/login
--
URL Given: https://sp.webapp.com/saml/login
Encoded AssertionURL:aHR0cHM6Ly9zcC53ZWJhcHAuY29tL3NhbWwvbG9naW4=
```

config/saml.php:
```
'sp' => [

...

/**
* New entry
*
* Sample URL: https://sp.webapp.com/saml/login
* Base64 encoded URL: aHR0cHM6Ly9zcC53ZWJhcHAuY29tL3NhbWwvY29uc3VtZQ==
*/
'aHR0cHM6Ly9zcC53ZWJhcHAuY29tL3NhbWwvY29uc3VtZQ==' => [
'destination' => 'https://sp.webapp.com/saml/consume',
'issuer' => 'https://sp.webapp.com',
],
],
```

#### FileSystem configuration

Expand All @@ -113,18 +55,55 @@ Within ```config/filesystem.php``` following entry needs to be added:
],
```

The package controllers are using the ```storage/saml``` path for retrieving both certificates and the metadata file. Create first the storage path, then either add or link the certificates. Add also a metadata file for the SAML IDP. For help generating an IDP metadata.xml file, see https://www.samltool.com/idp_metadata.php.
#### Setting the entity id

In config/saml.php set the field idp.entity-id to your entity id. This is normally a uri, the uri doesn't need to exist, it just needs to be unique

'idp' => [
.....
'entityId' => 'http://idp.wherever.com'
],

#### Generating metadata and certificates

There is a sample metadata template in storage/saml/idp/metadata.blade.php, This was generated using https://www.samltool.com/idp_metadata.php

Edit this template to customize it for your site.

When you're finished run the following command to generate certificates and the metadata file

```
mkdir -p storage/saml/idp
touch storage/saml/idp/{metadata.xml,cert.pem,key.pem}
php artisan laravel-saml:generate-meta --cert
```

Add the contents to the metadata.xml, cert.pem and key.pem files for the IDP.
To use exisiting certificates just make sure they're present in the saml drive then run the command without the --cert option

#### SAML SP entries

Within the saml.php config file the SAML Service Provider array needs to be filled.

```
'sp' => [

//Tableau
'https://sso.online.tableau.com/public/sp/SSO?alias=xxxx-xxxx-xxxx-xxxx-xxxxxxxx' => [
'entity-id' => 'https://sso.online.tableau.com/public/sp/metadata?alias=xxxx-xxxx-xxxx-xxxx-xxxxxxxx',
'certificate' => 'MIICozC........dUvTnGP18g=='
],

//A nifty testing service provider
'https://sptest.iamshowcase.com/acs' => [

]

],
```

### Using the SAML package

To use the SAML package, some files need to be modified. Within your login view, problably ```resources/views/auth/login.blade.php``` add a SAMLRequest field beneath the CSRF field (this is actually a good place for it):
To use the SAML package, some files need to be modified.
Within your login view, problably ```resources/views/auth/login.blade.php``` add a SAMLRequest field beneath the CSRF field
(this is actually a good place for it):
```
{{-- The hidden CSRF field for secure authentication --}}
{{ csrf_field() }}
Expand All @@ -134,37 +113,24 @@ To use the SAML package, some files need to be modified. Within your login view,
@endif
```

The SAMLRequest field will be filled automatically when a SAMLRequest is sent by a http request and therefore initiate a SAML authentication attempt. To initiate the SAML auth, the login and redirect functions need to be modified. Within ```app/Http/Middleware/AuthenticatesUsers.php``` add following lines to both the top and the authenticated function:
(NOTE: you might need to copy it out from vendor/laravel/framework/src/Illuminate/Foundation/Auth/ to your Middleware directory)

The SAMLRequest field will be filled automatically when a SAMLRequest is sent by a http request and therefore initiate a SAML authentication attempt.
To initiate the SAML auth, the login and redirect functions need to be modified.
Within ```app/Http/Controllers/Auth/LoginController.php``` change ```use AuthenticatesUsers``` to ```use SamlAuthenticatesUsers```

```
<?php
use App\Http\Controllers\Controller;
use KingStarter\LaravelSaml\Http\Traits\SamlAuthenticatesUsers;

namespace App\Http\Middleware;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Foundation\Auth\RedirectsUsers;
use Illuminate\Foundation\Auth\ThrottlesLogins;

use KingStarter\LaravelSaml\Http\Traits\SamlAuth;

trait AuthenticatesUsers
class LoginController extends Controller
{
use RedirectsUsers, ThrottlesLogins, SamlAuth;

...
...

protected function authenticated(Request $request, $user)
{
if(Auth::check() && isset($request['SAMLRequest'])) {
$this->handleSamlLoginRequest($request);
}
}

...
use SamlAuthenticatesUsers;

.....
```


To allow later direct redirection when somebody is already logged in, we need to add also some lines to ```app/Http/Middleware/RedirectIfAuthenticated.php```:
```
<?php
Expand Down Expand Up @@ -201,19 +167,41 @@ class RedirectIfAuthenticated
}
```

## SAML Service Providers (SPs)

To add one or more service providers, go to the ```config/saml.php``` configuration file and scroll down to the 'sp' array. Having the Login-Address of the SAML-SP, add another entry. For reasons of internal interpretation, the URL needs to be Base64 encoded.
### bindings:HTTP-POST

If you're using HTTP post bindings then you'll need to allow saml to get the login request via post.

in web.php add the new route

```
....
Auth::routes();
Route::post('/postLogin', 'Auth\LoginController@showLoginForm');
```

You'll also need to add a csrf exemption to ```App\Http\Middleware\VerifyCsrfToken```

class VerifyCsrfToken extends Middleware
{
/**
* The URIs that should be excluded from CSRF verification.
*
* @var array
*/
protected $except = [
'/postLogin'
];
}

### Debugging SP entries
### Debugging Connection

In case that there are some problems receiving the Base64 string or evaluating SAML authentication requests in general, it is possible to use the debugger setting ```saml.debug_saml_request``` within the config file.
You can enable logging with the config/saml.php setting debug_saml_request

```
// Allow debugging within SamlAuth trait to get SP data
// during SAML authentication request
'debug_saml_request' => true,
```

Make sure that the environmental logging variable ```APP_LOG_LEVEL``` is set to debug within your ```.env``` file.

Make sure that the environmental logging variable ```APP_LOG_LEVEL``` is set to debug within your ```.env``` file. It will log to ```storage/logs/laravel.log```
71 changes: 0 additions & 71 deletions src/Console/EncodeAssertionUrlCommand.php
View file
Open in desktop

This file was deleted.

Loading