Merge e922830 into f2c4a7f
Moroine Bentefrit committed Aug 17, 2017
2 parents f2c4a7f + e922830 commit 9eb0666
Showing 23 changed files with 389 additions and 153 deletions.
168 changes: 166 additions & 2 deletions README.md
Expand Up @@ -54,6 +54,12 @@ adactive_sas_saml2_bridge:
public_key: %idp_public_key_file_path%
private_key: %idp_private_key_file_path%
```

Also add logout handler.
```yaml
logout:
handlers: [adactive_sas_saml2_bridge.logout.handler]
```
The hosted configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP
functionality can be turned off and on individually through the repective `enabled` flags.

Expand Down Expand Up @@ -115,7 +121,36 @@ class SamlServiceProviderRepository implements ServiceProviderRepository
"assertionConsumerUrl" => "https://test.fake/saml/acs",
"assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
"singleLogoutUrl" => "https://test.fake/saml/sls",
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
"nameIdValue" => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
"NameQualifier" => 'test.fake',
"wantSignedAuthnRequest" => true,
"wantSignedAuthnResponse" => true,
"wantSignedAssertions" => false,
"wantSignedLogoutRequest" => false,
"wantSignedLogoutResponse" => false,
"attributes" => [
'User.Email' => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
'User.Username' => function (UserInterface $user) {
/** @var User $user */
return $user->getName();
},
'first_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getFirstName();
},
'last_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getLastName();
},
],
]
);
}
Expand All @@ -140,6 +175,135 @@ class SamlServiceProviderRepository implements ServiceProviderRepository
}
```

######Slack example
```
$this->spMap["https://slack.com"] = new ServiceProvider(
[
/**
* Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
* '-----END CERTIFICATE-----'.
*
* @return null|string
*/
'certificateData' => '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',
/**
* Returns the full path to the (local) file that contains the X509 pem certificate.
*
* @return null|string
*/
"certificateFile" => "",
/**
* @return null|string
*/
"entityId" => "https://slack.com",
/**
* @return null|bool
*/
"assertionEncryptionEnabled" => true,
"assertionConsumerUrl" => "https://$slackTeamName.slack.com/sso/saml",
"assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
"singleLogoutUrl" => "https://$slackTeamName.slack.com/sso/saml/logout",
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,
"nameIdValue" => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
"NameQualifier" => "$slackTeamName.slack.com",
"wantSignedAuthnRequest" => true,
"wantSignedAuthnResponse" => true,
"wantSignedAssertions" => false,
"attributes" => [
'User.Email' => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
'User.Username' => function (UserInterface $user) {
/** @var User $user */
return $user->getName();
},
'first_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getFirstName();
},
'last_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getLastName();
},
],
]
);
```
######Freshdesk example
```
$this->spMap["https://$freshdeskAccountName.freshdesk.com"] = new ServiceProvider(
[
/**
* Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and
* '-----END CERTIFICATE-----'.
*
* @return null|string
*/
'certificateData' => '',
/**
* Returns the full path to the (local) file that contains the X509 pem certificate.
*
* @return null|string
*/
"certificateFile" => "",
/**
* @return null|string
*/
"entityId" => "https://$freshdeskAccountName.freshdesk.com",
/**
* @return null|bool
*/
"assertionEncryptionEnabled" => false,
"assertionConsumerUrl" => "https://$freshdeskAccountName.freshdesk.com/login/saml",
"assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,
"singleLogoutUrl" => "https://$freshdeskAccountName.freshdesk.com/logout/saml",
"singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,
"nameIdFormat" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
"nameIdValue" => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
"NameQualifier" => "$freshdeskAccountName.freshdesk.com",
"wantSignedAuthnRequest" => false,
"wantSignedAuthnResponse" => false,
"wantSignedAssertions" => true,
"attributes" => [
'email' => function (UserInterface $user) {
/** @var User $user */
return $user->getEmailCanonical();
},
'name' => function (UserInterface $user) {
/** @var User $user */
return $user->getName();
},
'given_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getFirstName();
},
'family_name' => function (UserInterface $user) {
/** @var User $user */
return $user->getLastName();
},
],
]
);
```

> Note: Keep in mind that this is a example, you may retrieve ServiceProviders from database
#### Create the Controller
Expand Down Expand Up @@ -240,4 +404,4 @@ So feel free to create issue and pull-request in order to help us making this bu


[1]: https://github.com/simplesamlphp/saml2
[2]: https://github.com/OpenConext/Stepup-saml-bundle
[2]: https://github.com/OpenConext/Stepup-saml-bundle
2 changes: 2 additions & 0 deletions src/AdactiveSasSaml2BridgeBundle.php
Expand Up @@ -20,13 +20,15 @@

namespace AdactiveSas\Saml2BridgeBundle;

use AdactiveSas\Saml2BridgeBundle\SAML2\BridgeContainer;
use Symfony\Component\HttpKernel\Bundle\Bundle;

class AdactiveSasSaml2BridgeBundle extends Bundle
{
public function boot()
{
parent::boot();
/** @var BridgeContainer $bridgeContainer */
$bridgeContainer = $this->container->get('adactive_sas_saml2_bridge.container');
\SAML2_Compat_ContainerSingleton::setContainer($bridgeContainer);
}
6 changes: 2 additions & 4 deletions src/DependencyInjection/AdactiveSasSaml2BridgeExtension.php
Expand Up @@ -20,15 +20,13 @@

namespace AdactiveSas\Saml2BridgeBundle\DependencyInjection;

use AdactiveSas\Saml2BridgeBundle\Entity\HostedEntities;
use AdactiveSas\Saml2BridgeBundle\SAML2\Provider\HostedIdentityProviderProcessor;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\Config\FileLocator;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Definition;
use Symfony\Component\DependencyInjection\Loader;
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
use Symfony\Component\DependencyInjection\Loader;
use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;

/**
* This is the class that loads and manages your bundle configuration.
11 changes: 0 additions & 11 deletions src/DependencyInjection/Configuration.php
Expand Up @@ -83,17 +83,6 @@ private function addHostedSection(ArrayNodeDefinition $node)
->scalarNode('private_key')
->info('The absolute path to the private key used to sign Responses to AuthRequests with')
->end()
->arrayNode('signing')
->addDefaultsIfNotSet()
->children()
->booleanNode("authn_request")
->defaultTrue()
->end()
->booleanNode("logout_request")
->defaultTrue()
->end()
->end()
->end()
->end()
->end()
->end()
3 changes: 0 additions & 3 deletions src/Entity/HostedEntities.php
Expand Up @@ -107,9 +107,6 @@ public function getIdentityProvider()
$this->identityProviderConfiguration['logout_route']
);

$configuration["wantSignedAuthnRequest"] = $this->identityProviderConfiguration["signing"]["authn_request"];
$configuration["wantSignedLogoutRequest"] = $this->identityProviderConfiguration["signing"]["logout_request"];

return $this->identityProvider = new HostedIdentityProvider($configuration);
}

17 changes: 16 additions & 1 deletion src/Entity/ServiceProvider.php
Expand Up @@ -54,6 +54,21 @@ public function getSingleLogoutBinding()
return $this->get('singleLogoutBinding');
}

/**
* @return string|null
*/
public function getNameIdValue(){
return $this->get('nameIdValue');
}

/**
* @return bool
*/
public function wantSignedAuthnRequest()
{
return $this->get('wantSignedAuthnRequest', true);
}

/**
* @return bool
*/
Expand Down Expand Up @@ -99,7 +114,7 @@ public function getNameIdFormat()
*/
public function getAttributes()
{
return $this->get('attributes');
return $this->get('attributes', []);
}

/**
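Review bot: The docblock on the new getNameIdValue() declares `@return string|null`, but the README updated in this same commit configures `nameIdValue` as a closure receiving a UserInterface, so the annotation should read `@return callable|string|null` and say that a callable is invoked with the authenticated user. The new wantSignedAuthnRequest() defaulting to `true` is the right fail-closed default; a short comment such as `// unsigned AuthnRequests are only accepted when a provider explicitly opts out` above `return $this->get('wantSignedAuthnRequest', true);` would make that intent visible, though the code that consults this flag is not in the diff and should be checked to confirm it is actually enforced. The brace in `public function getNameIdValue(){` should move to its own line to match the method directly below it.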
8 changes: 7 additions & 1 deletion src/SAML2/Binding/HttpBindingInterface.php
Expand Up @@ -53,6 +53,12 @@ public function getUnsignedRequest(\SAML2_Request $request);
*/
public function receiveSignedAuthnRequest(Request $request);

/**
* @param Request $request
* @return \SAML2_AuthnRequest
*/
public function receiveAuthnRequest(Request $request);

/**
* @param Request $request
* @return \SAML2_LogoutRequest
Expand Down Expand Up @@ -82,4 +88,4 @@ public function receiveSignedMessage(Request $request);
* @return \SAML2_Message
*/
public function receiveUnsignedMessage(Request $request);
}
}
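Review bot: The docblock for the new receiveAuthnRequest() does not say how it differs from receiveSignedAuthnRequest() immediately above it; judging from the HttpRedirectBinding implementation in this commit it goes through receiveUnsignedMessage(), i.e. no signature is verified. Add a sentence to the docblock along the lines of `Receives an AuthnRequest without verifying any signature; only call this when ServiceProvider::wantSignedAuthnRequest() is false for the requesting provider.` so implementers and callers do not treat the two methods as interchangeable. An `@throws` line for the exception implementations raise when the received message is not an AuthnRequest would also help, since both implementations in this commit throw.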
18 changes: 15 additions & 3 deletions src/SAML2/Binding/HttpPostBinding.php
Expand Up @@ -116,6 +116,17 @@ public function receiveSignedAuthnRequest(Request $request)
throw new UnsupportedBindingException("Unsupported binding: signed POST AuthnRequest is not supported at the moment");
}

/**
* @param Request $request
* @return \SAML2_AuthnRequest
*/
public function receiveAuthnRequest(Request $request)
{
throw new UnsupportedBindingException(
"Unsupported binding: signed POST AuthnRequest is not supported at the moment"
);
}

/**
* @param Request $request
* @return \SAML2_LogoutRequest
Expand Down Expand Up @@ -214,9 +225,10 @@ protected function getResponseForm(\SAML2_StatusResponse $response, $isSign)
SAML2ResponseForm::class,
$data,
[
"has_relay_state" => $hasRelayState,
"destination" => $response->getDestination(),
"has_relay_state"=> $hasRelayState,
"destination" => $response->getDestination(),
]
);
}
}

}
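Review bot: The exception message in the new receiveAuthnRequest() was copied from receiveSignedAuthnRequest() and still says "signed POST AuthnRequest", which will mislead anyone debugging the unsigned path; change it to `"Unsupported binding: POST AuthnRequest is not supported at the moment"`. The docblock should also state that this binding rejects AuthnRequests outright rather than merely restating the parameter and return types. The whitespace-only change in getResponseForm() in the second hunk is unrelated to the commit's purpose and would be cleaner as a separate formatting commit.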
23 changes: 22 additions & 1 deletion src/SAML2/Binding/HttpRedirectBinding.php
Expand Up @@ -204,6 +204,23 @@ public function receiveSignedAuthnRequest(Request $request){
return $message;
}

/**
* @param Request $request
* @return \SAML2_AuthnRequest
*/
public function receiveAuthnRequest(Request $request){
$message = $this->receiveUnsignedMessage($request);

if (!$message instanceof \SAML2_AuthnRequest) {
throw new InvalidArgumentException(sprintf(
'The received request is not an AuthnRequest, "%s" received instead',
substr(get_class($message), strrpos($message, '_') + 1)
));
}

return $message;
}

/**
* @param Request $request
* @return \SAML2_LogoutRequest
Expand Down Expand Up @@ -339,6 +356,10 @@ protected function getReceivedSamlMessageFromQuery(ReceivedMessageQueryString $q

$message = \SAML2_Message::fromXML($document->firstChild);

if (null === $message->getRelayState()) {
$message->setRelayState($query->getRelayState());
}

$currentUri = $this->getFullRequestUri($request);
if (!$message->getDestination() === $currentUri) {
throw new BadRequestHttpException(sprintf(
Expand All @@ -359,4 +380,4 @@ protected function getFullRequestUri(Request $request)
{
return $request->getSchemeAndHttpHost() . $request->getBasePath() . $request->getRequestUri();
}
}
}
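Review bot: In the new receiveAuthnRequest(), `strrpos($message, '_')` is applied to the message object rather than to its class name, so the mismatch path will fail on the string conversion of the object instead of raising the intended InvalidArgumentException; change the argument to `substr(get_class($message), strrpos(get_class($message), '_') + 1)`. receiveSignedAuthnRequest() just above this hunk appears to share the same construction but its body is outside the hunk, so it should be checked as well. In the second hunk, the pre-existing line directly below the new relay-state fallback, `if (!$message->getDestination() === $currentUri)`, negates the Destination before comparing, so the comparison is always bool-versus-string and the BadRequestHttpException is never thrown, which silently disables the Destination check SAML relies on; since this commit touches the lines around it, change it to `if ($message->getDestination() !== $currentUri)`. The new relay-state fallback itself copies the RelayState straight from the query string, which is expected for the redirect binding, but the docblock of getReceivedSamlMessageFromQuery() should note that this value is unauthenticated input.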
