Connect Yii 2 application to a Saml Identity Provider for Single Sign on
Clone or download
asasmoyo Merge pull request #16 from juliardi/master
update php-saml to version 3.x
Latest commit 5d58b6f Oct 18, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src updates php-saml to version 3.x Oct 17, 2018
tests allow set config from array Apr 28, 2018
.editorconfig add editorconfig Oct 29, 2016
.gitignore Added phpstorm configuration folder. Jan 1, 2016
.travis.yml updates php-saml to version 3.x Oct 17, 2018
README.md update README.md May 18, 2018
composer.json updates php-saml to version 3.x Oct 17, 2018
composer.lock updates php-saml to version 3.x Oct 17, 2018

README.md

Yii 2 Saml

Build Status

Connect Yii 2 application to a Saml Identity Provider for Single Sign On

Installation

The preferred way to install this extension is through composer.

Either run

php composer.phar require --prefer-dist asasmoyo/yii2-saml "*"

or add

"asasmoyo/yii2-saml": "*"

to the require section of your composer.json file.

Configuration

Register asasmoyo\yii2saml\Saml to your components in config/web.php.

'components' => [
    'saml' => [
        'class' => 'asasmoyo\yii2saml\Saml',
        'configFileName' => '@app/config/saml.php', // OneLogin_Saml config file (Optional)
    ]
]

This component requires a OneLogin_Saml configuration stored in a php file. The default value for configFileName is @app/config/saml.php so make sure to create this file before. This file must returns the OneLogin_Saml configuration. See this link for example configuration.

<?php

$urlManager = Yii::$app->urlManager;
$spBaseUrl = $urlManager->getHostInfo() . $urlManager->getBaseUrl();

return [
    'sp' => [
        'entityId' => $spBaseUrl.'/saml/metadata',
        'assertionConsumerService' => [
            'url' => $spBaseUrl.'/saml/acs',
        ],
        'singleLogoutService' => [
            'url' => $spBaseUrl.'/saml/sls',
        ],
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
    ],
    'idp' => [
        'entityId' => 'identity-provider',
        'singleSignOnService' => [
            'url' => 'https://idp.com/sso',
        ],
        'singleLogoutService' => [
            'url' => 'https://idp.com/sls',
        ],
        'x509cert' => '<x509cert string>',
    ],
];

NOTE : As of version 1.6.0 you can directly put your configuration into your component. For example:

<?php

$urlManager = Yii::$app->urlManager;
$spBaseUrl = $urlManager->getHostInfo() . $urlManager->getBaseUrl();

$config = [
    // some other configuration here

    'components' => [
        'saml' => [
            'class' => 'asasmoyo\yii2saml\Saml',
            'config' => [
                'sp' => [
                    'entityId' => $spBaseUrl.'/saml/metadata',
                    'assertionConsumerService' => [
                        'url' => $spBaseUrl.'/saml/acs',
                    ],
                    'singleLogoutService' => [
                        'url' => $spBaseUrl.'/saml/sls',
                    ],
                    'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
                ],
                'idp' => [
                    'entityId' => 'identity-provider',
                    'singleSignOnService' => [
                        'url' => 'https://idp.com/sso',
                    ],
                    'singleLogoutService' => [
                        'url' => 'https://idp.com/sls',
                    ],
                    'x509cert' => '<x509cert string>',
                ],
            ];
        ]
    ],

    // some other configuration here
];

return $config;

Usage

This extension provides 4 actions:

  1. LoginAction

    This actions will initiate login process to Identity Provider specified in config file. To use this action, just register this action to your actions in your controller.

    <?php
    
    namespace app\controllers;
    
    use Yii;
    use yii\web\Controller;
    use yii\helpers\Url;
    
    
    class SamlController extends Controller {
    
        // Remove CSRF protection
        public $enableCsrfValidation = false;
    
        public function actions() {
            return [
                'login' => [
                    'class' => 'asasmoyo\yii2saml\actions\LoginAction'
                ]
            ];
        }
    
    }

    Now you can login to your Identity Provider by visiting saml/login.

  2. AcsAction

    This action will process saml response sent by Identity Provider after succesfull login. You can register a callback to do some operation like read the attributes sent by Identity Provider and create a new user from that attributes. To use this action just register this action to you controllers's actions.

    <?php
    
    namespace app\controllers;
    
    use Yii;
    use yii\web\Controller;
    use yii\helpers\Url;
    
    
    class SamlController extends Controller {
    
        // Remove CSRF protection
        public $enableCsrfValidation = false;
    
        public function actions() {
            return [
                ...
                'acs' => [
                    'class' => 'asasmoyo\yii2saml\actions\AcsAction',
                    'successCallback' => [$this, 'callback'],
                    'successUrl' => Url::to('site/welcome'),
                ]
            ];
        }
    
        /**
         * @param array $attributes attributes sent by Identity Provider.
         */
        public function callback($attributes) {
            // do something
        }
    }

    NOTE: Make sure to register the acs action's url to AssertionConsumerService and the sls actions's url to SingleLogoutService (if supported) in the Identity Provider.

  3. MetadataAction

    This action will show metadata of you application in xml. To use this action, just register the action to your controller's action.

    <?php
    
        public function actions() {
            return [
                ...
                'metadata' => [
                    'class' => 'asasmoyo\yii2saml\actions\MetadataAction'
                ]
            ];
        }
  4. LogoutAction

    This action will initiate SingleLogout process to Identity Provider. To use this action, just register this action to your controller's actions.

    <?php
    
        public function actions() {
            return [
                ...
                'logout' => [
                    'class' => 'asasmoyo\yii2saml\actions\LogoutAction',
                    'returnTo' => Url::to('site/bye'),
                ]
            ];
        }
  5. SlsAction

    This action will process saml logout request/response sent by Identity Provider. To use this action just register this action to you controllers's actions.

    <?php
    
        public function actions() {
            ...
    
            return [
                ...
                'sls' => [
                    'class' => 'asasmoyo\yii2saml\actions\SlsAction',
                    'successUrl' => Url::to('site/bye'),
                ]
            ]
        }

Usage

If the SAMLResponse is rejected, add to the SAML settings the parameter

'debug' => true,

and the reason will be prompted.

LICENCE

MIT Licence