Symfony bundle that provide a SAML Identity Provider (idp).
A bundle that adds SAML capabilities to your application using simplesamlphp/saml2 highly inspired by
OpenConext/Stepup-saml-bundle
SAML Support is limited, this bundle can be used to provide a basic identity provider with the following support:
Add the package to your Composer file
composer require adactive-sas/saml2-bridge-bundle
Add the bundle to your kernel in app/AppKernel.php
public function registerBundles(){// ...$bundles[] = new AdactiveSas\Saml2BridgeBundle\AdactiveSasSaml2BridgeBundle();}
adactive_sas_saml2_bridge:hosted:metadata_route: name_of_the_route_of_metadata_urlidentity_provider:enabled: trueservice_provider_repository: service.name.of.entity_repositorysso_route: name_of_the_route_of_the_single_sign_on_urlsls_route: name_of_the_route_of_the_single_logout_urllogin_route: name_of_the_route_of_the_login_urllogout_route: name_of_the_route_of_the_logout_urlpublic_key: %idp_public_key_file_path%private_key: %idp_private_key_file_path%
Also add logout handler.
logout:handlers: [adactive_sas_saml2_bridge.logout.handler]
The hosted configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP
functionality can be turned off and on individually through the repective enabled flags.
The inlined certificate in the last line can be replaced with certificate_file containing a filesystem path to
a file which contains said certificate.
It is recommended to use parameters as listed above. The various publickey and privatekey variables are the
contents of the key in a single line, without the certificate etc. delimiters. The use of parameters as listed above
is highly recommended so that the actual key contents can be kept out of the configuration files (using for instance
a local parameters.yml file).
The service_provider_repository is a repository of service providers for which you offer IdP services. The service
configured must implement the AdactiveSas\Saml2BridgeBundle\Entity\ServiceProviderRepository interface.
<?phpnamespace Acme\SamlBundle\Entity;use AdactiveSas\Saml2BridgeBundle\Entity\ServiceProvider;use AdactiveSas\Saml2BridgeBundle\Entity\ServiceProviderRepository;class SamlServiceProviderRepository implements ServiceProviderRepository{protected $spMap = [];public function __construct() {$this->spMap["https://test.fake/metadata"] = new ServiceProvider([/*** Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and* '-----END CERTIFICATE-----'.** @return null|string*/'certificateData' => 'MIIEJTCCAw2gAwIBAgIJANug+o++1X5IMA0GCSqGSIb3DQEBCwUAMIGoMQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDEQMA4GA1UEBwwHVXRyZWNodDEVMBMGA1UECgwMU1VSRm5ldCBCLlYuMRMwEQYDVQQLDApTVVJGY29uZXh0MRwwGgYDVQQDDBNTVVJGbmV0IERldmVsb3BtZW50MSswKQYJKoZIhvcNAQkBFhxzdXJmY29uZXh0LWJlaGVlckBzdXJmbmV0Lm5sMB4XDTE0MTAyMDEyMzkxMVoXDTE0MTExOTEyMzkxMVowgagxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MRUwEwYDVQQKDAxTVVJGbmV0IEIuVi4xEzARBgNVBAsMClNVUkZjb25leHQxHDAaBgNVBAMME1NVUkZuZXQgRGV2ZWxvcG1lbnQxKzApBgkqhkiG9w0BCQEWHHN1cmZjb25leHQtYmVoZWVyQHN1cmZuZXQubmwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXuSSBeNJY3d4p060oNRSuAER5nLWT6AIVbv3XrXhcgSwc9m2b8u3ksp14pi8FbaNHAYW3MjlKgnLlopYIylzKD/6Ut/clEx67aO9Hpqsc0HmIP0It6q2bf5yUZ71E4CN2HtQceO5DsEYpe5M7D5i64kS2A7e2NYWVdA5Z01DqUpQGRBc+uMzOwyif6StBiMiLrZH3n2r5q5aVaXU4Vy5EE4VShv3Mp91sgXJj/v155fv0wShgl681v8yf2u2ZMb7NKnQRA4zM2Ng2EUAyy6PQ+Jbn+rALSm1YgiJdVuSlTLhvgwbiHGO2XgBi7bTHhlqSrJFK3Gs4zwIsop/XqQRBAgMBAAGjUDBOMB0GA1UdDgQWBBQCJmcoa/F7aM3jIFN7Bd4uzWRgzjAfBgNVHSMEGDAWgBQCJmcoa/F7aM3jIFN7Bd4uzWRgzjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBd80GpWKjp1J+Dgp0blVAox1s/WPWQlex9xrx1GEYbc5elp3svS+S82s7dFm2llHrrNOBt1HZVC+TdW4f+MR1xq8O5lOYjDRsosxZc/u9jVsYWYc3M9bQAx8VyJ8VGpcAK+fLqRNabYlqTnj/t9bzX8fS90sp8JsALV4g84Aj0G8RpYJokw+pJUmOpuxsZN5U84MmLPnVfmrnuCVh/HkiLNV2c8Pk8LSomg6q1M1dQUTsz/HVxcOhHLj/owwh3IzXf/KXV/E8vSYW8o4WWCAnruYOWdJMI4Z8NG1Mfv7zvb7U3FL1C/KLV04DqzALXGj+LVmxtDvuxqC042apoIDQV',/*** Returns the full path to the (local) file that contains the X509 pem certificate.** @return null|string*/"certificateFile" => "",/*** @return null|string*/"entityId" => "https://test.fake/saml/metadata",/*** @return null|bool*/"assertionEncryptionEnabled" => true,"assertionConsumerUrl" => "https://test.fake/saml/acs","assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,"singleLogoutUrl" => "https://test.fake/saml/sls","singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,"nameIdValue" => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},"NameQualifier" => 'test.fake',"wantSignedAuthnRequest" => true,"wantSignedAuthnResponse" => true,"wantSignedAssertions" => false,"wantSignedLogoutRequest" => false,"wantSignedLogoutResponse" => false,"attributes" => ['User.Email' => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},'User.Username' => function (UserInterface $user) {/** @var User $user */return $user->getName();},'first_name' => function (UserInterface $user) {/** @var User $user */return $user->getFirstName();},'last_name' => function (UserInterface $user) {/** @var User $user */return $user->getLastName();},],"validAudiences" => ["https://test.fake/saml/acs",],"assertionNotBeforeInterval" => new \DateInterval('PT0S'),"assertionNotOnOrAfterInterval" => new \DateInterval('PT5M'),"assertionSessionNotOnOrAfterInterval" => new \DateInterval('P1D'),]);}/*** @param string $entityId* @return ServiceProvider*/public function getServiceProvider($entityId){return $this->hasServiceProvider($entityId) ? $this->spMap[$entityId] : null;}/*** @param string $entityId* @return bool*/public function hasServiceProvider($entityId){return array_key_exists($entityId, $this->spMap);}}
<?php$this->spMap["https://slack.com"] = new ServiceProvider([/*** Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and* '-----END CERTIFICATE-----'.** @return null|string*/'certificateData' => 'MIIDrzCCApagAwIBAgIBADANBgkqhkiG9w0BAQ0FADBxMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEhMB8GA1UECgwYU2xhY2sgVGVjaG5vbG9naWVzLCBJbmMuMRIwEAYDVQQDDAlzbGFjay5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28wHhcNMTUwMzE3MDEyMzMyWhcNMjUwMzE0MDEyMzMyWjBxMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEhMB8GA1UECgwYU2xhY2sgVGVjaG5vbG9naWVzLCBJbmMuMRIwEAYDVQQDDAlzbGFjay5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28wggEjMA0GCSqGSIb3DQEBAQUAA4IBEAAwggELAoIBAgDB0y4ruySosz1GX/3KI1jp4oivxtnXLeMwKELrBgG+rZ8pl+UMhLG2iCp0nbnwSxXVU0ONJVI3SSzJ5VQtBHHCA4UAzse0HRaSZfBs+6urKoMLf8iusBYk62f2g/RAPjsMVcjC8B3FHyhaD9OnWSdJ7uGopmwwEhDiwf/gdS9Uw8FojYDuVprODfmj7+fgWPkGTf8TRGaHjudjuP1LMDRAz2cI0ym09jbnW8BVynSjjUrE+K9ri1uWzT2tp49OHqSgjaXkWWY6prFa9MT8jsibe02Id2i5+h0c4F892O7MybNWgF139dMGapmW4rf3GT7brLZEO4sZPwovhlj3b6U+8wIDAQABo1AwTjAdBgNVHQ4EFgQUa2YVk5yi+WMxLT/q7rokAfzyvU0wHwYDVR0jBBgwFoAUa2YVk5yi+WMxLT/q7rokAfzyvU0wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAQIAUwv53vh2LkgbJbBGyRlSkjAZyybwM7pO6TtQ4SHyn366SG1lZXkc9S9u8m4kMETDquOujC/fZLiAe4f8rZ8+ZXV0f17FL/RhMDzVBv6DgDabfpXAkt+Yn+ZIThFi2D7L4jyJzZPbaf7soCu1e/Dx0CBhm/Lz2nsny6Il7rkEbDB7gBpjZODMMi/PEJ5I462JUrj+9aSZBtx2/NXIoFkLZ1B4j3UG+WJhcYMlMBim/GTimKS7yzkvfqdADmIAaO0RPYduNPds6Dyjyjbqj3XR3WwdsmTorO95UKitRGu10ImwByXo2xzQCwGNP8WuRAmWVIlisLLNEDKTnZDb38085gY=',/*** Returns the full path to the (local) file that contains the X509 pem certificate.** @return null|string*/"certificateFile" => "",/*** @return null|string*/"entityId" => "https://slack.com",/*** @return null|bool*/"assertionEncryptionEnabled" => true,"assertionConsumerUrl" => "https://$slackTeamName.slack.com/sso/saml","assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,"singleLogoutUrl" => "https://$slackTeamName.slack.com/sso/saml/logout","singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,"nameIdFormat" => \SAML2_Const::NAMEID_PERSISTENT,"nameIdValue" => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},"NameQualifier" => "$slackTeamName.slack.com","wantSignedAuthnRequest" => true,"wantSignedAuthnResponse" => true,"wantSignedAssertions" => false,"attributes" => ['User.Email' => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},'User.Username' => function (UserInterface $user) {/** @var User $user */return $user->getName();},'first_name' => function (UserInterface $user) {/** @var User $user */return $user->getFirstName();},'last_name' => function (UserInterface $user) {/** @var User $user */return $user->getLastName();},],]);
<?php$this->spMap["https://$freshdeskAccountName.freshdesk.com"] = new ServiceProvider([/*** Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and* '-----END CERTIFICATE-----'.** @return null|string*/'certificateData' => '',/*** Returns the full path to the (local) file that contains the X509 pem certificate.** @return null|string*/"certificateFile" => "",/*** @return null|string*/"entityId" => "https://$freshdeskAccountName.freshdesk.com",/*** @return null|bool*/"assertionEncryptionEnabled" => false,"assertionConsumerUrl" => "https://$freshdeskAccountName.freshdesk.com/login/saml","assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,"singleLogoutUrl" => "https://$freshdeskAccountName.freshdesk.com/logout/saml","singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,"nameIdFormat" => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',"nameIdValue" => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},"NameQualifier" => "$freshdeskAccountName.freshdesk.com","wantSignedAuthnRequest" => false,"wantSignedAuthnResponse" => false,"wantSignedAssertions" => true,"attributes" => ['email' => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},'name' => function (UserInterface $user) {/** @var User $user */return $user->getName();},'given_name' => function (UserInterface $user) {/** @var User $user */return $user->getFirstName();},'family_name' => function (UserInterface $user) {/** @var User $user */return $user->getLastName();},],]);
<?php$this->spMap["rpm.newrelic.com"] = new ServiceProvider([/*** Returns the contents of an X509 pem certificate, without the '-----BEGIN CERTIFICATE-----' and* '-----END CERTIFICATE-----'.** @return null|string*/'certificateData' => '',/*** Returns the full path to the (local) file that contains the X509 pem certificate.** @return null|string*/"certificateFile" => "",/*** @return null|string*/"entityId" => "rpm.newrelic.com",/*** @return null|bool*/"assertionEncryptionEnabled" => false,"assertionConsumerUrl" => "https://rpm.newrelic.com/accounts/$accountId/sso/saml/finalize","assertionConsumerBinding" => \SAML2_Const::BINDING_HTTP_POST,"singleLogoutUrl" => "","singleLogoutBinding" => \SAML2_Const::BINDING_HTTP_REDIRECT,"nameIdFormat" => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',"nameIdValue" => function (UserInterface $user) {/** @var User $user */return $user->getEmailCanonical();},"NameQualifier" => "rpm.newrelic.com","wantSignedAuthnRequest" => false,"wantSignedAuthnResponse" => false,"wantSignedAssertions" => true,"attributes" => [],]);
Note: Keep in mind that this is a example, you may retrieve ServiceProviders from database
<?phpnamespace Acme\SamlBundle\Controller;use Symfony\Bundle\FrameworkBundle\Controller\Controller;use Symfony\Component\HttpFoundation\Request;use Symfony\Component\Routing\Annotation\Route;/*** @Route("/saml")*/class SamlController extends Controller{/*** @Route("/sso", name="acme_saml_sso")* @return \Symfony\Component\HttpFoundation\Response*/public function singleSignOnAction(Request $httpRequest){$idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");return $idpProcessor->processSingleSignOn($httpRequest);}/*** @Route("/sls", name="acme_saml_sls")* @return \Symfony\Component\HttpFoundation\Response*/public function singleLogoutAction(Request $httpRequest){$idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");return $idpProcessor->processSingleLogoutService($httpRequest);}/*** @Route("/metadata", name="acme_saml_metadata", defaults={"_format"="xml"})** @return \Symfony\Component\HttpFoundation\Response*/public function metadataAction(){$idpProcessor = $this->get("adactive_sas_saml2_bridge.processor.hosted_idp");return $idpProcessor->getMetadataXmlResponse();}}
<?xml version="1.0" ?><container xmlns="http://symfony.com/schema/dic/services"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd"><services><service id="acme.saml.service_provider_repository" class="Acme\SamlBundle\Entity\SamlServiceProviderRepository"></service></services></container>
adactive_sas_saml2_bridge:hosted:metadata_route: acme_saml_metadataidentity_provider:enabled: trueservice_provider_repository: acme.saml.service_provider_repositorysso_route: acme_saml_ssosls_route: acme_saml_slslogin_route: fos_user_security_loginlogout_route: fos_user_security_logoutpublic_key: '%kernel.root_dir%/../vendor/adactive-sas/saml2-bridge-bundle/src/Resources/keys/development_publickey.cer'private_key: '%kernel.root_dir%/../vendor/adactive-sas/saml2-bridge-bundle/src/Resources/keys/development_privatekey.pem'
Note: this is development keys, never use them in production !
We are aware that this bundle really miss tests, this would come in next releases.
For the time being, this bundle is very limited but is designed to be support all SAML2 process.
So feel free to create issue and pull-request in order to help us making this bundle a bit more complete.