nbgrp / onelogin-saml-bundle Goto Github PK

OneLogin SAML Symfony Bundle

License: BSD 3-Clause "New" or "Revised" License

PHP 100.00%

symfony-bundle onelogin saml saml2 sso single-sign-on

onelogin-saml-bundle's Issues

Misleading information about ONELOGIN_CUSTOMPATH

As of today it's impossible to configure custom path for certs because when this bundle is configuring \OneLogin\Saml2\Settings it's already passing $settings will all information resolved.

Workaround: use %env()% with cert-content.

Failed to Load Resources

Hi,
There is an issue with the resources when routes.yaml file looks like this
nbgrp_saml: resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
I got this error
There is no extension able to load the configuration for "nbgrp_saml"

And when I change the bundle name like below
nbgrp_onelogin_saml: resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
There is another error
Unrecognized option "resource" under "nbgrp_onelogin_saml". Available options are "entity_manager_name", "idp_parameter_name", "onelogin_settings", "use_proxy_vars".

I also checked bundles.php and this line is added
Nbgrp\OneloginSamlBundle\NbgrpOneloginSamlBundle::class => ['all' => true],

Symfony 6.2.2
PHP 8.1.1

If someone can help, thank you a lot in advance!

JIT provisioning and persisting User doesn't change anything in the database

Hello !

So I'm having with using the JIT provisioning and the persist_user.

What I'm trying to achieve is that at every connexion of the user, if in the attributes "roles" something has changed, than it changes its roles into the database.

What my code looks like :

in the security.yaml ->

providers:
        saml_provider:
            ##  Basic provider instantiates a user with identifier and default roles
            entity:
                class: App\Entity\User
                property: email

...


main:
            pattern: ^/
            provider: saml_provider
            saml:
                ##  Match SAML attribute 'uid' with user identifier.
                ##  Otherwise, used \OneLogin\Saml2\Auth::getNameId() method by default.
                identifier_attribute: email
                check_path: saml_acs
                login_path: saml_login
                user_factory: saml_user_factory
                persist_user: true
            logout:
                path: saml_logout

in the services.yaml ->

services:
    saml_user_factory:
          class: App\Security\UserFactory

And in my UserFactory.php ->

 public function createUser(string $identifier, array $attributes): UserInterface
 {
        $user = new User();
        $user->setEmail($attributes['email'][0]);
        $user->setFirstname($attributes['firstname'][0]);
        $user->setLastname($attributes['lastname'][0]);
        $user->setTrigram($attributes['trigram'][0]);

        $rolesAttributes = $attributes['roles'];
        if ($_ENV['APP_ENV'] == 'prod') {
            $user->setRoles($this->setProdRoles($rolesAttributes));
        } else if ($_ENV['APP_ENV'] == 'dev') {
            $user->setRoles($this->setDevRoles($rolesAttributes));
        } else {
            $user->setRoles([]);
        }
        return $user;
}

And then for an exemple of the prod roles function ->

public function setProdRoles(array $rolesAttributes): array
    {
        $roles = [];
        if (in_array('roles1', $rolesAttributes)) {
            $roles[] = 'ROLE_USER';
        }
        if (in_array('roles2', $rolesAttributes)) {
            $roles[] = 'ROLE_TEST1';
        }
        if (in_array('roles3', $rolesAttributes)) {
            $roles[] = 'ROLE_TEST2';
        }
        return $roles;
    }

For the use case, what happens is that when a user load for the first time on my application, and in his attribute roles he has only "roles1", then he's going to have 'ROLE_USER' in the database.
But then, in the saml server we add the 'roles2', and what happens is that when he reconnects to the website, he doesn't have the 'ROLE_TEST1' in the database, even though we tried to delete cookies, etc... I have to manually change in the database...

How can i achieve this please ?

Is it possible to set returnTo?

Is it possible to set returnTo parametr via $_GET or something like that?

I have url /saml/login. I want to redirect always from page, where I click on login button. I would like to set something like /saml/login?returnTo=/account/me and after login (or logout) get to page /account/me etc.

Routes not working after fresh installation

Background

After upgrading from Symfony 5.4 to Symfony 6.3, I had to change from hslavich/oneloginsaml-bundle to nbgrp/onelogin-saml-bundle too. Once removed hslavich/oneloginsaml-bundle, I did a fresh installation of nbgrp/onelogin-saml-bundle.

Problem

The routes (like saml_login and saml_acs) coudn't be found.

Solution

I added this manually into /config/routes.yaml:

nbgrp_onelogin_saml:
    resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"

Proposal:

I don't know if this is a bug, but it would be helpful to know, if it should be working like this. If yes, it would be beneficial to have this in your README.md-file. (and/or to fix the bug)

ADFS Problem

We get an error, when using adfs server as IDP
Error details: Found invalid data while decoding.

What do we have to configure to get adfs server working?
Thanks for your helping.

Override reply (assertion customer service) doesn't work.

routes.php in this bundle use hard-coded paths. The bundle configuration allows us to specify an ACS URL, but this doesn't override the default /saml/acs route. I need this to be /saml2. How should I approach this problem?

Edit:

I've worked around the issue by manually defining routes (based on the ones from the bundle). I don't think this is a good solution though. In case routes get added or removed in the future, this would break future updates on my end.

saml_metadata:
    path: '/saml/metadata'
    controller: Nbgrp\OneloginSamlBundle\Controller\Metadata
    defaults: {'idp': ~}

saml_acs:
    path: '/saml2' # <--- This is the one I changed.
    controller: Nbgrp\OneloginSamlBundle\Controller\AssertionConsumerService
    defaults: {'idp': ~}
    methods: ['POST']

saml_login:
    path: '/saml/login'
    controller: Nbgrp\OneloginSamlBundle\Controller\Login
    defaults: { 'idp': ~ }

saml_logout:
    path: '/saml/logout'
    controller: Nbgrp\OneloginSamlBundle\Controller\Logout
    defaults: { 'idp': ~ }

No AuthNRequest sent from SP

I'm trying to get a docker network set up with an SP and IdP - my SP is a Symfony 6 app on localhost:8000, and the IdP is a docker image kenchan0130/simplesamlphp:develop - mapped to local-idp.local:4000, which is effectively a wrapper for SimpleSAMLphp.org codebase configured as an IdP.

When I go to the url on my SP that is marked as protected, I'm redirected to the IdP login page as expected, but there is no AuthNRequest SAML payload - is this by design?

After upgrading, got a ServiceNotFoundException

Got this exception after upgrading my app to SF6 and using this bundle.
Symfony packages are updated and all the recipes too. Old hslavich bundle is removed.

The service "security.authenticator.saml.main" has a dependency on a non-existent service "".

My security.yaml is like following as exception refers to authenticator in "main" firewall:

security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        #users_in_memory: { memory: null }
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: 'App\Entity\User'
                default_roles: [ 'ROLE_USER' ]
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            lazy: true
            provider: saml_provider

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
            saml:
                ##  Match SAML attribute 'uid' with user identifier.
                ##  Otherwise, used \OneLogin\Saml2\Auth::getNameId() method by default.
                identifier_attribute: uid
                ##  Use the attribute's friendlyName instead of the name.
                use_attribute_friendly_name: false
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/databases, roles: ROLE_ADMIN }
        #- { path: ^/rooms, roles: ROLE_ADMIN }
        - { path: ^/server, roles: ROLE_ADMIN }
        - { path: ^/audit, roles: ROLE_ADMIN }
        - { path: ^/saml/(metadata|login|acs), roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }

Need to disable onelogin behaviours

Our application is deployed for differents clients with differents need of configuration (including SSO activation).

There is no configuration attribute to disable the OneLogin Bundle functionnalities, so i tried to comment all configuration from nbgrp_onelogin_saml.yaml and even if it is not perfect, I can "hide" sso behaviours by this way... except on logout !

The SamlLogoutListener is registered on LogoutEvent.

#[AsEventListener(LogoutEvent::class)]
    public function processSingleLogout(LogoutEvent $event): void
    {
        $authService = $this->getAuthService($event->getRequest());
        if (!$authService) {
            return;
        }

        $token = $event->getToken();
        if (!$token instanceof SamlToken) {
            return;
        }

        try {
            $authService->processSLO();
        } catch (\OneLogin\Saml2\Error) {
            if (!empty($authService->getSLOurl())) {
                /** @var string|null $sessionIndex */
                $sessionIndex = $token->hasAttribute(SamlAuthenticator::SESSION_INDEX_ATTRIBUTE)
                    ? $token->getAttribute(SamlAuthenticator::SESSION_INDEX_ATTRIBUTE)
                    : null;
                $authService->logout(null, [], $token->getUserIdentifier(), $sessionIndex);
            }
        }
    }
`

And getAuthService throws an exception when there is no services configured ! But, if we take a look on the processSingleLogout function, there could be a small change on the code that can prevent unobvious exception, by testing $token before $authService.

```php
#[AsEventListener(LogoutEvent::class)]
    public function processSingleLogout(LogoutEvent $event): void
    {

        $token = $event->getToken();
        if (!$token instanceof SamlToken) {
            return;
        }

        $authService = $this->getAuthService($event->getRequest());
        if (!$authService) {
            return;
        }
`

What do you think about this change ? Could it be inplemented into a new version of onelogin-saml-bundle ?

And more globally, what do you think about manage a enable o disable attribute into configuration ?

Problem with the settings for Azure

Hello,

I am using onelogin-saml-bundle on symfony 6.
With google, everything work fine.
But I have issue on Microsoft Azure.
When my application launch the connection to azure, I receive the error AADSTS750055: SAML message was not properly DEFLATE-encoded.

Unlikely to google connection, I think Azure required the request to the idp to be encoded and deflated.
But i can't find the right settings to set.
In the azure xml metada, I have a digest value and a signature value.
But I don't know where to put them in my bundle setting.

Here is my setting:

nbgrp_onelogin_saml:
  onelogin_settings:
    default:
      # Mandatory SAML settings
      idp:
        entityId: "%env(SAML_ENTITY_ID)%"
        singleSignOnService:
          url: "%env(SAML_SSO_URI)%"
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: "%env(SAML_CERT)%"
      sp:
        entityId: "%env(LIGHT__SAML_ENTITY__ID)%" 
        assertionConsumerService:
          url: '%env(LIGHT__SAML_ENTITY__ID)%/saml/acs' 
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
          url: '%env(LIGHT__SAML_ENTITY__ID)%/logout'
          binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
      # Optional SAML settings
      baseurl: '%env(LIGHT__SAML_ENTITY__ID)%/saml/' 
      strict: true
      debug: true
      security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        signMetadata: false
        wantMessagesSigned: false
        wantAssertionsEncrypted: false
        wantAssertionsSigned: false
        wantNameId: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        wantXMLValidation: false
        relaxDestinationValidation: false
        destinationStrictlyMatches: true
        allowRepeatAttributeName: false
        rejectUnsolicitedResponsesWithInResponseTo: false
        signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
        digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
        encryption_algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
        lowercaseUrlencoding: false
      compress:
        requests: false
        responses: false
  # Optional parameters
  use_proxy_vars: true
  idp_parameter_name: 'custom-idp'
  entity_manager_name: 'custom-em'

Can someone please help me ?

Marion

Multiple idP: restrict email by format

Hi,

I'm using nbgrp/onelogin-saml-bundle with multiple idP.
Users are mapped and logged by email.

I would like to restrict sign in and login only for email like "@company-idp-name.com".

Could you please help me to do this ?

Thanks

500 Error: Attribute not found, but present in SAML data

I have a Symfony 6.4 container and a boxy/mock-saml container configured in a docker compose file. I believe I have everything connected / configured properly - the containers start up, and when I go to the app home page (localhost:8000) I am redirected to the saml container's login (localhost:4000).

The Attributes configured in the AttributeStatement of the SAML data are minimal - id, email, firstName, lastName - I updated the security.yaml to use the id as the identifier:

security:
    firewalls:
        main:
            provider: saml_provider
            saml:
               identifier_attribute: id

However, after logging in to the SAML container, I'm redirected back to the app container on 8000, but an error is thrown saying that the id attribute cannot be found:

RuntimeException:
Attribute "id" not found in SAML data.

  at vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:198
  at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->extractIdentifier()
     (vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:145)
  at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->createPassport()
     (vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:96)
  at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->authenticate()
     (vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticator.php:70)
  at Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator->authenticate()
     (vendor/symfony/security-http/Authentication/AuthenticatorManager.php:176)
  at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticator()
     (vendor/symfony/security-http/Authentication/AuthenticatorManager.php:158)
  at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticators()
     (vendor/symfony/security-http/Authentication/AuthenticatorManager.php:140)
  at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->authenticateRequest()
     (vendor/symfony/security-http/Firewall/AuthenticatorManagerListener.php:40)
  at Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener->authenticate()
     (vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticatorManagerListener.php:68)
  at Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener->authenticate()
     (vendor/symfony/security-bundle/Debug/WrappedLazyListener.php:46)
  at Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate()
     (vendor/symfony/security-http/Firewall/AbstractListener.php:26)
  at Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke()
     (vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php:83)
  at Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners()
     (vendor/symfony/security-http/Firewall.php:95)
  at Symfony\Component\Security\Http\Firewall->onKernelRequest()
     (vendor/symfony/event-dispatcher/Debug/WrappedListener.php:116)
  at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
     (vendor/symfony/event-dispatcher/EventDispatcher.php:220)
  at Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
     (vendor/symfony/event-dispatcher/EventDispatcher.php:56)
  at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
     (vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:139)
  at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
     (vendor/symfony/http-kernel/HttpKernel.php:157)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
     (vendor/symfony/http-kernel/HttpKernel.php:76)
  at Symfony\Component\HttpKernel\HttpKernel->handle()
     (vendor/symfony/http-kernel/Kernel.php:197)
  at Symfony\Component\HttpKernel\Kernel->handle()
     (vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35)
  at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
     (vendor/autoload_runtime.php:29)
  at require_once('/var/www/html/vendor/autoload_runtime.php')
     (public/index.php:5)

But inspecting the SAML data with the Chrome extensions clearly shows the id attribute present:

Thoughts? work arounds?

(Is there something broken with that SAML XML structure?)

Dynamic IDP configuration based on user's domain

Hello,

I am setting up SAML authentication in my Symfony application using the bundle. However, I need to configure the IDP dynamically based on the user's domain when logging in.

Currently, it seems that the bundle does not support this functionality, as the IDP configuration is defined in the config/packages/nbgrp_onelogin_saml.yaml configuration file that is loaded during initialization.
Is there another way to do this with the current bundle? Is there a function to inject a custom config?

Thank you in advance for your help.

Nbgrp_onlelogin_saml.yaml and .env variables

Hello,

I have found a problem with the config file of this library.

The "binding" parameters don't seems to allow environnement variables.

Example :

nbgrp_onelogin_saml:
  use_proxy_vars: true
  onelogin_settings:
    default:
      # Basic settings
      idp:
        entityId: "%env(SAML_IDP_ENTITY_ID)%"
        singleSignOnService:
          url: "%env(SAML_SINGLE_SIGN_ON_SERVICE_URL)%"
          binding: "%env(SAML_SINGLE_SIGN_ON_SERVICE_BINDING)%"

The error we encounter :

Invalid configuration for path "nbgrp_onelogin_saml.onelogin_settings.default.idp.singleSignOnService.binding": invalid value.

How i fixed this error :

binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

This behavior is managed in src/DependencyInjection/Configuration.php :

->scalarNode('binding')
    ->validate()
        ->ifTrue(static fn ($value): bool => !str_starts_with($value, 'urn:oasis:names:tc:SAML:2.0:bindings:'))
        ->thenInvalid('invalid value.')
    ->end()
->end()

It seems like this value " %env()%" is not replaced before the call of validate() method.

Is it really mandatory to have this verification or is there another way to achieve the desired result ?

Thanks.

Configuration :

Php : 8.1.8
Symfony : 6.2
Nbgrp_login_saml : 1.3.2

Inject <saml:Subject><saml:NameID> into User-Entity

I'm using Wordpress as IDP.
The free version of the WP-Plugin (https://de.wordpress.org/plugins/miniorange-wp-as-saml-idp/) does not set any attributes.
The only property which is set in the response is in saml:Subject

This value exists in OneLogin\Saml2\Auth $nameId, SamlAuthenticator can access this property.
But i don't see a way to inject that property into the UserEntity.

SamlAuthenticator cannot be replaced via DI, there is no Event.
Am I missing something? Is there a little hack?

By the way...
As i can see Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::extractIdentifier() would return exact this value, if identifier_attribute is not set in options.

onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php

Line 184 in cdf08b8

if (\array_key_exists('identifier_attribute', $this->options)) {

Problem: As i can see, it's not possible to delete "identifier_attribute" from $this->options via yaml. It's not possible to delete / unset keys with yaml.

User provider: load by SAML attributes?

Hi and thanks for your work on this bundle!
I'm currently in the process of integrating it inside a new Symfony site.

In my use-case I don't want the user provider to create users on SAML success, but rather:

retrieve the SAML attributes
process them depending on the IdP
and determine the username/identifier based on these attributes and IdP.

I used to use aerialship/saml-sp-bundle which had a handy UserManagerInterface with loadUserBySamlInfo(SamlSpInfo $samlInfo): UserInterface. The user provider could implement this interface, and that method would be called on SAML auth success. See the docs for a little more details.

Note: It also has a createUserFromSamlInfo(SamlSpInfo $samlInfo): UserInterface but I'm currently not interested in this feature 😉

Is something similar currently possible (maybe listening to an event)?
If not, do you think it could improve the bundle?

Thanks!

Multiple IDP use without specifying which one to use on idp side

Hello !

First of all, thank you very much for your work !

In my app I need to use multiple IDP settings, but I don't want to specify which one to use, I want it to be the role of the idp (Azure in my case)

My use case is :
The user comes to my app, he's redirected to login.microsoftonline.com, where he can connect with his e-mail address, then microsoft redirect him on his specific tenant according his e-mail.

Once he is logged in azure, it knows where to redirect him as I have configured it in each of my tenants (https://my-idp.com/acs?idp=correct-idp).

I don't think this is possible in the current state of your bundle, am I wrong ? It takes the default IDP setting if we do not specify which IDP setting to use when sending the first login request

Events not firing (UserCreatedEvent, UserUpdatedEvent)

Tried with Listener and Subscriber, but despite DeferredUserListener is calling dispatch nothing is kicking in.

# service.yaml
    App\EventListener\SamlUserCreatedListener:
        tags:
            - { name: kernel.event_listener, event: 'Nbgrp\OneloginSamlBundle\Event\UserCreatedEvent', method: onSamlUserCreated }

Subscriber:

class CustomEventSubscriber implements EventSubscriberInterface
{

  public function __construct(private LoggerInterface $logger)
  {
  }

  public static function getSubscribedEvents(): array
  {
    // return the subscribed events, their methods and priorities
    return [
      UserCreatedEvent::class => 'onCreated',
    ];
  }

  public function onCreated(UserCreatedEvent $event)
  {
    $this->logger->info($event->getUser()->getUserIdentifier());
  }
}

Not called listeners:

Nbgrp\OneloginSamlBundle\Event\UserCreatedEvent
--
0 | "App\EventListener\SamlUserCreatedListener::onSamlUserCreated(UserCreatedEvent $event)"
-1000 | "App\EventSubscriber\CustomEventSubscriber::onCreated(UserCreatedEvent $event)"

new user created at each connection

Hello !
I'm having an issue where each time I log into my application, a new entity is created and I would like to know how can I have just 1 entity user related to the identifier please.

For example, if I log in with the same credentials twice, than I'll have 2 entity of the same user in my database, though I'd like to only have one (that's the point).

If someone can help, thank you a lot in advance !

Need to use urn:federation:authentication:windows for requestedAuthnContext

Hello,

Thanks for your work !

I need to specify the value 'urn:federation:authentication:windows' for requestedAuthnContext conffiguration, but there is configuration control with do not permit to use something diffrent from 'urn:oasis:names:tc:SAML:2.0:ac:classes:' (Configuration.php, line 169)

Why (It does not appear that php-saml lib is so restricted) ?
How can I fix this ?

->variableNode('requestedAuthnContext')
                                        ->validate()
                                            ->ifTrue(static fn ($value) => !(\is_bool($value) || \is_array($value)))
                                            ->thenInvalid('must be an array or a boolean.')
                                        ->end()
                                        ->validate()
                                            ->ifTrue(static fn ($value) => \is_array($value) && array_filter($value, static fn ($item): bool => !str_starts_with($item, 'urn:oasis:names:tc:SAML:2.0:ac:classes:')))
                                            ->thenInvalid('invalid value.')
                                        ->end()
                                    ->end()
`

Thanks for your reply.
N.B : using last release version (1.3.2)

Deprecation Note in Symfony 6.2

Using the current Symfony 6.2 release, I get the following deprecation warning:

The "Nbgrp\OneloginSamlBundle\Onelogin\AuthArgumentResolver" class implements "Symfony\Component\HttpKernel\Controller\ArgumentValueResolverInterface" that is deprecated since Symfony 6.2, implement ValueResolverInterface instead.

I would appreciate, if you would fix this. Thank you.

After logging in via IdP 'authentication failed'

I believe I have everything set up properly - the SP's nbgrp_onelogin_saml.yaml is pretty much boilerplate with the IdP's domains as below:

 default:
            # Mandatory SAML settings
            idp:
                entityId: 'http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php'
                singleSignOnService:
                    url: "http://local-idp.local:4000/simplesaml/saml2/idp/SSOService.php?spentityid=http://localhost:8000/saml/metadata"
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                singleLogoutService:
                    url: 'http://local-idp.local:4000/simplesaml/saml2/idp/SingleLogoutService.php'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                x509cert: 'MIIDb...'
            sp:
                entityId: 'http://localhost:8000/saml/metadata'  #  Default: '<request_scheme_and_host>/saml/metadata'
                assertionConsumerService:
                    url: 'http://localhost:8000/saml/acs'  #  Default: '<request_scheme_and_host>/saml/acs'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                singleLogoutService:
                    url: 'http://localhost:8000/saml/logout'  #  Default: '<request_scheme_and_host>/saml/logout'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                privateKey: 'MIIEv...'
            # Optional SAML settings

The sp.privateKey and idp.x509cert values are directly out of the certificates in the IdP image.

This more or less works as expected - I have the /admin path set up to be SSO log in only in config/security.yaml, and if I go to localhost:8000/admin, I am redirected to the IdP site. I log in with the credentials set in the authsources.php file in the IdP config user the SimpleSaml docs, and am redirected back to the SP with a SAML payload, including the matching x509 cert value.

But when I get back to the SP, I get an 'authentication failed' exception error:

RuntimeException:
The authentication failed.

at vendor/nbgrp/onelogin-saml-bundle/src/Controller/Login.php:45
  at Nbgrp\OneloginSamlBundle\Controller\Login->__invoke()
     (vendor/symfony/http-kernel/HttpKernel.php:181)
  at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
     (vendor/symfony/http-kernel/HttpKernel.php:76)
  at Symfony\Component\HttpKernel\HttpKernel->handle()
     (vendor/symfony/http-kernel/Kernel.php:197)
  at Symfony\Component\HttpKernel\Kernel->handle()
     (vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35)
  at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
     (vendor/autoload_runtime.php:29)
  at require_once('/var/www/html/vendor/autoload_runtime.php')
     (public/index.php:5)

Thoughts? happy to post more of the config or SAML payload if that's helpful.

Thx!

Symfony 7 support?

As this is mentioned to be for Symfony 6 and newer?

Maybe create just pre-release where composer constraints are updated so people can test themselves if this works?

<request_scheme_and_host> with x-forwarded-prefix

Hi,

It seems that the <request_scheme_and_host> variable is not compliant with the "x-forwarded-prefix" proxy header.
Is it possible to implement it ? <request_scheme_and_host> is a must-have 😊

Thanks

nbgrp / onelogin-saml-bundle Goto Github PK

onelogin-saml-bundle's Issues

Background

Problem

Solution

Proposal:

Recommend Projects

Recommend Topics

Recommend Org