nbgrp / onelogin-saml-bundle
OneLogin SAML Symfony Bundle
License: BSD 3-Clause "New" or "Revised" License
As of today it's impossible to configure a custom path for certs because when this bundle configures \OneLogin\Saml2\Settings it's already passing $settings with all information resolved.
Workaround: use %env()% with the cert content.
Hi,
There is an issue with the resources when the routes.yaml file looks like this:

```yaml
nbgrp_saml:
    resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
```

I got this error:

```
There is no extension able to load the configuration for "nbgrp_saml"
```

And when I change the bundle name like below:

```yaml
nbgrp_onelogin_saml:
    resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
```

There is another error:

```
Unrecognized option "resource" under "nbgrp_onelogin_saml". Available options are "entity_manager_name", "idp_parameter_name", "onelogin_settings", "use_proxy_vars".
```

I also checked bundles.php and this line is added:

```php
Nbgrp\OneloginSamlBundle\NbgrpOneloginSamlBundle::class => ['all' => true],
```

Symfony 6.2.2
PHP 8.1.1
If someone can help, thank you a lot in advance!
Hello !
So I'm having trouble using the JIT provisioning and the persist_user.
What I'm trying to achieve is that at every connection of the user, if something has changed in the "roles" attribute, then it changes its roles in the database.
What my code looks like:
In the security.yaml:
```yaml
providers:
    saml_provider:
        ## Basic provider instantiates a user with identifier and default roles
        entity:
            class: App\Entity\User
            property: email
...
main:
    pattern: ^/
    provider: saml_provider
    saml:
        ## Match SAML attribute 'uid' with user identifier.
        ## Otherwise, used \OneLogin\Saml2\Auth::getNameId() method by default.
        identifier_attribute: email
        check_path: saml_acs
        login_path: saml_login
        user_factory: saml_user_factory
        persist_user: true
    logout:
        path: saml_logout
```
In the services.yaml:

```yaml
services:
    saml_user_factory:
        class: App\Security\UserFactory
```
And in my UserFactory.php:

```php
public function createUser(string $identifier, array $attributes): UserInterface
{
    $user = new User();
    $user->setEmail($attributes['email'][0]);
    $user->setFirstname($attributes['firstname'][0]);
    $user->setLastname($attributes['lastname'][0]);
    $user->setTrigram($attributes['trigram'][0]);
    $rolesAttributes = $attributes['roles'];
    if ($_ENV['APP_ENV'] == 'prod') {
        $user->setRoles($this->setProdRoles($rolesAttributes));
    } else if ($_ENV['APP_ENV'] == 'dev') {
        $user->setRoles($this->setDevRoles($rolesAttributes));
    } else {
        $user->setRoles([]);
    }
    return $user;
}
```
And then, as an example, the prod roles function:

```php
public function setProdRoles(array $rolesAttributes): array
{
    $roles = [];
    if (in_array('roles1', $rolesAttributes)) {
        $roles[] = 'ROLE_USER';
    }
    if (in_array('roles2', $rolesAttributes)) {
        $roles[] = 'ROLE_TEST1';
    }
    if (in_array('roles3', $rolesAttributes)) {
        $roles[] = 'ROLE_TEST2';
    }
    return $roles;
}
```
For the use case, what happens is that when a user loads my application for the first time, and in his roles attribute he has only "roles1", then he's going to have 'ROLE_USER' in the database.
But then, in the SAML server we add 'roles2', and what happens is that when he reconnects to the website, he doesn't have 'ROLE_TEST1' in the database, even though we tried to delete cookies, etc. I have to change it manually in the database...
How can I achieve this please?
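To keep the roles stored in the database in step with what the IdP currently asserts, the mapping has to run on every login, not only inside createUser(), and it has to replace the stored roles rather than add to them; otherwise a group that was revoked at the IdP stays effective in the application. The following is an added example, not code from the bundle or from the issue author. It assumes the bundle's SamlUserInterface, whose setSamlAttributes() the bundle calls on each authentication and persists when persist_user is true, and the bundle's SamlUserFactoryInterface; the attribute names, the role map and the class names are constructed.

```php
<?php
// Added example, split across src/Security/SamlRoleMapper.php,
// src/Security/UserFactory.php and src/Entity/User.php in a real project.
// Assumes the bundle's SamlUserInterface / SamlUserFactoryInterface (see lead-in).
declare(strict_types=1);

namespace App\Security {
    use Nbgrp\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
    use Symfony\Component\Security\Core\User\UserInterface;

    /**
     * One mapping used both at first creation and at every later login, so the
     * database never holds a role the IdP no longer asserts for the user.
     */
    final class SamlRoleMapper
    {
        /** IdP "roles" value => application role; an allowlist, unknown values are ignored. */
        private const MAP = [
            'roles1' => 'ROLE_USER',
            'roles2' => 'ROLE_TEST1',
            'roles3' => 'ROLE_TEST2',
        ];

        /**
         * @param array<string, array<int, string>> $attributes SAML attributes (name => values)
         * @return list<string>
         */
        public static function rolesFromAttributes(array $attributes): array
        {
            $roles = [];
            // A missing or empty "roles" attribute yields no roles, not the previous ones.
            foreach ($attributes['roles'] ?? [] as $value) {
                if (isset(self::MAP[$value])) {
                    $roles[] = self::MAP[$value];
                }
            }

            return array_values(array_unique($roles));
        }
    }

    final class UserFactory implements SamlUserFactoryInterface
    {
        public function createUser(string $identifier, array $attributes): UserInterface
        {
            $user = new \App\Entity\User($attributes['email'][0] ?? $identifier);
            $user->setSamlAttributes($attributes); // same code path as every later login

            return $user;
        }
    }
}

namespace App\Entity {
    use App\Security\SamlRoleMapper;
    use Nbgrp\OneloginSamlBundle\Security\User\SamlUserInterface;

    /** ORM mapping omitted; only the parts relevant to role synchronisation are shown. */
    class User implements SamlUserInterface
    {
        /** @var list<string> */
        private array $roles = [];

        public function __construct(private string $email)
        {
        }

        public function getUserIdentifier(): string
        {
            return $this->email;
        }

        public function getRoles(): array
        {
            return $this->roles;
        }

        public function eraseCredentials(): void
        {
        }

        /** Called by the bundle on every successful SAML login, before the user is persisted. */
        public function setSamlAttributes(array $attributes): void
        {
            $this->email = $attributes['email'][0] ?? $this->email;
            // Replace, never merge: a role removed at the IdP is removed here too.
            $this->roles = SamlRoleMapper::rolesFromAttributes($attributes);
        }
    }
}
```

Because the factory and the entity share the mapper, the first-login and re-login paths cannot drift apart. The prod/dev split from the post can be kept by injecting the map through the factory's constructor instead of the constant. Note that the security token in the session carries the roles from the moment of login, so a change at the IdP becomes effective at the user's next login, which is exactly the behaviour the post asks for.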
Is it possible to set the returnTo parameter via $_GET or something like that?
I have the URL /saml/login. I always want to redirect from the page where I clicked on the login button. I would like to set something like /saml/login?returnTo=/account/me and after login (or logout) get to the page /account/me etc.
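A caller-supplied returnTo value has to be validated before it is stored and used for the post-login redirect; otherwise /saml/login?returnTo=https://evil.example turns the login route into an open redirect that phishing pages can chain onto a legitimate IdP login. The following is an added example, not code from the bundle or from the issue author: it accepts only local, path-absolute targets, remembers the target in the session when the bundle's saml_login route is hit, and redirects to it on Symfony's LoginSuccessEvent. The class names and the session key are constructed.

```php
<?php
// Added example (not the bundle's code). Assumes the bundle's saml_login route name
// and a stateful firewall with sessions; session key and class names are constructed.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

final class ReturnToValidator
{
    /**
     * Returns $candidate only if it is a local, path-absolute target such as
     * "/account/me?tab=1". Anything that could leave the site (absolute URLs,
     * "//host", "/\host", control characters) falls back to $default.
     */
    public static function sanitize(?string $candidate, string $default = '/'): string
    {
        if ($candidate === null || $candidate === '') {
            return $default;
        }
        if (preg_match('/[\x00-\x20\x7f]/', $candidate) === 1) {
            return $default;                       // CR/LF, spaces and other control characters
        }
        if (!str_starts_with($candidate, '/')) {
            return $default;                       // "https://evil.example", "evil.example"
        }
        if (str_starts_with($candidate, '//') || str_starts_with($candidate, '/\\')) {
            return $default;                       // protocol-relative; browsers treat "\" as "/"
        }
        $parts = parse_url($candidate);
        if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
            return $default;
        }

        return $candidate;
    }
}

final class ReturnToListener
{
    private const SESSION_KEY = 'app.saml.return_to';

    #[AsEventListener(RequestEvent::class)]
    public function rememberTarget(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || $request->attributes->get('_route') !== 'saml_login') {
            return;
        }
        $raw = $request->query->get('returnTo');
        // Store the sanitized value only, so nothing untrusted survives into the session.
        $request->getSession()->set(
            self::SESSION_KEY,
            ReturnToValidator::sanitize(\is_string($raw) ? $raw : null)
        );
    }

    #[AsEventListener(LoginSuccessEvent::class)]
    public function redirectToTarget(LoginSuccessEvent $event): void
    {
        $session = $event->getRequest()->getSession();
        $target = $session->get(self::SESSION_KEY);
        $session->remove(self::SESSION_KEY);
        if (\is_string($target)) {
            // Re-validate on the way out so the invariant lives in one place.
            $event->setResponse(new RedirectResponse(ReturnToValidator::sanitize($target)));
        }
    }
}
```

With autoconfiguration enabled the #[AsEventListener] attributes register both methods; no services.yaml entry is needed. The same sanitize() check applies to a post-logout target if one is added.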
After upgrading from Symfony 5.4 to Symfony 6.3, I had to change from hslavich/oneloginsaml-bundle to nbgrp/onelogin-saml-bundle too. Once hslavich/oneloginsaml-bundle was removed, I did a fresh installation of nbgrp/onelogin-saml-bundle.
The routes (like saml_login and saml_acs) couldn't be found.
I added this manually into /config/routes.yaml:

```yaml
nbgrp_onelogin_saml:
    resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
```

I don't know if this is a bug, but it would be helpful to know if it should be working like this. If yes, it would be beneficial to have this in your README.md file (and/or to fix the bug).
We get an error when using an ADFS server as IdP.
Error details: Found invalid data while decoding.
What do we have to configure to get the ADFS server working?
Thanks for your help.
routes.php in this bundle uses hard-coded paths. The bundle configuration allows us to specify an ACS URL, but this doesn't override the default /saml/acs route. I need this to be /saml2. How should I approach this problem?
Edit:
I've worked around the issue by manually defining routes (based on the ones from the bundle). I don't think this is a good solution though. In case routes get added or removed in the future, this would break future updates on my end.

```yaml
saml_metadata:
    path: '/saml/metadata'
    controller: Nbgrp\OneloginSamlBundle\Controller\Metadata
    defaults: {'idp': ~}
saml_acs:
    path: '/saml2' # <--- This is the one I changed.
    controller: Nbgrp\OneloginSamlBundle\Controller\AssertionConsumerService
    defaults: {'idp': ~}
    methods: ['POST']
saml_login:
    path: '/saml/login'
    controller: Nbgrp\OneloginSamlBundle\Controller\Login
    defaults: { 'idp': ~ }
saml_logout:
    path: '/saml/logout'
    controller: Nbgrp\OneloginSamlBundle\Controller\Logout
    defaults: { 'idp': ~ }
```
I'm trying to get a docker network set up with an SP and IdP - my SP is a Symfony 6 app on localhost:8000, and the IdP is a docker image kenchan0130/simplesamlphp:develop - mapped to local-idp.local:4000, which is effectively a wrapper for the SimpleSAMLphp.org codebase configured as an IdP.
When I go to the URL on my SP that is marked as protected, I'm redirected to the IdP login page as expected, but there is no AuthNRequest SAML payload - is this by design?
Got this exception after upgrading my app to SF6 and using this bundle.
Symfony packages are updated and all the recipes too. The old hslavich bundle is removed.

```
The service "security.authenticator.saml.main" has a dependency on a non-existent service "".
```

My security.yaml is like the following, as the exception refers to the authenticator in the "main" firewall:

```yaml
security:
    enable_authenticator_manager: true
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        #users_in_memory: { memory: null }
        saml_provider:
            # Basic provider instantiates a user with default roles
            saml:
                user_class: 'App\Entity\User'
                default_roles: [ 'ROLE_USER' ]
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            lazy: true
            provider: saml_provider
            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall
            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true
            saml:
                ## Match SAML attribute 'uid' with user identifier.
                ## Otherwise, used \OneLogin\Saml2\Auth::getNameId() method by default.
                identifier_attribute: uid
                ## Use the attribute's friendlyName instead of the name.
                use_attribute_friendly_name: false
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout
    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/databases, roles: ROLE_ADMIN }
        #- { path: ^/rooms, roles: ROLE_ADMIN }
        - { path: ^/server, roles: ROLE_ADMIN }
        - { path: ^/audit, roles: ROLE_ADMIN }
        - { path: ^/saml/(metadata|login|acs), roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }
```
Our application is deployed for different clients with different configuration needs (including SSO activation).
There is no configuration attribute to disable the OneLogin Bundle functionalities, so I tried to comment out all configuration from nbgrp_onelogin_saml.yaml and, even if it is not perfect, I can "hide" SSO behaviours this way... except on logout!
The SamlLogoutListener is registered on LogoutEvent.

```php
#[AsEventListener(LogoutEvent::class)]
public function processSingleLogout(LogoutEvent $event): void
{
    $authService = $this->getAuthService($event->getRequest());
    if (!$authService) {
        return;
    }
    $token = $event->getToken();
    if (!$token instanceof SamlToken) {
        return;
    }
    try {
        $authService->processSLO();
    } catch (\OneLogin\Saml2\Error) {
        if (!empty($authService->getSLOurl())) {
            /** @var string|null $sessionIndex */
            $sessionIndex = $token->hasAttribute(SamlAuthenticator::SESSION_INDEX_ATTRIBUTE)
                ? $token->getAttribute(SamlAuthenticator::SESSION_INDEX_ATTRIBUTE)
                : null;
            $authService->logout(null, [], $token->getUserIdentifier(), $sessionIndex);
        }
    }
}
```

And getAuthService throws an exception when there are no services configured! But if we take a look at the processSingleLogout function, there could be a small change in the code that would prevent an unobvious exception, by testing $token before $authService.

```php
#[AsEventListener(LogoutEvent::class)]
public function processSingleLogout(LogoutEvent $event): void
{
    $token = $event->getToken();
    if (!$token instanceof SamlToken) {
        return;
    }
    $authService = $this->getAuthService($event->getRequest());
    if (!$authService) {
        return;
    }
```

What do you think about this change? Could it be implemented in a new version of onelogin-saml-bundle?
And more globally, what do you think about managing an enable/disable attribute in the configuration?
Hello,
I am using onelogin-saml-bundle on Symfony 6.
With Google, everything works fine.
But I have an issue on Microsoft Azure.
When my application launches the connection to Azure, I receive the error AADSTS750055: SAML message was not properly DEFLATE-encoded.
Unlike the Google connection, I think Azure requires the request to the IdP to be encoded and deflated.
But I can't find the right settings to set.
In the Azure XML metadata, I have a digest value and a signature value.
But I don't know where to put them in my bundle setting.
Here is my setting:

```yaml
nbgrp_onelogin_saml:
    onelogin_settings:
        default:
            # Mandatory SAML settings
            idp:
                entityId: "%env(SAML_ENTITY_ID)%"
                singleSignOnService:
                    url: "%env(SAML_SSO_URI)%"
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                x509cert: "%env(SAML_CERT)%"
            sp:
                entityId: "%env(LIGHT__SAML_ENTITY__ID)%"
                assertionConsumerService:
                    url: '%env(LIGHT__SAML_ENTITY__ID)%/saml/acs'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                singleLogoutService:
                    url: '%env(LIGHT__SAML_ENTITY__ID)%/logout'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
            # Optional SAML settings
            baseurl: '%env(LIGHT__SAML_ENTITY__ID)%/saml/'
            strict: true
            debug: true
            security:
                nameIdEncrypted: false
                authnRequestsSigned: false
                logoutRequestSigned: false
                logoutResponseSigned: false
                signMetadata: false
                wantMessagesSigned: false
                wantAssertionsEncrypted: false
                wantAssertionsSigned: false
                wantNameId: false
                wantNameIdEncrypted: false
                requestedAuthnContext: true
                wantXMLValidation: false
                relaxDestinationValidation: false
                destinationStrictlyMatches: true
                allowRepeatAttributeName: false
                rejectUnsolicitedResponsesWithInResponseTo: false
                signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
                digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
                encryption_algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
                lowercaseUrlencoding: false
            compress:
                requests: false
                responses: false
    # Optional parameters
    use_proxy_vars: true
    idp_parameter_name: 'custom-idp'
    entity_manager_name: 'custom-em'
```

Can someone please help me?
Marion
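The AADSTS750055 message refers to the SAML 2.0 HTTP-Redirect binding, which requires the AuthnRequest XML to be DEFLATE-compressed before it is base64- and URL-encoded into the SAMLRequest query parameter. The configuration above sets compress.requests: false, which in php-saml switches that compression off for outgoing requests. The following added example, which is not code from the bundle, from php-saml or from the issue author, encodes a constructed AuthnRequest both ways and decodes it the way a receiving IdP would, so the difference between the two settings is visible; the function names and the sample XML are assumptions.

```php
<?php
// Added example, not bundle or php-saml code: HTTP-Redirect binding encoding of an
// AuthnRequest with and without the DEFLATE step. The XML is a constructed sample
// and the message signature is omitted.
declare(strict_types=1);

const SAMPLE_AUTHN_REQUEST = '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    . ' ID="_constructed-example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>';

/** Builds the query string an SP appends to the IdP's SSO URL. */
function encodeForRedirectBinding(string $xml, bool $deflate = true): string
{
    // With compress.requests: false the SP skips gzdeflate() and sends the raw XML,
    // which is what the HTTP-Redirect binding forbids.
    $payload = $deflate ? gzdeflate($xml, 9) : $xml;

    return http_build_query(['SAMLRequest' => base64_encode($payload)]);
}

/** Emulates the receiving side: returns the XML, or throws when the payload is not DEFLATE data. */
function decodeRedirectBinding(string $query): string
{
    parse_str($query, $params);
    $raw = base64_decode((string) ($params['SAMLRequest'] ?? ''), true);
    if ($raw === false) {
        throw new RuntimeException('SAMLRequest is not valid base64');
    }
    $xml = @gzinflate($raw);          // plain XML is not a valid raw DEFLATE stream
    if ($xml === false) {
        throw new RuntimeException('SAML message was not properly DEFLATE-encoded');
    }

    return $xml;
}

$deflated = encodeForRedirectBinding(SAMPLE_AUTHN_REQUEST, true);
printf(
    "deflated:   %d query bytes, round-trips: %s\n",
    strlen($deflated),
    var_export(decodeRedirectBinding($deflated) === SAMPLE_AUTHN_REQUEST, true)
);

try {
    decodeRedirectBinding(encodeForRedirectBinding(SAMPLE_AUTHN_REQUEST, false));
} catch (RuntimeException $e) {
    printf("undeflated: rejected (%s)\n", $e->getMessage());
}
```

Run it with `php redirect-binding.php`. The deflated form is the one every spec-conformant IdP accepts on the HTTP-Redirect binding; in the bundle's settings that corresponds to `compress.requests: true`. The digest and signature values in the Azure metadata belong to the IdP's own signing certificate and are not something the SP configures; what the SP needs from that metadata is the certificate itself (idp.x509cert).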
Hi,
I'm using nbgrp/onelogin-saml-bundle with multiple IdPs.
Users are mapped and logged in by email.
I would like to restrict sign in and login only to emails like "@company-idp-name.com".
Could you please help me to do this?
Thanks
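One way to enforce such a restriction is to reject the passport before the user is loaded or created, so that no entity is ever persisted for an identifier outside the allowed domains. The following is an added example, not code from the bundle or from the issue author: a listener on Symfony's CheckPassportEvent that reads the identifier from the UserBadge and throws when its domain is not in an allowlist. It assumes identifier_attribute is the e-mail attribute, as in the post; the domain list and the class name are constructed.

```php
<?php
// Added example (not the bundle's code): refuse SAML logins whose identifier is not an
// e-mail in an allowlisted domain. Assumes the identifier is the e-mail attribute.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Event\CheckPassportEvent;

final class AllowedDomainListener
{
    /** @param list<string> $allowedDomains domains to accept, compared case-insensitively (constructed default) */
    public function __construct(
        private array $allowedDomains = ['company-idp-name.com'],
    ) {
    }

    /** Pure check, kept separate so it can be unit-tested without the security stack. */
    public static function isAllowed(string $identifier, array $allowedDomains): bool
    {
        $at = strrpos($identifier, '@');
        if ($at === false || $at === 0 || $at === \strlen($identifier) - 1) {
            return false;                                  // not an e-mail address at all
        }
        $domain = strtolower(substr($identifier, $at + 1));

        // Exact match only: "evil-company-idp-name.com" and "company-idp-name.com.evil"
        // both fail, which a substring or str_ends_with() test would not guarantee.
        return \in_array($domain, array_map('strtolower', $allowedDomains), true);
    }

    // Higher priority than Symfony's own passport listeners, so the rejection happens
    // before the user provider or user factory is asked to resolve the identifier.
    #[AsEventListener(CheckPassportEvent::class, priority: 512)]
    public function onCheckPassport(CheckPassportEvent $event): void
    {
        $badge = $event->getPassport()->getBadge(UserBadge::class);
        if (!$badge instanceof UserBadge
            || !self::isAllowed($badge->getUserIdentifier(), $this->allowedDomains)) {
            throw new CustomUserMessageAuthenticationException(
                'Sign-in is restricted to company accounts.'
            );
        }
    }
}
```

The allowlist can be wired from the environment in services.yaml, for instance with Symfony's `csv:` env processor (`arguments: ['%env(csv:SAML_ALLOWED_DOMAINS)%']`). The listener fires for every authenticator on the application; where other login mechanisms share the same app, narrow it by checking the firewall or authenticator the event carries.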
I have a Symfony 6.4 container and a boxy/mock-saml container configured in a docker compose file. I believe I have everything connected / configured properly - the containers start up, and when I go to the app home page (localhost:8000) I am redirected to the SAML container's login (localhost:4000).
The Attributes configured in the AttributeStatement of the SAML data are minimal - id, email, firstName, lastName - and I updated the security.yaml to use the id as the identifier:

```yaml
security:
    firewalls:
        main:
            provider: saml_provider
            saml:
                identifier_attribute: id
```

However, after logging in to the SAML container, I'm redirected back to the app container on 8000, but an error is thrown saying that the id attribute cannot be found:

```
RuntimeException:
Attribute "id" not found in SAML data.
at vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:198
at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->extractIdentifier()
(vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:145)
at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->createPassport()
(vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php:96)
at Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator->authenticate()
(vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticator.php:70)
at Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator->authenticate()
(vendor/symfony/security-http/Authentication/AuthenticatorManager.php:176)
at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticator()
(vendor/symfony/security-http/Authentication/AuthenticatorManager.php:158)
at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticators()
(vendor/symfony/security-http/Authentication/AuthenticatorManager.php:140)
at Symfony\Component\Security\Http\Authentication\AuthenticatorManager->authenticateRequest()
(vendor/symfony/security-http/Firewall/AuthenticatorManagerListener.php:40)
at Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener->authenticate()
(vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticatorManagerListener.php:68)
at Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener->authenticate()
(vendor/symfony/security-bundle/Debug/WrappedLazyListener.php:46)
at Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate()
(vendor/symfony/security-http/Firewall/AbstractListener.php:26)
at Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke()
(vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php:83)
at Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners()
(vendor/symfony/security-http/Firewall.php:95)
at Symfony\Component\Security\Http\Firewall->onKernelRequest()
(vendor/symfony/event-dispatcher/Debug/WrappedListener.php:116)
at Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke()
(vendor/symfony/event-dispatcher/EventDispatcher.php:220)
at Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
(vendor/symfony/event-dispatcher/EventDispatcher.php:56)
at Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
(vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:139)
at Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch()
(vendor/symfony/http-kernel/HttpKernel.php:157)
at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
(vendor/symfony/http-kernel/HttpKernel.php:76)
at Symfony\Component\HttpKernel\HttpKernel->handle()
(vendor/symfony/http-kernel/Kernel.php:197)
at Symfony\Component\HttpKernel\Kernel->handle()
(vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35)
at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
(vendor/autoload_runtime.php:29)
at require_once('/var/www/html/vendor/autoload_runtime.php')
(public/index.php:5)
```

But inspecting the SAML data with the Chrome extension clearly shows the id attribute present:
Thoughts? Workarounds?
(Is there something broken with that SAML XML structure?)
Hello,
I am setting up SAML authentication in my Symfony application using the bundle. However, I need to configure the IDP dynamically based on the user's domain when logging in.
Currently, it seems that the bundle does not support this functionality, as the IDP configuration is defined in the config/packages/nbgrp_onelogin_saml.yaml configuration file that is loaded during initialization.
Is there another way to do this with the current bundle? Is there a function to inject a custom config?
Thank you in advance for your help.
Hello,
I have found a problem with the config file of this library.
The "binding" parameters don't seem to allow environment variables.
Example:

```yaml
nbgrp_onelogin_saml:
    use_proxy_vars: true
    onelogin_settings:
        default:
            # Basic settings
            idp:
                entityId: "%env(SAML_IDP_ENTITY_ID)%"
                singleSignOnService:
                    url: "%env(SAML_SINGLE_SIGN_ON_SERVICE_URL)%"
                    binding: "%env(SAML_SINGLE_SIGN_ON_SERVICE_BINDING)%"
```

The error we encounter:

```
Invalid configuration for path "nbgrp_onelogin_saml.onelogin_settings.default.idp.singleSignOnService.binding": invalid value.
```

How I fixed this error:

```yaml
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
```

This behavior is managed in src/DependencyInjection/Configuration.php:

```php
->scalarNode('binding')
    ->validate()
        ->ifTrue(static fn ($value): bool => !str_starts_with($value, 'urn:oasis:names:tc:SAML:2.0:bindings:'))
        ->thenInvalid('invalid value.')
    ->end()
->end()
```

It seems like this value "%env()%" is not replaced before the call of the validate() method.
Is it really mandatory to have this verification or is there another way to achieve the desired result?
Thanks.
Configuration:
PHP: 8.1.8
Symfony: 6.2
Nbgrp_login_saml: 1.3.2
I'm using WordPress as IdP.
The free version of the WP plugin (https://de.wordpress.org/plugins/miniorange-wp-as-saml-idp/) does not set any attributes.
The only property which is set in the response is in saml:Subject.
This value exists in OneLogin\Saml2\Auth $nameId; SamlAuthenticator can access this property.
But I don't see a way to inject that property into the UserEntity.
SamlAuthenticator cannot be replaced via DI, and there is no Event.
Am I missing something? Is there a little hack?
By the way...
As I can see, Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\SamlAuthenticator::extractIdentifier() would return exactly this value if identifier_attribute is not set in options.
Problem: as I can see, it's not possible to delete "identifier_attribute" from $this->options via YAML. It's not possible to delete / unset keys with YAML.
Hi and thanks for your work on this bundle!
I'm currently in the process of integrating it inside a new Symfony site.
In my use-case I don't want the user provider to create users on SAML success, but rather:
I used to use aerialship/saml-sp-bundle which had a handy UserManagerInterface with loadUserBySamlInfo(SamlSpInfo $samlInfo): UserInterface. The user provider could implement this interface, and that method would be called on SAML auth success. See the docs for a few more details.
Note: it also has a createUserFromSamlInfo(SamlSpInfo $samlInfo): UserInterface but I'm currently not interested in this feature.
Is something similar currently possible (maybe listening to an event)?
If not, do you think it could improve the bundle?
Thanks!
Hello !
First of all, thank you very much for your work!
In my app I need to use multiple IdP settings, but I don't want to specify which one to use; I want that to be the role of the IdP (Azure in my case).
My use case is:
The user comes to my app, he's redirected to login.microsoftonline.com, where he can connect with his e-mail address, then Microsoft redirects him to his specific tenant according to his e-mail.
Once he is logged in to Azure, it knows where to redirect him as I have configured it in each of my tenants (https://my-idp.com/acs?idp=correct-idp).
I don't think this is possible in the current state of your bundle, am I wrong? It takes the default IDP setting if we do not specify which IDP setting to use when sending the first login request.
I tried with a Listener and a Subscriber, but although DeferredUserListener is calling dispatch, nothing is kicking in.

```yaml
# service.yaml
App\EventListener\SamlUserCreatedListener:
    tags:
        - { name: kernel.event_listener, event: 'Nbgrp\OneloginSamlBundle\Event\UserCreatedEvent', method: onSamlUserCreated }
```

Subscriber:

```php
class CustomEventSubscriber implements EventSubscriberInterface
{
    public function __construct(private LoggerInterface $logger)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // return the subscribed events, their methods and priorities
        return [
            UserCreatedEvent::class => 'onCreated',
        ];
    }

    public function onCreated(UserCreatedEvent $event)
    {
        $this->logger->info($event->getUser()->getUserIdentifier());
    }
}
```

Not called listeners:

```
Nbgrp\OneloginSamlBundle\Event\UserCreatedEvent
--
0     | "App\EventListener\SamlUserCreatedListener::onSamlUserCreated(UserCreatedEvent $event)"
-1000 | "App\EventSubscriber\CustomEventSubscriber::onCreated(UserCreatedEvent $event)"
```
Hello !
I'm having an issue where each time I log into my application, a new entity is created, and I would like to know how I can have just one user entity related to the identifier please.
For example, if I log in with the same credentials twice, then I'll have 2 entities of the same user in my database, though I'd like to only have one (that's the point).
If someone can help, thank you a lot in advance!
Hello,
Thanks for your work!
I need to specify the value 'urn:federation:authentication:windows' for the requestedAuthnContext configuration, but there is a configuration check which does not permit using anything different from 'urn:oasis:names:tc:SAML:2.0:ac:classes:' (Configuration.php, line 169).
Why (it does not appear that the php-saml lib is so restricted)?
How can I fix this?

```php
->variableNode('requestedAuthnContext')
    ->validate()
        ->ifTrue(static fn ($value) => !(\is_bool($value) || \is_array($value)))
        ->thenInvalid('must be an array or a boolean.')
    ->end()
    ->validate()
        ->ifTrue(static fn ($value) => \is_array($value) && array_filter($value, static fn ($item): bool => !str_starts_with($item, 'urn:oasis:names:tc:SAML:2.0:ac:classes:')))
        ->thenInvalid('invalid value.')
    ->end()
->end()
```

Thanks for your reply.
N.B.: using the last release version (1.3.2)
Using the current Symfony 6.2 release, I get the following deprecation warning:

```
The "Nbgrp\OneloginSamlBundle\Onelogin\AuthArgumentResolver" class implements "Symfony\Component\HttpKernel\Controller\ArgumentValueResolverInterface" that is deprecated since Symfony 6.2, implement ValueResolverInterface instead.
```

I would appreciate it if you would fix this. Thank you.
I'm trying to get a docker network set up with an SP and IdP - my SP is a Symfony 6 app on localhost:8000, and the IdP is a docker image kenchan0130/simplesamlphp:develop - mapped to local-idp.local:4000, which is effectively a wrapper for the SimpleSAMLphp.org codebase configured as an IdP.
I believe I have everything set up properly - the SP's nbgrp_onelogin_saml.yaml is pretty much boilerplate with the IdP's domains as below:

```yaml
default:
    # Mandatory SAML settings
    idp:
        entityId: 'http://local-idp.local:4000/simplesaml/shib13/idp/metadata.php'
        singleSignOnService:
            url: "http://local-idp.local:4000/simplesaml/saml2/idp/SSOService.php?spentityid=http://localhost:8000/saml/metadata"
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        singleLogoutService:
            url: 'http://local-idp.local:4000/simplesaml/saml2/idp/SingleLogoutService.php'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        x509cert: 'MIIDb...'
    sp:
        entityId: 'http://localhost:8000/saml/metadata' # Default: '<request_scheme_and_host>/saml/metadata'
        assertionConsumerService:
            url: 'http://localhost:8000/saml/acs' # Default: '<request_scheme_and_host>/saml/acs'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
        singleLogoutService:
            url: 'http://localhost:8000/saml/logout' # Default: '<request_scheme_and_host>/saml/logout'
            binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
        privateKey: 'MIIEv...'
    # Optional SAML settings
```

The sp.privateKey and idp.x509cert values are directly out of the certificates in the IdP image.
This more or less works as expected - I have the /admin path set up to be SSO log in only in config/security.yaml, and if I go to localhost:8000/admin, I am redirected to the IdP site. I log in with the credentials set in the authsources.php file in the IdP config per the SimpleSaml docs, and am redirected back to the SP with a SAML payload, including the matching x509 cert value.
But when I get back to the SP, I get an 'authentication failed' exception error:

```
RuntimeException:
The authentication failed.
at vendor/nbgrp/onelogin-saml-bundle/src/Controller/Login.php:45
at Nbgrp\OneloginSamlBundle\Controller\Login->__invoke()
(vendor/symfony/http-kernel/HttpKernel.php:181)
at Symfony\Component\HttpKernel\HttpKernel->handleRaw()
(vendor/symfony/http-kernel/HttpKernel.php:76)
at Symfony\Component\HttpKernel\HttpKernel->handle()
(vendor/symfony/http-kernel/Kernel.php:197)
at Symfony\Component\HttpKernel\Kernel->handle()
(vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35)
at Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run()
(vendor/autoload_runtime.php:29)
at require_once('/var/www/html/vendor/autoload_runtime.php')
(public/index.php:5)
```

Thoughts? Happy to post more of the config or SAML payload if that's helpful.
Thx!
As this is mentioned to be for Symfony 6 and newer?
Maybe just create a pre-release where the composer constraints are updated, so people can test for themselves whether this works?
Hi,
It seems that the <request_scheme_and_host> variable is not compliant with the "x-forwarded-prefix" proxy header.
Is it possible to implement it? <request_scheme_and_host> is a must-have.
Thanks