This package allows you to implement your own Identification Provider (idP) using the SAML 2.0 standard to be used with supporting SAML 2.0 Service Providers (SP).
Require this package with composer:
composer require codegreencreative/laravel-samlidpPublish config
php artisan vendor:publish --tag="samlidp_config"FileSystem configuration
// config/filesystem.php
'disks' => [
...
'samlidp' => [
'driver' => 'local',
'root' => storage_path() . '/samlidp',
]
],Use the following command to create a self signed certificate for your IdP. If you change the certname or keyname to anything other than the default names, you will need to update your config/samlidp.php config file to reflect those new file names.
php artisan samlidp:cert [--days <days> --keyname <name> --certname <name>]Options:
--days=<days> Days to add for the expiration date [default: 7800]
--keyname=<name> Name of the certificate key file [default: key.pem]
--certname=<name> Name of the certificate file [default: cert.pem]Within your login view, probably resources/views/auth/login.blade.php add the SAMLRequest directive beneath the CSRF directive:
@csrf
@samlidpThe SAMLRequest directive will fill out the hidden input automatically when a SAMLRequest is sent by an HTTP request and therefore initiate a SAML authentication attempt. To initiate the SAML auth, the login and redirect processes need to be intervened. This is done using the Laravel events fired upon authentication.
After you publish the config file, you will need to set up your Service Providers. The key for the Service Provider is a base 64 encoded Consumer Service (ACS) URL. You can get this information from your Service Provider, but you will need to base 64 encode the URL and place it in your config. This is due to config dot notation.
You may use this command to help generate a new SAML Service Provider:
php artisan samlidp:spExample SP in config/samlidp.php file:
<?php
return [
// The URI to your login page
'login_uri' => 'login',
// The URI to the saml metadata file, this describes your idP
'issuer_uri' => 'saml/metadata',
// List of all Service Providers
'sp' => [
// Base64 encoded ACS URL
'aHR0cHM6Ly9teWZhY2Vib29rd29ya3BsYWNlLmZhY2Vib29rLmNvbS93b3JrL3NhbWwucGhw' => [
// ACS URL of the Service Provider
'destination' => 'https://example.com/saml/acs',
// Simple Logout URL of the Service Provider
'logout' => 'https://example.com/saml/sls',
]
]
];Service providers may require more additional attributes to be sent via assertion. Its even possible that they require the same information but as a different Claim Type.
By Default this package will send the following Claim Types:
ClaimTypes::EMAIL_ADDRESS as auth()->user()->email
ClaimTypes::GIVEN_NAME as auth()->user()->name
This is because Laravel migrations, by default, only supply email and name fields that are usable by SAML 2.0.
To add additional Claim Types, you can subscribe to the Assertion event:
CodeGreenCreative\SamlIdp\Events\Assertion
Sample Listener:
<?php
namespace App\Listeners;
use LightSaml\ClaimTypes;
use LightSaml\Model\Assertion\Attribute;
use CodeGreenCreative\SamlIdp\Events\Assertion;
class SamlAssertionAttributes
{
public function handle(Assertion $event)
{
$event->attribute_statement
->addAttribute(new Attribute(ClaimTypes::PPID, auth()->user()->id))
->addAttribute(new Attribute(ClaimTypes::NAME, auth()->user()->name));
}
}