SAML bundle for gateway, self-service, and ra

Overview

SURFnet SamlBundle

A bundle that adds SAML capabilities to your application using simplesamlphp/saml2

Developed as part of the SURFnet Stepup Gateway

Installation

  • Add the package to your Composer file
    composer require surfnet/stepup-saml-bundle

How to install with SF4.3+

  1. Require the bundle in the composer.json (version 4.1.9 or higher)
  2. Enable the bundle in config/bundles.php by adding this entry to the return statement: Surfnet\SamlBundle\SurfnetSamlBundle::class => ['all' => true],
  3. Specify the bundle configuration in config/packages/surfnet_saml.yml, consult the configuration section below for available options.

On top of that, you should explicitly configure the Twig templating engine:

In config/packages/framework.yaml add:

framework:
    templating:
        engines:
            - twig

Configuration

surfnet_saml:
    hosted:
        attribute_dictionary:
            ignore_unknown_attributes: false
        service_provider:
            enabled: true
            assertion_consumer_route: name_of_the_route_of_the_assertion_consumer_url
            public_key: %surfnet_saml_sp_publickey%
            private_key: %surfnet_saml_sp_privatekey%
        identity_provider:
            enabled: true
            service_provider_repository: service.name.of.entity_repository
            sso_route: name_of_the_route_of_the_single_sign_on_url
            public_key: %surfnet_saml_idp_publickey%
            private_key: %surfnet_saml_idp_privatekey%
        metadata:
            entity_id_route: name_of_the_route_of_metadata_url
            public_key: %surfnet_saml_metadata_publickey%
            private_key: %surfnet_saml_metadata_privatekey%
    remote:
        identity_provider:
            enabled: true
            entity_id: %surfnet_saml_remote_idp_entity_id%
            sso_url: %surfnet_saml_remote_idp_sso_url%
            certificate: %surfnet_saml_remote_idp_certificate%
        service_providers:
            - entity_id: "%surfnet_saml_remote_sp_entity_id%"
              certificate_file: "%surfnet_saml_remote_sp_certificate%"
              assertion_consumer_service_url: "%surfnet_saml_remote_sp_acs%"            

The hosted: configuration lists the configuration for the services (SP, IdP or both) that your application offers. SP and IdP functionality can be turned on and off individually through the respective enabled flags.

The remote: configuration lists, if enabled, the configuration for one or more remote service providers and identity providers to connect to. If your application authenticates with a single identity provider, you can use the identity_provider: option as shown above. The identity provider can be accessed at runtime using the @surfnet_saml.remote.idp service.

If your application authenticates with more than one identity provider, you can omit the identity_provider: key from the configuration and list all identity providers under identity_providers:. The identity providers can be accessed using the @surfnet_saml.remote.identity_providers service.

    remote:
        identity_providers:
            -  enabled: true
               entity_id: %surfnet_saml_remote_idp_entity_id%
               sso_url: %surfnet_saml_remote_idp_sso_url%
               certificate: %surfnet_saml_remote_idp_certificate%

The inlined certificate in the last line can be replaced with certificate_file, a filesystem path to a file that contains said certificate. The various publickey and privatekey variables are the contents of the key in a single line, without the certificate (etc.) delimiters. Using parameters as listed above is highly recommended so that the actual key contents can be kept out of the configuration files (using, for instance, a local parameters.yml file).

The service_provider_repository is a repository of service providers for which you offer IdP services. The service configured must implement the Surfnet\SamlBundle\Entity\ServiceProviderRepository interface.

Service providers can be provided statically by using the remote.service_providers configuration option. To use these configured service providers keep in mind that you need to assign surfnet_saml.remote.service_providers as service_provider_repository.

Example Usage

Metadata Publishing

<?php

namespace Acme\SamlBundle;

use Surfnet\SamlBundle\Http\XMLResponse;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class MetadataController extends Controller
{
    // Publishes the SAML metadata of this application as an XML response.
    public function metadataAction(Request $request)
    {
        /** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $metadataFactory */
        $metadataFactory = $this->get('surfnet_saml.metadata_factory');

        // Generate the metadata document and wrap it in an XML response.
        return new XMLResponse($metadataFactory->generate());
    }
}

See more examples in EXAMPLES.md.

Release strategy

CHANGELOG.md

Please read: https://github.com/OpenConext/Stepup-Deploy/wiki/Release-Management for more information on the release strategy used in Stepup projects.

UPGRADING.md

When introducing changes that break backwards compatibility in the bundle, please update the UPGRADING.md file to instruct users how to deal with these changes. This makes upgrading as painless as possible.

Comments
  • Docs on IdP setup?

    Hey -

    I'm working on setting up my project to act as an IdP. I have it currently almost setup just using the simplesamlphp library, however it looks like this would provide a cleaner integration into my project.

    A few questions -

    • What are the metadata keys for?
    • for the SSO route where should that point/do you have an example of the controller?

    If I understand this should allow me to do the following more or less:

    1. Setup my symfony2 project as an IdP. I currently use FOSUserBundle.
    2. When an external SP pings my service it'd all go through the Symfony2 application, if the user isn't logged in, it'll take them to the login page and then when they've logged in resume the sign on process.

    Just am curious on the steps/setup for this. If this doesn't work like I described above please let me know how it does work.

    I figured if I can get this fully managed inside the Symfony app that'd be better than the final step I'm on with the non-bundled version. I'm currently at the point I'd just need to write a custom session handler to get the session data from the database and integrated with Symfony's PDOSessionHandler.

    Thanks!

    opened by daum 15
  • Remove Multiplicity from AttributeDefinition

    The SAML2 specification does not make any mention of multiplicity. Furthermore the functionality was used sparsely if at all and should not have been relied on as it was configuration based, which could have changed causing a BC break in and of itself as an Attribute could suddenly cause exceptions to be thrown when configuration changed or was overridden.

    opened by DRvanR 8
  • Updates SAML attribute definitions to be used by dictionary

    Part of (preparations for) ticket 106955902

    Done:

    • Add known URNs
    • Missing URNs are set to null.
    • Add logic to allow null URNs
    • Move logic to responsible classes
    opened by arothuis 7
  • Make authentication context an array, parity with getter

    When setting the AuthnContextClassRef, accept an array. This creates parity with the getter, which also returns an array. This also fixes the RA, which set an authn context array($requiredLoa). It is the only place where setAuthenticationContext() is used afaik.

    opened by rjkip 7
  • Add support for Symfony 4.3

    • Add symfony/phpunit-bridge to make sure we are not using deprecated dependencies
    • Add extra CI run for SF 4 with php 7.2

    https://www.pivotaltracker.com/story/show/167697164

    opened by epinxteren 6
  • Bugfix: signature verification with different query encoding

    136419577

    If the SP sends a SAMLRequest that is encoded differently as query parameters than PHP's standard way of encoding (http_build_query), signature verification should not break.

    The spec states:

    (...) [N]ote that URL-encoding is not canonical; that is, there are multiple legal encodings for a given value. The relying party MUST therefore perform the verification step using the original URL-encoded values it received on the query string. It is not sufficient to re-encode the parameters after they have been processed by software because the resulting encoding may not match the signer's encoding.

    For further reference, see: Oasis Standard regarding SAML Bindings, 15 March 2005, page 18, line 620

    We were re-encoding the query string, but we should rely on the encoding given.

    bug enhancement review 
    opened by arothuis 6
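
An added example (not the bundle's own code) of the rule quoted in the pull request above: the signature on an HTTP-Redirect message is verified over the URL-encoded values exactly as received, and the same query fails once it is decoded and re-encoded. The function names, the sample parameter values and the throwaway key are constructed for illustration.

```php
<?php
declare(strict_types=1);

const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

/**
 * Rebuild the octets covered by a redirect-binding signature from the query
 * string as received: SAMLRequest, optional RelayState, SigAlg, each left in
 * the sender's own URL-encoding. Returns [signed octets, SigAlg, signature].
 */
function signedQueryFromRaw(string $rawQuery): array
{
    $raw = [];
    foreach (explode('&', $rawQuery) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (isset($raw[$name])) {
            // Hardening choice of this example: refuse ambiguous input.
            throw new InvalidArgumentException("Duplicate parameter: $name");
        }
        $raw[$name] = $value; // still URL-encoded
    }
    foreach (['SAMLRequest', 'SigAlg', 'Signature'] as $required) {
        if (($raw[$required] ?? '') === '') {
            throw new InvalidArgumentException("Missing parameter: $required");
        }
    }
    $signed = 'SAMLRequest=' . $raw['SAMLRequest']
        . (isset($raw['RelayState']) ? '&RelayState=' . $raw['RelayState'] : '')
        . '&SigAlg=' . $raw['SigAlg'];

    // Strict decoding: base64_decode() gives false on bad input, '' on empty input.
    $signature = base64_decode(urldecode($raw['Signature']), true);
    if ($signature === false || $signature === '') {
        throw new InvalidArgumentException('Signature is not valid base64');
    }
    return [$signed, urldecode($raw['SigAlg']), $signature];
}

function verifyRedirectSignature(string $rawQuery, string $publicKeyPem): bool
{
    [$signed, $sigAlg, $signature] = signedQueryFromRaw($rawQuery);
    if ($sigAlg !== RSA_SHA256) {
        return false; // the verifier, not the message, decides which algorithms are accepted
    }
    return openssl_verify($signed, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a throwaway key and a query that percent-encodes with lowercase hex.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicKeyPem = openssl_pkey_get_details($key)['key'];
$signedPart = 'SAMLRequest=fZJ%2bT8Mw&RelayState=a%2fb&SigAlg=' . strtolower(rawurlencode(RSA_SHA256));
openssl_sign($signedPart, $sig, $key, OPENSSL_ALGO_SHA256);
$rawQuery = $signedPart . '&Signature=' . rawurlencode(base64_encode($sig));

// Verification over the octets as received.
var_dump(verifyRedirectSignature($rawQuery, $publicKeyPem));

// Decode, then re-encode with http_build_query(): it emits uppercase hex (%2B, %2F), so the signed octets change.
parse_str($rawQuery, $decoded);
var_dump(verifyRedirectSignature(http_build_query($decoded), $publicKeyPem));
```

Run it with the PHP CLI and the openssl extension enabled: the first call reports true and the second false, although both queries decode to the same parameter values.
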
  • Enable debug logging of signature verification

    This is a request from @pmeulen so that debugging is easier when Response signature verification fails.

    • [ ] Inject the logger rather than pass in method call.
    opened by DRvanR 6
  • Why does HostedEntities::generateUrl reset the request context?

    At https://github.com/SURFnet/Stepup-saml-bundle/blob/develop/src/Entity/HostedEntities.php#L141. This prevents me from setting a custom host on the request context.

    Introduced by https://github.com/SURFnet/Stepup-saml-bundle/commit/f9852abf656b76e5cf520b3e7c4d3c255fc38ea5.

    question 
    opened by ddeboer 5
  • Fix AuthnRequest->isSigned()

    When $signature in AuthnRequest::create is "" or null, base64_decode will return an empty string. In addition, whenever the decoding fails, base64_decode will return false. After applying this patch, these cases are handled properly.

    opened by cb8 5
  • Feature/find definition by urn

    Ticket 107032674

    • Upgrades the AttributeDictionary to allow finding Definitions by URN
    • Upgrades the AttributeAdapter to allow returning a set of Attributes (an AttributeSet), containing name and URN representations of the attribute and its values
    opened by arothuis 5
  • Symfony 3 support

    I'd like to use this bundle in a Symfony 3 project, this PR will be an attempt to support Symfony 3. I need to time box it however so I can't guarantee it will work.

    opened by lucasvanlierop 4
Releases(4.4.0)
  • 4.4.0(May 9, 2022)

    • Include SP certificate in generated metadata when present #104
    • Add eduId and surf-crm-id to attribute dictionary
    • Add two code examples in the file EXAMPLES.md
  • 4.3.3(Feb 10, 2022)

    What's Changed

    • Add internal-collabPersonId to attribute dictionary by @MKodde in https://github.com/OpenConext/Stepup-saml-bundle/pull/111

    Full Changelog: https://github.com/OpenConext/Stepup-saml-bundle/compare/4.3.2...4.3.3

  • 4.3.2(Nov 23, 2021)

    What's Changed

    • Secure the way the verifySignature method is used by @MKodde in https://github.com/OpenConext/Stepup-saml-bundle/pull/104

    Full Changelog: https://github.com/OpenConext/Stepup-saml-bundle/compare/4.3.1...4.3.2

  • 4.3.1(Nov 23, 2021)

  • 4.3.0(Sep 23, 2021)

  • 4.1.11(Mar 17, 2020)

  • 4.1.10(Feb 20, 2020)

  • 4.1.9(Nov 19, 2019)

  • 4.1.8(Nov 6, 2019)

    This is a security release that will harden the application against CVE 2019-3465

    • Force upgrade of xmlseclibs to version 3.0.4 #90
    • Enable ant on Travis builds #91
  • 4.1.5(Jul 9, 2019)

  • 4.1.4(May 28, 2019)

    • Add WantAuthnRequestsSigned="true" to the IDPSSODescriptor in the Metadata #87
    • Add knowledge about attribute eduPersonScopedAffiliation #84
  • 4.1.3(Feb 21, 2019)

  • 4.0.0(Mar 21, 2018)

    This release makes error reporting more specific. This release changed the API of the ReceivedAuthnRequestQueryString::getSignatureAlgorithm method, which now returns the signature algorithm URL-decoded. Any code using this method should be updated by removing the url_decode call to prevent double decoding of the sigalg value.

    New features

    • Throw specific exceptions on signature errors #78
  • 3.0.1(Mar 8, 2018)

  • 3.0.0(Jan 17, 2018)

    This release includes all prior changes but adds support for version 3 of the SimpleSamlPHP SAML2 library. The most notable changes include:

    • Support for older PHP versions has been dropped (PHP 5.5 & 5.4).
    • The PSR2 namespace update applied in version 2.0.0 of the SAML2 library was applied.
    • The \SAML2\XML\saml\NameID change introduced in version 3 of the SAML 2 library was applied.
  • 3.0.0-rc3(Jan 16, 2018)

  • 2.11.2(Jan 9, 2018)

  • 2.11.1(Nov 30, 2017)

  • 2.11.0(Nov 22, 2017)

  • 2.10.0(Nov 17, 2017)

    Prior to this change a SAML assertion could fail when the IdP returned unknown attributes. This led to an unhandled exception, which resulted in an application/PHP error.

    By enabling the configuration directive "ignore_unknown_attributes" in the hosted->attribute_dictionary, unknown attributes are ignored. The SAML assertion will continue and only the values of the known attributes are available. See README.md for the configuration details. The configuration defaults to the previous behavior in which an assertion fails when encountering an unknown SAML attribute.

  • 2.7.0(Feb 20, 2017)

    This release:

    • fixes strict HTTP parameter encoding scheme, allowing encodings other than PHP's default, preventing encoding issues when verifying signatures
    • introduces the concept of a received AuthnRequest
    • updates the RedirectBinding and SignatureVerifier APIs with methods for dealing with received AuthnRequests and their (HTTP) query strings
  • 2.7.0-beta(Jan 12, 2017)

    This release:

    • fixes strict HTTP parameter encoding scheme, allowing encodings other than PHP's default, preventing encoding issues when verifying signatures
    • introduces the concept of a received AuthnRequest
    • updates the RedirectBinding and SignatureVerifier APIs with methods for dealing with received AuthnRequests and their (HTTP) query strings

    The beta suffix has been added because some changes still require more extensive review. This release is to be regarded unstable.

    This release has not been created with RMT in order to add the 'beta' suffix

  • 0.2.0(Feb 27, 2015)

    • Fixed Signing of metadata to use SHA256 as signature algorithm
    • Updated SAML2 lib to point to fork that includes Subject support in AuthnRequest (to be made available upstream later)
    • Some small stylistic changes
    • Minor fix for an error that did not trigger a bug
Owner
OpenConext