This page is still under development
Overview
OneLogin's SAML PHP toolkit lets you build an SP (Service Provider) on top of your PHP application and connect it to any IdP (Identity Provider).
Supports:
- SSO and SLO (SP-Initiated and IdP-Initiated).
- Assertion and nameId encryption.
- Assertion signature.
- Message signature: AuthNRequest, LogoutRequest, LogoutResponses.
- Enable an Assertion Consumer Service endpoint.
- Enable a Single Logout Service endpoint.
- Publish the SP metadata (which can be signed).
Key features:
- saml2int - Implements the SAML 2.0 Web Browser SSO Profile.
- Session-less - Forget the usual conflicts between the SP and the final app: the toolkit delegates session handling to the final app.
- Easy to use - Two easy-to-use APIs are available, so the programmer can work at either a high or a low level.
- Tested - Thoroughly tested.
- Popular - OneLogin's customers use it. Many PHP SAML plugins use it.
Up-to-date information and general implementation guides can be found in the onelogin/php-saml GitHub repo.
Installation
Option 1. Download from GitHub
The toolkit is hosted on GitHub. You can download it from the onelogin/php-saml repository; search for 3.X.X releases.
Copy the core of the library into your PHP application (each application has its own structure, so take the time to place the PHP SAML toolkit where it fits best). See the "Guide to add SAML support to my app" to learn how.
Option 2. Composer
The toolkit supports Composer. You can find the onelogin/php-saml package at https://packagist.org/packages/onelogin/php-saml
Configuration
OneLogin's PHP Toolkit allows you to provide the settings info in 2 ways:
- Use a settings.php file located at the base folder of the toolkit.
- Use an array with the setting data.
<?php
// Define the base URL once so it can be reused for the SP endpoint URLs below
// (the original snippet referenced $baseurl without ever assigning it).
$baseurl = 'http://example.rit.edu/app';

$settings = array(
    // If 'strict' is true, then the PHP Toolkit will reject unsigned
    // or unencrypted messages if it expects them to be signed or encrypted.
    // Also it will reject the messages if the SAML standard is not strictly
    // followed: Destination, NameId, Conditions ... are validated too.
    'strict' => true,

    // Enable debug mode (to print errors).
    'debug' => false,

    // Set a BaseURL to be used instead of trying to guess
    // the BaseURL of the view that processes the SAML Message.
    // Ex http://example.rit.edu/app
    'baseurl' => $baseurl,

    // Service Provider Data that we are deploying.
    'sp' => array(
        // Identifier of the SP entity (must be a URI)
        'entityId' => $baseurl . '/sp',
        // Specifies info about where and how the <AuthnResponse> message MUST be
        // returned to the requester, in this case our SP.
        'assertionConsumerService' => array(
            // URL Location where the <Response> from the IdP will be returned
            'url' => $baseurl . '/consume.php',
            // SAML protocol binding to be used when returning the <Response>
            // message. OneLogin Toolkit supports this endpoint for the
            // HTTP-POST binding only.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ),
        // Specifies info about where and how the <Logout Response> message MUST be
        // returned to the requester, in this case our SP.
        'singleLogoutService' => array(
            // URL Location where the <Response> from the IdP will be returned
            'url' => $baseurl . '/slo.php',
            // SAML protocol binding to be used when returning the <Response>
            // message. OneLogin Toolkit supports the HTTP-Redirect binding
            // only for this endpoint.
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Specifies the constraints on the name identifier to be used to
        // represent the requested subject.
        // Take a look at lib/Saml2/Constants.php to see the NameIdFormat supported.
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',

        // Usually x509cert and privateKey of the SP are provided by files placed at
        // the certs folder. But we can also provide them with the following parameters
        // 'x509cert' => '',
        // 'privateKey' => '',

        /*
         * Key rollover
         * If you plan to update the SP x509cert and privateKey
         * you can define here the new x509cert and it will be
         * published on the SP metadata so Identity Providers can
         * read them and get ready for rollover.
         */
        // 'x509certNew' => '',
    ),

    // Identity Provider Data that we want connected with our SP.
    'idp' => array(
        'entityId' => 'https://shibboleth.main.ad.rit.edu/idp/shibboleth',
        'singleSignOnService' => array(
            'url' => 'https://shibboleth.main.ad.rit.edu/idp/profile/SAML2/Redirect/SSO',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // SLO endpoint info of the IdP.
        'singleLogoutService' => array(
            'url' => 'https://shibboleth.main.ad.rit.edu/logout.html',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ),
        // Public x509 certificate of the IdP (the toolkit strips the line breaks)
        'x509cert' => 'MIIDVDCCAjygAwIBAgIVAMPFek+px9vIGJ0/+QhwyptEXQqaMA0GCSqGSIb3DQEB
BQUAMCUxIzAhBgNVBAMTGnNoaWJib2xldGgubWFpbi5hZC5yaXQuZWR1MB4XDTA4
MTEyNTE4MzU0N1oXDTI4MTEyNTE4MzU0N1owJTEjMCEGA1UEAxMac2hpYmJvbGV0
aC5tYWluLmFkLnJpdC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC3LLiBrUjXO+LFsfrk4u5lQ62FfXJEPJnmL6/4WVsOtpLWMQZesuiOlyhFTsTN
dlmFp37UTcZ9MJsTeG/1M87BxUnPB22Qn7TPNLh7Oi3QDinVyukPXRl6B/bHdtMh
lq5V+E8rNyITaOc7YB6GkNLBOVBRemBcttmlwz5whHWwU/MNdQlBf4/KIu7mV5dp
WQrnPvaTk3nle4vOtbPThipD5jiD2r/a4/l5gROJRuLvxQaiNfBfACwowp9R9DHK
lpqD4EPSEv2v0RXJyFx4pMi/hnfmSjvIQi9s+J5sKzyNN3JtCzrVO5GSiddO46bR
tvp5H/rz0cNpp5rnjz+NRkarAgMBAAGjezB5MFgGA1UdEQRRME+CGnNoaWJib2xl
dGgubWFpbi5hZC5yaXQuZWR1hjFodHRwczovL3NoaWJib2xldGgubWFpbi5hZC5y
aXQuZWR1L2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBRJRQ19Vjpa3qktIoVtEqdL
onWQFTANBgkqhkiG9w0BAQUFAAOCAQEAmXDiVgm0fmvvhtzYO2GFBIpZNNzd+8ou
jnUNTKNAliKToarQvLDTQUENh2L558u3OvwFXlC7hcnGNKin4VjQ/GWps+J7dQ67
gCiYMquyf5i9UE/j5ilriNXmSwzwvB/YPJzEMIFd2XBI550ODeIMf5B0gGx1EMB1
jyWpy4iOZbMCBbGn0Vo2/AeGyiUmT6/qcDnrMTg4fvAqG26kujwPBb42UpkwSo2E
OZDp3OGGicpNhWVWca74r8KHYJGNBwXYmZ5ntP5Yfd9cElJKFLS21igLGkhr/o4N
Im4Q86WvRXW4cHfy8OB9fEIURxSmGeZMYsd0YLh8ouPlWuLl3hWsyQ==',
    ),
);
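The settings above enable 'strict' mode but say nothing about which signatures the SP demands or produces. The toolkit reads those choices from a 'security' array (shipped as advanced_settings.php in the toolkit distribution and merged with settings.php). The block below is an added example written for this page, not the page's or the toolkit's own code; the key names and the OneLogin\Saml2\Constants values are the toolkit's, and the values chosen here are a hardened starting point that assumes the SP has an x509cert and privateKey configured and that the IdP signs assertions.

```php
<?php
// Added example: a hardened 'security' block for the SP configured above.
// Assumes the SP x509cert/privateKey are present (needed for request signing)
// and that the IdP signs its assertions.
use OneLogin\Saml2\Constants;
use OneLogin\Saml2\Settings;

require_once 'settings.php';   // defines $settings as shown above

$security = array(
    // Sign everything the SP sends (AuthnRequest, LogoutRequest, LogoutResponse)
    // and the published metadata, so the IdP can verify the SP's messages.
    'authnRequestsSigned'  => true,
    'logoutRequestSigned'  => true,
    'logoutResponseSigned' => true,
    'signMetadata'         => true,

    // Demand a signed assertion; combined with 'strict' => true an unsigned
    // assertion is rejected rather than trusted.
    'wantAssertionsSigned' => true,
    // Demand a signature on the whole <Response> too; enable only if the IdP
    // signs the message and not just the assertion.
    'wantMessagesSigned'   => false,
    // Require a NameID to be present in the assertion.
    'wantNameId'           => true,
    // Encryption of the assertion/NameID is optional; turn on if the IdP supports it.
    'wantAssertionsEncrypted' => false,
    'wantNameIdEncrypted'     => false,

    // Validate incoming XML against the SAML schemas before processing it.
    'wantXMLValidation' => true,

    // Reject Responses that carry no InResponseTo (IdP-initiated SSO).
    // Leave false only if IdP-initiated SSO is a requirement.
    'rejectUnsolicitedResponsesWithInResponseTo' => false,

    // SHA-256 for signatures and digests; SHA-1 is deprecated.
    'signatureAlgorithm' => Constants::RSA_SHA256,
    'digestAlgorithm'    => Constants::SHA256,
);

// Merge into the settings array before handing it to Settings or Auth.
$settings['security'] = $security;
$samlSettings = new Settings($settings);
```

With these values the SP metadata advertises `AuthnRequestsSigned="true"` and `WantAssertionsSigned="true"`, so the IdP administrator can see what the SP expects; the `wantMessagesSigned` and `rejectUnsolicitedResponsesWithInResponseTo` flags are the two most often left at their defaults, and each should be decided deliberately against what the IdP actually does.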
Important SP Endpoints
Related to the SP there are three important views: The metadata view, the ACS view and the SLS view. The toolkit provides examples of those views in the endpoints directory.
Below is an example of a metadata view that will work with the settings.php file above.
<?php
use OneLogin\Saml2\Settings;
use OneLogin\Saml2\Error;

define("TOOLKIT_PATH", '/var/www/php-saml/');
require_once TOOLKIT_PATH . '_toolkit_loader.php';
// Or use the following if installing the toolkit via Composer
// require_once __DIR__ . '/vendor/autoload.php';

require_once 'settings.php';   // defines the $settings array shown above

try {
    // $auth = new OneLogin\Saml2\Auth($settings);
    // $settings = $auth->getSettings();
    // Now we only validate SP settings
    $samlSettings = new Settings($settings, true);
    $metadata = $samlSettings->getSPMetadata(true);
    $errors = $samlSettings->validateMetadata($metadata);
    if (empty($errors)) {
        header('Content-Type: text/xml');
        echo $metadata;
    } else {
        throw new Error(
            'Invalid SP metadata: ' . implode(', ', $errors),
            Error::METADATA_SP_INVALID
        );
    }
} catch (Exception $e) {
    echo $e->getMessage();
}
However you decide to implement the metadata view, you must call getSPMetadata(true) so both the SP encryption key and signing key are returned.
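The ACS view is where the IdP's Response is actually validated, and it is where an SP most often goes wrong. The following consume.php is an added example written for this page, not code from the original page or from the toolkit's endpoints directory. It assumes settings.php defines the $settings array shown earlier, that the toolkit is at TOOLKIT_PATH, and that the login view saved $auth->getLastRequestID() under the (assumed) session key $_SESSION['AuthNRequestID'] so the InResponseTo value can be checked.

```php
<?php
// Added example: an Assertion Consumer Service view (consume.php) for the SP
// configured in settings.php above. Assumptions: $settings comes from
// settings.php, the toolkit lives at TOOLKIT_PATH, and the login view stored
// $auth->getLastRequestID() in $_SESSION['AuthNRequestID'] (assumed key name).
use OneLogin\Saml2\Auth;

define('TOOLKIT_PATH', '/var/www/php-saml/');
require_once TOOLKIT_PATH . '_toolkit_loader.php';
require_once 'settings.php';

session_start();

$auth = new Auth($settings);

// Hand the stored request ID to the toolkit so it checks InResponseTo: a
// Response that does not answer a request sent from this browser session is
// rejected (enforced when 'strict' => true).
$requestID = isset($_SESSION['AuthNRequestID']) ? $_SESSION['AuthNRequestID'] : null;
$auth->processResponse($requestID);

// Signature, Conditions, Destination and Audience failures all surface here.
$errors = $auth->getErrors();
if (!empty($errors)) {
    // Keep the detailed reason in the server log; the browser gets a generic error.
    error_log('SAML Response rejected: ' . $auth->getLastErrorReason());
    http_response_code(403);
    exit('SAML authentication failed');
}
if (!$auth->isAuthenticated()) {
    http_response_code(403);
    exit('Not authenticated');
}

// Session fixation: rotate the session ID before storing identity data.
session_regenerate_id(true);
unset($_SESSION['AuthNRequestID']);
$_SESSION['samlUserdata']     = $auth->getAttributes();
$_SESSION['samlNameId']       = $auth->getNameId();
$_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat();
$_SESSION['samlSessionIndex'] = $auth->getSessionIndex();

// Open redirect: RelayState is echoed back by the IdP but originates from the
// browser, so only follow it when it stays under this application's baseurl.
$appBase = rtrim($settings['baseurl'], '/') . '/';
$target  = $appBase;
if (isset($_POST['RelayState']) && strpos($_POST['RelayState'], $appBase) === 0) {
    $target = $_POST['RelayState'];
}
$auth->redirectTo($target);
```

For the InResponseTo check to have anything to compare against, the login view has to keep the request ID before redirecting: call `$auth->login()` with the `$stay` argument set to true so it returns the SSO URL instead of redirecting, store `$auth->getLastRequestID()` in the session, then issue the Location header yourself. Without that, pass null as above and the toolkit only checks that the Response is well formed, signed and addressed to this SP.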
More Information
For more information on implementing OneLogin's PHP SAML toolkit in your PHP application, please see the official docs on GitHub.