定制 intervieweb/spid-php-lib 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

intervieweb/spid-php-lib

Composer 安装命令:

composer require intervieweb/spid-php-lib

包简介

PHP package for SPID authentication

README 文档

README

Main differences with official release:

  • implements logging
  • uses PSR-12 style guide

spid-php-lib

PHP package for SPID authentication.

This PHP package is aimed at implementing SPID Service Providers. SPID is the Italian digital identity system, which enables citizens to access all public services with a single set of credentials. This package provides a layer of abstraction over the SAML protocol by exposing just the subset required in order to implement SPID authentication in a web application.

Alternatives for PHP:

Framework specific libraries and examples based on spid-php-lib:

Alternatives for other languages:

Table of Contents

Repository layout

  • bin/ auxiliary scripts
  • example/ contains a demo application
  • src/ contains the library implementation
  • test/ contains the unit tests

Getting Started

Tested on: amd64 Debian 9.5 (stretch, current stable) with PHP 7.0.

Supports PHP 7.0, 7.1 and 7.2.

Prerequisites

sudo apt install composer make openssl php-curl php-zip php-xml

Configuring and Installing

NOTE: during testing, please use the test Identity Provider spid-testenv2.

  1. Install with composer

    composer require italia/spid-php-lib

  2. (OPTIONAL) Manually generate key and certificate files for your Service Provider (SP).

    Example: openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/C=IT/ST=Italy/L=Milan/O=myservice/CN=localhost" -keyout sp.key -out sp.crt

    This step can be skipped: the library takes care of this step automatically if you declare the optional sp_key_cert_values key in the settings array. Check the example in the Usage section for further details.

  3. Download the Identity Provider (IdP) metadata files and place them in a directory in your project, for example idp_metadata. A convenience tool is provided to download those of the production IdPs: vendor/italia/spid-php-lib/bin/download_idp_metadata.php, example usage:

    mkdir idp_metadata
    php vendor/italia/spid-php-lib/bin/download_idp_metadata.php ./idp_metadata

    TEST ENVIRONMENT: If you are using spid-testenv2, manually download the IdP metadata and place it in your idp_metadata folder

  4. Make your SP known to IdPs: for production follow the guidelines at https://www.spid.gov.it/come-diventare-fornitore-di-servizi-pubblici-e-privati-con-spid

    TEST ENVIRONMENT: simply download your Service Provider (SP) metadata and place it in the appropriate folder of the test environment. The test environment must be restarted after every change to the SP metadata.

Usage

All classes provided by this package reside in the Italia\Spid namespace. More detailed documentation is available in the SAMLInterface.php file.

Load them using the composer-generated autoloader:

require_once(__DIR__ . "/vendor/autoload.php");

The main class is Italia\Spid\Sp (service provider).

Generate a settings array following this guideline

$settings = array(
    'sp_entityid' => SP_BASE_URL, // preferred: https protocol, no trailing slash, example: https://sp.example.com/
    'sp_key_file' => '/path/to/sp.key',
    'sp_cert_file' => '/path/to/sp.crt',
    'sp_comparison' => 'exact', // one of: "exact", "minimum", "better" or "maximum"
    'sp_assertionconsumerservice' => [
        // order is important ! the 0-base index in this array will be used as ID in the calls
        SP_BASE_URL . '/acs',
        ...
    ],
    'sp_singlelogoutservice' => [
        // order is important ! the 0-base index in this array will be used as ID in the calls
        [SP_BASE_URL . '/slo', 'POST'],
        [SP_BASE_URL . '/slo', 'REDIRECT']
        ...
    ],
    'sp_org_name' => 'your organization full name',
    'sp_org_display_name' => 'your organization display name',
    'sp_key_cert_values' => [ // Optional: remove this if you want to generate .key & .crt files manually
        'countryName' => 'Your Country',
        'stateOrProvinceName' => 'Your Province or State',
        'localityName' => 'Locality',
        'commonName' => 'Name',
        'emailAddress' => 'your@email.com',
    ]
    'idp_metadata_folder' => '/path/to/idp_metadata/',
    'sp_attributeconsumingservice' => [
        // order is important ! the 0-base index in this array will be used as ID in the calls
        ["fiscalNumber"],
        ["name", "familyName", "fiscalNumber", "email", "spidCode"],
        ...
    ],
    // Time in seconds of skew that is acceptable between client and server when checking OnBefore and NotOnOrAfter
    // assertion condition validity timestamps, and IssueInstant response / assertion timestamps. Optional.
    // Default is 0. Acceptable range: 0-300 (inclusive)
    'accepted_clock_skew_seconds' => 100
);

then initialize the main Sp class

$sp = new Italia\Spid\Sp($settings);

Don't want the library to generate .key and .crt files for you? Then remove the sp_key_cert_values key from the settings array, or decalre

// $autoconfiguration skips .key/.crt generation if set to false
$sp = new Italia\Spid\Sp($settings, null, $autoconfiguration = false);

Performing login

// shortname of IdP, same as the name of corresponding IdP metadata file, without .xml
$idpName = 'testenv';
// index of assertion consumer service as per the SP metadata (sp_assertionconsumerservice in settings array)
$assertId = 0;
// index of attribute consuming service as per the SP metadata (sp_attributeconsumingservice in settings array)
$attrId = 1;

// Generate the login URL and redirect to the IdP login page
$sp->login($idpName, $assertId, $attrId);

Complete the login operation by calling

$sp->isAuthenticated();

at the assertion consumer service URL.

Then call

$userAttributes = $sp->getAttributes();

to receive an array of the requested user attributes.

Performing logout

Call

// index of single logout service as per the SP metadata (sp_singlelogoutservice in settings array)
$sloId = 0;

$sp->logout($sloId);

The method will redirect to the IdP Single Logout page, or return false if you are not logged in.

Complete API

Method Description
__contruct($settings, $protocol = null, $autoconfigure = true) $settings should be based on the example provided in the Usage section. $protocol represents the protocol used for login. At the moment only SAML is supported, and can be selected by either $protocol = 'saml' or the default $protocol = null. $autoconfigure tells the constructor if it should check for .key and .crt files at the specified location from the $settings array and generate them in case they are not found. Set this to false if you wish to generate those manually.
loadIdpFromFile(string $filename) loads an Idp object by parsing the provided XML at $filename
getIdpList() : array loads all the Idp objects from the idp_metadata_folder provided in settings
getIdp(string $filename) alias of loadIdpFromFile
getSPMetadata() : string returns the SP metadata as a string
login(string $idpFilename, int $assertID, int $attrID, $level = 1, string $redirectTo = null, $shouldRedirect = true) login with REDIRECT binding. Use $idpFilename to select in IdP for login by indicating the name (without extension) of an XML file in your idp_metadata_folder. $assertID and $attrID indicate respectively the array index of sp_assertionconsumerservice and sp_attributeconsumingservice provided in settings. Optional parameters: $level for SPID authentication level (1, 2 or 3), $redirectTo to indicate an url to redirect to after login, $shouldRedirect to indicate if the login function should automatically redirect to the IdP or should return the login url as a string
loginPost(string $idpName, int $ass, int $attr, $level = 1, string $redirectTo = null, $shouldRedirect = true) like login, but uses POST binding
logout(int $slo, string $redirectTo = null, $shouldRedirect = true) logout with REDIRECT binding. $slo indicates the array index of the sp_singlelogoutservice provided in settings. Optional parameters: $redirectTo to indicate an url to redirect to after login, $shouldRedirect to indicate if the login function should automatically redirect to the IdP or should return the login url as a string
logoutPost(int $slo, string $redirectTo = null, $shouldRedirect = true) like logout, but uses POST binding
isAuthenticated() : bool checks if the user is authenticated. This method MUST be called after login and logout to finalize the operation.
getAttributes() : array If you requested attributes with an attribute consuming service during login, this method will return them in array format

Example

A basic demo application is provided in the example/ directory of this repository.

/example and /tests folders are NOT provided with the production version from packagist, remember to require the dev-develop version or just clone this repository (advised)

To try it out:

  1. Generate a test certificate and key pair with:

    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -subj "/C=IT/ST=Italy/L=Milan/O=myservice/CN=localhost" -keyout sp.key -out sp.crt
  2. Adapt the hostname of the SP changing the $base variable in the example/index.php file; the browser you'll be testing from must be able to resolve the FQDN (the default is https://sp.example.com). Using HTTPS is strongly suggested.

  3. Configure and install the test IdP spid-testenv2

  4. Serve the example dir from your preferred webserver

  5. Visit https://sp.example.com/metadata to get the SP metadata, then copy these over to the IdP and register the SP with the IdP

  6. Visit https://idp.example.com/metadata to get the IdP metadata, then save it as example/idp_metadata/testenv.xml to register the IdP with the SP

  7. Visit: https://sp.example.com and click login.

Demo application

A Docker-based demo application is available at https://github.com/simevo/spid-php-lib-example.

Features

  • provides a lean implementation without relying on external SAML packages
  • routing-agnostic, can be integrated in any web framework / CMS
  • uses a session to store the authentication result and the received attributes
  • does not currently support Attribute Authority (AA)

Compliance with SPID regulations (for Service Providers)
Metadata:
parsing of IdP XML metadata (1.2.2.4)
support for multiple signing certificates in IdP XML metadata (1.2.2.4)
parsing of AA XML metadata (2.2.4)
SP XML metadata generation (1.3.2)
AuthnRequest generation (1.2.2.1):
generation of AuthnRequest XML
HTTP-Redirect binding
HTTP-POST binding
AssertionConsumerServiceURL customization The library uses AssertionConsumerServiceIndex customization which is preferred
AssertionConsumerServiceIndex customization
AttributeConsumingServiceIndex customization
AuthnContextClassRef (SPID level) customization
RequestedAuthnContext/@Comparison customization
RelayState customization (1.2.2)
Response/Assertion parsing
verification of Signature value (if any)
verification of Signature certificate (if any) against IdP/AA metadata
verification of Assertion/Signature value
verification of Assertion/Signature certificate against IdP/AA metadata
verification of SubjectConfirmationData/@Recipient
verification of SubjectConfirmationData/@NotOnOrAfter
verification of SubjectConfirmationData/@InResponseTo
verification of Issuer
verification of Assertion/Issuer
verification of Destination
verification of Conditions/@NotBefore
verification of Conditions/@NotOnOrAfter
verification of Audience
parsing of Response with no Assertion (authentication/query failure)
parsing of failure StatusCode (Requester/Responder)
Response/Assertion parsing for SSO (1.2.1, 1.2.2.2, 1.3.1):
parsing of NameID
parsing of AuthnContextClassRef (SPID level)
parsing of attributes
Response/Assertion parsing for attribute query (2.2.2.2, 2.3.1):
parsing of attributes
LogoutRequest generation (for SP-initiated logout):
generation of LogoutRequest XML
HTTP-Redirect binding
HTTP-POST binding
LogoutResponse parsing (for SP-initiated logout):
parsing of LogoutResponse XML
verification of Response/Signature value (if any)
verification of Response/Signature certificate (if any) against IdP metadata
verification of Issuer
verification of Destination
PartialLogout detection pending, see: #46
LogoutRequest parsing (for third-party-initiated logout):
parsing of LogoutRequest XML
verification of Response/Signature value (if any)
verification of Response/Signature certificate (if any) against IdP metadata
verification of Issuer
verification of Destination
parsing of NameID
LogoutResponse generation (for third-party-initiated logout):
generation of LogoutResponse XML
HTTP-Redirect binding
HTTP-POST binding
PartialLogout customization pending, see: #46
AttributeQuery generation (2.2.2.1):
generation of AttributeQuery XML
SOAP binding (client)

More features

  • Generation of SPID button markup

Troubleshooting

It is advised to install a browser plugin to trace SAML messages:

In addition, you can use the SAML Developer Tools provided by onelogin to understand what is going on

Testing

To test and lint this package you must place yourself in its root directory, then follow the provided instructions.

Assuming you followed the installation instructions with composer, simply do:

cd vendor/italia/spid-php-lib

Unit tests

Install prerequisites with composer, generate key and certificate for the SP and download the metadata for all current production IdPs with:

composer install
bin/download_idp_metadata.php example/idp_metadata

then launch the unit tests with PHPunit:

./vendor/bin/phpunit --stderr --testdox tests

Linting

This project complies with the PSR-2: Coding Style Guide.

Make sure you are in the package directory, then lint the code with:

./vendor/bin/phpcs --standard=PSR2 xxx.php

Contributing

For your contributions please use the git-flow workflow.

See also

Authors

Lorenzo Cattaneo and Paolo Greppi, simevo s.r.l.

License

Copyright (c) 2018-2020, Developers Italia

License: BSD 3-Clause, see LICENSE file.

intervieweb/spid-php-lib 适用场景与选型建议

intervieweb/spid-php-lib 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.26k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2023 年 10 月 20 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 intervieweb/spid-php-lib 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 intervieweb/spid-php-lib 我们能提供哪些服务?
定制开发 / 二次开发

基于 intervieweb/spid-php-lib 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1.26k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 1
  • 点击次数: 21
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 1
  • Watchers: 0
  • Forks: 37
  • 开发语言: PHP

其他信息

  • 授权协议: BSD-3-Clause
  • 更新时间: 2023-10-20