承接 juhedata/laravel-samlidp 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

juhedata/laravel-samlidp

Composer 安装命令:

composer require juhedata/laravel-samlidp

包简介

Make your Laravel application an Idenification Provider using SAML 2.0.

README 文档

README

Latest Version on Packagist Total Downloads

Laravel SAML IdP

This package allows you to implement your own Identification Provider (idP) using the SAML 2.0 standard to be used with supporting SAML 2.0 Service Providers (SP).

该组件可以让你实现基于SAML 2.0协议的IDP端(IDP端提供身份验证,用户在此登录)。

Version

1.0

  • Laravel 5.X required

2.0

  • PHP 7.2+ required
  • Laravel 6.X required

Installation

Require this package with composer:

用composer安装本组件:

composer require juhedata/laravel-samlidp:^2.0

Publish config

发布配置文件

php artisan vendor:publish --tag="samlidp_config"

FileSystem configuration

文件系统配置

// config/filesystem.php

'disks' => [

        ...

        'samlidp' => [
            'driver' => 'local',
            'root' => storage_path() . '/samlidp',
        ]
],

Use the following command to create a self signed certificate for your IdP. If you change the certname or keyname to anything other than the default names, you will need to update your config/samlidp.php config file to reflect those new file names.

用以下命令生成自签证书

php artisan samlidp:cert [--days <days> --keyname <name> --certname <name>]
Options:
  --days=<days>      Days to add for the expiration date [default: 7800]
  --keyname=<name>   Name of the certificate key file [default: key.pem]
  --certname=<name>  Name of the certificate file [default: cert.pem]

Usage

Within your login view, probably resources/views/auth/login.blade.php add the SAMLRequest directive beneath the CSRF directive:

在登录页面(如resources/views/auth/login.blade.php),在CSRF directive后增加SAMLRequest directive

@csrf
@samlidp

The SAMLRequest directive will fill out the hidden input automatically when a SAMLRequest is sent by an HTTP request and therefore initiate a SAML authentication attempt. To initiate the SAML auth, the login and redirect processes need to be intervened. This is done using the Laravel events fired upon authentication.

SAMLRequest directive会自动检查当前的HTTP请求是否含有SAML相关的参数,若有则补充SAML相关的参数到登录的表单中。 相关中间件会处理表单中的SAML请求,并将用户重定向到SP。

Config

After you publish the config file, you will need to set up your Service Providers. The key for the Service Provider is a base 64 encoded Consumer Service (ACS) URL. You can get this information from your Service Provider, but you will need to base 64 encode the URL and place it in your config. This is due to config dot notation.

You may use this command to help generate a new SAML Service Provider:

一个idP可以对应多个SP,用以下命令生成SP配置代码:

php artisan samlidp:sp

Example SP in config/samlidp.php file:

可参考 config/samlidp.php 文件中的SP配置示例:

<?php

return [
    // The URI to your login page
    'login_uri' => 'login',
    // The URI to the saml metadata file, this describes your idP
    'issuer_uri' => 'saml/metadata',
    // List of all Service Providers
    'sp' => [
        // Base64 encoded ACS URL
        'aHR0cHM6Ly9teWZhY2Vib29rd29ya3BsYWNlLmZhY2Vib29rLmNvbS93b3JrL3NhbWwucGhw' => [
            // ACS URL of the Service Provider
            'destination' => 'https://example.com/saml/acs',
            // Simple Logout URL of the Service Provider
            'logout' => 'https://example.com/saml/sls',
        ]
    ]

];

Log out of IdP after SLO

If you wish to log out of the IdP after SLO has completed, set LOGOUT_AFTER_SLO to true in your .env perform the logout action on the Idp.

// .env

LOGOUT_AFTER_SLO=true

Redirect to SLO initiator after logout

If you wish to return the user back to the SP by which SLO was initiated, you may provide an additional query parameter to the /saml/logout route, for example:

https://idp.com/saml/logout?redirect_to=mysp.com

After all SP's have been logged out of, the user will be redirected to mysp.com. For this to work properly you need to add the sp_slo_redirects option to your config/samlidp.php config file, for example:

<?php

// config/samlidp.php

return [
    // If you need to redirect after SLO depending on SLO initiator
    // key is beginning of HTTP_REFERER value from SERVER, value is redirect path
    'sp_slo_redirects' => [
        'mysp.com' => 'https://mysp.com',
    ],

];

Attributes (optional)

Service providers may require more additional attributes to be sent via assertion. Its even possible that they require the same information but as a different Claim Type.

SP可能要求提供更多的属性。

By Default this package will send the following Claim Types:

ClaimTypes::EMAIL_ADDRESS as auth()->user()->email ClaimTypes::GIVEN_NAME as auth()->user()->name

This is because Laravel migrations, by default, only supply email and name fields that are usable by SAML 2.0.

To add additional Claim Types, you can subscribe to the Assertion event:

CodeGreenCreative\SamlIdp\Events\Assertion

Subscribing to the Event:

可以通过订阅相关事件,来向SP传递更多属性:

In your App\Providers\EventServiceProvider class, add to the already existing $listen property...

App\Providers\EventServiceProvider 中订阅这个事件:CodeGreenCreative\SamlIdp\Events\Assertion

protected $listen = [
    'App\Events\Event' => [
        'App\Listeners\EventListener',
    ],
    'CodeGreenCreative\SamlIdp\Events\Assertion' => [
        'App\Listeners\SamlAssertionAttributes'
    ]
];

Sample Listener:

Listener示例:

<?php

namespace App\Listeners;

use LightSaml\ClaimTypes;
use LightSaml\Model\Assertion\Attribute;
use CodeGreenCreative\SamlIdp\Events\Assertion;

class SamlAssertionAttributes
{
    public function handle(Assertion $event)
    {
        $event->attribute_statement
            ->addAttribute(new Attribute(ClaimTypes::PPID, auth()->user()->id))
            ->addAttribute(new Attribute(ClaimTypes::NAME, auth()->user()->name));
    }
}

juhedata/laravel-samlidp 适用场景与选型建议

juhedata/laravel-samlidp 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 2.28k 次下载、GitHub Stars 达 0, 最近一次更新时间为 2020 年 06 月 02 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「SSO」 「auth」 「acl」 「laravel」 「idp」 「saml」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 juhedata/laravel-samlidp 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 juhedata/laravel-samlidp 我们能提供哪些服务?
定制开发 / 二次开发

基于 juhedata/laravel-samlidp 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 2.28k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 19
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 91
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2020-06-02