
nbgrp/onelogin-saml-bundle
==========================

OneLogin SAML Symfony Bundle

v3.0.0 (5mo ago) · [13 issues](https://github.com/nbgrp/onelogin-saml-bundle/issues) · [2 PRs](https://github.com/nbgrp/onelogin-saml-bundle/pulls) · BSD-3-Clause · PHP ^8.4 · CI passing

[Source](https://github.com/nbgrp/onelogin-saml-bundle) · [Packagist](https://packagist.org/packages/nbgrp/onelogin-saml-bundle)

OneloginSamlBundle
==================


Overview
--------


[OneLogin SAML](https://github.com/onelogin/php-saml) Symfony Bundle.

> This bundle depends on Symfony 6 and newer.
> For older Symfony versions you can use [hslavich/oneloginsaml-bundle](https://github.com/hslavich/OneloginSamlBundle), on which this bundle is based.

### Compatibility


| Branch  | Symfony   |
|---------|-----------|
| 1.x     | Symfony 6 |
| 2.x     | Symfony 7 |
| **3.x** | Symfony 8 |

Installation
------------


```
composer require nbgrp/onelogin-saml-bundle
```

If you use Symfony Flex it enables the bundle automatically. Otherwise, to enable the bundle add the following code in `config/bundles.php`:

```
return [
    // ...
    Nbgrp\OneloginSamlBundle\NbgrpOneloginSamlBundle::class => ['all' => true],
];
```

Configuration
-------------


To configure the bundle, add the configuration to `config/packages/nbgrp_onelogin_saml.yaml`. You can use any configuration format (YAML, XML or PHP), but for convenience this document uses YAML.

> Check the [OneLogin PHP SAML](https://github.com/onelogin/php-saml) docs for more info about its settings.

> You can use the `` placeholder in the following configuration values; it is replaced by the corresponding values from the `Request` object:
>
> - onelogin\_settings.sp.entityId
> - onelogin\_settings.sp.assertionConsumerService.url
> - onelogin\_settings.sp.singleLogoutService.url
> - onelogin\_settings.baseurl
>
> Pay attention to the [trusted proxies settings](https://symfony.com/doc/current/deployment/proxies.html) if you're running your application behind a load balancer or a reverse proxy. If the trusted-proxy configuration is wrong, a client can spoof the `Host` and `X-Forwarded-*` headers that these placeholder values are built from.

```
nbgrp_onelogin_saml:
    onelogin_settings:
        default:
            # Mandatory SAML settings
            idp:
                entityId: 'https://id.example.com/saml2/idp/metadata.php'
                singleSignOnService:
                    url: 'https://id.example.com/saml2/idp/SSOService.php'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                singleLogoutService:
                    url: 'https://id.example.com/saml2/idp/SingleLogoutService.php'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                x509cert: 'MIIC...'
            sp:
                entityId: 'https://myapp.com/saml/metadata'  #  Default: '/saml/metadata'
                assertionConsumerService:
                    url: 'https://myapp.com/saml/acs'  #  Default: '/saml/acs'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
                singleLogoutService:
                    url: 'https://myapp.com/saml/logout'  #  Default: '/saml/logout'
                    binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                privateKey: 'MIIE...'
            # Optional SAML settings
            baseurl: 'https://myapp.com/saml/'  #  Default: '/saml/'
            # Keep strict enabled in production: with strict off the toolkit does not reject
            # unsigned/unencrypted messages it expected to be signed/encrypted and skips the
            # strict Destination/NameId/Conditions validation.
            strict: true
            # Debug mode prints SAML error details; turn it off in production.
            debug: true
            security:
                nameIdEncrypted: false
                authnRequestsSigned: false
                logoutRequestSigned: false
                logoutResponseSigned: false
                signMetadata: false
                wantMessagesSigned: false
                wantAssertionsEncrypted: false
                wantAssertionsSigned: true
                wantNameId: false
                wantNameIdEncrypted: false
                requestedAuthnContext: true
                requestedAuthnContextComparison: 'exact'
                wantXMLValidation: false
                relaxDestinationValidation: false
                destinationStrictlyMatches: true
                allowRepeatAttributeName: false
                rejectUnsolicitedResponsesWithInResponseTo: false
                signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
                digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
                encryption_algorithm: 'http://www.w3.org/2001/04/xmlenc#aes256-cbc'
                lowercaseUrlencoding: false
            contactPerson:
                technical:
                    givenName: 'Tech User'
                    emailAddress: 'techuser@example.com'
                support:
                    givenName: 'Support User'
                    emailAddress: 'supportuser@example.com'
                administrative:
                    givenName: 'Administrative User'
                    emailAddress: 'administrativeuser@example.com'
            organization:
                en-US:
                    name: 'Example'
                    displayname: 'Example'
                    url: 'http://example.com'
            compress:
                requests: false
                responses: false
        # Optional another one SAML settings (see Multiple IdP below)
        another:
            idp:
                # ...
            sp:
                # ...
            # ...
    # Optional parameters
    use_proxy_vars: true
    idp_parameter_name: 'custom-idp'
    entity_manager_name: 'custom-em'
    # Optional parameters for the method \OneLogin\Saml2\Auth::login
    # See https://github.com/SAML-Toolkits/php-saml?tab=readme-ov-file#initiate-sso
    authn_request:
        parameters:
            Param1: value1
            Param2: value2
        forceAuthn: true
        isPassive: false
        setNameIdPolicy: true
        nameIdValueReq: 'extra-id'
```

There are a few extra parameters for the `idp` and `sp` sections. You can read more about them in the OneLogin PHP SAML docs.

Instead of specifying the IdP and SP x509 certificates and private keys inline, you can store them in the OneLogin PHP SAML [certs directory](https://github.com/onelogin/php-saml#certs) or use the global constant `ONELOGIN_CUSTOMPATH` to specify a custom directory (the complete path will be `ONELOGIN_CUSTOMPATH.'certs/'`).

If you do not want to set contactPerson or organization info, omit those keys rather than leaving them blank.
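The settings above decide what the toolkit will and will not reject, so it is worth checking them before a deployment. The following is an added example, not code from the bundle or from php-saml: a stand-alone audit of the security-relevant keys of one `onelogin_settings` entry, run over a constructed weak configuration and a constructed hardened one. The array shape mirrors the YAML above; the finding texts and thresholds are this example's own choices.

```php
<?php
declare(strict_types=1);

// SHA-1 URIs that php-saml still accepts but that should not be configured anymore.
const SHA1_SIGNATURE = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
const SHA1_DIGEST    = 'http://www.w3.org/2000/09/xmldsig#sha1';

/**
 * Audit one onelogin_settings entry (same keys as the YAML config).
 * @return list<string> findings; an empty list means nothing was flagged
 */
function auditSamlSettings(array $s): array
{
    $findings = [];
    $sec = $s['security'] ?? [];

    if (($s['strict'] ?? false) !== true) {
        $findings[] = 'strict is not true: unsigned/unencrypted messages that were expected signed/encrypted are not rejected and Destination/Conditions are not strictly validated';
    }
    if (($s['debug'] ?? false) === true) {
        $findings[] = 'debug is true: SAML error details are printed; disable in production';
    }
    if (($sec['wantAssertionsSigned'] ?? false) !== true && ($sec['wantMessagesSigned'] ?? false) !== true) {
        $findings[] = 'neither wantAssertionsSigned nor wantMessagesSigned is true: require at least one (wantAssertionsSigned is the usual choice)';
    }
    if (($sec['signatureAlgorithm'] ?? '') === SHA1_SIGNATURE || ($sec['digestAlgorithm'] ?? '') === SHA1_DIGEST) {
        $findings[] = 'SHA-1 signature or digest algorithm configured: use the rsa-sha256 / sha256 URIs';
    }
    if (($sec['relaxDestinationValidation'] ?? false) === true) {
        $findings[] = 'relaxDestinationValidation is true: responses with an empty Destination are accepted';
    }
    if (empty($s['idp']['x509cert'])) {
        $findings[] = 'idp.x509cert is empty: IdP signatures cannot be verified';
    }
    $urls = [
        'idp.singleSignOnService.url'    => $s['idp']['singleSignOnService']['url'] ?? '',
        'sp.assertionConsumerService.url' => $s['sp']['assertionConsumerService']['url'] ?? '',
    ];
    foreach ($urls as $key => $url) {
        if ($url !== '' && !str_starts_with($url, 'https://')) {
            $findings[] = "$key is not https: $url";
        }
    }
    return $findings;
}

// Constructed sample settings: a weak entry next to the hardened version of it.
$weak = [
    'strict' => false,
    'debug'  => true,
    'idp' => ['x509cert' => '', 'singleSignOnService' => ['url' => 'http://id.example.com/saml2/idp/SSOService.php']],
    'sp'  => ['assertionConsumerService' => ['url' => 'https://myapp.com/saml/acs']],
    'security' => [
        'wantAssertionsSigned'       => false,
        'wantMessagesSigned'         => false,
        'signatureAlgorithm'         => SHA1_SIGNATURE,
        'relaxDestinationValidation' => true,
    ],
];
$hardened = [
    'strict' => true,
    'debug'  => false,
    'idp' => ['x509cert' => 'MIIC...', 'singleSignOnService' => ['url' => 'https://id.example.com/saml2/idp/SSOService.php']],
    'sp'  => ['assertionConsumerService' => ['url' => 'https://myapp.com/saml/acs']],
    'security' => [
        'wantAssertionsSigned'       => true,
        'wantMessagesSigned'         => false,
        'signatureAlgorithm'         => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
        'digestAlgorithm'            => 'http://www.w3.org/2001/04/xmlenc#sha256',
        'relaxDestinationValidation' => false,
    ],
];

foreach (['weak' => $weak, 'hardened' => $hardened] as $name => $settings) {
    $findings = auditSamlSettings($settings);
    printf("%s: %d finding(s)\n", $name, count($findings));
    foreach ($findings as $finding) {
        echo "  - $finding\n";
    }
}
```

Run it with `php audit.php`; wiring it to the real configuration (for example by decoding the YAML with `symfony/yaml` and passing each `onelogin_settings` entry to `auditSamlSettings()`) turns it into a cheap CI gate against a regression such as `strict: false` slipping into production.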

Configure user provider and firewall in `config/packages/security.yaml`:

```
security:
    # ...

    providers:
        saml_provider:
            ##  Basic provider instantiates a user with identifier and default roles
            saml:
                user_class: 'App\Entity\User'
                default_roles: ['ROLE_USER']

    firewalls:
        main:
            pattern: ^/
            saml:
                ##  Match SAML attribute 'uid' with user identifier.
                ##  Otherwise, used \OneLogin\Saml2\Auth::getNameId() method by default.
                identifier_attribute: uid
                ##  Use the attribute's friendlyName instead of the name.
                use_attribute_friendly_name: true
                check_path: saml_acs
                login_path: saml_login
            logout:
                path: saml_logout

    access_control:
        - { path: ^/saml/(metadata|login|acs), roles: PUBLIC_ACCESS }
        - { path: ^/, roles: ROLE_USER }
```

Edit your `config/routes.yaml`:

```
nbgrp_saml:
    resource: "@NbgrpOneloginSamlBundle/Resources/config/routes.php"
    type: php
```

### Multiple IdP


You can configure more than one set of OneLogin PHP SAML settings for multiple IdPs. To do this, specify the SAML settings for each IdP (the `default` and `another` sections in the configuration above) and pass the name of the required IdP as the query string parameter `idp` or as a request attribute with the same name. You can use a different name via the `idp_parameter_name` bundle parameter.

> To use the appropriate SAML settings, all requests to bundle routes must carry the correct IdP parameter.

If a request has no query parameter or attribute with the IdP value, the first key in the `onelogin_settings` section is used as the default IdP. Note that the parameter only selects which configured settings are used; the user identifier is still taken from the assertion, so if two IdPs can issue overlapping identifiers, your user lookup has to tell them apart.

### Using reverse proxy


When you run your application behind a reverse proxy that sets `X-Forwarded-*` headers, set the parameter `nbgrp_onelogin_saml.use_proxy_vars = true` to let the underlying OneLogin library determine the request protocol, host and port correctly. With this flag on, the library takes those headers at face value, so make sure the proxy overwrites client-supplied `X-Forwarded-*` headers instead of passing them through, and that the application is not reachable without going through the proxy: the resolved scheme and host feed into the URLs the SP announces and validates against.
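To make the two proxy caveats on this page concrete (the trusted-proxies note under the placeholder list, and `use_proxy_vars` here), the following added example models how a request's origin is resolved from `$_SERVER`-style data with and without proxy headers. It is illustrative code, not the bundle's or php-saml's implementation: `resolveOrigin()` and its trusted-proxy list are this example's own, and the `['*']` entry stands for "honour headers from any sender", which is what proxy-vars mode without a trust boundary amounts to. The requests are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the externally visible "scheme://host" of a request.
 * $server mimics $_SERVER. $trustedProxies lists proxy IPs whose X-Forwarded-*
 * headers are honoured ('*' = trust everyone). Exact-IP matching is an
 * assumption kept for brevity; real deployments use CIDR ranges.
 */
function resolveOrigin(array $server, bool $useProxyVars, array $trustedProxies): string
{
    // What the backend itself sees: plain HTTP behind a TLS-terminating proxy.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? 'localhost';

    $trusted = in_array('*', $trustedProxies, true)
        || in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);

    // Only a trusted sender may override scheme/host via forwarded headers.
    if ($useProxyVars && $trusted) {
        $scheme = $server['HTTP_X_FORWARDED_PROTO'] ?? $scheme;
        $host   = $server['HTTP_X_FORWARDED_HOST']  ?? $host;
    }
    return "$scheme://$host";
}

// Constructed request 1: the TLS proxy at 10.0.0.5 sets the forwarded headers itself.
$viaProxy = [
    'REMOTE_ADDR'            => '10.0.0.5',
    'HTTP_HOST'              => 'myapp.com',
    'HTTPS'                  => '',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'myapp.com',
];

// Constructed request 2: same proxy, but it forwards a client-supplied
// X-Forwarded-Host instead of overwriting it.
$viaLeakyProxy = $viaProxy;
$viaLeakyProxy['HTTP_X_FORWARDED_HOST'] = 'evil.example';

// Constructed request 3: a client that reaches the backend directly, bypassing the proxy.
$direct = [
    'REMOTE_ADDR'            => '203.0.113.7',
    'HTTP_HOST'              => 'myapp.com',
    'HTTPS'                  => '',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'evil.example',
];

$cases = [
    'proxy, proxy vars off'            => [$viaProxy,      false, []],
    'proxy, trusted list'              => [$viaProxy,      true,  ['10.0.0.5']],
    'leaky proxy, trusted list'        => [$viaLeakyProxy, true,  ['10.0.0.5']],
    'direct client, trust everyone'    => [$direct,        true,  ['*']],
    'direct client, trusted list'      => [$direct,        true,  ['10.0.0.5']],
];
foreach ($cases as $label => [$server, $useProxyVars, $trustedProxies]) {
    printf("%-32s %s\n", $label, resolveOrigin($server, $useProxyVars, $trustedProxies));
}
```

The first case shows why the flag exists (without it the SP believes it is served over plain HTTP); the third shows that a trust list does not help when the proxy itself forwards attacker-controlled headers, which is why the proxy must overwrite them; the last two show that the trust list is what stops a client that bypasses the proxy.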

Optional features
-----------------


### Inject SAML attributes into User object


To be able to inject SAML attributes into the user object, your user class must implement `SamlUserInterface`.
