schno01/php-deutschlandid-saml
==============================

Simple SAML toolkit for bundID/deutschlandID in PHP

v4.4.1, MIT license, PHP >=8.1, CI passing

- [Source](https://github.com/schno01/php-deutschlandid-saml)
- [Packagist](https://packagist.org/packages/schno01/php-deutschlandid-saml)
- [Docs](https://github.com/SAML-Toolkits/php-saml)

SAML PHP Toolkit Compatible with PHP 8.X
========================================


Add SAML support to your PHP software using this library.

Warning
-------

This version is compatible with PHP 8.X and does not include xmlseclibs; you will need to install it via Composer (the dependency is declared in composer.json).

NOTE: This is a customized version for bundID/deutschlandID, provided without guarantee or liability. Please take the necessary security precautions yourself when operating the software.

DEMO-Config
-----------

```
Array
(
    [strict] => 1
    [debug] => 0
    [baseurl] => https://...
    [sp] => Array
        (
            [entityId] => https://...
            [assertionConsumerService] => Array
                (
                    [url] => https://...
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [attributeConsumingService] => Array
                (
                    [serviceName] => ...
                    [serviceDescription] => ...
                    [requestedAttributes] => Array
                        (
                            [0] => Array
                                (
                                    [name] => urn:oid:2.5.4.42
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => givenName
                                )

                            [1] => Array
                                (
                                    [name] => urn:oid:2.5.4.4
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => surname
                                )

                            [2] => Array
                                (
                                    [name] => urn:oid:0.9.2342.19200300.100.1.3
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => mail
                                )

                            [3] => Array
                                (
                                    [name] => urn:oid:2.5.4.16
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => postalAdddress
                                )

                            [4] => Array
                                (
                                    [name] => urn:oid:2.5.4.17
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => postalCode
                                )

                            [5] => Array
                                (
                                    [name] => urn:oid:2.5.4.7
                                    [isRequired] => 1
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => localityName
                                )

                            [6] => Array
                                (
                                    [name] => urn:oid:1.2.40.0.10.2.1.1.225599
                                    [isRequired] =>
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => country
                                )

                            [7] => Array
                                (
                                    [name] => urn:oid:1.3.6.1.4.1.33592.1.3.5
                                    [isRequired] =>
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => gender
                                )

                            [8] => Array
                                (
                                    [name] => urn:oid:0.9.2342.19200300.100.1.40
                                    [isRequired] =>
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => personalTitle
                                )

                            [9] => Array
                                (
                                    [name] => urn:oid:2.5.4.20
                                    [isRequired] =>
                                    [nameFormat] => urn:oasis:names:tc:SAML:2.0:attrname-format:uri
                                    [friendlyName] => telephoneNumber
                                )

                        )

                )

            [NameIDFormat] => urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
            [x509cert] => M...=
            [privateKey] => M...=
            [x509certMulti] => Array
                (
                    [signing] => Array
                        (
                            [0] => M...=
                        )

                    [encryption] => Array
                        (
                            [0] => M...=
                        )

                )

        )

    [idp] => Array
        (
            [entityId] => https://id.bund.de/idp
            [singleSignOnService] => Array
                (
                    [url] => https://id.bund.de/idp/profile/SAML2/POST/SSO
                    [binding] => urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                )

            [x509cert] => M....g==
        )

    [security] => Array
        (
            [nameIdEncrypted] =>
            [authnRequestsSigned] => 1
            [logoutRequestSigned] =>
            [logoutResponseSigned] =>
            [signMetadata] =>
            [wantMessagesSigned] =>
            [wantAssertionsEncrypted] =>
            [wantAssertionsSigned] => 1
            [wantNameId] =>
            [wantNameIdEncrypted] =>
            [requestedAuthnContext] =>
            [wantXMLValidation] => 1
            [relaxDestinationValidation] =>
            [allowRepeatAttributeName] =>
            [destinationStrictlyMatches] =>
            [rejectUnsolicitedResponsesWithInResponseTo] =>
            [signatureAlgorithm] => http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1
            [encryption_algorithm] => http://www.w3.org/2009/xmlenc11#aes256-gcm
            [digestAlgorithm] => http://www.w3.org/2001/04/xmlenc#sha256
            [lowercaseUrlencoding] =>
        )

    [contactPerson] => Array
        (
            [technical] => Array
                (
                    [givenName] => ...
                    [emailAddress] => ...
                )

            [support] => Array
                (
                    [givenName] => ...
                    [emailAddress] => ...
                )

        )

    [organization] => Array
        (
            [en] => Array
                (
                    [name] => ...
                    [displayname] => ...
                    [url] => https://...
                )

        )

)

```

USAGE
-----

```
$this->auth = new Auth(...);

$this->auth->login();

```

After the redirect, read the response from `$_POST['SAMLResponse']`:

```
$this->auth->processResponse($this->auth->getLastRequestID());
$eid_data = (array)$this->auth->getAttributesWithFriendlyName();
$eid_data = $this->toFirstOnes($eid_data);

```

The helper `$this->toFirstOnes()` used above:

```
private function toFirstOnes(array $eid_data): array
{
    // SAML attributes arrive as lists of values; keep only the first value
    // of each multi-valued attribute (null if the list is empty).
    foreach ($eid_data as $key => $value) {
        if (is_array($value)) {
            $eid_data[$key] = $value[0] ?? null;
        }
    }
    return $eid_data;
}

```
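The two snippets above are fragments of a larger flow. The following is an added example (not code from the README or the project) that puts them together: an SP-initiated login that saves the AuthnRequest ID in the PHP session, and an ACS handler that validates the POSTed response against that ID, checks for errors, and collapses multi-valued attributes. The settings are passed as an array to the constructor; every URL, certificate string, attribute subset and the session key name `AuthNRequestID` are placeholders or assumptions, not values from this project.

```php
<?php
// Added example, not code from the README or the project: SP-initiated login
// plus an ACS handler on top of the toolkit's Auth class. All URLs, certificate
// strings and the session key name are placeholders/assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\Auth;

/** Settings array passed to the constructor (placeholders; one attribute kept). */
function buildSettings(): array
{
    return [
        'strict' => true,   // reject anything that fails strict validation
        'sp' => [
            'entityId' => 'https://sp.example.test/saml/metadata',
            'assertionConsumerService' => [
                'url'     => 'https://sp.example.test/saml/acs',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            'attributeConsumingService' => [
                'serviceName'         => 'Example service',
                'requestedAttributes' => [[
                    'name'         => 'urn:oid:2.5.4.42',
                    'isRequired'   => true,
                    'nameFormat'   => 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
                    'friendlyName' => 'givenName',
                ]],
            ],
            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
            'x509cert'     => 'PLACEHOLDER_SP_CERT_BASE64',
            'privateKey'   => 'PLACEHOLDER_SP_KEY_BASE64',
        ],
        'idp' => [
            'entityId' => 'https://id.bund.de/idp',
            'singleSignOnService' => [
                'url'     => 'https://id.bund.de/idp/profile/SAML2/POST/SSO',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            'x509cert' => 'PLACEHOLDER_IDP_CERT_BASE64',
        ],
        'security' => [
            'authnRequestsSigned'  => true,
            'wantAssertionsSigned' => true,
            'wantXMLValidation'    => true,
            'signatureAlgorithm'   => 'http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1',
            'digestAlgorithm'      => 'http://www.w3.org/2001/04/xmlenc#sha256',
        ],
    ];
}

/** Step 1: build the AuthnRequest, remember its ID, then send the user to the IdP. */
function startLogin(array $settings): void
{
    $auth = new Auth($settings);
    // $stay = true returns the SSO URL instead of redirecting at once, so the
    // request ID can be stored before the browser leaves this application.
    $ssoUrl = $auth->login(null, [], false, false, true);
    $_SESSION['AuthNRequestID'] = $auth->getLastRequestID();
    header('Cache-Control: no-store');
    header('Location: ' . $ssoUrl);
    exit;
}

/** Step 2 (ACS endpoint): validate the POSTed response and return the attributes. */
function handleAcs(array $settings): array
{
    $auth = new Auth($settings);
    // The stored request ID lets the toolkit check InResponseTo, so a response
    // to a request this session never issued is rejected.
    $auth->processResponse($_SESSION['AuthNRequestID'] ?? null);
    unset($_SESSION['AuthNRequestID']);   // one request ID accepts one response
    if ($auth->getErrors() !== []) {
        throw new RuntimeException('SAML response rejected: '
            . implode(', ', $auth->getErrors()) . ' / ' . $auth->getLastErrorReason());
    }
    if (!$auth->isAuthenticated()) {
        throw new RuntimeException('response accepted but user not authenticated');
    }
    return firstValues((array) $auth->getAttributesWithFriendlyName());
}

/** Collapse each multi-valued attribute to its first value (null when empty). */
function firstValues(array $attrs): array
{
    foreach ($attrs as $name => $values) {
        if (is_array($values)) {
            $attrs[$name] = $values[0] ?? null;
        }
    }
    return $attrs;
}

session_start();
if (($_GET['action'] ?? '') === 'login') {
    startLogin(buildSettings());
} elseif (isset($_POST['SAMLResponse'])) {
    $user = handleAcs(buildSettings());
    echo htmlspecialchars(json_encode($user, JSON_THROW_ON_ERROR), ENT_QUOTES, 'UTF-8');
}
```

The request ID goes into the session because a fresh `Auth` object is constructed on the ACS request and has no memory of the request issued earlier; without it, `processResponse()` cannot tie the response to an outstanding request.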

Security Guidelines
-------------------

If you believe you have discovered a security vulnerability in this toolkit, please report it by mail to the maintainer:

Why add SAML support to my software?
------------------------------------

SAML is an XML-based standard for web browser single sign-on and is defined by the OASIS Security Services Technical Committee. The standard has been around since 2002, but lately it has become popular due to its advantages:

- **Usability** - One-click access from portals or intranets, deep linking, password elimination and automatically renewing sessions make life easier for the user.
- **Security** - Based on strong digital signatures for authentication and integrity, SAML is a secure single sign-on protocol that the largest and most security conscious enterprises in the world rely on.
- **Speed** - SAML is fast. One browser redirect is all it takes to securely sign a user into an application.
- **Phishing Prevention** - If you don’t have a password for an app, you can’t be tricked into entering it on a fake login page.
- **IT Friendly** - SAML simplifies life for IT because it centralizes authentication, provides greater visibility and makes directory integration easier.
- **Opportunity** - B2B cloud vendors should support SAML to make integration of their product easier.

General description
-------------------

The SAML PHP toolkit lets you build an SP (Service Provider) on top of your PHP application and connect it to any IdP (Identity Provider).

Supports:

- SSO and SLO (SP-Initiated and IdP-Initiated).
- Assertion and nameId encryption.
- Assertion signature.
- Message signature: AuthNRequest, LogoutRequest, LogoutResponses.
- Enable an Assertion Consumer Service endpoint.
- Enable a Single Logout Service endpoint.
- Publish the SP metadata (which can be signed).

Key features:

- **saml2int** - Implements the SAML 2.0 Web Browser SSO Profile.
- **Session-less** - Forget those common conflicts between the SP and the final app: the toolkit delegates session handling to the final app.
- **Easy to use** - Two easy-to-use APIs are available, so you can program at a high level or a low level.
- **Tested** - Thoroughly tested.
- **Popular** - Developers use it. Many PHP SAML plugins use it.

Integrate your PHP toolkit at OneLogin using this guide:

Installation
------------

### Dependencies

- `php >= 5.4` and some core extensions like `php-xml`, `php-date`, `php-zlib`.
- `openssl`. Install the openssl library. It handles x509 certificates.
- `gettext`. Install that library and its php driver. It handles translations.
- `curl`. Install that library and its php driver if you plan to use the IdP Metadata parser.

### Code

#### Option 1. clone the repository from github

```
git clone :SAML-Toolkits/php-saml.git
```

Then pull the 4.X.X branch/tag

#### Option 2. Download from github

The toolkit is hosted on github. You can download it from:

-

Search for 4.X.X releases

Copy the core of the library into the PHP application (each application has its own structure, so take your time to place the PHP SAML toolkit in the best location). See the "Guide to add SAML support to my app" to learn how.

Bear in mind that the compressed file only contains the main files. If you plan to play with the demos, use Option 1.

#### Option 3. Composer

The toolkit supports [composer](https://getcomposer.org/). You can find the `onelogin/php-saml` package at

In order to import the saml toolkit to your current php project, execute

```
composer require schno01/php-deutschlandid-saml:dev-4.x-dev

```

Remember to select the 3.X.X branch

After installation has completed you will find at the `vendor/` folder a new folder named `onelogin` and inside the `php-saml`. Make sure you are including the autoloader provided by composer. It can be found at `vendor/autoload.php`.

**Important** In this option, the x509 certs must be stored at `vendor/onelogin/php-saml/certs` and the settings file at `vendor/onelogin/php-saml`.

Your settings are at risk of being deleted when updating packages using `composer update` or similar commands. It is therefore **highly** recommended that, instead of using settings files, you pass the settings as an array directly to the constructor (explained later in this document).

Compatibility
-------------

This 4.X.X release supports PHP >=7.3.

It is not compatible with PHP 5.6, 7.0, 7.1 or 7.2.

Namespaces
----------

If you are using the library with a framework such as Symfony that uses namespaces, remember that calls to the class must be prefixed with a backslash (`\`); for example, to use the static method getSelfURLNoQuery:

```
\OneLogin\Saml2\Utils::getSelfURLNoQuery()

```

Security warning
----------------

In production, the `strict` parameter **MUST** be set to `"true"`, and the `signatureAlgorithm` and `digestAlgorithm` under `security` must be set to something other than SHA1 (see  ). Otherwise your environment is not secure and will be exposed to attacks.

In production we also highly recommend registering the IdP certificate in the settings instead of using the fingerprint method. The fingerprint is a hash, so it is ultimately open to a collision attack that can end in a signature validation bypass. Other SAML toolkits have deprecated that mechanism; we keep it for compatibility and for use in test environments.
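The three requirements above can be checked mechanically before a settings array reaches production. The following is an added example (not code from the README or the project) that audits a settings array for a disabled `strict` mode, SHA1-based signature or digest algorithms, and a fingerprint used in place of the IdP certificate. The settings keys are the toolkit's own; the two sample arrays are constructed for the check.

```php
<?php
// Added example, not code from the README or the project: a pre-deployment
// audit of a settings array against the warning above (strict on, no SHA1 in
// signatureAlgorithm/digestAlgorithm, IdP certificate instead of fingerprint).
// The keys are the toolkit's; the sample arrays below are constructed.
declare(strict_types=1);

/** Return a list of findings; an empty list means the settings pass. */
function auditSamlSettings(array $settings): array
{
    $findings = [];
    if (($settings['strict'] ?? false) !== true) {
        $findings[] = 'strict must be true';
    }
    $security = $settings['security'] ?? [];
    foreach (['signatureAlgorithm', 'digestAlgorithm'] as $key) {
        $alg = (string) ($security[$key] ?? '');
        // Catches both "...xmldsig#rsa-sha1" and "...xmldsig#sha1"; an unset
        // value is reported too so the choice is explicit in the settings.
        if ($alg === '' || preg_match('/sha1\b/i', $alg) === 1) {
            $findings[] = "$key must be set and must not be SHA1 (got '$alg')";
        }
    }
    $idp = $settings['idp'] ?? [];
    $hasCert = trim((string) ($idp['x509cert'] ?? '')) !== ''
        || !empty($idp['x509certMulti']['signing']);
    if (!$hasCert) {
        $findings[] = 'register the IdP certificate in idp.x509cert (or idp.x509certMulti.signing)';
    }
    if (!empty($idp['certFingerprint'])) {
        $findings[] = 'idp.certFingerprint is set; fingerprint matching is for compatibility/testing only';
    }
    return $findings;
}

/** Constructed sample: settings that must not reach production. */
function weakSettings(): array
{
    return [
        'strict' => false,
        'idp' => [
            'entityId'        => 'https://idp.example.test/',
            'certFingerprint' => 'PLACEHOLDER_FINGERPRINT',
        ],
        'security' => [
            'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
            'digestAlgorithm'    => 'http://www.w3.org/2000/09/xmldsig#sha1',
        ],
    ];
}

/** Constructed sample: the same settings after applying the warning above. */
function hardenedSettings(): array
{
    return [
        'strict' => true,
        'idp' => [
            'entityId' => 'https://idp.example.test/',
            'x509cert' => 'PLACEHOLDER_IDP_CERT_BASE64',
        ],
        'security' => [
            'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
            'digestAlgorithm'    => 'http://www.w3.org/2001/04/xmlenc#sha256',
        ],
    ];
}

// Self-check: the weak sample yields five findings, the hardened one none.
$weak = auditSamlSettings(weakSettings());
if (count($weak) !== 5) {
    throw new RuntimeException('expected 5 findings, got ' . count($weak));
}
if (auditSamlSettings(hardenedSettings()) !== []) {
    throw new RuntimeException('hardened settings should pass');
}
echo "weak settings:\n - " . implode("\n - ", $weak) . "\nhardened settings: OK\n";
```

Run it with `php audit.php` (file name assumed); wiring `auditSamlSettings()` into a deployment test keeps a SHA1 algorithm or a disabled `strict` from slipping back in through a later configuration change.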

### Avoiding Open Redirect attacks

Some implementations use the RelayState parameter to control the flow after SSO or SLO succeeds: the user is simply redirected to the value of RelayState.

If you use signature validation on the HTTP-Redirect binding, the integrity of the RelayState value is covered. Otherwise, and always on the HTTP-POST binding, you cannot trust RelayState, so before redirecting you must verify that its value is a trusted and expected URL.

Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
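One way to perform the RelayState check described above, as an added example that is not part of the README or the project: only a site-relative path or an `https` URL on an allow list of this SP's own hosts is accepted, and anything else falls back to a fixed landing page. The host names, the default landing path and the file name are assumptions.

```php
<?php
// Added example, not code from the README or the project: validate RelayState
// against an allow list before using it as a redirect target. The host name
// and default landing page are placeholders.
declare(strict_types=1);

const DEFAULT_LANDING = '/dashboard';          // assumption: SP-local fallback
const ALLOWED_HOSTS   = ['sp.example.test'];   // assumption: this SP's own host(s)

/**
 * Return a safe redirect target derived from RelayState, or DEFAULT_LANDING.
 * Accepted: a site-relative absolute path ("/x"), or an https URL whose host is
 * on the allow list. Rejected: other schemes, protocol-relative "//host", paths
 * starting with "/\", URLs carrying userinfo, and control characters.
 */
function safeRelayState(?string $relayState): string
{
    if ($relayState === null || $relayState === '' || strlen($relayState) > 2048) {
        return DEFAULT_LANDING;
    }
    // Control characters would allow response-header injection; refuse early.
    if (preg_match('/[\x00-\x1F\x7F]/', $relayState) === 1) {
        return DEFAULT_LANDING;
    }
    // Site-relative path: exactly one leading "/" (not "//" and not "/\").
    if (preg_match('#^/(?![/\\\\])#', $relayState) === 1) {
        return $relayState;
    }
    $parts = parse_url($relayState);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return DEFAULT_LANDING;
    }
    if (strtolower($parts['scheme']) !== 'https'
        || isset($parts['user']) || isset($parts['pass'])) {
        return DEFAULT_LANDING;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return DEFAULT_LANDING;
    }
    return $relayState;
}

// At the ACS endpoint, after processResponse() reported no errors:
//   header('Location: ' . safeRelayState($_POST['RelayState'] ?? null));
//   exit;

// Constructed self-check (runs stand-alone with `php relaystate.php`).
$cases = [
    '/account/settings'                      => '/account/settings',
    'https://sp.example.test/app?tab=2'      => 'https://sp.example.test/app?tab=2',
    '//attacker.example/phish'               => DEFAULT_LANDING,
    'https://attacker.example/'              => DEFAULT_LANDING,
    'https://sp.example.test@attacker.example/' => DEFAULT_LANDING,
    'javascript:alert(1)'                    => DEFAULT_LANDING,
    "https://sp.example.test/\r\nX: y"       => DEFAULT_LANDING,
    ''                                       => DEFAULT_LANDING,
];
foreach ($cases as $input => $expected) {
    if (safeRelayState($input) !== $expected) {
        throw new RuntimeException('unexpected result for ' . var_export($input, true));
    }
}
echo "all RelayState checks passed\n";
```

The function returns a value rather than throwing so that a bad RelayState degrades to the landing page instead of breaking an otherwise valid login; the IdP-side validation of the response itself is unchanged.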

### Avoiding Replay attacks

A replay attack is the reuse of an intercepted, valid SAML message to impersonate a SAML action (SSO or SLO).

SAML messages have a limited lifetime (NotBefore, NotOnOrAfter), which makes this kind of attack harder, but it is still possible.

To prevent it, the SP can keep a list of SAML message or assertion IDs that have already been validated and processed. Those values only need to be stored for the lifetime of the SAML message, so there is no need to store every processed message/assertion ID, only the most recent ones.

The OneLogin\\Saml2\\Auth class contains the [getLastRequestID](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L657), [getLastMessageId](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L762) and [getLastAssertionId](https://github.com/SAML-Toolkits/php-saml/blob/b8214b74dd72960fa6aa88ab454667c64cea935c/src/Saml2/Auth.php#L770) methods to retrieve the IDs.

Checking that the ID of the current message/assertion does not exist in the list of already processed ones will prevent replay attacks.
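The ID list described above, as an added example that is not code from the README or the project: a small store that records assertion and message IDs until the assertion's own expiry, rejects an ID seen a second time, and forgets expired entries. The file-based store under `sys_get_temp_dir()` is for illustration only (a shared database or cache is the realistic choice with several workers); the use of `getLastAssertionNotOnOrAfter()` from the upstream `Auth` class and the 10-minute fallback window are assumptions.

```php
<?php
// Added example, not code from the README or the project: replay guard keyed
// on the assertion and message IDs that Auth exposes after processResponse().
// Storage is a JSON file (illustration only); the fallback window is assumed.
declare(strict_types=1);

if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

use OneLogin\Saml2\Auth;

final class ReplayGuard
{
    public function __construct(private string $path) {}

    /** Load the {id => expiresAt} map, dropping entries whose lifetime has passed. */
    private function load(int $now): array
    {
        $raw  = is_file($this->path) ? (string) file_get_contents($this->path) : '';
        $seen = json_decode($raw, true);
        return array_filter(is_array($seen) ? $seen : [], fn (int $exp) => $exp > $now);
    }

    /**
     * Record $id as processed until $expiresAt. Returns false when the ID is
     * already present, i.e. the message is a replay. An exclusive lock keeps
     * two concurrent responses with the same ID from both passing.
     */
    public function markFresh(string $id, int $expiresAt, ?int $now = null): bool
    {
        $now = $now ?? time();
        $fh  = fopen($this->path, 'c+');
        if ($fh === false || !flock($fh, LOCK_EX)) {
            throw new RuntimeException('replay store unavailable');
        }
        try {
            $seen = $this->load($now);
            if (isset($seen[$id])) {
                return false;
            }
            $seen[$id] = $expiresAt;
            ftruncate($fh, 0);
            rewind($fh);
            fwrite($fh, json_encode($seen, JSON_THROW_ON_ERROR));
            fflush($fh);
            return true;
        } finally {
            flock($fh, LOCK_UN);
            fclose($fh);
        }
    }
}

/**
 * Call right after $auth->processResponse() returned with no errors. Throws if
 * either the Assertion ID or the Response (message) ID has been seen before.
 */
function rejectIfReplayed(Auth $auth, ReplayGuard $guard): void
{
    // Keep IDs only as long as the assertion itself is valid; fall back to a
    // conservative window (assumption: 10 minutes) if NotOnOrAfter is absent.
    $expires = $auth->getLastAssertionNotOnOrAfter() ?? (time() + 600);
    foreach ([$auth->getLastAssertionId(), $auth->getLastMessageId()] as $id) {
        if ($id !== null && !$guard->markFresh($id, $expires)) {
            throw new RuntimeException('replayed SAML message/assertion: ' . $id);
        }
    }
}

// Constructed self-check of the store alone (no IdP needed): first use passes,
// a second use within the lifetime is rejected, an expired ID is forgotten.
$path = sys_get_temp_dir() . '/saml-replay-demo.json';
@unlink($path);
$guard = new ReplayGuard($path);
$t = 1_700_000_000;
if (!$guard->markFresh('_assertion-A', $t + 300, $t)) {
    throw new RuntimeException('first use must pass');
}
if ($guard->markFresh('_assertion-A', $t + 300, $t + 10)) {
    throw new RuntimeException('replay within lifetime must be rejected');
}
if (!$guard->markFresh('_assertion-A', $t + 900, $t + 600)) {
    throw new RuntimeException('an expired ID may be reused');
}
echo "replay guard checks passed\n";
```

Forgetting an ID after its NotOnOrAfter is safe because a replayed assertion arriving later than that is already rejected by the toolkit's time-window validation; the guard only has to cover the window in which the assertion would otherwise still validate.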

Getting started
---------------

### Knowing the toolkit

The new SAML Toolkit contains different folders (`certs`, `endpoints`, `lib`, `demo`, etc.) and some files.

Let's start describing the folders:

#### `certs/`

SAML requires an x509 cert to sign and encrypt elements like `NameID`, `Message`, `Assertion` and `Metadata`.

If our environment requires signing or encryption support, this folder may contain the x509 cert and the private key that the SP will use:

- `sp.crt` - The public cert of the SP
- `sp.key` - The private key of the SP

Alternatively, we can provide that data in the settings file at `$settings['sp']['x509cert']` and `$settings['sp']['privateKey']`.

Sometimes we could need a signature on the metadata published by the SP, in this case we could use the x509 cert previously mentioned or use a new x.509 cert: `metadata.crt` and `metadata.key`.

Use `sp_new.crt` if you are in a key rollover process and you want to publish that x509 certificate on Service Provider metadata.

#### `src/`

This folder contains the heart of the toolkit, the libraries:

- `Saml2` folder contains the new version of the classes and methods that are described in a later section.

#### `doc/`

This folder contains the API documentation of the toolkit.

#### `endpoints/`

The toolkit has three endpoints:

- `metadata.php` - Where the metadata of the SP is published.
- `acs.php` - Assertion Consumer Service. Processes the SAML Responses.
- `sls.php` - Single Logout Service. Processes Logout Requests and Logout Responses.

You can use the files provided by the toolkit or create your own endpoint files when adding SAML support to your application. Bear in mind that those endpoint files use the settings file of the toolkit's base folder.

#### `locale/`

Locale folder contains some translations: `en_US` and `es_ES` as a proof of concept. Currently there are no translations but we will eventually localize the messages and support multiple languages.

#### Other important files

- `settings_example.php` - A template for creating a settings.php file, which contains the basic configuration of the toolkit.
- `advanced_settings_example.php` - A template for creating an advanced_settings.php file, which contains extra configuration related to security, the contact person, and the organization associated with the SP.
- `_toolkit_loader.php` - This file loads the toolkit libraries (the SAML2 lib).

#### Miscellaneous

- `tests/` - Contains the unit tests of the toolkit.
- `demo1/` - Contains an example of a simple PHP app with SAML support. Read the `Readme.txt` inside for more info.
- `demo2/` - Contains another example.

### How it works

#### Settings

First of all we need to configure the toolkit: the SP's info, the IdP's info and, in some cases, advanced security settings such as signatures and encryption.

There are two ways to provide the settings information:

- Use a `settings.php` file that we should locate at the base folder of the toolkit.
- Use an array with the setting data and provide it directly to the constructor of the class.

There is a template file, `settings_example.php`, so you can make a copy of this file, rename and edit it.

```
